blob: 702e1eef3786232a0b5435da0c002e5eeac172ac (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
#!/bin/sh
USERNAME=support
FROM_REMOTE_COMMAND=/usr/share/rapid-tunneling/bin/rt-from-remote
# Until we see how this works out.
# Maybe we need to add a separate "sign" functionality to sign a support
# request tarball elsewhere?
REQUIRE_PGP=yes
CFG_FILE=/etc/rapid-tunneling/rtadm
if [ -r $CFG_FILE ]; then . $CFG_FILE; fi
if [ -z "$HOSTNAME" -o -z "$PORT" ]; then
echo "ERROR: Hostname or port not set in configuration file $CFG_FILE." 1>&2
exit 1
fi
create()
{
set -e
TUNNEL_PORT=$1
COMMENT=$2
if [ "$REQUIRE_PGP" = 'yes' ] &&
[ `gpg --list-secret-keys 2>/dev/null | wc -l` = '0' ]
then
echo "Support user has no (secret) gpg key and can't sign the"
echo "support requests. Either create one:"
echo ""
echo " rtadm keygen"
echo ""
echo "or copy over your secret gpg key."
echo "$0: Aborting."
exit 7
fi
if grep -q "ra-[0-9]\+-$COMMENT-[0-9]\+" $HOME/.ssh/authorized_keys 2>/dev/null; then
echo "Connection name '$COMMENT' already exists. Aborting." 1>&2
exit 1
fi
if ! [ $TUNNEL_PORT -ge 1024 -a $TUNNEL_PORT -le 65535 ] 2>/dev/null; then
echo "Tunnel-port should be an integer in the range 1024-65535. Aborting."
exit 1
fi
rm -rf ~/tmp
mkdir ~/tmp
key_comment=ra-$TUNNEL_PORT-$COMMENT-`date '+%Y%m%d%H%M%S'`
ssh-keygen -q -t rsa -f ~/tmp/key -N "" -C $key_comment
sed -i 's|^|#DISABLED#no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="127.0.0.1:65534",command="'"$FROM_REMOTE_COMMAND $TUNNEL_PORT"'" |' ~/tmp/key.pub
echo $HOSTNAME > ~/tmp/host
echo $PORT > ~/tmp/port
echo $USERNAME > ~/tmp/user
echo $TUNNEL_PORT > ~/tmp/tunnelport
# Sign all the data sent, except the signature itself:
files_in_tar="host key port tunnelport user" # alphbetical
(cd ~/tmp; grep . $files_in_tar) >~/tmp/all_data
gpg --output ~/tmp/sig.asc --armour --detach-sign ~/tmp/all_data
tar -czf remote-access-$COMMENT.tar.gz -C ~/tmp $files_in_tar sig.asc --owner root --group root
mkdir -m 700 -p ~/.ssh
umask 022
cat ~/tmp/key.pub >> ~/.ssh/authorized_keys
perl -e '$host="'ra-$COMMENT'"; $/=undef; $_=<>; s/^Host\s+(${host}$).*?((?=^Host)|\s*\Z)//gsm; print' ~/.ssh/config > ~/.ssh/config.new 2>/dev/null
cat >> ~/.ssh/config.new <<EOF
Host ra-$COMMENT
HostName localhost
User rapid-tunneling
Port $TUNNEL_PORT
IdentityFile ~/ra/$key_comment-key
ForwardX11 no
EOF
mv -f ~/.ssh/config.new ~/.ssh/config
set +e
}
enable()
{
comment="$1"
sed -i "s|^#DISABLED#\(.*ra-[0-9]\+-$comment-[0-9]\+\)$|\1|" ~/.ssh/authorized_keys
}
disable()
{
comment="$1"
sed -i "s|.*ra-[0-9]\+-$comment-[0-9]\+\$|#DISABLED#&|" ~/.ssh/authorized_keys
}
delete()
{
comment="$1"
perl -i -e '$host="'ra-$comment'"; $/=undef; $_=<>; s/^Host\s+(${host}$).*?((?=^Host)|\s*\Z)//gsm; print' ~/.ssh/config
sed -i "/ra-[0-9]\+-$comment-[0-9]\+$/d" ~/.ssh/authorized_keys
count=`ls ~/ra/ra-*-$comment-*.tar.gz 2>/dev/null | wc -l`
[ $count -gt 0 ] && mv -f ~/ra/ra-*-$comment-*.tar.gz ~/ra/ra-*-$comment-*-key ~/ra/old 2>/dev/null
}
show()
{
comments=`sed -n 's/.*ra-[0-9]\+-\(.*\)-[0-9]\+$/\1/p' ~/.ssh/authorized_keys`
for i in $comments; do
if grep -q "^#DISABLED#.*ra-[0-9]\+-$i-[0-9]\+\$" ~/.ssh/authorized_keys; then
enabled="disabled"
else
enabled="enabled "
fi
sleep_ppid=`ps axj | awk '/sleep-ra-[0-9]+-'$i'-[0-9]+/ {print $1}' | tail -n 1`
if [ -z "$sleep_ppid" ]; then
connected="disconnected"
else
[ "$sleep_ppid" = "1" ] && connected="disconnected" || connected="connected"
fi
echo -e "$i\\t\\t$enabled\\t$connected"
done
}
disconnect()
{
comment="$1"
pids=`ps axj | awk '/sleep-ra-[0-9]+-'$comment'-[0-9]+/ {print $1 " " $2}'`
for i in $pids; do
[ "$i" = "1" ] && continue
kill $i 2>/dev/null
done
}
usage()
{
exec 1>&2
echo "Usage: $0 <command> [options]"
echo "Commands:"
echo " create [-e] <tunnel-port> <connection-name>"
echo " # create invitation tar.gz, if -e specified, enable it"
echo " show"
echo " # show current connections"
echo " enable <connection-name>"
echo " disable <connection-name>"
echo " # enable/disable future connections"
echo " disconnect <connection-name>"
echo " # disconnect connection"
echo " delete <connection-name>"
echo " # disconnect, disable and delete any trace of the connection"
echo " genkey"
echo " # Generate an OpenPGP key for signing tarballs (interactive)"
exit 1
}
if [ $# = 0 -o "$1" = "-h" -o "$1" = "--help" ]; then
usage
fi
case "$1" in
create)
shift
[ "$1" = "-e" ] && do_enable=1 && shift
[ -z "$1" -o -z "$2" -o -n "$3" ] && usage
create "$1" "$2"
[ "$do_enable" = 1 ] && enable "$2"
;;
show)
shift
show
;;
enable)
shift
[ -z "$1" -o -n "$2" ] && usage
enable "$1"
;;
disable)
shift
[ -z "$1" -o -n "$2" ] && usage
disable "$1"
;;
disconnect)
shift
[ -z "$1" -o -n "$2" ] && usage
disconnect "$1"
;;
delete)
shift
[ -z "$1" -o -n "$2" ] && usage
delete "$1"
disconnect "$1"
;;
keygen)
shift
gpg "$@" --gen-key
;;
*)
usage
;;
esac
|
