mwarning / trigger

Android app to lock/unlock/ring doors. Supports generic HTTPS/SSH/Bluetooth/MQTT and Nuki Smartlock.
GNU General Public License v3.0
130 stars, 22 forks

ssh key generation/registration on device #35

Closed: clach04 closed this issue 4 years ago

clach04 commented 4 years ago

There is a cool key registration option in Trigger but I can't locate docs for it.

I think I've figured out how to make use of it. I posted some docs to https://github.com/clach04/shell_locked#key-registration (along with a dumb implementation of a server that can then record the fingerprint). Is this how registration is intended to work?

mwarning commented 4 years ago

Hi, key registration was never documented. It will create a TCP/IP connection to the given IP address and port (e.g. 192.168.1.1:50007) and send the public key as a byte stream.

.. It would be nicer to send the key in PEM format (in ASCII) and to display back any message the registration server sends back (like 'Thanks for the key. Speak to the Admin to let it be enabled.'). nvm, it is already in PEM format.

mwarning commented 4 years ago

@clach04 yes, the public key is sent via TCP to the given address. That is all. I use netcat on the console for a simple example: `nc -l 12345 -c register.sh`, and `register.sh` contains `cat >> sshkeys.txt`.

mwarning commented 4 years ago

The next version will not require the tcp:// in front. Also, the script can send back a custom message that will be displayed.
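As an added example (not code from the Trigger project), a small Python registration server for the exchange mwarning describes: it listens on a TCP port, reads the key the app sends, appends it to the same sshkeys.txt file as the netcat example, and sends back a message for the app to display. It assumes the app sends one OpenSSH-format public key line and closes its side of the connection; the key-line check, the SHA256 fingerprint and the size cap are defensive additions of this example, not part of the app's protocol.

```python
import base64, hashlib, socket, struct

KEYFILE = "sshkeys.txt"   # same file the netcat/register.sh example appends to
MAX_BYTES = 16 * 1024     # a public key line is far smaller; cap what one client can submit
REPLY = b"Thanks for the key. Speak to the admin to let it be enabled.\n"

def parse_openssh_pubkey(line: str):
    """Validate 'keytype base64 [comment]' and return (keytype, b64, comment, blob)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with its own length-prefixed type string; it must match the
    # leading token, otherwise the line is garbled or was tampered with.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type mismatch between text and blob")
    return keytype, b64, comment, blob

def fingerprint(blob: bytes) -> str:
    """Same form as 'ssh-keygen -lf': SHA256 of the blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def handle_registration(data: bytes, keyfile: str = KEYFILE) -> bytes:
    """Record one submitted key; return the message to send back to the phone."""
    try:
        keytype, b64, comment, blob = parse_openssh_pubkey(data.decode("utf-8", "replace"))
    except (ValueError, struct.error):
        return b"Rejected: not a valid OpenSSH public key.\n"
    # Stored as pending only: nothing touches authorized_keys until an admin enables it.
    with open(keyfile, "a") as f:
        f.write(f"# pending {fingerprint(blob)}\n{keytype} {b64} {comment}\n")
    return REPLY

def serve(host: str = "0.0.0.0", port: int = 12345) -> None:
    """Accept one key per connection, as 'nc -l 12345 -c register.sh' does."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, _peer = srv.accept()
            with conn:
                conn.settimeout(5)   # a stalled client must not block the server
                buf = b""
                try:
                    while len(buf) < MAX_BYTES and (c := conn.recv(4096)):
                        buf += c     # read until the app closes its side (EOF)
                except socket.timeout:
                    pass             # treat what arrived so far as the submission
                conn.sendall(handle_registration(buf))
```

Call `serve()` to listen; the file it writes is a holding area, and an admin still has to copy an approved key into `authorized_keys`.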

clach04 commented 4 years ago

> @clach04 yes, the public key is sent via TCP to the given address. That is all. I use netcat on the console for a simple example: `nc -l 12345 -c register.sh`, and `register.sh` contains `cat >> sshkeys.txt`.

That's really neat!

I've not yet put a lot of thought into it, but my intention is to update my script to use the environment and/or command directives in ~/.ssh/authorized_keys to use a restricted shell. That way, the same user id can be used but something in the environment would distinguish the different key (real user) that used it - see https://unix.stackexchange.com/questions/15575/can-i-find-out-which-ssh-key-was-used-to-access-an-account.

I did wonder about rolling my own ssh service via Paramiko but I'm thinking a restricted shell is likely to be more robust :)

mwarning commented 4 years ago

This project certainly needs more documentation and howtos.

mwarning commented 4 years ago

I have added a documentation site along with a key registration example.