Removing run-sshd script

I realized that if you are running `sshd` as a user, then you can just use `ForceCommand=` directly in the `sshd_config`. This eliminates the need for fakeroot. And that simplifies the setup enough so that the `openssh/` directory can go away.
author: Andrew Cady <d@cryptonomic.net> 2021-10-24 06:15:10 -0400
committer: Andrew Cady <d@cryptonomic.net> 2021-10-24 06:18:45 -0400
commit: 5e1f460dd3bf6288893ae61429a94dd90d19cdfb (patch)
tree: c0811cf81cbdcad19d0f7bd84b26350ad3835310
parent: 187db8e649641aa64dc49c29ea6bbeba1f7cabf7 (diff)
6 files changed, 42 insertions, 82 deletions
diff --git a/EndoForge/Makefile b/EndoForge/Makefile
index 46f1af4..3846ebd 100644
--- a/EndoForge/Makefile
+++ b/EndoForge/Makefile
@@ -1,13 +1,18 @@
+ENDOFORGE_BACKUPS = y
+ifneq (,$(ENDOFORGE_BACKUPS))
+INSTALL := install -b --suffix=~$(shell date -Ins | tr -d :)
+else
+INSTALL = install
+endif
 ifeq ($(shell id -u),0)
 SUDO =
 else
 SUDO = sudo
 endif
-ROOT_INSTALL = $(SUDO) install
+ROOT_INSTALL = $(SUDO) $(INSTALL)
 USER != echo "$${SUDO_USER:-$$(id -un)}"
 SSH_CONFIG_DIR = /etc/ssh
 SSHD_CONFIG_DIR = $(SSH_CONFIG_DIR)/sshd_config.d
 SSH_LIB_DIR = /usr/lib/ssh
@@ -15,7 +20,7 @@ USER_SSH_CONFIG_DIR = ~$(USER)/.ssh
 BROWSER != 2>/dev/null which xdg-open || which w3m || which links || which elinks
-.PHONY: install shared doc test
+.PHONY: install install-user install-root shared doc test
 doc: README.html
        $(BROWSER) $<
@@ -24,17 +29,27 @@ shared: install
        git config core.self-forge true
 SRC = src
-SOURCES = $(addprefix $(SRC), AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand)
+SOURCE_NAMES = AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand sshd_config
+SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))
+install: install-user install-root
-install:
+install-user:
-        install -t $(USER_SSH_CONFIG_DIR) $(SRC)/AnonymousAccessCommand
+        $(INSTALL)        -d ~/.ssh
-        $(ROOT_INSTALL) -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" || true
+        $(INSTALL)        -t ~/.ssh $(SRC)/AnonymousAccessCommand
+        $(INSTALL) -m0600 -t ~/.ssh $(SRC)/sshd_config
+install-root:
+        $(ROOT_INSTALL)        -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" || true
        $(ROOT_INSTALL) -m0644 -t "$(SSHD_CONFIG_DIR)" $(SRC)/anonymous-access.conf || true
        $(ROOT_INSTALL)        -t "$(SSH_LIB_DIR)" $(SRC)/AuthorizedKeysCommand || true
        [ -e "$(SSH_LIB_DIR)"/AuthorizedKeysCommand ] || $(SUDO) ln -s -t /etc/ssh "$(SSH_LIB_DIR)"/AuthorizedKeysCommand
+run: install-user
+        /usr/sbin/sshd -D -e -f ~/.ssh/sshd_config
 README.html: README.md
-        pandoc -s --css style.css -t html $< -o $@
+        pandoc --metadata 'EndoForge - A self-forge in any git repository' -s --css style.css -t html $< -o $@
 test:
        make -C test
diff --git a/EndoForge/README.md b/EndoForge/README.md
index 0b1a8dd..14e640e 100644
--- a/EndoForge/README.md
+++ b/EndoForge/README.md
@@ -1,6 +1,8 @@
 EndoForge
 ---------
-Convert your Git repository into a Self-Forge by merging this repository.
+A Self-Forge.
+Convert any Git repository into a Self-Forge by merging this repository.
@@ -57,8 +59,8 @@ Run:
  make install
 ```
-This installs the `AnonymousAccessCommand` in the current user's home
+This installs the `AnonymousAccessCommand` in the current user's home directory
-directory.
+(under `$HOME/.ssh`).
 Then, if sudo access is available, it enables anonymous access by
 editing the system `OpenSSH` configuration.
@@ -71,8 +73,8 @@ editing the system `OpenSSH` configuration.
 NON-ROOT INSTALLATION
 ---------------------
-A configuration is included for running OpenSSH from an unprivileged user
+An OpenSSH configuration and wrapper is included for running EndoForge from an
-account.  Try it like so:
+unprivileged user account. Try it like so:
 ```
@@ -83,7 +85,8 @@ account.  Try it like so:
 ```
 This launches a script that uses 'fakeroot' and to make OpenSSH think the
-permissions are OK.
+permissions are OK. This repository needs a systemd service file to launch it
+automatically (TODO).
diff --git a/EndoForge/openssh/AuthorizedKeysCommand b/EndoForge/openssh/AuthorizedKeysCommand
deleted file mode 100755
index 0e6d285..0000000
--- a/EndoForge/openssh/AuthorizedKeysCommand
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-# Modified AuthorizedKeysCommand for running OpenSSH as unprivileged user.
-#
-# Uses the home directory of the calling user (ascertained through "id -un")
-# instead of the authenticated user.
-fingerprint=$3
-authline="$4 $5"
-username=$(id -un)
-userhome=$(getent passwd $(id -un) | (IFS=: read _ _ _ _ _ home _ && echo "$home"))
-case "$userhome" in
-        '' | *"'"* ) exit ;;
-esac
-usercommand=$userhome/.ssh/AnonymousAccessCommand
-[ -x "$usercommand" ] || exit
-printf 'command="%s",no-port-forwarding %s\n' "$usercommand $fingerprint" "$authline"
diff --git a/EndoForge/openssh/Makefile b/EndoForge/openssh/Makefile
deleted file mode 100644
index ae39ed2..0000000
--- a/EndoForge/openssh/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-run:
-        ./run-sshd -D -e -f ~/.ssh/sshd_config
-install:
-        install -m0600 sshd_config -t ~/.ssh
-        install -m0755 AuthorizedKeysCommand -t ~/.ssh
diff --git a/EndoForge/openssh/run-sshd b/EndoForge/openssh/run-sshd
deleted file mode 100755
index 20e82d8..0000000
--- a/EndoForge/openssh/run-sshd
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-# Fix file ownership with fakeroot so that OpenSSH will run as a user.
-#
-# The ownership is not really changed on disk, but 'chmod go-w' might actually
-# change permissions on disk.
-case "$LD_PRELOAD" in
-    libfakeroot-sysv.so) ;;
-    '') exec fakeroot -- "$0" "$@" ;;
-    *) exit 1 ;;
-esac
-fixperms()
-{
-    set -- "$1"
-    local p="$1" oldp=
-    while [ "$p" != "$oldp" ]
-    do
-        oldp=$p
-        p=${p%/*}/
-        set -- "$@" "$p"
-    done
-    chown root:root "$@"
-    chmod go-w "$@"
-}
-fixperms "$HOME"/.ssh
-PATH=/sbin:/usr/sbin:$PATH
-cmd="$(which sshd) $*"
-runuser -u "$USER" -- sh -c "$cmd"
diff --git a/EndoForge/openssh/sshd_config b/EndoForge/src/sshd_config
index 2273805..de34cd4 100644
--- a/EndoForge/openssh/sshd_config
+++ b/EndoForge/src/sshd_config
@@ -1,15 +1,17 @@
-Port=22022
+# This allows completely open access:
+AuthorizedKeysCommand=/bin/echo %t %k
-HostKey=/home/u/.ssh/id_ed25519
+# Only this closes it back up:
-PidFile=/home/u/.ssh/sshd.pid
+ForceCommand=/home/u/.ssh/AnonymousAccessCommand
+AuthenticationMethods publickey
 AuthorizedKeysCommandUser=u
-AuthorizedKeysCommand=/home/u/.ssh/AuthorizedKeysCommand %u %h %f "%t %k"
 ExposeAuthInfo=yes
-AuthenticationMethods publickey
+Port=22022
+HostKey=/home/u/.ssh/id_ed25519
+PidFile=/home/u/.ssh/sshd.pid
 AcceptEnv LANG LC_*
-Subsystem       sftp /usr/lib/openssh/sftp-server
 UsePAM no
 PermitTTY no
 ChrootDirectory=none
author	Andrew Cady <d@cryptonomic.net>	2021-10-24 06:15:10 -0400
committer	Andrew Cady <d@cryptonomic.net>	2021-10-24 06:18:45 -0400
commit	5e1f460dd3bf6288893ae61429a94dd90d19cdfb (patch)
tree	c0811cf81cbdcad19d0f7bd84b26350ad3835310
parent	187db8e649641aa64dc49c29ea6bbeba1f7cabf7 (diff)

diff --git a/EndoForge/Makefile b/EndoForge/Makefile index 46f1af4..3846ebd 100644 --- a/EndoForge/Makefile +++ b/EndoForge/Makefile
@@ -1,13 +1,18 @@
		1	ENDOFORGE_BACKUPS = y
		2	ifneq (,$(ENDOFORGE_BACKUPS))
		3	INSTALL := install -b --suffix=~$(shell date -Ins \| tr -d :)
		4	else
		5	INSTALL = install
		6	endif
		7
1	ifeq ($(shell id -u),0)	8	ifeq ($(shell id -u),0)
2	SUDO =	9	SUDO =
3	else	10	else
4	SUDO = sudo	11	SUDO = sudo
5	endif	12	endif
6		13
7	ROOT_INSTALL = $(SUDO) install	14	ROOT_INSTALL = $(SUDO) $(INSTALL)
8
9	USER != echo "$${SUDO_USER:-$$(id -un)}"	15	USER != echo "$${SUDO_USER:-$$(id -un)}"
10
11	SSH_CONFIG_DIR = /etc/ssh	16	SSH_CONFIG_DIR = /etc/ssh
12	SSHD_CONFIG_DIR = $(SSH_CONFIG_DIR)/sshd_config.d	17	SSHD_CONFIG_DIR = $(SSH_CONFIG_DIR)/sshd_config.d
13	SSH_LIB_DIR = /usr/lib/ssh	18	SSH_LIB_DIR = /usr/lib/ssh
@@ -15,7 +20,7 @@ USER_SSH_CONFIG_DIR = ~$(USER)/.ssh
15		20
16	BROWSER != 2>/dev/null which xdg-open \|\| which w3m \|\| which links \|\| which elinks	21	BROWSER != 2>/dev/null which xdg-open \|\| which w3m \|\| which links \|\| which elinks
17		22
18	.PHONY: install shared doc test	23	.PHONY: install install-user install-root shared doc test
19		24
20	doc: README.html	25	doc: README.html
21	$(BROWSER) $<	26	$(BROWSER) $<
@@ -24,17 +29,27 @@ shared: install
24	git config core.self-forge true	29	git config core.self-forge true
25		30
26	SRC = src	31	SRC = src
27	SOURCES = $(addprefix $(SRC), AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand)	32	SOURCE_NAMES = AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand sshd_config
		33	SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))
		34
		35	install: install-user install-root
28		36
29	install:	37	install-user:
30	install -t $(USER_SSH_CONFIG_DIR) $(SRC)/AnonymousAccessCommand	38	$(INSTALL) -d ~/.ssh
31	$(ROOT_INSTALL) -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" \|\| true	39	$(INSTALL) -t ~/.ssh $(SRC)/AnonymousAccessCommand
		40	$(INSTALL) -m0600 -t ~/.ssh $(SRC)/sshd_config
		41
		42	install-root:
		43	$(ROOT_INSTALL) -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" \|\| true
32	$(ROOT_INSTALL) -m0644 -t "$(SSHD_CONFIG_DIR)" $(SRC)/anonymous-access.conf \|\| true	44	$(ROOT_INSTALL) -m0644 -t "$(SSHD_CONFIG_DIR)" $(SRC)/anonymous-access.conf \|\| true
33	$(ROOT_INSTALL) -t "$(SSH_LIB_DIR)" $(SRC)/AuthorizedKeysCommand \|\| true	45	$(ROOT_INSTALL) -t "$(SSH_LIB_DIR)" $(SRC)/AuthorizedKeysCommand \|\| true
34	[ -e "$(SSH_LIB_DIR)"/AuthorizedKeysCommand ] \|\| $(SUDO) ln -s -t /etc/ssh "$(SSH_LIB_DIR)"/AuthorizedKeysCommand	46	[ -e "$(SSH_LIB_DIR)"/AuthorizedKeysCommand ] \|\| $(SUDO) ln -s -t /etc/ssh "$(SSH_LIB_DIR)"/AuthorizedKeysCommand
35		47
		48	run: install-user
		49	/usr/sbin/sshd -D -e -f ~/.ssh/sshd_config
		50
36	README.html: README.md	51	README.html: README.md
37	pandoc -s --css style.css -t html $< -o $@	52	pandoc --metadata 'EndoForge - A self-forge in any git repository' -s --css style.css -t html $< -o $@
38		53
39	test:	54	test:
40	make -C test	55	make -C test


diff --git a/EndoForge/README.md b/EndoForge/README.md index 0b1a8dd..14e640e 100644 --- a/EndoForge/README.md +++ b/EndoForge/README.md
@@ -1,6 +1,8 @@
1	EndoForge	1	EndoForge
2	---------	2	---------
3	Convert your Git repository into a Self-Forge by merging this repository.	3	A Self-Forge.
		4
		5	Convert any Git repository into a Self-Forge by merging this repository.
4		6
5		7
6		8
@@ -57,8 +59,8 @@ Run:
57	make install	59	make install
58	```	60	```
59		61
60	This installs the `AnonymousAccessCommand` in the current user's home	62	This installs the `AnonymousAccessCommand` in the current user's home directory
61	directory.	63	(under `$HOME/.ssh`).
62		64
63	Then, if sudo access is available, it enables anonymous access by	65	Then, if sudo access is available, it enables anonymous access by
64	editing the system `OpenSSH` configuration.	66	editing the system `OpenSSH` configuration.
@@ -71,8 +73,8 @@ editing the system `OpenSSH` configuration.
71	NON-ROOT INSTALLATION	73	NON-ROOT INSTALLATION
72	---------------------	74	---------------------
73		75
74	A configuration is included for running OpenSSH from an unprivileged user	76	An OpenSSH configuration and wrapper is included for running EndoForge from an
75	account. Try it like so:	77	unprivileged user account. Try it like so:
76		78
77		79
78	```	80	```
@@ -83,7 +85,8 @@ account. Try it like so:
83	```	85	```
84		86
85	This launches a script that uses 'fakeroot' and to make OpenSSH think the	87	This launches a script that uses 'fakeroot' and to make OpenSSH think the
86	permissions are OK.	88	permissions are OK. This repository needs a systemd service file to launch it
		89	automatically (TODO).
87		90
88		91
89		92


diff --git a/EndoForge/openssh/AuthorizedKeysCommand b/EndoForge/openssh/AuthorizedKeysCommand deleted file mode 100755 index 0e6d285..0000000 --- a/EndoForge/openssh/AuthorizedKeysCommand +++ /dev/null
@@ -1,21 +0,0 @@
1	#!/bin/sh
2	# Modified AuthorizedKeysCommand for running OpenSSH as unprivileged user.
3	#
4	# Uses the home directory of the calling user (ascertained through "id -un")
5	# instead of the authenticated user.
6
7	fingerprint=$3
8	authline="$4 $5"
9
10	username=$(id -un)
11	userhome=$(getent passwd $(id -un) \| (IFS=: read _ _ _ _ _ home _ && echo "$home"))
12
13	case "$userhome" in
14	'' \| "'" ) exit ;;
15	esac
16
17	usercommand=$userhome/.ssh/AnonymousAccessCommand
18
19	[ -x "$usercommand" ] \|\| exit
20
21	printf 'command="%s",no-port-forwarding %s\n' "$usercommand $fingerprint" "$authline"


diff --git a/EndoForge/openssh/Makefile b/EndoForge/openssh/Makefile deleted file mode 100644 index ae39ed2..0000000 --- a/EndoForge/openssh/Makefile +++ /dev/null
@@ -1,7 +0,0 @@
1
2	run:
3	./run-sshd -D -e -f ~/.ssh/sshd_config
4
5	install:
6	install -m0600 sshd_config -t ~/.ssh
7	install -m0755 AuthorizedKeysCommand -t ~/.ssh


diff --git a/EndoForge/openssh/run-sshd b/EndoForge/openssh/run-sshd deleted file mode 100755 index 20e82d8..0000000 --- a/EndoForge/openssh/run-sshd +++ /dev/null
@@ -1,32 +0,0 @@
1	#!/bin/sh
2	# Fix file ownership with fakeroot so that OpenSSH will run as a user.
3	#
4	# The ownership is not really changed on disk, but 'chmod go-w' might actually
5	# change permissions on disk.
6
7	case "$LD_PRELOAD" in
8	libfakeroot-sysv.so) ;;
9	'') exec fakeroot -- "$0" "$@" ;;
10	*) exit 1 ;;
11	esac
12
13	fixperms()
14	{
15	set -- "$1"
16	local p="$1" oldp=
17	while [ "$p" != "$oldp" ]
18	do
19	oldp=$p
20	p=${p%/*}/
21	set -- "$@" "$p"
22	done
23	chown root:root "$@"
24	chmod go-w "$@"
25	}
26
27	fixperms "$HOME"/.ssh
28
29	PATH=/sbin:/usr/sbin:$PATH
30	cmd="$(which sshd) $*"
31	runuser -u "$USER" -- sh -c "$cmd"
32


diff --git a/EndoForge/openssh/sshd_config b/EndoForge/src/sshd_config index 2273805..de34cd4 100644 --- a/EndoForge/openssh/sshd_config +++ b/EndoForge/src/sshd_config
@@ -1,15 +1,17 @@
1	Port=22022	1	# This allows completely open access:
2		2	AuthorizedKeysCommand=/bin/echo %t %k
3	HostKey=/home/u/.ssh/id_ed25519	3	# Only this closes it back up:
4	PidFile=/home/u/.ssh/sshd.pid	4	ForceCommand=/home/u/.ssh/AnonymousAccessCommand
5		5
		6	AuthenticationMethods publickey
6	AuthorizedKeysCommandUser=u	7	AuthorizedKeysCommandUser=u
7	AuthorizedKeysCommand=/home/u/.ssh/AuthorizedKeysCommand %u %h %f "%t %k"
8	ExposeAuthInfo=yes	8	ExposeAuthInfo=yes
9		9
10	AuthenticationMethods publickey	10	Port=22022
		11	HostKey=/home/u/.ssh/id_ed25519
		12	PidFile=/home/u/.ssh/sshd.pid
		13
11	AcceptEnv LANG LC_*	14	AcceptEnv LANG LC_*
12	Subsystem sftp /usr/lib/openssh/sftp-server
13	UsePAM no	15	UsePAM no
14	PermitTTY no	16	PermitTTY no
15	ChrootDirectory=none	17	ChrootDirectory=none