From f58f4fdb3919c196a747636007af7da1ee308e28 Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Sun, 24 Oct 2021 06:37:45 -0400
Subject: Eliminate hard-coded values in sshd_config

This dirties up the code though, making the separate directory approach look better again. But it's not that bad.
---
 EndoForge/Makefile | 16 ++++++++++++++--
 EndoForge/src/sshd_config | 19 ++++++++++++-------
 2 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/EndoForge/Makefile b/EndoForge/Makefile
index 3846ebd..b6bba95 100644
--- a/EndoForge/Makefile
+++ b/EndoForge/Makefile
@@ -1,8 +1,11 @@
 ENDOFORGE_BACKUPS = y
 ifneq (,$(ENDOFORGE_BACKUPS))
-INSTALL := install -b --suffix=~$(shell date -Ins | tr -d :)
+SUFFIX := ~$(shell date -Ins | tr -d :)
+INSTALL := install -b --suffix=$(SUFFIX)
+MV := mv -b --suffix=$(SUFFIX)
 else
 INSTALL = install
+MV = mv
 endif
 
 ifeq ($(shell id -u),0)
@@ -32,12 +35,21 @@ SRC = src
 SOURCE_NAMES = AnonymousAccessCommand anonymous-access.conf AuthorizedKeysCommand sshd_config
 SOURCES = $(addprefix $(SRC), $(SOURCE_NAMES))
 
+KEYTYPE = ed25519
+define EDIT_SSHD
+sed \
+	-e 's?ForceCommand=$$?&$(HOME)/.ssh/AnonymousAccessCommand?' \
+	-e 's?AuthorizedKeysCommandUser=$$?&$(USER)?' \
+	-e 's?HostKey=$$?&$(HOME)/.ssh/id_$(KEYTYPE)?' \
+	-e 's?PidFile=$$?&$(HOME)/.ssh/sshd.pid?'
+endef
+
 install: install-user install-root
 
 install-user:
 	$(INSTALL) -d ~/.ssh
 	$(INSTALL) -t ~/.ssh $(SRC)/AnonymousAccessCommand
-	$(INSTALL) -m0600 -t ~/.ssh $(SRC)/sshd_config
+	$(EDIT_SSHD) < $(SRC)/sshd_config > ~/.ssh/sshd_config.tmp && $(MV) ~/.ssh/sshd_config.tmp ~/.ssh/sshd_config
 
 install-root:
 	$(ROOT_INSTALL) -d "$(SSH_CONFIG_DIR)" "$(SSHD_CONFIG_DIR)" "$(SSH_LIB_DIR)" || true
diff --git a/EndoForge/src/sshd_config b/EndoForge/src/sshd_config
index de34cd4..f89a47d 100644
--- a/EndoForge/src/sshd_config
+++ b/EndoForge/src/sshd_config
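Review bot: The replacement install-user line drops the `-m0600` that the removed `$(INSTALL)` line applied: the edited config is now created by shell redirection, so `~/.ssh/sshd_config.tmp` gets whatever mode the umask yields and `$(MV)` carries that mode over to `~/.ssh/sshd_config`, which before this change was always owner-only. An explicit step restores the old guarantee: `$(EDIT_SSHD) < $(SRC)/sshd_config > ~/.ssh/sshd_config.tmp && chmod 0600 ~/.ssh/sshd_config.tmp && $(MV) ~/.ssh/sshd_config.tmp ~/.ssh/sshd_config`. Separately, EDIT_SSHD substitutes `$(USER)` and `$(HOME)` straight from the environment; USER in particular is not guaranteed to be set in every environment, and when it is empty the sed leaves `AuthorizedKeysCommandUser=` blank, so a guard near the define such as `USER ?= $(shell id -un)` (or an `$(error …)` check) would fail early instead of writing a config sshd cannot use. A failed sed also leaves the `.tmp` file behind, because the `&&` chain stops before `$(MV)`.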
@@ -1,15 +1,20 @@ -# This allows completely open access: +# This is an sshd_config for running OpenSSH as an unprivileged user on a +# non-standard port. +Port=22022 + +# This setting completely opens up access: AuthorizedKeysCommand=/bin/echo %t %k -# Only this closes it back up: -ForceCommand=/home/u/.ssh/AnonymousAccessCommand + +# This closes it back up: +ForceCommand= +DisableForwarding=yes AuthenticationMethods publickey -AuthorizedKeysCommandUser=u +AuthorizedKeysCommandUser= ExposeAuthInfo=yes -Port=22022 -HostKey=/home/u/.ssh/id_ed25519 -PidFile=/home/u/.ssh/sshd.pid +HostKey= +PidFile= AcceptEnv LANG LC_* UsePAM no -- cgit v1.2.3
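Review bot: The four directives this commit blanks out (`ForceCommand=`, `AuthorizedKeysCommandUser=`, `HostKey=`, `PidFile=`) carry no hint in the file that they are placeholders filled in by a sed step in the Makefile, so the template now reads as a broken config, and a copy that bypasses the install target (or one where the substitution misses because a line gained trailing whitespace) hands sshd empty values. That matters because `AuthorizedKeysCommand=/bin/echo %t %k` accepts any presented key and the comment above `ForceCommand=` says it "closes it back up"; whether sshd rejects an empty `ForceCommand` at startup or treats it as unset I cannot confirm from here, but either way the file should say it is not loadable as-is. I would add, after the opening comment, `# The empty values below are placeholders; the Makefile's install-user target fills them in (see EDIT_SSHD). Do not point sshd at this file unedited.` The line `# This closes it back up:` could also name what does the closing, e.g. `# ForceCommand (filled in at install time) closes it back up again:`.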