From 099d70f87208afc6bc0baf098c266c0d705f2453 Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Tue, 26 Oct 2021 09:29:50 -0400
Subject: split OpenSSH_Anonymous_Access from EndoForge

EndoForge now installs OpenSSH_Anonymous_Access as a dependency.
---
 OpenSSH_Anonymous_Access/Makefile | 23 +++++++++++++++++++++++
 OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access | 8 ++++++++
 OpenSSH_Anonymous_Access/README.txt | 14 ++++++++++++++
 OpenSSH_Anonymous_Access/anonymous-access.conf | 13 +++++++++++++
 4 files changed, 58 insertions(+)
 create mode 100644 OpenSSH_Anonymous_Access/Makefile
 create mode 100755 OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access
 create mode 100644 OpenSSH_Anonymous_Access/README.txt
 create mode 100644 OpenSSH_Anonymous_Access/anonymous-access.conf
(limited to 'OpenSSH_Anonymous_Access')

diff --git a/OpenSSH_Anonymous_Access/Makefile b/OpenSSH_Anonymous_Access/Makefile
new file mode 100644
index 0000000..d93c271
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/Makefile
@@ -0,0 +1,23 @@
+SRC = .
+
+SELF_NAME = OpenSSH_Anonymous_Access
+
+SSHD_CONFIG_DIR = /etc/ssh/sshd_config.d
+SSH_LIBEXEC_DIR = /usr/lib/ssh
+
+.PHONY: install install-files install-link
+
+install: install-files install-link
+ systemctl reload sshd
+
+install-files:
+ install -d "$(SSHD_CONFIG_DIR)" "$(SSH_LIBEXEC_DIR)"
+
+ install -m0644 -t "$(SSHD_CONFIG_DIR)" "$(SRC)/anonymous-access.conf"
+ install -t "$(SSH_LIBEXEC_DIR)" "$(SRC)/$(SELF_NAME)"
+
+# The location of this link is hard-coded here and in the
+# OpenSSH_Anonymous_Access script.
+install-link:
+ [ -e /etc/ssh/AuthorizedKeysCommand ] || ln -s -t /etc/ssh "$(SSH_LIBEXEC_DIR)/$(SELF_NAME)"
+
diff --git a/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access
new file mode 100755
index 0000000..c6d0bfc
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/OpenSSH_Anonymous_Access
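Review bot: The `install` target reloads sshd immediately after dropping a new file into `sshd_config.d`, with no configuration check in between; a directive sshd rejects turns the HUP re-exec into a failed start and can leave no listener, so add a `sshd -t` recipe line before `systemctl reload sshd` unless the service unit's ExecReload is known to run it already. The comment above `install-link` says the link path is also hard-coded in the OpenSSH_Anonymous_Access script, but the script added in this commit never mentions `/etc/ssh/AuthorizedKeysCommand`, and neither does `anonymous-access.conf`, so either the comment is stale or the link's consumer lives outside this commit and should be named. The `[ -e … ] || ln -s` guard never corrects an existing link that points elsewhere, and a dangling link makes `-e` false so the following `ln -s` fails with "File exists"; `ln -sfn "$(SSH_LIBEXEC_DIR)/$(SELF_NAME)" /etc/ssh/AuthorizedKeysCommand` is deterministic if the link is owned by this project, as the comment implies. `install-files` also assumes the host's sshd_config already includes `sshd_config.d/*.conf`; if it does not, the drop-in is silently ignored, which is worth a line in the comment or a check.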
@@ -0,0 +1,8 @@
+#!/bin/sh
+# First argument is OpenSSH auth line.
+# Following arguments are the ForceCommand.
+keys=$1
+shift
+if [ -x "$1" ]
+then printf 'restrict,pty,command="%s" %s\n' "$*" "$keys"
+fi
diff --git a/OpenSSH_Anonymous_Access/README.txt b/OpenSSH_Anonymous_Access/README.txt
new file mode 100644
index 0000000..fb08716
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/README.txt
@@ -0,0 +1,14 @@
+OpenSSH Anonymous Access
+------------------------
+
+This repository contains a configuration file for openssh-server that enables
+anonymous access to user accounts with the forced command
+`$HOME/.ssh/AnonymousAccessCommand`.
+
+When this is installed each user can install their own `AnonymousAccessCommand`
+to control access to their account through `OpenSSH`.
+
+Note that this configuration does make it easy for users to accidentally
+compromise their own accounts.
+
+
diff --git a/OpenSSH_Anonymous_Access/anonymous-access.conf b/OpenSSH_Anonymous_Access/anonymous-access.conf
new file mode 100644
index 0000000..7329eb0
--- /dev/null
+++ b/OpenSSH_Anonymous_Access/anonymous-access.conf
@@ -0,0 +1,13 @@
+ExposeAuthInfo=yes
+AuthorizedKeysCommandUser=root
+AuthorizedKeysCommand=/bin/sh -c '[ -x "$0" ] && echo "restrict,pty,command=\\"$0 $*\\" %t %k"' "%h/.ssh/AnonymousAccessCommand" "%f"
+# This will break if a user's $HOME contains a double quote. Sorry not sorry.
+
+# This simpler version works:
+# AuthorizedKeysCommand=/bin/echo 'restrict,pty,command="%h/.ssh/AnonymousAccessCommand" %t %k'
+#
+# But that interferes with login failures on accounts that don't have that file.
+#
+# So a shell script is used that checks to make sure the file exists for the
+# user before generating any auth line.
+
--
cgit v1.2.3
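Review bot: The forced-command path is interpolated into `command="%s"` unescaped, so a `"` anywhere in `$*` ends the quoted option early and whatever follows is parsed as part of the key line; the conf file acknowledges this for `%h`, but this script is the reusable piece and should handle it, since authorized_keys option values accept `\"`: `cmd=$(printf '%s' "$*" | sed 's/"/\\"/g')` followed by `printf 'restrict,pty,command="%s" %s\n' "$cmd" "$keys"`. `shift` on an empty argument list is a fatal error in some POSIX shells (dash among them), so a misconfigured sshd that calls the script with no arguments gets the shell's own message rather than a clear failure; `[ $# -ge 2 ] || exit 1` before the `shift` makes the contract explicit. The header comment could also state the behaviour an operator relies on: when the command is not executable the script prints nothing and exits 0, so the presented key is simply not authorized, and because sshd runs this as the configured AuthorizedKeysCommandUser the `-x` test is evaluated with that user's privileges, not the target user's.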
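Review bot: `AuthorizedKeysCommandUser=root` runs the inline `/bin/sh -c` snippet as root on every public-key attempt, whereas OpenSSH's guidance for this directive is a dedicated unprivileged user; root may genuinely be required here because the check stats a file under every user's home regardless of its permissions, but if so that reason belongs in a comment next to the directive, e.g. `# root: the command must stat files under any user's home, whatever its mode`. The active `AuthorizedKeysCommand` line is a second, inline implementation of the OpenSSH_Anonymous_Access script this same commit installs and links to `/etc/ssh/AuthorizedKeysCommand`, so the two will drift (the quoting caveat on the next line applies to both today); if the script is meant to be the one in use, the directive would follow its argument convention of auth line first, then the command: `AuthorizedKeysCommand=/etc/ssh/AuthorizedKeysCommand "%t %k" "%h/.ssh/AnonymousAccessCommand" "%f"`. Because the emitted line echoes back `%t %k`, any key the client offers is accepted and the only access control left is the per-user command; the README says this, and one sentence at the top of this file would let someone reading the drop-in on its own see it too.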