split OpenSSH_Anonymous_Access from EndoForge

EndoForge now installs OpenSSH_Anonymous_Access as a dependency.
author: Andrew Cady <d@cryptonomic.net> 2021-10-26 09:29:50 -0400
committer: Andrew Cady <d@cryptonomic.net> 2021-10-26 09:29:55 -0400
commit: 099d70f87208afc6bc0baf098c266c0d705f2453 (patch)
tree: c920faf0df43a51d882ab7e31873535b998924de
parent: d702643534828f72036d19f75c57ca48a4edc07b (diff)
7 files changed, 90 insertions, 60 deletions
diff --git a/EndoForge/Makefile b/EndoForge/Makefile
index de5d480..a63fa31 100644
--- a/EndoForge/Makefile
+++ b/EndoForge/Makefile
@@ -16,15 +16,14 @@ endif
 HAVE_ROOT != $(SUDO) true && echo y || true
-ROOT_INSTALL = $(SUDO) $(INSTALL)
 USER != echo "$${SUDO_USER:-$$(id -un)}"
-SSH_CONFIG_DIR = /etc/ssh
-SSHD_CONFIG_DIR = $(SSH_CONFIG_DIR)/sshd_config.d
-SSH_LIB_DIR = /usr/lib/ssh
-USER_SSH_CONFIG_DIR = ~$(USER)/.ssh
 BROWSER != 2>/dev/null which xdg-open || which w3m || which links || which elinks
+SRC = src
+SOURCE_NAMES = AnonymousAccessCommand sshd_config
+SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))
 .PHONY: install install-user install-user-config install-root shared doc test
 doc: README.html
@@ -33,46 +32,44 @@ doc: README.html
 shared: install
        git config core.self-forge true
-SRC = src
-SOURCE_NAMES = AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand sshd_config
-SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))
-KEYTYPE = ed25519
-define EDIT_SSHD
-sed \
-                -e 's?ForceCommand=$$?&$(HOME)/.ssh/AnonymousAccessCommand?' \
-                -e 's?AuthorizedKeysCommandUser=$$?&$(USER)?' \
-                -e 's?HostKey=$$?&$(HOME)/.ssh/id_$(KEYTYPE)?' \
-                -e 's?PidFile=$$?&$(HOME)/.ssh/sshd.pid?'
-endef
 install: $(if $(HAVE_ROOT), install-root, install-user)
 install-user-config:
-        $(INSTALL) -d ~/.ssh
+        install -d ~/.ssh
-        $(INSTALL) -t ~/.ssh $(SRC)/AnonymousAccessCommand
+        install -t ~/.ssh $(SRC)/AnonymousAccessCommand
+install-user: install-user-config build/sshd_config ~/.ssh/id_ed25519
-~/.ssh/id_ed25519:
+        $(INSTALL) -m0644 -t ~/.ssh build/sshd_config
-        ssh-keygen -t ed25519 -P '' -f $@
-install-user: install-user-config ~/.ssh/id_ed25519
-        $(EDIT_SSHD) < $(SRC)/sshd_config > ~/.ssh/sshd_config.tmp
-        $(MV) ~/.ssh/sshd_config.tmp ~/.ssh/sshd_config
        $(INSTALL) -m0644 -t ~/.config/systemd/user $(SRC)/sshd.service
        systemctl --user daemon-reload
        systemctl --user enable sshd
        systemctl --user restart sshd
 install-root: install-user-config
-        $(ROOT_INSTALL)        -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" || true
+        $(SUDO) make -C ../OpenSSH_Anonymous_Access install
-        $(ROOT_INSTALL) -m0644 -t "$(SSHD_CONFIG_DIR)" $(SRC)/anonymous-access.conf || true
-        $(ROOT_INSTALL)        -t "$(SSH_LIB_DIR)" $(SRC)/AuthorizedKeysCommand || true
-        [ -e /etc/ssh/AuthorizedKeysCommand ] || $(SUDO) ln -s -t /etc/ssh "$(SSH_LIB_DIR)"/AuthorizedKeysCommand
-        $(SUDO) systemctl reload sshd
-README.html: README.md
-        pandoc -s --css "$(SRC)"/style.css -t html $< -o $@
 test:
        make -C test
+build/sshd_config: $(SRC)/sshd_config Makefile
+        $(edit_sshd) < "$<" > "$@".tmp
+        mv "$@".tmp "$@"
+KEYTYPE = ed25519
+HOST_KEY_FILE = $(HOME)/.ssh/id_$(KEYTYPE)
+SSHD_PID_FILE = $(HOME)/.ssh/sshd.pid
+FORCE_COMMAND = $(HOME)/.ssh/AnonymousAccessCommand
+$(HOST_KEY_FILE):
+        ssh-keygen -t "$(KEYTYPE)" -P '' -f "$@"
+define edit_sshd
+sed \
+                -e 's?ForceCommand=$$?&$(FORCE_COMMAND)?' \
+                -e 's?AuthorizedKeysCommandUser=$$?&$(USER)?' \
+                -e 's?HostKey=$$?&$(HOST_KEY_FILE)?' \
+                -e 's?PidFile=$$?&$(SSHD_PID_FILE)?'
+endef
+README.html: README.md
+        pandoc -s --css "$(SRC)"/style.css -t html $< -o $@
diff --git a/EndoForge/src/AuthorizedKeysCommand b/EndoForge/src/AuthorizedKeysCommand
deleted file mode 100755
index 6e13063..0000000
--- a/EndoForge/src/AuthorizedKeysCommand
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-username=$1
-userhome=$2
-fingerprint=$3
-authline="$4 $5"
-case "$userhome" in
-        *'"'*) exit ;;
-esac
-usercommand=$userhome/.ssh/AnonymousAccessCommand
-[ -x "$usercommand" ] || exit
-printf 'command="%s",no-port-forwarding %s\n' "$usercommand $fingerprint" "$authline"
diff --git a/EndoForge/src/anonymous-access.conf b/EndoForge/src/anonymous-access.conf
deleted file mode 100644
index 5cd6b6a..0000000
--- a/EndoForge/src/anonymous-access.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-ExposeAuthInfo=yes
-AuthorizedKeysCommandUser=root
-AuthorizedKeysCommand=/etc/ssh/AuthorizedKeysCommand %u %h %f "%t %k"
-#          %u    The username.
-#          %h    The home directory of the user.
-#          %f    The fingerprint of the key or certificate.
-#          %t    The key or certificate type.
-#          %k    The base64-encoded key or certificate for authentication.
diff --git a/OpenSSH_Anonymous_Access/Makefile b/OpenSSH_Anonymous_Access/Makefile
new file mode 100644
index 0000000..d93c271
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/Makefile
@@ -0,0 +1,23 @@
+SRC = .
+SELF_NAME = OpenSSH_Anonymous_Access
+SSHD_CONFIG_DIR = /etc/ssh/sshd_config.d
+SSH_LIBEXEC_DIR                 = /usr/lib/ssh
+.PHONY: install install-files install-link
+install: install-files install-link
+        systemctl reload sshd
+install-files:
+        install -d "$(SSHD_CONFIG_DIR)" "$(SSH_LIBEXEC_DIR)"
+        install -m0644 -t "$(SSHD_CONFIG_DIR)" "$(SRC)/anonymous-access.conf"
+        install        -t     "$(SSH_LIBEXEC_DIR)" "$(SRC)/$(SELF_NAME)"
+# The location of this link is hard-coded here and in the
+# OpenSSH_Anonymous_Access script.
+install-link:
+        [ -e /etc/ssh/AuthorizedKeysCommand ] || ln -s -t /etc/ssh "$(SSH_LIBEXEC_DIR)/$(SELF_NAME)"
diff --git a/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access
new file mode 100755
index 0000000..c6d0bfc
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access
@@ -0,0 +1,8 @@
+#!/bin/sh
+# First argument is OpenSSH auth line.
+# Following arguments are the ForceCommand.
+keys=$1
+shift
+if [ -x "$1" ]
+then printf 'restrict,pty,command="%s" %s\n' "$*" "$keys"
+fi
diff --git a/OpenSSH_Anonymous_Access/README.txt b/OpenSSH_Anonymous_Access/README.txt
new file mode 100644
index 0000000..fb08716
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/README.txt
@@ -0,0 +1,14 @@
+OpenSSH Anonymous Access
+------------------------
+This repository contains a configuration file for openssh-server that enables
+anonymous access to user accounts with the forced command
+`$HOME/.ssh/AnonymousAccessCommand`.
+When this is installed each user can install their own `AnonymousAccessCommand`
+to control access to their account through `OpenSSH`.
+Note that this configuration does make it easy for users to accidentally
+compromise their own accounts.
diff --git a/OpenSSH_Anonymous_Access/anonymous-access.conf b/OpenSSH_Anonymous_Access/anonymous-access.conf
new file mode 100644
index 0000000..7329eb0
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/anonymous-access.conf
@@ -0,0 +1,13 @@
+ExposeAuthInfo=yes
+AuthorizedKeysCommandUser=root
+AuthorizedKeysCommand=/bin/sh -c '[ -x "$0" ] && echo "restrict,pty,command=\\"$0 $*\\" %t %k"' "%h/.ssh/AnonymousAccessCommand" "%f"
+# This will break if a user's $HOME contains a double quote. Sorry not sorry.
+# This simpler version works:
+# AuthorizedKeysCommand=/bin/echo 'restrict,pty,command="%h/.ssh/AnonymousAccessCommand" %t %k'
+#
+# But that interferes with login failures on accounts that don't have that file.
+#
+# So a shell script is used that checks to make sure the file exists for the
+# user before generating any auth line.
author	Andrew Cady <d@cryptonomic.net>	2021-10-26 09:29:50 -0400
committer	Andrew Cady <d@cryptonomic.net>	2021-10-26 09:29:55 -0400
commit	099d70f87208afc6bc0baf098c266c0d705f2453 (patch)
tree	c920faf0df43a51d882ab7e31873535b998924de
parent	d702643534828f72036d19f75c57ca48a4edc07b (diff)

diff --git a/EndoForge/Makefile b/EndoForge/Makefile index de5d480..a63fa31 100644 --- a/EndoForge/Makefile +++ b/EndoForge/Makefile
@@ -16,15 +16,14 @@ endif
16		16
17	HAVE_ROOT != $(SUDO) true && echo y \|\| true	17	HAVE_ROOT != $(SUDO) true && echo y \|\| true
18		18
19	ROOT_INSTALL = $(SUDO) $(INSTALL)
20	USER != echo "$${SUDO_USER:-$$(id -un)}"	19	USER != echo "$${SUDO_USER:-$$(id -un)}"
21	SSH_CONFIG_DIR = /etc/ssh
22	SSHD_CONFIG_DIR = $(SSH_CONFIG_DIR)/sshd_config.d
23	SSH_LIB_DIR = /usr/lib/ssh
24	USER_SSH_CONFIG_DIR = ~$(USER)/.ssh
25		20
26	BROWSER != 2>/dev/null which xdg-open \|\| which w3m \|\| which links \|\| which elinks	21	BROWSER != 2>/dev/null which xdg-open \|\| which w3m \|\| which links \|\| which elinks
27		22
		23	SRC = src
		24	SOURCE_NAMES = AnonymousAccessCommand sshd_config
		25	SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))
		26
28	.PHONY: install install-user install-user-config install-root shared doc test	27	.PHONY: install install-user install-user-config install-root shared doc test
29		28
30	doc: README.html	29	doc: README.html
@@ -33,46 +32,44 @@ doc: README.html
33	shared: install	32	shared: install
34	git config core.self-forge true	33	git config core.self-forge true
35		34
36	SRC = src
37	SOURCE_NAMES = AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand sshd_config
38	SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))
39
40	KEYTYPE = ed25519
41	define EDIT_SSHD
42	sed \
43	-e 's?ForceCommand=$$?&$(HOME)/.ssh/AnonymousAccessCommand?' \
44	-e 's?AuthorizedKeysCommandUser=$$?&$(USER)?' \
45	-e 's?HostKey=$$?&$(HOME)/.ssh/id_$(KEYTYPE)?' \
46	-e 's?PidFile=$$?&$(HOME)/.ssh/sshd.pid?'
47	endef
48
49	install: $(if $(HAVE_ROOT), install-root, install-user)	35	install: $(if $(HAVE_ROOT), install-root, install-user)
50		36
51	install-user-config:	37	install-user-config:
52	$(INSTALL) -d ~/.ssh	38	install -d ~/.ssh
53	$(INSTALL) -t ~/.ssh $(SRC)/AnonymousAccessCommand	39	install -t ~/.ssh $(SRC)/AnonymousAccessCommand
54		40
55		41	install-user: install-user-config build/sshd_config ~/.ssh/id_ed25519
56	~/.ssh/id_ed25519:	42	$(INSTALL) -m0644 -t ~/.ssh build/sshd_config
57	ssh-keygen -t ed25519 -P '' -f $@
58
59	install-user: install-user-config ~/.ssh/id_ed25519
60	$(EDIT_SSHD) < $(SRC)/sshd_config > ~/.ssh/sshd_config.tmp
61	$(MV) ~/.ssh/sshd_config.tmp ~/.ssh/sshd_config
62	$(INSTALL) -m0644 -t ~/.config/systemd/user $(SRC)/sshd.service	43	$(INSTALL) -m0644 -t ~/.config/systemd/user $(SRC)/sshd.service
63	systemctl --user daemon-reload	44	systemctl --user daemon-reload
64	systemctl --user enable sshd	45	systemctl --user enable sshd
65	systemctl --user restart sshd	46	systemctl --user restart sshd
66		47
67	install-root: install-user-config	48	install-root: install-user-config
68	$(ROOT_INSTALL) -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" \|\| true	49	$(SUDO) make -C ../OpenSSH_Anonymous_Access install
69	$(ROOT_INSTALL) -m0644 -t "$(SSHD_CONFIG_DIR)" $(SRC)/anonymous-access.conf \|\| true
70	$(ROOT_INSTALL) -t "$(SSH_LIB_DIR)" $(SRC)/AuthorizedKeysCommand \|\| true
71	[ -e /etc/ssh/AuthorizedKeysCommand ] \|\| $(SUDO) ln -s -t /etc/ssh "$(SSH_LIB_DIR)"/AuthorizedKeysCommand
72	$(SUDO) systemctl reload sshd
73
74	README.html: README.md
75	pandoc -s --css "$(SRC)"/style.css -t html $< -o $@
76		50
77	test:	51	test:
78	make -C test	52	make -C test
		53
		54	build/sshd_config: $(SRC)/sshd_config Makefile
		55	$(edit_sshd) < "$<" > "$@".tmp
		56	mv "$@".tmp "$@"
		57
		58	KEYTYPE = ed25519
		59	HOST_KEY_FILE = $(HOME)/.ssh/id_$(KEYTYPE)
		60	SSHD_PID_FILE = $(HOME)/.ssh/sshd.pid
		61	FORCE_COMMAND = $(HOME)/.ssh/AnonymousAccessCommand
		62
		63	$(HOST_KEY_FILE):
		64	ssh-keygen -t "$(KEYTYPE)" -P '' -f "$@"
		65
		66	define edit_sshd
		67	sed \
		68	-e 's?ForceCommand=$$?&$(FORCE_COMMAND)?' \
		69	-e 's?AuthorizedKeysCommandUser=$$?&$(USER)?' \
		70	-e 's?HostKey=$$?&$(HOST_KEY_FILE)?' \
		71	-e 's?PidFile=$$?&$(SSHD_PID_FILE)?'
		72	endef
		73
		74	README.html: README.md
		75	pandoc -s --css "$(SRC)"/style.css -t html $< -o $@


diff --git a/EndoForge/src/AuthorizedKeysCommand b/EndoForge/src/AuthorizedKeysCommand deleted file mode 100755 index 6e13063..0000000 --- a/EndoForge/src/AuthorizedKeysCommand +++ /dev/null
@@ -1,15 +0,0 @@
1	#!/bin/sh
2	username=$1
3	userhome=$2
4	fingerprint=$3
5	authline="$4 $5"
6
7	case "$userhome" in
8	'"') exit ;;
9	esac
10
11	usercommand=$userhome/.ssh/AnonymousAccessCommand
12
13	[ -x "$usercommand" ] \|\| exit
14
15	printf 'command="%s",no-port-forwarding %s\n' "$usercommand $fingerprint" "$authline"


diff --git a/EndoForge/src/anonymous-access.conf b/EndoForge/src/anonymous-access.conf deleted file mode 100644 index 5cd6b6a..0000000 --- a/EndoForge/src/anonymous-access.conf +++ /dev/null
@@ -1,10 +0,0 @@
1	ExposeAuthInfo=yes
2	AuthorizedKeysCommandUser=root
3	AuthorizedKeysCommand=/etc/ssh/AuthorizedKeysCommand %u %h %f "%t %k"
4
5	# %u The username.
6	# %h The home directory of the user.
7	# %f The fingerprint of the key or certificate.
8	# %t The key or certificate type.
9	# %k The base64-encoded key or certificate for authentication.
10


diff --git a/OpenSSH_Anonymous_Access/Makefile b/OpenSSH_Anonymous_Access/Makefile new file mode 100644 index 0000000..d93c271 --- /dev/null +++ b/OpenSSH_Anonymous_Access/Makefile
@@ -0,0 +1,23 @@
		1	SRC = .
		2
		3	SELF_NAME = OpenSSH_Anonymous_Access
		4
		5	SSHD_CONFIG_DIR = /etc/ssh/sshd_config.d
		6	SSH_LIBEXEC_DIR = /usr/lib/ssh
		7
		8	.PHONY: install install-files install-link
		9
		10	install: install-files install-link
		11	systemctl reload sshd
		12
		13	install-files:
		14	install -d "$(SSHD_CONFIG_DIR)" "$(SSH_LIBEXEC_DIR)"
		15
		16	install -m0644 -t "$(SSHD_CONFIG_DIR)" "$(SRC)/anonymous-access.conf"
		17	install -t "$(SSH_LIBEXEC_DIR)" "$(SRC)/$(SELF_NAME)"
		18
		19	# The location of this link is hard-coded here and in the
		20	# OpenSSH_Anonymous_Access script.
		21	install-link:
		22	[ -e /etc/ssh/AuthorizedKeysCommand ] \|\| ln -s -t /etc/ssh "$(SSH_LIBEXEC_DIR)/$(SELF_NAME)"
		23


diff --git a/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access new file mode 100755 index 0000000..c6d0bfc --- /dev/null +++ b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access
@@ -0,0 +1,8 @@
		1	#!/bin/sh
		2	# First argument is OpenSSH auth line.
		3	# Following arguments are the ForceCommand.
		4	keys=$1
		5	shift
		6	if [ -x "$1" ]
		7	then printf 'restrict,pty,command="%s" %s\n' "$*" "$keys"
		8	fi


diff --git a/OpenSSH_Anonymous_Access/README.txt b/OpenSSH_Anonymous_Access/README.txt new file mode 100644 index 0000000..fb08716 --- /dev/null +++ b/OpenSSH_Anonymous_Access/README.txt
@@ -0,0 +1,14 @@
		1	OpenSSH Anonymous Access
		2	------------------------
		3
		4	This repository contains a configuration file for openssh-server that enables
		5	anonymous access to user accounts with the forced command
		6	`$HOME/.ssh/AnonymousAccessCommand`.
		7
		8	When this is installed each user can install their own `AnonymousAccessCommand`
		9	to control access to their account through `OpenSSH`.
		10
		11	Note that this configuration does make it easy for users to accidentally
		12	compromise their own accounts.
		13
		14


diff --git a/OpenSSH_Anonymous_Access/anonymous-access.conf b/OpenSSH_Anonymous_Access/anonymous-access.conf new file mode 100644 index 0000000..7329eb0 --- /dev/null +++ b/OpenSSH_Anonymous_Access/anonymous-access.conf
@@ -0,0 +1,13 @@
		1	ExposeAuthInfo=yes
		2	AuthorizedKeysCommandUser=root
		3	AuthorizedKeysCommand=/bin/sh -c '[ -x "$0" ] && echo "restrict,pty,command=\\"$0 $*\\" %t %k"' "%h/.ssh/AnonymousAccessCommand" "%f"
		4	# This will break if a user's $HOME contains a double quote. Sorry not sorry.
		5
		6	# This simpler version works:
		7	# AuthorizedKeysCommand=/bin/echo 'restrict,pty,command="%h/.ssh/AnonymousAccessCommand" %t %k'
		8	#
		9	# But that interferes with login failures on accounts that don't have that file.
		10	#
		11	# So a shell script is used that checks to make sure the file exists for the
		12	# user before generating any auth line.
		13