From 382ef318edc009e9b8e66f5724f62ea92381042a Mon Sep 17 00:00:00 2001
From: Theo Chatzimichos
Date: Aug 28 2017 14:00:58 +0000
Subject: Add support for ssh authentication via public ssh keys stored in freeipa
- install packages openssh-helpers and openldap2-client
- install sssd.conf on all machines and improve it:
- add ssh as service
- rename the domain to infra.o.o
- add the search base for users and for groups so that both get populated properly after an ssh login
- demand tls and valid cert
- install the appropriate /etc/pam.d files
- install /etc/openldap/ldap.conf
- install a script that fetches the ssh public keys stored in ldap/freeipa for a given username. We are using a custom script instead of the sss or the openssh-helpers script because they hardcode the attribute name that contains the public SSH keys on LDAP, which is different on freeipa. We can get rid of it and replace it with the sss script as soon as we introduce the sssd-ipa package in opensuse
- use the above script on /etc/ssh/sshd_config as user nobody
- add the profile.ldap-client on the base role to be applied on all machines
---
diff --git a/pillar/common.sls b/pillar/common.sls
index 5895109..b151569 100644
--- a/pillar/common.sls
+++ b/pillar/common.sls
@@ -40,6 +40,8 @@ salt:
 environment: production
 hash_type: sha512
 sshd_config:
+ AuthorizedKeysCommand: /usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
+ AuthorizedKeysCommandUser: nobody
 HostKey:
 - /etc/ssh/ssh_host_rsa_key
 - /etc/ssh/ssh_host_dsa_key
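Review bot: `AuthorizedKeysCommand: /usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh` passes no argument, so the `$1` the script documents as "the username" only arrives because sshd falls back to supplying the target user when the command has no arguments; writing it as `AuthorizedKeysCommand: /usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh %u` makes that contract visible in the config instead of in sshd_config(5). Whether the sshd_config template renders this pillar key verbatim is not visible here, so this is a style point rather than a defect. Running the command as `nobody` is the right least-privilege choice, and a pillar comment such as `# runs as nobody: the script may only rely on world-readable files (ldap.conf, CA certs)` would keep later edits from breaking that assumption.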
@@ -66,6 +68,29 @@ sshd_config:
 timezone:
 name: UTC
 utc: True
+sssd:
+ settings:
+ sssd: True
+ sssd_conf:
+ domains:
+ infra.opensuse.org:
+ auth_provider: ldap
+ id_provider: ldap
+ ldap_group_search_base = cn=groups,cn=compat,dc=infra,dc=opensuse,dc=org
+ ldap_search_base: dc=infra,dc=opensuse,dc=org
+ ldap_tls_reqcert: demand
+ ldap_uri: ldaps://freeipa.infra.opensuse.org
+ ldap_user_search_base = cn=users,cn=accounts,dc=infra,dc=opensuse,dc=org
+ general_settings:
+ config_file_version: 2
+ domains: infra.opensuse.org
+ services: nss, pam, ssh
+ services:
+ nss:
+ filter_group: root
+ filter_users: root
+ pam: {}
+ ssh: {}
 sudoers:
 defaults:
 generic:
@@ -102,7 +127,10 @@ zypper:
 lsof: {}
 man: {}
 mtr: {}
+ openldap2-client: {}
+ openssh-helpers: {}
 screen: {}
+ sssd-ldap: {}
 susepaste: {}
 tcpdump: {}
 traceroute: {}
diff --git a/pillar/role/openvpn.sls b/pillar/role/openvpn.sls
index 2602355..792d600 100644
--- a/pillar/role/openvpn.sls
+++ b/pillar/role/openvpn.sls
@@ -1,23 +1 @@
-sssd:
- settings:
- sssd: True
- sssd_conf:
- domains:
- freeipa.infra.opensuse.org:
- enumerate: False
- id_provider: ldap
- ldap_group_uuid: entryuuid
- ldap_schema: rfc2307bis
- ldap_search_base: cn=users,cn=accounts,dc=infra,dc=opensuse,dc=org
- ldap_user_uuid: entryuuid
- ldap_tls_reqcert: allow
- ldap_uri: ldap://freeipa.infra.opensuse.org
- general_settings:
- config_file_version: 2
- domains: freeipa.infra.opensuse.org
- services: nss, pam
- services:
- nss:
- filter_group: root
- filter_users: root
- pam: {}
+#
diff --git a/salt/profile/ldap/client/files/etc/openldap/ldap.conf b/salt/profile/ldap/client/files/etc/openldap/ldap.conf
new file mode 100644
index 0000000..e985a8e
--- /dev/null
+++ b/salt/profile/ldap/client/files/etc/openldap/ldap.conf
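Review bot: `ldap_group_search_base = cn=groups,cn=compat,dc=infra,dc=opensuse,dc=org` and `ldap_user_search_base = cn=users,cn=accounts,dc=infra,dc=opensuse,dc=org` use `=` instead of `:`, so inside the `infra.opensuse.org:` mapping they are not key/value pairs and the pillar fails to parse (or, at best, sssd never receives either search base, which defeats the stated goal of populating users and groups after login); change them to `ldap_group_search_base: cn=groups,cn=compat,dc=infra,dc=opensuse,dc=org` and `ldap_user_search_base: cn=users,cn=accounts,dc=infra,dc=opensuse,dc=org`. `ldap_tls_reqcert: demand` over `ldaps://` is the right hardening, but no `ldap_tls_cacert` or `ldap_tls_cacertdir` is set and nothing in this commit ships the FreeIPA CA, so lookups fail closed on any minion where the CA is not already in the system bundle; worth confirming or pinning the path explicitly. The group base points at the compat tree while users come from cn=accounts; a one-line pillar comment recording why the compat tree is used would spare the next reader from guessing.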
@@ -0,0 +1,15 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE dc=infra,dc=opensuse,dc=org
+URI ldaps://freeipa.infra.opensuse.org
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+TLS_REQCERT demand
+TLS_CACERTDIR /etc/ssl/certs/
diff --git a/salt/profile/ldap/client/files/etc/pam.d/common-account-pc b/salt/profile/ldap/client/files/etc/pam.d/common-account-pc
new file mode 100644
index 0000000..d5e39cf
--- /dev/null
+++ b/salt/profile/ldap/client/files/etc/pam.d/common-account-pc
@@ -0,0 +1,14 @@
+#%PAM-1.0
+#
+# Managed by Salt
+#
+# Account-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the account modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired.
+#
+account requisite pam_unix.so try_first_pass
+account sufficient pam_localuser.so
+account required pam_sss.so use_first_pass
diff --git a/salt/profile/ldap/client/files/etc/pam.d/common-auth-pc b/salt/profile/ldap/client/files/etc/pam.d/common-auth-pc
new file mode 100644
index 0000000..67561ff
--- /dev/null
+++ b/salt/profile/ldap/client/files/etc/pam.d/common-auth-pc
@@ -0,0 +1,15 @@
+#%PAM-1.0
+#
+# Managed by Salt
+#
+# Authentication-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass
+auth required pam_sss.so use_first_pass
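Review bot: `TLS_REQCERT demand` with `TLS_CACERTDIR /etc/ssl/certs/` makes every lookup through this file fail closed unless the FreeIPA CA certificate is present in that directory, and nothing in this commit installs it; if the CA is not already part of the system bundle on every minion, ship it from the same profile or point `TLS_CACERT <path-to-deployed-freeipa-ca>` (placeholder) at it. The sshd key-lookup script added in this commit calls ldapsearch without `-H`, so it takes its URI and TLS policy from this file while running as nobody, which makes the file's readability part of the authentication path. A comment such as `# read by fetch_freeipa_ldap_sshpubkey.sh (runs as nobody): keep world-readable, root-owned` would record that dependency next to the existing "should be world readable" remark.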
diff --git a/salt/profile/ldap/client/files/etc/pam.d/common-password-pc b/salt/profile/ldap/client/files/etc/pam.d/common-password-pc
new file mode 100644
index 0000000..249f70a
--- /dev/null
+++ b/salt/profile/ldap/client/files/etc/pam.d/common-password-pc
@@ -0,0 +1,13 @@
+#%PAM-1.0
+#
+# Managed by Salt
+#
+# Password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.
+#
+password requisite pam_cracklib.so
+password sufficient pam_unix.so use_authtok nullok shadow try_first_pass
+password required pam_sss.so use_authtok
diff --git a/salt/profile/ldap/client/files/etc/pam.d/common-session-pc b/salt/profile/ldap/client/files/etc/pam.d/common-session-pc
new file mode 100644
index 0000000..0f6415b
--- /dev/null
+++ b/salt/profile/ldap/client/files/etc/pam.d/common-session-pc
@@ -0,0 +1,18 @@
+#%PAM-1.0
+#
+# Managed by Salt
+#
+# Session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive
+#
+session optional pam_mkhomedir.so
+session required pam_limits.so
+session required pam_unix.so try_first_pass
+session optional pam_sss.so
+session optional pam_umask.so
+session optional pam_systemd.so
+session optional pam_env.so
diff --git a/salt/profile/ldap/client/files/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh b/salt/profile/ldap/client/files/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
new file mode 100644
index 0000000..80e4636
--- /dev/null
+++ b/salt/profile/ldap/client/files/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
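Review bot: `session optional pam_mkhomedir.so` in common-session-pc creates the home directory of every LDAP user on first login with pam_mkhomedir's default umask of 0022, so those directories come out world-readable on every machine this profile now covers; `session optional pam_mkhomedir.so umask=0077` keeps them private by default. The file is also missing the closing parenthesis in the header comment (`# non-interactive` should read `# non-interactive)`), a small fix while the file is new. The openSUSE `common-*-pc` names are what pam-config regenerates, so a comment noting that pam-config must not be run on these hosts (or that Salt will revert its output) would explain why the files are managed by hand.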
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Script that fetches the SSH Public Keys for a given user from LDAP/FreeIPA.
+# It takes a FreeIPA/LDAP username as first argument, and returns the SSH
+# public keys of that user, one per line.
+# Used by sshd (see AuthorizedKeysCommand in sshd_config) for ssh
+# authentication via SSH public keys stored in LDAP/FreeIPA
+
+ldapsearch -x -LLL -b cn=users,cn=accounts,dc=infra,dc=opensuse,dc=org '(&(objectClass=posixAccount)(uid='"$1"'))' 'ipaSshPubKey' | sed -n '/^ /{H;d};/ipaSshPubKey:/x;$g;s/\n *//g;s/ipaSshPubKey: //gp'
diff --git a/salt/profile/ldap/client/init.sls b/salt/profile/ldap/client/init.sls
index f97afde..d986648 100644
--- a/salt/profile/ldap/client/init.sls
+++ b/salt/profile/ldap/client/init.sls
@@ -1,2 +1,17 @@
 include:
 - sssd
+
+{% for file in [account, auth, password, session] %}
+/etc/pam.d/session-{{ file }}-pc:
+ file.managed:
+ - source: salt://profile/ldap/client/files/etc/pam.d/session-{{ file }}-pc
+{% endif %}
+
+/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
+ file.managed:
+ - source: salt://profile/ldap/client/files/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
+ - mode: 0755
+
+/etc/openldap/ldap.conf
+ file.managed:
+ - source: salt://profile/ldap/client/files/etc/openldap/ldap.conf
diff --git a/salt/role/base.sls b/salt/role/base.sls
index e28b8cf..191ffe6 100644
--- a/salt/role/base.sls
+++ b/salt/role/base.sls
@@ -1,6 +1,7 @@
 include:
 - profile.accounts
 - profile.apparmor
+ - profile.ldap.client
 - profile.regional
 - profile.salt.minion
 - profile.zypper
diff --git a/salt/role/openvpn.sls b/salt/role/openvpn.sls
index 2328ec5..792d600 100644
--- a/salt/role/openvpn.sls
+++ b/salt/role/openvpn.sls
@@ -1,2 +1 @@
-include:
- - profile.ldap.client
+#
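Review bot: `$1` is spliced unescaped into the LDAP filter `(uid='"$1"')`, so any RFC 4515 metacharacter in the name sshd hands over (`*`, `(`, `)`, `\`) changes the query instead of being matched literally; sshd only invokes the command for names that already resolve through NSS, which narrows the exposure, but a guard before the search keeps the filter honest, e.g. `case "$1" in ""|*[!A-Za-z0-9._-]*) exit 1 ;; esac` (tighten or loosen the allow-list to the site's username policy). A second, hedged point: ldapsearch emits `ipaSshPubKey::` (base64) for values LDIF cannot print verbatim, and `s/ipaSshPubKey: //gp` does not match that form, so such a key would be dropped silently; worth testing with a key whose comment triggers encoding, or decoding `::` lines explicitly. The pipeline's exit status is sed's, so an unreachable or mis-trusted LDAP server surfaces only as an empty key list, which is fail-closed but invisible in sshd's logs; `set -o pipefail` at the top makes the failure exit non-zero so sshd records the AuthorizedKeysCommand error.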
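Review bot: The PAM loop in init.sls does not render: `[account, auth, password, session]` are bare Jinja names rather than strings, the block is closed with `{% endif %}` instead of `{% endfor %}`, and both the target and the source say `session-{{ file }}-pc` while the files this commit adds are named `common-*-pc`. The two following state IDs, `/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh` and `/etc/openldap/ldap.conf`, also lack the trailing colon, so the file is invalid YAML even once the loop is fixed; with the base role now including this profile, that breaks the highstate on every machine. sshd refuses an AuthorizedKeysCommand that is not root-owned or is group/world-writable, so pinning `user: root` and `group: root` on the script state documents that requirement rather than relying on the defaults.
```yaml
# … unchanged: include of sssd …

{% for file in ['account', 'auth', 'password', 'session'] %}
/etc/pam.d/common-{{ file }}-pc:
  file.managed:
    - source: salt://profile/ldap/client/files/etc/pam.d/common-{{ file }}-pc
{% endfor %}

/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh:
  file.managed:
    - source: salt://profile/ldap/client/files/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
    - user: root
    - group: root
    - mode: 0755

/etc/openldap/ldap.conf:
  file.managed:
    - source: salt://profile/ldap/client/files/etc/openldap/ldap.conf
```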