From f18e0834b46fc092bb159b11200b3319317571fb Mon Sep 17 00:00:00 2001
From: Guiran Patrick
Date: Fri, 3 Sep 2010 19:34:56 +0200
Subject: [PATCH] first commit
---
 .gitmodules | 3 +
 COPYING | 280 ++++++++++++++
 README | 34 ++
 build.sh | 79 ++++
 client/README | 20 +
 client/config-sshgate.sh | 68 ++++
 client/scpg | 85 +++++
 client/sshg | 27 ++
 lib | 1 +
 server/COPYING | 280 ++++++++++++++
 server/install.sh | 94 +++++
 server/sshgate | 149 ++++++++
 server/sshgate.conf | 55 +++
 server/sshgate.func | 770 +++++++++++++++++++++++++++++++++++++++
 server/sshgate.sh | 127 +++++++
 15 files changed, 2072 insertions(+)
 create mode 100644 .gitmodules
 create mode 100644 COPYING
 create mode 100644 README
 create mode 100755 build.sh
 create mode 100644 client/README
 create mode 100755 client/config-sshgate.sh
 create mode 100755 client/scpg
 create mode 100755 client/sshg
 create mode 160000 lib
 create mode 100644 server/COPYING
 create mode 100644 server/install.sh
 create mode 100644 server/sshgate
 create mode 100644 server/sshgate.conf
 create mode 100644 server/sshgate.func
 create mode 100644 server/sshgate.sh
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..feeb313
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "lib"]
+ path = lib
+ url = git://github.com/Tauop/ScriptHelper.git
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..e37680c
--- /dev/null
+++ b/COPYING
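Review bot: The submodule `url` in the .gitmodules hunk uses the `git://` transport, which is neither authenticated nor encrypted, so the first fetch of lib trusts whatever host answers on the path. The commit id pinned for lib still guards the content that is checked out, but the transport itself gives no server authentication; `url = https://github.com/Tauop/ScriptHelper.git` keeps the same pinning with an authenticated fetch.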
@@ -0,0 +1,280 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS diff --git a/README b/README new file mode 100644 index 0000000..a8104e5 --- /dev/null +++ b/README 
@@ -0,0 +1,34 @@
+== Welcome to sshGate
+
+sshGate is a tool which help to configure openssh server in order to have
+a ssh proxy. sshGate use the double ssh method, to be able to connect to
+a target host. In fact, sshGate has private sshkey of target hosts, make
+ACL checks and can log what users do on target host.
+
+ /-------> target host N
+ /--------> . . .
+ user ----> sshGate ----> target host 1
+ |-> ACL
+ |-> private sshkeys
+
+
+sshGate is under GPLv2 license.
+
+== Description of content
+
+build.sh : use to build sshGate-server and/or sshGate-client .tar.gz package(s)
+
+lib/ : sshGate project make some use of ScriptHelper project.
+ for more information : http://github.com/Tauop/ScriptHelper
+
+server/ : server source
+ - install.sh : help to install sshGate-server.
+ - sshgate.conf : configuration file
+ - sshgate.func : main code of sshGate admin. used by 'sshgate' CLI
+ - sshgate : CLI for administration of sshGate.
+ - sshgate.sh : script which will be used on user connection (ACL, ...)
+
+client/ : client source
+ - config-sshgate.sh : help user to configure the ssh client
+ - sshg : script to make ssh through the sshGate-server
+ - scpg : script to make scp through the sshGate-server
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..32b5681
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# Copyright (c) 2010 Linagora
+# Patrick Guiran
+# http://github.com/Tauop/sshGate
+#
+# sshGate is free software, you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# sshGate is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+#
+
+. ./lib/message.lib.sh
+. ./lib/ask.lib.sh
+. ./lib/exec.lib.sh
+
+version=
+ASK version "sshgate version ? "
+
+action='all'
+if [ $# -ne 0 ]; then
+ [ "$1" = 'client' ] && action='client'
+ [ "$1" = 'server' ] && action='server'
+fi
+
+if [ "${action}" = 'all' -o "${action}" = 'client' ]; then
+ DOTHIS 'Build sshgate-client package'
+ dir=/tmp/sshGate-client-$version
+
+ [ -d $dir/ ] && CMD rm -rf $dir/
+ CMD mkdir $dir/
+ CMD mkdir $dir/lib/
+
+ CMD cp COPYING $dir/
+ CMD cp -r ./client/* $dir/
+ CMD cp ./lib/ask.lib.sh $dir/lib/
+ CMD cp ./lib/message.lib.sh $dir/lib/
+
+ CMD chmod +x ${dir}/config-sshgate.sh
+ CMD chmod +x ${dir}/sshg
+ CMD chmod +x ${dir}/scpg
+
+ CMD tar c --transform "'s|^tmp/||S'" -z -f $dir.tar.gz ${dir} 2>/dev/null
+
+ CMD mv $dir.tar.gz .
+ CMD rm -rf $dir
+ OK
+fi
+
+if [ "${action}" = 'all' -o "${action}" = 'server' ]; then
+ DOTHIS 'Build sshgate-server package'
+ dir=/tmp/sshGate-server-$version
+
+ [ -d $dir/ ] && CMD rm -rf $dir/
+ CMD mkdir $dir/
+ CMD mkdir $dir/lib/
+
+ CMD cp COPYING $dir/
+ CMD cp -r ./server/* $dir/
+ CMD cp ./lib/ask.lib.sh $dir/lib/
+ CMD cp ./lib/message.lib.sh $dir/lib/
+ CMD cp ./lib/conf.lib.sh $dir/lib/
+
+ CMD chmod +x ${dir}/install.sh
+
+ CMD tar c --transform "'s|^tmp/||S'" -z -f $dir.tar.gz ${dir} 2>/dev/null
+
+ CMD mv $dir.tar.gz .
+ CMD rm -rf $dir
+ OK
+fi
diff --git a/client/README b/client/README
new file mode 100644
index 0000000..053becc
--- /dev/null
+++ b/client/README
@@ -0,0 +1,20 @@
+= README =
+
+config-sshgate.sh will help the user to update his ~/.ssh/config to
+setup a "sshgate" host, which will be used by 'sshg' and 'scpg' script.
+
+'sshg' and 'scpg' scripts may be put into the /usr/local/bin/ directory.
+
+DETAILS
+
+'sshg' is quite simple. It's an equivalent of 'ssh sshgate '
+
+'scpg' is more complex. Here are the 'scp - scp' equivalent syntaxes:
+
+in send mode:
+ scpg [] :
+ --> scp [] sshgate:/
+
+in receive mode:
+ scpg [] :
+ --> scp [/
diff --git a/client/config-sshgate.sh b/client/config-sshgate.sh
new file mode 100755
index 0000000..7e1a39f
--- /dev/null
+++ b/client/config-sshgate.sh
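Review bot: `dir=/tmp/sshGate-client-$version` stages the package at a predictable path in the shared /tmp and then runs `CMD rm -rf $dir/` on whatever is already there, so a directory or symlink pre-placed at that name by another local user gets deleted and reused as the build tree; the server branch later in the same hunk repeats the pattern. A private directory from mktemp, archived with `tar -C` instead of the `--transform` rewrite of the `/tmp/` prefix, removes the shared path entirely, and a single EXIT trap cleans it up even when a CMD step fails. `version` is also expanded unquoted into the path and the tarball name, so an empty or space-containing answer to ASK silently changes which paths the rm and cp act on; the rewrite below assumes CMD passes its arguments through unchanged, which should be confirmed against lib/exec.lib.sh.
```shell
# one private staging area for both packages; removed on any exit
staging=$(mktemp -d) || exit 1
trap 'rm -rf -- "${staging:?}"' EXIT

if [ "${action}" = 'all' -o "${action}" = 'client' ]; then
  DOTHIS 'Build sshgate-client package'
  name="sshGate-client-${version}"
  dir="${staging}/${name}"
  CMD mkdir "${dir}/" "${dir}/lib/"
  # … unchanged: cp and chmod steps, with "${dir}" quoted …
  CMD tar -C "${staging}" -czf "./${name}.tar.gz" "${name}"
  OK
fi
# … server branch: same shape with sshGate-server …
```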
@@ -0,0 +1,68 @@
+#!/bin/bash
+#
+# Copyright (c) 2010 Linagora
+# Patrick Guiran
+# http://github.com/Tauop/sshGate
+#
+# sshGate is free software, you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# sshGate is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+#
+
+SSH_CLIENT_DIR=~/.ssh
+SSH_CLIENT_CONFIG=~/.ssh/config
+SSHGATE_GATE_ACCOUNT='sshgate'
+
+# include ask.lib.sh from ScriptHelper project (http://github.com/Tauop/ScriptHelper)
+. ./lib/message.lib.sh
+. ./lib/ask.lib.sh
+
+echo
+echo " --- sshGate client configuration ---"
+echo " by Patrick Guiran"
+echo
+echo "This script will help you to configure your ssh client in order to use sshGate."
+echo
+
+sshgate_user=
+sshgate_host=
+sshgate_sshkey=
+
+ASK sshgate_host "What is the sshgGate hostname or IP address?"
+ASK sshgate_user "What is the username to use when connecting to sshGate? [${SSHGATE_GATE_ACCOUNT}]" "${SSHGATE_GATE_ACCOUNT}"
+ASK sshgate_sshkey "What is the SSH private key file to use for sshGate? [${SSH_CLIENT_DIR}/id_rsa]" "${SSH_CLIENT_DIR}/id_rsa"
+
+[ ! -d ${SSH_CLIENT_DIR} ] && mkdir -p ${SSH_CLIENT_DIR}
+
+ssh_config="
+Host sshgate
+ User ${sshgate_user}
+ IdentityFile ${sshgate_sshkey}
+ HostName ${sshgate_host}
+ ControlMaster auto
+ ControlPath /tmp/%r@%h:%p"
+
+echo >> ${SSH_CLIENT_CONFIG}
+echo "${ssh_config}" >> ${SSH_CLIENT_CONFIG}
+echo >> ${SSH_CLIENT_CONFIG}
+
+
+echo
+echo "The 'sshgate' host has been configured in your ssh configuration file ${SSH_CLIENT_CONFIG}"
+echo
+echo "You can use the 'sshg' and 'scpg' commands as equivalents of 'ssh' and 'scp' commands through sshGate"
+echo "Just copy the 'sshg' and 'scpg' files into a directory which is in your PATH (eg.: /usr/local/bin/),"
+echo "and make sure they are chmod a+rx."
+echo "If you don't want to use the 'sshg' and 'scpg' commands, please read the README file to use sshGate directly."
+echo
+
+exit 0
diff --git a/client/scpg b/client/scpg
new file mode 100755
index 0000000..986a241
--- /dev/null
+++ b/client/scpg
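Review bot: The `ControlPath /tmp/%r@%h:%p` line written into the user's ssh config puts the multiplexing socket at a predictable name in the world-writable /tmp, while ssh_config(5) asks for a ControlPath in a directory other users cannot write to; `~/.ssh` is created a few lines above, so `ControlPath ~/.ssh/cm-%r@%h:%p` keeps the socket under the user's own permissions. The `Host sshgate` block is also appended unconditionally, so every run adds another copy to `~/.ssh/config` and ssh keeps honouring the first one, which makes a reconfiguration a silent no-op; a `grep -q '^Host sshgate$' "${SSH_CLIENT_CONFIG}"` check before the append, with a message telling the user to edit the existing block, avoids that. The directory creation should be `mkdir -p -m 700 "${SSH_CLIENT_DIR}"` so a freshly created ~/.ssh does not inherit a permissive umask.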
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# Copyright (c) 2010 Linagora
+# Patrick Guiran
+# http://github.com/Tauop/sshGate
+#
+# sshGate is free software, you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# sshGate is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+#
+
+usage () {
+ echo "usage:"
+ echo " send : $0 ... :[]"
+ echo " receive : $0 :[] "
+ exit 1
+}
+
+is_target_arg() {
+ echo "$1" | grep ':' >/dev/null 2>/dev/null
+ [ $? -eq 0 ] && echo 'true' || echo 'false'
+}
+
+if [ $# -lt 2 ]; then
+ echo "ERROR: bad arguments"
+ usage
+fi
+
+action=
+target_host=
+target_location=
+local_location=
+scp_opt=
+
+# get options
+while [ true ]; do
+ case "$1" in
+ -[1246BCpqrv] ) scp_opt="${scp_opt} $1"; shift;;
+ -[cFiloPS] ) scp_opt="${scp_opt} $1 '$2'"; shift 2;;
+ -* ) echo "ERROR: invalid '$1' option"; exit 1;;
+ * ) break ;;
+ esac
+done
+
+
+# determine if we want to send or receive files from the target host
+if [ "$(is_target_arg "$1")" = "true" ]; then
+ action='receive'
+ target_host="${1%%:*}"
+ target_location="${1##*:}"
+ shift; # we have parsed the first argument
+ local_location="$1"
+ shift;
+ if [ "$#" -ne 0 ]; then
+ echo "ERROR: bad arguments"
+ usage
+ fi
+else
+ action='send'
+ # concat files into "${files}", until the last argument
+ while [ $# -ne 1 ]; do
+ local_location="${local_location} $1"; shift;
+ done
+ if [ "$(is_target_arg "$1")" = "false" ]; then
+ echo "ERROR: bad arguments"
+ usage
+ fi
+ target_host="${1%%:*}"
+ target_location="${1##*:}"
+fi
+
+
+[ "${action}" = 'send' ] && eval "scp ${scp_opt} ${local_location} sshgate:${target_host}/${target_location}"
+[ "${action}" = 'receive' ] && eval "scp ${scp_opt} sshgate:${target_host}/${target_location} ${local_location}"
+
+exit 0
diff --git a/client/sshg b/client/sshg
new file mode 100755
index 0000000..fe01e9f
--- /dev/null
+++ b/client/sshg
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Copyright (c) 2010 Linagora
+# Patrick Guiran
+# http://github.com/Tauop/sshGate
+#
+# sshGate is free software, you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# sshGate is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+#
+
+if [ $# -ne 1 ]; then
+ echo "ERROR: bad arguments"
+ echo "usage: $0 "
+ exit 1
+fi
+
+ssh -t sshgate "$1"
diff --git a/lib b/lib
new file mode 160000
index 0000000..c5528b7
--- /dev/null
+++ b/lib
@@ -0,0 +1 @@
+Subproject commit c5528b73faf3e703bdd43eec91898392420669fb
diff --git a/server/COPYING b/server/COPYING
new file mode 100644
index 0000000..e37680c
--- /dev/null
+++ b/server/COPYING
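Review bot: The two `eval "scp ${scp_opt} ..."` lines at the end of the scpg hunk re-parse every local file name, target and option value as shell code, so a path containing a space, a quote or `$(...)` is word-split, breaks the single-quote wrapping built in the `-[cFiloPS]` arm, or is executed locally before scp ever runs. Under `#!/bin/sh` there are no arrays, but the positional parameters can carry each word intact: rotate the option words behind the remaining arguments while parsing, then rotate the local files behind them and exec scp with `"$@"` plus one quoted target argument, which also retires `is_target_arg` and the `scp_opt`/`local_location` strings. The `-[cFiloPS]` arm should additionally confirm that `$2` exists before `shift 2`, since a trailing option currently fails without the usage message.
```shell
# … unchanged: header, usage() and the "$# -lt 2" check …

# keep each option word intact by moving it behind the remaining arguments
nopt=0; left=$#
while [ "$left" -gt 0 ]; do
  case "$1" in
    -[1246BCpqrv] ) set -- "$@" "$1"; shift; nopt=$((nopt + 1)); left=$((left - 1)) ;;
    -[cFiloPS] )    [ "$left" -ge 2 ] || usage
                    set -- "$@" "$1" "$2"; shift 2; nopt=$((nopt + 2)); left=$((left - 2)) ;;
    -* ) echo "ERROR: invalid '$1' option"; exit 1 ;;
    * ) break ;;
  esac
done
[ "$left" -gt 0 ] || usage
# now "$@" is: <left non-option arguments> <nopt option words>

case "$1" in
  *:* ) # receive: exactly a remote source and a local destination
        [ "$left" -eq 2 ] || usage
        target="$1"; local_location="$2"; shift 2
        exec scp "$@" "sshgate:${target%%:*}/${target##*:}" "${local_location}"
        ;;
  * )   # send: rotate the local files behind the options so the target ends up in front
        i=$((left - 1))
        while [ "$i" -gt 0 ]; do set -- "$@" "$1"; shift; i=$((i - 1)); done
        target="$1"; shift
        case "$target" in *:* ) ;; * ) echo "ERROR: bad arguments"; usage ;; esac
        exec scp "$@" "sshgate:${target%%:*}/${target##*:}"
        ;;
esac
```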
@@ -0,0 +1,280 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS diff --git a/server/install.sh b/server/install.sh new file mode 100644 index 0000000..aa8d1b0 --- /dev/null +++ b/server/install.sh 
@@ -0,0 +1,94 @@
+#
+# Copyright (c) 2010 Linagora
+# Patrick Guiran .
+#
+
+. ./lib/message.lib.sh
+. ./lib/ask.lib.sh
+. ./lib/conf.lib.sh
+
+CONF_SET_FILE "sshgate.conf"
+CONF_LOAD
+
+ASK SSHGATE_DIR \
+ "Where do you want to install sshGate [${SSHGATE_DIR}] ? " \
+ "${SSHGATE_DIR}"
+CONF_SAVE SSHGATE_DIR
+
+ASK SSHGATE_GATE_ACCOUNT \
+ "Which unix account to use for sshGate users [${SSHGATE_GATE_ACCOUNT}] ? " \
+ "${SSHGATE_GATE_ACCOUNT}"
+CONF_SAVE SSHGATE_GATE_ACCOUNT
+
+ASK SSHGATE_TARGETS_DEFAULT_USER \
+ "What the default user account to use when connecting to target host [${SSHGATE_TARGETS_DEFAULT_USER}] ? " \
+ "${SSHGATE_TARGETS_DEFAULT_USER}"
+CONF_SAVE SSHGATE_TARGETS_DEFAULT_USER
+
+DOTHIS 'Reload configuration'
+ # reset loaded configuration and reload it
+ __SSHGATE_CONF__=
+ CONF_LOAD
+OK
+
+DOTHIS 'Installing sshGate'
+ MK () { [ ! -d "$1/" ] && mkdir -p "$1"; }
+ MK "${SSHGATE_DIR}"
+ MK "${SSHGATE_DIR_BIN}"
+ MK "${SSHGATE_DIR_USERS}"
+ MK "${SSHGATE_DIR_TARGETS}"
+ MK "${SSHGATE_DIR_USERS_GROUPS}"
+ MK "${SSHGATE_DIR_TARGETS_GROUPS}"
+ MK "${SSHGATE_DIR_LOG}"
+
+ grep "${SSHGATE_GATE_ACCOUNT}" /etc/passwd >/dev/null 2>/dev/null
+ if [ $? -ne 0 ]; then
+ useradd "${SSHGATE_GATE_ACCOUNT}"
+ home_dir=$( cat /etc/passwd | grep "${SSHGATE_GATE_ACCOUNT}" | cut -d':' -f6 )
+
+ MK "${home_dir}"
+ chmod 755 "${home_dir}"
+ chown "${SSHGATE_GATE_ACCOUNT}" "${home_dir}"
+ fi
+
+ cp $( find . -maxdepth 1 -type f ) "${SSHGATE_DIR_BIN}"
+ [ -d ./lib/ ] && cp -r ./lib/ "${SSHGATE_DIR_BIN}"
+
+ chown "${SSHGATE_GATE_ACCOUNT}" "${SSHGATE_DIR_LOG}"
+ chmod -R a+x "${SSHGATE_DIR}"
+ find "${SSHGATE_DIR_BIN}" -type f -exec chmod a+r {} \;
+OK
+
+DOTHIS 'Update sshGate installation'
+ # update files and replace patterns
+ sed_repl=
+ sed_repl="${sed_repl} s|^\( *\)# %% __SSHGATE_CONF__ %%.*$|\1. ${SSHGATE_DIR_BIN}/sshgate.conf|;"
+ sed_repl="${sed_repl} s|^\( *\)# %% __SSHGATE_FUNC__ %%.*$|\1. ${SSHGATE_DIR_BIN}/sshgate.func|;"
+ sed_repl="${sed_repl} s|^\( *\)# %% __LIB_MESSAGE__ %%.*$|\1. ${SSHGATE_DIR_BIN}/lib/message.lib.sh|;"
+ sed_repl="${sed_repl} s|^\( *\)# %% __LIB_ASK__ %%.*$|\1. ${SSHGATE_DIR_BIN}/lib/ask.lib.sh|;"
+ sed_repl="${sed_repl} s|^\( *\)# %% __LIB_CLI__ %%.*$|\1. ${SSHGATE_DIR_BIN}/lib/cli.lib.sh|;"
+
+ sed -i -e "${sed_repl}" ${SSHGATE_DIR_BIN}/sshgate
+ sed -i -e "${sed_repl}" ${SSHGATE_DIR_BIN}/sshgate.func
+ sed -i -e "${sed_repl}" ${SSHGATE_DIR_BIN}/sshgate.sh
+
+ rm -f ${SSHGATE_DIR_BIN}/install.sh # ;-p
+OK
+BR
+
+NOTICE "You may add ${SSHGATE_DIR_BIN} in your PATH variable"
+BR
diff --git a/server/sshgate b/server/sshgate
new file mode 100644
index 0000000..65a5848
--- /dev/null
+++ b/server/sshgate
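Review bot: The account check `grep "${SSHGATE_GATE_ACCOUNT}" /etc/passwd` is an unanchored substring match, so any passwd line that merely contains the name (a user such as `sshgate2`, or a home-directory or GECOS field) makes the test pass and `useradd` is skipped, and when the branch does run, `home_dir=$( cat /etc/passwd | grep "${SSHGATE_GATE_ACCOUNT}" | cut -d':' -f6 )` uses the same loose match and can return another account's home — the directory where `SETUP_SSHGATE_GATE_ACCOUNT` in sshgate.func (same lookup there) later writes `authorized_keys2` and `known_hosts`. Resolve the account instead of grepping the file: `if ! getent passwd "${SSHGATE_GATE_ACCOUNT}" >/dev/null; then` and `home_dir=$( getent passwd "${SSHGATE_GATE_ACCOUNT}" | cut -d':' -f6 )`, which also works when the account comes from a non-file NSS source. Separately, `chmod -R a+x "${SSHGATE_DIR}"` grants execute to everyone on every file and directory under the whole tree, including the `users`, `targets` and `log` directories that sshgate.conf puts there; only `${SSHGATE_DIR_BIN}` needs it, and the key and access files under `targets` should be tightened rather than opened. `cp $( find . -maxdepth 1 -type f )` and the three `sed -i -e "${sed_repl}" ${SSHGATE_DIR_BIN}/...` lines also leave their expansions unquoted.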
@@ -0,0 +1,149 @@
+#!/bin/bash
+#
+# Copyright (c) 2010 Linagora
+# Patrick Guiran
+# http://github.com/Tauop/sshGate
+#
+# sshGate is free software, you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# sshGate is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+#
+
+
+# %% __LIB_MESSAGE__ %% <-- WARNING: don't remove. used by install.sh
+# %% __LIB_ASK__ %% <-- WARNING: don't remove. used by install.sh
+# %% __LIB_CLI__ %% <-- WARNING: don't remove. used by install.sh
+# %% __SSHGATE_CONF__ %% <-- WARNING: don't remove. used by install.sh
+# %% __SSHGATE_FUNC__ %% <-- WARNING: don't remove. used by install.sh
+
+[ -z "${__LIB_MESSAGE__}" -a -r ./lib/message.lib.sh ] && . ./lib/message.lib.sh
+[ -z "${__LIB_ASK__}" -a -r ./lib/ask.lib.sh ] && . ./lib/ask.lib.sh
+[ -z "${__LIB_CLI__}" -a -r ./lib/cli.lib.sh ] && . ./lib/cli.lib.sh
+[ -z "${__SSHGATE_CONF__}" -a -r ./sshgate.conf ] && . ./sshgate.conf
+[ -z "${__SSHGATE_FUNC__}" -a -r ./sshgate.func ] && . ./sshgate.func
+
+CHECK_ROOT
+
+CLI_REGISTER_MENU 'user'
+CLI_REGISTER_COMMAND 'user list' 'USERS_LIST'
+CLI_REGISTER_COMMAND 'user add ? key ?' 'USER_ADD \1 \2'
+CLI_REGISTER_COMMAND 'user del ?' 'USER_DEL \1'
+
+CLI_REGISTER_MENU 'user ?'
+CLI_REGISTER_COMMAND 'user ? list groups' 'USER_LIST_GROUPS \1'
+CLI_REGISTER_COMMAND 'user ? list targets' 'USER_LIST_TARGETS \1'
+CLI_REGISTER_COMMAND 'user ? has access ?' 'HAS_ACCESS \1 \2'
+
+CLI_REGISTER_MENU 'usergroup'
+CLI_REGISTER_COMMAND 'usergroup list' 'USERGROUPS_LIST'
+CLI_REGISTER_COMMAND 'usergroup add ?' 'USERGROUP_ADD \1'
+CLI_REGISTER_COMMAND 'usergroup del ?' 'USERGROUP_DEL \1'
+
+CLI_REGISTER_MENU 'usergroup ?'
+CLI_REGISTER_COMMAND 'usergroup ? list' 'USERGROUP_LIST_USERS \1'
+CLI_REGISTER_COMMAND 'usergroup ? list users' 'USERGROUP_LIST_USERS \1'
+CLI_REGISTER_COMMAND 'usergroup ? add user ?' 'USERGROUP_ADD_USER \1 \2'
+CLI_REGISTER_COMMAND 'usergroup ? del user ?' 'USERGROUP_DEL_USER \1 \2'
+
+CLI_REGISTER_MENU 'target'
+CLI_REGISTER_COMMAND 'target list' 'TARGETS_LIST'
+CLI_REGISTER_COMMAND 'target add ? key ?' 'TARGET_ADD \1 \2'
+CLI_REGISTER_COMMAND 'target del ?' 'TARGET_DEL \1'
+
+CLI_REGISTER_MENU 'target alias'
+CLI_REGISTER_COMMAND 'target alias list' 'TARGET_LIST_ALIASES'
+CLI_REGISTER_COMMAND 'target alias del ?' 'TARGET_DEL_ALIAS \1'
+
+CLI_REGISTER_MENU 'target ?'
+CLI_REGISTER_COMMAND 'target ? realname' 'TARGET_REAL \1'
+CLI_REGISTER_COMMAND 'target ? alias add ?' 'TARGET_ADD_ALIAS \1 \2'
+CLI_REGISTER_COMMAND 'target ? alias del ?' 'TARGET_DEL_ALIAS \2'
+CLI_REGISTER_COMMAND 'target ? alias list' 'TARGET_LIST_ALIASES \1'
+
+CLI_REGISTER_MENU 'target ? access'
+CLI_REGISTER_COMMAND 'target ? access list users' 'TARGET_ACCESS_LIST_USERS'
+CLI_REGISTER_COMMAND 'target ? access add user ?' 'TARGET_ACCESS_ADD_USER \1 \2'
+CLI_REGISTER_COMMAND 'target ? access del user ?' 'TARGET_ACCESS_DEL_USER \1 \2'
+CLI_REGISTER_COMMAND 'target ? access list groups' 'TARGET_ACCESS_LIST_GROUPS'
+CLI_REGISTER_COMMAND 'target ? access add group ?' 'TARGET_ACCESS_ADD_GROUP \1 \2'
+CLI_REGISTER_COMMAND 'target ? access del group ?' 'TARGET_ACCESS_DEL_GROUP \1 \2'
+
+CLI_REGISTER_COMMAND 'help' 'HELP_LIST'
+
+CLI_REGISTER_COMMAND 'save' 'SETUP_SSHGATE_GATE_ACCOUNT'
+
+HELP_LIST () {
+ MSG_INDENT_INC
+ MSG "= Users ="
+ MSG_INDENT_INC
+ MESSAGE "user list - List all users"
+ MESSAGE "user add key - add a new user"
+ MESSAGE "user del - delete a user"
+ MESSAGE "user list groups - list group of user"
+ MESSAGE "user list targets - list targets hosts of user"
+ MESSAGE "user has access - tell if a user has access to a target host"
+ MSG_INDENT_DEC
+ BR
+
+ MSG "= User's Group ="
+ MSG_INDENT_INC
+ MESSAGE "usergroup list - list all users groups"
+ MESSAGE "usergroup add - create a users group"
+ MESSAGE "usergroup del - delete a users group"
+ MESSAGE "usergroup list [users] - list users of a group"
+ MESSAGE "usergroup add user - add an user into a group"
+ MESSAGE "usergroup del user - delete an user from a group"
+ MSG_INDENT_DEC
+ BR
+
+ MSG "= Target ="
+ MSG_INDENT_INC
+ MESSAGE "target list - list all targets"
+ MESSAGE "target add key - add a new target host"
+ MESSAGE "target del - delete a target host"
+ MESSAGE "target alias list - list all aliases of a target host"
+ MESSAGE "target alias del - delete an alias name"
+ MESSAGE "target realname - print the real name of a target host"
+ MESSAGE "target alias add - add an alias of target hostname"
+ MESSAGE "target alias del - delete an alias of the target"
+ MESSAGE "target alias list - list aliases of the target host"
+ MSG_INDENT_DEC
+ BR
+
+ MSG "= Access ="
+ MSG_INDENT_INC
+ MESSAGE "target access list users - list all users who can access to the target host"
+ MESSAGE "target access add user - give user access to a target host"
+ MESSAGE "target access del user - revoke user access of target host"
+ MESSAGE "target access list groups - list all groups who can access to the target host"
+ MESSAGE "target access add group - give group access to a target host"
+ MESSAGE "target access del group - revoke group access of a target host"
+ MSG_INDENT_DEC
+ BR
+
+ MSG "= Misc ="
+ MSG_INDENT_INC
+ MESSAGE "save - forge re-write of sshgate account ./ssh/authorized_keys2 file"
+ MSG_INDENT_DEC
+ BR
+
+ MSG_INDENT_DEC
+}
+
+MSG "sshGate administration Interface"
+MSG "By Patrick Guiran "
+BR
+MSG "Use 'help' command to list all avariable commands"
+BR
+
+CLI_SET_PROMPT "sshGate"
+CLI_RUN
diff --git a/server/sshgate.conf b/server/sshgate.conf
new file mode 100644
index 0000000..a34b3a9
--- /dev/null
+++ b/server/sshgate.conf
@@ -0,0 +1,55 @@
+#
+# Copyright (c) 2010 Linagora
+# Patrick Guiran .
+#
+
+if [ "${__SSHGATE_CONF__:-}" != 'Loaded' ]; then
+ __SSHGATE_CONF__='Loaded'
+
+ # directories of sshgates
+SSHGATE_DIR=/opt/sshgate
+ SSHGATE_DIR_BIN="${SSHGATE_DIR}/bin"
+ SSHGATE_DIR_USERS="${SSHGATE_DIR}/users"
+ SSHGATE_DIR_TARGETS="${SSHGATE_DIR}/targets"
+ SSHGATE_DIR_USERS_GROUPS="${SSHGATE_DIR}/users.groups"
+ SSHGATE_DIR_TARGETS_GROUPS="${SSHGATE_DIR}/targets.groups"
+ SSHGATE_DIR_LOG="${SSHGATE_DIR}/log"
+
+ # local unix account for using sshgate
+SSHGATE_GATE_ACCOUNT=sshgate
+
+ # default path where files where sent to the target host
+ SSHGATE_TARGETS_SCP_PATH='~'
+
+ # default user to use when login to a target host
+SSHGATE_TARGETS_DEFAULT_USER=root
+
+ SSHGATE_TARGET_PRIVATE_SSHKEY_FILENAME='sshkey.priv'
+ SSHGATE_TARGET_PUBLIC_SSHKEY_FILENAME='sshkey.pub'
+ SSHGATE_TARGETS_USER_ACCESS_FILENAME='access.users'
+ SSHGATE_TARGETS_GROUP_ACCESS_FILENAME='access.groups'
+
+ # logs files
+ SSHGATE_LOG_FILE="${SSHGATE_DIR_LOG}/sshgate.log"
+
+ # $(USER_LOG_FILE) returns the user global log file. see sshgate.func
+ # $(SESSION_LOG_FILE) returns the user's session log file. see sshgate.func
+
+fi # __SSHGATE_CONF__
+SSHGATE_DIR=/opt/sshgate
+SSHGATE_GATE_ACCOUNT=sshgate
+SSHGATE_TARGETS_DEFAULT_USER=root
diff --git a/server/sshgate.func b/server/sshgate.func
new file mode 100644
index 0000000..b0232c2
--- /dev/null
+++ b/server/sshgate.func
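Review bot: The five `[ -z "${__LIB_…}" -a -r ./… ] && . ./…` lines source library code and configuration relative to the current working directory, and this script runs as root (`CHECK_ROOT` follows immediately), so whichever directory the administrator happens to launch it from decides which `lib/*.lib.sh`, `sshgate.conf` and `sshgate.func` are executed; install.sh's sed pass turns the `# %% __X__ %%` markers above into absolute `.` lines in the installed copy, but these relative fallbacks stay live for the in-tree copy and for any marker the sed misses. sshgate.func already resolves its config against the script's own location with `${0%/*}`; do the same here, e.g. `[ -z "${__SSHGATE_CONF__}" ] && [ -r "${0%/*}/sshgate.conf" ] && . "${0%/*}/sshgate.conf"`, which also replaces the deprecated `-a` inside `[`. Also, `'target ? access list users' 'TARGET_ACCESS_LIST_USERS'` and the `list groups` registration pass no `\1`, unlike every other `target ?` command in this menu, so the function presumably never receives the named target — confirm against its definition, which is in sshgate.func outside this hunk.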
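Review bot: The three assignments after `fi # __SSHGATE_CONF__` re-set `SSHGATE_DIR`, `SSHGATE_GATE_ACCOUNT` and `SSHGATE_TARGETS_DEFAULT_USER` outside the load guard, but `SSHGATE_DIR_BIN`, `SSHGATE_DIR_USERS`, `SSHGATE_DIR_LOG` and the other derived paths were already computed from the guarded `SSHGATE_DIR` above, so if the trailing value ever differs from `/opt/sshgate` (these look like the lines install.sh's `CONF_SAVE` appends — to confirm) the directory variables keep pointing at the old tree while `SSHGATE_DIR` says otherwise. Either keep the saved values inside the guard ahead of the derived paths, or move the `SSHGATE_DIR_*` derivations below them. The unindented `SSHGATE_DIR=`, `SSHGATE_GATE_ACCOUNT=` and `SSHGATE_TARGETS_DEFAULT_USER=` lines inside the guard suggest the same tool also rewrote them in place, which would make the trailing copies redundant. On the value itself, `SSHGATE_TARGETS_DEFAULT_USER=root` means every target added without an explicit user is reached as root by everyone granted access; a non-root default, stated on the `# default user to use when login to a target host` comment, keeps the gateway's grants at least-privilege unless an administrator opts in per target.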
@@ -0,0 +1,770 @@ +# +# Copyright (c) 2010 Linagora +# Patrick Guiran +# http://github.com/Tauop/sshGate +# +# sshGate is free software, you can redistribute it and/or modify +# it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# sshGate is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . +# +# README --------------------------------------------------------------------- +# Collection of all need functions to deal with sshgate administrations. +# +# FUNCTIONS ------------------------------------------------------------------ +# +# HELP() +# usage: HELP [ ] +# desc: if called without argument, display all functions usage list. 
+# if called with a function_name, display all information about this function +# +# SETUP_SSHGATE_GATE_ACCOUNT() +# usage: SETUP_SSHGATE_GATE_ACCOUNT +# desc: update the authorized_key2 of the sshGate account +# important: need to be root to be able to update authorized_keys2 and chown files +# +# TARGET_LOG_FILE() +# usage: TARGET_LOG_FILE [ ] +# desc: echo-return the target global log file +# note: create the target main directory in ${SSHGATGE_DIR_LOG} if needed +# note: if called without argument, try to use ${TARGET_HOST} variable +# +# TARGET_SESSION_LOG_FILE() +# usage: TARGET_SESSION_LOG_FILE [ [ ] ] +# desc: echo-return the target session log file path +# note: if called without argument, try to use ${SSHKEY_USER} and ${TARGET_HOST} variable +# note: if called without second argument, try to use ${SSHKEY_USER} variable +# +# TARGET_USER_ACCESS_FILE() +# usage: TARGET_USER_ACCESS_FILE [ ] +# desc: echo-return the path of the user access list file of the target host +# note: if called without argument, try to use ${TARGET_HOST} variable +# +# TARGET_GROUP_ACCESS_FILE() +# usage: TARGET_GROUP_ACCESS_FILE [ ] +# desc: echo-return the path to the group access list file of the target host +# note: if called without argument, try to use ${TARGET_HOST} variable +# +# USER_SSHKEY_FILE() +# usage: USER_SSHKEY_FILE [ ] +# desc: echo-return the path to the user sshkey file +# note: if called without argument, try to use ${SSHKEY_USER} +# +# TARGET_PRIVATE_SSHKEY() +# usage: TARGET_PRIVATE_SSHKEY [ ] +# desc: echo-return the path to the private ssh key of the target host +# note: if called without argument, try to use ${TARGET_HOST} variable +# +# TARGET_PUBLIC_SSHKEY() +# usage: TARGET_PUBLIC_SSHKEY [ ] +# desc: echo-return the path to the public ssh key of the target host +# note: if called without argument, try to use ${TARGET_HOST} variable +# +# +# HAS_ACCESS() +# usage: HAS_ACCESS [ [ ] ] +# desc: echo-return 'true' if is allowed to access to , 'false' otherwise 
+# if check this, by using TARGET_USER_ACCESS_FILE() and TARGET_GROUP_ACCESS_FILE() +# note: if called without argument, try to use ${SSHKEY_USER} and ${TARGET_HOST} variable +# note: if called without second argument, try to use ${TARGET_HOST} variable +# +# TARGETS_LIST() +# usage: TARGETS_LIST +# desc: echo-return the list of target host, separated by '\n' +# +# TARGET_ADD() +# usage: TARGET_ADD +# desc: delete a target host from sshGate +# +# TARGET_LIST_ALIASES() +# usage: TARGET_LIST_ALIASES [ ] +# desc: list aliases of host(s) +# note: if called without argument, list aliases of all hosts +# +# TARGET_ADD_ALIAS() +# usage: TARGET_ADD_ALIAS +# desc: add an name to the +# +# TARGET_DEL_ALIAS() +# usage: TARGET_DEL_ALIAS +# desc: delete an name of a target_host +# +# TARGET_REAL() +# usage: TARGET_REAL [ ] +# desc: echo-return the 'real' name if the argument +# is an alias. Otherwise, echo-return +# note: if called without argument, try to use ${TARGET_HOST} variable +# +# TARGET_ACCESS_LIST_USERS() +# usage: TARGET_ACCESS_LIST_USERS +# desc: list user who have access to +# alias: TARGET_LIST_USERS() +# +# TARGET_ACCESS_ADD_USER() +# usage: TARGET_ACCESS_ADD_USER +# desc: give access to to the +# +# TARGET_ACCESS_DEL_USER() +# usage: TARGET_ACCESS_DEL_USER +# desc: revoke access to for the +# +# TARGET_ACCESS_LIST_GROUPS() +# usage: TARGET_ACCESS_LIST_GROUPS +# desc: list group which have access to +# alias: TARGET_LIST_GROUPS() +# +# TARGET_ACCESS_ADD_GROUP() +# usage: TARGET_ACCESS_ADD_GROUP +# desc: give access to to the , ie to all users in this +# +# TARGET_ACCESS_DEL_GROUP() +# usage: TARGET_ACCESS_DEL_GROUP +# desc: revoke access to for the , ie to all users in this +# +# USERS_LIST() +# usage: USERS_LIST +# desc: list all sshGate users, separated by '\n' +# +# USER_ADD() +# usage: USER_ADD +# desc: add a user in the sshGate users list. 
+# +# USER_DEL() +# usage: USER_DEL +# desc: delete a user from the sshGate users list +# +# USER_LIST_GROUPS() +# usage: USER_LIST_GROUPS [ ] +# desc: List all group, which the user is in. +# note: group name are separated by \n +# note: if called without argument, try to use ${SSHKEY_USER} variable +# +# USER_LIST_TARGETS() +# usage: USER_LIST_TARGETS [ ] +# desc: List all target host, which the has access on +# note: target host name are separated by '\n' string. +# note: if called without argument, try to use ${SSHKEY_USER} variable +# +# USERGROUPS_LIST() +# usage: USERGROUPS_LIST +# desc: List all group of the sshGate +# note: group name are separated by '\n' +# +# USERGROUP_ADD() +# usage: USERGROUP_ADD +# desc: Add a user group to sshGate +# +# USERGROUP_DEL() +# usage: USERGROUP_DEL +# desc: Delete a group from sshGate +# +# USERGROUP_LIST_USERS() +# usage: USERGROUP_LIST_USERS +# desc: List all users who are in the +# note: user names are separated by \n +# +# USERGROUP_ADD_USER() +# usage: USERGROUP_ADD_USER +# desc: Add into the +# +# USERGROUP_DEL_USER() +# usage: USERGROUP_DEL_USER +# desc: Remove from the +# + +# ---------------------------------------------------------------------------- +if [ "${__SSHGATE_FUNC__:-}" != 'Loaded' ]; then + __SSHGATE_FUNC__='Loaded' + + # Try to source sshgate.conf + # %% __SSHGATE_CONF__ %% <-- WARNING: don't remove. used by install.sh + if [ -z "${__SSHGATE_CONF__:-}" ]; then + [ -r "`pwd`/sshgate.conf" ] && . `pwd`/sshgate.conf + [ -r "${0%/*}/sshgate.conf" ] && . 
"${0%/*}/sshgate.conf" + if [ -z "${__SSHGATE_CONF__:-}" ]; then + echo "ERROR: Unable to load sshgate.conf" + exit 1; + fi + fi + + HELP () { + local func= + [ $# -eq 1 ] && func="$1" + + if [ -z "${func}" ]; then + # == sed explanation == + # 1: :loop label + # 2: read the next line + # 3: match line which begin by # and ended with () -> ex: "# USERGROUP_DEL_USER()" + # 4: if the current line not match, goto :loop + # 5: the current line match 3:, read the next line and print the usage + # 6: if not at the end of the file, goto :loop + help=$( < "${SSHGATE_DIR_BIN}/sshgate.func" \ + sed -n -e \ + ':loop + n; + s/^# \([^ ].*[(][)]\)$/\1/; + T loop; + n; s/^# *usage: \(.*\)$/\1/p; + $! b loop;' ) + echo "== FILES ==" + echo "${help}" | grep --color=never "_FILE" + echo + echo "== USERS ==" + echo "${help}" | grep "^USERS\{0,1\}_" | grep -v "_FILE" + echo + echo "== GROUPS ==" + echo "${help}" | grep "^USERGROUP" | grep -v "_FILE" + echo + echo "== TARGETS ==" + echo "${help}" | grep "^TARGET" | grep -v "_ACCESS" | grep -v "_FILE" + echo + echo "== ACCESS ==" + echo "${help}" | grep "_ACCESS" | grep -v "_FILE" + echo + echo "== others ==" + echo "${help}" | grep -v "_FILE" \ + | grep -v "^USERS\{0,1\}_" \ + | grep -v "^USERGROUP" \ + | grep -v "^TARGET" \ + | grep -v "_ACCESS" + echo + else + # == sed explanation == + # 1: :search_func label + # 2: read the next line + # 3: match line which contain ${func} -> ex: "# ${func}()". 
print it if match
+ # 4: if the current line not match, goto :search_func
+ # 5: :loop label
+ # 6: read the next line
+ # 7: match line which don't only contain "#"
+ # 8: if the current line match, goto :loop, else end
+ < "${SSHGATE_DIR_BIN}/sshgate.func" \
+ sed -n -e \
+ ":search_func
+ n;
+ s/^# \\(${func}[(][)]\\)$/\1/p;
+ T search_func
+ :loop
+ n;
+ s/^#\\(..*\\)$/\1/p;
+ t loop;
+ "
+ fi
+ return 0;
+ }
+
+ SETUP_SSHGATE_GATE_ACCOUNT () {
+ local home_dir= authorized_keys2= user_key= real_target=
+
+ home_dir=$( cat /etc/passwd | grep "${SSHGATE_GATE_ACCOUNT}" | cut -d':' -f6 )
+ [ -z "${home_dir}" ] && return 1;
+
+ authorized_keys2="${home_dir}/.ssh/authorized_keys2"
+
+ [ ! -d "${home_dir}/.ssh/" ] && mkdir "${home_dir}/.ssh"
+
+ # reset the authorized_keys2 file
+ echo -n '' > "${authorized_keys2}"
+
+ for user in $( USERS_LIST ); do
+ user_key=$( cat ` USER_SSHKEY_FILE "${user}" ` )
+ echo "command=\"/bin/sh ${SSHGATE_DIR_BIN}/sshgate.sh ${user}\" ${user_key}" >> "${authorized_keys2}"
+ done
+
+ chown "${SSHGATE_GATE_ACCOUNT}" "${authorized_keys2}"
+
+ echo -n '' > "${home_dir}/.ssh/known_hosts"
+ for target in $( TARGETS_LIST ); do
+ real_target=$( TARGET_REAL "${target}" )
+ if [ "${real_target}" = "${target}" ]; then
+ ssh-keyscan -t dsa,rsa "${target}" >> "${home_dir}/.ssh/known_hosts" 2>/dev/null
+ fi
+ done
+ chown "${SSHGATE_GATE_ACCOUNT}" "${home_dir}/.ssh/known_hosts"
+
+ return 0;
+ }
+
+ # the target global log file
+ # create the log directory if not exists
+ TARGET_LOG_FILE () {
+ local target= dir=
+ [ $# -eq 0 ] && target=${TARGET_HOST:-unknown} || target="$1"
+ target=$( TARGET_REAL "${target}" )
+
+ dir="${SSHGATE_DIR_LOG}/${target}"
+ [ ! 
-d "${dir}/" ] && mkdir -p "${dir}" + touch "${dir}/global.log" + echo "${dir}/global.log" + } + + # the user session log file + TARGET_SESSION_LOG_FILE () { + local user= target= f= + if [ $# -eq 0 ]; then + target=${TARGET_HOST:-unknown} + user=${SSHKEY_USER:-unknown} + else + target="$1" + [ $# -lt 2 ] && user=${SSHKEY_USER:-unknown} || user="$2" + fi + target=$( TARGET_REAL "${target}" ) + f="${SSHGATE_DIR_LOG}/${target}/$(date +%Y%m%d%H%M%S).${user}.$$" + touch "$f" + echo "$f" + } + + # return the path to the user access list file of the target host + TARGET_USER_ACCESS_FILE () { + local target= f= + [ $# -eq 0 ] && target=${TARGET_HOST:-unknown} || target=$1 + f="${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_USER_ACCESS_FILENAME}" + [ ! -r "$f" ] && f='' + echo "$f" + } + + TARGET_GROUP_ACCESS_FILE () { + local target= f= + [ $# -eq 0 ] && target=${TARGET_HOST:-unknown} || target="$1" + f="${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_GROUP_ACCESS_FILENAME}" + [ ! -r "$f" ] && f='' + echo "$f" + } + + USER_SSHKEY_FILE () { + local user= f= + [ $# -eq 0 ] && user=${SSHKEY_USER:-unknown} || user="$1" + f="${SSHGATE_DIR_USERS}/${user}" + [ ! -r "$f" ] && f='' + echo "$f" + } + + TARGET_PRIVATE_SSHKEY () { + local target= f= + [ $# -eq 0 ] && target=${TARGET_HOST:-unknown} || target=$1 + f="${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGET_PRIVATE_SSHKEY_FILENAME}" + [ ! -r "$f" ] && f='' + echo "$f" + } + + TARGET_PUBLIC_SSHKEY () { + local target= f= + [ $# -eq 0 ] && target=${TARGET_HOST:-unknown} || target=$1 + f="${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGET_PUBLIC_SSHKEY_FILENAME}" + [ ! 
-r "$f" ] && f='' + echo "$f" + } + + # check wether a user ($1) has access to a target host ($2) + HAS_ACCESS() { + local user= target= + local user_access_file= group_access_file= user_groups= + + if [ $# -eq 0 ]; then + user=${SSHKEY_USER:-unknown} + target=${TARGET_HOST:-unknown} + else + user=$1 + [ $# -lt 2 ] && target=${TARGET_HOST:-unknown} || target=$2 + fi + + user_access_file=$(TARGET_USER_ACCESS_FILE $target) + group_access_file=$(TARGET_GROUP_ACCESS_FILE $target) + + # individual access check + if [ -n "${user_access_file}" ]; then + < ${user_access_file} grep "^${user}$" >/dev/null 2>/dev/null + if [ $? -eq 0 ]; then + echo 'true'; return 0; + fi + fi + + # group access check + if [ -n "${group_access_file}" ]; then + user_groups=$(USER_LIST_GROUPS ${user}) + if [ -n "${user_groups}" ]; then + user_groups=" ${user_groups} " + if [ "${user_groups/ all /}" != "${user_groups}" ]; then + # user in the "all" group. he has access to all target ! + echo 'true'; return 0; + fi + + # check wether the target host is in one of the user group + for grp in ${user_groups}; do + < ${group_access_file} grep "^${grp}\$" >/dev/null 2>/dev/null + if [ $? -eq 0 ]; then + echo 'true'; return 0; + fi + done + fi + fi + + # no access granted for the user on the target host + echo 'false'; return 1; + } + + TARGETS_LIST () { + ls --color=none -m "${SSHGATE_DIR_TARGETS}" | sed -e 's/, /,/g' | tr ',' $'\n' + return 0; + } + + TARGET_ADD () { + local target= privsshkey= target_privsshkey= target_pubsshkey= + [ $# -ne 2 ] && return 1; + + target=$1; privsshkey=$2 + [ -d "${SSHGATE_DIR_TARGETS}/${target}" ] && return 1; + [ ! 
-r "${privsshkey}" ] && return 1; + + target_privsshkey="${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGET_PRIVATE_SSHKEY_FILENAME}" + target_pubsshkey="${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGET_PUBLIC_SSHKEY_FILENAME}" + + mkdir -p "${SSHGATE_DIR_TARGETS}/${target}" + cp "${privsshkey}" "${target_privsshkey}" + + # try to generate the public key, to check that the key doesn't have passphrase + ssh-keygen -y -f "${target_privsshkey}" > "${target_pubsshkey}" + if [ $? -ne 0 ]; then + rm -rf "${SSHGATE_DIR_TARGETS}/${target}" + return 1; + fi + + chmod 600 "${target_privsshkey}" + chown "${SSHGATE_GATE_ACCOUNT}" "${target_privsshkey}" + chown "${SSHGATE_GATE_ACCOUNT}" "${target_pubsshkey}" + + # create empty access files + touch "${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_USER_ACCESS_FILENAME}" + touch "${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_GROUP_ACCESS_FILENAME}" + + return 0; + } + + TARGET_DEL () { + local target= + [ $# -ne 1 ] && return 1; + + target="$1" + [ ! -d "${SSHGATE_DIR_TARGETS}/${target}" ] && return 1 + + rm -rf "${SSHGATE_DIR_TARGETS}/${target}" + return 0; + } + + TARGET_LIST_ALIASES () { + local target= t= + [ $# -eq 1 ] && target="$1" + + for file in $( find "${SSHGATE_DIR_TARGETS}/" -type l ); do + t=$( readlink -f "${file}" ) + [ -z "${target}" -o "${t##*/}" = "${target}" ] && echo "${file##*/}" + done + } + + TARGET_ADD_ALIAS () { + local target= + [ $# -ne 2 ] && return 1; + + target="$1"; alias="$2" + [ ! 
-d "${SSHGATE_DIR_TARGETS}/${target}" ] && return 1 + [ -L "${SSHGATE_DIR_TARGETS}/${alias}" ] && return 1 + + ln -s "${SSHGATE_DIR_TARGETS}/${target}" "${SSHGATE_DIR_TARGETS}/${alias}" + return 0; + } + + TARGET_DEL_ALIAS () { + local alias= + [ $# -ne 1 ] && return 1; + + alias="$1" + rm -f "${SSHGATE_DIR_TARGETS}/${alias}" + return 0; + } + + TARGET_REAL () { + local target= + [ $# -ne 1 ] && target="${TARGET_HOST:-unknown}" || target="$1" + + if [ -L "${SSHGATE_DIR_TARGETS}/${target}" ]; then + target=$( readlink -f "${SSHGATE_DIR_TARGETS}/${target}" ) + echo "${target##*/}" + else + echo "${target}" + fi + return 0; + } + + TARGET_ACCESS_LIST_USERS () { + local target= files= + [ $# -ne 1 ] && return 1; + + target="$1" + [ ! -d "${SSHGATE_DIR_TARGETS}/${target}" ] && return 1; + + files="${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_USER_ACCESS_FILENAME}" + + # through groups + for group in $( cat "${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_GROUP_ACCESS_FILENAME}" ); do + files="${files} ${SSHGATE_DIR_USERS_GROUPS}/${group}" + done + cat ${files} | sort -u + return 0; + } + + TARGET_LIST_USERS () { TARGET_ACCESS_LIST_USERS $@; } + + TARGET_ACCESS_ADD_USER () { + local target= user= access_file= + [ $# -ne 2 ] && return 1; + + target="$1"; user="$2"; + [ ! -d "${SSHGATE_DIR_TARGETS}/${target}" ] && return 1; + [ ! -f "${SSHGATE_DIR_USERS}/${user}" ] && return 1; + + access_file="${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_USER_ACCESS_FILENAME}" + < "${access_file}" grep "^${user}\$" >/dev/null 2>/dev/null + if [ $? -ne 0 ]; then + echo "${user}" >> "${access_file}" + fi + return 0; + } + + TARGET_ACCESS_DEL_USER () { + local target= user= access_file= random= + [ $# -ne 2 ] && return 1 + + target="$1"; user="$2" + [ ! -d "${SSHGATE_DIR_TARGETS}/${target}" ] && return 1; + [ ! 
-f "${SSHGATE_DIR_USERS}/${user}" ] && return 1; + + access_file="${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_USER_ACCESS_FILENAME}" + random=${RANDOM} + + grep -v "^${user}\$" < "${access_file}" >"/tmp/access.${random}" + mv "/tmp/access.${random}" "${access_file}" + return 0; + } + + TARGET_ACCESS_LIST_GROUPS () { + local target= + [ $# -ne 1 ] && return 1; + + target="$1" + [ ! -d "${SSHGATE_DIR_TARGETS}/${target}" ] && return 1; + + cat "${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_GROUP_ACCESS_FILENAME}" + return 0; + } + TARGET_LIST_GROUPS () { TARGET_ACCESS_LIST_GROUPS $@; } + + TARGET_ACCESS_ADD_GROUP () { + local target= group= access_file= + [ $# -ne 2 ] && return 1; + + target="$1"; group="$2" + [ ! -d "${SSHGATE_DIR_TARGETS}/${target}" ] && return 1; + [ ! -f "${SSHGATE_DIR_USERS_GROUPS}/${group}" ] && return 1; + + access_file="${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_GROUP_ACCESS_FILENAME}" + < "${access_file}" grep "^${group}\$" >/dev/null 2>/dev/null + if [ $? -ne 0 ]; then + echo "${group}" >> "${access_file}" + fi + return 0; + } + + TARGET_ACCESS_DEL_GROUP () { + local target= group= access_file= + [ $# -ne 2 ] && return 1 + + target="$1"; group="$2" + [ ! -d "${SSHGATE_DIR_TARGETS}/${target}" ] && return 1; + [ ! -f "${SSHGATE_DIR_USERS_GROUPS}/${group}" ] && return 1; + + access_file="${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_GROUP_ACCESS_FILENAME}" + random=$RANDOM + + grep -v "^${group}\$" < "${access_file}" >"/tmp/access.${random}" + mv "/tmp/access.${random}" "${access_file}" + return 0; + } + + USERS_LIST () { + ls --color=none -m "${SSHGATE_DIR_USERS}" | sed -e 's/, /,/g' | tr ',' $'\n' + return 0; + } + + USER_ADD () { + [ $# -ne 2 ] && return 1; + + local user=$1 userkey=$2 + + [ ! 
-r "${userkey}" ] && return 1; + [ -z "${user}" -o "${user/ }" != "${user}" ] && return 1 + + [ -f "${SSHGATE_DIR_USERS}/${user}" ] && return 1; + + cp ${userkey} ${SSHGATE_DIR_USERS}/${user} + SETUP_SSHGATE_GATE_ACCOUNT + } + + USER_DEL () { + [ $# -ne 1 ] && return 1 + local user=$1 + + [ ! -f "${SSHGATE_DIR_USERS}/${user}" ] && return 1; + + rm -f "${SSHGATE_DIR_USERS}/${user}" + + random=$RANDOM + + # delete user from groups + for group in $( USER_LIST_GROUPS "${user}" ); do + grep -v "^${user}\$" \ + < "${SSHGATE_DIR_USERS_GROUPS}/${group}" \ + > "/tmp/${group}.${random}" + mv "/tmp/${group}.${random}" "${SSHGATE_DIR_USERS_GROUPS}/${group}" + done + + # delete user from target access list + for target in $( USER_LIST_TARGETS "${user}" ); do + grep -v "^${user}\$" \ + < "${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_USER_ACCESS_FILENAME}" \ + > "/tmp/${target}.${random}" + mv "/tmp/${target}.${random}" \ + "${SSHGATE_DIR_TARGETS}/${target}/${SSHGATE_TARGETS_USER_ACCESS_FILENAME}" + done + SETUP_SSHGATE_GATE_ACCOUNT + return 0 + } + + USER_LIST_GROUPS () { + local user= + [ $# -eq 0 ] && user=${SSHKEY_USER:-unknown} || user=$1 + + if [ ! -f "${SSHGATE_DIR_USERS}/${user}" ]; then + echo ''; return 1; + fi + + for group in $( grep -l -r "^${user}\$" "${SSHGATE_DIR_USERS_GROUPS}/" | sort -u ); do + echo ${group##*/} + done + return 0; + } + + USER_LIST_TARGETS () { + local user= + [ $# -eq 0 ] && user=${SSHKEY_USER:-unknown} || user=$1 + + if [ ! 
-f "${SSHGATE_DIR_USERS}/${user}" ]; then + echo ''; return 1; + fi + + ( # subshell :( + for file in $( find "${SSHGATE_DIR_TARGETS}" \ + -name "${SSHGATE_TARGETS_USER_ACCESS_FILENAME}" \ + -exec grep -l "^${user}\$" {} \; ); do + file="${file%%/${SSHGATE_TARGETS_USER_ACCESS_FILENAME}}" + echo "${file##*/}" + done + + for group in $( USER_LIST_GROUPS "${user}" ); do + for file in $( find "${SSHGATE_DIR_TARGETS}" \ + -name "${SSHGATE_TARGETS_GROUP_ACCESS_FILENAME}" \ + -exec grep -l "^${group}\$" {} \; ); do + file="${file%%/${SSHGATE_TARGETS_GROUP_ACCESS_FILENAME}}" + echo "${file##*/}" + done + done + ) | sort -u + return 0; + } + + USERGROUPS_LIST () { + ls --color=none -m "${SSHGATE_DIR_USERS_GROUPS}" | sed -e 's/, /,/g' | tr ',' $'\n' + return 0; + } + + USERGROUP_ADD () { + local group= + + [ $# -ne 1 ] && return 1; + group=$1 + + [ -f "${SSHGATE_DIR_USERS_GROUPS}/${group}" ] && return 1 + + touch "${SSHGATE_DIR_USERS_GROUPS}/${group}" + return 0; + } + + USERGROUP_DEL () { + local group= + + [ $# -ne 1 ] && return 1; + group=$1 + + [ ! -f "${SSHGATE_DIR_USERS_GROUPS}/${group}" ] && return 1 + rm -f "${SSHGATE_DIR_USERS_GROUPS}/${group}" + + return 0 + } + + USERGROUP_LIST_USERS () { + local group= + if [ $# -ne 1 ]; then + echo ''; return 1; + fi + group="$1" + + if [ ! -f "${SSHGATE_DIR_USERS_GROUPS}/${group}" ]; then + echo ''; return 1; + fi + + cat "${SSHGATE_DIR_USERS_GROUPS}/${group}" + return 0; + } + + USERGROUP_ADD_USER () { + local group= user= + [ $# -ne 2 ] && return 1; + + group="$1"; user="$2"; + [ ! -f "${SSHGATE_DIR_USERS_GROUPS}/${group}" ] && return 1; + [ ! -f "${SSHGATE_DIR_USERS}/${user}" ] && return 1; + + echo "${user}" >> "${SSHGATE_DIR_USERS_GROUPS}/${group}" + } + + USERGROUP_DEL_USER () { + local group= user= + [ $# -ne 2 ] && return 1; + + group=$1 + user=$2 + + [ ! -f "${SSHGATE_DIR_USERS_GROUPS}/${group}" ] && return 1; + [ ! 
-f "${SSHGATE_DIR_USERS}/${user}" ] && return 1; + + random=${RANDOM} + grep -v "^${user}\$" \ + < "${SSHGATE_DIR_USERS_GROUPS}/${group}" \ + > "/tmp/${group}.${random}" + mv "/tmp/${group}.${random}" "${SSHGATE_DIR_USERS_GROUPS}/${group}" + } + +fi # __SSHGATE_FUNC__ diff --git a/server/sshgate.sh b/server/sshgate.sh new file mode 100644 index 0000000..cc34268 --- /dev/null +++ b/server/sshgate.sh 
@@ -0,0 +1,127 @@
+#!/bin/bash
+#
+# Copyright (c) 2010 Linagora
+# Patrick Guiran
+# http://github.com/Tauop/sshGate
+#
+# sshGate is free software, you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# sshGate is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+#
+
+if [ $# -ne 1 ]; then
+ echo "your SSH KEY is not well configured. Please contact the sshGate administrator."
+ exit 1
+fi
+
+SSHKEY_USER=$1
+
+# %% __SSHGATE_CONF__ %% <-- WARNING: don't remove. used by install.sh
+if [ -z "${__SSHGATE_CONF__}" ]; then
+ [ -r "${0%/*}/sshgate.conf" ] && . ${0%/*}/sshgate.conf
+ [ -r "`pwd`/sshgate.conf" ] && . `pwd`/sshgate.conf
+ if [ -z "${__SSHGATE_CONF__:-}" ]; then
+ echo "ERROR: Unable to load sshgate.conf"
+ exit 1;
+ fi
+fi
+
+# %% __SSHGATE_FUNC__ %% <-- WARNING: don't remove. used by install.sh
+if [ -z "${__SSHGATE_FUNC__}" ]; then
+ [ -r "${0%/*}/sshgate.func" ] && . ${0%/*}/sshgate.func
+ [ -r "`pwd`/sshgate.func" ] && . `pwd`/sshgate.func
+ if [ -z "${__SSHGATE_FUNC__:-}" ]; then
+ echo "ERROR: Unable to load sshgate.func"
+ exit 1;
+ fi
+fi
+
+# GLOBAL configuration
+SFTP_SERVER=/usr/libexec/openssh/sftp-server
+
+# one little function
+LOG () { local file=$1; shift; echo "$(date +'[%D %T]') $*" >> ${file}; }
+
+if [ -z ${SSHKEY_USER:-} ]; then
+ echo "your SSH key is not well configured. Please, contact the sshGate administrator."
+ exit 1
+fi
+
+
+do_ssh='false'
+
+if [ "${SSH_ORIGINAL_COMMAND}" != "${SSH_ORIGINAL_COMMAND#${SFTP_SERVER} }" \
+ -o "${SSH_ORIGINAL_COMMAND}" != "${SSH_ORIGINAL_COMMAND#scp }" ]; then
+ # SSH_ORIGNAL_COMMAND ends with the name of the target host
+ TARGET_HOST=${SSH_ORIGINAL_COMMAND##* }
+
+ if [ "${TARGET_HOST%%/*}" != "${TARGET_HOST}" ]; then
+ SSH_ORIGINAL_COMMAND=${SSH_ORIGINAL_COMMAND%% ${TARGET_HOST}}
+ target_files=${TARGET_HOST#*/}
+ TARGET_HOST=${TARGET_HOST%%/*}
+ if [ -z "${target_files}" -o "${target_files#/}" = "${target_files}" ]; then
+ target_files="~/${target_files}"
+ fi
+ SSH_ORIGINAL_COMMAND="${SSH_ORIGINAL_COMMAND} ${target_files}"
+ else
+ SSH_ORIGINAL_COMMAND=${SSH_ORIGINAL_COMMAND%% ${TARGET_HOST}}
+ SSH_ORIGINAL_COMMAND="${SSH_ORIGINAL_COMMAND} ${TARGET_SCP_DIR}"
+ fi
+else
+ # SSH_ORIGINAL_COMMAND contain the name of the target host
+ TARGET_HOST=${SSH_ORIGINAL_COMMAND%% *}
+ do_ssh='true'
+fi
+
+TARGET_SSHKEY=$( TARGET_PRIVATE_SSHKEY )
+if [ -z "${TARGET_SSHKEY}" -o ! -r "${TARGET_SSHKEY:-}" ]; then
+ echo "ERROR: can't read target host ssh key. Please contact the sshGate administrator"
+ exit 1
+fi
+
+# here, you can make some ACL verification if you want :)
+if [ $( HAS_ACCESS ) = 'false' ]; then
+ echo "ERROR: The ${TARGET_HOST} doesn't exist or you don't have access to it"
+ exit 1
+fi
+
+# you can either determine the TARGET_USER :)
+TARGET_USER=${SSHGATE_TARGETS_DEFAULT_USER}
+TARGET_HOST=$( TARGET_REAL "${TARGET_HOST}" )
+GLOG_FILE=$( TARGET_LOG_FILE )
+
+LOG ${GLOG_FILE} "New session $$. Connection from ${SSH_CONNECTION%% *} with SSH_ORIGINAL_COMMAND = ${SSH_ORIGINAL_COMMAND:-}"
+
+RETURN_VALUE=0
+if [ "${do_ssh:-}" = 'true' ]; then
+ SLOG_FILE=$( TARGET_SESSION_LOG_FILE )
+ LOG ${GLOG_FILE} "Creating session log file ${SLOG_FILE}"
+ LOG ${SSHGATE_LOG_FILE} "[SSSH] ${SSHKEY_USER} -> ${TARGET_USER}@${TARGET_HOST}"
+
+ ssh -i ${TARGET_SSHKEY} ${TARGET_USER}@${TARGET_HOST} | tee ${SLOG_FILE}
+# if [ $? 
-ne 0 ]; then
+# LOG ${SSHGATE_LOG_FILE} "[ERROR] ${SSHKEY_USER} -> ssh -o 'StrictHostKeyChecking no' -i ${TARGET_SSHKEY} ${TARGET_USER}@${TARGET_HOST}"
+# RETURN_VALUE=1
+# fi
+ LOG ${GLOG_FILE} "Session $$ ended. logfile = ${SLOG_FILE}"
+else
+ LOG ${SSHGATE_LOG_FILE} "[SCP] ${SSHKEY_USER} -> ${TARGET_USER}@${TARGET_HOST} ${SSH_ORIGINAL_COMMAND}"
+
+ ssh -i ${TARGET_SSHKEY} ${TARGET_USER}@${TARGET_HOST} ${SSH_ORIGINAL_COMMAND}
+# if [ $? -ne 0 ]; then
+# LOG ${SSHGATE_LOG_FILE} "[ERROR] ${SSHKEY_USER} -> ssh -o 'StrictHostKeyChecking no' -i ${TARGET_SSHKEY} ${TARGET_USER}@${TARGET_HOST} ${SSH_ORIGINAL_COMMAND}"
+# RETURN_VALUE=1
+# fi
+ LOG ${GLOG_FILE} "Transfert $$ completed."
+fi
+
+exit ${RETURN_VALUE}
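Review bot: TARGET_HOST is carved out of the client-supplied SSH_ORIGINAL_COMMAND and then flows, unvalidated and unquoted, into filesystem paths (`TARGET_PRIVATE_SSHKEY`, `HAS_ACCESS` and `TARGET_LOG_FILE` all build `${SSHGATE_DIR_TARGETS}/${target}/...` or `${SSHGATE_DIR_LOG}/${target}`) and into the two `ssh -i` command lines, so a name containing path separators, whitespace or shell metacharacters is never rejected before it is used; the `HAS_ACCESS` check only confirms the user is listed for whatever directory that name resolves to. The `${SSH_ORIGINAL_COMMAND#scp }` / `${SFTP_SERVER} ` prefix tests likewise constrain only how the forwarded command starts, and the remainder is handed to the remote shell as `${TARGET_USER}` verbatim, which the comment "here, you can make some ACL verification if you want" does not cover. I would reject any target name that is not a plain host label right after the `if`/`else` that sets TARGET_HOST (before the key lookup), and quote the expansions in both `ssh` invocations (`-i ${TARGET_SSHKEY}` also breaks on a path with spaces). Separately, RETURN_VALUE is never changed, and since the interactive branch pipes ssh through `tee`, `$?` would report tee's status anyway; `${PIPESTATUS[0]}` is needed if the commented-out error handling is revived.
```shell
# SSH_ORIGINAL_COMMAND is client-supplied: accept only a plain host label
# before TARGET_HOST is used in any path or command line.
case "${TARGET_HOST}" in
  ''|.*|*[!A-Za-z0-9._-]*)
    echo "ERROR: invalid target host name"
    exit 1 ;;
esac

# … unchanged: TARGET_SSHKEY lookup, HAS_ACCESS check, logging …

  ssh -i "${TARGET_SSHKEY}" "${TARGET_USER}@${TARGET_HOST}" | tee "${SLOG_FILE}"
# … unchanged: session log lines, else branch logging …
  ssh -i "${TARGET_SSHKEY}" "${TARGET_USER}@${TARGET_HOST}" "${SSH_ORIGINAL_COMMAND}"
```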