From 626edff649102539c65156f7191595957e711aec Mon Sep 17 00:00:00 2001 From: Alex Landau Date: Sun, 14 Dec 2008 14:47:43 +0000 Subject: rapid-tunneling: - Created server part RPM. git-svn-id: svn+ssh://xorcom/home/svn/debs/components/rapid-tunneling@6470 283159da-0705-0410-b60c-f2062b4bb6ad --- Makefile | 19 +++++- from-remote | 37 ----------- rapid-tunneling.spec | 76 ++++++++++----------- rt-from-remote | 37 +++++++++++ rtadm | 44 +++++++------ rtadm.config | 10 +++ sshd_support | 182 +++++++++++++++++++++++++++++++++++++++++++++++++++ sshd_support_config | 79 ++++++++++++++++++++++ 8 files changed, 385 insertions(+), 99 deletions(-) delete mode 100755 from-remote create mode 100755 rt-from-remote create mode 100644 rtadm.config create mode 100755 sshd_support create mode 100644 sshd_support_config diff --git a/Makefile b/Makefile index 33c98a9..9b41431 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,10 @@ PACKAGE = rapid-tunneling SPEC = rapid-tunneling.spec -SOURCES = rapid-tunneling rapid-tunneling-status +SCRIPTS = rapid-tunneling rapid-tunneling-status rtadm rt-from-remote +CONFIGS = rtadm.config sshd_support_config +INIT_D = sshd_support +SOURCES = Makefile $(SPEC) $(SCRIPTS) $(CONFIGS) $(INIT_D) VER = $(shell awk '/^Version: / {print $$2}' $(SPEC)| head -n 1) REL = $(shell awk '/^Release: / {print $$2}' $(SPEC)| head -n 1) 
@@ -13,5 +16,17 @@ rpm: $(SPEC) SOURCES/$(PACKAGE)-$(VER).tar.gz
 [ -e SPECS ] || ln -s . SPECS
 cd SPECS; rpmbuild --target noarch --define "_topdir $(PWD)" -ba $(SPEC)
-SOURCES/$(PACKAGE)-%.tar.gz: $(SOURCES)
+SOURCES/$(PACKAGE)-$(VER).tar.gz: $(SOURCES)
 tar czf $@ --transform 's|^|$(PACKAGE)-$(VER)/|' $^
+
+install:
+ install -m 755 -d $(DESTDIR)/usr/sbin
+ install -m 755 rapid-tunneling $(DESTDIR)/usr/sbin
+ install -m 755 rapid-tunneling-status $(DESTDIR)/usr/sbin
+ install -m 755 -d $(DESTDIR)/var/lib/rapid-tunneling
+ install -m 755 rtadm $(DESTDIR)/usr/sbin
+ install -m 755 rt-from-remote $(DESTDIR)/usr/sbin
+ install -m 755 -d $(DESTDIR)/etc/default
+ install -m 644 rtadm.config $(DESTDIR)/etc/default/rtadm
+ install -m 755 -d $(DESTDIR)/etc/ssh
+ install -m 644 sshd_support_config $(DESTDIR)/etc/ssh
diff --git a/from-remote b/from-remote
deleted file mode 100755
index 178b4c1..0000000
--- a/from-remote
+++ /dev/null
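Review bot: The new `install` goal is a command rather than a file, but nothing declares it `.PHONY`, so a stray file or directory named `install` in the checkout would make `make install` print "Nothing to be done" and silently skip every copy; add `.PHONY: install` next to the rule (the pre-existing `rpm` goal has the same gap). The rule also installs `rtadm.config` as `/etc/default/rtadm` while the spec in this same commit immediately renames that directory to `/etc/sysconfig`; a comment on the rule, e.g. `# rapid-tunneling.spec moves etc/default to etc/sysconfig for RPM hosts`, keeps the two in step when someone adds the next config file.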
@@ -1,37 +0,0 @@ -#!/bin/bash - -# from-remote: this script is executed by the remote ssh client as -# instructed in .ssh/authorized_keys. - -# /bin/bash: because of the usage of the non-posix 'exec -a' - -exec 2>>err - -log() -{ - echo `date` "$@" >> log -} - -bad() -{ - mv $file bad/ra-$$.tar.gz - log "Bad connection attempt. SSH_CONNECTION='$SSH_CONNECTION', file=bad/ra-$$.tar.gz" - exit 1 -} - -mkdir -p ra ra/old bad -file=ra/ra-$$.tar.gz -dd of=$file bs=100k count=1 2>/dev/null -tar tzf $file >/dev/null 2>&1 || bad -pubkey=`tar xzf $file -O origkey | ssh-keygen -y -f /proc/self/fd/0 | awk '$1 == "ssh-rsa" {print $2}'` -[ -z "$pubkey" ] && bad -comment=`grep "$pubkey" .ssh/authorized_keys | awk '{print $NF}'` -[ -z "$comment" ] && bad -mv -f ra/$comment-* ra/old 2>/dev/null -mv $file ra/$comment-$$.tar.gz -file=ra/$comment-$$.tar.gz -keyfile=`echo $file | sed 's/.tar.gz$/-key/'` -tar xzf $file -O key > $keyfile || bad -chmod 600 $keyfile -log "Connection from $comment. SSH_CONNECTION='$SSH_CONNECTION', file=$file" -exec -a sleep-$comment sleep 1d diff --git a/rapid-tunneling.spec b/rapid-tunneling.spec index 5afe062..fc54a40 100644 --- a/rapid-tunneling.spec +++ b/rapid-tunneling.spec 
@@ -6,57 +6,33 @@ License: GPLv2 Group: Applications/Internet URL: http://www.xorcom.com/ Source: rapid-tunneling-%{version}.tar.gz -#Patch0: libname.diff -#Patch1: bristuff.diff Requires: openssh-clients busybox -# Patch: libpri-1.2.3-cflags.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root %description RapidTunneling (tm) allows remote access to machines behind firewalls and NAT routers via SSH port forwarding. -#%package devel -#Summary: Header files and development libraries for libpri -#Group: Development/Libraries -#Requires: %{name} = %{version} +%package server +Summary: Server part of RapidTunneling +Group: Applications/Internet +Requires: openssh-server -#%description devel -#This package contains the header files needed to compile applications that -#will use libpri. +%description server +This package contains the server files needed to run RapidTunneling Server. %prep %setup -q -# %patch -p1 -b .cflags -#%{__perl} -pi -e 's|(\$\(INSTALL_BASE\)/)lib|$1%{_lib}|g' Makefile -#%patch0 -p1 - -# this does basically: cp -a . bristuff -#mkdir %{bristuff_dir} -#tar cf - . 
--exclude ./%{bristuff_dir} | tar xf - -C %{bristuff_dir} -#cd %{bristuff_dir} -#%patch1 -p1 %build -#export CFLAGS="%{optflags}" -#%{__make} %{?_smp_mflags} - -#cd %{bristuff_dir} -#%{__make} %{?_smp_mflags} LIB_SUF=bristuffed %install %{__rm} -rf %{buildroot} -%{__install} -m 755 -d %{buildroot}%{_sbindir} -%{__install} -m 755 rapid-tunneling %{buildroot}%{_sbindir} -%{__install} -m 755 rapid-tunneling-status %{buildroot}%{_sbindir} -%{__install} -m 755 -d %{buildroot}/var/lib/rapid-tunneling - -#%{__rm} -rf %{buildroot} -#%{__make} install INSTALL_PREFIX=%{buildroot} - -#cd %{bristuff_dir} -#%{__make} install INSTALL_PREFIX=%{buildroot} LIB_SUF=bristuffed +%{__make} install DESTDIR=%{buildroot} +%{__mv} -f %{buildroot}/etc/default %{buildroot}/etc/sysconfig +%{__install} -m 755 -d %{buildroot}/etc/init.d +%{__install} -m 755 sshd_support %{buildroot}/etc/init.d %clean %{__rm} -rf %{buildroot} 
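Review bot: `Requires: openssh-server` is not sufficient for the server subpackage: `rtadm` added in this commit shells out to `perl`, `ssh-keygen` and `ssh` (through the generated `~/.ssh/config`), and `rt-from-remote` needs `bash` and `tar`, none of which openssh-server alone is guaranteed to pull in; `Requires: openssh-server openssh-clients perl tar` is the minimum, adjusted for what the target distribution bundles. The init script is also installed to a literal `/etc/init.d` while `%post` relies on `/sbin/chkconfig`; using `%{_initrddir}` in both `%install` and `%files server` keeps it on whatever path the build host's macros define.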
@@ -67,19 +43,37 @@ useradd -d /var/lib/rapid-tunneling/home -m -u 0 -g 0 -o rapid-tunneling 2>/dev/ %preun if [ "$1" = 0 ]; then - userdel -r rapid-tunneling || true + userdel -r rapid-tunneling || : fi +%post server +useradd -d /var/lib/rapid-tunneling-server -m support 2>/dev/null || : +/sbin/chkconfig --add sshd_support + +%preun server +if [ "$1" = 0 ]; then + /sbin/service sshd_support stop > /dev/null 2>&1 || : + /sbin/chkconfig --del sshd_support + userdel support || : +fi + +%postun server +/sbin/service sshd_support condrestart > /dev/null 2>&1 || : + %files %defattr(-, root, root, 0755) -#%doc ChangeLog LICENSE README TODO -%{_sbindir}/* +/usr/sbin/rapid-tunneling +/usr/sbin/rapid-tunneling-status /var/lib/rapid-tunneling -#%files devel -#%defattr(-, root, root, 0755) -#%{_sbindir}/* +%files server +%defattr(-, root, root, 0755) +%config(noreplace) /etc/sysconfig/rtadm +%config(noreplace) /etc/ssh/sshd_support_config +/usr/sbin/rtadm +/usr/sbin/rt-from-remote +/etc/init.d/sshd_support %changelog -* Sun Dec 8 2008 Alex Landau 1.0-1 +* Sun Dec 14 2008 Alex Landau 1.0-1 - Initial RPM release. diff --git a/rt-from-remote b/rt-from-remote new file mode 100755 index 0000000..89d6623 --- /dev/null +++ b/rt-from-remote 
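Review bot: `userdel support || :` in `%preun server` removes only the account, so `/var/lib/rapid-tunneling-server` — holding `~/.ssh/authorized_keys` and, under `ra/`, every private key that clients have uploaded via rt-from-remote — stays on disk owned by a now-free UID that the next `useradd` on the host may reuse; use `userdel -r support || :`, matching what the main package's `%preun` already does for `rapid-tunneling`, or state in a comment why the key material is deliberately kept. `%post server` also leaves the `support` login shell to the useradd default; sshd needs a real shell to run the `command=` forced command, so pinning it with `-s /bin/sh` documents that requirement instead of depending on `/etc/default/useradd`.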
@@ -0,0 +1,37 @@ +#!/bin/bash + +# from-remote: this script is executed by the remote ssh client as +# instructed in .ssh/authorized_keys. + +# /bin/bash: because of the usage of the non-posix 'exec -a' + +exec 2>>err + +log() +{ + echo `date` "$@" >> log +} + +bad() +{ + mv $file bad/ra-$$.tar.gz + log "Bad connection attempt. SSH_CONNECTION='$SSH_CONNECTION', file=bad/ra-$$.tar.gz" + exit 1 +} + +mkdir -p ra ra/old bad +file=ra/ra-$$.tar.gz +dd of=$file bs=100k count=1 2>/dev/null +tar tzf $file >/dev/null 2>&1 || bad +pubkey=`tar xzf $file -O origkey | ssh-keygen -y -f /proc/self/fd/0 | awk '$1 == "ssh-rsa" {print $2}'` +[ -z "$pubkey" ] && bad +comment=`grep "$pubkey" .ssh/authorized_keys | awk '{print $NF}'` +[ -z "$comment" ] && bad +mv -f ra/$comment-* ra/old 2>/dev/null +mv $file ra/$comment-$$.tar.gz +file=ra/$comment-$$.tar.gz +keyfile=ra/$comment-key +tar xzf $file -O key > $keyfile || bad +chmod 600 $keyfile +log "Connection from $comment. SSH_CONNECTION='$SSH_CONNECTION', file=$file" +exec -a sleep-$comment sleep 1d diff --git a/rtadm b/rtadm index c51df44..e1e8746 100755 --- a/rtadm +++ b/rtadm 
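Review bot: The key this session authenticated with is never tied to the `origkey` the client uploads: the tunnel port that rtadm bakes into the `command=` option arrives here as `$1` but is ignored, and `grep "$pubkey" .ssh/authorized_keys` also matches entries still prefixed `#DISABLED#`, so the upload is filed under whichever comment's key it happens to carry. Use `grep -F` (the base64 key is a literal, not a regex), skip disabled entries, and require the comment's port field (`ra-PORT-COMMENT-date`, as rtadm writes it) to equal `$1`. Separately, `mv -f ra/$comment-* ra/old` runs before `tar xzf $file -O key` has succeeded, so a tarball that passes `tar tzf` but lacks a `key` member moves the previous key aside and leaves an empty `ra/$comment-key` behind; extract the new key first and only then rotate the old files. The rewritten middle of the script follows; the script is flat and the hunk covers all of it.
```shell
# … unchanged: exec 2>>err, log(), bad(), mkdir/dd/tar tzf checks …
pubkey=`tar xzf $file -O origkey | ssh-keygen -y -f /proc/self/fd/0 | awk '$1 == "ssh-rsa" {print $2}'`
[ -z "$pubkey" ] && bad
# Literal match, enabled entries only; the comment is ra-PORT-COMMENT-date as written by rtadm.
comment=`grep -F -- "$pubkey" .ssh/authorized_keys | grep -v '^#DISABLED#' | awk '{print $NF}'`
[ -z "$comment" ] && bad
# $1 is the TUNNEL_PORT from the command= option of the key that authenticated this session;
# it must agree with the port in the comment, or the uploaded origkey is not this client's key.
[ "`echo "$comment" | cut -d- -f2`" = "$1" ] || bad
# Validate the uploaded key before touching the previous tarball/key for this client.
newkey=ra/ra-$$-key
tar xzf $file -O key > $newkey || { rm -f $newkey; bad; }
chmod 600 $newkey
mv -f ra/$comment-* ra/old 2>/dev/null
mv $newkey ra/$comment-key
mv $file ra/$comment-$$.tar.gz
file=ra/$comment-$$.tar.gz
# … unchanged: log "Connection from $comment ..." and exec -a sleep …
```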
@@ -1,35 +1,42 @@ #!/bin/sh -FROM_REMOTE_COMMAND=/usr/local/bin/from-remote -HOSTNAME=tunnel.vserver -PORT=2222 USERNAME=support +FROM_REMOTE_COMMAND=/usr/sbin/rt-from-remote + +[ -r /etc/default/rtadm ] && . /etc/default/rtadm +[ -r /etc/sysconfig/rtadm ] && . /etc/sysconfig/rtadm + +if [ -z "$HOSTNAME" -o -z "$PORT" ]; then + echo "ERROR: Hostname or port not set in configuration file." 1>&2 + exit 1 +fi create() { set -e - KEY=tmp/key TUNNEL_PORT=$1 COMMENT=$2 - rm -rf tmp - mkdir tmp + rm -rf ~/tmp + mkdir ~/tmp key_comment=ra-$TUNNEL_PORT-$COMMENT-`date '+%Y%m%d%H%M%S'` - ssh-keygen -q -t rsa -f tmp/key -N "" -C $key_comment - sed -i 's|^|#DISABLED#no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="127.0.0.1:65534",command="'"$FROM_REMOTE_COMMAND $TUNNEL_PORT"' |' tmp/key.pub - echo $HOSTNAME > tmp/host - echo $PORT > tmp/port - echo $USERNAME > tmp/user - echo $TUNNEL_PORT > tmp/tunnelport - tar -czf remote-access.tar.gz -C tmp host port user tunnelport key --owner root --group root - cat tmp/key.pub >> ~/.ssh/authorized_keys + ssh-keygen -q -t rsa -f ~/tmp/key -N "" -C $key_comment + sed -i 's|^|#DISABLED#no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="127.0.0.1:65534",command="'"$FROM_REMOTE_COMMAND $TUNNEL_PORT"'" |' ~/tmp/key.pub + echo $HOSTNAME > ~/tmp/host + echo $PORT > ~/tmp/port + echo $USERNAME > ~/tmp/user + echo $TUNNEL_PORT > ~/tmp/tunnelport + tar -czf remote-access.tar.gz -C ~/tmp host port user tunnelport key --owner root --group root + mkdir -m 700 -p ~/.ssh + umask 022 + cat ~/tmp/key.pub >> ~/.ssh/authorized_keys perl -e '$host="'ra-$COMMENT'"; $/=undef; $_=<>; s/^Host\s+(${host}$).*?((?=^Host)|\s*\Z)//gsm; print' ~/.ssh/config > ~/.ssh/config.new 2>/dev/null cat >> ~/.ssh/config.new <" echo " # disconnect connection" - echo " delete [-d] " - echo " # delete any trace of the connection, if -d specified, disconnect too" + echo " delete " + echo " # disconnect and delete any trace of the connection" exit 1 } 
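Review bot: `remote-access.tar.gz` contains the unencrypted private key (`key`, generated with `-N ""`) but is created with whatever umask rtadm inherited; the `umask 022` a few lines later runs after the `tar` and only governs `~/.ssh/authorized_keys`, so with a typical 022 default the key material sits world-readable in the current directory until it is shipped. Set `umask 077` at the top of `create()` (covering `~/tmp`, the key pair and the tarball) and keep the existing `umask 022` right before the `cat >> ~/.ssh/authorized_keys`, or at least `chmod 600 remote-access.tar.gz` immediately after the `tar`. A smaller point: where `/bin/sh` is bash (the usual case on the RPM targets of this spec) `HOSTNAME` is pre-set by the shell to the local host name, so the new `[ -z "$HOSTNAME" ... ]` guard catches only a config that sets it empty, not one whose `HOSTNAME=` line was removed; `unset HOSTNAME` before sourcing the config, or use a distinct name such as `RT_HOSTNAME`. The hunk's middle, between the `cat >> ~/.ssh/config.new` here-document and `usage()`, is not visible in this view.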
@@ -141,10 +148,9 @@ case "$1" in
 ;;
 delete)
 shift
- [ "$1" = "-d" ] && do_disconnect=1 && shift
 [ -z "$1" ] && usage
 delete "$1"
- [ "$do_disconnect" = 1 ] && disconnect "$1"
+ disconnect "$1"
 ;;
 *)
 usage
diff --git a/rtadm.config b/rtadm.config
new file mode 100644
index 0000000..e7734fb
--- /dev/null
+++ b/rtadm.config
@@ -0,0 +1,10 @@
+# rtadm (RapidTunneling Administrator) configuration options
+
+# Hostname of the server as seen by the client. This may be
+# a host name or an IP address.
+# Example: HOSTNAME=support.example.com
+HOSTNAME=
+
+# Port number on which the local SSH server listens.
+# If you change it below, change it also in /etc/ssh/sshd_support_config
+PORT=2222
diff --git a/sshd_support b/sshd_support
new file mode 100755
index 0000000..7120eaa
--- /dev/null
+++ b/sshd_support
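Review bot: rtadm.config never says it is executed as shell: rtadm sources it with `. /etc/sysconfig/rtadm` (or `/etc/default/rtadm`), so a value containing spaces must be quoted and any stray command in the file runs as the invoking user. Add to the header: `# This file is sourced by rtadm as a shell script: quote values that contain spaces and put nothing but VAR=value assignments here.` The `PORT` comment could also name the `Port` directive of `sshd_support_config` as the line to keep in step, since that is the only other place the number lives.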
@@ -0,0 +1,182 @@ +#!/bin/bash +# +# Init file for OpenSSH server daemon +# +# chkconfig: 2345 55 25 +# description: OpenSSH server daemon +# +# processname: sshd +# config: /etc/ssh/ssh_host_key +# config: /etc/ssh/ssh_host_key.pub +# config: /etc/ssh/ssh_random_seed +# config: /etc/ssh/sshd_support_config +# pidfile: /var/run/sshd_support.pid + +# source function library +. /etc/rc.d/init.d/functions + +# pull in sysconfig settings +[ -f /etc/sysconfig/sshd_support ] && . /etc/sysconfig/sshd_support + +RETVAL=0 +prog="sshd_support" + +# Some functions to make the below more readable +KEYGEN=/usr/bin/ssh-keygen +SSHD=/usr/sbin/sshd +RSA1_KEY=/etc/ssh/ssh_host_key +RSA_KEY=/etc/ssh/ssh_host_rsa_key +DSA_KEY=/etc/ssh/ssh_host_dsa_key +PID_FILE=/var/run/sshd_support.pid +PID_BASENAME=sshd_support +CONFIG_FILE=/etc/ssh/sshd_support_config + +runlevel=$(set -- $(runlevel); eval "echo \$$#" ) + +do_rsa1_keygen() { + if [ ! -s $RSA1_KEY ]; then + echo -n $"Generating SSH1 RSA host key: " + if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then + chmod 600 $RSA1_KEY + chmod 644 $RSA1_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $RSA1_KEY.pub + fi + success $"RSA1 key generation" + echo + else + failure $"RSA1 key generation" + echo + exit 1 + fi + fi +} + +do_rsa_keygen() { + if [ ! -s $RSA_KEY ]; then + echo -n $"Generating SSH2 RSA host key: " + if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then + chmod 600 $RSA_KEY + chmod 644 $RSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $RSA_KEY.pub + fi + success $"RSA key generation" + echo + else + failure $"RSA key generation" + echo + exit 1 + fi + fi +} + +do_dsa_keygen() { + if [ ! 
-s $DSA_KEY ]; then + echo -n $"Generating SSH2 DSA host key: " + if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then + chmod 600 $DSA_KEY + chmod 644 $DSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $DSA_KEY.pub + fi + success $"DSA key generation" + echo + else + failure $"DSA key generation" + echo + exit 1 + fi + fi +} + +do_restart_sanity_check() +{ + $SSHD -f $CONFIG_FILE -t + RETVAL=$? + if [ ! "$RETVAL" = 0 ]; then + failure $"Configuration file or keys are invalid" + echo + fi +} + +start() +{ + # Create keys if necessary + do_rsa1_keygen + do_rsa_keygen + do_dsa_keygen + + cp -af /etc/localtime /var/empty/sshd/etc + + echo -n $"Starting $prog: " + $SSHD -f $CONFIG_FILE -o "PidFile $PID_FILE" $OPTIONS && success || failure + RETVAL=$? + [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd_support + echo +} + +stop() +{ + echo -n $"Stopping $prog: " + if [ -n "`pidfileofproc $PID_BASENAME`" ] ; then + killproc $PID_BASENAME + else + failure $"Stopping $prog" + fi + RETVAL=$? + # if we are in halt or reboot runlevel kill all running sessions + # so the TCP connections are closed cleanly + if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then + killall $prog 2>/dev/null + fi + [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd_support + echo +} + +reload() +{ + echo -n $"Reloading $prog: " + if [ -n "`pidfileofproc $PID_BASENAME`" ] ; then + killproc $PID_BASENAME -HUP + else + failure $"Reloading $prog" + fi + RETVAL=$? + echo +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + stop + start + ;; + reload) + reload + ;; + condrestart) + if [ -f /var/lock/subsys/sshd_support ] ; then + do_restart_sanity_check + if [ "$RETVAL" = 0 ] ; then + stop + # avoid race + sleep 3 + start + fi + fi + ;; + status) + status $PID_BASENAME + RETVAL=$? + ;; + *) + echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}" + RETVAL=1 +esac +exit $RETVAL 
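Review bot: `do_rsa1_keygen` still creates `/etc/ssh/ssh_host_key`, an SSH protocol-1 host key that `sshd_support_config` (which sets `Protocol 2` and lists only the RSA and DSA keys) can never use, so the call in `start()` and the `config: /etc/ssh/ssh_host_key*` header lines only leave an extra private key on disk; drop `do_rsa1_keygen` from `start()`, or add a comment saying it is kept for the system sshd. In `stop()`, `killall $prog` targets a process named `sshd_support`, but the daemon is started as `$SSHD` and its process name is `sshd`, so the halt/reboot branch appears to be a no-op here (and `killall sshd` would also take down the main sshd's sessions); either remove the branch or iterate over the pids recorded in `$PID_FILE`. Since the script is a copy of the distribution sshd init script, `killproc`/`status` seem to find the daemon only through `/var/run/$PID_BASENAME.pid`, which a one-line comment should make explicit: `# killproc/status locate us via /var/run/$PID_BASENAME.pid, not by process name`.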
diff --git a/sshd_support_config b/sshd_support_config
new file mode 100644
index 0000000..9794b01
--- /dev/null
+++ b/sshd_support_config
@@ -0,0 +1,79 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 2222
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog no
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM yes
+
+AllowUsers support
-- cgit
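Review bot: `Subsystem sftp /usr/lib/openssh/sftp-server` is the Debian location; on the chkconfig/RPM systems this spec targets the binary lives under `/usr/libexec/openssh/`, so the line is either wrong or, because every key rtadm installs carries a `command=` forced command that overrides subsystem requests, unnecessary — drop it, or use the RPM path only if an unrestricted `support` login is ever intended. The clients' reverse tunnels are what rtadm connects back through, and nothing here pins `GatewayPorts`; the OpenSSH default is `no`, but stating `GatewayPorts no` explicitly (plus `ClientAliveInterval 60` and `ClientAliveCountMax 3`, so a dead tunnel's `sleep 1d` session is reaped) makes the intent survive a later edit. `LoginGraceTime 120` on a port reachable from the Internet is also generous for a key-only, automated client; `30` is enough.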
v1.2.3