Remote Job Entry validated by pgp (hack script)
#!/bin/sh
# This is a little hack to let me send myself signed pgp mail containing
# a batch script and have it execute as me. I knocked this up in a hurry
# this evening when I needed to remote control a machine I couldn't easily
# telnet to. It's not especially elegant but then it's not especially
# big, so if you don't like it, write your own the way you prefer.
# Because this runs as a batch job, PGPPATH and PGPPASS must be
# set in the environment. If invoked from procmail, they have to
# be defined in .procmailrc. Clearly you should use a different
# private key to your personal one for mail. Given that this is
# only to stop outsiders accessing your account, it doesn't matter
# that the exec-key is held online or in the environment - if someone
# could hack your account to get the key they've already done enough
# to hack your account anyway and having access to this exec-server
# would give them no extra advantage...
# I use procmail runes like this to execute this script:
# :2
# ^From.*gtoal
# Subject: batch job
# The From line is redundant, but I just put it in so I could easily
# bounce requests from most unauthorised senders in a later procmail
# rule. Unauthorised senders posting as me are silently dropped
# on the floor... (assuming the pgp signature check fails that is!)
cat > $PGPPATH/job.$$
# This just extracts the first pgp message to a file to avoid possible
# problems with spoofing... - it leaves the file empty if no pgp message
# was found. I use my own editor 'ecce' to do this - you might use
# sed or perl or whatever...
if [ -f /usr/local/lib/ecce ]; then
# Skipping this stage probably doesn't hurt...
/usr/local/lib/ecce $PGPPATH/job.$$ << EOD
f/-----BEGIN PGP MESSAGE-----/l0k-0f/-----END PGP MESSAGE-----/mk0,m-0k0;%c
EOD
fi
# can't use -f filter mode because it's impossible to specify
# the pubring to use if you do.
# +batchmode is essential - it forces a return code of 0 if and
# only if the pgp message was signed and the signator is explicitly
# listed in 'execring.pgp'.
pgp +batchmode $PGPPATH/job.$$ \
$PGPPATH/exec.$$ \
$PGPPATH/execring.pgp
if [ $? -ne 0 ]; then
# This goes into the procmail log
echo ILLEGAL REMOTE JOB - USER NOT IN EXECRING.PGP
# tidy up
rm -f $PGPPATH/job.$$
rm -f $PGPPATH/exec.$$
exit 1
fi
# execute the command - probably a script but could as easily be a
# binary executable if properly compiled for the target host.
chmod +x $PGPPATH/exec.$$
$PGPPATH/exec.$$
# tidy up
rm -f $PGPPATH/job.$$
rm -f $PGPPATH/exec.$$
exit 0
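The same gate rebuilt on GnuPG, as an added example that is not part of gtoal's script: the first PGP block is extracted (the ecce step), the message is verified against a dedicated keyring only, and the job runs only if the signer's fingerprint is explicitly allowlisted, which is the counterpart of "signer listed in execring.pgp". Assumed, not from the post: gpg on PATH, EXEC_KEYRING (path of that keyring) and ALLOWED_FPRS (space separated full fingerprints) set in the environment.

```shell
#!/bin/sh
# Added example, not the original script. Accept a mailed job only if it is
# signed by a key in a dedicated keyring, then execute it as the current user.
# Assumed: gpg on PATH, EXEC_KEYRING = that keyring's path,
# ALLOWED_FPRS = space separated full fingerprints of keys allowed to submit jobs.

# Keep only the first PGP block of the message (empty output if there is none);
# this is the spoofing precaution the original performs with ecce.
first_pgp_block() {
    awk '/^-----BEGIN PGP MESSAGE-----$/ && !seen { inblk = 1; seen = 1 }
         inblk { print }
         inblk && /^-----END PGP MESSAGE-----$/ { inblk = 0 }'
}

# Read gpg --status-fd output on stdin; succeed only when a VALIDSIG line names a
# fingerprint in the allowlist ($1). GOODSIG alone would admit any key that happens
# to be in the keyring, and BADSIG/ERRSIG lines must never count as a pass.
signer_allowed() {
    fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    for a in $1; do
        [ "$a" = "$fpr" ] && return 0
    done
    return 1
}

# Gate and run one job; the mail arrives on stdin, as when invoked from procmail.
run_signed_job() {
    tmp=$(mktemp -d) || return 1
    first_pgp_block > "$tmp/job"
    if [ ! -s "$tmp/job" ]; then
        echo "remote job: no PGP message found" >&2; rm -rf "$tmp"; return 1
    fi
    # Dedicated keyring only, like execring.pgp; the user's default keyring is ignored.
    gpg --batch --no-default-keyring --keyring "$EXEC_KEYRING" \
        --status-file "$tmp/status" --output "$tmp/exec" --decrypt "$tmp/job" 2>/dev/null
    if ! signer_allowed "$ALLOWED_FPRS" < "$tmp/status"; then
        echo "ILLEGAL REMOTE JOB - SIGNER NOT IN ALLOWLIST" >&2; rm -rf "$tmp"; return 1
    fi
    chmod 700 "$tmp/exec" && "$tmp/exec"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

A missing status file (gpg absent or failed before writing it) makes the redirection fail, so the gate fails closed rather than running the job.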