bin/openakc-server

#!/bin/bash

# Filename	: /usr/sbin/openakc_server
# Function	: OpenAKC Authentication API handler
#
# Copyright (C) 2019-2020  A. James Lewis
#
#  This program is free software: you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation, either version 2 of the License, or
#  (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program.  If not, see <https://www.gnu.org/licenses/>.
#

#
# Static Values / Setup
#

trap '' SIGTSTP
trap '' SIGINT
#declare -A returnval
#declare -a returnarr
RELEASE="0.0"

#
# Defaults
#
DATADIR="/var/lib/openakc"
PREEXEC="/bin/true"
POSTEXEC="/bin/true"
CONFFILE="/etc/openakc/openakc.conf"
tmout=90 # Entire transaction must be completed in this number of seconds (Warning, includes QUIZ).
APIS="localhost"
PORT="889"
DEBUG="no"

#
# Get Configuration File (or make one).
#

CONFDIR=$(dirname "$CONFFILE")
if [ -f "$CONFFILE" ]; then
 source "$CONFFILE"
else
 mkdir -p "$CONFDIR"
 {
  echo "APIS=\"$APIS\""
  echo "PORT=\"$PORT\""
  echo "CACHETIME=\"60\""
  echo "DEBUG=\"$DEBUG\""
#  echo "DATADIR=\"$DATADIR\""
  echo "PREEXEC=\"$PREEXEC\""
  echo "POSTEXEC=\"$POSTEXEC\""
#  echo "PERMITROOT=\"yes\""
#  echo "QUIZ=\"yes\""
#  echo "FAKESUDO=\"yes\""
  } >> "$CONFFILE"
 chmod 644 "$CONFFILE"
 source "$CONFFILE"
fi

#
# Fixed Values
#
PERMS=""
PERMUSER=""
PRVKEY="openakc-system-server-$(hostid)-prvkey.pem"
PUBKEY="openakc-system-server-$(hostid)-pubkey.pem"
SESSKEY=""
PROTO="0"
# REMOTE_HOST defined by xinetd, REMOTE_ADDR by systemd.
[ "x$REMOTE_HOST" == "x" ]&&REMOTE_HOST="$REMOTE_ADDR"
REMOTE_HOST="${REMOTE_HOST//::ffff:/}"

#
# Transient Values
#
DAT="$(date +%c)"
SDAT=$(date +%s)
TDAT=$((SDAT+tmout))

#
# Database hack
#
export PGPASSWORD="$pgpassword"

#
# Includes Functions
#
source "$DATADIR/libexec/functions-$RELEASE.cache"

#
# Local Functions
#
greeter () {
 echo "OpenAKC-$RELEASE $(uname -o) $(uname -r)"
 echo "OK: OpenAKC Server Ready"
}

cleanapi () {
#FIXME Variable Reuse of "API="
 API=$(echo "${APIIN,,}" | tr -d '\r' | awk '{print $1}')
 PARAM=$(echo "$APIIN" | tr -d '\r' | awk '{print $2}')
}

setproto () {
 for PR in $PROTOS
 do
  if [ "x$PR" == "x$PARAM" ]; then
   PROTO=$PR
  fi
 done
 if [ "x$PROTO" == "x0" ]; then
  echo "ERR: Protocol Selection Failed"
 else
  echo "OK: Protocol Accepted"
  logdebug "Client $REMOTE_HOST Selected Protocol \"$PROTO\""
 fi
}

showhelp () {
 echo "Welcome to OpenAKC, you are in the protocol selection phase"
 echo ""
 echo "Commands Available:-"
 echo "help                  - This help text"
 echo "ping                  - Verify API response"
 echo "getproto              - List supported OpenAKC protocol"
 echo "setproto [protocol]   - Select supported OpenAKC protocol"
 echo "quit                  - Exit this interface"
 echo "OK: Help Sent"
}

showerr () {
 echo "ERR: Unknown Command"
 logdebug "Displayed \"Unknown Command\" message"
}

#
# Startup
#
OSSLV=$(openssl version | tr 'a-zA-Z' ' ' | awk '{print $1}' | awk -F. '{ printf("%02d%02d%02d", $1,$2,$3) }')
if [ "$OSSLV" -eq "$OSSLV" ] 2>/dev/null; then
 :
else
 logerr "Unrecognised OpenSSL version, exiting."
 exit 1
fi
if [ "$OSSLV" -ge 908 ];then
 PROTOS="akcrsa1" # Space Separated List
else
 logerr "OpenSSL too old, exiting."
 exit 1
fi
if [ "$OSSLV" -ge 10101 ];then
 PROTOS="akcrsa1 akcrsa1.1" # Space Separated List
fi

if [ ! -d "$DATADIR" ];then 
 mkdir -p "$DATADIR"
 chmod 755 "$DATADIR"
fi
if [ ! -d "$DATADIR/audit" ];then
 mkdir "$DATADIR/audit"
 chmod 755 "$DATADIR/audit"
fi
if [ ! -d "$DATADIR/keylogs" ];then
 mkdir "$DATADIR/keylogs"
 chmod 700 "$DATADIR/keylogs"
fi
if [ ! -d "$DATADIR/data" ];then
 mkdir "$DATADIR/data"
 chmod 700 "$DATADIR/data"
fi
[ ! -d "$DATADIR/keys" ]&&mkdir "$DATADIR/keys"
chmod 700 "$DATADIR/keys"
[ ! -f "$DATADIR/keys/$PUBKEY" ] && rm "$DATADIR/keys/$PRVKEY" 2> /dev/null
if [ ! -f "$DATADIR/keys/$PRVKEY" ]; then
 logstatus "Forcing refresh of openssl keys"
 openssl genrsa -out "$DATADIR/keys/$PRVKEY" 2048 2> /dev/null
 openssl rsa -in "$DATADIR/keys/$PRVKEY" -outform PEM -pubout -out "$DATADIR/keys/$PUBKEY" 2> /dev/null
fi 

#
# Greet Client
#
greeter
logstatus "Session with $REMOTE_HOST established"

#
# Welcome Loop
#
while [ "$(date +%s)" -lt $TDAT ]
do
 read -r APIIN
 cleanapi
 case "$API" in
  help)
   showhelp
   ;;
  ping)
   echo "OK: Pong!"
   ;;
  getproto)
   echo "$PROTOS"
   echo "OK: Protocols Listed" 
   ;;
  setproto)
   setproto
   [ "x$PROTO" != "x0" ]&&break
   ;;
  quit)
   PROTO="0"
   echo "OK: Goodbye (protocol selection)"
   logstatus "Session with $REMOTE_HOST quit during welcome phase"
   break
   ;;
  *)
   showerr
   ;;
 esac 
done

#
# Set OpenSSL options for protocol
#
case "$PROTO" in
 akcrsa1)
  SSLOPTS="-aes-256-cbc -md md5 -salt -in /dev/stdin -pass pass:"
  ;;
 akcrsa1.1)
  SSLOPTS="-aes-256-cbc -md sha512 -pbkdf2 -iter 13370 -salt -in /dev/stdin -pass pass:"
  ;;
 *)
  logerr "Can't set OpenSSL Options (Code Error), exiting."
  exit 1
esac
PROTO=$(echo $PROTO | awk -F. '{print $1}')

#
# Data Section FIXME Move to libexec and source functions based on configured data store.
# Migration to function library as first step part complete.
#

################################

data_registerkey () {
#FIXME Error checks & input validation
 mkdir -p "$DATADIR/data/keys"
 fp="${fp////-}"
 fn="$DATADIR/data/keys/$fp.$usr"
 rm "$DATADIR/data/keys/"*".$usr" 2> /dev/null
 {
  echo "$fp"
  echo "$usr"
  echo "$pkey"
  echo "$PARAM"
  echo "$DAT"
  echo "Personal Key for user $usr"
 } > "$fn"
} 

data_statickey () {
#FIXME Error checks
 mkdir -p "$DATADIR/data/keys"
 KEYSN="key-$(randsn)"
 fp="${fp////-}"
 fn="$DATADIR/data/keys/$fp.$KEYSN"
 kd=$(echo "$kd" | base64 -d | gzip -d)
 cmt=$(echo "$cmt" | base64 -d | gzip -d)
 {
  echo "$fp"
  echo "$KEYSN"
  echo "$kd"
  echo "static"
  echo "$DAT"
  echo "$cmt"
 } > "$fn"
}  

data_updatekey () {
#FIXME Error checks & input validation
#FIXME Preserve comment if new comment not supplied
 mkdir -p "$DATADIR/data/keys"
 fp="${fp////-}"
 fn="$DATADIR/data/keys/$fp.$sn"
 if [ "$(find "$DATADIR/data/keys/"*".$sn" 2> /dev/null | wc -l)" -ne 0 ]; then
  reply="OK: Updated public key - S/N = $sn"
  rm "$DATADIR/data/keys/"*".$sn" 2> /dev/null
  kd="$(echo "$kd" | base64 -d | gzip -d)"
  cmt="$(echo "$cmt" | base64 -d | gzip -d)"
  if [ "x$kd" == "xDELETE" ]; then
   reply="OK: Deleted public key - S/N = $sn"
  else 
   {
    echo "$fp"
    echo "$sn"
    echo "$kd"
    echo "static"
    echo "$DAT"
    echo "$cmt"
   } > "$fn"
  fi
 else
  reply="ERR: Error no key with serial number exists"
 fi
}

data_resolve () {
 cnt="$(getent hosts "$SOURCE" 2> /dev/null | wc -l)"
 if [ "$cnt" -eq 1 ]; then
  SOURCE_HOST=$(getent hosts "$SOURCE" 2> /dev/null | awk '{print $2}')
 else
  SOURCE_HOST="$SOURCE"
 fi
}
 
data_setrole () {
#FIXME Error Checks
 cnt="$(find "$DATADIR/data/hosts/$hn"* 2> /dev/null | wc -l)"
 if [ "$cnt" -eq 1 ]||[ "x$hn" == "xdefault" ]; then
  if [ "x$hn" != "xdefault" ]; then
   hnl="$(find "$DATADIR/data/hosts/$hn"* 2> /dev/null)"
   hn="$(basename "$hnl")"
  else
   hn="DEFAULT"
  fi
  mkdir -p "$DATADIR/data/roles"
  mkdir -p "$DATADIR/data/history"
  fn="$DATADIR/data/roles/$usr@$hn.roles"
  echo "$rolefile" | base64 -d | gzip -d > "$fn.tmp"
  touch "$fn"
  diff "$fn" "$fn.tmp" 1> /dev/null 2> /dev/null
  if [ "$?" -ne 0 ]; then
   {
    echo "User $PERMUSER altered role $usr@$hn as follows"
    diff --unified=8 "$fn" "$fn.tmp"
    echo "-------------------------------------------------------------------------------"
    echo
   } >> "$DATADIR/data/history/$usr@$hn.roles"
  fi
  mv "$fn.tmp" "$fn"
  reply="OK: Request processed, role data updated"
 else
  reply="ERR: Unknown Error, cannot save role data"
  [ "$cnt" -eq 0 ]&&reply="ERR: Server not aware of this host"
  [ "$cnt" -gt 1 ]&&reply="ERR: Hostname not unique, use fully qualified"
 fi 
}

data_getrole () {
# FIXME Input validation on $usr & $hn
 mkdir -p "$DATADIR/data/roles"
 cnt=$(find "$DATADIR/data/hosts/$hn"* 2> /dev/null | wc -l)
 if [ "$cnt" -eq 1 ]||[ "x$hn" == "xdefault" ]; then
  if [ "x$hn" != "xdefault" ]; then
   hnl="$(find "$DATADIR/data/hosts/$hn"* 2> /dev/null)"
   hn="$(basename "$hnl")"
  else
   hn="DEFAULT"
  fi
  fn="$DATADIR/data/roles/$usr@$hn.roles"
  if [ ! -r "$fn" ];then
   cat <<EOF > "$fn.tmp"
# Edit this file to control permissions managed by OpenAKC.
# Rules for $usr@$hn
#
# First matched rule will apply.
# Each rule begins with a RULE line "RULE=date,date,type,tag"
# "type" can be user, group or key(ssh key fingerprint)
# "tag" will depend on the type, either username, groupname, or key serial no.
# DAY= can be either "any" or a comma separated list of 3 letter day codes.
# TIM= is daily {Start Time},{End Time} 24 hour format, local server time.
# SHELL= users shell (you could make shell "rjoe/rvim file", or /bin/false).
# CMD= is a list of permitted commands, "any" or " ; separated list"
#   NB: 1) if CMD is not "any", it must include scp to allow SCP.
#       2) if CMD is not "any", sftp-server requires full path.
#       3) if CMD is exactly/only "internal-sftp", OpenAKC session will be
#          bypassed and "internal-sftp" will be forced.  Care! No capability
#          restrictions can be applied in this mode, and no session
#          recording will take place other than sftp's own logging.
#       4) Internal SFTP can only be chrooted in sshd_config, but capabilities
#          can be applied to external sftp Eg (/usr/lib/openssh/sftp-server).
#       5) if a users calls an absolute path to a binary then CMD must
#          match the absolute path, otherwise short names match path (Care!).
#   NB: Multiple CMD= lines are permitted and will be aggrigated.
#   EG: CMD=scp;ls;uname;dmidecode;/usr/lib/openssh/sftp-server
# SCP= "sed" expression applied to scp, to allow chroot or redirecting files.
#   NB: Multiple SCP= lines are permitted and will be aggrigated.
# CAP= comma separated list of capabilities denied to role (man capabilities).
# REC= record session log, yes/no
# FROM= can be either "any" or a comma separated list of IPs or CIDR subnets
#
# Warning, TAGs must be CAPITAL, do not use quotes.
# Rules nearer the top take priority, but some attampt is made to merge fully
# compatible rules (See User Guide for details.)
#
#RULE=2020/01/13 19:17,2020/01/13 20:17,user,jlewis
#DAY=any
#TIM=any
#SHELL=/bin/bash
#CMD=any
#SCP=s,^/,/data/,g
#CAP=cap_linux_immutable
#REC=yes
#FROM=any
EOF
   rolefile=$(base64 -w 0 < "$fn.tmp")
   rm "$fn.tmp"
  else
   rolefile=$(base64 -w 0 < "$fn") 
  fi
  reply="OK: Request processed, role data read"
 else
  reply="ERR: Unknown Error, cannot check host data"
  [ "$cnt" -eq 0 ]&&reply="ERR: Server not aware of this host"
  [ "$cnt" -gt 1 ]&&reply="ERR: Hostname not unique, use fully qualified"
 fi
}

#
# ^^ End of Data Section ^^
#


################################

#
# AKCRSA1 Protocol Section.
#
showhelp_akcrsa1 () {
#FIXME Help text incomplete
 echo "Welcome to OpenAKC, you are in the akcrsa1 protocol phase"
 echo ""
 echo "Commands Available:-"
 echo "help                 - This help text"
 echo "pubkey               - Request remote public key"
 echo "audit type:[cipher]  - Send audit data to server"
 echo "sessioncode [cipher] - Send encrypted sessioncode" 
 echo "logturn              - Transition to keystroke log receiver"
 echo "quit                 - Exit this interface"
 echo "OK: Help Sent"
}

sendpubkey () {
 if [ -f "$DATADIR/keys/$PUBKEY" ]; then
  cat "$DATADIR/keys/$PUBKEY"
  echo "OK: Sent Pubkey"
 else
  echo "ERR: Error Sending Pubkey"
  logdebug "Failed to find pubkey mid session"
 fi
}

readsesscode () {
 SESSKEY="$(echo "$PARAM" | tr -d '\r' | base64 -d | openssl rsautl -decrypt -inkey "$DATADIR/keys/$PRVKEY" -in /dev/stdin 2> /dev/null)"
 if [ "$?" -eq 0 ]; then 
  echo "OK: Session key decoded"
  logdebug "Session key substr is:- $(echo "$SESSKEY" | cut -c 1-10)"
  logstatus "Session with $REMOTE_HOST negotiated AKCRSA1 protocol successfully"
 else
  echo "ERR: Could not decode session key"
  logwarn "Could not decode session key during session with $REMOTE_HOST, try \"openakc-plugin resetkeys\" on $REMOTE_HOST"
 fi
}

rbmessage () {
#FIXME Check exit code of openssl
 ENC=1
 APIIN="$(echo "$PARAM" | base64 -d | openssl enc -d $SSLOPTS"$SESSKEY" 2> /dev/null | tr -d '\r')"
 logdebug "Message decoded - \"$APIIN\""
}

rbsessiondata () {
#FIXME Security, validate session before sending.
 logdebug "Processing session data request - \"$PARAM\""
 RIP="$(echo "$APIIN" | tr -d '\r' | awk '{print $3}')"
 RPRT="$(echo "$APIIN" | tr -d '\r' | awk '{print $4}')"
 RPTY="$(echo "$APIIN" | tr -d '\r' | awk '{print $6}')"
 data_sessionupd
 echo "$SESSDAT" | openssl enc $SSLOPTS"$SESSKEY" 2> /dev/null | base64 -w 0; echo
 echo "OK: Session data sent"
 HNS="$(echo "$SESSDAT" | cut -d ";" -f 1)" # Short Hostname
 HND="$(echo "$SESSDAT" | cut -d ";" -f 2)" # Domain Name
 HID="$(echo "$SESSDAT" | cut -d ";" -f 3)" # Hostid
 HIP="$(echo "$SESSDAT" | cut -d ";" -f 4)" # Host IP
 USR="$(echo "$SESSDAT" | cut -d ";" -f 5)" # Username
 KEYF="$(echo "$SESSDAT" | cut -d ";" -f 6)" # Key Fingerprint
 API="$(echo "$SESSDAT" | cut -d ";" -f 7)" # API Hostname
 REL="$(echo "$SESSDAT" | cut -d ";" -f 8)" # Client Code Release
 RPPID="$(echo "$SESSDAT" | cut -d ";" -f 9)" # Remote Parent PID
 RUSR="$(echo "$SESSDAT" | cut -d ";" -f 10)" # Remote Username
 SHL="$(echo "$SESSDAT" | cut -d ";" -f 11)" # Role Shell
 SCP="$(echo "$SESSDAT" | cut -d ";" -f 12)" # SCP Rules
 CAP="$(echo "$SESSDAT" | cut -d ";" -f 13)" # Capabilities
 FRM="$(echo "$SESSDAT" | cut -d ";" -f 14)" # Permitted Source IP
 TIM="$(echo "$SESSDAT" | cut -d ";" -f 15)" # Timebox
 CMD="$(echo "$SESSDAT" | cut -d ";" -f 16)" # Permitted Remote Commands
 DAY="$(echo "$SESSDAT" | cut -d ";" -f 17)" # Permitted Days
 REC="$(echo "$SESSDAT" | cut -d ";" -f 18)" # Record Session Log
 EXT="$(echo "$SESSDAT" | cut -d ";" -f 19)" # Extended data
 logauth "User $USR authenticated on $HNS($HIP) with session id $RPPID-$HID using key $KEYF($RUSR) to $RPTY from $RIP port $RPRT"
}

rbauth () {
#
# Parameters
# $1 = parameter string from API
# $2 = 
#
#

#
# Clear Function Return Arrays.
#
 local -A returnval=()
 local -a returnarr=()
 
#
# Define other local variables for this function
#
 local -a para
 local -A authdata
 local preres replylog replyflg replykey
 
#
# Split input parameters
# 
 logdebug "Processing auth request - \"$1\"" 
 IFS=';' read -r -a param <<< "$1"
 authdata["HNS"]="${param[0]}" # Short Hostname
 authdata["HND"]="${param[1]}" # Domain Name
 authdata["HID"]="${param[2]}" # Hostid
 authdata["HIP"]="${param[3]}" # Host IP
 authdata["USR"]="${param[4]}" # Username
 authdata["KEYF"]="${param[5]}" # Key Fingerprint
 authdata["API"]="${param[6]}" # API Hostname
 authdata["REL"]="${param[7]}" # Client Code Release
 authdata["RPPID"]="${param[8]}" # Remote Parent PID

# HNS=$(echo $PARAM | cut -d ";" -f 1) # Short Hostname
# HND=$(echo $PARAM | cut -d ";" -f 2) # Domain Name
# HID=$(echo $PARAM | cut -d ";" -f 3) # Hostid
# HIP=$(echo $PARAM | cut -d ";" -f 4) # Host IP
# USR=$(echo $PARAM | cut -d ";" -f 5) # Username
# KEYF=$(echo $PARAM | cut -d ";" -f 6) # Key Fingerprint
# API=$(echo $PARAM | cut -d ";" -f 7) # API Hostname
# REL=$(echo $PARAM | cut -d ";" -f 8) # Client Code Release
# RPPID=$(echo $PARAM | cut -d ";" -f 9) # Remote Parent PID
#
 data_idkeyf "${authdata["KEYF"]}"
 authdata["RUSR"]=${returnval["RUSR"]}
 authdata["PUBKEY"]=${returnval["PUBKEY"]}
#
 grant=0
#
 if [ "x${authdata["PUBKEY"]}" != "x" ]; then
  ( ${PREEXEC} "${authdata["USR"]}@${authdata["HNS"]}.${authdata["HND"]}" "${authdata["HIP"]}" "${authdata["KEYF"]}" "${authdata["RUSR"]}" ) 2> /dev/null 1> /dev/null
  preres="$?"
 else
  reply="OK: Auth request processed (Unknown Key)"
 fi
 [[ $preres -ne 0 ]]&&reply="OK: Auth request processed (PREEXEC Deny)"
 if [ "x${authdata["PUBKEY"]}" != "x" ]&&[[ $preres -eq 0 ]]; then
  #
  data_sessionlog 
  if [ "${returnval["TDIF"]}" -lt 10 ]; then
   replyflg="NOLOG"
  else
   replyflg="LOG"
  fi
  logdebug "Reply flag set to $replyflg"
#
  data_validateroles "${authdata["USR"]}" "${authdata["HNS"]}" "${authdata["HND"]}" "${authdata["HIP"]}" "${authdata["RUSR"]}" "${authdata["KEYF"]}" && grant=1
  reply=${returnval["reply"]}  
  authdata["SHL"]=${returnval["SHL"]}
  authdata["SCP"]=${returnval["SCP"]}
  authdata["CAP"]=${returnval["CAP"]}
  authdata["FRM"]=${returnval["FRM"]}
  authdata["CMD"]=${returnval["CMD"]}
  authdata["REC"]=${returnval["REC"]}
  logdebug "Reply from validateroles - $reply"
  logdebug "Updating Session Log CAP=${authdata["CAP"]} SHL=${authdata["SHL"]} SCP=${authdata["SCP"]} FRM=${authdata["FRM"]} CMD=${authdata["CMD"]} REC=${authdata["REC"]}"
# FIXME Perhaps we can put the $reply into sessionlog, for an "explain" function later
  data_sessionlog

#
 fi
 if [ "$grant" -eq 1 ]; then
  ( $POSTEXEC "${authdata["USR"]}@${authdata["HNS"]}.${authdata["HND"]}" "${authdata["HIP"]}" "${authdata["KEYF"]}" "${authdata["RUSR"]}" ACCEPT "${authdata["RPPID"]}-${authdata["HID"]}" ) 2> /dev/null 1> /dev/null
  replylog="User ${authdata["USR"]} authenticated on ${authdata["HNS"]}(${authdata["HIP"]}) with session id ${authdata["RPPID"]}-${authdata["HID"]} using key ${authdata["KEYF"]}(${authdata["RUSR"]})"
  replykey="no-port-forwarding,no-X11-forwarding,from=\"${authdata["FRM"]}\",command=\"/usr/bin/openakc-session ${authdata["API"]} ${authdata["RPPID"]} ${authdata["HID"]} ${authdata["HNS"]}\" ${authdata["PUBKEY"]}"
  if [ "x${authdata["CMD"]}" == "xinternal-sftp" ]; then
   replykey="no-port-forwarding,no-X11-forwarding,from=\"${authdata["FRM"]}\",command=\"internal-sftp -f LOCAL6 -l INFO\" ${authdata["PUBKEY"]}"
  fi
 else
  ( $POSTEXEC "${authdata["USR"]}@${authdata["HNS"]}.${authdata["HND"]}" "${authdata["HIP"]}" "${authdata["KEYF"]}" "${authdata["RUSR"]}" DENY "${authdata["RPPID"]}-${authdata["HID"]}" ) 2> /dev/null 1> /dev/null
  replylog="User ${authdata["USR"]} denied on ${authdata["HNS"]}(${authdata["HIP"]}) with session id ${authdata["RPPID"]}-${authdata["HID"]} using key ${authdata["KEYF"]}(${authdata["RUSR"]})"
  replykey="command=\"/usr/bin/openakc-session ${authdata["API"]} ${authdata["RPPID"]} ${authdata["HID"]} ${authdata["HNS"]}\" ssh-rsa DENIED"
 fi
 
 #
 logdebug "Sending key $replykey"
 echo "$replylog" | openssl enc $SSLOPTS"$SESSKEY" 2> /dev/null | base64 -w 0; echo
 echo "$replyflg" | openssl enc $SSLOPTS"$SESSKEY" 2> /dev/null | base64 -w 0; echo
 echo "$replykey" | openssl enc $SSLOPTS"$SESSKEY" 2> /dev/null | base64 -w 0; echo
 echo "$reply"
} 

rbchallenge () {
# FIXME do input validation
 KEYID=$(echo "$APIIN" | tr -d '\r' | awk '{print $3}')
 case "$PARAM" in
  system)
   KEYTYPE="system"
   ;;
  user)
   KEYTYPE="user"
   PERMUSER=$KEYID
   ;;
  *)
   KEYTYPE="error"
   ;;
 esac
 KEYFILE="$DATADIR/keys/openakc-$KEYTYPE-client-$KEYID-pubkey.pem"
 #
 CHAL=$(openssl rand -hex 26 2> /dev/null)
 if [ -r "$KEYFILE" ]; then
  CHALCODE=$(echo "$CHAL" | openssl rsautl -encrypt -inkey "$KEYFILE" -pubin -in /dev/stdin | base64 -w 0 | tr -d '\r')
  echo "$CHALCODE" | openssl enc $SSLOPTS"$SESSKEY" 2> /dev/null | base64 -w 0; echo
  logdebug "Challenge sent - \"$CHAL\""
  echo "OK: Challenge issued"
 else
  echo "FAIL"
  if [ "x$KEYTYPE" != "xerror" ];then
   echo "ERR: Cannot Find necessary public key on server - $KEYFILE"
  else
   echo "ERR: Protocol error, invalid keytype specified"
  fi
 fi
}

rbhandshake () {
 logdebug "Challenge response received - \"$PARAM\""
 if [ "x$CHAL" == "x$PARAM" ];then
  PERMS="${KEYTYPE^^} $PERMS"
  PERMS=$(echo -e "$PERMS" | sed -e 's/[[:space:]]*$//')
  echo "OK: Handshake accepted. Permission list now \"$PERMS\""
  logdebug "PERMS set to \"$PERMS\""
  logstatus "Authenticated session established with $REMOTE_HOST"
 else
  echo "ERR: Handshake failed"
  logerr "API Handshake Failed"  
 fi
} 

rbgetrole () {
#FIXME Input Validation (look up/validate hostid?)
 logdebug "Adding role data - \"$APIIN\""
 if [ "x$PERMS" == "xUSER" ]; then
  target=$(echo "$APIIN" | tr -d '\r' | awk '{print $2}')
  usr=$(echo "$target" | awk -F\@ '{print $1}')
  hn=$(echo "$target" | awk -F\@ '{print $2}')
  logstatus "Validated role read request from \"$PERMUSER@$REMOTE_HOST\" for \"$usr@$hn\""
  DAT="$(date +%s)"
  data_getrole
  echo "$rolefile" | gzip | openssl enc $SSLOPTS"$SESSKEY" 2> /dev/null | base64 -w 0; echo
  echo "$reply"
  logdebug "sent request processed"
 else
  logstatus "Invalid role read request from \"$KEYID@$REMOTE_HOST\" for \"$usr@$hn\""
  echo "ERR: Permission denied"
 fi
}

rbsetrole () {
#FIXME Input Validation
 logdebug "Adding role data - \"$APIIN\""
 if [ "x$PERMS" == "xUSER" ]; then
  target=$(echo "$APIIN" | tr -d '\r' | awk '{print $2}')
  usr=$(echo "$target" | awk -F\@ '{print $1}')
  hn=$(echo "$target" | awk -F\@ '{print $2}')
  rolefile=$(echo "$APIIN" | tr -d '\r' | awk '{print $3}')
  logstatus "Validated role update request from \"$PERMUSER@$REMOTE_HOST\" for \"$usr@$hn\""
  DAT="$(date +%s)"
  data_setrole
  echo "$reply"
 else
  logstatus "Invalid role update request from \"$KEYID@$REMOTE_HOST\" for \"$usr@$hn\""
  echo "ERR: Permission denied"
 fi
}

rbsubmit () {
#FIXME Input Validation
 logdebug "Adding public key data - \"$APIIN\""
 if [ "x$PERMS" == "xUSER" ]; then
  fp=$(echo "$APIIN" | tr -d '\r' | awk '{print $2}')
  kd=$(echo "$APIIN" | tr -d '\r' | awk '{print $3}')
  cmt=$(echo "$APIIN" | tr -d '\r' | awk '{print $4}')
  DAT="$(date +%s)"
  data_statickey
  echo "OK: Stored public key - S/N = $KEYSN"
 else
  logstatus "Invalid submit key request from \"$KEYID@$REMOTE_HOST\" for \"$usr@$hn\""
  echo "ERR: Permission denied"
 fi
}

rbupdate () {
#FIXME Input Validation
 logdebug "Updating public key data - \"$APIIN\""
 if [ "x$PERMS" == "xUSER" ]; then
  sn=$(echo "$APIIN" | tr -d '\r' | awk '{print $2}')
  fp=$(echo "$APIIN" | tr -d '\r' | awk '{print $3}')
  kd=$(echo "$APIIN" | tr -d '\r' | awk '{print $4}')
  cmt=$(echo "$APIIN" | tr -d '\r' | awk '{print $5}')
  DAT="$(date +%s)"
  data_updatekey
  echo "$reply"
 else
  logstatus "Invalid update key request from \"$KEYID@$REMOTE_HOST\" for \"$usr@$hn\""
  echo "ERR: Permission denied"
 fi
}

rbregisterkey () {
#FIXME Input validation
 logdebug "Adding registered user key - \"$APIIN\""
 if [ "x$PERMS" == "xSYSTEM" ]; then
  usr=$(echo "$APIIN" | tr -d '\r' | awk '{print $3}')
  fp=$(echo "$APIIN" | tr -d '\r' | awk '{print $4}')
  pkey=$(echo "$APIIN" | tr -d '\r' | awk '{print $5" "$6}')
  logstatus "Validated register-key request from \"$usr@$REMOTE_HOST\" for fingerprint \"$fp\" type \"$PARAM\""
  DAT="$(date +%s)"
  data_registerkey "$fp" "$usr" "$pkey" "$PARAM" "$DAT"
  echo "OK: Request processed"
 else
  logstatus "Invalid register-key request from \"$usr@$REMOTE_HOST\" for fingerprint \"$fp\" type \"$PARAM\""
  echo "ERR: Permission denied"
 fi
}

rbaudit () {
#FIXME Input Validation
SOURCE="$REMOTE_HOST"
REPLY="OK: Audit data accepted"
AUDFN=$(echo "$PARAM" | awk -F: '{print $1}')
AUDAT=$(echo "$PARAM" | awk -F: '{print $2}')
data_resolve
if echo "$AUDFN" | grep -Eq "^[-.a-zA-Z0-9]{0,33}$" 1> /dev/null 2> /dev/null; then
 mkdir -p "$DATADIR/audit/$SOURCE_HOST"
 echo -n "$AUDAT" | tr -d '\r' | base64 -d > "$DATADIR/audit/$SOURCE_HOST/$AUDFN.tmp"
 if [ "$?" -eq 0 ]; then
  echo "OK: Audit data accepted"
  mv "$DATADIR/audit/$SOURCE_HOST/$AUDFN.tmp" "$DATADIR/audit/$SOURCE_HOST/$AUDFN"
 else
  echo "ERR: Audit data corrupted"
  logwarn "Corrupt audit data detected"
  touch "$DATADIR/audit/$SOURCE_HOST/$AUDFN.tmp"
 rm "$DATADIR/audit/$SOURCE_HOST/$AUDFN.tmp"
 fi
 logstatus "Received audit packet from $SOURCE_HOST($SOURCE)"
else
 logerr "Received audit packet from $SOURCE_HOST($SOURCE) with invalid filename"
fi
}

rblog () {
# FIXME Validate session with data from authentication phase using backend.
 LOGFN="$(date "+%Y/%m/%d")/$(date "+%H:%M:%S")-$PARAM.log"
 loginfo "Session with $REMOTE_HOST transitioned to keystroke log receiver, see log:- $LOGFN"
 mkdir -p "$DATADIR/keylogs/$(date "+%Y/%m/%d")"
 touch "$DATADIR/keylogs/$LOGFN"
 if which chattr; then
  chattr +a "$DATADIR/keylogs/$LOGFN"
 fi
 export PSK="$SESSKEY"
 cat | /usr/bin/openakc-hpenc -d -K PSK >> "$DATADIR/keylogs/$LOGFN"
 unset PSK
}

ENC=0
if [ "x$PROTO" == "xakcrsa1" ]; then
 while [ "$(date +%s)" -lt $TDAT ]
 do
  [ "x$ENC" == "x0" ] && read -r APIIN
  cleanapi
  ENC=0
  logdebug "Proceessing AKCRSA1 message - \"$API\" - \"$PARAM\""
  case "$API" in
   help)
    showhelp_akcrsa1
    ;;
   pubkey)
    sendpubkey
    ;;
   sessioncode)
    readsesscode
    ;;
   challenge)
    rbchallenge
    ;;
   handshake)
    rbhandshake
    ;;
   setrole)
    rbsetrole
    ;;
   getrole)
    rbgetrole
    ;;
   listrole)
    rblistrole
    ;; 
   registerkey)
    rbregisterkey
    ;;
   submit)
    rbsubmit
    ;;
   update)
    rbupdate
    ;;
   sessiondata)
    rbsessiondata
    ;;
   message)
    rbmessage
    ;; 
   audit)
    rbaudit
    ;; 
   auth)
    rbauth "$PARAM" 
    ;;
   ping)
    echo "OK: Pong!"
    ;;
   logturn)
    rblog
    logstatus "Session with $REMOTE_HOST quit during session logging phase"
    break
    ;;
   quit)
    PROTO="0"
    echo "OK: Goodbye (encrypted phase)"
    logstatus "Session with $REMOTE_HOST quit during AKCRSA1 phase"
    break
    ;;
   *)
    showerr
    ;;
  esac 
 done
 exit 0
fi