From 3d449be640dca3ae2b1124b7377c046c67fe36ab Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Mon, 3 Jan 2022 14:27:43 +0100
Subject: openssh (WIP)

Signed-off-by: Daniel Baumann
---
 openssh/Makefile | 80 +++++++++++++++++++++
 openssh/bin/ssh-ca | 40 +++++++++++
 openssh/bin/ssh-keycheck | 176 +++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 296 insertions(+)
 create mode 100644 openssh/Makefile
 create mode 100755 openssh/bin/ssh-ca
 create mode 100755 openssh/bin/ssh-keycheck

diff --git a/openssh/Makefile b/openssh/Makefile
new file mode 100644
index 0000000..6b3744b
--- /dev/null
+++ b/openssh/Makefile
@@ -0,0 +1,80 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+SHELL := sh -e
+
+SCRIPTS = bin/*
+
+all: build
+
+test:
+ @echo -n "Checking for syntax errors with sh... "
+ @for SCRIPT in $(SCRIPTS); \
+ do \
+ sh -n $${SCRIPT}; \
+ echo -n "."; \
+ done
+ @echo " done."
+
+ @echo -n "Checking for bashisms... "
+ @if [ -x /usr/bin/checkbashisms ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ checkbashisms -f -x $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: devscripts not installed, skipping checkbashisms."; \
+ fi
+ @echo " done."
+
+ @echo -n "Checking with shellcheck... "
+ @if [ -x /usr/bin/shellcheck ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ shellcheck -e SC2039 $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: shellcheck not installed, skipping shellcheck."; \
+ fi
+ @echo " done."
+
+build:
+
+install: build
+ mkdir -p $(DESTDIR)/usr/bin
+ cp -r bin/* $(DESTDIR)/usr/bin
+
+uninstall:
+ for FILE in bin/*; \
+ do \
+ rm -f $(DESTDIR)/usr/bin/$$(basename $${FILE}); \
+ done
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/bin || true
+
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR) || true
+
+clean:
+
+distclean:
+
+reinstall: uninstall install
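Review bot: The `install` target copies the scripts with `cp -r bin/* $(DESTDIR)/usr/bin`, so the installed mode is whatever the checkout happens to carry rather than an explicit executable mode; `install -m 0755 bin/* $(DESTDIR)/usr/bin` would pin it and also not depend on the `mkdir -p` succeeding silently. The `test` recipes rely on `echo -n` under `SHELL := sh -e`, which POSIX leaves implementation-defined; `printf '%s' "Checking ..."` behaves the same everywhere. The `sh -n` loop also stops at the first script with a syntax error because of `-e`, which is presumably intended, but a short comment saying so would save the next reader the question.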
diff --git a/openssh/bin/ssh-ca b/openssh/bin/ssh-ca
new file mode 100755
index 0000000..675a2cf
--- /dev/null
+++ b/openssh/bin/ssh-ca
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+HOST="$(cat /etc/hostname)"
+
+Init ()
+{
+ echo "Init: creating CA key..."
+
+ if [ -e "/etc/ssh-ca/keys/ssh-ca@${HOST}" ] || [ -e "/etc/ssh-ca/keys/ssh-ca@${HOST}.pub" ]
+ then
+ echo "/etc/ssh-ca/keys/ssh-ca@${HOST} key already exists"
+ exit 1
+ fi
+
+ mkdir -p /etc/ssh-ca/keys
+ ssh-keygen -f "/etc/ssh-ca/keys/ssh-ca@${HOST}" -t ed25519 -C ssh-ca@${HOST} -N ""
+}
+
+Sign ()
+{
+ FILE="${1}"
+
+}
+
+case "${1}" in
+ init)
+ Init
+ ;;
+
+ sign)
+ Sign
+ ;;
+
+ *)
+ echo "Usage: ${0} {init}"
+ exit 1
+ ;;
+esac
diff --git a/openssh/bin/ssh-keycheck b/openssh/bin/ssh-keycheck
new file mode 100755
index 0000000..67046f1
--- /dev/null
+++ b/openssh/bin/ssh-keycheck
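Review bot: The CA signing key is generated with an empty passphrase (`-N ""`) into a directory created with the caller's default umask (`mkdir -p /etc/ssh-ca/keys`), so the only protection of the CA private key is the mode ssh-keygen puts on the file itself; create the directory restrictively, `mkdir -p -m 0700 /etc/ssh-ca/keys`, so the key material is not listable by other users. The comment argument `-C ssh-ca@${HOST}` is the one use of `${HOST}` that is unquoted, and since `HOST` is read verbatim from /etc/hostname it should be `-C "ssh-ca@${HOST}"` like the other uses. `Sign` is still a stub, the `sign)` arm calls it without forwarding `"${2}"`, and the usage line lists only `{init}`; presumably WIP as the subject says, but the `sign)` arm would be better left out until `Sign` does something, so a half-implemented subcommand does not exit 0.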
@@ -0,0 +1,176 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+set -e
+
+PROJECT="open-infrastructure"
+SOFTWARE="service-tools"
+PROGRAM="ssh-keycheck"
+
+Parameters ()
+{
+ GETOPT_LONGOPTIONS="bits:,filename:,help,type:,verbose,"
+ GETOPT_OPTIONS="b:,f:,h,t:,v,"
+
+ PARAMETERS="$(getopt --longoptions ${GETOPT_LONGOPTIONS} --name=${PROGRAM} --options ${GETOPT_OPTIONS} --shell sh -- ${@})"
+
+ if [ "${?}" != "0" ]
+ then
+ echo "'${PROGRAM}': getopt exit" >&2
+ exit 1
+ fi
+
+ eval set -- "${PARAMETERS}"
+
+ while true
+ do
+ case "${1}" in
+ -b|--bits)
+ BITS="${2}"
+ shift 2
+ ;;
+
+ -f|--filename)
+ FILES="${2}"
+ shift 2
+ ;;
+
+ -h|--help)
+ HELP="true"
+ shift 1
+ ;;
+
+ -t|--type)
+ TYPES="${2}"
+ shift 2
+ ;;
+
+ -v|--verbose)
+ VERBOSE="true"
+ shift 1
+ ;;
+
+ --)
+ shift 1
+ break
+ ;;
+
+ *)
+ echo "'${PROGRAM}': getopt error" >&2
+ exit 1
+ ;;
+ esac
+ done
+}
+
+Usage ()
+{
+ echo "Usage: ${PROGRAM} -f KEY_FILE[,KEY_FILE] [-b BITS[,BITS]] [-t TYPE[,TYPE]]" >&2
+ echo
+ echo "See ${PROGRAM}(1) and ${SOFTWARE}(7) for more information."
+
+ exit 1
+}
+
+Parameters "${@}"
+
+if [ -z "${FILES}" ] || [ -n "${HELP}" ]
+then
+ Usage
+fi
+
+EXIT="0"
+
+for FILE in ${FILES}
+do
+ if [ ! -e "${FILE}" ]
+ then
+ echo "'${FILE}': no such key file" >&2
+ exit 1
+ fi
+
+ # Run
+ SSH_KEYGEN="$(ssh-keygen -l -f "${FILE}" 2>&1 || true)"
+
+ KEY_TYPE="$(echo "${SSH_KEYGEN}" | awk '{ print $NF }' | sed -e 's|(||' -e 's|)||' | tr '[A-Z]' '[a-z]')"
+ KEY_BITS="$(echo "${SSH_KEYGEN}" | awk '{ print $1 }')"
+
+ case "${KEY_TYPE}" in
+ dsa|ecdsa|ecdsa-sk|ed25519|ed25519-sk|rsa)
+ ;;
+
+ *)
+ case "${VERBOSE}" in
+ true)
+ echo "'${FILE}': invalid key file" >&2
+ ;;
+ esac
+
+ KEY_TYPE="unknown"
+ EXIT="1"
+ ;;
+ esac
+
+ if [ "${KEY_TYPE}" != "unknown" ] && [ -n "${TYPES}" ]
+ then
+ case "${KEY_TYPE}" in
+ $(echo ${TYPES} | sed -e 's|,| |g'))
+ ;;
+
+ *)
+ echo "'${FILE}': wrong type ('${KEY_TYPE}' instead of '${TYPES}')" >&2
+ EXIT="1"
+ ;;
+ esac
+ fi
+
+ if [ "${KEY_TYPE}" != "unknown" ] && [ -n "${BITS}" ]
+ then
+ case "${KEY_BITS}" in
+ $(echo ${BITS} | sed -e 's|,| |g'))
+ ;;
+
+ *)
+ echo "'${FILE}': wrong bits ('${KEY_BITS}' instead of '${BITS}')" >&2
+ EXIT="1"
+ ;;
+ esac
+ fi
+
+ case "${EXIT}" in
+ 0)
+ case "${VERBOSE}" in
+ true)
+
+cat << EOF
+filename: ${FILE}
+bits: ${KEY_BITS}
+type: ${KEY_TYPE}
+EOF
+
+ ;;
+ esac
+ ;;
+
+ esac
+done
+
+exit "${EXIT}"
-- 
cgit v1.2.3
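Review bot: The comma-separated lists the usage line promises are never actually split: `for FILE in ${FILES}` splits on whitespace, so `-f a,b` is looked up as one filename and fails the existence check, and the case patterns `$(echo ${TYPES} | sed -e 's|,| |g'))` and the matching one for `${BITS}` undergo no field splitting, so `-t rsa,ed25519` becomes the single pattern `rsa ed25519` that matches no key type and every key is reported as "wrong type" (same for `-b`). Matching the key's value as a substring of the comma-wrapped list fixes both without changing the option syntax (below). Separately, in `Parameters` the `getopt exit` branch is unreachable, because under `set -e` a failing command substitution in `PARAMETERS="$(getopt ...)"` already aborts the script before `[ "${?}" != "0" ]` runs; capturing with `PARAMETERS="$(getopt ...)" || { echo "'${PROGRAM}': getopt exit" >&2; exit 1; }` keeps the message, and `-- ${@}` should be `-- "${@}"` so arguments containing spaces reach getopt intact.
```shell
for FILE in $(printf '%s\n' "${FILES}" | sed -e 's|,| |g')
do
 # … unchanged: existence check, ssh-keygen -l parsing, key-type allowlist …

 if [ "${KEY_TYPE}" != "unknown" ] && [ -n "${TYPES}" ]
 then
 case ",${TYPES}," in
 *",${KEY_TYPE},"*)
 ;;
 # … unchanged: "wrong type" arm …
 esac
 fi

 if [ "${KEY_TYPE}" != "unknown" ] && [ -n "${BITS}" ]
 then
 case ",${BITS}," in
 *",${KEY_BITS},"*)
 ;;
 # … unchanged: "wrong bits" arm …
 esac
 fi
 # … unchanged: verbose report …
done
```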