bin/openakc-session

#!/bin/bash

# Filename      : /usr/sbin/openakc-session
# Function      : OpenAKC Authentication Plugin
#
# Copyright (C) 2019-2020  A. James Lewis
#
#  This program is free software: you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation, either version 2 of the License, or
#  (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program.  If not, see <https://www.gnu.org/licenses/>.
#

#
# Static Values
#

#trap '' SIGTSTP
#trap '' SIGINT
RELEASE="0.0"

#
# Values from OpenAKC Stage One
#
API=${1}
RPPID=${2}
HID=${3}
HNS=${4}

#
# Defaults
#
CONFFILE="/etc/openakc/openakc.conf"
DATADIR="/var/lib/openakc"
SESSKEY=""
tmout=5
DEBUG="yes"
PERMITROOT="no"
HIDE="no"
QUIZ="yes"
FAKESUDO="no"

#
# Includes Functions
#
source "$DATADIR/libexec/functions-$RELEASE.cache"

#
# Local Functions
#
isok () {
 ISOK=$(echo "$OK" | cut -d ":" -f 1)
 if [ "x$ISOK" != "xOK" ]; then
  logerr "Quitting due to unexpected command response - $OK"
  echo "quit" >&5
  exec 5>&-
  exit 1
 fi
}

sendmessage () {
#FIXME redirect stderr, and check exit code
 MESSAGE=$(echo "$MESSAGE" | openssl enc $SSLOPTS"$SESSKEY" 2> /dev/null | base64 -w 0 | tr -d '\r')
 echo "message $MESSAGE" >&5
}

#
# OpenAKC command line check.
#
tmpcmd=$(tr -d '\0' < "/proc/$PPID/cmdline") 2> /dev/null
if [ "x${tmpcmd:0:4}" != "xsshd" ]; then
 echo "OpenAKC Copyright (C) 2019-2020  A. James Lewis.  Version is $RELEASE."
 echo ""
 echo "This program comes with ABSOLUTELY NO WARRANTY; for details type \"license\"".
 echo "This is free software, and you are welcome to redistribute it"
 echo "under certain conditions; See LICENSE file for further details."
 echo ""
 echo "OpenAKC Session cannot be run from the command line."
 echo ""
 exit 1
fi

#
# Find OpenSSL Version
#
OSSLV=$(openssl version 2> /dev/null | tr 'a-zA-Z' ' ' | awk '{print $1}' | awk -F. '{ printf("%02d%02d%02d", $1,$2,$3) }')
if [ "$OSSLV" -eq "$OSSLV" ] 2>/dev/null; then
 :
else
 logerr "Unrecognised OpenSSL version, exiting."
 exit 1
fi
if [ "$OSSLV" -ge 908 ];then
 CPROTOS="akcrsa1" # Space Separated List
else
 logerr "OpenSSL too old, exiting."
 exit 1
fi
if [ "$OSSLV" -ge 10101 ];then
 CPROTOS="akcrsa1 akcrsa1.1" # Space Separated List
fi


#
# Get Configuration File (or exit).
#
if [ -r "$CONFFILE" ]; then
 source "$CONFFILE"
else
 logerr "Can't find config file, exiting."
 exit 1
fi

#
# Transient Values
#
DAT="$(date "+%c")"
SDAT="$(date "+%s")"

#
# Initial Startup
#

#
# Validate Config FIXME Needs more checks. (ESP API hosts's)
#
if [ "$CACHETIME" -eq "$CACHETIME" ] 2>/dev/null; then
 :
else
 logwarn "Cache time $CACHETIME is not a number, defaults to 60 seconds"
 CACHETIME=60
fi
#
if [ "x$ENABLED" != "xyes" ]; then
 logstatus "Disabled in config \"ENABLED\" must be \"yes\" to enable OpenAKC"
 exit 1
fi
#
if [ "$PORT" -eq "$PORT" ] 2>/dev/null; then
 if [ "$PORT" -gt 65535 ]; then
  logerr "Warning - TCP port $PORT is out of range, exiting"
  exit 1
 fi
else
 logerr "TCP port $PORT is not a number, exiting"
 exit 1
fi


#
# Start of illogical function dance.
#
apicall () {
 # Connect to API
 exec 5<>/dev/tcp/"$1"/"$PORT"
 success=$?
 if [ "$success" -ne 0 ]; then
  exit "$success"
 fi
 
 # If we're still going, then we're it!
 
 read -r TAGLINE <&5
 read -r OK <&5
 isok
 echo "getproto" >&5
 read -r PROTOS <&5
 read -r OK <&5
 isok
 
 #
 # Check our protocol is available
 #
 POK=0
 for C in $CPROTOS
 do
  for P in $PROTOS
  do
   if [ "x$P" == "x$C" ]; then
    POK=1
    PROTO=$C
   fi
  done
 done
 if [ "x$POK" == "x0" ]; then
  logerr "No matching protocols found, exiting!"
  exit 1
 fi
 #
 case "$PROTO" in
  akcrsa1)
   SSLOPTS="-aes-256-cbc -md md5 -salt -in /dev/stdin -pass pass:"
   ;;
  akcrsa1.1)
   SSLOPTS="-aes-256-cbc -md sha512 -pbkdf2 -iter 13370 -salt -in /dev/stdin -pass pass:"
   ;;
  *)
   logerr "Can't set OpenSSL Options (Code Error), exiting."
   exit 1
 esac

 #
 # Initialise Public Key
 #
 echo "setproto $PROTO" >&5
 read -r OK <&5
 isok

 if [ ! -f "$DATADIR/keys/openakc-server-pubkey-$1.pem" ]; then
  logerr "Missing public key, exiting!"
  echo "AKC Session Failed, public key $DATADIR/keys/openakc-server-pubkey-$1.pem inaccessible."
  echo "Please contact your Sysadmin or Security Administrator"
  exit 1
 fi

 #
 # Generate Session Key and register it.
 #
 SESSKEY=$(openssl rand -hex 26 2> /dev/null | tr '0' 'z'|tr '2' 'j')
 SESSCODE=$(echo "$SESSKEY" | openssl rsautl -encrypt -inkey "$DATADIR/keys/openakc-server-pubkey-$1.pem" -pubin -in /dev/stdin | base64 -w 0 | tr -d '\r')

 echo "sessioncode $SESSCODE" >&5
 read -r OK <&5
 isok

 if [ "x$SESSCODE" = "x" ]; then
  echo "OpenAKC Session Failed, to negotiate session with backend."
  echo "Please contact your Sysadmin or Security Administrator"
  exit 1
 fi

 MESSAGE="sessiondata $RPPID-$(hostid) $SSH_CLIENT $SSH_TTY";sendmessage
 read -r SESSDAT <&5
 read -r OK <&5
 isok
 
 SESSDAT="$(echo "$SESSDAT" | base64 -d | openssl enc -d $SSLOPTS"$SESSKEY" 2> /dev/null | tr -d '\r')"
 logdebug "Session Data - $SESSDAT"
 HNS="$(echo "$SESSDAT" | cut -d ";" -f 1)" # Short Hostname
 HND="$(echo "$SESSDAT" | cut -d ";" -f 2)" # Domain Name
 HID="$(echo "$SESSDAT" | cut -d ";" -f 3)" # Hostid
 HIP="$(echo "$SESSDAT" | cut -d ";" -f 4)" # Host IP
 USR="$(echo "$SESSDAT" | cut -d ";" -f 5)" # Username
 KEYF="$(echo "$SESSDAT" | cut -d ";" -f 6)" # Key Fingerprint
 API="$(echo "$SESSDAT" | cut -d ";" -f 7)" # API Hostname
 REL="$(echo "$SESSDAT" | cut -d ";" -f 8)" # Client Code Release
 RPPID="$(echo "$SESSDAT" | cut -d ";" -f 9)" # Remote Parent PID
 RUSR="$(echo "$SESSDAT" | cut -d ";" -f 10)" # Remote Username
 SHL="$(echo "$SESSDAT" | cut -d ";" -f 11)" # Shell
 BSCP="$(echo "$SESSDAT" | cut -d ";" -f 12)" # SCP replace
 CAP="$(echo "$SESSDAT" | cut -d ";" -f 13)" # Capabilities
 FRM="$(echo "$SESSDAT" | cut -d ";" -f 14)" # Permitted Source IP
 TIM="$(echo "$SESSDAT" | cut -d ";" -f 15)" # Daily Time Window
 BCMD="$(echo "$SESSDAT" | cut -d ";" -f 16)" # Permitted Remote Commands
 DAY="$(echo "$SESSDAT" | cut -d ";" -f 17)" # Permitted Days
 REC="$(echo "$SESSDAT" | cut -d ";" -f 18 | tr '[:upper:]' '[:lower:]')" # Record Session
 EXT="$(echo "$SESSDAT" | cut -d ";" -f 19)" # Extensions
 RIP="$(echo "$SESSDAT" | cut -d ";" -f 20)" # Remote IP
 #
 CMD="$(base64 -d <<< "$BCMD")"
 SCP="$(base64 -d <<< "$BSCP")"
 
 RESTRICT=${CAP}
 KLOG=0
 KEXIT=0
  
 if [ "x$SSH_ORIGINAL_COMMAND" != "x" ]; then
  if [  "x$SSH_ORIGINAL_COMMAND" == "xinternal-sftp" ]; then
   logstatus "OpenAKC session does not support \"internal-sftp\", define \"CMD=internal-sftp\" in role to bypass session control."
   echo "quit" >&5
   exec 5>&-
   exit 1
  fi
  OCOMMAND="$(which "$(echo "$SSH_ORIGINAL_COMMAND" | cut --delimiter=" " -f 1)")"
  export OCOMMAND
  BCOMMAND="$(basename "$OCOMMAND")"
  export BCOMMAND
  PERMITC=0
 else
  export OCOMMAND=""
  PERMITC=1
 fi 
 
 logdebug "Checking Permitted Commands"
 saveifs="$IFS"
 IFS=";"
 for i in $CMD; do
  logdebug "BCOMMAND = $BCOMMAND vs $i"
  if [ "x$BCOMMAND" == "x$i" ]||[ "x$i" == "xany" ]||[ "x$OCOMMAND" == "x$i" ]; then
   if [ "x${SSH_ORIGINAL_COMMAND:0:1}" != "x/" ]||[ "x$i" == "xany" ]; then
    logdebug "Permitting Relative Path $i"
    PERMITC=1
   fi
   logdebug "Compare = $SSH_ORIGINAL_COMMAND with $i"
   if [ "x${SSH_ORIGINAL_COMMAND:0:1}" == "x/" ]&&[ "x$SSH_ORIGINAL_COMMAND" == "x$i" ]; then
    logdebug "Permitting Absolute Path $i"
    PERMITC=1
   fi
  fi
 done
 IFS="$saveifs"
 #
 if [ $PERMITC -eq 0 ]; then
  if [ "x$FAKESUDO" == "xyes" ]; then
   logger -t sudo -p authpriv.info "  $RUSR : command not allowed ; TTY=$SSH_TTY ; VIA=$RIP ; USER=$(whoami) ; COMMAND=$SSH_ORIGINAL_COMMAND ; CAP_RESTRICTIONS=$RESTRICT ; OPENAKC_SESSION=$RPPID-$(hostid) ; API=$API"
  fi
  logauth "Remote user $RUSR : OpenAKC role does not permit command ; TTY=$SSH_TTY ; VIA=$RIP ; USER=$(whoami) ; COMMAND=$SSH_ORIGINAL_COMMAND ; CAP_RESTRICTIONS=$RESTRICT ; OPENAKC_SESSION=$RPPID-$(hostid) ; API=$API"
  if [ "x$BCOMMAND" != "xsftp-server" ]; then
   echo "OpenAKC role does not permit command, must match the following command(s) - \"$CMD\""
  fi
  echo "quit" >&5
  exec 5>&-
  exit 1
 fi 
 
 TMPFILE="$(mktemp -u).openakc-$(whoami)-$RPPID-$(hostid)"
 TMPHEAD="$TMPFILE.head"
# TMPFIFO="$TMPFILE.fifo"
# if [ "x${REC}" == "xyes" ]; then
#  TMPOUT="$TMPFIFO"
# else
#  TMPOUT="/dev/null"
# fi

# FIXME Buffer issue if keystroke logging process is sent SIGSTOP.
# FIXME Buffer issue if not enough output generated by shell (exit kills hpenc?)
 
 if [ "x$SSH_TTY" != "x" ]; then
  logdebug "Going to interactive mode"
  if [ "x$HIDE" != "xyes" ]; then
   echo "OpenAKC (v$RELEASE) - Interactive Session Initialized"
   echo
  elif [ "x$QUIZ" == "xyes" ]; then
   echo "OpenAKC - Interactive Session Initialized"
   echo
  fi
#
  if [ "x$QUIZ" == "xyes" ]; then
   logstatus "Presenting user quiz for session $RPPID-$(hostid)"
   echo "Please enter the reason for your connection"
   echo -n "Title / Change Number: "
   read -rt 30 i
   [ $? -gt 100 ]&&echo "Timeout!"&&i="Input timed out!"
   echo
   echo "Title: $i" > "$TMPHEAD"
   echo "Description (blank line to end)"
   while true
   do
   read -rt 45 j
   [ $? -gt 100 ]&&echo "Timeout!"&&j="Input timed out!"
   echo "Summary: $j" >> "$TMPHEAD"
   [ "x$j" == "x" ]&&break
   done
  else
   echo "Title: Quiz Disabled" > "$TMPHEAD"
  fi
  {
   echo ""
   echo "Network Source: $SSH_CLIENT"
   echo "Key Used: $KEYF"
   echo "TTY: $SSH_TTY"
   echo "Term Type: $TERM"
   echo "Term Language: $LANG"
   echo "Shell: $SHL"
   echo "Restricted Capabilties: $CAP"
   echo "Session Logging Enabled: $REC"
   echo ""
  } >> "$TMPHEAD"

  MESSAGE="logturn $USR@$HNS.$RUSR.$RPPID-$(hostid)";sendmessage
  KLOG=1
#
#
  if [ "x$RESTRICT" != "x" ]&&[ "x$HIDE" == "xno" ]; then
   echo "Restrictions Applied":-
   for i in $(echo "$RESTRICT" | tr ',' ' '); do
    echo "Captbility $i withdrawn by role config"
   done
   echo
  fi

  if [ "x$PERMITROOT$EUID" != "xno0" ]; then
   if [ "x$FAKESUDO" == "xyes" ]; then
    logger -t sudo -p authpriv.info "  $RUSR : TTY=$SSH_TTY ; VIA=$RIP ; USER=$(whoami) ; COMMAND=$SHL ; CAP_RESTRICTIONS=$RESTRICT ; OPENAKC_SESSION=$RPPID-$(hostid) ; API=$API"
   fi
   logauth "Remote user $RUSR : granted access ; TTY=$SSH_TTY ; VIA=$RIP ; USER=$(whoami) ; COMMAND=$SHL ; CAP_RESTRICTIONS=$RESTRICT ; OPENAKC_SESSION=$RPPID-$(hostid) ; API=$API"
   export PSK="$SESSKEY"
   if [ "x$REC" == "xyes" ]; then
    /usr/bin/openakc-cap --drop="$RESTRICT" -- -c "script -ec \"PSK=OpenAKC $SHL\" -qaf >(cat \"$TMPHEAD\" - | /usr/bin/openakc-hpenc -a chacha20 -b 128 -K PSK >&5)"
   else
    cat "$TMPHEAD" | /usr/bin/openakc-hpenc -a chacha20 -b 128 -K PSK >&5
    /usr/bin/openakc-cap --drop="$RESTRICT" -- -c "PSK=OpenAKC $SHL"
   fi
   KEXIT=$?
   unset PSK
  else
   if [ "x$FAKESUDO" == "xyes" ]; then
    logger -t sudo -p authpriv.info "  $RUSR : command not allowed ; TTY=$SSH_TTY ; VIA=$RIP ; USER=$(whoami) ; COMMAND=$SHL ; CAP_RESTRICTIONS=$RESTRICT ; OPENAKC_SESSION=$RPPID-$(hostid) ; API=$API"
   fi
   logauth "Remote user $RUSR : OpenAKC root login not allowed by client config ; TTY=$SSH_TTY ; VIA=$RIP ; USER=$(whoami) ; COMMAND=$SHL ; CAP_RESTRICTIONS=$RESTRICT ; OPENAKC_SESSION=$RPPID-$(hostid) ; API=$API"
   echo "This host is configured to deny root access via OpenAKC"
   echo "You will be disconnected, please contact your system administrator"
   export PSK="$SESSKEY"
   echo "PERMITROOT configuration blocked this login" |(cat "$TMPHEAD" - | /usr/bin/openakc-hpenc -a chacha20 -b 128 -K PSK >&5)
   unset PSK
   logauth "PERMITROOT configuration blocked access to root account by $KEYF($RUSR) from $SSH_CLIENT"
   sleep 3
  fi
#
# 
 else
  if [ "x$REC" == "xyes" ]; then
   MESSAGE="logturn $USR@$HNS.$RUSR.$RPPID-$(hostid)";sendmessage
   KLOG=1
   echo "\"$SSH_ORIGINAL_COMMAND\" called via ssh" > "$TMPHEAD"
   echo "" >> "$TMPHEAD"
  fi
 
  if [ "x$PERMITROOT$EUID" != "xno0" ]; then
   if [ "x$FAKESUDO" == "xyes" ]; then
    logger -t sudo -p authpriv.info "  $RUSR : TTY=$SSH_TTY ; VIA=$RIP ; USER=$(whoami) ; COMMAND=$SSH_ORIGINAL_COMMAND ; CAP_RESTRICTIONS=$RESTRICT ; OPENAKC_SESSION=$RPPID-$(hostid) ; API=$API"
   fi
   logauth "Remote user $RUSR : granted access ; TTY=$SSH_TTY ; VIA=$RIP ; USER=$(whoami) ; COMMAND=$SSH_ORIGINAL_COMMAND ; CAP_RESTRICTIONS=$RESTRICT ; OPENAKC_SESSION=$RPPID-$(hostid) ; API=$API"
   if [ "x$BCOMMAND" == "xscp" ]; then
    SCPCMD=$(echo "$SSH_ORIGINAL_COMMAND" | awk '{print $1" "$2}')
    SCPVAL=$(echo "$SSH_ORIGINAL_COMMAND" | awk '{print $3}')
    saveifs="$IFS"
    IFS=";"
    for iscp in $SCP; do
     logdebug "Running \"sed\" command \"$iscp\""
     SCPVAL=$(echo "$SCPVAL" | sed -e "$iscp")
    done
    IFS="$saveifs"
    /usr/bin/openakc-cap --drop="$RESTRICT" -- -c "$SCPCMD $SCPVAL"
    KEXIT=$?
    [ "x$SCPCMD" == "xscp -f" ]&&SCPCMD="GET"
    [ "x$SCPCMD" == "xscp -t" ]&&SCPCMD="PUT"
    export PSK="$SESSKEY"
    echo "SCP $SCPCMD $SCPVAL executed, exit code $KEXIT" |(cat "$TMPHEAD" - | /usr/bin/openakc-hpenc -a chacha20 -b 128 -K PSK >&5)
    unset PSK
    SCPEXIT="Failed"
    [ $KEXIT -eq 0 ]&&SCPEXIT="Succeeded"
    logger -t openakc-scp -p local6.info "$SCPCMD $SCPVAL ; $SCPEXIT for user $(whoami)"
   elif [ "x$BCOMMAND" == "xsftp-server" ]; then
    [[ $SSH_ORIGINAL_COMMAND == *"/sftp-server" ]]&&SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND -f LOCAL6 -l INFO"
    /usr/bin/openakc-cap --drop="$RESTRICT" -- -c "$SSH_ORIGINAL_COMMAND"
    KEXIT="$?"
    export PSK="$SESSKEY"
    echo "$SSH_ORIGINAL_COMMAND executed" |(cat "$TMPHEAD" - | /usr/bin/openakc-hpenc -a chacha20 -b 128 -K PSK >&5)
    unset PSK
   else
    if [ "x$REC" == "xyes" ]; then
     export PSK="$SESSKEY"
     /usr/bin/openakc-cap --drop="$RESTRICT" -- -c "script -ec \"PSK=OpenAKC $SSH_ORIGINAL_COMMAND\" -qaf >(cat \"$TMPHEAD\" - | /usr/bin/openakc-hpenc -a chacha20 -b 128 -K PSK >&5)"
     KEXIT="$?"
     unset PSK
    else
     export PSK="$SESSKEY"
     cat "$TMPHEAD" | /usr/bin/openakc-hpenc -a chacha20 -b 128 -K PSK >&5
     unset PSK
     /usr/bin/openakc-cap --drop="$RESTRICT" -- -c "$SSH_ORIGINAL_COMMAND"
     KEXIT="$?"
    fi
   fi
  else
   if [ "x$FAKESUDO" == "xyes" ]; then
    logger -t sudo -p authpriv.info "  $RUSR : command not allowed ; TTY=$SSH_TTY ; VIA=$RIP ; USER=$(whoami) ; COMMAND=$SSH_ORIGINAL_COMMAND ; CAP_RESTRICTIONS=$RESTRICT ; OPENAKC_SESSION=$RPPID-$(hostid) ; API=$API"
   fi
   logauth "Remote user $RUSR : OpenAKC root login not allowed by client config ; TTY=$SSH_TTY ; VIA=$RIP ; USER=$(whoami) ; COMMAND=$SSH_ORIGINAL_COMMAND ; CAP_RESTRICTIONS=$RESTRICT ; OPENAKC_SESSION=$RPPID-$(hostid) ; API=$API"
   logauth "PERMITROOT configuration blocked access to root account by $KEYF($RUSR) from $SSH_CLIENT"
   sleep 3
  fi
 fi
#
 rm "$TMPHEAD" 2> /dev/null
 
 logstatus "Remote user $RUSR : session ended ; TTY=$SSH_TTY ; VIA=$RIP ; USER=$(whoami) ; OPENAKC_SESSION=$RPPID-$(hostid)"
 [ "$KLOG" -eq 0 ]&&echo "quit" >&5
 exec 5>&-
 logdebug "Passing on exit code $KEXIT"
 exit $KEXIT
}


apicall "$API"