initial

author: Gordon GECOS <u@adam> 2023-11-21 21:55:52 -0500
committer: Gordon GECOS <u@adam> 2023-11-21 21:55:52 -0500
commit: 3095477fd53d405dd60c55a84e30f69dae98eef8 (patch)
tree: 00359a57965c270086302c3f9dd1c6fa645193ca
2 files changed, 90 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..909b444
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,74 @@
+SHELL = bash
+.DELETE_ON_ERROR: y
+SUDO != [ "$$(id -u)" = 0 ] || echo sudo
+.DEFAULT_TARGET = testall
+target = testfile
+signature = $(target).sig
+hostname != hostname
+identity = root@$(hostname)
+quoted_identity != printf %q $(identity)
+.PHONY: test validate
+testall: $(signature) check-novalidate find-principals verify
+validate: $(signature) verify
+testfile:
+        echo hello world > $@
+hostkey = /etc/ssh/ssh_host_ed25519_key
+key = $(hostkey)
+%.sig: % | /usr/bin/ssh-keygen
+        $(SUDO) ssh-keygen -n file -I $(quoted_identity) -f $(key) -Y sign $^
+        $(MAKE) verify
+dirs = $(dir $(hostkey))
+$(dirs):
+        mkdir -p $@
+$(hostkey): | /usr/sbin/sshd /usr/bin/ssh-keygen $(dir $(hostkey))
+        test -e $@ || $(SUDO) ssh-keygen -t ed25519 -N '' -f $@
+.PHONY: check-novalidate verify find-principals clean
+clean:
+        rm -f test test.sig
+check-novalidate: $(signature) | /usr/bin/ssh-keygen
+        ssh-keygen -n file -s $(signature) -f $(key).pub \
+          -Y $@ < $(target)
+find-principals: $(signature) | /usr/bin/ssh-keygen
+        ssh-keygen -n file -s $(signature) -f $(allowed) \
+          -Y $@ < $(target)
+allowed = <(printf '"%s" ' $(quoted_identity); cat $(key).pub)
+verify: | /usr/bin/ssh-keygen /usr/bin/basez
+        ssh-keygen -n file -I $(quoted_identity) -f $(allowed) -s $(signature) \
+          -Y $@ < $(target)
+        ssh-keygen -r . -f $(key).pub
+        ssh-keygen -e -f $(key).pub
+        ssh-keygen -t ed25519 -i -f <(ssh-keygen -e -f $(key).pub) | \
+          sed -ne 's/^ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI/I/p' | \
+          basez -d | tail -c32 | basez -x
+/usr/bin/apt:
+        $(warning Please install OpenSSH through your system package manager.)
+        @false
+apt_dep_bins = /usr/bin/ssh-keygen /usr/sbin/sshd
+apt_dep_bins += /usr/bin/basez
+#apt_dep_bins += /usr/bin/sipcalc
+apt_deps = openssh-client openssh-server
+apt_deps += basez
+#apt_deps += sipcalc
+$(apt_dep_bins): | /usr/bin/apt
+        $(SUDO) apt install --no-upgrade $(apt_deps)
diff --git a/extract-ed25519-pubkey b/extract-ed25519-pubkey
new file mode 100755
index 0000000..ed66db4
--- /dev/null
+++ b/extract-ed25519-pubkey
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+set -o pipefail
+read_ssh_key()
+{
+    ssh-keygen -i -f <(ssh-keygen -e -f <(cat "$@"))
+}
+extract_ed25519()
+{
+    sed -ne 's/^ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI/I/p' |
+    basez -d | tail -c32 | basez -x
+}
+read_ssh_key "$@" | extract_ed25519
author	Gordon GECOS <u@adam>	2023-11-21 21:55:52 -0500
committer	Gordon GECOS <u@adam>	2023-11-21 21:55:52 -0500
commit	3095477fd53d405dd60c55a84e30f69dae98eef8 (patch)
tree	00359a57965c270086302c3f9dd1c6fa645193ca

diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..909b444 --- /dev/null +++ b/Makefile
@@ -0,0 +1,74 @@
	1	SHELL = bash
	2	.DELETE_ON_ERROR: y
	3	SUDO != [ "$$(id -u)" = 0 ] \|\| echo sudo
	4
	5	.DEFAULT_TARGET = testall
	6
	7	target = testfile
	8
	9	signature = $(target).sig
	10
	11	hostname != hostname
	12	identity = root@$(hostname)
	13	quoted_identity != printf %q $(identity)
	14
	15	.PHONY: test validate
	16
	17	testall: $(signature) check-novalidate find-principals verify
	18
	19	validate: $(signature) verify
	20
	21	testfile:
	22	echo hello world > $@
	23
	24	hostkey = /etc/ssh/ssh_host_ed25519_key
	25	key = $(hostkey)
	26
	27	%.sig: % \| /usr/bin/ssh-keygen
	28	$(SUDO) ssh-keygen -n file -I $(quoted_identity) -f $(key) -Y sign $^
	29	$(MAKE) verify
	30
	31	dirs = $(dir $(hostkey))
	32	$(dirs):
	33	mkdir -p $@
	34
	35	$(hostkey): \| /usr/sbin/sshd /usr/bin/ssh-keygen $(dir $(hostkey))
	36	test -e $@ \|\| $(SUDO) ssh-keygen -t ed25519 -N '' -f $@
	37
	38	.PHONY: check-novalidate verify find-principals clean
	39	clean:
	40	rm -f test test.sig
	41	check-novalidate: $(signature) \| /usr/bin/ssh-keygen
	42	ssh-keygen -n file -s $(signature) -f $(key).pub \
	43	-Y $@ < $(target)
	44
	45	find-principals: $(signature) \| /usr/bin/ssh-keygen
	46	ssh-keygen -n file -s $(signature) -f $(allowed) \
	47	-Y $@ < $(target)
	48
	49	allowed = <(printf '"%s" ' $(quoted_identity); cat $(key).pub)
	50
	51	verify: \| /usr/bin/ssh-keygen /usr/bin/basez
	52	ssh-keygen -n file -I $(quoted_identity) -f $(allowed) -s $(signature) \
	53	-Y $@ < $(target)
	54	ssh-keygen -r . -f $(key).pub
	55	ssh-keygen -e -f $(key).pub
	56	ssh-keygen -t ed25519 -i -f <(ssh-keygen -e -f $(key).pub) \| \
	57	sed -ne 's/^ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI/I/p' \| \
	58	basez -d \| tail -c32 \| basez -x
	59
	60	/usr/bin/apt:
	61	$(warning Please install OpenSSH through your system package manager.)
	62	@false
	63
	64	apt_dep_bins = /usr/bin/ssh-keygen /usr/sbin/sshd
	65	apt_dep_bins += /usr/bin/basez
	66	#apt_dep_bins += /usr/bin/sipcalc
	67
	68	apt_deps = openssh-client openssh-server
	69	apt_deps += basez
	70	#apt_deps += sipcalc
	71
	72	$(apt_dep_bins): \| /usr/bin/apt
	73	$(SUDO) apt install --no-upgrade $(apt_deps)
	74


diff --git a/extract-ed25519-pubkey b/extract-ed25519-pubkey new file mode 100755 index 0000000..ed66db4 --- /dev/null +++ b/extract-ed25519-pubkey
@@ -0,0 +1,16 @@
	1	#!/bin/bash
	2	set -e
	3	set -o pipefail
	4
	5	read_ssh_key()
	6	{
	7	ssh-keygen -i -f <(ssh-keygen -e -f <(cat "$@"))
	8	}
	9
	10	extract_ed25519()
	11	{
	12	sed -ne 's/^ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI/I/p' \|
	13	basez -d \| tail -c32 \| basez -x
	14	}
	15
	16	read_ssh_key "$@" \| extract_ed25519