From 18cdc71f9a55fa50fdb16cfeca5dfd8741375519 Mon Sep 17 00:00:00 2001
From: Jonas Gunz <himself@jonasgunz.de>
Date: Sat, 11 Mar 2023 14:44:08 +0100
Subject: sssd: allow ssh login via key

---
 galaxy.yml                                     | 2 +-
 roles/sssd/defaults/main.yml                   | 1 +
 roles/sssd/files/sshd_sss_authorized_keys.conf | 5 +++++
 roles/sssd/handlers/main.yml                   | 5 +++++
 roles/sssd/tasks/main.yml                      | 9 +++++++++
 5 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 roles/sssd/files/sshd_sss_authorized_keys.conf

diff --git a/galaxy.yml b/galaxy.yml
index 0c5c38b..92a5af0 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
 namespace: kompetenzbolzen
 name: stuff
-version: 0.17.1
+version: 0.17.2
 readme: README.md
 authors:
 - Jonas Gunz <himself@jonasgunz.de>
diff --git a/roles/sssd/defaults/main.yml b/roles/sssd/defaults/main.yml
index 381bb74..4544fb3 100644
--- a/roles/sssd/defaults/main.yml
+++ b/roles/sssd/defaults/main.yml
@@ -8,3 +8,4 @@ sssd_ldap:
   user_dn: 'ou=users,dc=example,dc=com'
   group_dn: 'ou=groups,dc=example,dc=com'
   access_filter: '&(objectClass=posixAccount)'
+  sshd_keys_from_sss: false
diff --git a/roles/sssd/files/sshd_sss_authorized_keys.conf b/roles/sssd/files/sshd_sss_authorized_keys.conf
new file mode 100644
index 0000000..e4f17bd
--- /dev/null
+++ b/roles/sssd/files/sshd_sss_authorized_keys.conf
@@ -0,0 +1,5 @@
+# vi: ft=sshdconfig
+# This file is managed by Ansible. Do NOT change.
+
+AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+AuthorizedKeysCommandUser nobody
diff --git a/roles/sssd/handlers/main.yml b/roles/sssd/handlers/main.yml
index ac65088..add6945 100644
--- a/roles/sssd/handlers/main.yml
+++ b/roles/sssd/handlers/main.yml
@@ -4,3 +4,8 @@
     name: sssd
     state: restarted
   become: yes
+- name: Restart sshd
+  systemd:
+    name: sshd
+    state: restarted
+  become: yes
diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml
index a7f2b5e..e24cdfd 100644
--- a/roles/sssd/tasks/main.yml
+++ b/roles/sssd/tasks/main.yml
@@ -35,3 +35,12 @@
     line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
     insertafter: '^session optional pam_sss\.so'
   become: yes
+
+- name: Configure SSH Key login via LDAP
+  copy:
+    src: sshd_sss_authorized_keys.conf
+    dest: /etc/ssh/sshd_config.d/sss_authorized_keys.conf
+  become: yes
+  when: sssd_ldap.sshd_keys_from_sss | default(false)
+  notify:
+    - Restart sshd
-- 
cgit v1.2.3