From 2e5909e761f40e42684fbaa71f3b5bcb49500567 Mon Sep 17 00:00:00 2001 From: Andrew Cady Date: Sat, 23 Oct 2021 12:52:42 -0400 Subject: move all files to EndoForge --- EndoForge/src/AnonymousAccessCommand | 126 +++++++++++++++++++++++++++++++++++ EndoForge/src/AuthorizedKeysCommand | 15 +++++ EndoForge/src/anonymous-access.conf | 10 +++ 3 files changed, 151 insertions(+) create mode 100755 EndoForge/src/AnonymousAccessCommand create mode 100755 EndoForge/src/AuthorizedKeysCommand create mode 100644 EndoForge/src/anonymous-access.conf (limited to 'EndoForge/src') diff --git a/EndoForge/src/AnonymousAccessCommand b/EndoForge/src/AnonymousAccessCommand new file mode 100755 index 0000000..443d25e --- /dev/null +++ b/EndoForge/src/AnonymousAccessCommand 
@@ -0,0 +1,126 @@ +#!/bin/sh +default_msg() +{ + sshfpline="$(get_sshfp_authline ${SSH_CLIENT%% *})" + cat <&2 + + You are: + + $authline + $sshfpline + +EOF +} + +get_sshfp_authline() +{ + ( + r=${1:-.} + key=$(mktemp) || exit + trap 'rm -rf "$key"' EXIT + echo "$authline" > "$key" + get_sshfp "$key" "$r" + ) +} + +get_sshfp() +{ + ( + key="$1" + r="${2:-.}" + dns=$(mktemp) || exit + trap 'rm -rf "$dns"' EXIT + + ssh-keygen -r "$r" -f "$key" > "$dns" + exec < "$dns" + while read line + do + set -- $line + if [ "$3 $5" = "SSHFP 2" ] + then + echo "$line" + break + fi + done + ) +} + +ssh_client_fingerprint_base16() +{ + set -- $(get_sshfp_authline) + [ "$6" ] + echo $6 +} + +check_if_self_forge() +{ + # TODO: don't use description, but something else. + local dir="$1" + [ -d "$dir" ] || exit + [ -r "$dir"/description ] || exit + read description < "$dir"/description + if [ "$description" != self-forge ] && [ "$(GIT_DIR=$dir git config core.self-forge)" != true ] + then + echo 'Error: access denied. The specified directory is not a self-forge.' >&2 + exit + fi +} + +read authtype authline < "$SSH_USER_AUTH" || exit +[ "$authtype" = publickey ] || exit + +cmd=${SSH_ORIGINAL_COMMAND%% *} + +case "$cmd" in + git-send-pack | git-upload-pack) + GIT_NAMESPACE= + ;; + git-receive-pack) + export GIT_NAMESPACE="$(ssh_client_fingerprint_base16)" + [ "$GIT_NAMESPACE" ] || exit + ;; + *) + default_msg + exit + ;; +esac + +arg=${SSH_ORIGINAL_COMMAND#* } +arg=${arg%\'} +arg=${arg#\'} +case "$arg" in + *\'*) exit ;; + *.git) ;; + *) arg=$arg/.git ;; +esac + +dir=$(readlink -e "$arg") || exit + +check_if_self_forge "$dir" + +with_allowCurrentBranch() +{ + local cmd="$1" dir="$2" + ( + set -eC + lockfile=$GIT_DIR/index.lock + echo $$ > "$lockfile" + trap 'rm -f "$lockfile"' EXIT + + # This doesn't seem very secure. Need to patch git probably. 
+ for deny in CurrentBranch # DeleteCurrent + do git config receive.deny$deny false + done + "$@" + for deny in CurrentBranch # DeleteCurrent + do git config receive.deny$deny true + done + ) +} + +if [ "$GIT_NAMESPACE" ] +then + GIT_DIR=$dir with_allowCurrentBranch "$cmd" "$dir" +else + "$cmd" "$dir" +fi diff --git a/EndoForge/src/AuthorizedKeysCommand b/EndoForge/src/AuthorizedKeysCommand new file mode 100755 index 0000000..6e13063 --- /dev/null +++ b/EndoForge/src/AuthorizedKeysCommand @@ -0,0 +1,15 @@ +#!/bin/sh +username=$1 +userhome=$2 +fingerprint=$3 +authline="$4 $5" + +case "$userhome" in + *'"'*) exit ;; +esac + +usercommand=$userhome/.ssh/AnonymousAccessCommand + +[ -x "$usercommand" ] || exit + +printf 'command="%s",no-port-forwarding %s\n' "$usercommand $fingerprint" "$authline" diff --git a/EndoForge/src/anonymous-access.conf b/EndoForge/src/anonymous-access.conf new file mode 100644 index 0000000..5cd6b6a --- /dev/null +++ b/EndoForge/src/anonymous-access.conf @@ -0,0 +1,10 @@ +ExposeAuthInfo=yes +AuthorizedKeysCommandUser=root +AuthorizedKeysCommand=/etc/ssh/AuthorizedKeysCommand %u %h %f "%t %k" + +# %u The username. +# %h The home directory of the user. +# %f The fingerprint of the key or certificate. +# %t The key or certificate type. +# %k The base64-encoded key or certificate for authentication. + -- cgit v1.2.3
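Review bot: In with_allowCurrentBranch the subshell runs under `set -eC`, so when `"$@"` (git-receive-pack) exits non-zero — a rejected push or a client that disconnects mid-transfer — the subshell exits right there, the EXIT trap removes index.lock, and the trailing loop that sets `receive.denyCurrentBranch` back to `true` never runs, leaving the repository accepting pushes to its checked-out branch until the next successful anonymous push restores it. Move the restore into the trap so it runs on every exit path: `trap 'git config receive.denyCurrentBranch true; rm -f "$lockfile"' EXIT`, and drop the second for-loop. Separately, `ssh_client_fingerprint_base16` evaluates `[ "$6" ]` but discards its result and echoes `$6` regardless; only the caller's `[ "$GIT_NAMESPACE" ] || exit` actually guards an empty fingerprint, so either make it `[ "$6" ] || exit` or remove the dead test. Note also that `readlink -e "$arg"` accepts absolute paths, so check_if_self_forge (already flagged by the TODO as relying on the description file) is the sole control over which repositories an anonymous client can reach.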
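Review bot: The generated authorized_keys line carries only `no-port-forwarding`, so an anonymous client — whose key is accepted here unconditionally — still gets a pty, agent and X11 forwarding, and `~/.ssh/rc` execution alongside the forced command. Since the accompanying config already depends on ExposeAuthInfo (OpenSSH 7.6+), the `restrict` option (7.2+) is available and is the documented way to lock down a forced-command key: `printf 'command="%s",restrict %s\n' "$usercommand $fingerprint" "$authline"`. The forced command presumably needs no pty (its only output is a here-doc to stderr), but if that turns out to be wrong, add `pty` back explicitly after `restrict`. Also, `$fingerprint` is passed as `$1` to AnonymousAccessCommand, which in this commit never reads it and instead recomputes the fingerprint from SSH_USER_AUTH, so either drop the argument or add a comment saying why it is kept.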
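Review bot: `AuthorizedKeysCommandUser=root` runs the key lookup with full privileges, yet the command only tests whether `%h/.ssh/AnonymousAccessCommand` is executable and prints one line — work any unprivileged account that can traverse home directories can do — and it is invoked for every unauthenticated connection with client-chosen `%t %k` values. Set a dedicated low-privilege account here (`AuthorizedKeysCommandUser=nobody` or a purpose-made user) so a defect in the script cannot be leveraged pre-authentication; if home directories are not world-traversable, that is the one thing to verify before switching. The file would also benefit from a short header such as `# Requires OpenSSH >= 7.6 (ExposeAuthInfo); presumably meant as an sshd_config Include fragment`, since the SSH_USER_AUTH mechanism AnonymousAccessCommand depends on does not exist in older servers. Because there is no enclosing Match block, this AuthorizedKeysCommand applies to every account on the host, with the presence of the executable in the account's home as the only opt-in — worth stating in the same header.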