From f6c6fd27a4634464f7ace0c135699cce02c43817 Mon Sep 17 00:00:00 2001 From: Tzafrir Cohen Date: Mon, 5 Jan 2009 19:42:10 +0000 Subject: GPG signature of tarball; path changes * The tarball sent by the support user is now signed: an extra sig.asc gpg ascii-armoured signature of the contents of all the other file (alphabetical order). * Client verifies that before touching the data further. * Hence packages depend on gnupg. * Error code from gpg errors: 7. * Scripts used by the server are now in /usr/share/rapid-tunneling/bin . * Server support user sources /usr/share/rapid-tunneling/support_env . * Fixed purging for Debian -server package. * rtadm's config file is /etc/rapid-tunneling/rtadm . git-svn-id: svn+ssh://xorcom/home/svn/debs/components/rapid-tunneling@6550 283159da-0705-0410-b60c-f2062b4bb6ad --- Makefile | 24 +++++++++++-------- debian/control | 5 ++-- debian/dirs | 2 -- debian/postinst | 43 --------------------------------- debian/rapid-tunneling-server.install | 7 +++--- debian/rapid-tunneling-server.postinst | 15 ++++++++---- debian/rapid-tunneling-server.postrm | 18 ++++++++++++++ debian/rapid-tunneling-server.prerm | 44 ---------------------------------- debian/rapid-tunneling.install | 1 - debian/rapid-tunneling.postinst | 43 +++++++++++++++++++++++++++++++++ rapid-tunneling | 9 +++++++ rapid-tunneling.spec | 15 ++++++------ rtadm | 38 +++++++++++++++++++++++++---- rtadm.config | 4 ++++ support_env | 7 ++++++ 15 files changed, 153 insertions(+), 122 deletions(-) delete mode 100644 debian/dirs delete mode 100644 debian/postinst create mode 100755 debian/rapid-tunneling-server.postrm delete mode 100644 debian/rapid-tunneling-server.prerm create mode 100644 debian/rapid-tunneling.postinst create mode 100644 support_env diff --git a/Makefile b/Makefile index 7e65f18..988aa0b 100644 --- a/Makefile +++ b/Makefile @@ -2,9 +2,11 @@ PACKAGE = rapid-tunneling SPEC = rapid-tunneling.spec SCRIPTS = rapid-tunneling rapid-tunneling-status rtadm rt-from-remote -CONFIGS = rtadm.config sshd_support_config +CONFIGS = rtadm.config sshd_support_config support_env INIT_D = sshd_support SOURCES = Makefile $(SPEC) $(SCRIPTS) $(CONFIGS) $(INIT_D) +SBINDIR = /usr/sbin +BINDIR = /usr/share/rapid-tunneling/bin VER = $(shell awk '/^Version: / {print $$2}' $(SPEC)| head -n 1) RPM_REL = $(shell awk '/^Release: / {print $$2}' $(SPEC)| head -n 1) @@ -37,16 +39,18 @@ ifneq ($(VER),$(DEB_VER)) endif install: - install -m 755 -d $(DESTDIR)/usr/sbin - install -m 755 rapid-tunneling $(DESTDIR)/usr/sbin - install -m 755 rapid-tunneling-status $(DESTDIR)/usr/sbin - install -m 755 -d $(DESTDIR)/var/lib/rapid-tunneling - install -m 755 rtadm $(DESTDIR)/usr/sbin - install -m 755 rt-from-remote $(DESTDIR)/usr/sbin - install -m 755 -d $(DESTDIR)/etc/default - install -m 644 rtadm.config $(DESTDIR)/etc/default/rtadm + install -m 755 -d $(DESTDIR)$(SBINDIR) + install -m 755 rapid-tunneling $(DESTDIR)$(SBINDIR) + install -m 755 rapid-tunneling-status $(DESTDIR)$(SBINDIR) + install -m 755 -d $(DESTDIR)/usr/share/rapid-tunneling + install -m 644 support_env $(DESTDIR)/usr/share/rapid-tunneling/ + install -m 755 -d $(DESTDIR)$(BINDIR) + install -m 755 rtadm $(DESTDIR)$(BINDIR) + install -m 755 rt-from-remote $(DESTDIR)$(BINDIR) + install -m 755 -d $(DESTDIR)/etc/rapid-tunneling + install -m 644 rtadm.config $(DESTDIR)/etc/rapid-tunneling/rtadm install -m 755 -d $(DESTDIR)/etc/ssh - install -m 644 sshd_support_config $(DESTDIR)/etc/ssh + install -m 644 sshd_support_config $(DESTDIR)/etc/ssh/ .PHONY: clean dummy dummy: diff --git a/debian/control b/debian/control index f9a165e..5ebd1b2 100644 --- a/debian/control +++ b/debian/control @@ -2,13 +2,14 @@ Source: rapid-tunneling Section: net Priority: extra Maintainer: Alex Landau +Uploaders: Tzafrir Cohen Build-Depends: cdbs, debhelper (>= 7) Standards-Version: 3.8.0 Homepage: http://www.xorcom.com/ Package: rapid-tunneling Architecture: all -Depends: ${shlibs:Depends}, ${misc:Depends} openssh-client +Depends: ${misc:Depends}, openssh-client, gnupg Description: RapidTunneling (tm) client RapidTunneling (tm) allows remote access to machines behind firewalls and NAT routers via SSH port forwarding. @@ -17,7 +18,7 @@ Description: RapidTunneling (tm) client Package: rapid-tunneling-server Architecture: all -Depends: ${shlibs:Depends}, ${misc:Depends} openssh-server +Depends: ${misc:Depends}, openssh-server, gnupg, adduser Description: RapidTunneling (tm) server RapidTunneling (tm) allows remote access to machines behind firewalls and NAT routers via SSH port forwarding. diff --git a/debian/dirs b/debian/dirs deleted file mode 100644 index ca882bb..0000000 --- a/debian/dirs +++ /dev/null @@ -1,2 +0,0 @@ -usr/bin -usr/sbin diff --git a/debian/postinst b/debian/postinst deleted file mode 100644 index 5fdc023..0000000 --- a/debian/postinst +++ /dev/null @@ -1,43 +0,0 @@ -#!/bin/sh -# postinst script for rapid-tunneling -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package - - -case "$1" in - configure) - # add a user with uid=gid=0 - useradd -d /var/lib/rapid-tunneling/home -m -u 0 -g 0 -o rapid-tunneling 2>/dev/null || true - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 - - diff --git a/debian/rapid-tunneling-server.install b/debian/rapid-tunneling-server.install index 035481c..e427762 100644 --- a/debian/rapid-tunneling-server.install +++ b/debian/rapid-tunneling-server.install @@ -1,4 +1,5 @@ -etc/default/rtadm +etc/rapid-tunneling/rtadm etc/ssh/sshd_support_config -usr/sbin/rtadm -usr/sbin/rt-from-remote +usr/share/rapid-tunneling/support_env +usr/share/rapid-tunneling/bin/rtadm +usr/share/rapid-tunneling/bin/rt-from-remote diff --git a/debian/rapid-tunneling-server.postinst b/debian/rapid-tunneling-server.postinst index 18e8b5b..1a1c3fb 100644 --- a/debian/rapid-tunneling-server.postinst +++ b/debian/rapid-tunneling-server.postinst @@ -17,13 +17,20 @@ set -e # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package +HOME_DIR=/var/lib/rapid-tunneling/support +NEW_USER=support case "$1" in configure) - useradd -d /var/lib/rapid-tunneling-server -m support 2>/dev/null || : - LINE='export PATH=$PATH:/usr/sbin' - PROFILE=/var/lib/rapid-tunneling-server/.bash_profile - if ! fgrep -q "$LINE" $PROFILE 2>/dev/null; then echo "$LINE" >> $PROFILE; fi + if ! getent passwd $NEW_USER >/dev/null; then + adduser --disabled-password --home $HOME_DIR \ + --gecos "Rapid Tunneling support" $NEW_USER 2>/dev/null || : + fi + LINE='. /usr/share/rapid-tunneling/support_env' + PROFILE=$HOME_DIR/.profile + if ! fgrep -q "$LINE" $PROFILE 2>/dev/null; then + echo "$LINE" >> $PROFILE; + fi ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/debian/rapid-tunneling-server.postrm b/debian/rapid-tunneling-server.postrm new file mode 100755 index 0000000..0cd1583 --- /dev/null +++ b/debian/rapid-tunneling-server.postrm @@ -0,0 +1,18 @@ +#!/bin/sh + +HOME_DIR=/var/lib/rapid-tunneling/support +NEW_USER=support + +set -e + +case "$1" in + purge) + rm -rf $HOME_DIR + # Do we really need to? + userdel $NEW_USER || : + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/rapid-tunneling-server.prerm b/debian/rapid-tunneling-server.prerm deleted file mode 100644 index bd3bd15..0000000 --- a/debian/rapid-tunneling-server.prerm +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/sh -# prerm script for rapid-tunneling -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `remove' -# * `upgrade' -# * `failed-upgrade' -# * `remove' `in-favour' -# * `deconfigure' `in-favour' -# `removing' -# -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package - - -case "$1" in - remove) - userdel support || : - ;; - - upgrade) - ;; - - failed-upgrade) - ;; - - *) - echo "prerm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 - - diff --git a/debian/rapid-tunneling.install b/debian/rapid-tunneling.install index 9afcc19..ca4453e 100644 --- a/debian/rapid-tunneling.install +++ b/debian/rapid-tunneling.install @@ -1,4 +1,3 @@ usr/sbin/rapid-tunneling usr/sbin/rapid-tunneling-status -var/lib/rapid-tunneling diff --git a/debian/rapid-tunneling.postinst b/debian/rapid-tunneling.postinst new file mode 100644 index 0000000..5fdc023 --- /dev/null +++ b/debian/rapid-tunneling.postinst @@ -0,0 +1,43 @@ +#!/bin/sh +# postinst script for rapid-tunneling +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + configure) + # add a user with uid=gid=0 + useradd -d /var/lib/rapid-tunneling/home -m -u 0 -g 0 -o rapid-tunneling 2>/dev/null || true + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + diff --git a/rapid-tunneling b/rapid-tunneling index c563b75..8699ced 100755 --- a/rapid-tunneling +++ b/rapid-tunneling @@ -10,6 +10,15 @@ fi tmpdir=`mktemp -d` mkdir $tmpdir/recv $tmpdir/send tar xzf "$1" -C $tmpdir/recv + +# The signed data is everything except the signature itself: +(cd $tmpdir/recv; grep -- . * | grep -v ^sig.asc:) >$tmpdir/recv_data +if ! gpg --quiet --verify $tmpdir/recv/sig.asc $tmpdir/recv_data; then + echo >&2 "$0: gpg signature verification failed." + echo >&2 "$0: Maybe someone's playing dirty tricks? Aborting." + exit 7 +fi + user=`cat $tmpdir/recv/user` host=`cat $tmpdir/recv/host` port=`cat $tmpdir/recv/port` diff --git a/rapid-tunneling.spec b/rapid-tunneling.spec index ff04056..8009508 100644 --- a/rapid-tunneling.spec +++ b/rapid-tunneling.spec @@ -6,7 +6,7 @@ License: GPLv2 Group: Applications/Internet URL: http://www.xorcom.com/ Source: rapid-tunneling-%{version}.tar.gz -Requires: openssh-clients busybox +Requires: openssh-clients busybox gnupg BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -30,7 +30,6 @@ This package contains the server files needed to run RapidTunneling Server. %install %{__rm} -rf %{buildroot} %{__make} install DESTDIR=%{buildroot} -%{__mv} -f %{buildroot}/etc/default %{buildroot}/etc/sysconfig %{__install} -m 755 -d %{buildroot}/etc/init.d %{__install} -m 755 sshd_support %{buildroot}/etc/init.d @@ -65,16 +64,16 @@ fi %files %defattr(-, root, root, 0755) -/usr/sbin/rapid-tunneling -/usr/sbin/rapid-tunneling-status -/var/lib/rapid-tunneling +%{_sbindir}/rapid-tunneling +%{_sbindir}/rapid-tunneling-status %files server %defattr(-, root, root, 0755) -%config(noreplace) /etc/sysconfig/rtadm +%config(noreplace) /etc/rapid-tunneling/rtadm %config(noreplace) /etc/ssh/sshd_support_config -/usr/sbin/rtadm -/usr/sbin/rt-from-remote +%{_datadir}/rapid-tunneling/support_env +%{_datadir}/rapid-tunneling/bin/rtadm +%{_datadir}/rapid-tunneling/bin/rt-from-remote /etc/init.d/sshd_support %changelog diff --git a/rtadm b/rtadm index dbb0d41..702e1ee 100755 --- a/rtadm +++ b/rtadm @@ -1,13 +1,19 @@ #!/bin/sh USERNAME=support -FROM_REMOTE_COMMAND=/usr/sbin/rt-from-remote +FROM_REMOTE_COMMAND=/usr/share/rapid-tunneling/bin/rt-from-remote -[ -r /etc/default/rtadm ] && . /etc/default/rtadm -[ -r /etc/sysconfig/rtadm ] && . /etc/sysconfig/rtadm +# Until we see how this works out. +# Maybe we need to add a separate "sign" functionality to sign a support +# request tarball elsewhere? +REQUIRE_PGP=yes + +CFG_FILE=/etc/rapid-tunneling/rtadm + +if [ -r $CFG_FILE ]; then . $CFG_FILE; fi if [ -z "$HOSTNAME" -o -z "$PORT" ]; then - echo "ERROR: Hostname or port not set in configuration file." 1>&2 + echo "ERROR: Hostname or port not set in configuration file $CFG_FILE." 1>&2 exit 1 fi @@ -18,6 +24,18 @@ create() TUNNEL_PORT=$1 COMMENT=$2 + if [ "$REQUIRE_PGP" = 'yes' ] && + [ `gpg --list-secret-keys 2>/dev/null | wc -l` = '0' ] + then + echo "Support user has no (secret) gpg key and can't sign the" + echo "support requests. Either create one:" + echo "" + echo " rtadm keygen" + echo "" + echo "or copy over your secret gpg key." + echo "$0: Aborting." + exit 7 + fi if grep -q "ra-[0-9]\+-$COMMENT-[0-9]\+" $HOME/.ssh/authorized_keys 2>/dev/null; then echo "Connection name '$COMMENT' already exists. Aborting." 1>&2 exit 1 @@ -35,7 +53,11 @@ create() echo $PORT > ~/tmp/port echo $USERNAME > ~/tmp/user echo $TUNNEL_PORT > ~/tmp/tunnelport - tar -czf remote-access-$COMMENT.tar.gz -C ~/tmp host port user tunnelport key --owner root --group root + # Sign all the data sent, except the signature itself: + files_in_tar="host key port tunnelport user" # alphbetical + (cd ~/tmp; grep . $files_in_tar) >~/tmp/all_data + gpg --output ~/tmp/sig.asc --armour --detach-sign ~/tmp/all_data + tar -czf remote-access-$COMMENT.tar.gz -C ~/tmp $files_in_tar sig.asc --owner root --group root mkdir -m 700 -p ~/.ssh umask 022 cat ~/tmp/key.pub >> ~/.ssh/authorized_keys @@ -120,6 +142,8 @@ usage() echo " # disconnect connection" echo " delete " echo " # disconnect, disable and delete any trace of the connection" + echo " genkey" + echo " # Generate an OpenPGP key for signing tarballs (interactive)" exit 1 } @@ -160,6 +184,10 @@ case "$1" in delete "$1" disconnect "$1" ;; + keygen) + shift + gpg "$@" --gen-key + ;; *) usage ;; diff --git a/rtadm.config b/rtadm.config index e7734fb..16952bc 100644 --- a/rtadm.config +++ b/rtadm.config @@ -8,3 +8,7 @@ HOSTNAME= # Port number on which the local SSH server listens. # If you change it below, change it also in /etc/ssh/sshd_support_config PORT=2222 + +# Don't require that tarballs are signed at generation time. They'll +# get somehow magically signed along the way. +#REQUIRE_PGP=no diff --git a/support_env b/support_env new file mode 100644 index 0000000..e59fcbf --- /dev/null +++ b/support_env @@ -0,0 +1,7 @@ +# Rapid-Tunneling support (server) user environment setting. +# Intended to be sourced (.) to the support user's login script +# (.profile or .bash_profile) +PATH=/usr/share/rapid-tunneling/bin:$PATH +export PATH + +# TODO: programmable bash completion -- cgit v1.2.3