+++ /dev/null
-../ssh-utils/ssh-adduser.sh
\ No newline at end of file
--- /dev/null
+#!/bin/bash
+set -e
+set -u
+
+function __install_ssh_adduser() {
+ my_cmd="ssh-adduser"
+
+ rm -f "$HOME/.local/bin/${my_cmd}"
+
+ webi_download \
+ "$WEBI_HOST/packages/${my_cmd}/${my_cmd}.sh" \
+ "$HOME/.local/bin/${my_cmd}"
+
+ chmod a+x "$HOME/.local/bin/${my_cmd}"
+
+ # run the command
+ "$HOME/.local/bin/${my_cmd}"
+}
+
+__install_ssh_adduser
--- /dev/null
+#!/bin/bash
+set -e
+set -u
+
+function main() {
+
+ # Add User 'app'
+ # Picking 'app' by common convention (what Docker & Vagrant use).
+ my_new_user="${1:-"app"}"
+ #my_existing_user="${2:-"root"}"
+
+ # TODO would $EUID be better?
+ if [[ "root" != "$(whoami)" ]]; then
+ echo "webi adduser: running user is already a non-root user"
+ exit 0
+ fi
+
+ if [[ ! -e ~/.ssh/authorized_keys ]] || ! grep -v '#' ~/.ssh/authorized_keys; then
+ echo ""
+ echo "Error:"
+ echo " You must add a key to ~/.ssh/authorized_keys before adding a new ssh user."
+ echo ""
+ echo "To fix:"
+ echo " Run 'curl https://webinstall.dev/ssh-pubkey | bash' on your local system, "
+ echo " then add that key to ~/.ssh/authorized_keys on this (the remote) system. "
+ echo ""
+ exit 1
+ fi
+
+ adduser --disabled-password --gecos '' "$my_new_user"
+ my_password=$(openssl rand -hex 16)
+ printf '%s\n%s' "${my_password}" "${my_password}" | passwd "${my_new_user}"
+
+ # make 'app' a sudo-er (admin)
+ adduser "$my_new_user" sudo
+ echo "$my_new_user ALL=(ALL:ALL) NOPASSWD: ALL" | tee "/etc/sudoers.d/$my_new_user"
+
+ # allow users who can already login as 'root' to login as 'app'
+ mkdir -p "/home/$my_new_user/.ssh/"
+ chmod 0700 "/home/$my_new_user/.ssh/"
+ cp -r "${HOME}/.ssh/authorized_keys" "/home/$my_new_user/.ssh/"
+ chmod 0600 "/home/$my_new_user/.ssh/authorized_keys"
+ touch "/home/$my_new_user/.ssh/config"
+ chmod 0644 "/home/$my_new_user/.ssh/config"
+ chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"
+
+ # ensure that 'app' has an SSH Keypair
+ sudo -i -u "$my_new_user" bash -c "ssh-keygen -b 2048 -t rsa -f '/home/$my_new_user/.ssh/id_rsa' -q -N ''"
+ chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"
+
+ # Install webi for the new 'app' user
+ WEBI_HOST=${WEBI_HOST:-"https://webinstall.dev"}
+ sudo -i -u "$my_new_user" bash -c "curl -fsSL '$WEBI_HOST/webi' | bash" ||
+ sudo -i -u "$my_new_user" bash -c "wget -q -O - '$WEBI_HOST/webi' | bash"
+
+ # TODO ensure that ssh-password login is off
+ my_pass="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"
+ my_pam=""
+ if [[ "Darwin" == "$(uname -s)" ]]; then
+ # Turn off PAM for macOS or it will allow password login
+ my_pam="$(grep 'UsePAM yes' /etc/ssh/sshd_config)"
+ fi
+ if [[ -n ${my_pass} ]] || [[ -n ${my_pam} ]]; then
+ echo "######################################################################"
+ echo "# #"
+ echo "# WARNING #"
+ echo "# #"
+ echo "# Found /etc/ssh/sshd_config: #"
+ if [[ -n ${my_pass} ]]; then
+ echo "# PasswordAuthentication yes #"
+ fi
+ if [[ -n ${my_pam} ]]; then
+ echo "# UsePAM yes #"
+ fi
+ echo "# #"
+ echo "# This is EXTREMELY DANGEROUS and insecure. #"
+ echo "# We'll attempt to fix this now... #"
+ echo "# #"
+
+ sed -i 's/#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' \
+ /etc/ssh/sshd_config
+
+ sed -i 's/#\?UsePAM \(yes\|no\)/UsePAM no/' \
+ /etc/ssh/sshd_config
+
+ if grep "PasswordAuthentication yes" /etc/ssh/sshd_config; then
+ echo "# FAILED. Please check /etc/ssh/sshd_config manually. #"
+ else
+ echo "# Fixed... HOWEVER, you'll need to manually restart ssh: #"
+ echo "# #"
+ echo "# sudo systemctl restart ssh #"
+ echo "# #"
+ echo "# (you may want to make sure you can login as the new user first) #"
+ fi
+ echo "# #"
+ echo "######################################################################"
+ fi
+
+ echo "Created user '${my_new_user}' as sudoer with a random password."
+ echo "(set a new password with 'password ${my_new_user}')"
+}
+
+main "${1:-app}"
set -u
function __install_ssh_pubkey() {
- MY_CMD="ssh-pubkey"
+ my_cmd="ssh-pubkey"
- rm -f "$HOME/.local/bin/$MY_CMD"
- webi_download "$WEBI_HOST/packages/$MY_CMD/$MY_CMD.sh" "$HOME/.local/bin/$MY_CMD"
- chmod a+x "$HOME/.local/bin/$MY_CMD"
+ rm -f "$HOME/.local/bin/${my_cmd}"
+
+ webi_download \
+ "$WEBI_HOST/packages/${my_cmd}/${my_cmd}.sh" \
+ "$HOME/.local/bin/${my_cmd}"
+
+ chmod a+x "$HOME/.local/bin/${my_cmd}"
# run the command
- "$HOME/.local/bin/$MY_CMD"
+ "$HOME/.local/bin/${my_cmd}"
}
__install_ssh_pubkey
+++ /dev/null
-../ssh-utils/ssh-pubkey.ps1
\ No newline at end of file
--- /dev/null
+#!/usr/bin/env pwsh
+
+# TODO: can we use some of this?
+# https://github.com/PowerShell/openssh-portable/blob/latestw_all/contrib/win32/openssh/FixUserFilePermissions.ps1
+
+if (!(Test-Path -Path "$Env:USERPROFILE/.ssh"))
+{
+ New-Item -Path "$Env:USERPROFILE/.ssh" -ItemType Directory -Force | out-null
+ #& icacls "$Env:USERPROFILE/.ssh" /inheritance:r
+ #& icacls "$Env:USERPROFILE/.ssh" /grant:r "$Env:USERNAME":"(F)"
+}
+
+if (!(Test-Path -Path "$Env:USERPROFILE/.ssh/config"))
+{
+ New-Item -Path "$Env:USERPROFILE/.ssh/config" -ItemType "file" -Value ""
+ #& icacls "$Env:USERPROFILE/.ssh/config" /inheritance:r
+ #& icacls "$Env:USERPROFILE/.ssh/config" /grant:r "$Env:USERNAME":"(F)"
+}
+
+#if (!(Test-Path -Path "$Env:USERPROFILE/.ssh/authorized_keys"))
+#{
+# New-Item -Path "$Env:USERPROFILE/.ssh/authorized_keys" -ItemType "file" -Value ""
+# #& icacls "$Env:USERPROFILE/.ssh/authorized_keys" /inheritance:r
+# #& icacls "$Env:USERPROFILE/.ssh/authorized_keys" /grant:r "$Env:USERNAME":"(F)"
+#}
+
+if (!(Test-Path -Path "$Env:USERPROFILE/.ssh/id_rsa"))
+{
+ & ssh-keygen -b 2048 -t rsa -f "$Env:USERPROFILE/.ssh/id_rsa" -q -N """"
+ echo ""
+}
+
+if (!(Test-Path -Path "$Env:USERPROFILE/.ssh/id_rsa.pub"))
+{
+ & ssh-keygen -y -f "$Env:USERPROFILE/.ssh/id_rsa" > "$Env:USERPROFILE/.ssh/id_rsa.pub"
+ echo ""
+}
+
+# TODO use the comment (if any) for the name of the file
+echo ""
+echo "~/Downloads/id_rsa.$Env:USERNAME.pub":
+echo ""
+#rm -f "$Env:USERPROFILE/Downloads/id_rsa.$Env:USERNAME.pub":
+Copy-Item -Path "$Env:USERPROFILE/.ssh/id_rsa.pub" -Destination "$Env:USERPROFILE/Downloads/id_rsa.$Env:USERNAME.pub"
+& type "$Env:USERPROFILE/Downloads/id_rsa.$Env:USERNAME.pub"
+echo ""
+++ /dev/null
-../ssh-utils/ssh-pubkey.sh
\ No newline at end of file
--- /dev/null
+#!/bin/bash
+set -e
+set -u
+
+function main() {
+
+ if [ ! -d "$HOME/.ssh" ]; then
+ mkdir -p "$HOME/.ssh/"
+ chmod 0700 "$HOME/.ssh/"
+ fi
+
+ if [ ! -f "$HOME/.ssh/config" ]; then
+ # for the benefit of VSCode
+ touch "$HOME/.ssh/config"
+ chmod 0644 "$HOME/.ssh/config"
+ fi
+
+ if [ ! -f "$HOME/.ssh/authorized_keys" ]; then
+ touch "$HOME/.ssh/authorized_keys"
+ chmod 0600 "$HOME/.ssh/authorized_keys"
+ fi
+
+ if [ ! -f "$HOME/.ssh/id_rsa" ]; then
+ ssh-keygen -b 2048 -t rsa -f "$HOME/.ssh/id_rsa" -q -N ""
+ echo >&2 ""
+ fi
+
+ if [ ! -f "$HOME/.ssh/id_rsa.pub" ]; then
+ ssh-keygen -y -f "$HOME/.ssh/id_rsa" > "$HOME/.ssh/id_rsa.pub"
+ echo >&2 ""
+ fi
+
+ # TODO use the comment (if any) for the name of the file
+ echo >&2 ""
+ #shellcheck disable=SC2088
+ echo >&2 "~/Downloads/id_rsa.$(whoami).pub":
+ echo >&2 ""
+ rm -f "$HOME/Downloads/id_rsa.$(whoami).pub"
+ cp -r "$HOME/.ssh/id_rsa.pub" "$HOME/Downloads/id_rsa.$(whoami).pub"
+ cat "$HOME/Downloads/id_rsa.$(whoami).pub"
+ echo >&2 ""
+}
+
+main
+++ /dev/null
-../ssh-utils/ssh-setpass.sh
\ No newline at end of file
--- /dev/null
+#!/bin/bash
+set -e
+set -u
+
+function __install_ssh_setpass() {
+ my_cmd="ssh-setpass"
+
+ rm -f "$HOME/.local/bin/${my_cmd}"
+
+ webi_download \
+ "$WEBI_HOST/packages/${my_cmd}/${my_cmd}.sh" \
+ "$HOME/.local/bin/${my_cmd}"
+
+ chmod a+x "$HOME/.local/bin/${my_cmd}"
+
+ # run the command
+ echo ''
+ echo 'Set passphrase for ~/.ssh/id_rsa?'
+ "$HOME/.local/bin/${my_cmd}"
+}
+
+__install_ssh_setpass
--- /dev/null
+#!/bin/bash
+set -e
+set -u
+
+function main() {
+ my_key="${1:-"${HOME}/.ssh/id_rsa"}"
+ ssh-keygen -p -f "${my_key}"
+}
+
+main "${1:-}"
#!/bin/bash
function __init_ssh_utils() {
- rm -f "$HOME/.local/bin/ssh-pubkey" "$HOME/.local/bin/ssh-setpass" "$HOME/.local/bin/ssh-adduser"
- webi_download "$WEBI_HOST/packages/ssh-utils/ssh-pubkey.sh" "$HOME/.local/bin/ssh-pubkey"
- webi_download "$WEBI_HOST/packages/ssh-utils/ssh-setpass.sh" "$HOME/.local/bin/ssh-setpass"
- webi_download "$WEBI_HOST/packages/ssh-utils/ssh-adduser.sh" "$HOME/.local/bin/ssh-adduser"
+ rm -f \
+ "$HOME/.local/bin/ssh-pubkey" \
+ "$HOME/.local/bin/ssh-setpass" \
+ "$HOME/.local/bin/ssh-adduser"
+ # done
+
+ webi_download \
+ "$WEBI_HOST/packages/ssh-pubkey/ssh-pubkey.sh" \
+ "$HOME/.local/bin/ssh-pubkey"
+ webi_download \
+ "$WEBI_HOST/packages/ssh-setpass/ssh-setpass.sh" \
+ "$HOME/.local/bin/ssh-setpass"
+ webi_download \
+ "$WEBI_HOST/packages/ssh-adduser/ssh-adduser.sh" \
+ "$HOME/.local/bin/ssh-adduser"
+
chmod a+x "$HOME/.local/bin/ssh-"*
}
+++ /dev/null
-#!/bin/bash
-
-function __run_ssh_adduser() {
- set -e
- set -u
-
- # TODO would $EUID be better?
- if [[ "root" != "$(whoami)" ]]; then
- echo "webi adduser: running user is already a non-root user"
- exit 0
- fi
-
- if [[ ! -e ~/.ssh/authorized_keys ]] || ! grep -v '#' ~/.ssh/authorized_keys; then
- echo ""
- echo "Error:"
- echo " You must add a key to ~/.ssh/authorized_keys before adding a new ssh user."
- echo ""
- echo "To fix:"
- echo " Run 'curl https://webinstall.dev/ssh-pubkey | bash' on your local system, "
- echo " then add that key to ~/.ssh/authorized_keys on this (the remote) system. "
- echo ""
- exit 1
- fi
-
- # Add User 'app'
- # Picking 'app' by common convention (what Docker & Vagrant use).
- my_new_user="${1:-"app"}"
- #my_existing_user="${2:-"root"}"
- adduser --disabled-password --gecos '' "$my_new_user"
- my_password=$(openssl rand -hex 16)
- printf '%s\n%s' "${my_password}" "${my_password}" | passwd "${my_new_user}"
-
- # make 'app' a sudo-er (admin)
- adduser "$my_new_user" sudo
- echo "$my_new_user ALL=(ALL:ALL) NOPASSWD: ALL" | tee "/etc/sudoers.d/$my_new_user"
-
- # allow users who can already login as 'root' to login as 'app'
- mkdir -p "/home/$my_new_user/.ssh/"
- chmod 0700 "/home/$my_new_user/.ssh/"
- cp -r "${HOME}/.ssh/authorized_keys" "/home/$my_new_user/.ssh/"
- chmod 0600 "/home/$my_new_user/.ssh/authorized_keys"
- touch "/home/$my_new_user/.ssh/config"
- chmod 0644 "/home/$my_new_user/.ssh/config"
- chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"
-
- # ensure that 'app' has an SSH Keypair
- sudo -i -u "$my_new_user" bash -c "ssh-keygen -b 2048 -t rsa -f '/home/$my_new_user/.ssh/id_rsa' -q -N ''"
- chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"
-
- # Install webi for the new 'app' user
- WEBI_HOST=${WEBI_HOST:-"https://webinstall.dev"}
- sudo -i -u "$my_new_user" bash -c "curl -fsSL '$WEBI_HOST/webi' | bash" ||
- sudo -i -u "$my_new_user" bash -c "wget -q -O - '$WEBI_HOST/webi' | bash"
-
- # TODO ensure that ssh-password login is off
- my_pass="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"
- my_pam=""
- if [[ "Darwin" == "$(uname -s)" ]]; then
- # Turn off PAM for macOS or it will allow password login
- my_pam="$(grep 'UsePAM yes' /etc/ssh/sshd_config)"
- fi
- if [[ -n ${my_pass} ]] || [[ -n ${my_pam} ]]; then
- echo "######################################################################"
- echo "# #"
- echo "# WARNING #"
- echo "# #"
- echo "# Found /etc/ssh/sshd_config: #"
- if [[ -n ${my_pass} ]]; then
- echo "# PasswordAuthentication yes #"
- fi
- if [[ -n ${my_pam} ]]; then
- echo "# UsePAM yes #"
- fi
- echo "# #"
- echo "# This is EXTREMELY DANGEROUS and insecure. #"
- echo "# We'll attempt to fix this now... #"
- echo "# #"
-
- sed -i 's/#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' \
- /etc/ssh/sshd_config
-
- sed -i 's/#\?UsePAM \(yes\|no\)/UsePAM no/' \
- /etc/ssh/sshd_config
-
- if grep "PasswordAuthentication yes" /etc/ssh/sshd_config; then
- echo "# FAILED. Please check /etc/ssh/sshd_config manually. #"
- else
- echo "# Fixed... HOWEVER, you'll need to manually restart ssh: #"
- echo "# #"
- echo "# sudo systemctl restart ssh #"
- echo "# #"
- echo "# (you may want to make sure you can login as the new user first) #"
- fi
- echo "# #"
- echo "######################################################################"
- fi
-
- echo "Created user '${my_new_user}' as sudoer with a random password."
- echo "(set a new password with 'password ${my_new_user}')"
-}
-
-__run_ssh_adduser app
--- /dev/null
+../ssh-adduser/ssh-adduser.sh
\ No newline at end of file
+++ /dev/null
-#!/usr/bin/env pwsh
-
-# TODO: can we use some of this?
-# https://github.com/PowerShell/openssh-portable/blob/latestw_all/contrib/win32/openssh/FixUserFilePermissions.ps1
-
-if (!(Test-Path -Path "$Env:USERPROFILE/.ssh"))
-{
- New-Item -Path "$Env:USERPROFILE/.ssh" -ItemType Directory -Force | out-null
- #& icacls "$Env:USERPROFILE/.ssh" /inheritance:r
- #& icacls "$Env:USERPROFILE/.ssh" /grant:r "$Env:USERNAME":"(F)"
-}
-
-if (!(Test-Path -Path "$Env:USERPROFILE/.ssh/config"))
-{
- New-Item -Path "$Env:USERPROFILE/.ssh/config" -ItemType "file" -Value ""
- #& icacls "$Env:USERPROFILE/.ssh/config" /inheritance:r
- #& icacls "$Env:USERPROFILE/.ssh/config" /grant:r "$Env:USERNAME":"(F)"
-}
-
-#if (!(Test-Path -Path "$Env:USERPROFILE/.ssh/authorized_keys"))
-#{
-# New-Item -Path "$Env:USERPROFILE/.ssh/authorized_keys" -ItemType "file" -Value ""
-# #& icacls "$Env:USERPROFILE/.ssh/authorized_keys" /inheritance:r
-# #& icacls "$Env:USERPROFILE/.ssh/authorized_keys" /grant:r "$Env:USERNAME":"(F)"
-#}
-
-if (!(Test-Path -Path "$Env:USERPROFILE/.ssh/id_rsa"))
-{
- & ssh-keygen -b 2048 -t rsa -f "$Env:USERPROFILE/.ssh/id_rsa" -q -N """"
- echo ""
-}
-
-if (!(Test-Path -Path "$Env:USERPROFILE/.ssh/id_rsa.pub"))
-{
- & ssh-keygen -y -f "$Env:USERPROFILE/.ssh/id_rsa" > "$Env:USERPROFILE/.ssh/id_rsa.pub"
- echo ""
-}
-
-# TODO use the comment (if any) for the name of the file
-echo ""
-echo "~/Downloads/id_rsa.$Env:USERNAME.pub":
-echo ""
-#rm -f "$Env:USERPROFILE/Downloads/id_rsa.$Env:USERNAME.pub":
-Copy-Item -Path "$Env:USERPROFILE/.ssh/id_rsa.pub" -Destination "$Env:USERPROFILE/Downloads/id_rsa.$Env:USERNAME.pub"
-& type "$Env:USERPROFILE/Downloads/id_rsa.$Env:USERNAME.pub"
-echo ""
--- /dev/null
+../ssh-pubkey/ssh-pubkey.ps1
\ No newline at end of file
+++ /dev/null
-#!/bin/bash
-set -e
-set -u
-
-function _ssh_pubkey() {
-
- if [ ! -d "$HOME/.ssh" ]; then
- mkdir -p "$HOME/.ssh/"
- chmod 0700 "$HOME/.ssh/"
- fi
-
- if [ ! -f "$HOME/.ssh/config" ]; then
- # for the benefit of VSCode
- touch "$HOME/.ssh/config"
- chmod 0644 "$HOME/.ssh/config"
- fi
-
- if [ ! -f "$HOME/.ssh/authorized_keys" ]; then
- touch "$HOME/.ssh/authorized_keys"
- chmod 0600 "$HOME/.ssh/authorized_keys"
- fi
-
- if [ ! -f "$HOME/.ssh/id_rsa" ]; then
- ssh-keygen -b 2048 -t rsa -f "$HOME/.ssh/id_rsa" -q -N ""
- echo >&2 ""
- fi
-
- if [ ! -f "$HOME/.ssh/id_rsa.pub" ]; then
- ssh-keygen -y -f "$HOME/.ssh/id_rsa" > "$HOME/.ssh/id_rsa.pub"
- echo >&2 ""
- fi
-
- # TODO use the comment (if any) for the name of the file
- echo >&2 ""
- #shellcheck disable=SC2088
- echo >&2 "~/Downloads/id_rsa.$(whoami).pub":
- echo >&2 ""
- rm -f "$HOME/Downloads/id_rsa.$(whoami).pub"
- cp -r "$HOME/.ssh/id_rsa.pub" "$HOME/Downloads/id_rsa.$(whoami).pub"
- cat "$HOME/Downloads/id_rsa.$(whoami).pub"
- echo >&2 ""
-}
-
-_ssh_pubkey
--- /dev/null
+../ssh-pubkey/ssh-pubkey.sh
\ No newline at end of file
+++ /dev/null
-#!/bin/bash
-
-function __init_ssh_setpass() {
- set -e
- set -u
-
- ssh-keygen -p -f "$HOME/.ssh/id_rsa"
-}
-
-__init_ssh_setpass
--- /dev/null
+../ssh-setpass/ssh-setpass.sh
\ No newline at end of file
projects / webi-installers / .git / commitdiff