Merge pull request #58 from ivanilves/server-sudo

Bootstrap server-side sudo
Ivan Ilves 2018-01-14 14:43:06 +01:00 committed by GitHub
commit 4408c01854
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 27 additions and 2 deletions


@ -39,6 +39,9 @@ You will need:
## Mac note
Install [TunTap for Mac OS X](http://tuntaposx.sourceforge.net/) first.
## Server-side sudo note
If you do not have passwordless **sudo** on the side of SSH server, you will need to enter **sudo** password every time you connect to this server. You will be also unable to use `xaval` "background" connect option (see `xaval toggle`).
## Route discovery
Specifying routes by hand is not bad. But we could make it better by creating an executable `discover-routes` script in the project directory. If no routes are passed by hand, `xiringuito` will run `discover-routes`, pass SSH server hostname to it and use script output as a list of routes, so you may have per-host or per-domain route lists instead of boring manual typing. More information is available in [AWS example](https://github.com/ivanilves/xiringuito/blob/master/discover-routes.aws.example) which uses AWS CLI to discover VPC subnets and route traffic to them through our VPN tunnel.


@ -0,0 +1,20 @@
#!/usr/bin/env bash
#
# Bootstrap sudoers.d config on server side before doing anything else!
#
set -e
if [[ ${#} -lt 1 ]]; then
echo "Usage: ${0} [OPTIONS] [SSH_USER@]SSH_SERVER"
exit 1
fi
declare -r SUDO_CONF="'ALL=(ALL) NOPASSWD:ALL'"
declare -r SUDO_NOTE="'# Managed by xiringuito, DO NOT EDIT!!!'"
declare -r BASE_NAME=/etc/sudoers.d/xiringuito
declare -r STDOUTERR=/tmp/xiringuito.$(basename ${0}).${USER}
ssh -t -oStrictHostKeyChecking=no ${@} \
"sudo true && sudo bash -c \
\"umask 0337 && echo -e ${SUDO_NOTE}'\n'\${USER} ${SUDO_CONF} | tee ${BASE_NAME}-\${USER}\" >/dev/null" \
&>${STDOUTERR}
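Review bot: `-oStrictHostKeyChecking=no` on the ssh line turns off host-key verification for the one connection that then runs `sudo bash -c` and installs an `ALL=(ALL) NOPASSWD:ALL` rule on the remote host, so a misdirected or intercepted connection would plant that rule on the wrong machine; drop the option (or use `-oStrictHostKeyChecking=accept-new`) and let callers relax it via their own extra options if they must. `${@}` should be `"$@"`, since an option value containing a space would otherwise be split before ssh sees it. `STDOUTERR=/tmp/xiringuito.$(basename ${0}).${USER}` is a predictable name in the shared /tmp and `&>` will happily follow a symlink another local user left there; use `out=$(mktemp)` with a `trap 'rm -f -- "$out"' EXIT`, or write under the user's own `~/.xiringuito` directory. Because `ssh -t` relays the remote pty to stdout, the remote sudo password prompt presumably lands in that file rather than on the terminal — worth confirming and, if so, writing the prompt to stderr or leaving stdout alone.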


@ -26,6 +26,7 @@ function teardown() {
kill ${PPID}
sleep 2
[[ ! -x /usr/sbin/tunctl ]] && sudo ip tuntap del mode tun ${NETWORK_DEVICE} || sudo /usr/sbin/tunctl -d ${NETWORK_DEVICE}
sudo rm -f /etc/sudoers.d/xiringuito-${USER}
}
FAILED_PINGS=0
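Review bot: The added `sudo rm -f /etc/sudoers.d/xiringuito-${USER}` appears to run on the client (the surrounding teardown also kills `${PPID}` and deletes the local tun device), while the file this pull request creates is written on the SSH server by the bootstrap script (`tee ${BASE_NAME}-\${USER}` inside `ssh ... sudo bash -c`), so the server-side `NOPASSWD:ALL` rule outlives the session and the client normally has no such file to remove. `${USER}` here is also the local login, which differs from the remote account whenever `SSH_USER@` is given. If the intent is to revoke the server grant, the removal has to go over ssh as well (`ssh ... "sudo rm -f /etc/sudoers.d/xiringuito-\$USER"`), which in turn needs sudo on the server; otherwise a comment stating that the server rule is persistent by design would avoid the misleading cleanup line. teardown() begins before this hunk.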


@ -102,10 +102,11 @@ cd $(dirname ${0})
./scripts/client-preexec.sh
echo -n "[ sudo check ] "; sudo true; echo
declare -r SSH_SERVER=${1}; shift
echo -n "[ (client) sudo check ] "; sudo true; echo
echo -n "[ (server) sudo check ] "; ./scripts/bootstrap-server-sudo.sh ${SSH_PRIVATE_KEY_OPTS} ${SSH_PORT_OPTS} ${SSH_EXTRA_OPTS} ${SSH_SERVER}; echo
declare -r ROUTE_CACHE_PATH=~/.xiringuito/routes; mkdir -p ${ROUTE_CACHE_PATH}
declare -r ROUTE_CACHE_FILE=${ROUTE_CACHE_PATH}/${SSH_SERVER}
if [[ ${#} -gt 0 ]]; then