Much commit, very changes.

2826570c · nimrod · 62215b03 · 2826570c · 2826570c · 62215b03
Commit 2826570c authored 4 years ago by nimrod
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+---
+include:
+  - project: shore/ci-templates
+    file: templates/bats.yml
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
-   repo: git://github.com/pre-commit/pre-commit-hooks
+---
-    sha: v0.7.1
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks.git
+    rev: v3.4.0
    hooks:
-    -   id: check-added-large-files
+      - id: check-added-large-files
-    -   id: check-yaml
+      - id: check-executables-have-shebangs
-    -   id: check-merge-conflict
+      - id: check-merge-conflict
-   repo: https://www.shore.co.il/git/shell-pre-commit/
+      - id: check-symlinks
-    sha: v0.3.0
+      - id: trailing-whitespace
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v0.14.3
    hooks:
-    -   id: shell-lint
+      - id: detect-secrets
-        files: ssh-ca
-   repo: local
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.25.0
    hooks:
-    -   id: test
+      - id: yamllint
-        name: make test
-        language: system
+  - repo: https://github.com/amperser/proselint/
-        entry: make clean test
+    rev: 0.10.2
-        files: ssh-ca|Makefile
+    hooks:
+      - id: proselint
+        types: [plain-text]
+        exclude: LICENSE
+  - repo: https://github.com/executablebooks/mdformat.git
+    rev: 0.5.3
+    hooks:
+      - id: mdformat
+  - repo: https://git.shore.co.il/nimrod/shell-pre-commit.git
+    rev: v0.6.0
+    hooks:
+      - id: shell-lint
+  - repo: https://github.com/shellcheck-py/shellcheck-py.git
+    rev: v0.7.1.1
+    hooks:
+      - id: shellcheck
--- a/.travis.yml
+++ b/.travis.yml
---
-language: python
-python: "2.7"
-dist: trusty
-sudo: false
-group: beta
-cache:
-  - pip
-  - directories:
-      - $HOME/.pre-commit
-addons:
-  apt:
-    packages:
-      - openssh-server
-      - openssh-client
-      - build-essential
-install:
-  - pip install pre_commit
-script:
-  - pre-commit run --all-files
-notifications:
-  email: false
--- a/Makefile
+++ b/Makefile
-.PHONY: install test clean
+.PHONY: clean
-USERNAME = $$(whoami)
 clean:
 	- kill $$(cat sshd.pid)
 	git clean -fdx
-test: ssh_config sshd_config CA CA.pub users/$(USERNAME) hosts/localhost known_hosts
+.PHONY: install
-	$$(PATH=$$PATH:/usr/local/sbin:/usr/sbin:/sbin which sshd) -f sshd_config
-	test "$$(ssh -F ssh_config test whoami)" = "$$USER"
-	kill $$(cat sshd.pid)
-CA CA.pub users hosts:
-	./ssh-ca init
-users/$(USERNAME): users CA CA.pub
-	./ssh-ca newuser $(USERNAME)
-hosts/localhost: hosts CA CA.pub
-	./ssh-ca newhost localhost
-known_hosts: CA.pub
-	echo "@cert-authority * $$(cat CA.pub)" > known_hosts
-sshd_config:
-	@echo "ListenAddress 127.0.0.1:22222" > sshd_config
-	@echo "HostKey $$PWD/hosts/localhost/ssh_host_rsa_key" >> sshd_config
-	@echo "HostKey $$PWD/hosts/localhost/ssh_host_dsa_key" >> sshd_config
-	@echo "HostKey $$PWD/hosts/localhost/ssh_host_ecdsa_key" >> sshd_config
-	@echo "HostKey $$PWD/hosts/localhost/ssh_host_ed25519_key" >> sshd_config
-	@echo "HostCertificate $$PWD/hosts/localhost/ssh_host_rsa_key-cert.pub" >> sshd_config
-	@echo "HostCertificate $$PWD/hosts/localhost/ssh_host_dsa_key-cert.pub" >> sshd_config
-	@echo "HostCertificate $$PWD/hosts/localhost/ssh_host_ecdsa_key-cert.pub" >> sshd_config
-	@echo "HostCertificate $$PWD/hosts/localhost/ssh_host_ed25519_key-cert.pub" >> sshd_config
-	@echo "PidFile sshd.pid" >> sshd_config
-	@echo "UsePrivilegeSeparation no" >> sshd_config
-	@echo "MaxAuthTries 20" >> sshd_config
-	@echo "TrustedUserCAKeys $$PWD/CA.pub" >> sshd_config
-ssh_config:
-	@echo "Host test" > ssh_config
-	@echo "HostName localhost" >> ssh_config
-	@echo "Port 22222"  >> ssh_config
-	@echo "IdentityFile users/%u/id_rsa" >> ssh_config
-	@echo "IdentityFile users/%u/id_dsa" >> ssh_config
-	@echo "IdentityFile users/%u/id_ecdsa" >> ssh_config
-	@echo "IdentityFile users/%u/id_ed25519" >> ssh_config
-	@echo "UserKnownHostsFile known_hosts" >> ssh_config
-	@echo "StrictHostKeyChecking yes" >> ssh_config
-	@echo "BatchMode yes" >> ssh_config
 install:
-	cp ssl-ca /usr/local/bin/ssh-ca
+	install -m 755 ssl-ca /usr/local/bin/ssh-ca
-	chmod 755 /usr/local/bin/ssh-ca
--- a/README.md
+++ b/README.md
+# SSH-CA
+[![pipeline status](https://git.shore.co.il/nimrod/ssh-ca/badges/master/pipeline.svg)](https://git.shore.co.il/nimrod/ssh-ca/-/commits/master)
+This utility assists in creating an SSH certificate authority. It aims
+to be production-ready and a secure solution for managing SSH key-pairs
+for both users and hosts.
+## Installation
+```shell
+git clone https://www.shore.co.il/git/ssh-ca
+cd ssh-ca
+sudo make install
+```
+## Usage
+To start a new certificate authority (creates an RSA keypair for signing
+purposes and hosts and users directories)
+```shell
+ssh-ca init
+```
+To sign a user's public key (found under
+users/\<username>/[id](<>)\*.pub)
+```shell
+ssh-ca signuser username
+```
+To sign a host's public key (found under
+hosts/\<hostname>/[ssh\_host](<>)\*.pub)
+```shell
+ssh-ca signhost hostname
+```
+To generate a new keypair for a host with a signed public key
+```shell
+ssh-ca newhost hostname
+```
+To generate a new keypair for a user with a signed public key
+```shell
+ssh-ca newuser username
+```
+## Authenticating hosts
+1. Sign the server's public key or generate a new pair and copy the
+   files over.
+1. Add the following line to `/etc/ssh/sshd_config`:
+   ```
+   HostCertificate /path/to/the/signed/public/key
+   ```
+1. Add a line to your known\_hosts file to authorize signed public keys
+   to a specific top level domain. For example if your domain is
+   example.com and the contents of `CA.pub` is:
+   ```
+   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fAkeidfnPn712B4uW3XhKyFt9FcJtVwSPKDSCykULg3X5gVV/Xa1yb4ameY3ihXOqQOlG3YpYnOQ8KdM67WtnERVbTJIfieRjGzoURz9NquLFXSKsuQrXMWRNHqXAHw7VirPvKL4cSc4l00Az1HDnHhMIclPY8G+8SkRIRsTwwwa5QjGF2wuhC6j5UHJSaF7qLFw9FSaCsEJTkQxtCD4+Rd/dxv3kVWSkm5DbNG0z3QHyISW7XDvyXP+1ccSb5+IWC0yQCT4OJNFUMDb+SdD7AzDHfI9Z5zTp56uGV23lywWhSvv20UPA0SyXJNGPOw7uJ1ak8q4SBh60PtOENQf ssh-ca
+   ```
+Then the line will be:
+```
+@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fAkeidfnPn712B4uW3XhKyFt9FcJtVwSPKDSCykULg3X5gVV/Xa1yb4ameY3ihXOqQOlG3YpYnOQ8KdM67WtnERVbTJIfieRjGzoURz9NquLFXSKsuQrXMWRNHqXAHw7VirPvKL4cSc4l00Az1HDnHhMIclPY8G+8SkRIRsTwwwa5QjGF2wuhC6j5UHJSaF7qLFw9FSaCsEJTkQxtCD4+Rd/dxv3kVWSkm5DbNG0z3QHyISW7XDvyXP+1ccSb5+IWC0yQCT4OJNFUMDb+SdD7AzDHfI9Z5zTp56uGV23lywWhSvv20UPA0SyXJNGPOw7uJ1ak8q4SBh60PtOENQf ssh-ca
+```
+\#. You can also add it system wide by adding the above line to
+`/etc/ssh/ssh_known_hosts` and the following line to your
+`ssh_config` file:
+```
+GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
+```
+1. For strict security, add the following line to you ssh\_config file:
+   ```
+   StrictHostKeyChecking yes
+   ```
+## Authenticating users
+1. Sign the user's public key or generate a new pair and copy them
+   over.
+1. Copy `CA.pub` over to the host.
+1. Add the following line to `/etc/ssh/sshd_config`:
+   ```
+   TrustedUserCAKeys /path/to/CA.pub
+   ```
+## Development
+For testing run `make test`}. For cleaning temporary files
+run `git clean -fdx`. You can use
+[pre-commit](http://pre-commit.com/) to have the test (which is quite
+quick) run on every commit to ensure quality code.
+## License
+This software is licensed under the MIT license (see `LICENSE.txt`).
+## Author Information
+Nimrod Adar, [contact me](mailto:nimrod@shore.co.il) or visit my
+[website](https://www.shore.co.il/). Patches are welcome via
+[`git send-email`](http://git-scm.com/book/en/v2/Git-Commands-Email). The repository
+is located at: <https://git.shore.co.il/expore/>.
+## TODO
+- Better, more thorough documentation.
--- a/README.rst
+++ b/README.rst
-SSH-CA
-######
-.. image:: https://travis-ci.org/adarnimrod/ssh-ca.svg?branch=master
-    :target: https://travis-ci.org/adarnimrod/ssh-ca
-This utility assists in creating an SSH certificate authority. It aims to be
-production-ready and a secure solution for managing SSH key-pairs for both users
-and hosts.
-Installation
------------
-.. code:: shell
-    git clone https://www.shore.co.il/git/ssh-ca
-    cd ssh-ca
-    sudo make install
-Usage
-----
-To start a new certificate authority (creates an RSA keypair for signing
-purposes and hosts and users directories)
-.. code:: shell
-    ssh-ca init
-To sign a user's public key (found under users/<username>/id_*.pub)
-.. code:: shell
-    ssh-ca signuser username
-To sign a host's public key (found under hosts/<hostname>/ssh_host_*.pub)
-.. code:: shell
-    ssh-ca signhost hostname
-To generate a new keypair for a host with a signed public key
-.. code:: shell
-    ssh-ca newhost hostname
-To generate a new keypair for a user with a signed public key
-.. code:: shell
-    ssh-ca newuser username
-Authenticating hosts
--------------------
-#. Sign the server's public key or generate a new pair and copy the files over.
-#. Add the following line to :code:`/etc/ssh/sshd_config`::
-    HostCertificate /path/to/the/signed/public/key
-#. Add a line to your `known_hosts` file to authorize signed public keys to a
-   specific top level domain. For example if your domain is example.com and the
-   contents of :code:`CA.pub` is::
-       ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fAkeidfnPn712B4uW3XhKyFt9FcJtVwSPKDSCykULg3X5gVV/Xa1yb4ameY3ihXOqQOlG3YpYnOQ8KdM67WtnERVbTJIfieRjGzoURz9NquLFXSKsuQrXMWRNHqXAHw7VirPvKL4cSc4l00Az1HDnHhMIclPY8G+8SkRIRsTwwwa5QjGF2wuhC6j5UHJSaF7qLFw9FSaCsEJTkQxtCD4+Rd/dxv3kVWSkm5DbNG0z3QHyISW7XDvyXP+1ccSb5+IWC0yQCT4OJNFUMDb+SdD7AzDHfI9Z5zTp56uGV23lywWhSvv20UPA0SyXJNGPOw7uJ1ak8q4SBh60PtOENQf ssh-ca
-Then the line will be::
-    @cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fAkeidfnPn712B4uW3XhKyFt9FcJtVwSPKDSCykULg3X5gVV/Xa1yb4ameY3ihXOqQOlG3YpYnOQ8KdM67WtnERVbTJIfieRjGzoURz9NquLFXSKsuQrXMWRNHqXAHw7VirPvKL4cSc4l00Az1HDnHhMIclPY8G+8SkRIRsTwwwa5QjGF2wuhC6j5UHJSaF7qLFw9FSaCsEJTkQxtCD4+Rd/dxv3kVWSkm5DbNG0z3QHyISW7XDvyXP+1ccSb5+IWC0yQCT4OJNFUMDb+SdD7AzDHfI9Z5zTp56uGV23lywWhSvv20UPA0SyXJNGPOw7uJ1ak8q4SBh60PtOENQf ssh-ca
-#. You can also add it system wide by adding the above line to
-:code:`/etc/ssh/ssh_known_hosts` and the following line to your
-:code:`ssh_config` file::
-    GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
-#. For strict security, add the following line to you `ssh_config` file::
-    StrictHostKeyChecking yes
-Authenticating users
--------------------
-#. Sign the user's public key or generate a new pair and copy them over.
-#. Copy :code:`CA.pub` over to the host.
-#. Add the following line to :code:`/etc/ssh/sshd_config`::
-    TrustedUserCAKeys /path/to/CA.pub
-Development
-----------
-For testing run :code:`make test`. For cleaning temporary files run :code:`git
-clean -fdx`. You can use `pre-commit <http://pre-commit.com/>`_ to have the test
-(which is quite quick) run on every commit to ensure quality code.
-License
-------
-This software is licensed under the MIT license (see the :code:`LICENSE.txt`
-file).
-Author
------
-Nimrod Adar, `contact me <nimrod@shore.co.il>`_ or visit my `website
-<https://www.shore.co.il/>`_. Patches are welcome via `git send-email
-<http://git-scm.com/book/en/v2/Git-Commands-Email>`_. The repository is located
-at: https://www.shore.co.il/git/.
-TODO
----
- Better, more thorough documentation.
--- a/ssh-ca
+++ b/ssh-ca
@@ -6,7 +6,7 @@ error () {
    exit 1
 }
-[ $(which ssh-keygen) ] || \
+(which ssh-keygen) || \
    error "Can't find ssh-keygen. Is OpenSSH installed properly?"
 key_types="dsa ecdsa ed25519 rsa"
@@ -36,6 +36,7 @@ signuser () {
        then
            echo "Signing user $1 $type key."
            ssh-keygen -s CA -I "$1" -n "$1" "users/$1/id_${type}.pub"
+            # shellcheck disable=SC2039
            local flag="not empty"
        fi
    done
@@ -51,6 +52,7 @@ signhost () {
            echo "Signing host $1 $type key."
            ssh-keygen -s CA -I "$1" -h -n "$1" \
                "hosts/$1/ssh_host_${type}_key.pub"
+            # shellcheck disable=SC2039
            local flag="not empty"
        fi
    done

--- a/tests/ssh-ca.bats
+++ b/tests/ssh-ca.bats
+setup () {
+    teardown
+}
+teardown () {
+    { [ -f sshd.pid ] && kill "$(cat sshd.pid)"; } || true
+    git clean -fdX
+}
+@test "full test" {
+    USERNAME="$(whoami)"
+    ./ssh-ca init
+    ./ssh-ca newuser "$USERNAME"
+    ./ssh-ca newhost localhost
+    echo "@cert-authority * $(cat CA.pub)" > known_hosts
+    # Generating sshd_config
+    echo "ListenAddress 127.0.0.1:22222" > sshd_config
+    echo "HostKey $PWD/hosts/localhost/ssh_host_rsa_key" >> sshd_config
+    echo "HostKey $PWD/hosts/localhost/ssh_host_dsa_key" >> sshd_config
+    echo "HostKey $PWD/hosts/localhost/ssh_host_ecdsa_key" >> sshd_config
+    echo "HostKey $PWD/hosts/localhost/ssh_host_ed25519_key" >> sshd_config
+    echo "HostCertificate $$PWD/hosts/localhost/ssh_host_rsa_key-cert.pub" >> sshd_config
+    echo "HostCertificate $$PWD/hosts/localhost/ssh_host_dsa_key-cert.pub" >> sshd_config
+    echo "HostCertificate $$PWD/hosts/localhost/ssh_host_ecdsa_key-cert.pub" >> sshd_config
+    echo "HostCertificate $$PWD/hosts/localhost/ssh_host_ed25519_key-cert.pub" >> sshd_config
+    echo "PidFile sshd.pid" >> sshd_config
+    echo "UsePrivilegeSeparation no" >> sshd_config
+    echo "MaxAuthTries 20" >> sshd_config
+    echo "TrustedUserCAKeys $PWD/CA.pub" >> sshd_config
+    # Generating ssh_config
+    echo "Host test" > ssh_config
+    echo "HostName localhost" >> ssh_config
+    echo "Port 22222"  >> ssh_config
+    echo "IdentityFile users/%u/id_rsa" >> ssh_config
+    echo "IdentityFile users/%u/id_dsa" >> ssh_config
+    echo "IdentityFile users/%u/id_ecdsa" >> ssh_config
+    echo "IdentityFile users/%u/id_ed25519" >> ssh_config
+    echo "UserKnownHostsFile known_hosts" >> ssh_config
+    echo "StrictHostKeyChecking yes" >> ssh_config
+    echo "BatchMode yes" >> ssh_config
+    # Launching test sshd
+    $(PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin which sshd) -f sshd_config
+    # Testing
+    run ssh -F ssh_config test whoami
+    [ "$status" -eq 0 ]
+    [ "$output" = "$USERNAME" ]
+}