Merge branch 'master' of dark/ssh-reg into master

Dockerfile

@@ -0,0 +1,49 @@
+FROM python:3-slim
+
+MAINTAINER n1trux
+RUN apt-get update &&\
+    apt-get -y upgrade &&\
+    DEBIAN_FRONTEND=noninteractive apt-get -y install \
+     nano rsync openssh-server acl
+
+# Clean up APT when done.
+RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+
+# private/{scripts, administrate.py}, public/{scripts, userapplications.py}, config/userapplicatonsconfig.ini
+#configs, logs, db
+COPY config/applicationsconfig.ini /app/data/applicationsconfig.ini
+
+# admin scripts
+COPY private/ /app/admin/
+
+# user accessible scripts
+# Make TILDE_ENV 
+COPY public/ /app/user/
+#SSH config into /etc :)
+COPY config/etc /etc
+
+# create user for applications
+RUN useradd -Md /app/user/ -s /app/user/userapplication.py tilde
+
+# make tilde's password empty
+RUN passwd -d tilde
+RUN usermod -U tilde
+
+# add admin user
+RUN useradd -Md /app/admin -s /app/admin/administrate.py admin
+# privilege separation directory
+RUN mkdir -p /var/run/sshd
+
+# expose SSH port
+EXPOSE 22
+ENV TILDE_CONF="/app/data/applicationsconfig.ini"
+#COPY config/environment /app/user/.ssh/environment
+RUN mkdir /app/user/.ssh
+RUN echo TILDE_CONF=$TILDE_CONF > /app/user/.ssh/environment
+RUN touch /app/data/applications.sqlite
+RUN touch /app/data/applications.log
+#  Doesnt work, @TODO why
+#RUN setfacl -R -m u:tilde:rwx /app/data/
+RUN chown -R tilde  /app/data
+CMD ["/usr/sbin/sshd", "-D"]

config/applicationsconfig.ini

@@ -0,0 +1,23 @@
+[DEFAULT]
+base_path=/app/data/
+applications_db=%(base_path)sapplications.sqlite
+log_dir=/app/data/
+log_file=%(log_dir)sapplications.log
+user_creationscript=%(base_path)s/scripts/make-tilde-user.sh
+
+[USERS]
+UserGroup=tilde
+userPWLock=yes
+chmodPerms=0o700
+chmodParams=-Rv
+chownParams=%(chmodParams)s
+chownGroups=%(UserGroup)s:%(UserGroup)s
+
+[LOG_LEVEL]
+log_level=%(log_debug)s
+log_notset=0
+log_debug=10
+log_info=20
+log_warning=30
+log_error=40
+lo0g_critical=50

config/environment

@@ -0,0 +1 @@
+TILDE_CONF=/app/data/applicationsconfig.ini

config/etc/login.defs

@@ -0,0 +1,29 @@
+MAIL_DIR        /var/mail
+FAILLOG_ENAB		yes
+LOG_UNKFAIL_ENAB	no
+LOG_OK_LOGINS		no
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+FTMP_FILE	/var/log/btmp
+SU_NAME		su
+HUSHLOGIN_FILE	.hushlogin
+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+TTYGROUP	tty
+TTYPERM		0600
+ERASECHAR	0177
+KILLCHAR	025
+UMASK		022
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_WARN_AGE	7
+UID_MIN			100000
+UID_MAX			165536
+GID_MIN			100000
+GID_MAX			165536
+LOGIN_RETRIES		5
+LOGIN_TIMEOUT		60
+CHFN_RESTRICT		rwh
+DEFAULT_HOME	yes
+USERGROUPS_ENAB yes
+ENCRYPT_METHOD SHA512

config/etc/ssh/sshd_config

@@ -0,0 +1,11 @@
+UseDNS no
+Protocol 2
+SyslogFacility AUTHPRIV
+PermitRootLogin no
+PermitUserEnvironment yes
+PubkeyAuthentication yes
+ChallengeResponseAuthentication no
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+Match User tilde
+  PermitEmptyPasswords yes

private/scripts/delusers.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+cut -d: -f1 /etc/passwd | grep test > deltest.txt
+while read name; do 
+	userdel "$name"
+	rm -rf /home/$name
+  if [ "$#" -eq 1 ]; then
+    sqlite3 -batch $1 "DELETE FROM applications WHERE username = '$name'"
+  fi
+done < deltest.txt
+
+rm -f deltest.txt

private/scripts/make-tilde-user.sh

@@ -0,0 +1,23 @@
+#!/bin/env bash
+USERNAME=$1
+REALNAME=$2
+EMAIL=$3
+PUBKEY=$4
+
+adduser $USERNAME
+
+# empty password
+usermod --lock $USERNAME
+
+# add to tilde group
+usermod -a -G tilde $USERNAME
+
+# paste ssh key
+mkdir /home/$USERNAME/.ssh
+echo $PUBKEY >/home/$USERNAME/.ssh/authorized_keys
+
+# fix perms
+chmod -Rv 700 /home/$USERNAME/.ssh/
+chown -Rv $USERNAME:$USERNAME /home/$USERNAME/.ssh/
+echo "user created."
+return 0

private/scripts/testinput.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/expect
+expr {srand([clock seconds])}    ;# initialize RNG
+set username "testuser"
+set mail "test@testmail.com"
+set name "test Name"
+set sshkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Tob2HvgKL5yns9BQpb/EJENR3UurMdhM9oc7tQ/USw/nIiisRDp4qmwqZM3kyl1RfkGoSiEALCogM693jl/2RO2MFLW/Da9WFuXwBmV4wMbQZQiZJCvqyMBW7uPHgfCXJ2E8T707Ixwv9S9gtmwgAqg/+x12C0fF7P45MpO3Mvc+6ZPdP5qg/GCaej67KHqfVTb4/OMrvHkRTlETFYVNj4B/uwuA7NxTi8YkCSKH+BGCLYDl95uISrHOxaKbeDb6OgkgdYS9ygg2F7r3S36n8woLdSXqJNpxx2zLgO8Ow9KE0paezyeQqPPjbYu6l8y2IAkKCWTHKTAQ6DFgcvAD darksider3@prism"
+set y "y"
+set random "[expr {int(rand() * 1000)}]"
+spawn ./userapplication.py
+
+expect "allowed:"
+send "$username$random\r"
+expect "full name:"
+send "$name\r"
+expect "email address:"
+send "$random$mail\r"
+expect "ssh public key:"
+send "$sshkey\r"
+expect "correct?*"
+send "$y\r"
+interact
+
+spawn ./administrate.py
+
+expect -glob "*-> "
+send "1\r"
+expect -glob  "*->"
+send "\r"
+expect -glob  "*-> "
+send "A\r"
+expect -glob  "*..."
+send "\r"
+expect -glob "*-> "
+send "4\r"
+interact