From e06289c9e49e33167cc0cba77ca41e149e2991a0 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Sat, 4 Sep 2021 15:15:20 -0400
Subject: [PATCH] ssh fixes
---
 distro-begin | 2 +-
 hssh | 6 +++++-
 rootsshsync | 9 +++++++--
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/distro-begin b/distro-begin
index 9534e82..7467e7b 100755
--- a/distro-begin
+++ b/distro-begin
@@ -661,7 +661,7 @@ EOF
 sudo sed -i.orig '/key * *{/,/}/s/KP_Multiply/underscore/g' /usr/share/X11/xkb/symbols/keypad
 ##### basic graphical packages
- pi konsole suckless-tools
+ pi konsole suckless-tools ssh-askpass
 fi
diff --git a/hssh b/hssh
index b325197..00d06b8 100755
--- a/hssh
+++ b/hssh
@@ -35,5 +35,9 @@ done
 if $allow; then
 eval $SSH_ORIGINAL_COMMAND
 else
- /a/opt/btrbk/ssh_filter_btrbk.sh --target --delete --source --info
+ f=/usr/local/bin/ssh_filter_btrbk.sh
+ if [[ ! -e $f ]]; then
+ f=/a/opt/btrbk/ssh_filter_btrbk.sh
+ fi
+ $f --target --delete --source --info
 fi
diff --git a/rootsshsync b/rootsshsync
index f44cd6f..1aebad8 100755
--- a/rootsshsync
+++ b/rootsshsync
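Review bot: In hssh's else branch the new check `[[ ! -e $f ]]` only asks whether something exists at /usr/local/bin/ssh_filter_btrbk.sh, so a non-executable or half-installed file there is still selected and the call fails instead of using the fallback; `if [[ ! -x $f ]]; then` matches what the next line needs. The invocation is also unquoted, and `"$f" --target --delete --source --info` is the safer form. This branch appears to be the restriction applied to commands that are not on the allow list, which would make the filter the enforcement point, and the fallback keeps that trust on the /a/opt/btrbk checkout. Confirm that directory is writable only by root, or drop the fallback so the wrapper fails closed when the installed copy is missing. The if/else being edited starts above the hunk.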
@@ -40,16 +40,21 @@ find $user_ssh_dir -xtype l -exec rm '{}' \;
 rsync --exclude=/h --exclude=/h.pub --exclude /config --exclude /confighome -rtL --delete $user_ssh_dir/ /root/.ssh
 rsync -tL $user_ssh_dir/config /root/.ssh/confighome
 cp -a /q/root/h{,.pub} /root/.ssh
-# The h key is like the home key, but only a whitelist of commands allowed, and
+### The h key is like the home key, but only a whitelist of commands allowed, and
 # not encrypted, so cron and whatnot can use it.
 # For any interactive ssh command we want to run as root that is not in that
 # whitelist, we need to ssh -F $HOME/.ssh/confighome
+### I run a separate ssh-agent for root where I add keys without
+# confirm. This the root ssh-agent is only available
+# to root, and it allows us to have a working ssh when X isnt available,
+# eg, in an ssh shell. confirm for regular user provides some protection
+# that a rouge user program cant use my ssh key.
 sed 's,^IdentityFile ~/\.ssh/home$,IdentityFile ~/\.ssh/h,;s,^AddKeysToAgent confirm,AddKeysToAgent yes,' /root/.ssh/confighome >/root/.ssh/config
 chown -R root:root /root/.ssh
 # notably: installs hssh
 /a/exe/install-my-scripts
-
+install /a/opt/btrbk/ssh_filter_btrbk.sh /usr/local/bin
 systemctl enable --now ssh-agent-root
 d=/etc/initramfs-tools
--
2.30.2
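Review bot: The added `install /a/opt/btrbk/ssh_filter_btrbk.sh /usr/local/bin` relies on install's default owner and mode and has no visible failure check, so when the source file is missing hssh quietly keeps using the /a/opt copy. Spelling it out as `install -o root -g root -m 0755 /a/opt/btrbk/ssh_filter_btrbk.sh /usr/local/bin/` and reporting a failure on stderr would make the intent explicit; whether the script already runs under `set -e` is not visible in this hunk. The installed file is a snapshot, and hssh now prefers it, so a later fix to the filter in the btrbk checkout takes effect only after rootsshsync runs again, which a short comment above the line could record. The new comment block would also read better as `# confirm. The root ssh-agent is only available`, with "rogue" in place of "rouge".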