mirror of
https://github.com/ryantm/agenix.git
synced 2024-11-22 17:50:48 +03:00
Merge pull request #152 from ryantm/rtm-2-18-fix-bogus-id-rsa
This commit is contained in:
commit
78a22dbc0d
3 changed files with 25 additions and 6 deletions
|
@ -107,12 +107,14 @@ function edit {
|
||||||
if [ -f "$FILE" ]
|
if [ -f "$FILE" ]
|
||||||
then
|
then
|
||||||
DECRYPT=("${DEFAULT_DECRYPT[@]}")
|
DECRYPT=("${DEFAULT_DECRYPT[@]}")
|
||||||
|
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
|
||||||
if [ -f "$HOME/.ssh/id_rsa" ]; then
|
if [ -f "$HOME/.ssh/id_rsa" ]; then
|
||||||
DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
|
DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
|
||||||
fi
|
fi
|
||||||
if [ -f "$HOME/.ssh/id_ed25519" ]; then
|
if [ -f "$HOME/.ssh/id_ed25519" ]; then
|
||||||
DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
|
DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
|
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
|
||||||
echo "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
|
echo "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
|
||||||
exit 1
|
exit 1
|
||||||
|
|
|
@ -1,18 +1,24 @@
|
||||||
# Do not copy this! It is insecure. This is only okay because we are testing.
|
# Do not copy this! It is insecure. This is only okay because we are testing.
|
||||||
{
|
{config, ...}: {
|
||||||
system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"];
|
system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"];
|
||||||
|
|
||||||
system.activationScripts.installSSHHostKeys.text = ''
|
system.activationScripts.installSSHHostKeys.text = ''
|
||||||
|
USER1_UID="${toString config.users.users.user1.uid}"
|
||||||
|
USERS_GID="${toString config.users.groups.users.gid}"
|
||||||
|
|
||||||
mkdir -p /etc/ssh /home/user1/.ssh
|
mkdir -p /etc/ssh /home/user1/.ssh
|
||||||
|
chown $USER1_UID:$USERS_GID /home/user1/.ssh
|
||||||
(
|
(
|
||||||
umask u=rw,g=r,o=r
|
umask u=rw,g=r,o=r
|
||||||
cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
|
cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
|
||||||
cp ${../example_keys/user1.pub} /home/user1/.ssh/id_ed25519.pub
|
cp ${../example_keys/user1.pub} /home/user1/.ssh/id_ed25519.pub
|
||||||
|
chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519.pub
|
||||||
)
|
)
|
||||||
(
|
(
|
||||||
umask u=rw,g=,o=
|
umask u=rw,g=,o=
|
||||||
cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
|
cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
|
||||||
cp ${../example_keys/user1} /home/user1/.ssh/id_ed25519
|
cp ${../example_keys/user1} /home/user1/.ssh/id_ed25519
|
||||||
|
chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519
|
||||||
touch /etc/ssh/ssh_host_rsa_key
|
touch /etc/ssh/ssh_host_rsa_key
|
||||||
)
|
)
|
||||||
'';
|
'';
|
||||||
|
|
|
@ -39,6 +39,7 @@ pkgs.nixosTest {
|
||||||
user1 = {
|
user1 = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
passwordFile = config.age.secrets.passwordfile-user1.path;
|
passwordFile = config.age.secrets.passwordfile-user1.path;
|
||||||
|
uid = 1000;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -78,5 +79,15 @@ pkgs.nixosTest {
|
||||||
assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
|
assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
|
||||||
assert len(h[0].strip()) == 64, "hash length is incorrect"
|
assert len(h[0].strip()) == 64, "hash length is incorrect"
|
||||||
assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
|
assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
|
||||||
|
|
||||||
|
userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
|
||||||
|
|
||||||
|
# user1 can edit passwordfile-user1.age
|
||||||
|
system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
|
||||||
|
|
||||||
|
# user1 can edit even if bogus id_rsa present
|
||||||
|
system1.succeed(userDo("echo bogus > ~/.ssh/id_rsa"))
|
||||||
|
system1.fail(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
|
||||||
|
system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519"))
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue