author | Andrew Cady <d@cryptonomic.net> | 2021-10-24 04:58:30 -0400 |
---|---|---|
committer | Andrew Cady <d@cryptonomic.net> | 2021-10-24 05:48:56 -0400 |
commit | 187db8e649641aa64dc49c29ea6bbeba1f7cabf7 (patch) | |
tree | 7d4795161361f4bebe7d5d29dc111f77c1956728 | |
parent | 82724b1955cb39fde0d920e3de7a61574502f56a (diff) |
comments and fiddling
-rw-r--r-- | EndoForge/README.md | 19 | ||||
-rwxr-xr-x | EndoForge/openssh/AuthorizedKeysCommand | 5 | ||||
-rwxr-xr-x | EndoForge/openssh/run-sshd | 24 |
3 files changed, 28 insertions, 20 deletions
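--- a/EndoForge/README.md
+++ b/EndoForge/README.md
@@ -71,20 +71,19 @@ editing the system `OpenSSH` configuration.
 NON-ROOT INSTALLATION
 ---------------------
 
-If sudo access is not available, you can install to a different
-location:
+A configuration is included for running OpenSSH from an unprivileged user
+account. Try it like so:
+
 
 ```
-make SSH_CONFIG_DIR=.config/ssh \
-SSHD_CONFIG_DIR=.config/ssh/config.d \
-SSH_LIB_DIR=.local/lib/ssh \
-install
+cd EndoForge
+make install
+cd openssh
+make run
 ```
 
-Then you will need to run `OpenSSH` on a non-default port (the default
-port requires root access).
-
-
+This launches a script that uses 'fakeroot' and to make OpenSSH think the
+permissions are OK.
 
 
 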
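--- a/EndoForge/openssh/AuthorizedKeysCommand
+++ b/EndoForge/openssh/AuthorizedKeysCommand
@@ -1,4 +1,9 @@
 #!/bin/sh
+# Modified AuthorizedKeysCommand for running OpenSSH as unprivileged user.
+#
+# Uses the home directory of the calling user (ascertained through "id -un")
+# instead of the authenticated user.
+
 fingerprint=$3
 authline="$4 $5"
 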
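Review bot: The new header says whose home directory is used but not what the positional arguments are, and the script reads `$3`, `$4` and `$5` with no check that they were passed. I would add a line such as `# Arguments (from the AuthorizedKeysCommand tokens in sshd_config): $3 = key fingerprint, $4 $5 = key type and key`; the meaning of `$4`/`$5` is inferred from the name `authline`, so confirm it against the config. The header should also state the consequence of ignoring the authenticated user: presumably every login name offered to this sshd is checked against the calling user's keys. The rest of the script lies outside the hunk.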
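--- a/EndoForge/openssh/run-sshd
+++ b/EndoForge/openssh/run-sshd
@@ -1,4 +1,9 @@
 #!/bin/sh
+# Fix file ownership with fakeroot so that OpenSSH will run as a user.
+#
+# The ownership is not really changed on disk, but 'chmod go-w' might actually
+# change permissions on disk.
+
 case "$LD_PRELOAD" in
 libfakeroot-sysv.so) ;;
 '') exec fakeroot -- "$0" "$@" ;;
@@ -7,20 +12,19 @@ esac
 
 fixperms()
 {
-set --
-dirs=$HOME
-p=$HOME
-while [ "$p" != "${p%/*}" ]
+set -- "$1"
+local p="$1" oldp=
+while [ "$p" != "$oldp" ]
 do
-p=${p%/*}
-dirs="$dirs $p/"
+oldp=$p
+p=${p%/*}/
+set -- "$@" "$p"
 done
-
-chown root:root $dirs
-chmod go-w $dirs
+chown root:root "$@"
+chmod go-w "$@"
 }
 
-fixperms
+fixperms "$HOME"/.ssh
 
 PATH=/sbin:/usr/sbin:$PATH
 cmd="$(which sshd) $*"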
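Review bot: The walk in `fixperms` stops after one step: once `p` ends in `/`, `${p%/*}/` strips only that trailing slash and puts it back, so for `"$HOME"/.ssh` the argument list becomes `.ssh`, `$HOME/` and `$HOME/` again, and nothing above `$HOME` reaches `chown`/`chmod`. The previous loop climbed to `/`; if that is still intended, drop the slash before trimming, e.g. `p=${p%/}; p=${p%/*}/`, and keep the fixed-point test. Separately, `local` is not POSIX although the script runs under `#!/bin/sh`. The header comment could also name the directories whose mode `chmod go-w "$@"` really changes on disk, which are `$HOME` and `$HOME/.ssh`.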