split OpenSSH_Anonymous_Access from EndoForge

EndoForge now installs OpenSSH_Anonymous_Access as a dependency.

4 files changed, 58 insertions, 0 deletions

diff --git a/OpenSSH_Anonymous_Access/Makefile b/OpenSSH_Anonymous_Access/Makefile
new file mode 100644
index 0000000..d93c271
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/Makefile
@@ -0,0 +1,23 @@
+SRC = .
+
+SELF_NAME = OpenSSH_Anonymous_Access
+
+SSHD_CONFIG_DIR = /etc/ssh/sshd_config.d
+SSH_LIBEXEC_DIR                 = /usr/lib/ssh
+
+.PHONY: install install-files install-link
+
+install: install-files install-link
+        systemctl reload sshd
+
+install-files:
+        install -d "$(SSHD_CONFIG_DIR)" "$(SSH_LIBEXEC_DIR)"
+
+        install -m0644 -t "$(SSHD_CONFIG_DIR)" "$(SRC)/anonymous-access.conf"
+        install        -t     "$(SSH_LIBEXEC_DIR)" "$(SRC)/$(SELF_NAME)"
+
+# The location of this link is hard-coded here and in the
+# OpenSSH_Anonymous_Access script.
+install-link:
+        [ -e /etc/ssh/AuthorizedKeysCommand ] || ln -s -t /etc/ssh "$(SSH_LIBEXEC_DIR)/$(SELF_NAME)"
+
diff --git a/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access
new file mode 100755
index 0000000..c6d0bfc
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access
@@ -0,0 +1,8 @@
+#!/bin/sh
+# First argument is OpenSSH auth line.
+# Following arguments are the ForceCommand.
+keys=$1
+shift
+if [ -x "$1" ]
+then printf 'restrict,pty,command="%s" %s\n' "$*" "$keys"
+fi
diff --git a/OpenSSH_Anonymous_Access/README.txt b/OpenSSH_Anonymous_Access/README.txt
new file mode 100644
index 0000000..fb08716
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/README.txt
@@ -0,0 +1,14 @@
+OpenSSH Anonymous Access
+------------------------
+
+This repository contains a configuration file for openssh-server that enables
+anonymous access to user accounts with the forced command
+`$HOME/.ssh/AnonymousAccessCommand`.
+
+When this is installed each user can install their own `AnonymousAccessCommand`
+to control access to their account through `OpenSSH`.
+
+Note that this configuration does make it easy for users to accidentally
+compromise their own accounts.
+
+
diff --git a/OpenSSH_Anonymous_Access/anonymous-access.conf b/OpenSSH_Anonymous_Access/anonymous-access.conf
new file mode 100644
index 0000000..7329eb0
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/anonymous-access.conf
@@ -0,0 +1,13 @@
+ExposeAuthInfo=yes
+AuthorizedKeysCommandUser=root
+AuthorizedKeysCommand=/bin/sh -c '[ -x "$0" ] && echo "restrict,pty,command=\\"$0 $*\\" %t %k"' "%h/.ssh/AnonymousAccessCommand" "%f"
+# This will break if a user's $HOME contains a double quote. Sorry not sorry.
+
+# This simpler version works:
+# AuthorizedKeysCommand=/bin/echo 'restrict,pty,command="%h/.ssh/AnonymousAccessCommand" %t %k'
+#
+# But that interferes with login failures on accounts that don't have that file.
+#
+# So a shell script is used that checks to make sure the file exists for the
+# user before generating any auth line.
+