commit df41cacbba8cb9c210bb655d6e0b147ac1c8e4a1
Author: Lucas
Date: Thu Apr 7 13:48:50 2022 +0000
Initial import
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..0e259d4
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,121 @@ +Creative Commons Legal Code + +CC0 1.0 Universal + + CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE + LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN + ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS + INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES + REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS + PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM + THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED + HEREUNDER. + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator +and subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for +the purpose of contributing to a commons of creative, cultural and +scientific works ("Commons") that the public can reliably and without fear +of later claims of infringement build upon, modify, incorporate in other +works, reuse and redistribute as freely as possible in any form whatsoever +and for any purposes, including without limitation commercial purposes. +These owners may contribute to the Commons to promote the ideal of a free +culture and the further production of creative, cultural and scientific +works, or to gain reputation or greater distribution for their Work in +part through the use and efforts of others. 
+ +For these and/or other purposes and motivations, and without any +expectation of additional consideration or compensation, the person +associating CC0 with a Work (the "Affirmer"), to the extent that he or she +is an owner of Copyright and Related Rights in the Work, voluntarily +elects to apply CC0 to the Work and publicly distribute the Work under its +terms, with knowledge of his or her Copyright and Related Rights in the +Work and the meaning and intended legal effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not +limited to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, + communicate, and translate a Work; + ii. moral rights retained by the original author(s) and/or performer(s); +iii. publicity and privacy rights pertaining to a person's image or + likeness depicted in a Work; + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + v. rights protecting the extraction, dissemination, use and reuse of data + in a Work; + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation + thereof, including any amended or successor version of such + directive); and +vii. other similar, equivalent or corresponding rights throughout the + world based on applicable law or treaty, and any national + implementations thereof. + +2. Waiver. 
To the greatest extent permitted by, but not in contravention +of, applicable law, Affirmer hereby overtly, fully, permanently, +irrevocably and unconditionally waives, abandons, and surrenders all of +Affirmer's Copyright and Related Rights and associated claims and causes +of action, whether now known or unknown (including existing as well as +future claims and causes of action), in the Work (i) in all territories +worldwide, (ii) for the maximum duration provided by applicable law or +treaty (including future time extensions), (iii) in any current or future +medium and for any number of copies, and (iv) for any purpose whatsoever, +including without limitation commercial, advertising or promotional +purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each +member of the public at large and to the detriment of Affirmer's heirs and +successors, fully intending that such Waiver shall not be subject to +revocation, rescission, cancellation, termination, or any other legal or +equitable action to disrupt the quiet enjoyment of the Work by the public +as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. Should any part of the Waiver for any reason +be judged legally invalid or ineffective under applicable law, then the +Waiver shall be preserved to the maximum extent permitted taking into +account Affirmer's express Statement of Purpose. 
In addition, to the +extent the Waiver is so judged Affirmer hereby grants to each affected +person a royalty-free, non transferable, non sublicensable, non exclusive, +irrevocable and unconditional license to exercise Affirmer's Copyright and +Related Rights in the Work (i) in all territories worldwide, (ii) for the +maximum duration provided by applicable law or treaty (including future +time extensions), (iii) in any current or future medium and for any number +of copies, and (iv) for any purpose whatsoever, including without +limitation commercial, advertising or promotional purposes (the +"License"). The License shall be deemed effective as of the date CC0 was +applied by Affirmer to the Work. Should any part of the License for any +reason be judged legally invalid or ineffective under applicable law, such +partial invalidity or ineffectiveness shall not invalidate the remainder +of the License, and in such case Affirmer hereby affirms that he or she +will not (i) exercise any of his or her remaining Copyright and Related +Rights in the Work or (ii) assert any associated claims and causes of +action with respect to the Work, in either case contrary to Affirmer's +express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + b. Affirmer offers the Work as-is and makes no representations or + warranties of any kind concerning the Work, express, implied, + statutory or otherwise, including without limitation warranties of + title, merchantability, fitness for a particular purpose, non + infringement, or the absence of latent or other defects, accuracy, or + the present or absence of errors, whether or not discoverable, all to + the greatest extent permissible under applicable law. + c. 
Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without + limitation any person's Copyright and Related Rights in the Work. + Further, Affirmer disclaims responsibility for obtaining any necessary + consents, permissions or other rights required for any use of the + Work. + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to + this CC0 or use of the Work. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..c5745b3 --- /dev/null +++ b/Makefile @@ -0,0 +1,54 @@ +# cassh - Manager for an OpenSSH Certification Authority +# +# Written in 2022 by Lucas +# +# To the extent possible under law, the author(s) have dedicated all +# copyright and related and neighboring rights to this software to the +# public domain worldwide. This software is distributed without any +# warranty. +# +# You should have received a copy of the CC0 Public Domain Dedication +# along with this software. If not, see +# . +.POSIX: +.SUFFIXES: +.SUFFIXES: .sh + +.sh: + cp $< $@ + chmod a+x $@ + +P = cassh +V = 0 + +PREFIX = /usr/local +MANPREFIX = ${PREFIX}/man + +BIN = cassh +MAN1 = ${BIN:=.1} +SRC = ${BIN:=.sh} ${MAN1} + +DIST = ${SRC} COPYING Makefile README + +all: ${BIN} + +test: all + prove -p + +clean: + rm -f ${BIN} ${P}-${V}.tgz + +dist: clean + pax -ws ',^,${P}-${V}/,' ${DIST} | gzip >${P}-${V}.tgz + +install: all + mkdir -p ${PREFIX}/bin + cp -f ${BIN} ${PREFIX}/bin + cd ${PREFIX}/bin && chmod 555 ${BIN} + mkdir -p ${MANPREFIX}/man1 + cp -f ${MAN1} ${MANPREFIX}/man1 + cd ${MANPREFIX}/man1 && chmod 444 ${MAN1} + +uninstall: + cd ${PREFIX}/bin && rm -f ${BIN} + cd ${MANPREFIX}/man1 && rm -f ${MAN1} diff --git a/README b/README new file mode 100644 index 0000000..74c30b2 --- /dev/null +++ b/README @@ -0,0 +1,4 @@ +cassh +===== + +Manager for an OpenSSH Certification Authority. 
diff --git a/cassh.1 b/cassh.1
new file mode 100644
index 0000000..498b16f
--- /dev/null
+++ b/cassh.1
@@ -0,0 +1,136 @@ +.\" cassh - Manager for an OpenSSH Certification Authority +.\" +.\" Written in 2022 by Lucas +.\" +.\" To the extent possible under law, the author(s) have dedicated all +.\" copyright and related and neighboring rights to this software to the +.\" public domain worldwide. This software is distributed without any +.\" warranty. +.\" +.\" You should have received a copy of the CC0 Public Domain Dedication +.\" along with this software. If not, see +.\" . +.\" +.Dd March 01, 2022 +.Dt CASSH 1 +.Os +.Sh NAME +.Nm cassh +.Nd Manager for an OpenSSH Certification Authority +.Sh SYNOPSIS +.Nm +.Bk -words +.Cm issue +.Op Fl hqv +.Op Fl I Ar key_id +.Op Fl n Ar principals +.Op Fl V Ar validity_interval +.Ek +.Nm +.Bk -words +.Cm mkfile +.Ic authorized_keys +.Op options +.Ek +.Nm +.Bk -words +.Cm mkfile +.Ic known_hosts +.Op hostnames +.Ek +.Sh DESCRIPTION +.Nm +is a small utility for issuing and revoking OpenSSH Certificates. +It relies on a simple filesystem structure and a running +.Xr ssh-agent 1 +instance that is in charge of performing all signing operations. +Additionally, +.Nm +can generate +.Pa authorized_keys +and +.Pa known_hosts +files based on the active Certification Authority. +.Pp +A Certification Authority directory consists of a +.Pa ca.pub +file corresponding to the public key of it, a +.Pa pubkeys/ +directory which holds the public keys to be signed, and an optional +.Pa serial.txt +file holding the current serial number for the issued certificates. +.Pp +The following commands are available to +.Xr cassh 1 : +.Bl -tag -width Ds +.It Xo +.Cm issue +.Op Fl hqv +.Op Fl I Ar key_id +.Op Fl n Ar principals +.Op Fl V Ar validity_interval +.Xc +Issue certificates for all the public keys inside the +.Pa pubkeys/ +directory. +Token expansion is performed on arguments +.Ar key_id +and +.Ar principals . +The recognized tokens are: +.Pp +.Bl -tag -width XXXX -offset indent -compact +.It %% +A literal +.Sq % . 
+.It \&%C +The Certification Authority private key comment. +.It %f +The basename of the public key being signed. +.El +.Pp +.Ar key_id +accepts the tokens %%, %C, and %f. +.Pp +.Ar principals +accepts the tokens %% and %f. +.Pp +After token expansion, all recognized options are passed down to +.Xr ssh-keygen 1 +process. +.It Cm mkfile Ic authorized_keys Op Ar options +Write an +.Ic authorized_keys +file on standard output corresponding to the current Certification +Authority. +.Ar options +is copied verbatim to the output, and +.Cm cert-authority +is always added. +.It Cm mkfile Ic known_hosts Op Ar hostnames +Write a +.Ic known_hosts +file on standard output corresponding to the current Certification +Authority. +.Ar hostnames is copied verbatim to the output. +.El +.Sh ENVIRONMENT +TBD +.Sh EXIT STATUS +.Ex -std +.Sh EXAMPLES +TBD +.Sh SEE ALSO +.Xr ssh-agent 1 , +.Xr ssh-keygen 1 +.Sh AUTHORS +.An Lucas +.Sh LICENSE +.Nm +is in the public domain. +.Pp +To the extent possible under law, the author(s) have dedicated all +copyright and related and neighboring rights to this software to the +public domain worldwide. +.Pp +.Lk http://creativecommons.org/publicdomain/zero/1.0/ diff --git a/cassh.sh b/cassh.sh new file mode 100644 index 0000000..50777d1 --- /dev/null +++ b/cassh.sh 
@@ -0,0 +1,257 @@ +#!/bin/sh +# cassh - Manager for an OpenSSH Certification Authority +# +# Written in 2022 by Lucas +# +# To the extent possible under law, the author(s) have dedicated all +# copyright and related and neighboring rights to this software to the +# public domain worldwide. This software is distributed without any +# warranty. +# You should have received a copy of the CC0 Public Domain Dedication +# along with this software. If not, see +# . + +usage() +{ + cat - <&2 +Usage: + ${0##*/} issue [-hqv] [-I key_id] [-n principals] + [-V validity_interval] + ${0##*/} mkfile [-n principals] authorized_keys | known_hosts +EOF + exit 1 +} + +err() +{ + printf "%s: %s\n" "${0##*/}" "$*" >&2 + exit 1 +} + +strip_leading_zeros() +{ + _s=$1 + if [ -z "$_s" ]; then + return + fi + while [ X"${_s#0}" != X"$_s" ]; do + _s=${_s#0} + done + echo "${_s:-0}" +} + +strcmp() +{ + _r=$(expr "X$1" "$2" "X$3") + [ "${_r:-0}" -eq 1 ] +} + +# Returns comment from the ssh-agent if any is returned, otherwise it +# returns the public key's fingerprint. +get_ca_comment_from_sk() +{ + ssh-keygen -lf "$1" | { + read -r pk_sz pk_fp pk_extra + _comment=$(ssh-add -l | while read -r sk_sz sk_fp sk_extra; do + if [ "X$sk_fp" = "X$pk_fp" ]; then + echo "${sk_extra% (*)}" + break + fi + done) + echo "${_comment:-${pk_fp#*:}}" + } +} + +_template_fmt() +{ + _allowed_chars=$1 + _char=$2 + if [ "X$_char" = X% ]; then + echo % + return $? + fi + + case $_char in + [$_allowed_chars]) + ;; + *) + return 1 + ;; + esac + + _v=$(eval echo '${_template_fmt_'"$_char"':-}') + if [ -z "$_v" ]; then + return 1 + fi + + echo "$_v" +} + +template() +{ + _allowed=$1 + _s=$2 + _out= + + while [ "${_s#*%}" != "$_s" ]; do + _t=${_s#*%} + _out=$_out${_s%"%"$_t} + _s=$_t + _c=${_s%${_s#?}} + + _t=$(_template_fmt "$_allowed" "$_c") + if [ $? 
-ne 0 ]; then + return 1 + fi + _out=$_out$_t + + _s=${_s#$_c} + done + _out=$_out$_s + + echo "$_out" +} + +main_issue() +{ + hflag= + key_id_fmt=%C/%f + nflag=false + principals_fmt= + qflag= + validity_interval=always:forever + vflag= + while getopts hI:n:qV:v flag; do + case $flag in + h) hflag=-h ;; + I) key_id_fmt=$OPTARG ;; + n) nflag=true principals_fmt=$OPTARG ;; + q) qflag=-q ;; + V) validity_interval=$OPTARG ;; + v) vflag=${vflag:--}v ;; + *) usage ;; + esac + done + shift $(($OPTIND - 1)) + if [ $# -ne 0 ]; then + usage + fi + + if [ ! -f ca.pub ]; then + err "no ca.pub found" + fi + if ! ssh-add $qflag $vflag -T ca.pub; then + err "can't use CA key" + fi + if [ ! -d pubkeys/ ]; then + err "no pubkeys directory found" + fi + + if [ ! -f serial.txt ]; then + date -u +%Y%m%d000000000 >serial.txt + fi + read -r serial " "$serial_date"; then + serial_date=$current_date + serial_counter=0 + else + # Remove YYYYmmdd prefix and leading + serial_counter=$(strip_leading_zeros "${serial#????????}") + fi + serial=$(printf "%s%09u\n" "$serial_date" "$serial_counter") + + _template_fmt_C=$(get_ca_comment_from_sk ca.pub) + find pubkeys/ -type f -name '*.pub' ! 
-name '*-cert.pub' | { + rc=0 + while read -r pk; do + pkname=${pk%.pub} + pkname=${pkname#pubkeys/} + _template_fmt_f=$pkname + + id=$(template Cf "$key_id_fmt") + set -- -I "$id" -Us ca.pub $hflag $qflag $vflag \ + -V "$validity_interval" -z "$serial" + + if $nflag; then + principals=$(template f "$principals_fmt") + ssh-keygen "$@" -n "$principals" "$pk" + else + ssh-keygen "$@" "$pk" + fi || rc=1 + + serial_counter=$(($serial_counter + 1)) + if [ $serial_counter -ge 1000000000 ]; then + err "can't issue more certificates today" + fi + serial=$(printf "%s%09u\n" "$serial_date" \ + "$serial_counter" | tee serial.txt) + + if [ $rc -ne 0 ]; then + break + fi + done + return $rc + } +} + +main_mkfile() +{ + while getopts : flag; do + case $flag in + *) usage ;; + esac + done + shift $(($OPTIND - 1)) + if [ $# -lt 1 ]; then + usage + fi + file=$1 + shift + + if [ ! -f ca.pub ]; then + err "no ca.pub found" + fi + + case $file in + authorized_keys) + if [ $# -gt 1 ]; then + usage + fi + options=cert-authority${1:+,$1} + printf "%s " "$options" + ;; + known_hosts) + if [ $# -gt 1 ]; then + usage + fi + hostnames=${1:-} + if [ -n "$hostnames" ]; then + printf "@cert-authority %s " "$hostnames" + else + printf "@cert-authority " + fi + ;; + *) + err "unknown file \"$file\"" + ;; + esac + + cat ca.pub +} + +set -u + +if [ $# -lt 1 ]; then + usage +fi +cmd=$1 +shift + +case $cmd in +issue) main_issue "$@" ;; +mkfile) main_mkfile "$@" ;; +*) usage ;; +esac
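Review bot: `_template_fmt` and `get_ca_comment_from_sk` emit the expanded value with `echo`, so a public-key basename under `pubkeys/` or an agent comment that begins with `-n`/`-e` or contains backslash sequences is rewritten by the shell's echo before it becomes the certificate's key ID, and the issued key_id then silently differs from the file it was issued for; use `printf '%s\n' "$_v"` and `printf '%s\n' "${_comment:-${pk_fp#*:}}"` instead. In `main_mkfile`, `options` and `hostnames` are copied verbatim in front of the key, so a value containing whitespace changes how the resulting authorized_keys or known_hosts line is parsed; a guard such as `case $1 in *[[:space:]]*) err "argument must not contain whitespace" ;; esac` before the printf would reject that. The `usage` text advertises `mkfile [-n principals]`, but `main_mkfile` uses `getopts :` and accepts no options, which also disagrees with the man page SYNOPSIS; the usage line should be `${0##*/} mkfile authorized_keys [options] | known_hosts [hostnames]`. The `read -r serial` line and the serial-date comparison around it appear garbled in this rendering and could not be reviewed.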