99 lines
3 KiB
Bash
99 lines
3 KiB
Bash
|
#!/usr/bin/env bash
|
||
|
|
# =============================================================================
|
||
|
|
# lib/authorized_keys.sh — Rebuild authorized_keys from registry
|
||
|
|
#
|
||
|
|
# Rebuilds disinto-tunnel's authorized_keys file from the registry.
|
||
|
|
# Each entry has:
|
||
|
|
# - restrict flag (no shell, no X11 forwarding, etc.)
|
||
|
|
# - permitlisten for allowed reverse tunnel ports
|
||
|
|
# - command="/bin/false" to prevent arbitrary command execution
|
||
|
|
#
|
||
|
|
# Functions:
|
||
|
|
# rebuild_authorized_keys → rebuilds /home/disinto-tunnel/.ssh/authorized_keys
|
||
|
|
# get_tunnel_authorized_keys → prints the generated authorized_keys content
|
||
|
|
# =============================================================================
|
||
|
|
set -euo pipefail
|
||
|
|
|
||
|
|
# Source ports library
|
||
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||
|
|
source "${SCRIPT_DIR}/ports.sh"
|
||
|
|
|
||
|
|
# Tunnel user home directory
|
||
|
|
TUNNEL_USER="disinto-tunnel"
|
||
|
|
TUNNEL_SSH_DIR="/home/${TUNNEL_USER}/.ssh"
|
||
|
|
TUNNEL_AUTH_KEYS="${TUNNEL_SSH_DIR}/authorized_keys"
|
||
|
|
|
||
|
|
# Ensure tunnel user exists
|
||
|
|
_ensure_tunnel_user() {
|
||
|
|
if ! id "$TUNNEL_USER" &>/dev/null; then
|
||
|
|
useradd -r -s /usr/sbin/nologin -M "$TUNNEL_USER" 2>/dev/null || true
|
||
|
|
mkdir -p "$TUNNEL_SSH_DIR"
|
||
|
|
chmod 700 "$TUNNEL_SSH_DIR"
|
||
|
|
fi
|
||
|
|
}
|
||
|
|
|
||
|
|
# Generate the authorized_keys content from registry
|
||
|
|
# Output: one authorized_keys line per registered project
|
||
|
|
generate_authorized_keys_content() {
|
||
|
|
local content=""
|
||
|
|
local first=true
|
||
|
|
|
||
|
|
# Get all projects from registry
|
||
|
|
while IFS= read -r line; do
|
||
|
|
[ -z "$line" ] && continue
|
||
|
|
|
||
|
|
local project port pubkey
|
||
|
|
project=$(echo "$line" | jq -r '.name') # shellcheck disable=SC2034
|
||
|
|
port=$(echo "$line" | jq -r '.port')
|
||
|
|
pubkey=$(echo "$line" | jq -r '.pubkey')
|
||
|
|
|
||
|
|
# Skip if missing required fields
|
||
|
|
[ -z "$port" ] || [ -z "$pubkey" ] && continue
|
||
|
|
|
||
|
|
# Build the authorized_keys line
|
||
|
|
# Format: restrict,port-forwarding,permitlisten="127.0.0.1:<port>",command="/bin/false" <key-type> <key>
|
||
|
|
local auth_line="restrict,port-forwarding,permitlisten=\"127.0.0.1:${port}\",command=\"/bin/false\" ${pubkey}"
|
||
|
|
|
||
|
|
if [ "$first" = true ]; then
|
||
|
|
content="$auth_line"
|
||
|
|
first=false
|
||
|
|
else
|
||
|
|
content="${content}
|
||
|
|
${auth_line}"
|
||
|
|
fi
|
||
|
|
done < <(list_ports)
|
||
|
|
|
||
|
|
if [ -z "$content" ]; then
|
||
|
|
# No projects registered, create empty file
|
||
|
|
echo "# No tunnels registered"
|
||
|
|
else
|
||
|
|
echo "$content"
|
||
|
|
fi
|
||
|
|
}
|
||
|
|
|
||
|
|
# Rebuild authorized_keys file
|
||
|
|
# Usage: rebuild_authorized_keys
|
||
|
|
rebuild_authorized_keys() {
|
||
|
|
_ensure_tunnel_user
|
||
|
|
|
||
|
|
local content
|
||
|
|
content=$(generate_authorized_keys_content)
|
||
|
|
|
||
|
|
# Write to file
|
||
|
|
echo "$content" > "$TUNNEL_AUTH_KEYS"
|
||
|
|
chmod 600 "$TUNNEL_AUTH_KEYS"
|
||
|
|
chown -R "$TUNNEL_USER":"$TUNNEL_USER" "$TUNNEL_SSH_DIR"
|
||
|
|
|
||
|
|
echo "Rebuilt authorized_keys for ${TUNNEL_USER} (entries: $(echo "$content" | grep -c 'ssh-' || echo 0))"
|
||
|
|
}
|
||
|
|
|
||
|
|
# Get the current authorized_keys content (for verification)
|
||
|
|
# Usage: get_tunnel_authorized_keys
|
||
|
|
get_tunnel_authorized_keys() {
|
||
|
|
if [ -f "$TUNNEL_AUTH_KEYS" ]; then
|
||
|
|
cat "$TUNNEL_AUTH_KEYS"
|
||
|
|
else
|
||
|
|
generate_authorized_keys_content
|
||
|
|
fi
|
||
|
|
}
|