Merge branch '8-add-ssh-key-endpoint' into 9-delete-ssh-key-endpoint

share/restrict_command.sed

-# Usage: echo "blablabla bia" | sed -rf etc/restrictCommand.sed
-/^#/d
-s@^(agent-forwarding|cert-authority|command="[^"]*"|environment="[^"]*"|from="[^"]*"|no-agent-forwarding|no-port-forwarding|no-pty|no-user-rc|no-X11-forwarding|permitopen="[^"]*"|port-forwarding|principals="[^"]*"|pty|restrict|tunnel="[^"]*"|user-rc|X11-forwarding|,)* *@command="cd / \&\& /usr/bin/cryptops-client" @

src/api/ssh_keys_post.c

@@ -41,23 +41,11 @@ int callback_ssh_keys_post(const struct _u_request * request,
         return send_simple_response(response, 400, "error", "missing ssh-key");
     }
 
-    // Call sed to append the command correctly:
-    char * command = NULL;
-    asprintf(&command, "echo '%s' | sed -rf '%s'", ssh_key, RESTRICT_COMMAND_PATH);
-    FILE * sed_output = popen(command, "r");
+    char * ssh_key_with_command;
 
-    if (!sed_output)
-    {
-        return send_simple_response(response, 500, "error", "Internal error while handling ssh-key");
-    }
-
-    // Get the output from sed
-    char * ssh_key_with_command = read_from_file(sed_output);
+    add_ssh_command(&ssh_key_with_command, ssh_key);
 
-    if(!ssh_key_with_command)
-    {
-        return send_simple_response(response, 500, "error", "Internal error while converting ssh-key");
-    }
+    asprintf(&ssh_key_with_command, "%s\n", ssh_key_with_command);
 
     // Write SSH key to file
     fprintf(authorized_keys, ssh_key_with_command);
@@ -65,4 +53,3 @@ int callback_ssh_keys_post(const struct _u_request * request,
 
     return send_simple_response(response, 200, "status", "ok");
 }
-

src/auxiliary.c

@@ -241,7 +241,7 @@ int replace_ssh_key(int id, const char * ssh_key)
         else
         {
             // Insert the new line first
-            putc(ch);
+            putc(ch, authorized_keys_out);
 
             // Copy ssh_key to the line that has id as line number
             // Some magic happens here, where *ssh_key++ returns the current
@@ -278,3 +278,17 @@ int replace_ssh_key(int id, const char * ssh_key)
     rename(authorized_keys_out_name, AUTHORIZED_KEYS_PATH);
     return 0;
 }
+
+/**
+ * Add the SSH_COMMAND string in front of ssh_key unless it's already there
+ * because people have seen it being used in ssh_keys_list.
+ * @param[in]   ssh_key a valid ssh key string
+ */
+int add_ssh_command(char ** ssh_key_with_command, const char * ssh_key)
+{
+    if(strncmp(SSH_COMMAND, ssh_key, strlen(SSH_COMMAND)) != 0)
+        asprintf(ssh_key_with_command, "%s %s", SSH_COMMAND, ssh_key);
+    else
+        asprintf(ssh_key_with_command, "%s", ssh_key);
+    return 0;
+}

src/includes/settings.h

@@ -15,4 +15,4 @@
 #define AUTHORIZED_KEYS_DIR "/root/.ssh"
 #define AUTHORIZED_KEYS_PATH AUTHORIZED_KEYS_DIR "/authorized_keys"
 #define SSH_HOST_KEY_DIR "/dropbear"
-#define RESTRICT_COMMAND_PATH "/etc/cryptops-api/restrict_command.sed"
+#define SSH_COMMAND "command=\"cd / && /usr/bin/cryptops-client\""