-rw-r--r-- | EndoForge/Makefile | 33 | ||||
-rw-r--r-- | EndoForge/README.md | 15 | ||||
-rwxr-xr-x | EndoForge/openssh/AuthorizedKeysCommand | 21 | ||||
-rw-r--r-- | EndoForge/openssh/Makefile | 7 | ||||
-rwxr-xr-x | EndoForge/openssh/run-sshd | 32 | ||||
-rw-r--r-- | EndoForge/src/sshd_config (renamed from EndoForge/openssh/sshd_config) | 16 |
6 files changed, 42 insertions, 82 deletions
diff --git a/EndoForge/Makefile b/EndoForge/Makefile index 46f1af4..3846ebd 100644 --- a/EndoForge/Makefile +++ b/EndoForge/Makefile | |||
@@ -1,13 +1,18 @@ | |||
1 | ENDOFORGE_BACKUPS = y | ||
2 | ifneq (,$(ENDOFORGE_BACKUPS)) | ||
3 | INSTALL := install -b --suffix=~$(shell date -Ins | tr -d :) | ||
4 | else | ||
5 | INSTALL = install | ||
6 | endif | ||
7 | |||
1 | ifeq ($(shell id -u),0) | 8 | ifeq ($(shell id -u),0) |
2 | SUDO = | 9 | SUDO = |
3 | else | 10 | else |
4 | SUDO = sudo | 11 | SUDO = sudo |
5 | endif | 12 | endif |
6 | 13 | ||
7 | ROOT_INSTALL = $(SUDO) install | 14 | ROOT_INSTALL = $(SUDO) $(INSTALL) |
8 | |||
9 | USER != echo "$${SUDO_USER:-$$(id -un)}" | 15 | USER != echo "$${SUDO_USER:-$$(id -un)}" |
10 | |||
11 | SSH_CONFIG_DIR = /etc/ssh | 16 | SSH_CONFIG_DIR = /etc/ssh |
12 | SSHD_CONFIG_DIR = $(SSH_CONFIG_DIR)/sshd_config.d | 17 | SSHD_CONFIG_DIR = $(SSH_CONFIG_DIR)/sshd_config.d |
13 | SSH_LIB_DIR = /usr/lib/ssh | 18 | SSH_LIB_DIR = /usr/lib/ssh |
@@ -15,7 +20,7 @@ USER_SSH_CONFIG_DIR = ~$(USER)/.ssh | |||
15 | 20 | ||
16 | BROWSER != 2>/dev/null which xdg-open || which w3m || which links || which elinks | 21 | BROWSER != 2>/dev/null which xdg-open || which w3m || which links || which elinks |
17 | 22 | ||
18 | .PHONY: install shared doc test | 23 | .PHONY: install install-user install-root shared doc test |
19 | 24 | ||
20 | doc: README.html | 25 | doc: README.html |
21 | $(BROWSER) $< | 26 | $(BROWSER) $< |
@@ -24,17 +29,27 @@ shared: install | |||
24 | git config core.self-forge true | 29 | git config core.self-forge true |
25 | 30 | ||
26 | SRC = src | 31 | SRC = src |
27 | SOURCES = $(addprefix $(SRC), AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand) | 32 | SOURCE_NAMES = AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand sshd_config |
33 | SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES)) | ||
34 | |||
35 | install: install-user install-root | ||
28 | 36 | ||
29 | install: | 37 | install-user: |
30 | install -t $(USER_SSH_CONFIG_DIR) $(SRC)/AnonymousAccessCommand | 38 | $(INSTALL) -d ~/.ssh |
31 | $(ROOT_INSTALL) -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" || true | 39 | $(INSTALL) -t ~/.ssh $(SRC)/AnonymousAccessCommand |
40 | $(INSTALL) -m0600 -t ~/.ssh $(SRC)/sshd_config | ||
41 | |||
42 | install-root: | ||
43 | $(ROOT_INSTALL) -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" || true | ||
32 | $(ROOT_INSTALL) -m0644 -t "$(SSHD_CONFIG_DIR)" $(SRC)/anonymous-access.conf || true | 44 | $(ROOT_INSTALL) -m0644 -t "$(SSHD_CONFIG_DIR)" $(SRC)/anonymous-access.conf || true |
33 | $(ROOT_INSTALL) -t "$(SSH_LIB_DIR)" $(SRC)/AuthorizedKeysCommand || true | 45 | $(ROOT_INSTALL) -t "$(SSH_LIB_DIR)" $(SRC)/AuthorizedKeysCommand || true |
34 | [ -e "$(SSH_LIB_DIR)"/AuthorizedKeysCommand ] || $(SUDO) ln -s -t /etc/ssh "$(SSH_LIB_DIR)"/AuthorizedKeysCommand | 46 | [ -e "$(SSH_LIB_DIR)"/AuthorizedKeysCommand ] || $(SUDO) ln -s -t /etc/ssh "$(SSH_LIB_DIR)"/AuthorizedKeysCommand |
35 | 47 | ||
48 | run: install-user | ||
49 | /usr/sbin/sshd -D -e -f ~/.ssh/sshd_config | ||
50 | |||
36 | README.html: README.md | 51 | README.html: README.md |
37 | pandoc -s --css style.css -t html $< -o $@ | 52 | pandoc --metadata 'EndoForge - A self-forge in any git repository' -s --css style.css -t html $< -o $@ |
38 | 53 | ||
39 | test: | 54 | test: |
40 | make -C test | 55 | make -C test |
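Review bot: `SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))` at new line 33 expands to `srcAnonymousAccessCommand …` because the prefix carries no trailing slash; it should read `SOURCES = $(addprefix $(SRC)/,$(SOURCE_NAMES))` (the variable is not referenced in the visible lines, so the defect is latent for now). In `install-user`, `$(INSTALL) -d ~/.ssh` creates the directory with install's default directory mode (0755); `$(INSTALL) -d -m0700 ~/.ssh` would keep it private, matching the `-m0600` applied to `sshd_config` two lines below. The same target moved from `$(USER_SSH_CONFIG_DIR)` (derived from `SUDO_USER`) to a bare `~/.ssh`, so under `sudo make install` the files presumably land in root's home rather than the invoking user's — worth confirming, since `USER_SSH_CONFIG_DIR` is otherwise left unused. The new `run` target is a command rather than a file and is missing from the `.PHONY` list updated at new line 23.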
diff --git a/EndoForge/README.md b/EndoForge/README.md index 0b1a8dd..14e640e 100644 --- a/EndoForge/README.md +++ b/EndoForge/README.md | |||
@@ -1,6 +1,8 @@ | |||
1 | EndoForge | 1 | EndoForge |
2 | --------- | 2 | --------- |
3 | Convert your Git repository into a Self-Forge by merging this repository. | 3 | A Self-Forge. |
4 | |||
5 | Convert any Git repository into a Self-Forge by merging this repository. | ||
4 | 6 | ||
5 | 7 | ||
6 | 8 | ||
@@ -57,8 +59,8 @@ Run: | |||
57 | make install | 59 | make install |
58 | ``` | 60 | ``` |
59 | 61 | ||
60 | This installs the `AnonymousAccessCommand` in the current user's home | 62 | This installs the `AnonymousAccessCommand` in the current user's home directory |
61 | directory. | 63 | (under `$HOME/.ssh`). |
62 | 64 | ||
63 | Then, if sudo access is available, it enables anonymous access by | 65 | Then, if sudo access is available, it enables anonymous access by |
64 | editing the system `OpenSSH` configuration. | 66 | editing the system `OpenSSH` configuration. |
@@ -71,8 +73,8 @@ editing the system `OpenSSH` configuration. | |||
71 | NON-ROOT INSTALLATION | 73 | NON-ROOT INSTALLATION |
72 | --------------------- | 74 | --------------------- |
73 | 75 | ||
74 | A configuration is included for running OpenSSH from an unprivileged user | 76 | An OpenSSH configuration and wrapper is included for running EndoForge from an |
75 | account. Try it like so: | 77 | unprivileged user account. Try it like so: |
76 | 78 | ||
77 | 79 | ||
78 | ``` | 80 | ``` |
@@ -83,7 +85,8 @@ account. Try it like so: | |||
83 | ``` | 85 | ``` |
84 | 86 | ||
85 | This launches a script that uses 'fakeroot' and to make OpenSSH think the | 87 | This launches a script that uses 'fakeroot' and to make OpenSSH think the |
86 | permissions are OK. | 88 | permissions are OK. This repository needs a systemd service file to launch it |
89 | automatically (TODO). | ||
87 | 90 | ||
88 | 91 | ||
89 | 92 | ||
diff --git a/EndoForge/openssh/AuthorizedKeysCommand b/EndoForge/openssh/AuthorizedKeysCommand deleted file mode 100755 index 0e6d285..0000000 --- a/EndoForge/openssh/AuthorizedKeysCommand +++ /dev/null | |||
@@ -1,21 +0,0 @@ | |||
1 | #!/bin/sh | ||
2 | # Modified AuthorizedKeysCommand for running OpenSSH as unprivileged user. | ||
3 | # | ||
4 | # Uses the home directory of the calling user (ascertained through "id -un") | ||
5 | # instead of the authenticated user. | ||
6 | |||
7 | fingerprint=$3 | ||
8 | authline="$4 $5" | ||
9 | |||
10 | username=$(id -un) | ||
11 | userhome=$(getent passwd $(id -un) | (IFS=: read _ _ _ _ _ home _ && echo "$home")) | ||
12 | |||
13 | case "$userhome" in | ||
14 | '' | *"'"* ) exit ;; | ||
15 | esac | ||
16 | |||
17 | usercommand=$userhome/.ssh/AnonymousAccessCommand | ||
18 | |||
19 | [ -x "$usercommand" ] || exit | ||
20 | |||
21 | printf 'command="%s",no-port-forwarding %s\n' "$usercommand $fingerprint" "$authline" | ||
diff --git a/EndoForge/openssh/Makefile b/EndoForge/openssh/Makefile deleted file mode 100644 index ae39ed2..0000000 --- a/EndoForge/openssh/Makefile +++ /dev/null | |||
@@ -1,7 +0,0 @@ | |||
1 | |||
2 | run: | ||
3 | ./run-sshd -D -e -f ~/.ssh/sshd_config | ||
4 | |||
5 | install: | ||
6 | install -m0600 sshd_config -t ~/.ssh | ||
7 | install -m0755 AuthorizedKeysCommand -t ~/.ssh | ||
diff --git a/EndoForge/openssh/run-sshd b/EndoForge/openssh/run-sshd deleted file mode 100755 index 20e82d8..0000000 --- a/EndoForge/openssh/run-sshd +++ /dev/null | |||
@@ -1,32 +0,0 @@ | |||
1 | #!/bin/sh | ||
2 | # Fix file ownership with fakeroot so that OpenSSH will run as a user. | ||
3 | # | ||
4 | # The ownership is not really changed on disk, but 'chmod go-w' might actually | ||
5 | # change permissions on disk. | ||
6 | |||
7 | case "$LD_PRELOAD" in | ||
8 | libfakeroot-sysv.so) ;; | ||
9 | '') exec fakeroot -- "$0" "$@" ;; | ||
10 | *) exit 1 ;; | ||
11 | esac | ||
12 | |||
13 | fixperms() | ||
14 | { | ||
15 | set -- "$1" | ||
16 | local p="$1" oldp= | ||
17 | while [ "$p" != "$oldp" ] | ||
18 | do | ||
19 | oldp=$p | ||
20 | p=${p%/*}/ | ||
21 | set -- "$@" "$p" | ||
22 | done | ||
23 | chown root:root "$@" | ||
24 | chmod go-w "$@" | ||
25 | } | ||
26 | |||
27 | fixperms "$HOME"/.ssh | ||
28 | |||
29 | PATH=/sbin:/usr/sbin:$PATH | ||
30 | cmd="$(which sshd) $*" | ||
31 | runuser -u "$USER" -- sh -c "$cmd" | ||
32 | |||
diff --git a/EndoForge/openssh/sshd_config b/EndoForge/src/sshd_config index 2273805..de34cd4 100644 --- a/EndoForge/openssh/sshd_config +++ b/EndoForge/src/sshd_config | |||
@@ -1,15 +1,17 @@ | |||
1 | Port=22022 | 1 | # This allows completely open access: |
2 | 2 | AuthorizedKeysCommand=/bin/echo %t %k | |
3 | HostKey=/home/u/.ssh/id_ed25519 | 3 | # Only this closes it back up: |
4 | PidFile=/home/u/.ssh/sshd.pid | 4 | ForceCommand=/home/u/.ssh/AnonymousAccessCommand |
5 | 5 | ||
6 | AuthenticationMethods publickey | ||
6 | AuthorizedKeysCommandUser=u | 7 | AuthorizedKeysCommandUser=u |
7 | AuthorizedKeysCommand=/home/u/.ssh/AuthorizedKeysCommand %u %h %f "%t %k" | ||
8 | ExposeAuthInfo=yes | 8 | ExposeAuthInfo=yes |
9 | 9 | ||
10 | AuthenticationMethods publickey | 10 | Port=22022 |
11 | HostKey=/home/u/.ssh/id_ed25519 | ||
12 | PidFile=/home/u/.ssh/sshd.pid | ||
13 | |||
11 | AcceptEnv LANG LC_* | 14 | AcceptEnv LANG LC_* |
12 | Subsystem sftp /usr/lib/openssh/sftp-server | ||
13 | UsePAM no | 15 | UsePAM no |
14 | PermitTTY no | 16 | PermitTTY no |
15 | ChrootDirectory=none | 17 | ChrootDirectory=none |
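Review bot: With `AuthorizedKeysCommand=/bin/echo %t %k` every presented key is accepted, and the restriction the deleted `openssh/AuthorizedKeysCommand` script used to emit on the authorized_keys line (`no-port-forwarding`) is not carried over — `ForceCommand` constrains the executed command but not port, agent or X11 forwarding requests from an anonymous client. Adding `AllowTcpForwarding no`, `AllowAgentForwarding no` and `X11Forwarding no` (plus `AllowStreamLocalForwarding no` and `PermitTunnel no` where the sshd version supports them) next to `ForceCommand` would restore the previous restriction. The `/home/u/...` paths and `AuthorizedKeysCommandUser=u` are hard-coded to one account while the Makefile's `install-user` installs into the invoking user's `~/.ssh`; a comment such as `# Replace 'u' and /home/u with the account that runs sshd` would make the required edit explicit. The deleted script also passed the key fingerprint to `AnonymousAccessCommand` as an argument; presumably `ExposeAuthInfo=yes` now covers that through the `SSH_USER_AUTH` file, but that is not visible in this diff.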