authorAndrew Cady <d@cryptonomic.net>2021-10-23 12:52:42 -0400
committerAndrew Cady <d@cryptonomic.net>2021-10-23 12:52:42 -0400
commit2e5909e761f40e42684fbaa71f3b5bcb49500567 (patch)
tree335259ca973c5e07807fcb97fb09a1f49fb2a1dc /EndoForge/src
parent4d14156fd5b306b366b4d74e1a5bbf82e0ae081a (diff)
move all files to EndoForge
Diffstat (limited to 'EndoForge/src')
-rwxr-xr-xEndoForge/src/AnonymousAccessCommand126
-rwxr-xr-xEndoForge/src/AuthorizedKeysCommand15
-rw-r--r--EndoForge/src/anonymous-access.conf10
3 files changed, 151 insertions, 0 deletions
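diff --git a/EndoForge/src/AnonymousAccessCommand b/EndoForge/src/AnonymousAccessCommand
new file mode 100755
index 0000000..443d25e
--- /dev/null
+++ b/EndoForge/src/AnonymousAccessCommand
@@ -0,0 +1,126 @@
+#!/bin/sh
+default_msg()
+{
+ sshfpline="$(get_sshfp_authline ${SSH_CLIENT%% *})"
+ cat <<EOF >&2
+
+ You are:
+
+ $authline
+ $sshfpline
+
+EOF
+}
+
+get_sshfp_authline()
+{
+ (
+ r=${1:-.}
+ key=$(mktemp) || exit
+ trap 'rm -rf "$key"' EXIT
+ echo "$authline" > "$key"
+ get_sshfp "$key" "$r"
+ )
+}
+
+get_sshfp()
+{
+ (
+ key="$1"
+ r="${2:-.}"
+ dns=$(mktemp) || exit
+ trap 'rm -rf "$dns"' EXIT
+
+ ssh-keygen -r "$r" -f "$key" > "$dns"
+ exec < "$dns"
+ while read line
+ do
+ set -- $line
+ if [ "$3 $5" = "SSHFP 2" ]
+ then
+ echo "$line"
+ break
+ fi
+ done
+ )
+}
+
+ssh_client_fingerprint_base16()
+{
+ set -- $(get_sshfp_authline)
+ [ "$6" ]
+ echo $6
+}
+
+check_if_self_forge()
+{
+ # TODO: don't use description, but something else.
+ local dir="$1"
+ [ -d "$dir" ] || exit
+ [ -r "$dir"/description ] || exit
+ read description < "$dir"/description
+ if [ "$description" != self-forge ] && [ "$(GIT_DIR=$dir git config core.self-forge)" != true ]
+ then
+ echo 'Error: access denied. The specified directory is not a self-forge.' >&2
+ exit
+ fi
+}
+
+read authtype authline < "$SSH_USER_AUTH" || exit
+[ "$authtype" = publickey ] || exit
+
+cmd=${SSH_ORIGINAL_COMMAND%% *}
+
+case "$cmd" in
+ git-send-pack | git-upload-pack)
+ GIT_NAMESPACE=
+ ;;
+ git-receive-pack)
+ export GIT_NAMESPACE="$(ssh_client_fingerprint_base16)"
+ [ "$GIT_NAMESPACE" ] || exit
+ ;;
+ *)
+ default_msg
+ exit
+ ;;
+esac
+
+arg=${SSH_ORIGINAL_COMMAND#* }
+arg=${arg%\'}
+arg=${arg#\'}
+case "$arg" in
+ *\'*) exit ;;
+ *.git) ;;
+ *) arg=$arg/.git ;;
+esac
+
+dir=$(readlink -e "$arg") || exit
+
+check_if_self_forge "$dir"
+
+with_allowCurrentBranch()
+{
+ local cmd="$1" dir="$2"
+ (
+ set -eC
+ lockfile=$GIT_DIR/index.lock
+ echo $$ > "$lockfile"
+ trap 'rm -f "$lockfile"' EXIT
+
+ # This doesn't seem very secure. Need to patch git probably.
+ for deny in CurrentBranch # DeleteCurrent
+ do git config receive.deny$deny false
+ done
+ "$@"
+ for deny in CurrentBranch # DeleteCurrent
+ do git config receive.deny$deny true
+ done
+ )
+}
+
+if [ "$GIT_NAMESPACE" ]
+then
+ GIT_DIR=$dir with_allowCurrentBranch "$cmd" "$dir"
+else
+ "$cmd" "$dir"
+fi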
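Review bot: In `with_allowCurrentBranch` (lines 101-119) the restore of `receive.denyCurrentBranch` is missing from the failure path. The subshell runs under `set -e`, so a non-zero exit from `"$@"` skips the second `for` loop and leaves the repository config at `false`, while the EXIT trap only removes the lock file. Putting the restore in the trap closes that gap: `trap 'git config receive.denyCurrentBranch true; rm -f "$lockfile"' EXIT`. Because the value is written to the on-disk config, it is also visible to any other receive-pack on the same repository while the push runs. Passing it per process, e.g. `git -c receive.denyCurrentBranch=false receive-pack "$dir"`, would avoid the write altogether, though that should be tested against the namespace setup used here.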
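diff --git a/EndoForge/src/AuthorizedKeysCommand b/EndoForge/src/AuthorizedKeysCommand
new file mode 100755
index 0000000..6e13063
--- /dev/null
+++ b/EndoForge/src/AuthorizedKeysCommand
@@ -0,0 +1,15 @@
+#!/bin/sh
+username=$1
+userhome=$2
+fingerprint=$3
+authline="$4 $5"
+
+case "$userhome" in
+ *'"'*) exit ;;
+esac
+
+usercommand=$userhome/.ssh/AnonymousAccessCommand
+
+[ -x "$usercommand" ] || exit
+
+printf 'command="%s",no-port-forwarding %s\n' "$usercommand $fingerprint" "$authline"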
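Review bot: The authorized_keys line emitted on line 15 limits only port forwarding, so a key accepted through this path can still get a pty, agent and X11 forwarding, and `~/.ssh/rc` execution alongside the forced command. Since the script returns an entry for whatever key is presented once the account has the executable, the option list should be `restrict` rather than `no-port-forwarding`: `printf 'command="%s",restrict %s\n' "$usercommand $fingerprint" "$authline"`. Separately, only `"` is rejected in `$userhome`, yet the value lands inside `command="…"`, which sshd hands to the user's shell. A stricter `case` pattern, or a comment such as `# home paths are assumed free of whitespace and shell metacharacters`, would make that assumption explicit.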
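diff --git a/EndoForge/src/anonymous-access.conf b/EndoForge/src/anonymous-access.conf
new file mode 100644
index 0000000..5cd6b6a
--- /dev/null
+++ b/EndoForge/src/anonymous-access.conf
@@ -0,0 +1,10 @@
+ExposeAuthInfo=yes
+AuthorizedKeysCommandUser=root
+AuthorizedKeysCommand=/etc/ssh/AuthorizedKeysCommand %u %h %f "%t %k"
+
+# %u The username.
+# %h The home directory of the user.
+# %f The fingerprint of the key or certificate.
+# %t The key or certificate type.
+# %k The base64-encoded key or certificate for authentication.
+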
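Review bot: `AuthorizedKeysCommandUser=root` on line 2 runs the helper as root on each public-key authentication attempt, whereas sshd_config(5) recommends a dedicated user with no other role on the host. The helper shown in this commit only tests `-x` on a file under the user's home, so whether a less-privileged account can do that depends on home-directory permissions and should be checked before changing it. Also, `"%t %k"` on line 3 is quoted and so appears to reach the script as a single argument, while the script builds `authline` from `$4 $5`. Dropping the quotes, or adding a comment such as `# type and key arrive together as $4; $5 is empty`, would remove the mismatch.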