author | Andrew Cady <d@cryptonomic.net> | 2021-10-26 09:29:50 -0400 |
committer | Andrew Cady <d@cryptonomic.net> | 2021-10-26 09:29:55 -0400 |
commit | 099d70f87208afc6bc0baf098c266c0d705f2453 (patch) | |
tree | c920faf0df43a51d882ab7e31873535b998924de /OpenSSH_Anonymous_Access | |
parent | d702643534828f72036d19f75c57ca48a4edc07b (diff) |
split OpenSSH_Anonymous_Access from EndoForge
EndoForge now installs OpenSSH_Anonymous_Access as a dependency.
Diffstat (limited to 'OpenSSH_Anonymous_Access')
-rw-r--r-- | OpenSSH_Anonymous_Access/Makefile | 23 | ||||
-rwxr-xr-x | OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access | 8 | ||||
-rw-r--r-- | OpenSSH_Anonymous_Access/README.txt | 14 | ||||
-rw-r--r-- | OpenSSH_Anonymous_Access/anonymous-access.conf | 13 |
4 files changed, 58 insertions, 0 deletions
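--- /dev/null
+++ b/OpenSSH_Anonymous_Access/Makefile
@@ -0,0 +1,23 @@
+SRC = .
+
+SELF_NAME = OpenSSH_Anonymous_Access
+
+SSHD_CONFIG_DIR = /etc/ssh/sshd_config.d
+SSH_LIBEXEC_DIR = /usr/lib/ssh
+
+.PHONY: install install-files install-link
+
+install: install-files install-link
+	systemctl reload sshd
+
+install-files:
+	install -d "$(SSHD_CONFIG_DIR)" "$(SSH_LIBEXEC_DIR)"
+
+	install -m0644 -t "$(SSHD_CONFIG_DIR)" "$(SRC)/anonymous-access.conf"
+	install -t "$(SSH_LIBEXEC_DIR)" "$(SRC)/$(SELF_NAME)"
+
+# The location of this link is hard-coded here and in the
+# OpenSSH_Anonymous_Access script.
+install-link:
+	[ -e /etc/ssh/AuthorizedKeysCommand ] || ln -s -t /etc/ssh "$(SSH_LIBEXEC_DIR)/$(SELF_NAME)"
+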
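Review bot: The `install-link` recipe on line 22 of the Makefile creates `/etc/ssh/OpenSSH_Anonymous_Access`, not `/etc/ssh/AuthorizedKeysCommand`: `ln -s -t DIR TARGET` names the link after the basename of TARGET, so the `[ -e /etc/ssh/AuthorizedKeysCommand ]` guard is never satisfied and a second `make install` fails when `ln` finds the link it made the first time. The line should read `[ -e /etc/ssh/AuthorizedKeysCommand ] || ln -s "$(SSH_LIBEXEC_DIR)/$(SELF_NAME)" /etc/ssh/AuthorizedKeysCommand`. Neither anonymous-access.conf nor the OpenSSH_Anonymous_Access script in this commit refers to `/etc/ssh/AuthorizedKeysCommand`, despite the comment on lines 19–20, so the link may be a leftover from the pre-split layout; worth confirming, and the comment should name whatever actually consumes the link. Since `install` ends with `systemctl reload sshd`, the global `AuthorizedKeysCommand` from the conf file takes effect immediately, which deserves a one-line comment on line 11 so operators know the reload is not optional.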
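--- /dev/null
+++ b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access
@@ -0,0 +1,8 @@
+#!/bin/sh
+# First argument is OpenSSH auth line.
+# Following arguments are the ForceCommand.
+keys=$1
+shift
+if [ -x "$1" ]
+then printf 'restrict,pty,command="%s" %s\n' "$*" "$keys"
+fi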
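Review bot: The `printf` on line 7 places `"$*"` inside `command="%s"` without any escaping, so a forced-command path containing `"` or `\` (it is built from the account's home directory) yields a malformed authorized-keys options line in which the `restrict` option may no longer apply as written; anonymous-access.conf documents this limitation for its inline variant, but this script's header does not. Add to the header comment a line such as `# The ForceCommand path must not contain double quotes or backslashes.`. Nothing in this commit invokes the script (anonymous-access.conf line 3 uses an inline `/bin/sh -c` instead), so the header should also state the intended AuthorizedKeysCommand form that calls it, or the script should be removed if the inline form supersedes it; I cannot tell which from the diff. It would also help to note that the script deliberately prints nothing and exits 0 when `$1` is not executable, since that silence is what makes the login fail for accounts without the file.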
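--- /dev/null
+++ b/OpenSSH_Anonymous_Access/README.txt
@@ -0,0 +1,14 @@
+OpenSSH Anonymous Access
+------------------------
+
+This repository contains a configuration file for openssh-server that enables
+anonymous access to user accounts with the forced command
+`$HOME/.ssh/AnonymousAccessCommand`.
+
+When this is installed each user can install their own `AnonymousAccessCommand`
+to control access to their account through `OpenSSH`.
+
+Note that this configuration does make it easy for users to accidentally
+compromise their own accounts.
+
+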
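--- /dev/null
+++ b/OpenSSH_Anonymous_Access/anonymous-access.conf
@@ -0,0 +1,13 @@
+ExposeAuthInfo=yes
+AuthorizedKeysCommandUser=root
+AuthorizedKeysCommand=/bin/sh -c '[ -x "$0" ] && echo "restrict,pty,command=\\"$0 $*\\" %t %k"' "%h/.ssh/AnonymousAccessCommand" "%f"
+# This will break if a user's $HOME contains a double quote. Sorry not sorry.
+
+# This simpler version works:
+# AuthorizedKeysCommand=/bin/echo 'restrict,pty,command="%h/.ssh/AnonymousAccessCommand" %t %k'
+#
+# But that interferes with login failures on accounts that don't have that file.
+#
+# So a shell script is used that checks to make sure the file exists for the
+# user before generating any auth line.
+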
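Review bot: `AuthorizedKeysCommandUser=root` on line 2 grants the command more privilege than its only job, an `-x` test on a path under the user's home, requires, and sshd_config(5) recommends a dedicated account with no other role for this directive. If root is needed because home directories are not searchable by other accounts, a comment on line 2 should record that reason; otherwise an unprivileged user would bound what a quoting mistake in line 3 can do. Note that `[ -x "$0" ]` follows symlinks, so with root as the command user a user who points `~/.ssh/AnonymousAccessCommand` at another path learns, from whether a key is offered at login, whether that file is executable for root; a small oracle, but one an unprivileged AuthorizedKeysCommandUser closes. Since this file applies to every account with a home directory, it would be worth repeating in a comment here the README's warning that a user who drops an executable at that path opens their own account to any key.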