author | Gordon GECOS <u@adam> | 2023-11-21 21:55:52 -0500 |
---|---|---|
committer | Gordon GECOS <u@adam> | 2023-11-21 21:55:52 -0500 |
commit | 3095477fd53d405dd60c55a84e30f69dae98eef8 (patch) | |
tree | 00359a57965c270086302c3f9dd1c6fa645193ca |
initial
-rw-r--r-- | Makefile | 74 | ||||
-rwxr-xr-x | extract-ed25519-pubkey | 16 |
2 files changed, 90 insertions, 0 deletions
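--- /dev/null
+++ b/Makefile
@@ -0,0 +1,74 @@
+SHELL = bash
+.DELETE_ON_ERROR: y
+SUDO != [ "$$(id -u)" = 0 ] || echo sudo
+
+.DEFAULT_TARGET = testall
+
+target = testfile
+
+signature = $(target).sig
+
+hostname != hostname
+identity = root@$(hostname)
+quoted_identity != printf %q $(identity)
+
+.PHONY: test validate
+
+testall: $(signature) check-novalidate find-principals verify
+
+validate: $(signature) verify
+
+testfile:
+	echo hello world > $@
+
+hostkey = /etc/ssh/ssh_host_ed25519_key
+key = $(hostkey)
+
+%.sig: % | /usr/bin/ssh-keygen
+	$(SUDO) ssh-keygen -n file -I $(quoted_identity) -f $(key) -Y sign $^
+	$(MAKE) verify
+
+dirs = $(dir $(hostkey))
+$(dirs):
+	mkdir -p $@
+
+$(hostkey): | /usr/sbin/sshd /usr/bin/ssh-keygen $(dir $(hostkey))
+	test -e $@ || $(SUDO) ssh-keygen -t ed25519 -N '' -f $@
+
+.PHONY: check-novalidate verify find-principals clean
+clean:
+	rm -f test test.sig
+check-novalidate: $(signature) | /usr/bin/ssh-keygen
+	ssh-keygen -n file -s $(signature) -f $(key).pub \
+	-Y $@ < $(target)
+
+find-principals: $(signature) | /usr/bin/ssh-keygen
+	ssh-keygen -n file -s $(signature) -f $(allowed) \
+	-Y $@ < $(target)
+
+allowed = <(printf '"%s" ' $(quoted_identity); cat $(key).pub)
+
+verify: | /usr/bin/ssh-keygen /usr/bin/basez
+	ssh-keygen -n file -I $(quoted_identity) -f $(allowed) -s $(signature) \
+	-Y $@ < $(target)
+	ssh-keygen -r . -f $(key).pub
+	ssh-keygen -e -f $(key).pub
+	ssh-keygen -t ed25519 -i -f <(ssh-keygen -e -f $(key).pub) | \
+	sed -ne 's/^ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI/I/p' | \
+	basez -d | tail -c32 | basez -x
+
+/usr/bin/apt:
+	$(warning Please install OpenSSH through your system package manager.)
+	@false
+
+apt_dep_bins = /usr/bin/ssh-keygen /usr/sbin/sshd
+apt_dep_bins += /usr/bin/basez
+#apt_dep_bins += /usr/bin/sipcalc
+
+apt_deps = openssh-client openssh-server
+apt_deps += basez
+#apt_deps += sipcalc
+
+$(apt_dep_bins): | /usr/bin/apt
+	$(SUDO) apt install --no-upgrade $(apt_deps)
+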
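Review bot: `verify` (line 51) lists no prerequisite on `$(signature)`, while `testall` and `validate` name `$(signature)` and `verify` as sibling prerequisites, so under `make -j` the verification can run before the signature file exists; `verify: $(signature) | /usr/bin/ssh-keygen /usr/bin/basez` closes that race and makes the `$(MAKE) verify` call inside the `%.sig` recipe redundant. `clean` removes `test` and `test.sig`, but the files this Makefile produces are `$(target)` and `$(signature)`, so the recipe should read `rm -f $(target) $(signature)`. `.DEFAULT_TARGET` is not a GNU make variable; the default goal is `testall` only because it happens to be the first rule, and `.DEFAULT_GOAL := testall` is the documented form (likewise `.PHONY: test validate` names `test`, which has no rule — presumably `testall` was meant). The `$(hostkey)` rule generates the live sshd host key with an empty passphrase via `$(SUDO)` but creates its directory with an unprivileged `mkdir -p`, and nothing depends on `$(hostkey)`, so it only fires when named explicitly; a header comment such as `# Signs with the system's ed25519 host key; meant for disposable test hosts — the $(hostkey) rule will create a missing host key` would make that intent visible to anyone running this on a real machine.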
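--- /dev/null
+++ b/extract-ed25519-pubkey
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+set -o pipefail
+
+read_ssh_key()
+{
+	ssh-keygen -i -f <(ssh-keygen -e -f <(cat "$@"))
+}
+
+extract_ed25519()
+{
+	sed -ne 's/^ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI/I/p' |
+	basez -d | tail -c32 | basez -x
+}
+
+read_ssh_key "$@" | extract_ed25519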
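Review bot: `extract_ed25519` exits 0 with empty output when the input is not an ed25519 key: `sed -ne '…/p'` prints nothing for a non-matching line, and `basez -d | tail -c32 | basez -x` all succeed on empty input, so `set -e`/`set -o pipefail` never see a failure and a caller gets an empty "public key" with a success status. Adding `grep .` after the sed stage — `sed -ne 's/^ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI/I/p' | grep . | basez -d | tail -c32 | basez -x` — makes the pipeline fail for unsupported key types. The sed substitution is opaque without a comment; something like `# the replaced base64 prefix is presumably the fixed ssh wire header (key-type string + length); keep the trailing 'I' so the remainder stays 4-char aligned, then the last 32 decoded bytes are the raw public key` would let a reader check the constant rather than trust it.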