Add sshd setup instructions

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2025-02-03 10:43:03 +01:00 · 2014-12-20 12:57:15 +01:00 · 2014-12-20 12:57:15 +01:00 · e1aac98bf5
commit e1aac98bf5
parent 1dcdd3b3ea
3 changed files with 185 additions and 81 deletions
--- a/108
+++ b/108
@ -1,96 +1,42 @@
-Setup on Arch Linux:
+Setup on Arch Linux
-====================
+===================
 1) Install Apache, MySQL, PHP, git and php-pear
  # pacman -Syu apache mysql php git php-pear
-2) Set a local 'hostname' of 'aur'
+1) Clone the AUR project:
 - Edit /etc/hosts and append 'aur' to loopback address
   127.0.0.1    localhost aur
-3) Configure Apache
+   $ cd /srv/http/
 - Edit /etc/httpd/conf/httpd.conf and enable PHP support
   by adding the following lines.
   LoadModule php5_module modules/libphp5.so
   Include conf/extra/php5_module.conf
 - Also append the following snippet to enable the aur
   Virtual Host in /etc/httpd/conf/extra/httpd-vhosts.conf.
 	 Comment out the example vhosts and replace MYUSER with your username.
 	 (You could put aur in /srv/http/aur and then create a symlink in ~ )
   <VirtualHost aur:80>
   Servername    aur
   DocumentRoot  /home/MYUSER/aur/web/html
   ErrorLog    /var/log/httpd/aur-error.log
   CustomLog   /var/log/httpd/aur-access.log combined
     <Directory /home/MYUSER/aur/web/html>
       Options Indexes FollowSymLinks
       AllowOverride All
       Order allow,deny
       Allow from all
     </Directory>
   </VirtualHost>
 - In httpd.conf, uncomment this line:
   Include conf/extra/httpd-vhosts.conf
 4) Clone the AUR project (using the MYUSER from above)
   $ cd
   $ git clone git://projects.archlinux.org/aur.git
-5) Configure PHP
+2) Setup a web server with PHP and MySQL.
   Make sure you have mysql and json enabled in PHP.
- - Edit php.ini and uncomment/add this line:
+3) Copy conf/config.proto to conf/config and adjust the configuration.
   extension=pdo_mysql.so
-   If this PHP extension is a separate package on your system, install it.
+4) Create a new MySQL database and a user and import the AUR SQL schema:
-6) Configure MySQL
+   $ mysql -uaur -p AUR </srv/http/aur/schema/aur-schema.sql
 - Start the MySQL service. Example:
   # systemctl start mysqld
- - Create database
+5) Clone the OpenSSH project, apply the AUR sshd patch and run `make`:
   # mysqladmin -p create AUR
- - Connect to the mysql client
+   $ cd /srv/http/aur/
-   $ mysql -uroot -p AUR
+   $ git clone git://anongit.mindrot.org/openssh.git
   $ cd openssh
   $ git am ../scripts/git-integration/0001-Patch-sshd-for-the-AUR.patch
   $ autoreconf
   $ ./configure
   $ make
- - Issue the following commands to the mysql client
+6) Create and edit the sshd configuration:
   mysql> GRANT ALL PRIVILEGES ON AUR.* to aur@localhost
       -> identified by 'aur';
   mysql> FLUSH PRIVILEGES;
   mysql> quit
- - Load the schema file
+   $ cd /srv/http/aur/
-   $ mysql -uaur -p AUR < ~/aur/schema/aur-schema.sql
+   $ umask 077
-   (give password 'aur' at the prompt)
+   $ mkdir .ssh/
   $ ssh-keygen -f .ssh/ssh_host_rsa_key -N '' -t rsa
   $ cp scripts/git-integration/sshd_config .ssh/
- - Optionally load some test data for development purposes.
+7) Create a new user and change ownership of the .ssh directory:
   # pacman -S words fortune-mod
   $ cd ~/aur/schema/
   $ python gendummydata.py dummy-data.sql
   $ bzip2 dummy-data.sql
   $ bzcat dummy-data.sql.bz2 | mysql -uaur -p AUR
   (give password 'aur' at the prompt)
-   If your test data consists of real people and real email addresses consider
+   # useradd -U -d /srv/http/aur -c 'AUR user' aur
-   inserting bogus addressess to avoid sending unwanted spam from testing. You
+   # chown aur:aur /srv/http/aur/.ssh/
   can insert garbage addresses with:
   mysql> UPDATE Users SET Email = RAND() * RAND();
-7) Copy the config.inc.php.proto file to config.inc.php. Modify as needed.
+8) Run the sshd as the new user.
   $ cd ~/aur/web/lib/
   $ cp config.inc.php.proto config.inc.php
-   In case you set $USE_VIRTUAL_URLS to true (default nowadays) you should add
+   $ /srv/http/aur/openssh/sshd -f /srv/http/aur/.ssh/sshd_config
   a rewrite rule. For Apache, add this ~/aur/web/html/.htaccess:
   RewriteEngine on
   RewriteCond %{REQUEST_URI} !^/index.php
   RewriteRule ^(.*)$ /index.php/$1
 8) Point your browser to http://aur
--- a/scripts/git-integration/0001-Patch-sshd-for-the-AUR.patch
+++ b/scripts/git-integration/0001-Patch-sshd-for-the-AUR.patch
@ -0,0 +1,152 @@
 From e23745b61a46f034bca3cab9936c24c249afdc7f Mon Sep 17 00:00:00 2001
 From: Lukas Fleischer <archlinux@cryptocrack.de>
 Date: Sun, 21 Dec 2014 22:17:48 +0100
 Subject: [PATCH] Patch sshd for the AUR
 * Add SSH_KEY_FINGERPRINT and SSH_KEY variables to the environment of
  the AuthorizedKeysCommand which allows for efficiently looking up SSH
  keys in the AUR database.
 * Remove the secure path check for the AuthorizedKeysCommand. We are
  running the sshd under a non-privileged user who has as little
  permissions as possible. In particular, he does not own the directory
  that contains the scripts for the Git backend.
 * Prevent from running the sshd as root.
 Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
 ---
 auth2-pubkey.c | 48 +++++++++++++++++++++++++++++++++++++++++++-----
 ssh.h          | 12 ++++++++++++
 sshd.c         |  5 +++++
 sshd_config.5  |  5 +++++
 4 files changed, 65 insertions(+), 5 deletions(-)
 diff --git a/auth2-pubkey.c b/auth2-pubkey.c
 index 0a3c1de..baf4922 100644
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
@@ -510,6 +510,8 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 	int status, devnull, p[2], i;
 	pid_t pid;
 	char *username, errmsg[512];
 +	struct sshbuf *b = NULL, *bb = NULL;
 +	char *keytext, *uu = NULL;
 	if (options.authorized_keys_command == NULL ||
 	    options.authorized_keys_command[0] != '/')
@@ -538,11 +540,6 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 		    options.authorized_keys_command, strerror(errno));
 		goto out;
 	}
 -	if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
 -	    errmsg, sizeof(errmsg)) != 0) {
 -		error("Unsafe AuthorizedKeysCommand: %s", errmsg);
 -		goto out;
 -	}
 	if (pipe(p) != 0) {
 		error("%s: pipe: %s", __func__, strerror(errno));
@@ -568,6 +565,47 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 		for (i = 0; i < NSIG; i++)
 			signal(i, SIG_DFL);
 +		keytext = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 +		if (setenv(SSH_KEY_FINGERPRINT_ENV_NAME, keytext, 1) == -1) {
 +			error("%s: setenv: %s", __func__, strerror(errno));
 +			_exit(1);
 +		}
 +
 +		if (!(b = sshbuf_new()) || !(bb = sshbuf_new())) {
 +			error("%s: sshbuf_new: %s", __func__, strerror(errno));
 +			_exit(1);
 +		}
 +		if (sshkey_to_blob_buf(key, bb) != 0) {
 +			error("%s: sshkey_to_blob_buf: %s", __func__,
 +			    strerror(errno));
 +			_exit(1);
 +		}
 +		if (!(uu = sshbuf_dtob64(bb))) {
 +			error("%s: sshbuf_dtob64: %s", __func__,
 +			    strerror(errno));
 +			_exit(1);
 +		}
 +		if (sshbuf_putf(b, "%s ", sshkey_ssh_name(key))) {
 +			error("%s: sshbuf_putf: %s", __func__,
 +			    strerror(errno));
 +			_exit(1);
 +		}
 +		if (sshbuf_put(b, uu, strlen(uu) + 1)) {
 +			error("%s: sshbuf_put: %s", __func__,
 +			    strerror(errno));
 +			_exit(1);
 +		}
 +		if (setenv(SSH_KEY_ENV_NAME, sshbuf_ptr(b), 1) == -1) {
 +			error("%s: setenv: %s", __func__, strerror(errno));
 +			_exit(1);
 +		}
 +		if (uu)
 +			free(uu);
 +		if (b)
 +			sshbuf_free(b);
 +		if (bb)
 +			sshbuf_free(bb);
 +
 		if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
 			error("%s: open %s: %s", __func__, _PATH_DEVNULL,
 			    strerror(errno));
 diff --git a/ssh.h b/ssh.h
 index c94633b..411ea86 100644
 --- a/ssh.h
 +++ b/ssh.h
@@ -97,3 +97,15 @@
 /* Listen backlog for sshd, ssh-agent and forwarding sockets */
 #define SSH_LISTEN_BACKLOG		128
 +
 +/*
 + * Name of the environment variable containing the incoming key passed
 + * to AuthorizedKeysCommand.
 + */
 +#define SSH_KEY_ENV_NAME "SSH_KEY"
 +
 +/*
 + * Name of the environment variable containing the incoming key fingerprint
 + * passed to AuthorizedKeysCommand.
 + */
 +#define SSH_KEY_FINGERPRINT_ENV_NAME "SSH_KEY_FINGERPRINT"
 diff --git a/sshd.c b/sshd.c
 index 4e01855..60c676f 100644
 --- a/sshd.c
 +++ b/sshd.c
@@ -1424,6 +1424,11 @@ main(int ac, char **av)
 	av = saved_argv;
 #endif
 +	if (geteuid() == 0) {
 +		fprintf(stderr, "this is a patched version of the sshd that must not be run as root.\n");
 +		exit(1);
 +	}
 +
 	if (geteuid() == 0 && setgroups(0, NULL) == -1)
 		debug("setgroups(): %.200s", strerror(errno));
 diff --git a/sshd_config.5 b/sshd_config.5
 index ef36d33..1d7bade 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
@@ -223,6 +223,11 @@ It will be invoked with a single argument of the username
 being authenticated, and should produce on standard output zero or
 more lines of authorized_keys output (see AUTHORIZED_KEYS in
 .Xr sshd 8 ) .
 +The key being used for authentication (the key's type and the key text itself,
 +separated by a space) will be available in the
 +.Ev SSH_KEY
 +environment variable, and the fingerprint of the key will be available in the
 +.Ev SSH_KEY_FINGERPRINT environment variable.
 If a key supplied by AuthorizedKeysCommand does not successfully authenticate
 and authorize the user then public key authentication continues using the usual
 .Cm AuthorizedKeysFile
 -- 
 2.2.1
--- a/scripts/git-integration/sshd_config
+++ b/scripts/git-integration/sshd_config
@ -0,0 +1,6 @@
 Port 2222
 HostKey ~/.ssh/ssh_host_rsa_key
 PasswordAuthentication no
 UsePrivilegeSeparation no
 AuthorizedKeysCommand /srv/http/aur/scripts/git-integration/git-auth.py
 AuthorizedKeysCommandUser aur