... | ... | @@ -459,14 +459,7 @@ This is a (hopefully) exhaustive list of files generated by |
might have changed since this was documented, on 2020-10-07.
All files are written in the `/var/cache/userdir-ldap/hosts/`, with
one subdirectory per host. This is where `ud-replicate` finds its
files. For example, for a host named `example.torproject.org`,
`ud-generate` will write the files in
`/var/cache/userdir-ldap/hosts/example.torproject.org/` and
`ud-replicate` will synchronize that directory, on
`example.torproject.org`, in the
`/var/lib/misc/example.torproject.org/` directory. The
`/var/lib/misc/thishost` symlink will also point to that directory.
one subdirectory per host.
| Path | Function | Fields used |
|------------------------------------|-----------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
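Review bot: with the example paragraph moved out of this section, the surviving sentence now reads `All files are written in the /var/cache/userdir-ldap/hosts/, with one subdirectory per host.`, which has lost its noun after "the"; suggest `All files are written under /var/cache/userdir-ldap/hosts/, with one subdirectory per host.` Since the table below is what readers scan for a given file, consider keeping a one-line pointer here to the new `How files get distributed by ud-replicate` section, which is where the path example and the `/var/lib/misc/thishost` explanation now live.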
... | ... | @@ -502,6 +495,25 @@ files. For example, for a host named `example.torproject.org`, |
| `users.oath` | TOTP authentication | `uid`, `totpSeed`, `userPassword` (skips inactive) , `supplementaryGid` (skips guests) |
| `web-passwords` | secondary password database for web apps (user:pass) | `uid`, `webPassword` |
### How files get distributed by ud-replicate
The `ud-replicate` program runs on all hosts every 5 minutes and logs
in as the `sshdist` user on the LDAP server. It rsyncs the files from
the `/var/cache/userdir-ldap/$HOST/` directory on the LDAP server to
the `/var/lib/misc/$HOST` directory.
For example, for a host named `example.torproject.org`, `ud-generate`
will write the files in
`/var/cache/userdir-ldap/hosts/example.torproject.org/` and
`ud-replicate` will synchronize that directory, on
`example.torproject.org`, in the
`/var/lib/misc/example.torproject.org/` directory. The
`/var/lib/misc/thishost` symlink will also point to that directory.
Then ud-replicate those special things with some of those
files. Otherwise consumers of those files are expected to use them
directly in `/var/lib/misc/thishost/`, as is.
#### `makedb` template files
Files labeled with `template` are inputs for the [makedb(1)][]
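Review bot: the source path in the first paragraph of the new section is inconsistent with the example that follows it: the paragraph says `/var/cache/userdir-ldap/$HOST/` while the example (and the section above) use `/var/cache/userdir-ldap/hosts/example.torproject.org/`, so the paragraph is missing the `hosts/` component. The sentence `Then ud-replicate those special things with some of those files.` is missing its verb; suggest `ud-replicate then does special things with some of those files, listed below.` Since every host is described as logging in to the LDAP server as `sshdist`, it would also help to state here what that account is permitted to read on the server side (only the calling host's own `$HOST` subdirectory, or the whole cache), because that is what keeps one host from pulling another host's `users.oath` or `web-passwords`.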
... | ... | @@ -532,7 +544,34 @@ The `authorized_keys` file gets shipped if `AUTHKEYS` is set in |
`sshdist` user) and synchronise their configuration with
`ud-replicate`.
TODO: trace this to ud-replicate a little further.
This file gets dropped in `/var/lib/misc/authorized_keys` by
`ud-replicate`. A symlink in `/etc/ssh/userkeys/sshdist` ensures those
keys are active for the `sshdist` user.
#### other special files
More files are handled specially by `ud-replicate`:
* `forward-alias` gets modified (`@emailappend` appended to each
line) and replaces `/etc/postfix/debian`, which gets rehashed by
`postmap`. this is done only if `/etc/postfix` and `forward-alias`
exist
* the `bsmtp` config file is deployed in `/etc/exim4`, if both exist
* if `dns-sshfp` or `dns-zone` are changed, the DNS server zone files
get regenerated and server reloaded (`sudo -u dnsadm
/srv/dns.torproject.org/bin/update`, see "DNS zone file management"
below)
* `ssh_known_hosts` gets symlinked to `/etc/ssh`
* the `ssh-keys.tar.gz` tar archive gets decompressed in
`/var/lib/misc/userkeys`
* the `web-passwords` file is given to `root:www-data` and made
readable only by the group
* the `rtc-passwords` file is installed in `/var/local/` as:
* `rtc-passwords.freerad` if `/etc/freeradius` exists
* `rtc-passwords.return` if `/etc/reTurn` exists
* `rtc-passwords.prosody` if `/etc/prosody` exists
.. and the appropriate service (`freeradius`,
`resiprocate-turn-server`, `prosody`, respectively) get reloaded
### SSH access controls
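Review bot: the new `authorized_keys` paragraph says the file is dropped in `/var/lib/misc/authorized_keys`, but the section above says every synced file lands in `/var/lib/misc/$HOST` (reachable through `/var/lib/misc/thishost`); if the key file really is copied one level up, say so explicitly, otherwise the path should be `/var/lib/misc/thishost/authorized_keys`. In the `other special files` list, `if both exist` for `bsmtp` should name what "both" refers to (presumably the `bsmtp` file and `/etc/exim4`, by analogy with the `forward-alias` item), `this is done only if ... exist` needs a capital and a period, `decompressed in` should be `extracted into`, and the dangling `.. and the appropriate service` fragment should be folded into the `rtc-passwords` item as a proper sentence. Since the `rtc-passwords.*` files carry credentials just as `web-passwords` does, document their owner and mode the same way that item does (`root:www-data`, group-readable only).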