Merge pull request #58 from ivanilves/server-sudo

Bootstrap server-side sudo
This commit is contained in:
Ivan Ilves 2018-01-14 14:43:06 +01:00 committed by GitHub
commit 4408c01854
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 27 additions and 2 deletions


@ -39,6 +39,9 @@ You will need:
## Mac note ## Mac note
Install [TunTap for Mac OS X](http://tuntaposx.sourceforge.net/) first. Install [TunTap for Mac OS X](http://tuntaposx.sourceforge.net/) first.
## Server-side sudo note
If you do not have passwordless **sudo** on the side of SSH server, you will need to enter **sudo** password every time you connect to this server. You will be also unable to use `xaval` "background" connect option (see `xaval toggle`).
## Route discovery ## Route discovery
Specifying routes by hand is not bad. But we could make it better by creating an executable `discover-routes` script in the project directory. If no routes are passed by hand, `xiringuito` will run `discover-routes`, pass SSH server hostname to it and use script output as a list of routes, so you may have per-host or per-domain route lists instead of boring manual typing. More information is available in [AWS example](https://github.com/ivanilves/xiringuito/blob/master/discover-routes.aws.example) which uses AWS CLI to discover VPC subnets and route traffic to them through our VPN tunnel. Specifying routes by hand is not bad. But we could make it better by creating an executable `discover-routes` script in the project directory. If no routes are passed by hand, `xiringuito` will run `discover-routes`, pass SSH server hostname to it and use script output as a list of routes, so you may have per-host or per-domain route lists instead of boring manual typing. More information is available in [AWS example](https://github.com/ivanilves/xiringuito/blob/master/discover-routes.aws.example) which uses AWS CLI to discover VPC subnets and route traffic to them through our VPN tunnel.


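--- /dev/null
+++ b/scripts/bootstrap-server-sudo.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+#
+# Bootstrap sudoers.d config on server side before doing anything else!
+#
+set -e
+if [[ ${#} -lt 1 ]]; then
+echo "Usage: ${0} [OPTIONS] [SSH_USER@]SSH_SERVER"
+exit 1
+fi
+declare -r SUDO_CONF="'ALL=(ALL) NOPASSWD:ALL'"
+declare -r SUDO_NOTE="'# Managed by xiringuito, DO NOT EDIT!!!'"
+declare -r BASE_NAME=/etc/sudoers.d/xiringuito
+declare -r STDOUTERR=/tmp/xiringuito.$(basename ${0}).${USER}
+ssh -t -oStrictHostKeyChecking=no ${@} \
+"sudo true && sudo bash -c \
+\"umask 0337 && echo -e ${SUDO_NOTE}'\n'\${USER} ${SUDO_CONF} | tee ${BASE_NAME}-\${USER}\" >/dev/null" \
+&>${STDOUTERR}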
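Review bot: The `ssh` call on the last four lines combines `-oStrictHostKeyChecking=no` with `-t` and a remote `sudo` that prompts for a password, so a host whose key does not match the known one (or an unverified first contact) is accepted silently and receives both the sudo password typed at that prompt and a `NOPASSWD:ALL` sudoers entry; `-oStrictHostKeyChecking=accept-new` (OpenSSH 7.6+) or simply dropping the override keeps a changed key a hard failure while still allowing first-time connects. `${@}` should be `"${@}"` so an option value containing a space reaches ssh intact. `STDOUTERR` is a predictable name in a shared directory (`/tmp/xiringuito.$(basename ${0}).${USER}`) that `&>` truncates and follows through a symlink, and if I read the `-t` plus `&>` combination correctly the remote sudo prompt itself lands in that file rather than on the terminal. `STDOUTERR=$(mktemp "/tmp/xiringuito.$(basename "${0}").XXXXXX")` together with `trap 'rm -f -- "${STDOUTERR}"' EXIT` removes the predictable path and the leftover file. The usage message on the `echo "Usage: ..."` line should go to stderr (`>&2`) so it is not mistaken for script output.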


@ -26,6 +26,7 @@ function teardown() {
kill ${PPID} kill ${PPID}
sleep 2 sleep 2
[[ ! -x /usr/sbin/tunctl ]] && sudo ip tuntap del mode tun ${NETWORK_DEVICE} || sudo /usr/sbin/tunctl -d ${NETWORK_DEVICE} [[ ! -x /usr/sbin/tunctl ]] && sudo ip tuntap del mode tun ${NETWORK_DEVICE} || sudo /usr/sbin/tunctl -d ${NETWORK_DEVICE}
sudo rm -f /etc/sudoers.d/xiringuito-${USER}
} }
FAILED_PINGS=0 FAILED_PINGS=0
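Review bot: The added `sudo rm -f /etc/sudoers.d/xiringuito-${USER}` runs on the client, right after the local tun-device cleanup on the previous line, but the file it names is created on the SSH server by `scripts/bootstrap-server-sudo.sh` (via `ssh ... tee ${BASE_NAME}-\${USER}`); unless `teardown()` is executed remotely, which this hunk does not show, the local remove is a no-op and the server keeps its `NOPASSWD:ALL` entry after the tunnel goes down. The remote file is also named after the server-side `$USER`, not the client's `${USER}` expanded here. If teardown is client-side, the removal has to travel over ssh with the same options the bootstrap received, e.g. `ssh ${SSH_PRIVATE_KEY_OPTS} ${SSH_PORT_OPTS} ${SSH_EXTRA_OPTS} ${SSH_SERVER} 'sudo rm -f /etc/sudoers.d/xiringuito-${USER}'` (single-quoted so `$USER` expands on the server), assuming those variables are in scope in this file. `teardown()` begins before this hunk.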


@ -102,10 +102,11 @@ cd $(dirname ${0})
./scripts/client-preexec.sh ./scripts/client-preexec.sh
echo -n "[ sudo check ] "; sudo true; echo
declare -r SSH_SERVER=${1}; shift declare -r SSH_SERVER=${1}; shift
echo -n "[ (client) sudo check ] "; sudo true; echo
echo -n "[ (server) sudo check ] "; ./scripts/bootstrap-server-sudo.sh ${SSH_PRIVATE_KEY_OPTS} ${SSH_PORT_OPTS} ${SSH_EXTRA_OPTS} ${SSH_SERVER}; echo
declare -r ROUTE_CACHE_PATH=~/.xiringuito/routes; mkdir -p ${ROUTE_CACHE_PATH} declare -r ROUTE_CACHE_PATH=~/.xiringuito/routes; mkdir -p ${ROUTE_CACHE_PATH}
declare -r ROUTE_CACHE_FILE=${ROUTE_CACHE_PATH}/${SSH_SERVER} declare -r ROUTE_CACHE_FILE=${ROUTE_CACHE_PATH}/${SSH_SERVER}
if [[ ${#} -gt 0 ]]; then if [[ ${#} -gt 0 ]]; then
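Review bot: The server-side bootstrap on the added `[ (server) sudo check ]` line is invoked for its side effect only — its exit status is never examined, and because the bootstrap script sends all ssh and sudo output to a file (`&>${STDOUTERR}`), an ssh or sudo failure on the server prints nothing here and the connect simply continues. Unless this file runs under `set -e` (not visible in the hunk), append `|| { echo "server sudo bootstrap failed" >&2; exit 1; }` to that call so the failure is reported before any tunnel is built. Quoting `"${SSH_SERVER}"` costs nothing; the `*_OPTS` variables are evidently unquoted on purpose for word-splitting, so a short comment such as `# *_OPTS are word-split intentionally` would keep the next ShellCheck pass from "fixing" them.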