|
|
|
@ -21,7 +21,7 @@ set -e
|
|
|
|
|
# вывод короткой справки
|
|
|
|
|
# show the short help message
|
|
|
|
|
usage() {
|
|
|
|
|
echo "Usage: $0 --id ID [--sshkey PKEY] [--header HEADER] --key KEYFILE --device DEVICE --mountpoint MOUNTPOINT
|
|
|
|
|
echo "Usage: $0 --id ID [--ssh-key PKEY] [--header HEADER] --key KEYFILE --device DEVICE --mount DIR
|
|
|
|
|
|
|
|
|
|
Version: $CL_ACCESS_VERSION
|
|
|
|
|
|
|
|
|
@ -33,18 +33,18 @@ ${DESCRIPTION}
|
|
|
|
|
# вывод полной справки
|
|
|
|
|
# show the long help message
|
|
|
|
|
long_usage() {
|
|
|
|
|
echo "Usage: $0 --id ID [--sshkey PKEY] [--header HEADER] --key KEYFILE --device DEVICE --mountpoint MOUNTPOINT
|
|
|
|
|
echo "Usage: $0 --id ID [--ssh-key PKEY] [--header HEADER] --key KEYFILE --device DEVICE --mount DIR
|
|
|
|
|
|
|
|
|
|
Version: $CL_ACCESS_VERSION
|
|
|
|
|
|
|
|
|
|
${DESCRIPTION}
|
|
|
|
|
|
|
|
|
|
--id ID set access id
|
|
|
|
|
--sshkey PKEY public authorized key
|
|
|
|
|
--header HEADER separated LUKS header
|
|
|
|
|
--key KEYFILE LUKS key file
|
|
|
|
|
--device DEVICE LUKS device (/dev or PARTUUID)
|
|
|
|
|
--mountpoint MOUNTPOINT mount point
|
|
|
|
|
--id ID set access id
|
|
|
|
|
-s PKEY, --ssh-key PKEY public authorized key
|
|
|
|
|
-H HEADER, --header HEADER separated LUKS header
|
|
|
|
|
-k KEYFILE, --key KEYFILE LUKS key file
|
|
|
|
|
-d DEVICE, --device DEVICE LUKS device (/dev or PARTUUID)
|
|
|
|
|
-m DIR, --mount DIR mount point
|
|
|
|
|
"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -53,14 +53,14 @@ ${DESCRIPTION}
|
|
|
|
|
rearrange_params() {
|
|
|
|
|
set +e
|
|
|
|
|
TEMP=$(unset POSIXLY_CORRECT; getopt \
|
|
|
|
|
-o "h" \
|
|
|
|
|
-o "hs:H:k:d:m:" \
|
|
|
|
|
--long help \
|
|
|
|
|
--long id: \
|
|
|
|
|
--long sshkey: \
|
|
|
|
|
--long ssh-key: \
|
|
|
|
|
--long header: \
|
|
|
|
|
--long key: \
|
|
|
|
|
--long device: \
|
|
|
|
|
--long mountpoint: \
|
|
|
|
|
--long mount: \
|
|
|
|
|
-- "$@" 2>&1)
|
|
|
|
|
if (( $? != 0 )); then
|
|
|
|
|
echo "$TEMP" | sed 's/getopt: /cl-access-add: /;$d'
|
|
|
|
@ -82,31 +82,27 @@ do_args() {
|
|
|
|
|
ID="$2"
|
|
|
|
|
shift
|
|
|
|
|
;;
|
|
|
|
|
--sshkey)
|
|
|
|
|
-s|--ssh-key)
|
|
|
|
|
SSHKEY="$2"
|
|
|
|
|
shift
|
|
|
|
|
;;
|
|
|
|
|
--header)
|
|
|
|
|
-H|--header)
|
|
|
|
|
HEADER="$2"
|
|
|
|
|
shift
|
|
|
|
|
shift
|
|
|
|
|
;;
|
|
|
|
|
--key)
|
|
|
|
|
-k|--key)
|
|
|
|
|
KEY="$2"
|
|
|
|
|
shift
|
|
|
|
|
shift
|
|
|
|
|
;;
|
|
|
|
|
--device)
|
|
|
|
|
-d|--device)
|
|
|
|
|
DEVICE="$2"
|
|
|
|
|
shift
|
|
|
|
|
;;
|
|
|
|
|
--partuuid)
|
|
|
|
|
PARTUUID="$2"
|
|
|
|
|
shift
|
|
|
|
|
shift
|
|
|
|
|
;;
|
|
|
|
|
--mountpoint)
|
|
|
|
|
-m|---mount)
|
|
|
|
|
MP="$2"
|
|
|
|
|
shift
|
|
|
|
|
shift
|
|
|
|
|
;;
|
|
|
|
|
--) shift; break;;
|
|
|
|
|
--) shift; break;;
|
|
|
|
|
*) usage;
|
|
|
|
|
eerror $"Unknown option: $1"
|
|
|
|
|
;;
|
|
|
|
@ -129,150 +125,150 @@ eval set -- "$TEMP"
|
|
|
|
|
do_args "$@"
|
|
|
|
|
|
|
|
|
|
check_setup() {
|
|
|
|
|
[[ -d $ACCESSDIR ]]
|
|
|
|
|
[[ -d $ACCESSDIR ]]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
id_not_exists() {
|
|
|
|
|
local id=$1
|
|
|
|
|
[[ ! -d $STORAGE/$id ]]
|
|
|
|
|
local id=$1
|
|
|
|
|
[[ ! -d $STORAGE/$id ]]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
create_id() {
|
|
|
|
|
local id=$1
|
|
|
|
|
local dn=$STORAGE/$id
|
|
|
|
|
mkdir -p $dn
|
|
|
|
|
chown $USERNAME. -R $dn
|
|
|
|
|
local id=$1
|
|
|
|
|
local dn=$STORAGE/$id
|
|
|
|
|
mkdir -p $dn
|
|
|
|
|
chown $USERNAME. -R $dn
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
update_sshkey() {
|
|
|
|
|
local id=$1
|
|
|
|
|
local sshkey=$2
|
|
|
|
|
local publickey=$STORAGE/$id/id_rsa.pub
|
|
|
|
|
local sshdir=$ACCESSDIR/.ssh
|
|
|
|
|
local authkeys=$sshdir/authorized_keys
|
|
|
|
|
cp $sshkey $publickey
|
|
|
|
|
chown $USERNAME. $publickey
|
|
|
|
|
if [[ -f $authkeys ]]
|
|
|
|
|
then
|
|
|
|
|
sed -i "/access-shell $id/d" $authkeys
|
|
|
|
|
else
|
|
|
|
|
if [[ ! -d $sshdir ]]
|
|
|
|
|
then
|
|
|
|
|
mkdir -p $sshdir
|
|
|
|
|
chown $USERNAME. $sshdir
|
|
|
|
|
fi
|
|
|
|
|
touch $authkeys
|
|
|
|
|
fi
|
|
|
|
|
cat >>$authkeys <<EOF
|
|
|
|
|
local id=$1
|
|
|
|
|
local sshkey=$2
|
|
|
|
|
local publickey=$STORAGE/$id/id_rsa.pub
|
|
|
|
|
local sshdir=$ACCESSDIR/.ssh
|
|
|
|
|
local authkeys=$sshdir/authorized_keys
|
|
|
|
|
cp $sshkey $publickey
|
|
|
|
|
chown $USERNAME. $publickey
|
|
|
|
|
if [[ -f $authkeys ]]
|
|
|
|
|
then
|
|
|
|
|
sed -i "/access-shell $id/d" $authkeys
|
|
|
|
|
else
|
|
|
|
|
if [[ ! -d $sshdir ]]
|
|
|
|
|
then
|
|
|
|
|
mkdir -p $sshdir
|
|
|
|
|
chown $USERNAME. $sshdir
|
|
|
|
|
fi
|
|
|
|
|
touch $authkeys
|
|
|
|
|
fi
|
|
|
|
|
cat >>$authkeys <<EOF
|
|
|
|
|
command="~/bin/access-shell $id",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat $publickey)
|
|
|
|
|
EOF
|
|
|
|
|
chown $USERNAME. $authkeys
|
|
|
|
|
chown $USERNAME. $authkeys
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ask_rewrite_sshkey() {
|
|
|
|
|
while true
|
|
|
|
|
do
|
|
|
|
|
read -p $"Do you want replace authorzied key? " yn
|
|
|
|
|
case $yn in
|
|
|
|
|
[Yy]* ) return 0;;
|
|
|
|
|
[Nn]* ) return 1;;
|
|
|
|
|
* ) ewarn $"Please answer yes or no." ;;
|
|
|
|
|
esac
|
|
|
|
|
done
|
|
|
|
|
while true
|
|
|
|
|
do
|
|
|
|
|
read -p $"Do you want replace authorzied key? " yn
|
|
|
|
|
case $yn in
|
|
|
|
|
[Yy]* ) return 0;;
|
|
|
|
|
[Nn]* ) return 1;;
|
|
|
|
|
* ) ewarn $"Please answer yes or no." ;;
|
|
|
|
|
esac
|
|
|
|
|
done
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
check_sshkey() {
|
|
|
|
|
local sshkey=$1
|
|
|
|
|
if ! [[ -f $sshkey ]]
|
|
|
|
|
then
|
|
|
|
|
eerror $"Public authorized key not found"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
if grep -q "PRIVATE KEY" $sshkey
|
|
|
|
|
then
|
|
|
|
|
eerror $"You should use public key instead private"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
if ! ssh-keygen -l -f $sshkey &>/dev/null
|
|
|
|
|
then
|
|
|
|
|
eerror $"$sshkey is not public key"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
return 0
|
|
|
|
|
local sshkey=$1
|
|
|
|
|
if ! [[ -f $sshkey ]]
|
|
|
|
|
then
|
|
|
|
|
eerror $"Public authorized key not found"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
if grep -q "PRIVATE KEY" $sshkey
|
|
|
|
|
then
|
|
|
|
|
eerror $"You should use public key instead private"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
if ! ssh-keygen -l -f $sshkey &>/dev/null
|
|
|
|
|
then
|
|
|
|
|
eerror $"$sshkey is not public key"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
check_luks_header() {
|
|
|
|
|
local header=$1
|
|
|
|
|
if ! [[ -f $header ]]
|
|
|
|
|
then
|
|
|
|
|
eerror $"LUKS header not found"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
if ! cryptsetup isLuks $header &>/dev/null
|
|
|
|
|
then
|
|
|
|
|
eerror $"LUKS header is wrong"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
return 0
|
|
|
|
|
local header=$1
|
|
|
|
|
if ! [[ -f $header ]]
|
|
|
|
|
then
|
|
|
|
|
eerror $"LUKS header not found"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
if ! cryptsetup isLuks $header &>/dev/null
|
|
|
|
|
then
|
|
|
|
|
eerror $"LUKS header is wrong"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
check_luks_key() {
|
|
|
|
|
local key=$1
|
|
|
|
|
local header=$2
|
|
|
|
|
|
|
|
|
|
if ! [[ -f $key ]]
|
|
|
|
|
then
|
|
|
|
|
eerror $"LUKS key not found"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
if [[ -z $header ]]
|
|
|
|
|
then
|
|
|
|
|
ewarn $"Could not check key without header"
|
|
|
|
|
return 0
|
|
|
|
|
else
|
|
|
|
|
cryptsetup -d $key -q luksDump --dump-master-key $header &>/dev/null || eerror "Wrong LUKS key/header pair"
|
|
|
|
|
fi
|
|
|
|
|
local key=$1
|
|
|
|
|
local header=$2
|
|
|
|
|
|
|
|
|
|
if ! [[ -f $key ]]
|
|
|
|
|
then
|
|
|
|
|
eerror $"LUKS key not found"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
if [[ -z $header ]]
|
|
|
|
|
then
|
|
|
|
|
ewarn $"Could not check key without header"
|
|
|
|
|
return 0
|
|
|
|
|
else
|
|
|
|
|
cryptsetup -d $key -q luksDump --dump-master-key $header &>/dev/null || eerror "Wrong LUKS key/header pair"
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
check_device_name() {
|
|
|
|
|
local device=$1
|
|
|
|
|
is_uuid $device || is_dev $device || eerror $"Device must be PARTUUID or /dev"
|
|
|
|
|
local device=$1
|
|
|
|
|
is_uuid $device || is_dev $device || eerror $"Device must be PARTUUID or /dev"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
is_uuid() {
|
|
|
|
|
[[ "$1" =~ ^(PARTUUID=)?(([0-9a-f]+-)+[0-9a-f]+)$ ]]
|
|
|
|
|
[[ "$1" =~ ^(PARTUUID=)?(([0-9a-f]+-)+[0-9a-f]+)$ ]]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
is_dev() {
|
|
|
|
|
[[ "$1" =~ ^/dev/ ]]
|
|
|
|
|
[[ "$1" =~ ^/dev/ ]]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
create_record() {
|
|
|
|
|
local id=$1
|
|
|
|
|
local key=$2
|
|
|
|
|
local device=$3
|
|
|
|
|
local mp=$4
|
|
|
|
|
local header=$5
|
|
|
|
|
for rec in {0..99}
|
|
|
|
|
do
|
|
|
|
|
recdn=$STORAGE/$id/$rec
|
|
|
|
|
if [[ ! -d $recdn ]]
|
|
|
|
|
then
|
|
|
|
|
mkdir -p $recdn
|
|
|
|
|
[[ -n $header ]] && cp $header $recdn/header
|
|
|
|
|
cp $key $recdn/key
|
|
|
|
|
if is_uuid $device
|
|
|
|
|
then
|
|
|
|
|
echo ${BASH_REMATCH[2]} >$recdn/partuuid
|
|
|
|
|
else
|
|
|
|
|
echo $device >$recdn/dev
|
|
|
|
|
fi
|
|
|
|
|
echo $mp >$recdn/mountpoint
|
|
|
|
|
|
|
|
|
|
break
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
local id=$1
|
|
|
|
|
local key=$2
|
|
|
|
|
local device=$3
|
|
|
|
|
local mp=$4
|
|
|
|
|
local header=$5
|
|
|
|
|
for rec in {0..99}
|
|
|
|
|
do
|
|
|
|
|
recdn=$STORAGE/$id/$rec
|
|
|
|
|
if [[ ! -d $recdn ]]
|
|
|
|
|
then
|
|
|
|
|
mkdir -p $recdn
|
|
|
|
|
[[ -n $header ]] && cp $header $recdn/header
|
|
|
|
|
cp $key $recdn/key
|
|
|
|
|
if is_uuid $device
|
|
|
|
|
then
|
|
|
|
|
echo ${BASH_REMATCH[2]} >$recdn/partuuid
|
|
|
|
|
else
|
|
|
|
|
echo $device >$recdn/dev
|
|
|
|
|
fi
|
|
|
|
|
echo $mp >$recdn/mountpoint
|
|
|
|
|
|
|
|
|
|
break
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
check_setup || eerror $"Calculate access is not setup"
|
|
|
|
@ -292,7 +288,6 @@ check_device_name $DEVICE
|
|
|
|
|
|
|
|
|
|
id_not_exists $ID || ask_rewrite_sshkey
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
id_not_exists $ID && create_id $ID
|
|
|
|
|
|
|
|
|
|
create_record "$ID" "$KEY" "$DEVICE" "$MP" "$HEADER"
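Review bot: In the do_args hunk the new case pattern `-m|---mount)` carries three dashes, so the `--mount DIR` form that usage(), long_usage() and the `--long mount:` getopt spec now advertise never matches this branch and falls through to `*) usage; eerror $"Unknown option: $1"`; unless this is a rendering artifact of the page, the line should read `-m|--mount)`. getopt accepts `--mount` because of `--long mount:` and emits it in canonical form, so the mismatch only surfaces at this case statement, whose enclosing function begins and ends outside the hunk. Separately, in the re-indented update_sshkey and create_id hunk the access id is interpolated unescaped into the sed pattern `sed -i "/access-shell $id/d" $authkeys`, into the `command="~/bin/access-shell $id"` authorized_keys option and into the `$STORAGE/$id` path, while nothing visible on this page validates `$ID`; an anchored check such as `[[ $ID =~ ^[A-Za-z0-9_-]+$ ]] || eerror $"Invalid access id"` before the id is first used would keep a stray `/`, `"` or `,` from producing a malformed authorized_keys entry or a directory outside `$STORAGE`.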
|
|
|
|
|