From 5e1f460dd3bf6288893ae61429a94dd90d19cdfb Mon Sep 17 00:00:00 2001 From: Andrew Cady Date: Sun, 24 Oct 2021 06:15:10 -0400 Subject: Removing run-sshd script I realized that if you are running `sshd` as a user, then you can just use `ForceCommand=` directly in the `sshd_config`. This eliminates the need for fakeroot. And that simplifies the setup enough so that the `openssh/` directory can go away. --- EndoForge/Makefile | 33 ++++++++++++++++++++++++--------- EndoForge/README.md | 15 +++++++++------ EndoForge/openssh/AuthorizedKeysCommand | 21 --------------------- EndoForge/openssh/Makefile | 7 ------- EndoForge/openssh/run-sshd | 32 -------------------------------- EndoForge/openssh/sshd_config | 15 --------------- EndoForge/src/sshd_config | 17 +++++++++++++++++ 7 files changed, 50 insertions(+), 90 deletions(-) delete mode 100755 EndoForge/openssh/AuthorizedKeysCommand delete mode 100644 EndoForge/openssh/Makefile delete mode 100755 EndoForge/openssh/run-sshd delete mode 100644 EndoForge/openssh/sshd_config create mode 100644 EndoForge/src/sshd_config diff --git a/EndoForge/Makefile b/EndoForge/Makefile index 46f1af4..3846ebd 100644 --- a/EndoForge/Makefile +++ b/EndoForge/Makefile @@ -1,13 +1,18 @@ +ENDOFORGE_BACKUPS = y +ifneq (,$(ENDOFORGE_BACKUPS)) +INSTALL := install -b --suffix=~$(shell date -Ins | tr -d :) +else +INSTALL = install +endif + ifeq ($(shell id -u),0) SUDO = else SUDO = sudo endif -ROOT_INSTALL = $(SUDO) install - +ROOT_INSTALL = $(SUDO) $(INSTALL) USER != echo "$${SUDO_USER:-$$(id -un)}" - SSH_CONFIG_DIR = /etc/ssh SSHD_CONFIG_DIR = $(SSH_CONFIG_DIR)/sshd_config.d SSH_LIB_DIR = /usr/lib/ssh @@ -15,7 +20,7 @@ USER_SSH_CONFIG_DIR = ~$(USER)/.ssh BROWSER != 2>/dev/null which xdg-open || which w3m || which links || which elinks -.PHONY: install shared doc test +.PHONY: install install-user install-root shared doc test doc: README.html $(BROWSER) $< 
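Review bot: `ENDOFORGE_BACKUPS = y` is a plain assignment, so the only way to switch backups off is a command-line override (`make ENDOFORGE_BACKUPS= install`); `ENDOFORGE_BACKUPS ?= y` would also honour an environment setting, which is the usual shape for an opt-out knob. The two branches of the new `ifneq` also differ in flavour (`INSTALL :=` versus `INSTALL =`); writing the else branch as `INSTALL := install` keeps both simple so `$(ROOT_INSTALL)` expands the same way whichever branch was taken. `install -b --suffix=` and `date -Ins` are GNU coreutils options, which is worth a one-line comment above the block (the file already leans on GNU make via `!=` and `$(shell)`, but a BSD `install`/`date` will fail here in a less obvious way).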
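Review bot: The updated `.PHONY` list adds `install-user` and `install-root` but not `run`, which this commit introduces further down (`run: install-user`); without it a stray file named `run` in the directory makes `make run` report nothing to be done instead of starting sshd. Suggest `.PHONY: install install-user install-root run shared doc test`.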
@@ -24,17 +29,27 @@ shared: install git config core.self-forge true SRC = src -SOURCES = $(addprefix $(SRC), AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand) +SOURCE_NAMES = AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand sshd_config +SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES)) + +install: install-user install-root -install: - install -t $(USER_SSH_CONFIG_DIR) $(SRC)/AnonymousAccessCommand - $(ROOT_INSTALL) -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" || true +install-user: + $(INSTALL) -d ~/.ssh + $(INSTALL) -t ~/.ssh $(SRC)/AnonymousAccessCommand + $(INSTALL) -m0600 -t ~/.ssh $(SRC)/sshd_config + +install-root: + $(ROOT_INSTALL) -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" || true $(ROOT_INSTALL) -m0644 -t "$(SSHD_CONFIG_DIR)" $(SRC)/anonymous-access.conf || true $(ROOT_INSTALL) -t "$(SSH_LIB_DIR)" $(SRC)/AuthorizedKeysCommand || true [ -e "$(SSH_LIB_DIR)"/AuthorizedKeysCommand ] || $(SUDO) ln -s -t /etc/ssh "$(SSH_LIB_DIR)"/AuthorizedKeysCommand +run: install-user + /usr/sbin/sshd -D -e -f ~/.ssh/sshd_config + README.html: README.md - pandoc -s --css style.css -t html $< -o $@ + pandoc --metadata 'EndoForge - A self-forge in any git repository' -s --css style.css -t html $< -o $@ test: make -C test diff --git a/EndoForge/README.md b/EndoForge/README.md index 0b1a8dd..14e640e 100644 --- a/EndoForge/README.md +++ b/EndoForge/README.md @@ -1,6 +1,8 @@ EndoForge --------- -Convert your Git repository into a Self-Forge by merging this repository. +A Self-Forge. + +Convert any Git repository into a Self-Forge by merging this repository. @@ -57,8 +59,8 @@ Run: make install ``` -This installs the `AnonymousAccessCommand` in the current user's home -directory. +This installs the `AnonymousAccessCommand` in the current user's home directory +(under `$HOME/.ssh`). Then, if sudo access is available, it enables anonymous access by editing the system `OpenSSH` configuration. 
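Review bot: `SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))` prefixes each name with `src` and no separator, yielding `srcAnonymousAccessCommand` and so on; it should read `SOURCES = $(addprefix $(SRC)/,$(SOURCE_NAMES))` (the variable is not referenced inside this hunk, so the defect may currently be latent). `install-user` also swaps the old `$(USER_SSH_CONFIG_DIR)` destination for a literal `~/.ssh`, so under `sudo make install` the files now land in root's home while `USER` and `USER_SSH_CONFIG_DIR` (still defined above) keep pointing at the invoking user; either use `$(USER_SSH_CONFIG_DIR)` here or drop the now-unused variable. Because `run` depends on the phony `install-user` and `$(INSTALL)` defaults to `install -b`, every `make run` re-copies `sshd_config` and `AnonymousAccessCommand` and leaves a fresh timestamped backup of each in `~/.ssh`; if that is not intended, `run` could depend on the installed files as real targets instead.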
@@ -71,8 +73,8 @@ editing the system `OpenSSH` configuration. NON-ROOT INSTALLATION --------------------- -A configuration is included for running OpenSSH from an unprivileged user -account. Try it like so: +An OpenSSH configuration and wrapper is included for running EndoForge from an +unprivileged user account. Try it like so: ``` @@ -83,7 +85,8 @@ account. Try it like so: ``` This launches a script that uses 'fakeroot' and to make OpenSSH think the -permissions are OK. +permissions are OK. This repository needs a systemd service file to launch it +automatically (TODO). diff --git a/EndoForge/openssh/AuthorizedKeysCommand b/EndoForge/openssh/AuthorizedKeysCommand deleted file mode 100755 index 0e6d285..0000000 --- a/EndoForge/openssh/AuthorizedKeysCommand +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh -# Modified AuthorizedKeysCommand for running OpenSSH as unprivileged user. -# -# Uses the home directory of the calling user (ascertained through "id -un") -# instead of the authenticated user. - -fingerprint=$3 -authline="$4 $5" - -username=$(id -un) -userhome=$(getent passwd $(id -un) | (IFS=: read _ _ _ _ _ home _ && echo "$home")) - -case "$userhome" in - '' | *"'"* ) exit ;; -esac - -usercommand=$userhome/.ssh/AnonymousAccessCommand - -[ -x "$usercommand" ] || exit - -printf 'command="%s",no-port-forwarding %s\n' "$usercommand $fingerprint" "$authline" diff --git a/EndoForge/openssh/Makefile b/EndoForge/openssh/Makefile deleted file mode 100644 index ae39ed2..0000000 --- a/EndoForge/openssh/Makefile +++ /dev/null @@ -1,7 +0,0 @@ - -run: - ./run-sshd -D -e -f ~/.ssh/sshd_config - -install: - install -m0600 sshd_config -t ~/.ssh - install -m0755 AuthorizedKeysCommand -t ~/.ssh diff --git a/EndoForge/openssh/run-sshd b/EndoForge/openssh/run-sshd deleted file mode 100755 index 20e82d8..0000000 --- a/EndoForge/openssh/run-sshd +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/bin/sh -# Fix file ownership with fakeroot so that OpenSSH will run as a user. -# -# The ownership is not really changed on disk, but 'chmod go-w' might actually -# change permissions on disk. - -case "$LD_PRELOAD" in - libfakeroot-sysv.so) ;; - '') exec fakeroot -- "$0" "$@" ;; - *) exit 1 ;; -esac - -fixperms() -{ - set -- "$1" - local p="$1" oldp= - while [ "$p" != "$oldp" ] - do - oldp=$p - p=${p%/*}/ - set -- "$@" "$p" - done - chown root:root "$@" - chmod go-w "$@" -} - -fixperms "$HOME"/.ssh - -PATH=/sbin:/usr/sbin:$PATH -cmd="$(which sshd) $*" -runuser -u "$USER" -- sh -c "$cmd" - diff --git a/EndoForge/openssh/sshd_config b/EndoForge/openssh/sshd_config deleted file mode 100644 index 2273805..0000000 --- a/EndoForge/openssh/sshd_config +++ /dev/null @@ -1,15 +0,0 @@ -Port=22022 - -HostKey=/home/u/.ssh/id_ed25519 -PidFile=/home/u/.ssh/sshd.pid - -AuthorizedKeysCommandUser=u -AuthorizedKeysCommand=/home/u/.ssh/AuthorizedKeysCommand %u %h %f "%t %k" -ExposeAuthInfo=yes - -AuthenticationMethods publickey -AcceptEnv LANG LC_* -Subsystem sftp /usr/lib/openssh/sftp-server -UsePAM no -PermitTTY no -ChrootDirectory=none diff --git a/EndoForge/src/sshd_config b/EndoForge/src/sshd_config new file mode 100644 index 0000000..de34cd4 --- /dev/null +++ b/EndoForge/src/sshd_config @@ -0,0 +1,17 @@ +# This allows completely open access: +AuthorizedKeysCommand=/bin/echo %t %k +# Only this closes it back up: +ForceCommand=/home/u/.ssh/AnonymousAccessCommand + +AuthenticationMethods publickey +AuthorizedKeysCommandUser=u +ExposeAuthInfo=yes + +Port=22022 +HostKey=/home/u/.ssh/id_ed25519 +PidFile=/home/u/.ssh/sshd.pid + +AcceptEnv LANG LC_* +UsePAM no +PermitTTY no +ChrootDirectory=none -- cgit v1.2.3
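Review bot: The forwarding restriction is lost in the new config: the deleted `openssh/AuthorizedKeysCommand` emitted `no-port-forwarding` on every authorized_keys line, whereas `AuthorizedKeysCommand=/bin/echo %t %k` now accepts any key with no options and `ForceCommand` only constrains the command, so TCP and Unix-socket forwarding stay at sshd's defaults and an anonymous client can use this sshd as a forwarding relay. Add `DisableForwarding yes` next to `PermitTTY no` (OpenSSH 7.4+; on older servers the equivalent is `AllowTcpForwarding no`, `AllowStreamLocalForwarding no`, `AllowAgentForwarding no`, `PermitTunnel no`, `X11Forwarding no`). Separately, `ForceCommand=/home/u/.ssh/AnonymousAccessCommand` and `AuthorizedKeysCommandUser=u` hard-code one account while `install-user` copies this file into whichever user's `~/.ssh` runs make; a comment such as `# Replace both occurrences of "u" with the account that runs sshd` (or generating the file from a template) would avoid a silent mismatch.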