#!/usr/bin/perl
# ssh wrapper to make "super-like" wrapping of users to use
# the correct key file for their ssh commands to systems
use strict;
use warnings;
use Sys::Hostname;
use User::grent;
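#################
# configuration #
#################
# Allow-list of /etc/group groups.  A caller may only use the production
# key of a group from this list that names them in its member list; the
# group name is also what selects the key file under /root/.ssh/otherkeys.
my @grouplist = qw(support1 support2 sysadmin1 sysadmin2 sysadmin3 ubersys soc);
# 1: echo the sudo/ssh command line before running it (and skip the screen reset)
my $DEBUG = 0;
# file in the caller's home that remembers the preferred login group name
my $pfile = ".spref";
# Sys::Hostname is core; it avoids spawning a child process and a hard-coded
# /bin path for something that is only shown in the sign-off message.
my $localhost = hostname();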
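#################
### main ########
#################
my $args     = getargs(\@ARGV);
my $hostname = $args->{hostname};
my $reqgroup = $args->{group};     # group asked for with -g (undef if absent)
my $uname    = $args->{username};  # explicit login name (undef if absent)
my @info     = getpwuid($<);       # [0] login name, [7] home directory
die "Cannot find a passwd entry for uid $<. exiting\n" unless @info;
# groups from @grouplist whose member list names the caller
my $mygroup = usergroup(\@info);
#print "Groups for $info[0]: ", join " ", @$mygroup, "\n";

# Decide which group's key is used.  Only groups from @grouplist that list
# the caller as a member are acceptable; -g is a shortcut for one of them,
# not a way to name any other group the caller happens to belong to.
my $login_group;
if ( defined $reqgroup ) {
    getgrnam($reqgroup) or die "$reqgroup is not a valid group. exiting\n";
    # Membership in an arbitrary group (e.g. 'users') is not enough: the
    # group name becomes the key path and the default login name.
    die "Sorry $info[0], you do not have rights for group $reqgroup\n"
        unless grep { $_ eq $reqgroup } @$mygroup;
    $login_group = $reqgroup;
} elsif ( @$mygroup > 1 ) {
    $login_group = selectgroup($mygroup);
} elsif ( @$mygroup == 1 ) {
    $login_group = $mygroup->[0];
} else {
    die "You do not have access to this command";
}
exit _run_ssh($login_group, $uname, $hostname, $info[0]);

# Run ssh (through sudo, i.e. as root) with the selected group's key.
# $login is the remote user name and defaults to the group name when no
# user@ was given.  Returns ssh's exit status so the wrapper's own exit
# status reflects the remote session instead of being a fixed error code.
# NOTE(review): the wrapper only constrains access if the sudoers rule that
# permits /usr/bin/ssh does not already let the same users run ssh with
# arbitrary arguments — confirm the rule matches this exact command shape.
sub _run_ssh {
    my ($group, $login, $host, $caller) = @_;
    # Nothing ssh could parse as an option may reach its argv.  The parts
    # are caller-controlled (command line, preference file), so they are
    # checked here regardless of what the argument parser accepted.
    for my $part ($group, $login, $host) {
        next unless defined $part;
        die "Refusing argument that looks like an ssh option: \"$part\"\n"
            unless $part =~ /\A[A-Za-z0-9][\w.-]*\z/;
    }
    my $dest    = ( $login ? $login : $group ) . "\@$host";
    my @command = ( '/usr/bin/sudo', '/usr/bin/ssh',
                    '-i', "/root/.ssh/otherkeys/tr00/id_dsa_$group", $dest );
    printf "executing %s\n", join( ' ', @command ) if $DEBUG;
    system @command;
    my $status = $? == -1       ? 255
               : ( $? & 127 )   ? 128 + ( $? & 127 )
               :                  $? >> 8;
    warn "Welcome back to $localhost, $caller\n";
    return $status;
}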
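# Return an arrayref of the allow-listed groups (default: @grouplist; an
# alternative list may be passed as a second arrayref) whose /etc/group
# member list names the given user.  $data is the getpwuid() array for the
# user; only element 0 (the login name) is used.
# A listed group that does not exist on this host is skipped instead of
# crashing the wrapper (getgrnam returns undef for it).
# Note: a user's primary group (passwd gid) does not appear in the member
# list and is therefore not detected here.
sub usergroup {
    my ($data, $groups) = @_;
    $groups = \@grouplist unless defined $groups;
    my $user  = $data->[0];
    my @found = ();
    return \@found unless defined $user;
    foreach my $node (@$groups) {
        my $gr = getgrnam($node) or next;    # group not present on this host
        push @found, $gr->name if grep { $_ eq $user } @{ $gr->members };
    }
    return \@found;
}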
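# Interactively choose one of the caller's allowed groups ($groups is an
# arrayref of group names).  A previous choice is remembered in ~/$pfile
# and offered as the default.  Returns the chosen group name.
#
# Security notes:
#  - ~/$pfile is writable by the caller, so its content is honoured only
#    when it is one of the groups passed in; anything else is ignored.
#    The value ends up in the sudo/ssh command line (key path, login name).
#  - A numeric answer must index into the list; out-of-range numbers would
#    otherwise select undef.  A bare Enter with no default still means 0.
#  - EOF on STDIN aborts instead of silently picking a group.
sub selectgroup {
    my $groups = shift;
    die "No groups to select from. exiting\n"
        unless ref $groups eq 'ARRAY' && @$groups;
    my $home     = $info[7];
    my $preffile = ( defined $home && length $home ) ? "$home/$pfile" : undef;

    # check pref file
    my $pref = undef;
    if ( defined $preffile && -f $preffile ) {
        if ( open my $pin, '<', $preffile ) {
            my $line = <$pin>;
            close $pin;
            if ( defined $line ) {
                chomp $line;
                # only a remembered group that is still allowed is a default
                $pref = $line if grep { $_ eq $line } @$groups;
            }
        }
        else {
            warn "$preffile not read: $!\n";
        }
    }
    system( "/usr/bin/tput", "reset" ) unless $DEBUG;
    print <<DIRECTIONS;
Welcome, $info[0]
To avoid this screen for future ssh calls, you can run:
$0 -g groupname [username\@]hostname
where groupname refers to a group listed here
DIRECTIONS
    my $correct = 0;
    my $selected;
    until ($correct) {
        print <<INSTRUCTIONS;
Please select your login group. The group you select will determine your
access level on the remote system.
INSTRUCTIONS
        my $num = 0;
        foreach my $group (@$groups) {
            printf( "[%d] %s\n", $num++, $group );
        }
        my $default = $pref ? " [$pref]" : "";
        print "Enter the number of your selection$default: ";
        my $gnum = <STDIN>;
        die "\nNo selection made. exiting\n" unless defined $gnum;
        chomp $gnum;
        if ( $pref && $gnum eq "" ) {
            $selected = $pref;
        }
        else {
            $gnum = 0 if $gnum eq "";    # bare Enter without a default: entry 0
            unless ( $gnum =~ /\A\d+\z/ && $gnum < @$groups ) {
                print "\"$gnum\" is not one of the listed numbers.\n";
                next;
            }
            $selected = $groups->[$gnum];
        }
        print "You selected $selected. Is this correct? [Yn]: ";
        my $ans = <STDIN>;
        die "\nNo selection made. exiting\n" unless defined $ans;
        chomp $ans;
        $ans ||= 'y';
        $correct = $ans =~ /y/i ? 1 : 0;
    }
    # remember the choice for next time (best effort, never fatal)
    if ( defined $preffile ) {
        if ( open my $pout, '>', $preffile ) {
            print {$pout} $selected;
            close $pout or warn "couldn't write $preffile: $!\n";
        }
        else {
            warn "couldn't write $preffile: $!\n";
        }
    }
    return $selected;
}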
# Print the usage line to STDERR and terminate (die exits non-zero).
sub help {
    my $usage = "usage: $0 [-g usergroup] [username@]hostname\n";
    die $usage;
}
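# Parse the command line: [-g group] [user@]host, plus -h/--help.
# Returns { username => ..., hostname => ..., group => ... }; username and
# group are undef when not given.  Anything unusable goes to help().
#
# Every returned value is later placed on a sudo/ssh command line, so the
# shape of each value matters:
#  - user, host and group may contain only [A-Za-z0-9_.-] and must start
#    with a letter or digit.  A leading '-' would let the user part reach
#    ssh as an option: "-F@host" becomes "-F @host", i.e. a caller-supplied
#    ssh config file read as root.
#  - \z rather than $, so a trailing newline is rejected as well.
#  - -h/--help and unknown -options are handled before the user@host match,
#    which would otherwise accept them as a hostname.
#  - The '@' is not part of the captured user name.  (tr/@// with an empty
#    replacement list only counts '@'; it does not delete it.)
sub getargs {
    my $args = shift;
    my ( $username, $hostname, $group );
    my $name_re = qr/[A-Za-z0-9][\w.-]*/;
    while ( defined( my $arg = shift @$args ) ) {
        help() if $arg =~ /\A(?:-h|--help)\z/i;
        if ( $arg eq '-g' ) {
            $group = shift @$args;
            unless ( defined $group && $group =~ /\A$name_re\z/ ) {
                warn "Invalid group: \"" . ( defined $group ? $group : '' ) . "\"\n";
                help();
            }
            next;
        }
        if ( $arg =~ /\A(?:($name_re)\@)*($name_re)\z/ ) {
            ( $username, $hostname ) = ( $1, $2 );
            print "D: username=\"" . ( defined $username ? $username : '' )
                . "\" hostname=\"$hostname\"\n" if $DEBUG;
            next;
        }
        # anything else: an unknown option or a malformed destination
        warn "Invalid Hostname: \"$arg\"\n";
        help();
    }
    unless ( defined $hostname && $hostname =~ /\A$name_re\z/ ) {
        warn "Invalid Hostname: \"" . ( defined $hostname ? $hostname : '' ) . "\"\n";
        help();
    }
    return { 'username' => $username, 'hostname' => $hostname, 'group' => $group };
}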