gen

app/neato_fns.php

@@ -210,3 +210,28 @@ function safe_cmd_quotes($data) {
 function safe_cmd($input, $in = '') {
     return (!empty($in)) ? escapeshellcmd(escapeshellarg($input) . " " . escapeshellarg($in)) : escapeshellcmd(escapeshellarg($input));
 }
+
+function cgetopt($Options = []) {
+    global $argv;
+    $options = [];
+    $currentOption = null;
+    for ($i = 1; $i < count($argv); $i++) {
+        $arg = $argv[$i];
+        if (substr($arg, 0, 1) == '-') {
+            $arg = substr($arg, 1);
+            if (in_array($arg, $Options)) {
+                $currentOption = $arg;
+                $options[$currentOption] = true;
+            } else {
+                $currentOption = null;
+            }
+        } else {
+            // Option value
+            if ($currentOption !== null) {
+                $options[$currentOption] = $arg;
+                $currentOption = null;
+            }
+        }
+    }
+    return $options;
+}

app/utils/keygen.php

@@ -17,5 +17,12 @@ class keygen {
     check_for_error($exit_code, "Unable to run ssh-keygen command: {$file}");
     return $exit_code;
   }
-  
+
+ public static function sign(string $host_ca_file, string $hostname, string $type="-h", string $fqdn = "", string $validfor = "+52w", string $file) {
+    exec(\neato::get_user_bin . 'ssh-keygen -s '. safe_cmd($host_ca_file).' -I '. safe_cmd($hostname).' '. safe_cmd($type).' -n '. safe_cmd($fqdn).' -V '. safe_cmd($validfor).' '. safe_cmd($file), $output, $exit_code);
+    display($output);
+    check_for_error($exit_code, "Unable to run ssh-keygen command: {$file}");
+    return $exit_code;
+  }
+ 
 }

config_files/deploy_sshd.php

@@ -1,27 +1,57 @@
 <?php
 
-$AllowUsers = "bobs";
-$PortNumber = "2299";
-$usePAM = "no";
+$options = cgetopt(["port","users","pam","inet","rekey"]);
+//var_dump($options); exit(0);
 
-force_root();
-run_once();
+$port = $options['port'] ?? null;
+$users = $options['users'] ?? null;
+$pam = $options['pam'] ?? null;
+$inet = $options['inet'] ?? null;
+$rekey = $options['rekey'] ?? "no";
+
+$AllowUsers = $users ?? "bobs";
+$PortNumber = $port ?? "2299";
+
+enum PAM: string {
+    case yes = "yes";
+    case no = "no";
 
-if (file_exists("/etc/ssh/ssh_host_rsa_key")) {
-    cp("/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_rsa_key_backup");
-    rm("/etc/ssh/ssh_host_rsa_key");
+    public function getValue(): string {
+        return $this->value;
+    }    
 }
-if (file_exists("/etc/ssh/ssh_host_ed25519_key")) {
-    cp("/etc/ssh/ssh_host_ed25519_key", "/etc/ssh/ssh_host_ed25519_key_backup");
-    rm("/etc/ssh/ssh_host_ed25519_key");
+$usePAM = $pam ?? PAM::no->getValue(); // yes or no
+
+enum INet: string {
+    case IPv4 = "inet";
+    case IPv6 = "inet6";
+    case any = "any";
+    
+    public function getValue(): string {
+        return $this->value;
+    }    
 }
+$allowedInet = $inet ?? INet::any->getValue(); // any, IPv4, or IPv6
 
-do_command('keygen::rsa', "/etc/ssh/ssh_host_rsa_key");
-do_command('keygen::ed25519', "/etc/ssh/ssh_host_ed25519_key");
+force_root();
+run_once();
+
+if ($rekey == "yes") {
+    if (file_exists("/etc/ssh/ssh_host_rsa_key")) {
+        cp("/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_rsa_key_backup");
+        rm("/etc/ssh/ssh_host_rsa_key");
+    }
+    if (file_exists("/etc/ssh/ssh_host_ed25519_key")) {
+        cp("/etc/ssh/ssh_host_ed25519_key", "/etc/ssh/ssh_host_ed25519_key_backup");
+        rm("/etc/ssh/ssh_host_ed25519_key");
+    }
+    do_command('keygen::rsa', "/etc/ssh/ssh_host_rsa_key");
+    do_command('keygen::ed25519', "/etc/ssh/ssh_host_ed25519_key");
+}
 
 $sshd = "Protocol 2    
 Port $PortNumber
-#AddressFamily inet
+AddressFamily $allowedInet
 #ListenAddress ::
 #ListenAddress 0.0.0.0
 
@@ -46,6 +76,8 @@ LogLevel INFO
 LoginGraceTime 2m
 PermitRootLogin no
 AllowUsers $AllowUsers
+#AllowGroups ssh_users
+#DenyGroups
 StrictModes yes
 MaxAuthTries 6
 MaxSessions 10