From 15e846e3a4ee27d0d2764caa4170a19becd7ffbf Mon Sep 17 00:00:00 2001
From: Yann Autissier
Date: Thu, 5 May 2022 21:33:43 +0000
Subject: [PATCH] cleanup

---
 docker/x2go/xfce-debian/setup_ecryptfs.sh | 5 -
 .../xfce-debian/setup_ecryptfs_sshagent.sh | 127 +++++++++---------
 2 files changed, 61 insertions(+), 71 deletions(-)

diff --git a/docker/x2go/xfce-debian/setup_ecryptfs.sh b/docker/x2go/xfce-debian/setup_ecryptfs.sh
index ded8858..a3d7148 100755
--- a/docker/x2go/xfce-debian/setup_ecryptfs.sh
+++ b/docker/x2go/xfce-debian/setup_ecryptfs.sh
@@ -21,17 +21,12 @@ if ! grep -q "${LOWER_DIR} ${UPPER_DIR} ecryptfs " /proc/mounts 2>/dev/null; the
 key="${KEY}",\
 no_sig_cache,\
 ecryptfs_cipher="${CIPHER}",\
-ecryptfs_enable_filename=y,\
-ecryptfs_enable_filename_crypto=y,\
 ecryptfs_fnek_sig="${FNEK_SIG}",\
 ecryptfs_key_bytes="${KEY_BYTES}",\
-ecryptfs_passthrough=n,\
 ecryptfs_unlink_sigs\
 "${LOWER_DIR}" "${UPPER_DIR}" >/dev/null
 
   # Overwrite sensible variables with random data
-  ECRYPTFS_KEY="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
-  ECRYPTFS_PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
   KEY="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
   PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
 fi
diff --git a/docker/x2go/xfce-debian/setup_ecryptfs_sshagent.sh b/docker/x2go/xfce-debian/setup_ecryptfs_sshagent.sh
index 705ed15..c2d443e 100755
--- a/docker/x2go/xfce-debian/setup_ecryptfs_sshagent.sh
+++ b/docker/x2go/xfce-debian/setup_ecryptfs_sshagent.sh
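Review bot: The scrub of `ECRYPTFS_KEY` and `ECRYPTFS_PASSPHRASE` after the mount is dropped here, while the same commit keeps the equivalent `ECRYPTFS_PASSPHRASE` overwrite in setup_ecryptfs_sshagent.sh; if those variables are inherited from the environment (their origin is above this hunk), they now stay set for the rest of the script and for every child process it spawns. If the removal is intentional because they are never exported in this script, a one-line comment under `# Overwrite sensible variables with random data` saying so would stop the next reader from re-adding it; otherwise keep the two lines, or at least `unset ECRYPTFS_KEY ECRYPTFS_PASSPHRASE`. That comment also means "sensitive", not "sensible". The enclosing `if ! grep …` block and the mount command whose option lines this hunk edits both start above the hunk.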
@@ -1,74 +1,69 @@
 #!/bin/sh
 [ -n "${DEBUG}" ] && set -x
 
-# if auto-mount ecryptfs
-if [ -f "${HOME}/.ecryptfs/auto-mount" ]; then
+LOWER_DIR="${1:-${ECRYPTFS_LOWER_DIR:-${HOME}/Secure}}"
+UPPER_DIR="${ECRYPTFS_UPPER_DIR:-${LOWER_DIR}}"
+ALIAS="${ECRYPTFS_ALIAS:-${LOWER_DIR##*/}}"
 
-  LOWER_DIR="${1:-${ECRYPTFS_LOWER_DIR:-${HOME}/Secure}}"
-  UPPER_DIR="${ECRYPTFS_UPPER_DIR:-${LOWER_DIR}}"
-  ALIAS="${ECRYPTFS_ALIAS:-${LOWER_DIR##*/}}"
+# if not already mounted
+if ! grep -q "${LOWER_DIR} ${UPPER_DIR} ecryptfs " /proc/mounts 2>/dev/null; then
 
-  # if not already mounted
-  if ! grep -q "${LOWER_DIR} ${UPPER_DIR} ecryptfs " /proc/mounts 2>/dev/null; then
+  # create mount point
+  mkdir -p "${LOWER_DIR}" "${UPPER_DIR}"
 
-    # create mount point
-    mkdir -p "${LOWER_DIR}" "${UPPER_DIR}"
-
-    # we should always use the same key when multiple keys are loaded in ssh-agent
-    if [ -f "${HOME}/.ecryptfs/${ALIAS}.key" ]; then
-      ssh_key_fingerprint=$(cat "${HOME}/.ecryptfs/${ALIAS}.key")
-    # first time, select the first key and write fingerprint to file
-    else
-      ssh_key_fingerprint=$(/usr/bin/ssh-add -l 2>/dev/null |awk '{print $2; exit;}')
-      [ -n "${ssh_key_fingerprint}" ] && printf "%s\n" "${ssh_key_fingerprint}" > "${HOME}/.ecryptfs/${ALIAS}.key"
-    fi
-
-    # select ssh key name matching fingerprint
-    ssh_key=$(/usr/bin/ssh-add -l 2>/dev/null |awk '$2 == "'"${ssh_key_fingerprint:-undef}"'" {print $3}')
-    # if ssh key
-    if [ -n "${ssh_key}" ]; then
-      # decrypt encrypted passphrase
-      if [ -f "${HOME}/.ecryptfs/${ALIAS}.ssh" ]; then
-        PASSPHRASE=$(/usr/local/bin/ssh-crypt -b -d -k "${ssh_key}" -i "${HOME}/.ecryptfs/${ALIAS}.ssh")
-      # first time, generate random passphrase and write encrypted passphrase to file
-      else
-        PASSPHRASE="${ECRYPTFS_PASSPHRASE:-$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)}"
-        printf "%s" "${PASSPHRASE}" |/usr/local/bin/ssh-crypt -b -e -k "${ssh_key}" -o "${HOME}/.ecryptfs/${ALIAS}.ssh"
-      fi
-      # load authentication token signature (fekek)
-      SIG="${ECRYPTFS_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase - |/usr/bin/awk '$5 == "sig" {print substr($6,2,16); exit;}')}"
-      # load filename authentication token signature (fnek)
-      FNEK_SIG="${ECRYPTFS_FNEK_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase --fnek - |/usr/bin/awk '$5 == "sig" && NR == 2 {print substr($6,2,16)}')}"
-
-      # Overwrite sensible variables with random data
-      ECRYPTFS_PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
-      PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
-
-      # first time, write ecryptfs_private config to file
-      if [ ! -f "${HOME}/.ecryptfs/${ALIAS}.conf" ]; then
-        printf "%s %s ecryptfs\n" "${LOWER_DIR}" "${UPPER_DIR}" > "${HOME}/.ecryptfs/${ALIAS}.conf"
-      fi
-
-      # first time, write authentication token signatures to file
-      if [ ! -f "${HOME}/.ecryptfs/${ALIAS}.sig" ]; then
-        printf "%s\n" "${SIG}" > "${HOME}/.ecryptfs/${ALIAS}.sig"
-        printf "%s\n" "${FNEK_SIG}" >> "${HOME}/.ecryptfs/${ALIAS}.sig"
-        # mount ecryptfs
-        /sbin/mount.ecryptfs_private "${ALIAS}"
-      else
-        # check authentication tokens to prevent mounting with bad ones
-        if grep "${SIG}" "${HOME}/.ecryptfs/${ALIAS}.sig" >/dev/null \
-          && grep "${FNEK_SIG}" "${HOME}/.ecryptfs/${ALIAS}.sig" >/dev/null; then
-          # mount ecryptfs
-          /sbin/mount.ecryptfs_private "${ALIAS}"
-        fi
-      fi
-
-    else
-      echo "WARNING: Unable to find ssh key ${ssh_key} in ssh agent ${SSH_AUTH_SOCK}"
-    # if ssh key
-    fi
-  # if not already mounted
+  # we should always use the same key when multiple keys are loaded in ssh-agent
+  if [ -f "${HOME}/.ecryptfs/${ALIAS}.key" ]; then
+    ssh_key_fingerprint=$(cat "${HOME}/.ecryptfs/${ALIAS}.key")
+  # first time, select the first key and write fingerprint to file
+  else
+    ssh_key_fingerprint=$(/usr/bin/ssh-add -l 2>/dev/null |awk '{print $2; exit;}')
+    [ -n "${ssh_key_fingerprint}" ] && printf "%s\n" "${ssh_key_fingerprint}" > "${HOME}/.ecryptfs/${ALIAS}.key"
   fi
-# if auto-mount ecryptfs
+
+  # select ssh key name matching fingerprint
+  ssh_key=$(/usr/bin/ssh-add -l 2>/dev/null |awk '$2 == "'"${ssh_key_fingerprint:-undef}"'" {print $3}')
+  # if ssh key
+  if [ -n "${ssh_key}" ]; then
+    # decrypt encrypted passphrase
+    if [ -f "${HOME}/.ecryptfs/${ALIAS}.ssh" ]; then
+      PASSPHRASE=$(/usr/local/bin/ssh-crypt -b -d -k "${ssh_key}" -i "${HOME}/.ecryptfs/${ALIAS}.ssh")
+    # first time, generate random passphrase and write encrypted passphrase to file
+    else
+      PASSPHRASE="${ECRYPTFS_PASSPHRASE:-$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)}"
+      printf "%s" "${PASSPHRASE}" |/usr/local/bin/ssh-crypt -b -e -k "${ssh_key}" -o "${HOME}/.ecryptfs/${ALIAS}.ssh"
+    fi
+    # load authentication token signature (fekek)
+    SIG="${ECRYPTFS_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase - |/usr/bin/awk '$5 == "sig" {print substr($6,2,16); exit;}')}"
+    # load filename authentication token signature (fnek)
+    FNEK_SIG="${ECRYPTFS_FNEK_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase --fnek - |/usr/bin/awk '$5 == "sig" && NR == 2 {print substr($6,2,16)}')}"
+
+    # Overwrite sensible variables with random data
+    ECRYPTFS_PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
+    PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
+
+    # first time, write ecryptfs_private config to file
+    if [ ! -f "${HOME}/.ecryptfs/${ALIAS}.conf" ]; then
+      printf "%s %s ecryptfs\n" "${LOWER_DIR}" "${UPPER_DIR}" > "${HOME}/.ecryptfs/${ALIAS}.conf"
+    fi
+
+    # first time, write authentication token signatures to file
+    if [ ! -f "${HOME}/.ecryptfs/${ALIAS}.sig" ]; then
+      printf "%s\n" "${SIG}" > "${HOME}/.ecryptfs/${ALIAS}.sig"
+      printf "%s\n" "${FNEK_SIG}" >> "${HOME}/.ecryptfs/${ALIAS}.sig"
+    fi
+
+    # check authentication tokens to prevent mounting with bad ones
+    if grep "${SIG}" "${HOME}/.ecryptfs/${ALIAS}.sig" >/dev/null \
+      && grep "${FNEK_SIG}" "${HOME}/.ecryptfs/${ALIAS}.sig" >/dev/null; then
+      # mount ecryptfs
+      /sbin/mount.ecryptfs_private "${ALIAS}"
+    else
+      echo "WARNING: Bad authentication token ${SIG} for ecryptfs mount ${ALIAS}"
+    fi
+
+  else
+    echo "WARNING: Unable to find ssh key ${ssh_key} in ssh agent ${SSH_AUTH_SOCK}"
+  # if ssh key
+  fi
+# if not already mounted
 fi