Add comprehensive inline metadata documentation to all BackTunnel scripts

2025-09-21 09:45:43 +02:00
parent 17cdbe9c55
commit 0e82955af5
11 changed files with 466 additions and 20 deletions


@@ -1,4 +1,39 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-3.0-or-later
# Copyright (c) 2025 LUXIM d.o.o., Slovenia
# Author: Matjaž Mozetič
#
# Name: backtunnel-auth-setup
# Summary: Initialize a tunnel-only, SFTP-only SSH key for BackTunnel access via reverse tunnel.
# Description:
# Generates (if missing) a dedicated SSH key (~/.ssh/id_ed25519_backtunnel) and installs its public
# key on the remote accounts authorized_keys, restricted to:
# from="127.0.0.1",command="internal-sftp",restrict
# This makes the key usable only through the reverse tunnel (localhost on the remote) and only for SFTP,
# not for shell or port-forwarding.
#
# Usage:
# backtunnel-auth-setup [-p PORT] user@localhost
#
# Examples:
# backtunnel-auth-setup alice@localhost
# backtunnel-auth-setup -p 4422 alice@localhost
#
# Dependencies:
# - bash
# - ssh, ssh-keygen
#
# Exit codes:
# 0 success (key exists/created, restricted entry ensured)
# 1 invalid usage (missing destination) or other failures
#
# Security:
# - The installed authorized_keys entry is tightly scoped to 127.0.0.1 and internal-sftp with restrict.
# - Remote authorized_keys is created with 600 permissions; umask 077 enforced during remote script.
#
# Notes:
# - Idempotent: re-running wont duplicate the restricted line if it is already present.
# Initialize tunnel-only SSH auth for BackTunnel (Option A)
# Usage: backtunnel-auth-setup [-p PORT] user@localhost
set -euo pipefail
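Review bot: The two legacy header lines (`# Initialize tunnel-only SSH auth for BackTunnel (Option A)` and `# Usage: backtunnel-auth-setup [-p PORT] user@localhost`) survive directly below the new metadata block, so the new side now carries the Usage line twice; drop them or fold "(Option A)" into the `# Summary:` line. The Security section's claim that the key is usable "only through the reverse tunnel" overstates what `from="127.0.0.1"` enforces: sshd checks the peer address, so any connection originating on the remote host's loopback satisfies it whether or not it arrived via the tunnel — consider adding `# - from="127.0.0.1" limits the source address to the remote host's loopback; it does not by itself prove the connection came through the tunnel.` The `restrict` keyword requires OpenSSH 7.2 or newer on the remote sshd, which belongs under Dependencies. Minor wording in the added comments: `wont` → `won't`, and `remote accounts authorized_keys` → `remote account's authorized_keys`.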
@@ -28,7 +63,7 @@ fi
# 2) Append restricted key only (idempotent): tunnel-only + SFTP-only
echo "Installing restricted key (tunnel-only, SFTP-only) via port $PORT ..."
RESTRICTED_LINE="$(printf 'from="127.0.0.1",command="internal-sftp",restrict '; cat "$PUB")"
RESTRICTED_LINE="$(printf 'from=\"127.0.0.1\",command=\"internal-sftp\",restrict '; cat "$PUB")"
ssh -p "$PORT" "$DEST" bash -lc '
set -euo pipefail
umask 077
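Review bot: The new RESTRICTED_LINE assignment escapes the double quotes as `\"` inside a single-quoted printf format string, which changes nothing at runtime — bash's printf decodes `\"` to `"` — but reads as though a literal backslash were meant to land in the authorized_keys option string; the removed form `printf 'from="127.0.0.1",command="internal-sftp",restrict '` is the clearer of the two and should be kept, or a comment should record why the escaped form was chosen. If the motivation was quoting inside the remote `bash -lc '...'` script, note that RESTRICTED_LINE appears to be assigned locally on this line, before the single-quoted remote script begins; how it reaches the remote side is outside the hunk. The remote script opened by `ssh -p "$PORT" "$DEST" bash -lc '` continues past the end of this hunk.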