From 2826570c12240cee6cd88bad893ce334ba65dd8c Mon Sep 17 00:00:00 2001 From: Adar Nimrod <nimrod@shore.co.il> Date: Sun, 27 Dec 2020 23:05:00 +0200 Subject: [PATCH] Much commit, very changes. --- .gitlab-ci.yml | 4 ++ .pre-commit-config.yaml | 54 ++++++++++++----- .travis.yml | 26 --------- Makefile | 53 +---------------- README.md | 124 ++++++++++++++++++++++++++++++++++++++++ README.rst | 114 ------------------------------------ ssh-ca | 4 +- tests/ssh-ca.bats | 52 +++++++++++++++++ 8 files changed, 225 insertions(+), 206 deletions(-) create mode 100644 .gitlab-ci.yml delete mode 100644 .travis.yml create mode 100644 README.md delete mode 100644 README.rst create mode 100644 tests/ssh-ca.bats diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..ab65b9a --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,4 @@ +--- +include: + - project: shore/ci-templates + file: templates/bats.yml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c35f133..afa7193 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -1,18 +1,42 @@ -- repo: git://github.com/pre-commit/pre-commit-hooks - sha: v0.7.1 +--- +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks.git + rev: v3.4.0 hooks: - - id: check-added-large-files - - id: check-yaml - - id: check-merge-conflict -- repo: https://www.shore.co.il/git/shell-pre-commit/ - sha: v0.3.0 + - id: check-added-large-files + - id: check-executables-have-shebangs + - id: check-merge-conflict + - id: check-symlinks + - id: trailing-whitespace + + - repo: https://github.com/Yelp/detect-secrets + rev: v0.14.3 hooks: - - id: shell-lint - files: ssh-ca -- repo: local + - id: detect-secrets + + - repo: https://github.com/adrienverge/yamllint + rev: v1.25.0 hooks: - - id: test - name: make test - language: system - entry: make clean test - files: ssh-ca|Makefile + - id: yamllint + + - repo: https://github.com/amperser/proselint/ + rev: 0.10.2 + hooks: + - id: proselint + types: [plain-text] + exclude: LICENSE + + - repo: https://github.com/executablebooks/mdformat.git + rev: 0.5.3 + hooks: + - id: mdformat + + - repo: https://git.shore.co.il/nimrod/shell-pre-commit.git + rev: v0.6.0 + hooks: + - id: shell-lint + + - repo: https://github.com/shellcheck-py/shellcheck-py.git + rev: v0.7.1.1 + hooks: + - id: shellcheck diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 833d0ec..0000000 --- a/.travis.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -language: python -python: "2.7" -dist: trusty -sudo: false -group: beta -cache: - - pip - - directories: - - $HOME/.pre-commit - -addons: - apt: - packages: - - openssh-server - - openssh-client - - build-essential - -install: - - pip install pre_commit - -script: - - pre-commit run --all-files - -notifications: - email: false diff --git a/Makefile b/Makefile index 61438df..2cc85ec 100644 --- a/Makefile +++ b/Makefile 
@@ -1,55 +1,8 @@ -.PHONY: install test clean - -USERNAME = $$(whoami) - +.PHONY: clean clean: - kill $$(cat sshd.pid) git clean -fdx -test: ssh_config sshd_config CA CA.pub users/$(USERNAME) hosts/localhost known_hosts - $$(PATH=$$PATH:/usr/local/sbin:/usr/sbin:/sbin which sshd) -f sshd_config - test "$$(ssh -F ssh_config test whoami)" = "$$USER" - kill $$(cat sshd.pid) - -CA CA.pub users hosts: - ./ssh-ca init - -users/$(USERNAME): users CA CA.pub - ./ssh-ca newuser $(USERNAME) - -hosts/localhost: hosts CA CA.pub - ./ssh-ca newhost localhost - -known_hosts: CA.pub - echo "@cert-authority * $$(cat CA.pub)" > known_hosts - -sshd_config: - @echo "ListenAddress 127.0.0.1:22222" > sshd_config - @echo "HostKey $$PWD/hosts/localhost/ssh_host_rsa_key" >> sshd_config - @echo "HostKey $$PWD/hosts/localhost/ssh_host_dsa_key" >> sshd_config - @echo "HostKey $$PWD/hosts/localhost/ssh_host_ecdsa_key" >> sshd_config - @echo "HostKey $$PWD/hosts/localhost/ssh_host_ed25519_key" >> sshd_config - @echo "HostCertificate $$PWD/hosts/localhost/ssh_host_rsa_key-cert.pub" >> sshd_config - @echo "HostCertificate $$PWD/hosts/localhost/ssh_host_dsa_key-cert.pub" >> sshd_config - @echo "HostCertificate $$PWD/hosts/localhost/ssh_host_ecdsa_key-cert.pub" >> sshd_config - @echo "HostCertificate $$PWD/hosts/localhost/ssh_host_ed25519_key-cert.pub" >> sshd_config - @echo "PidFile sshd.pid" >> sshd_config - @echo "UsePrivilegeSeparation no" >> sshd_config - @echo "MaxAuthTries 20" >> sshd_config - @echo "TrustedUserCAKeys $$PWD/CA.pub" >> sshd_config - -ssh_config: - @echo "Host test" > ssh_config - @echo "HostName localhost" >> ssh_config - @echo "Port 22222" >> ssh_config - @echo "IdentityFile users/%u/id_rsa" >> ssh_config - @echo "IdentityFile users/%u/id_dsa" >> ssh_config - @echo "IdentityFile users/%u/id_ecdsa" >> ssh_config - @echo "IdentityFile users/%u/id_ed25519" >> ssh_config - @echo "UserKnownHostsFile known_hosts" >> ssh_config - @echo "StrictHostKeyChecking yes" >> ssh_config - 
@echo "BatchMode yes" >> ssh_config - +.PHONY: install install: - cp ssl-ca /usr/local/bin/ssh-ca - chmod 755 /usr/local/bin/ssh-ca + install -m 755 ssl-ca /usr/local/bin/ssh-ca diff --git a/README.md b/README.md new file mode 100644 index 0000000..29d9fda --- /dev/null +++ b/README.md 
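Review bot: The new `install` recipe still copies a file named `ssl-ca`, but the script this repository ships is `ssh-ca` (see the `a/ssh-ca` file header further down), so `make install` fails on a missing source file; the line should read `install -m 755 ssh-ca /usr/local/bin/ssh-ca`. The old `cp`/`chmod` pair had the same typo, so the switch to `install` is an improvement that just did not catch it. The `test` target is dropped here in favour of tests/ssh-ca.bats, yet the README.md added in this same commit still tells readers to run `make test`; either keep a thin `test` target that invokes bats or fix the README so the documented workflow matches the Makefile.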
@@ -0,0 +1,124 @@ +# SSH-CA + +[](https://git.shore.co.il/nimrod/ssh-ca/-/commits/master) + +This utility assists in creating an SSH certificate authority. It aims +to be production-ready and a secure solution for managing SSH key-pairs +for both users and hosts. + +## Installation + +```shell +git clone https://www.shore.co.il/git/ssh-ca +cd ssh-ca +sudo make install +``` + +## Usage + +To start a new certificate authority (creates an RSA keypair for signing +purposes and hosts and users directories) + +```shell +ssh-ca init +``` + +To sign a user's public key (found under +users/\<username>/[id](<>)\*.pub) + +```shell +ssh-ca signuser username +``` + +To sign a host's public key (found under +hosts/\<hostname>/[ssh\_host](<>)\*.pub) + +```shell +ssh-ca signhost hostname +``` + +To generate a new keypair for a host with a signed public key + +```shell +ssh-ca newhost hostname +``` + +To generate a new keypair for a user with a signed public key + +```shell +ssh-ca newuser username +``` + +## Authenticating hosts + +1. Sign the server's public key or generate a new pair and copy the + files over. + +1. Add the following line to `/etc/ssh/sshd_config`: + + ``` + HostCertificate /path/to/the/signed/public/key + ``` + +1. Add a line to your known\_hosts file to authorize signed public keys + to a specific top level domain. 
For example if your domain is + example.com and the contents of `CA.pub` is: + + ``` + ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fAkeidfnPn712B4uW3XhKyFt9FcJtVwSPKDSCykULg3X5gVV/Xa1yb4ameY3ihXOqQOlG3YpYnOQ8KdM67WtnERVbTJIfieRjGzoURz9NquLFXSKsuQrXMWRNHqXAHw7VirPvKL4cSc4l00Az1HDnHhMIclPY8G+8SkRIRsTwwwa5QjGF2wuhC6j5UHJSaF7qLFw9FSaCsEJTkQxtCD4+Rd/dxv3kVWSkm5DbNG0z3QHyISW7XDvyXP+1ccSb5+IWC0yQCT4OJNFUMDb+SdD7AzDHfI9Z5zTp56uGV23lywWhSvv20UPA0SyXJNGPOw7uJ1ak8q4SBh60PtOENQf ssh-ca + ``` + +Then the line will be: + +``` +@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fAkeidfnPn712B4uW3XhKyFt9FcJtVwSPKDSCykULg3X5gVV/Xa1yb4ameY3ihXOqQOlG3YpYnOQ8KdM67WtnERVbTJIfieRjGzoURz9NquLFXSKsuQrXMWRNHqXAHw7VirPvKL4cSc4l00Az1HDnHhMIclPY8G+8SkRIRsTwwwa5QjGF2wuhC6j5UHJSaF7qLFw9FSaCsEJTkQxtCD4+Rd/dxv3kVWSkm5DbNG0z3QHyISW7XDvyXP+1ccSb5+IWC0yQCT4OJNFUMDb+SdD7AzDHfI9Z5zTp56uGV23lywWhSvv20UPA0SyXJNGPOw7uJ1ak8q4SBh60PtOENQf ssh-ca +``` + +\#. You can also add it system wide by adding the above line to +`/etc/ssh/ssh_known_hosts` and the following line to your +`ssh_config` file: + +``` +GlobalKnownHostsFile /etc/ssh/ssh_known_hosts +``` + +1. For strict security, add the following line to you ssh\_config file: + + ``` + StrictHostKeyChecking yes + ``` + +## Authenticating users + +1. Sign the user's public key or generate a new pair and copy them + over. + +1. Copy `CA.pub` over to the host. + +1. Add the following line to `/etc/ssh/sshd_config`: + + ``` + TrustedUserCAKeys /path/to/CA.pub + ``` + +## Development + +For testing run `make test`}. For cleaning temporary files +run `git clean -fdx`. You can use +[pre-commit](http://pre-commit.com/) to have the test (which is quite +quick) run on every commit to ensure quality code. + +## License + +This software is licensed under the MIT license (see `LICENSE.txt`). + +## Author Information + +Nimrod Adar, [contact me](mailto:nimrod@shore.co.il) or visit my +[website](https://www.shore.co.il/). 
Patches are welcome via +[`git send-email`](http://git-scm.com/book/en/v2/Git-Commands-Email). The repository +is located at: <https://git.shore.co.il/expore/>. + +## TODO + +- Better, more thorough documentation. diff --git a/README.rst b/README.rst deleted file mode 100644 index 97695df..0000000 --- a/README.rst +++ /dev/null 
@@ -1,114 +0,0 @@ -SSH-CA -###### - -.. image:: https://travis-ci.org/adarnimrod/ssh-ca.svg?branch=master - :target: https://travis-ci.org/adarnimrod/ssh-ca - -This utility assists in creating an SSH certificate authority. It aims to be -production-ready and a secure solution for managing SSH key-pairs for both users -and hosts. - -Installation ------------- -.. code:: shell - - git clone https://www.shore.co.il/git/ssh-ca - cd ssh-ca - sudo make install - -Usage ------ - -To start a new certificate authority (creates an RSA keypair for signing -purposes and hosts and users directories) - -.. code:: shell - - ssh-ca init - -To sign a user's public key (found under users/<username>/id_*.pub) - -.. code:: shell - - ssh-ca signuser username - -To sign a host's public key (found under hosts/<hostname>/ssh_host_*.pub) - -.. code:: shell - - ssh-ca signhost hostname - -To generate a new keypair for a host with a signed public key - -.. code:: shell - - ssh-ca newhost hostname - -To generate a new keypair for a user with a signed public key - -.. code:: shell - - ssh-ca newuser username - -Authenticating hosts --------------------- - -#. Sign the server's public key or generate a new pair and copy the files over. -#. Add the following line to :code:`/etc/ssh/sshd_config`:: - - HostCertificate /path/to/the/signed/public/key - -#. Add a line to your `known_hosts` file to authorize signed public keys to a - specific top level domain. 
For example if your domain is example.com and the - contents of :code:`CA.pub` is:: - - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fAkeidfnPn712B4uW3XhKyFt9FcJtVwSPKDSCykULg3X5gVV/Xa1yb4ameY3ihXOqQOlG3YpYnOQ8KdM67WtnERVbTJIfieRjGzoURz9NquLFXSKsuQrXMWRNHqXAHw7VirPvKL4cSc4l00Az1HDnHhMIclPY8G+8SkRIRsTwwwa5QjGF2wuhC6j5UHJSaF7qLFw9FSaCsEJTkQxtCD4+Rd/dxv3kVWSkm5DbNG0z3QHyISW7XDvyXP+1ccSb5+IWC0yQCT4OJNFUMDb+SdD7AzDHfI9Z5zTp56uGV23lywWhSvv20UPA0SyXJNGPOw7uJ1ak8q4SBh60PtOENQf ssh-ca - -Then the line will be:: - - @cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fAkeidfnPn712B4uW3XhKyFt9FcJtVwSPKDSCykULg3X5gVV/Xa1yb4ameY3ihXOqQOlG3YpYnOQ8KdM67WtnERVbTJIfieRjGzoURz9NquLFXSKsuQrXMWRNHqXAHw7VirPvKL4cSc4l00Az1HDnHhMIclPY8G+8SkRIRsTwwwa5QjGF2wuhC6j5UHJSaF7qLFw9FSaCsEJTkQxtCD4+Rd/dxv3kVWSkm5DbNG0z3QHyISW7XDvyXP+1ccSb5+IWC0yQCT4OJNFUMDb+SdD7AzDHfI9Z5zTp56uGV23lywWhSvv20UPA0SyXJNGPOw7uJ1ak8q4SBh60PtOENQf ssh-ca - -#. You can also add it system wide by adding the above line to -:code:`/etc/ssh/ssh_known_hosts` and the following line to your -:code:`ssh_config` file:: - - GlobalKnownHostsFile /etc/ssh/ssh_known_hosts - -#. For strict security, add the following line to you `ssh_config` file:: - - StrictHostKeyChecking yes - -Authenticating users --------------------- - -#. Sign the user's public key or generate a new pair and copy them over. -#. Copy :code:`CA.pub` over to the host. -#. Add the following line to :code:`/etc/ssh/sshd_config`:: - - TrustedUserCAKeys /path/to/CA.pub - -Development ------------ - -For testing run :code:`make test`. For cleaning temporary files run :code:`git -clean -fdx`. You can use `pre-commit <http://pre-commit.com/>`_ to have the test -(which is quite quick) run on every commit to ensure quality code. - -License -------- - -This software is licensed under the MIT license (see the :code:`LICENSE.txt` -file). - -Author ------- - -Nimrod Adar, `contact me <nimrod@shore.co.il>`_ or visit my `website -<https://www.shore.co.il/>`_. 
Patches are welcome via `git send-email -<http://git-scm.com/book/en/v2/Git-Commands-Email>`_. The repository is located -at: https://www.shore.co.il/git/. - -TODO ----- - -- Better, more thorough documentation. diff --git a/ssh-ca b/ssh-ca index a0e812e..39296d4 100755 --- a/ssh-ca +++ b/ssh-ca @@ -6,7 +6,7 @@ error () { exit 1 } -[ $(which ssh-keygen) ] || \ +(which ssh-keygen) || \ error "Can't find ssh-keygen. Is OpenSSH installed properly?" key_types="dsa ecdsa ed25519 rsa" @@ -36,6 +36,7 @@ signuser () { then echo "Signing user $1 $type key." ssh-keygen -s CA -I "$1" -n "$1" "users/$1/id_${type}.pub" + # shellcheck disable=SC2039 local flag="not empty" fi done @@ -51,6 +52,7 @@ signhost () { echo "Signing host $1 $type key." ssh-keygen -s CA -I "$1" -h -n "$1" \ "hosts/$1/ssh_host_${type}_key.pub" + # shellcheck disable=SC2039 local flag="not empty" fi done diff --git a/tests/ssh-ca.bats b/tests/ssh-ca.bats new file mode 100644 index 0000000..2342695 --- /dev/null +++ b/tests/ssh-ca.bats 
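Review bot: `(which ssh-keygen) || \` still relies on an external `which`, whose presence and exit status vary between platforms, and the subshell now prints the resolved path to stdout on every run of the script; the POSIX builtin performs the same presence check silently: `command -v ssh-keygen >/dev/null 2>&1 || \`. Replacing the old unquoted `[ $(...) ]` form was the right call (it collapsed to `[ ]` when `which` printed nothing), so only the tool choice is off. The `error ()` function whose closing lines form this hunk's context begins outside the hunk.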
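Review bot: The added `# shellcheck disable=SC2039` silences the warning that `local` is not POSIX instead of removing the non-portable construct; SC2039 only fires when the file is checked as `sh`, which suggests `ssh-ca` runs under `/bin/sh` (its shebang is outside the hunk, so this is inferred). Initialising `flag=` once at the top of `signuser` and assigning plain `flag="not empty"` inside the loop gives the same signal without `local` or the directive; the identical directive added in the `signhost` hunk below has the same alternative. Both functions begin outside their hunks, and how `flag` is consumed after the loop is not visible here, so the reset at function entry matters if the helper is ever called twice in one process. Separately, the `ssh-keygen -s CA ...` context lines in both hunks sign without a `-V` validity interval, so the issued user and host certificates never expire; a bounded validity such as `-V +52w` is worth considering for a tool that aims to be production-ready.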
@@ -0,0 +1,52 @@
+setup () {
+ teardown
+}
+
+teardown () {
+ { [ -f sshd.pid ] && kill "$(cat sshd.pid)"; } || true
+ git clean -fdX
+}
+
+@test "full test" {
+ USERNAME="$(whoami)"
+ ./ssh-ca init
+ ./ssh-ca newuser "$USERNAME"
+ ./ssh-ca newhost localhost
+ echo "@cert-authority * $(cat CA.pub)" > known_hosts
+
+ # Generating sshd_config
+ echo "ListenAddress 127.0.0.1:22222" > sshd_config
+ echo "HostKey $PWD/hosts/localhost/ssh_host_rsa_key" >> sshd_config
+ echo "HostKey $PWD/hosts/localhost/ssh_host_dsa_key" >> sshd_config
+ echo "HostKey $PWD/hosts/localhost/ssh_host_ecdsa_key" >> sshd_config
+ echo "HostKey $PWD/hosts/localhost/ssh_host_ed25519_key" >> sshd_config
+ echo "HostCertificate $$PWD/hosts/localhost/ssh_host_rsa_key-cert.pub" >> sshd_config
+ echo "HostCertificate $$PWD/hosts/localhost/ssh_host_dsa_key-cert.pub" >> sshd_config
+ echo "HostCertificate $$PWD/hosts/localhost/ssh_host_ecdsa_key-cert.pub" >> sshd_config
+ echo "HostCertificate $$PWD/hosts/localhost/ssh_host_ed25519_key-cert.pub" >> sshd_config
+ echo "PidFile sshd.pid" >> sshd_config
+ echo "UsePrivilegeSeparation no" >> sshd_config
+ echo "MaxAuthTries 20" >> sshd_config
+ echo "TrustedUserCAKeys $PWD/CA.pub" >> sshd_config
+
+ # Generating ssh_config
+ echo "Host test" > ssh_config
+ echo "HostName localhost" >> ssh_config
+ echo "Port 22222" >> ssh_config
+ echo "IdentityFile users/%u/id_rsa" >> ssh_config
+ echo "IdentityFile users/%u/id_dsa" >> ssh_config
+ echo "IdentityFile users/%u/id_ecdsa" >> ssh_config
+ echo "IdentityFile users/%u/id_ed25519" >> ssh_config
+ echo "UserKnownHostsFile known_hosts" >> ssh_config
+ echo "StrictHostKeyChecking yes" >> ssh_config
+ echo "BatchMode yes" >> ssh_config
+
+ # Launching test sshd
+ $(PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin which sshd) -f sshd_config
+
+ # Testing
+ run ssh -F ssh_config test whoami
+ [ "$status" -eq 0 ]
+ [ "$output" = "$USERNAME" ]
+
+}
-- GitLab
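Review bot: The four `HostCertificate` lines use `$$PWD`, which bash expands to the shell's PID followed by the literal `PWD`, so the generated sshd_config points at certificate paths that do not exist; this looks like the Makefile's `$$` escaping carried over, since the `HostKey` lines directly above use `$PWD` correctly. The fix is `echo "HostCertificate $PWD/hosts/localhost/ssh_host_rsa_key-cert.pub" >> sshd_config` with the same substitution on the dsa, ecdsa and ed25519 lines. Without it the client, which trusts only the `@cert-authority` entry in known_hosts under `StrictHostKeyChecking yes`, is offered no host certificate to verify, so the test should fail rather than pass. Two smaller points: `teardown` runs `git clean -fdX` (ignored files only) where the old Makefile used `-fdx`, so unless CA, users/, hosts/, known_hosts and the two generated configs are covered by .gitignore (not visible here) they survive between runs; and `$(PATH=... which sshd)` carries the same `which` portability caveat as in `ssh-ca`, where `command -v sshd` would do.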