From 099d70f87208afc6bc0baf098c266c0d705f2453 Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Tue, 26 Oct 2021 09:29:50 -0400
Subject: split OpenSSH_Anonymous_Access from EndoForge

EndoForge now installs OpenSSH_Anonymous_Access as a dependency.
---
 EndoForge/Makefile | 67 +++++++++++------------
 EndoForge/src/AuthorizedKeysCommand | 15 -----
 EndoForge/src/anonymous-access.conf | 10 ----
 OpenSSH_Anonymous_Access/Makefile | 23 ++++++++
 OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access | 8 +++
 OpenSSH_Anonymous_Access/README.txt | 14 +++++
 OpenSSH_Anonymous_Access/anonymous-access.conf | 13 +++++
 7 files changed, 90 insertions(+), 60 deletions(-)
 delete mode 100755 EndoForge/src/AuthorizedKeysCommand
 delete mode 100644 EndoForge/src/anonymous-access.conf
 create mode 100644 OpenSSH_Anonymous_Access/Makefile
 create mode 100755 OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access
 create mode 100644 OpenSSH_Anonymous_Access/README.txt
 create mode 100644 OpenSSH_Anonymous_Access/anonymous-access.conf
diff --git a/EndoForge/Makefile b/EndoForge/Makefile
index de5d480..a63fa31 100644
--- a/EndoForge/Makefile
+++ b/EndoForge/Makefile
@@ -16,15 +16,14 @@ endif
 HAVE_ROOT != $(SUDO) true && echo y || true
-ROOT_INSTALL = $(SUDO) $(INSTALL)
 USER != echo "$${SUDO_USER:-$$(id -un)}"
-SSH_CONFIG_DIR = /etc/ssh
-SSHD_CONFIG_DIR = $(SSH_CONFIG_DIR)/sshd_config.d
-SSH_LIB_DIR = /usr/lib/ssh
-USER_SSH_CONFIG_DIR = ~$(USER)/.ssh
 BROWSER != 2>/dev/null which xdg-open || which w3m || which links || which elinks
+SRC = src
+SOURCE_NAMES = AnonymousAccessCommand sshd_config
+SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))
+
 .PHONY: install install-user install-user-config install-root shared doc test
 doc: README.html
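Review bot: `SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))` has no `/` after `$(SRC)`, so it expands to `srcAnonymousAccessCommand srcsshd_config` rather than paths under `src/`; the commit moves this definition into the header block without correcting it. The fix is `SOURCES = $(addprefix $(SRC)/,$(SOURCE_NAMES))`. Nothing in the hunks shown reads `SOURCES`, so if it really is unused, dropping it and `SOURCE_NAMES` would be cleaner than fixing it. The `!=` assignments on the surrounding context lines need GNU Make 4.0 or later; a one-line comment at the top of the file stating that requirement would turn a cryptic parse error on older makes into a clear message.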
@@ -33,46 +32,44 @@ doc: README.html
 shared: install
 git config core.self-forge true
-SRC = src
-SOURCE_NAMES = AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand sshd_config
-SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))
-
-KEYTYPE = ed25519
-define EDIT_SSHD
-sed \
- -e 's?ForceCommand=$$?&$(HOME)/.ssh/AnonymousAccessCommand?' \
- -e 's?AuthorizedKeysCommandUser=$$?&$(USER)?' \
- -e 's?HostKey=$$?&$(HOME)/.ssh/id_$(KEYTYPE)?' \
- -e 's?PidFile=$$?&$(HOME)/.ssh/sshd.pid?'
-endef
-
 install: $(if $(HAVE_ROOT), install-root, install-user)
 install-user-config:
- $(INSTALL) -d ~/.ssh
+ install -d ~/.ssh
- $(INSTALL) -t ~/.ssh $(SRC)/AnonymousAccessCommand
+ install -t ~/.ssh $(SRC)/AnonymousAccessCommand
-
-~/.ssh/id_ed25519:
- ssh-keygen -t ed25519 -P '' -f $@
-
-install-user: install-user-config ~/.ssh/id_ed25519
- $(EDIT_SSHD) < $(SRC)/sshd_config > ~/.ssh/sshd_config.tmp
- $(MV) ~/.ssh/sshd_config.tmp ~/.ssh/sshd_config
+install-user: install-user-config build/sshd_config ~/.ssh/id_ed25519
+ $(INSTALL) -m0644 -t ~/.ssh build/sshd_config
 $(INSTALL) -m0644 -t ~/.config/systemd/user $(SRC)/sshd.service
 systemctl --user daemon-reload
 systemctl --user enable sshd
 systemctl --user restart sshd
 install-root: install-user-config
- $(ROOT_INSTALL) -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" || true
- $(ROOT_INSTALL) -m0644 -t "$(SSHD_CONFIG_DIR)" $(SRC)/anonymous-access.conf || true
- $(ROOT_INSTALL) -t "$(SSH_LIB_DIR)" $(SRC)/AuthorizedKeysCommand || true
- [ -e /etc/ssh/AuthorizedKeysCommand ] || $(SUDO) ln -s -t /etc/ssh "$(SSH_LIB_DIR)"/AuthorizedKeysCommand
- $(SUDO) systemctl reload sshd
-
-README.html: README.md
- pandoc -s --css "$(SRC)"/style.css -t html $< -o $@
+ $(SUDO) make -C ../OpenSSH_Anonymous_Access install
 test:
 make -C test
+
+build/sshd_config: $(SRC)/sshd_config Makefile
+ $(edit_sshd) < "$<" > "$@".tmp
+ mv "$@".tmp "$@"
+
+KEYTYPE = ed25519
+HOST_KEY_FILE = $(HOME)/.ssh/id_$(KEYTYPE)
+SSHD_PID_FILE = $(HOME)/.ssh/sshd.pid
+FORCE_COMMAND = $(HOME)/.ssh/AnonymousAccessCommand
+
+$(HOST_KEY_FILE):
+ ssh-keygen -t "$(KEYTYPE)" -P '' -f "$@"
+
+define edit_sshd
+sed \
+ -e 's?ForceCommand=$$?&$(FORCE_COMMAND)?' \
+ -e 's?AuthorizedKeysCommandUser=$$?&$(USER)?' \
+ -e 's?HostKey=$$?&$(HOST_KEY_FILE)?' \
+ -e 's?PidFile=$$?&$(SSHD_PID_FILE)?'
+endef
+
+README.html: README.md
+ pandoc -s --css "$(SRC)"/style.css -t html $< -o $@
diff --git a/EndoForge/src/AuthorizedKeysCommand b/EndoForge/src/AuthorizedKeysCommand
deleted file mode 100755
index 6e13063..0000000
--- a/EndoForge/src/AuthorizedKeysCommand
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-username=$1
-userhome=$2
-fingerprint=$3
-authline="$4 $5"
-
-case "$userhome" in
- *'"'*) exit ;;
-esac
-
-usercommand=$userhome/.ssh/AnonymousAccessCommand
-
-[ -x "$usercommand" ] || exit
-
-printf 'command="%s",no-port-forwarding %s\n' "$usercommand $fingerprint" "$authline"
diff --git a/EndoForge/src/anonymous-access.conf b/EndoForge/src/anonymous-access.conf
deleted file mode 100644
index 5cd6b6a..0000000
--- a/EndoForge/src/anonymous-access.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-ExposeAuthInfo=yes
-AuthorizedKeysCommandUser=root
-AuthorizedKeysCommand=/etc/ssh/AuthorizedKeysCommand %u %h %f "%t %k"
-
-# %u The username.
-# %h The home directory of the user.
-# %f The fingerprint of the key or certificate.
-# %t The key or certificate type.
-# %k The base64-encoded key or certificate for authentication.
-
diff --git a/OpenSSH_Anonymous_Access/Makefile b/OpenSSH_Anonymous_Access/Makefile
new file mode 100644
index 0000000..d93c271
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/Makefile
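Review bot: The new `build/sshd_config` rule redirects into `"$@".tmp` but nothing in this hunk creates `build/`, so on a fresh checkout the shell fails with "No such file or directory" before sed runs. Add the directory as an order-only prerequisite, `build/sshd_config: $(SRC)/sshd_config Makefile | build`, with a rule `build:` whose recipe is `mkdir -p $@`. In `install-root`, `$(SUDO) make -C ../OpenSSH_Anonymous_Access install` should invoke `$(MAKE)` so that `-n`, `-j` and the jobserver propagate, and `..` is resolved against the caller's working directory rather than this Makefile; `$(dir $(lastword $(MAKEFILE_LIST)))../OpenSSH_Anonymous_Access` anchors it to the file. Separately, `install-user` still lists `~/.ssh/id_ed25519` as its prerequisite while the key rule's target is `$(HOST_KEY_FILE)`; naming `$(HOST_KEY_FILE)` in both places keeps them from drifting apart if `KEYTYPE` is ever changed.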
@@ -0,0 +1,23 @@
+SRC = .
+
+SELF_NAME = OpenSSH_Anonymous_Access
+
+SSHD_CONFIG_DIR = /etc/ssh/sshd_config.d
+SSH_LIBEXEC_DIR = /usr/lib/ssh
+
+.PHONY: install install-files install-link
+
+install: install-files install-link
+ systemctl reload sshd
+
+install-files:
+ install -d "$(SSHD_CONFIG_DIR)" "$(SSH_LIBEXEC_DIR)"
+
+ install -m0644 -t "$(SSHD_CONFIG_DIR)" "$(SRC)/anonymous-access.conf"
+ install -t "$(SSH_LIBEXEC_DIR)" "$(SRC)/$(SELF_NAME)"
+
+# The location of this link is hard-coded here and in the
+# OpenSSH_Anonymous_Access script.
+install-link:
+ [ -e /etc/ssh/AuthorizedKeysCommand ] || ln -s -t /etc/ssh "$(SSH_LIBEXEC_DIR)/$(SELF_NAME)"
+
diff --git a/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access
new file mode 100755
index 0000000..c6d0bfc
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access
@@ -0,0 +1,8 @@
+#!/bin/sh
+# First argument is OpenSSH auth line.
+# Following arguments are the ForceCommand.
+keys=$1
+shift
+if [ -x "$1" ]
+then printf 'restrict,pty,command="%s" %s\n' "$*" "$keys"
+fi
diff --git a/OpenSSH_Anonymous_Access/README.txt b/OpenSSH_Anonymous_Access/README.txt
new file mode 100644
index 0000000..fb08716
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/README.txt
@@ -0,0 +1,14 @@
+OpenSSH Anonymous Access
+------------------------
+
+This repository contains a configuration file for openssh-server that enables
+anonymous access to user accounts with the forced command
+`$HOME/.ssh/AnonymousAccessCommand`.
+
+When this is installed each user can install their own `AnonymousAccessCommand`
+to control access to their account through `OpenSSH`.
+
+Note that this configuration does make it easy for users to accidentally
+compromise their own accounts.
+
+
diff --git a/OpenSSH_Anonymous_Access/anonymous-access.conf b/OpenSSH_Anonymous_Access/anonymous-access.conf
new file mode 100644
index 0000000..7329eb0
--- /dev/null
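Review bot: In `install-link`, `ln -s -t /etc/ssh "$(SSH_LIBEXEC_DIR)/$(SELF_NAME)"` creates a link named `/etc/ssh/OpenSSH_Anonymous_Access` (`-t` takes the target's basename), but the guard tests `/etc/ssh/AuthorizedKeysCommand`, so the guard never matches and a second `make install` fails with "File exists"; the pre-split recipe in EndoForge/Makefile only worked because the script itself was named AuthorizedKeysCommand. Name the link explicitly: `[ -e /etc/ssh/AuthorizedKeysCommand ] || [ -L /etc/ssh/AuthorizedKeysCommand ] || ln -s "$(SSH_LIBEXEC_DIR)/$(SELF_NAME)" /etc/ssh/AuthorizedKeysCommand` (the `-L` test also covers a dangling link, which `-e` alone reports as absent). The `anonymous-access.conf` added in this commit never references `/etc/ssh/AuthorizedKeysCommand` — it runs `/bin/sh -c` inline — so as far as this diff shows the installed script and link are not what sshd executes, and the comment `# The location of this link is hard-coded here and in the OpenSSH_Anonymous_Access script` does not match the script in this commit either, which contains no such path. Either the comment and link belong to an older design and should go, or the conf was meant to point at the link; the commit should say which.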
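Review bot: The printf on the `then` line interpolates `$*` inside the `command="..."` option without rejecting a double quote, so a `"` in the forced-command path (presumably derived from the user's home directory, as in the deleted caller) would corrupt the authorized_keys options field; the deleted `EndoForge/src/AuthorizedKeysCommand` guarded this with `case "$userhome" in *'"'*) exit ;; esac`, and that check was lost in the split. Restore it on the joined arguments before the printf: `case "$*" in *'"'*) exit 1 ;; esac`. The header comment would be more useful if it also stated the contract with sshd — one authorized_keys line on stdout when `$1` is an executable file, no output otherwise — and, since `anonymous-access.conf` in this same commit does not invoke this script, which caller is expected to supply the arguments.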
+++ b/OpenSSH_Anonymous_Access/anonymous-access.conf
@@ -0,0 +1,13 @@
+ExposeAuthInfo=yes
+AuthorizedKeysCommandUser=root
+AuthorizedKeysCommand=/bin/sh -c '[ -x "$0" ] && echo "restrict,pty,command=\\"$0 $*\\" %t %k"' "%h/.ssh/AnonymousAccessCommand" "%f"
+# This will break if a user's $HOME contains a double quote. Sorry not sorry.
+
+# This simpler version works:
+# AuthorizedKeysCommand=/bin/echo 'restrict,pty,command="%h/.ssh/AnonymousAccessCommand" %t %k'
+#
+# But that interferes with login failures on accounts that don't have that file.
+#
+# So a shell script is used that checks to make sure the file exists for the
+# user before generating any auth line.
+
-- 
cgit v1.2.3
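Review bot: `AuthorizedKeysCommandUser=root` runs the command as root on every public-key authentication attempt, although all it does is `[ -x ]` one path and echo a line; sshd_config(5) recommends a dedicated account with no other role for this setting. If root was chosen so the check can traverse home directories with restrictive modes, a one-line comment saying so would save the next reviewer the same question; otherwise a dedicated unprivileged user is the least-privilege choice. The `\\"` escaping inside the single-quoted `-c` string relies on how sshd's config tokenizer treats backslashes, which has changed between OpenSSH releases, so `sshd -t` after install plus one test login against an account without `AnonymousAccessCommand` would confirm that the option string sshd actually produces is the intended one. The existing comment about double quotes would be clearer if it named the cause: `# %h is inserted unescaped, so a '"' in a home directory path breaks the options string.`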