Compare commits
26 Commits
v1
...
72b2276603
| Author | SHA1 | Date | |
|---|---|---|---|
| 72b2276603 | |||
| b3e57e3b57 | |||
| a104fbf913 | |||
| 897c3a442a | |||
| 3583fddb7b | |||
| 3995b4b289 | |||
| ec75fc14e3 | |||
| 3f59acbfb0 | |||
| 98f31f6965 | |||
| deed2c6764 | |||
| 30b027014e | |||
8bb7f10d84
|
|||
|
116ff5eba0
|
|||
|
8856ba9cf4
|
|||
| 7326d8f70d | |||
| fe2b275779 | |||
| a3add44c29 | |||
| 7d38b27c05 | |||
| c1de357149 | |||
| 10516d232f | |||
| e0dc1222ed | |||
| 4b7406b60a | |||
| 7d1df01a3e | |||
| 1f7515a0ed | |||
| a4539fae1d | |||
| ef06d24202 |
83
README.md
83
README.md
@ -2,6 +2,87 @@
|
||||
|
||||
Das Schließsystem läuft auf einem RaspberryPi mit der Erweiterungsplatine "PiFaceDigitalIO".
|
||||
|
||||
##Software##
|
||||
|
||||
###Installation###
|
||||
<code>apt-get install python-pifacedigitalio </code>
|
||||
|
||||
Um das Paket zu installieren muss die */etc/apt/sources.list* angepasst werden.
|
||||
|
||||
<code>deb http://archive.raspbian.org/raspbian wheezy main contrib non-free rpi</code>
|
||||
|
||||
<code>deb-src http://archive.raspbian.org/raspbian wheezy main contrib non-free rpi</code>
|
||||
|
||||
Wer apt-get benutzt, kann den Raspbian Pubkey zum keyring hinzufügen.
|
||||
|
||||
<code>wget http://archive.raspbian.org/raspbian.public.key -O - | sudo apt-key add -</code>
|
||||
|
||||
|
||||
|
||||
###Dateiliste###
|
||||
Der Deamon besteht aus folgenden Dateien.
|
||||
|
||||
* foodoor
|
||||
* foodoord
|
||||
* foodoord.conf
|
||||
* foodoord_initd
|
||||
* foodoor-ssh-wrapper
|
||||
* foodoor-update-keydb
|
||||
|
||||
Zusätzlich sollte für das git-repo eine Config angelegt werden:
|
||||
|
||||
/root/.ssh/config
|
||||
```
|
||||
Host git.chaospott.de
|
||||
User git
|
||||
Port 2222
|
||||
IdentityFile ~/.ssh/id_chaospott
|
||||
```
|
||||
|
||||
Das IdentityFile ist der Deploy-SSH-Key, der im [Repo](https://git.chaospott.de/Chaospott/foodoor-keys) hinterlegt ist.
|
||||
|
||||
|
||||
##Schüssel
|
||||
|
||||
###Schlüsselupdate
|
||||
<pre><code>foodoor-update-keydb
|
||||
</code></pre>
|
||||
Aktualisiert die die Schlüssel auf der Tür und baut die *Authorized_Keys* für die User *open* und *close*. Keys die nicht dem OpenSSH-Format mit 4096 bit entsprechen, werden ignoriert. Wenn das Script von Hand aufgerufen wird, werden die betroffenen Keys angezeigt. Über einen Cronjob werden die Keys alle **5 Min aktualisiert**.
|
||||
|
||||
###Schlüsselformate###
|
||||
Der foodoord akzeptiert nur Pub-Keys im *OpenSSH2-Format*. Keys lassen sich unter anderem mit OpenSSH oder PuTTygen erzeugen.
|
||||
|
||||
###OpenSSH####
|
||||
|
||||
####Keys generieren####
|
||||
* Mit <code>ssh-keygen -b 4096 </code> lassen sich Keys generieren.
|
||||
* <code>ssh-add $Pfad_zum_Key</code> fügt den Key dem ssh-Agent hinzu. Die Option <code>ssh-add -l</code> zeigt geladene Keys an.
|
||||
* <code>ssh-kegen -l -f $Pfad_zum_Key </code> gibt den Fingerprint und andere Informationen zurück.
|
||||
|
||||
####Keys konvertieren(PuTTy>OpenSSH):####
|
||||
* <code>ssh-keygen -i $Pfad_zum_Key > $Pfad_neuer_Pfad.pub</code> liest ssh2-kompatible Keys(RFC 4716) ein und speichert diese im OpenSSH-Format.
|
||||
|
||||
###PuTTy###
|
||||
Da die Tür nur Keys im OpenSSH-Format verträgt, dürfen auch mit Putty nur OpenSSH-Keys genutzt werden.
|
||||
|
||||
###Keys generieren (OpenSSH-Format mit PuttyGen):###
|
||||
1. PuTTYgen öffnen
|
||||
2. Unten "Number of Bits in a generated Key:" 4096 eintippen
|
||||
3. "Generate" klicken um Key zu generieren
|
||||
4. Nach dem generieren oben im Menu "Conversions" > "Export OpenSSH-Key"
|
||||
5. Speichern
|
||||
|
||||
Es ist zu beachten, dass Putty den PrivateKey im Putty-Format benötigt! Das heißt, falls der generierte Key vor dem Export nicht gespeichert wurde, muss der private Key noch konvertiert werden, siehe nächster Punkt!
|
||||
|
||||
###Keys konvertieren(OpenSSH>PuTTy):###
|
||||
1. PuTTYgen öffnen
|
||||
2. "Load" drücken
|
||||
3. OpenSSH-Key auswählen
|
||||
4. "Save Private-Key" drücken
|
||||
5. Speichern
|
||||
|
||||
##Hardware
|
||||
|
||||
### Input:
|
||||
* ssh-login
|
||||
* Klingel
|
||||
@ -10,4 +91,4 @@ Das Schließsystem läuft auf einem RaspberryPi mit der Erweiterungsplatine "PiF
|
||||
### Output:
|
||||
* Status LEDs
|
||||
* Summer
|
||||
* Keymatic
|
||||
* Keymatic
|
||||
|
||||
28
foodoor
28
foodoor
@ -9,15 +9,29 @@ if [ ! -e $PIPE_PATH ]
|
||||
exit 1
|
||||
fi
|
||||
|
||||
case $1 in
|
||||
close)
|
||||
echo close > $PIPE_PATH
|
||||
action="$1"
|
||||
isTriggerActivated="0"
|
||||
|
||||
if [ -z "$action" ]
|
||||
then
|
||||
action="$SSH_ORIGINAL_COMMAND"
|
||||
isTriggerActivated="1"
|
||||
fi
|
||||
|
||||
case $action in
|
||||
close|open)
|
||||
echo $action | tee $PIPE_PATH |sed 's/open/UNLOCKED/;s/close/LOCKED/' > /state
|
||||
;;
|
||||
open)
|
||||
echo open > $PIPE_PATH
|
||||
status)
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $(basename $0) { close, open}"
|
||||
echo "Usage: $(basename $0) { close, open, status }"
|
||||
exit 1
|
||||
;;
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ $isTriggerActivated -eq 1 ]
|
||||
then
|
||||
cat /state
|
||||
sleep 2
|
||||
fi
|
||||
|
||||
@ -1,2 +0,0 @@
|
||||
#!/bin/sh
|
||||
ssh -i /root/.ssh/id_rsa_gitlab_deploy $1 $2
|
||||
@ -1,37 +1,83 @@
|
||||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
|
||||
export GIT_SSH="/usr/sbin/foodoor-ssh-wrapper"
|
||||
|
||||
dest=/var/run/foodoor-keys
|
||||
temp_outfile="$dest.tmp"
|
||||
|
||||
|
||||
if [ ! -e "${dest}/.git/config" ]
|
||||
then
|
||||
#echo "Repo does not exist, trying to clone..."
|
||||
( cd /var/run && git clone --quiet --single-branch --depth=1 luftschleuse@nordstern.chaospott.de:/home/luftschleuse/foodoor-keys "${dest}" )
|
||||
#echo "Repo does not exist, trying to clone..."
|
||||
( cd /var/run && git clone --quiet --single-branch --depth=1 ssh://git.chaospott.de/Keyverwaltung/foodoor-keys.git "${dest}" )
|
||||
else
|
||||
#echo "Repo exists, updating..."
|
||||
( cd "${dest}" && git fetch --quiet && git merge --quiet origin/master master )
|
||||
#echo "Repo exists, updating..."
|
||||
( cd "${dest}" && git fetch --quiet && git merge --quiet origin/master master )
|
||||
fi
|
||||
|
||||
for action in open close
|
||||
rm -f ${temp_outfile}
|
||||
find "${dest}/keys" -name '*.pub' | sort | \
|
||||
while read keyfile
|
||||
do
|
||||
ssh-keygen -l -f ${keyfile} &> /dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
valid=false
|
||||
keyinfo=$(ssh-keygen -l -f ${keyfile}) # The whole key information
|
||||
crypto=$(echo "${keyinfo}" | cut -d" " -f4) # Looks like "(RSA)" or "(ED25519)"
|
||||
key_length=$(echo "${keyinfo}" | cut -d" " -f1)
|
||||
|
||||
if [ "${crypto}" == "(RSA)" ]; then
|
||||
|
||||
if [ ${key_length} -lt 4096 ]; then
|
||||
echo "Key size of key ${keyfile} not equal to 4096. Not adding it to key database." >&2
|
||||
continue
|
||||
else
|
||||
valid=true
|
||||
fi
|
||||
|
||||
elif [ "${crypto}" == "(ED25519)" ]; then
|
||||
valid=true
|
||||
fi
|
||||
|
||||
if [ "$valid" = true ]; then
|
||||
echo "command=\"/usr/sbin/foodoor \$action \",no-port-forwarding,no-X11-forwarding,no-agent-forwarding $(cat ${keyfile})" >> ${temp_outfile}
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
for appendix in open close door
|
||||
do
|
||||
outfile="${dest}/authorized_keys.${action}"
|
||||
rm -f ${outfile}
|
||||
find "${dest}/keys" -name '*.pub' | sort | \
|
||||
while read keyfile
|
||||
do
|
||||
valid_key=$(ssh-keygen -l -f ${keyfile})
|
||||
if [ "$?" -eq "0" ]; then
|
||||
if [ $(echo "${valid_key}" | cut -d" " -f1) -ne "4096" ]; then
|
||||
echo "Key size of key ${keyfile} not equal to 4096. Not adding it to key database." >&2
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
printf "command=\"/usr/sbin/foodoor ${action}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding " >> ${outfile}
|
||||
cat "${keyfile}" >> ${outfile}
|
||||
done
|
||||
install -d -o ${action} -g nogroup -m 0700 /var/lib/foodoor/${action}/.ssh
|
||||
install -b -S .last -o ${action} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${action}/.ssh/authorized_keys
|
||||
action="$appendix"
|
||||
if [ "$action" = "door" ]
|
||||
then
|
||||
action=""
|
||||
fi
|
||||
|
||||
export action
|
||||
outfile="${dest}/authorized_keys.${appendix}"
|
||||
cat ${temp_outfile} |envsubst > ${outfile}
|
||||
|
||||
# Oben
|
||||
if [ "$(hostname)" = "foodoor" ]; then
|
||||
install -d -o ${appendix} -g nogroup -m 0700 /var/lib/foodoor/${appendix}/.ssh
|
||||
install -b -S .last -o ${appendix} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${appendix}/.ssh/authorized_keys
|
||||
fi
|
||||
|
||||
# Unten
|
||||
if [ "$(hostname)" = "kellertuer" ]; then
|
||||
if [ "${action}" = "open" ]; then
|
||||
owner="unlock"
|
||||
elif [ "${action}" = "close" ]; then
|
||||
owner="lock"
|
||||
fi
|
||||
install -d -o ${owner} -g nogroup -m 0700 /var/lib/foodoor/${action}/.ssh
|
||||
install -b -S .last -o ${owner} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${action}/.ssh/authorized_keys
|
||||
if [ "${appendix}" = "door" ]; then
|
||||
install -d -o ${appendix} -g nogroup -m 0700 /var/lib/foodoor/${appendix}/.ssh
|
||||
install -b -S .last -o ${appendix} -g nogroup -m 0600 ${outfile} /var/lib/foodoor/${appendix}/.ssh/authorized_keys
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
@ -1,5 +1,4 @@
|
||||
[door_firstlevel_old]
|
||||
[doorstatus]
|
||||
status_url =
|
||||
|
||||
[door_firstlevel]
|
||||
status_url =
|
||||
key =
|
||||
secret =
|
||||
|
||||
0
foodoord_initd
Normal file → Executable file
0
foodoord_initd
Normal file → Executable file
97
foodoord_unten
Executable file
97
foodoord_unten
Executable file
@ -0,0 +1,97 @@
|
||||
#! /usr/bin/python
|
||||
|
||||
import os
|
||||
import stat
|
||||
import time
|
||||
import urllib2
|
||||
import signal
|
||||
import sys
|
||||
import RPi.GPIO as gpio
|
||||
import grp
|
||||
from ConfigParser import SafeConfigParser
|
||||
|
||||
#Read config
|
||||
parser = SafeConfigParser()
|
||||
parser.read('/etc/foodoord.conf')
|
||||
|
||||
doorapi = parser.get('doorstatus', 'status_url')
|
||||
consumerkey = parser.get('doorstatus', 'key')
|
||||
consumersecret = parser.get('doorstatus', 'secret')
|
||||
|
||||
#Definitions for output
|
||||
LED_RED=6
|
||||
LED_GREEN=7
|
||||
RELAYS_LOCK=0
|
||||
RELAYS_UNLOCK=1
|
||||
PIN_OPEN=24
|
||||
PIN_CLOSE=27
|
||||
#Definitions for input
|
||||
DOOR_BELL=0
|
||||
REED_RELAYS=1 #not implementet yet
|
||||
|
||||
#Definitions for LEDcolor
|
||||
RED=1
|
||||
GREEN=2
|
||||
ORANGE=3
|
||||
|
||||
|
||||
|
||||
def write_state(state):
|
||||
try:
|
||||
handle = open("/tmp/door_state", "w")
|
||||
handle.write(state)
|
||||
handle.close()
|
||||
except:
|
||||
pass
|
||||
|
||||
|
||||
def update_api(locked):
|
||||
try:
|
||||
os.system("/usr/bin/curl -XPOST --header 'Content-Type: application/json' --data '{ \"consumer_key\": \"" + consumerkey + "\", \"consumer_secret\": \"" + consumersecret + "\", \"cellar\": " + str(locked).lower() + " }' '" + doorapi + "' ")
|
||||
except:
|
||||
pass
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
#Startsettings
|
||||
STATUS=False
|
||||
gpio.setmode(gpio.BCM)
|
||||
gpio.setup(PIN_OPEN, gpio.OUT)
|
||||
gpio.setup(PIN_CLOSE, gpio.OUT)
|
||||
#Setting up FiFo to get sshd-output
|
||||
try:
|
||||
os.mkfifo("/var/run/foodoord.pipe")
|
||||
os.chown("/var/run/foodoord.pipe", -1, grp.getgrnam('foodoor')[2])
|
||||
os.chmod("/var/run/foodoord.pipe", stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IWGRP)
|
||||
except OSError:
|
||||
pass
|
||||
|
||||
with open("/var/run/foodoord.pipe", "r") as ssh_input:
|
||||
while 1:
|
||||
#Read sshd-output from pipe
|
||||
Pipe = ssh_input.readline()[:-1]
|
||||
|
||||
if (Pipe == "close"):
|
||||
gpio.output(PIN_CLOSE,1)
|
||||
time.sleep(1)
|
||||
gpio.output(PIN_CLOSE,0)
|
||||
|
||||
write_state("closed")
|
||||
update_api(True)
|
||||
|
||||
|
||||
elif (Pipe == "open"):
|
||||
|
||||
#Locking
|
||||
gpio.output(PIN_OPEN,1)
|
||||
time.sleep(1)
|
||||
gpio.output(PIN_OPEN,0)
|
||||
|
||||
#Save State
|
||||
write_state("open")
|
||||
|
||||
#Status Update
|
||||
update_api(False)
|
||||
|
||||
time.sleep(0.2)
|
||||
|
||||
Reference in New Issue
Block a user