author | Andrew Cady <d@cryptonomic.net> | 2021-10-26 09:29:50 -0400 |
---|---|---|
committer | Andrew Cady <d@cryptonomic.net> | 2021-10-26 09:29:55 -0400 |
commit | 099d70f87208afc6bc0baf098c266c0d705f2453 (patch) | |
tree | c920faf0df43a51d882ab7e31873535b998924de | |
parent | d702643534828f72036d19f75c57ca48a4edc07b (diff) |
split OpenSSH_Anonymous_Access from EndoForge
EndoForge now installs OpenSSH_Anonymous_Access as a dependency.
-rw-r--r-- | EndoForge/Makefile | 67 | ||||
-rwxr-xr-x | EndoForge/src/AuthorizedKeysCommand | 15 | ||||
-rw-r--r-- | EndoForge/src/anonymous-access.conf | 10 | ||||
-rw-r--r-- | OpenSSH_Anonymous_Access/Makefile | 23 | ||||
-rwxr-xr-x | OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access | 8 | ||||
-rw-r--r-- | OpenSSH_Anonymous_Access/README.txt | 14 | ||||
-rw-r--r-- | OpenSSH_Anonymous_Access/anonymous-access.conf | 13 |
7 files changed, 90 insertions, 60 deletions
diff --git a/EndoForge/Makefile b/EndoForge/Makefile index de5d480..a63fa31 100644 --- a/EndoForge/Makefile +++ b/EndoForge/Makefile | |||
@@ -16,15 +16,14 @@ endif | |||
16 | 16 | ||
17 | HAVE_ROOT != $(SUDO) true && echo y || true | 17 | HAVE_ROOT != $(SUDO) true && echo y || true |
18 | 18 | ||
19 | ROOT_INSTALL = $(SUDO) $(INSTALL) | ||
20 | USER != echo "$${SUDO_USER:-$$(id -un)}" | 19 | USER != echo "$${SUDO_USER:-$$(id -un)}" |
21 | SSH_CONFIG_DIR = /etc/ssh | ||
22 | SSHD_CONFIG_DIR = $(SSH_CONFIG_DIR)/sshd_config.d | ||
23 | SSH_LIB_DIR = /usr/lib/ssh | ||
24 | USER_SSH_CONFIG_DIR = ~$(USER)/.ssh | ||
25 | 20 | ||
26 | BROWSER != 2>/dev/null which xdg-open || which w3m || which links || which elinks | 21 | BROWSER != 2>/dev/null which xdg-open || which w3m || which links || which elinks |
27 | 22 | ||
23 | SRC = src | ||
24 | SOURCE_NAMES = AnonymousAccessCommand sshd_config | ||
25 | SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES)) | ||
26 | |||
28 | .PHONY: install install-user install-user-config install-root shared doc test | 27 | .PHONY: install install-user install-user-config install-root shared doc test |
29 | 28 | ||
30 | doc: README.html | 29 | doc: README.html |
@@ -33,46 +32,44 @@ doc: README.html | |||
33 | shared: install | 32 | shared: install |
34 | git config core.self-forge true | 33 | git config core.self-forge true |
35 | 34 | ||
36 | SRC = src | ||
37 | SOURCE_NAMES = AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand sshd_config | ||
38 | SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES)) | ||
39 | |||
40 | KEYTYPE = ed25519 | ||
41 | define EDIT_SSHD | ||
42 | sed \ | ||
43 | -e 's?ForceCommand=$$?&$(HOME)/.ssh/AnonymousAccessCommand?' \ | ||
44 | -e 's?AuthorizedKeysCommandUser=$$?&$(USER)?' \ | ||
45 | -e 's?HostKey=$$?&$(HOME)/.ssh/id_$(KEYTYPE)?' \ | ||
46 | -e 's?PidFile=$$?&$(HOME)/.ssh/sshd.pid?' | ||
47 | endef | ||
48 | |||
49 | install: $(if $(HAVE_ROOT), install-root, install-user) | 35 | install: $(if $(HAVE_ROOT), install-root, install-user) |
50 | 36 | ||
51 | install-user-config: | 37 | install-user-config: |
52 | $(INSTALL) -d ~/.ssh | 38 | install -d ~/.ssh |
53 | $(INSTALL) -t ~/.ssh $(SRC)/AnonymousAccessCommand | 39 | install -t ~/.ssh $(SRC)/AnonymousAccessCommand |
54 | 40 | ||
55 | 41 | install-user: install-user-config build/sshd_config ~/.ssh/id_ed25519 | |
56 | ~/.ssh/id_ed25519: | 42 | $(INSTALL) -m0644 -t ~/.ssh build/sshd_config |
57 | ssh-keygen -t ed25519 -P '' -f $@ | ||
58 | |||
59 | install-user: install-user-config ~/.ssh/id_ed25519 | ||
60 | $(EDIT_SSHD) < $(SRC)/sshd_config > ~/.ssh/sshd_config.tmp | ||
61 | $(MV) ~/.ssh/sshd_config.tmp ~/.ssh/sshd_config | ||
62 | $(INSTALL) -m0644 -t ~/.config/systemd/user $(SRC)/sshd.service | 43 | $(INSTALL) -m0644 -t ~/.config/systemd/user $(SRC)/sshd.service |
63 | systemctl --user daemon-reload | 44 | systemctl --user daemon-reload |
64 | systemctl --user enable sshd | 45 | systemctl --user enable sshd |
65 | systemctl --user restart sshd | 46 | systemctl --user restart sshd |
66 | 47 | ||
67 | install-root: install-user-config | 48 | install-root: install-user-config |
68 | $(ROOT_INSTALL) -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" || true | 49 | $(SUDO) make -C ../OpenSSH_Anonymous_Access install |
69 | $(ROOT_INSTALL) -m0644 -t "$(SSHD_CONFIG_DIR)" $(SRC)/anonymous-access.conf || true | ||
70 | $(ROOT_INSTALL) -t "$(SSH_LIB_DIR)" $(SRC)/AuthorizedKeysCommand || true | ||
71 | [ -e /etc/ssh/AuthorizedKeysCommand ] || $(SUDO) ln -s -t /etc/ssh "$(SSH_LIB_DIR)"/AuthorizedKeysCommand | ||
72 | $(SUDO) systemctl reload sshd | ||
73 | |||
74 | README.html: README.md | ||
75 | pandoc -s --css "$(SRC)"/style.css -t html $< -o $@ | ||
76 | 50 | ||
77 | test: | 51 | test: |
78 | make -C test | 52 | make -C test |
53 | |||
54 | build/sshd_config: $(SRC)/sshd_config Makefile | ||
55 | $(edit_sshd) < "$<" > "$@".tmp | ||
56 | mv "$@".tmp "$@" | ||
57 | |||
58 | KEYTYPE = ed25519 | ||
59 | HOST_KEY_FILE = $(HOME)/.ssh/id_$(KEYTYPE) | ||
60 | SSHD_PID_FILE = $(HOME)/.ssh/sshd.pid | ||
61 | FORCE_COMMAND = $(HOME)/.ssh/AnonymousAccessCommand | ||
62 | |||
63 | $(HOST_KEY_FILE): | ||
64 | ssh-keygen -t "$(KEYTYPE)" -P '' -f "$@" | ||
65 | |||
66 | define edit_sshd | ||
67 | sed \ | ||
68 | -e 's?ForceCommand=$$?&$(FORCE_COMMAND)?' \ | ||
69 | -e 's?AuthorizedKeysCommandUser=$$?&$(USER)?' \ | ||
70 | -e 's?HostKey=$$?&$(HOST_KEY_FILE)?' \ | ||
71 | -e 's?PidFile=$$?&$(SSHD_PID_FILE)?' | ||
72 | endef | ||
73 | |||
74 | README.html: README.md | ||
75 | pandoc -s --css "$(SRC)"/style.css -t html $< -o $@ | ||
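Review bot: The new `build/sshd_config` rule (new lines 54-56) redirects into `"$@".tmp` without ensuring `build/` exists, so on a checkout where that directory is not tracked the first `make install-user` fails at the redirect; add `mkdir -p "$(@D)"` as the first recipe line (or an order-only `| build` prerequisite). The `install-user` prerequisite at new line 41 is the literal `~/.ssh/id_ed25519` while the rule that creates the key is `$(HOST_KEY_FILE)` at new line 63, so a `KEYTYPE` override is not honored; to use `$(HOST_KEY_FILE)` in the prerequisite list, the `KEYTYPE`/`HOST_KEY_FILE` definitions at new lines 58-61 must move above line 41, because prerequisite lists are expanded when the rule is parsed, not when it runs. The recursive invocations at new lines 49 and 52 should be `$(MAKE)` rather than `make` so `-n` and the jobserver propagate, and `install-user-config` (new lines 38-39) now calls bare `install` while line 42 still uses `$(INSTALL)`. The moved `SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))` at new line 25 also lacks the `/` separator (`$(addprefix $(SRC)/,...)`), though that defect predates this commit.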
diff --git a/EndoForge/src/AuthorizedKeysCommand b/EndoForge/src/AuthorizedKeysCommand deleted file mode 100755 index 6e13063..0000000 --- a/EndoForge/src/AuthorizedKeysCommand +++ /dev/null | |||
@@ -1,15 +0,0 @@ | |||
1 | #!/bin/sh | ||
2 | username=$1 | ||
3 | userhome=$2 | ||
4 | fingerprint=$3 | ||
5 | authline="$4 $5" | ||
6 | |||
7 | case "$userhome" in | ||
8 | *'"'*) exit ;; | ||
9 | esac | ||
10 | |||
11 | usercommand=$userhome/.ssh/AnonymousAccessCommand | ||
12 | |||
13 | [ -x "$usercommand" ] || exit | ||
14 | |||
15 | printf 'command="%s",no-port-forwarding %s\n' "$usercommand $fingerprint" "$authline" | ||
diff --git a/EndoForge/src/anonymous-access.conf b/EndoForge/src/anonymous-access.conf deleted file mode 100644 index 5cd6b6a..0000000 --- a/EndoForge/src/anonymous-access.conf +++ /dev/null | |||
@@ -1,10 +0,0 @@ | |||
1 | ExposeAuthInfo=yes | ||
2 | AuthorizedKeysCommandUser=root | ||
3 | AuthorizedKeysCommand=/etc/ssh/AuthorizedKeysCommand %u %h %f "%t %k" | ||
4 | |||
5 | # %u The username. | ||
6 | # %h The home directory of the user. | ||
7 | # %f The fingerprint of the key or certificate. | ||
8 | # %t The key or certificate type. | ||
9 | # %k The base64-encoded key or certificate for authentication. | ||
10 | |||
diff --git a/OpenSSH_Anonymous_Access/Makefile b/OpenSSH_Anonymous_Access/Makefile new file mode 100644 index 0000000..d93c271 --- /dev/null +++ b/OpenSSH_Anonymous_Access/Makefile | |||
@@ -0,0 +1,23 @@ | |||
1 | SRC = . | ||
2 | |||
3 | SELF_NAME = OpenSSH_Anonymous_Access | ||
4 | |||
5 | SSHD_CONFIG_DIR = /etc/ssh/sshd_config.d | ||
6 | SSH_LIBEXEC_DIR = /usr/lib/ssh | ||
7 | |||
8 | .PHONY: install install-files install-link | ||
9 | |||
10 | install: install-files install-link | ||
11 | systemctl reload sshd | ||
12 | |||
13 | install-files: | ||
14 | install -d "$(SSHD_CONFIG_DIR)" "$(SSH_LIBEXEC_DIR)" | ||
15 | |||
16 | install -m0644 -t "$(SSHD_CONFIG_DIR)" "$(SRC)/anonymous-access.conf" | ||
17 | install -t "$(SSH_LIBEXEC_DIR)" "$(SRC)/$(SELF_NAME)" | ||
18 | |||
19 | # The location of this link is hard-coded here and in the | ||
20 | # OpenSSH_Anonymous_Access script. | ||
21 | install-link: | ||
22 | [ -e /etc/ssh/AuthorizedKeysCommand ] || ln -s -t /etc/ssh "$(SSH_LIBEXEC_DIR)/$(SELF_NAME)" | ||
23 | |||
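Review bot: The comment at lines 19-20 says the link location is hard-coded in the OpenSSH_Anonymous_Access script, but the script added in this commit does not reference `/etc/ssh/AuthorizedKeysCommand`, and the new anonymous-access.conf inlines its own `/bin/sh -c` check rather than invoking `$(SSH_LIBEXEC_DIR)/$(SELF_NAME)` — as far as this commit shows, `install-files` and `install-link` install a program nothing calls. Either point the conf's `AuthorizedKeysCommand` at the installed script (so one implementation of the auth-line generation exists) or drop the link and correct the comment; the same observation applies to the OpenSSH_Anonymous_Access and anonymous-access.conf sections below. `install-link` at line 22 also has two edge cases: a dangling symlink fails `-e` and `ln -s` then errors with "File exists", and a pre-existing foreign file is silently kept, so `[ -L /etc/ssh/AuthorizedKeysCommand ] || [ -e /etc/ssh/AuthorizedKeysCommand ] || ln -s ...` with a note in the comment about the keep-if-present policy would be clearer. Since `install: install-files install-link` declares no order between the two, under `make -j` the link can be created before its target is installed; declare `install-link: install-files`.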
diff --git a/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access new file mode 100755 index 0000000..c6d0bfc --- /dev/null +++ b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access | |||
@@ -0,0 +1,8 @@ | |||
1 | #!/bin/sh | ||
2 | # First argument is OpenSSH auth line. | ||
3 | # Following arguments are the ForceCommand. | ||
4 | keys=$1 | ||
5 | shift | ||
6 | if [ -x "$1" ] | ||
7 | then printf 'restrict,pty,command="%s" %s\n' "$*" "$keys" | ||
8 | fi | ||
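Review bot: The script drops the double-quote guard the deleted EndoForge/src/AuthorizedKeysCommand had: `"$*"` is interpolated into `command="%s"` at line 7, so a home directory containing `"` produces a malformed or differently-scoped authorized_keys line rather than a refusal. Restore the check before the printf, `case "$*" in *'"'*) exit 1 ;; esac`. The header comment would also be more useful if it named the concrete argument shapes the Makefile and conf are expected to pass, e.g. `# $1: "%t %k" (key type and base64 key); $2: path to the user's AnonymousAccessCommand; $3...: extra ForceCommand arguments such as %f`, and said that no output (and exit 0) is the deliberate "no keys" answer when `$2` is not executable.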
diff --git a/OpenSSH_Anonymous_Access/README.txt b/OpenSSH_Anonymous_Access/README.txt new file mode 100644 index 0000000..fb08716 --- /dev/null +++ b/OpenSSH_Anonymous_Access/README.txt | |||
@@ -0,0 +1,14 @@ | |||
1 | OpenSSH Anonymous Access | ||
2 | ------------------------ | ||
3 | |||
4 | This repository contains a configuration file for openssh-server that enables | ||
5 | anonymous access to user accounts with the forced command | ||
6 | `$HOME/.ssh/AnonymousAccessCommand`. | ||
7 | |||
8 | When this is installed each user can install their own `AnonymousAccessCommand` | ||
9 | to control access to their account through `OpenSSH`. | ||
10 | |||
11 | Note that this configuration does make it easy for users to accidentally | ||
12 | compromise their own accounts. | ||
13 | |||
14 | |||
diff --git a/OpenSSH_Anonymous_Access/anonymous-access.conf b/OpenSSH_Anonymous_Access/anonymous-access.conf new file mode 100644 index 0000000..7329eb0 --- /dev/null +++ b/OpenSSH_Anonymous_Access/anonymous-access.conf | |||
@@ -0,0 +1,13 @@ | |||
1 | ExposeAuthInfo=yes | ||
2 | AuthorizedKeysCommandUser=root | ||
3 | AuthorizedKeysCommand=/bin/sh -c '[ -x "$0" ] && echo "restrict,pty,command=\\"$0 $*\\" %t %k"' "%h/.ssh/AnonymousAccessCommand" "%f" | ||
4 | # This will break if a user's $HOME contains a double quote. Sorry not sorry. | ||
5 | |||
6 | # This simpler version works: | ||
7 | # AuthorizedKeysCommand=/bin/echo 'restrict,pty,command="%h/.ssh/AnonymousAccessCommand" %t %k' | ||
8 | # | ||
9 | # But that interferes with login failures on accounts that don't have that file. | ||
10 | # | ||
11 | # So a shell script is used that checks to make sure the file exists for the | ||
12 | # user before generating any auth line. | ||
13 | |||
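Review bot: `AuthorizedKeysCommandUser=root` at line 2 runs the `/bin/sh -c` test on line 3 as root against a path under a user-controlled `%h`, which is more privilege than the `[ -x ]` test needs; sshd's own guidance is a dedicated unprivileged account for this role, and root should be kept only if home directories are not searchable by such an account — a one-line comment stating which case applies here would help the next maintainer, e.g. `# Runs as root only because home directories may be unsearchable by other users; prefer a dedicated AuthorizedKeysCommandUser where possible.`. Because there is no `Match` block, the directive applies to every account on the host: any presented key is accepted for any user whose `~/.ssh/AnonymousAccessCommand` is executable, which the README acknowledges but this file does not; consider documenting that scope at the top of the file or gating the directives behind an opt-in `Match Group`. Note also that this file only takes effect if the host's sshd_config includes `sshd_config.d/*.conf`, which the installer does not verify.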