added support for operation via command instead of user

This commit is contained in:
Zehka 2021-11-07 18:02:14 +01:00
parent 8bb7f10d84
commit 30b027014e
2 changed files with 71 additions and 47 deletions

28
foodoor
View File

@ -9,15 +9,29 @@ if [ ! -e $PIPE_PATH ]
exit 1 exit 1
fi fi
case $1 in action="$1"
close) isTriggerActivated="0"
echo close > $PIPE_PATH
if [ -z "$action" ]
then
action="$SSH_ORIGINAL_COMMAND"
isTriggerActivated="1"
fi
case $action in
close|open)
echo $action | tee $PIPE_PATH > /tmp/state
;; ;;
open) status)
echo open > $PIPE_PATH
;; ;;
*) *)
echo "Usage: $(basename $0) { close, open}" echo "Usage: $(basename $0) { close, open, status }"
exit 1 exit 1
;; ;;
esac esac
if [ $isTriggerActivated -eq 1 ]
then
cat /tmp/state
sleep 2
fi

View File

@ -4,53 +4,63 @@ set -e
export PATH="/usr/bin:/bin:/usr/sbin:/sbin" export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
dest=/var/run/foodoor-keys dest=/var/run/foodoor-keys
temp_outfile="$dest.tmp"
if [ ! -e "${dest}/.git/config" ] if [ ! -e "${dest}/.git/config" ]
then then
#echo "Repo does not exist, trying to clone..." #echo "Repo does not exist, trying to clone..."
( cd /var/run && git clone --quiet --single-branch --depth=1 ssh://git.chaospott.de/Chaospott/foodoor-keys.git "${dest}" ) ( cd /var/run && git clone --quiet --single-branch --depth=1 ssh://git.chaospott.de/Chaospott/foodoor-keys.git "${dest}" )
else else
#echo "Repo exists, updating..." #echo "Repo exists, updating..."
( cd "${dest}" && git fetch --quiet && git merge --quiet origin/master master ) ( cd "${dest}" && git fetch --quiet && git merge --quiet origin/master master )
fi fi
for action in open close rm -f ${temp_outfile}
find "${dest}/keys" -name '*.pub' | sort | \
while read keyfile
do
ssh-keygen -l -f ${keyfile} &> /dev/null
if [ $? -eq 0 ]; then
valid=false
keyinfo=$(ssh-keygen -l -f ${keyfile}) # The whole key information
crypto=$(echo "${keyinfo}" | cut -d" " -f4) # Looks like "(RSA)" or "(ED25519)"
key_length=$(echo "${keyinfo}" | cut -d" " -f1)
if [ "${crypto}" == "(RSA)" ]; then
if [ ${key_length} -lt 4096 ]; then
echo "Key size of key ${keyfile} not equal to 4096. Not adding it to key database." >&2
continue
else
valid=true
fi
elif [ "${crypto}" == "(ED25519)" ]; then
valid=true
fi
if [ "$valid" = true ]; then
echo "command=\"/usr/sbin/foodoor \$action \",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ${keyfile}" >> ${temp_outfile}
fi
fi
done
for appendix in open close door
do do
outfile="${dest}/authorized_keys.${action}" action="$appendix"
rm -f ${outfile} if [ "$action" -eq "door" ]
find "${dest}/keys" -name '*.pub' | sort | \ then
while read keyfile action=""
do fi
ssh-keygen -l -f ${keyfile} &> /dev/null
if [ $? -eq 0 ]; then
valid=false
keyinfo=$(ssh-keygen -l -f ${keyfile}) # The whole key information
crypto=$(echo "${keyinfo}" | cut -d" " -f4) # Looks like "(RSA)" or "(ED25519)"
key_length=$(echo "${keyinfo}" | cut -d" " -f1)
if [ "${crypto}" == "(RSA)" ]; then export action
outfile="${dest}/authorized_keys.${appendix}"
cat ${tmp_outfile} |envsubst > ${outfile}
if [ ${key_length} -lt 4096 ]; then # Oben
echo "Key size of key ${keyfile} not equal to 4096. Not adding it to key database." >&2 install -d -o ${appendix} -g nogroup -m 0700 /var/lib/foodoor/${appendix}/.ssh
continue install -b -S .last -o ${appendix} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${appendix}/.ssh/authorized_keys
else
valid=true
fi
elif [ "${crypto}" == "(ED25519)" ]; then
valid=true
fi
if [ "$valid" = true ]; then
printf "command=\"/usr/sbin/foodoor ${action}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding " >> ${outfile}
cat "${keyfile}" >> ${outfile}
echo >> ${outfile}
fi
fi
done
# Oben
install -d -o ${action} -g nogroup -m 0700 /var/lib/foodoor/${action}/.ssh
install -b -S .last -o ${action} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${action}/.ssh/authorized_keys
# Unten # Unten