Tai Groot
#!/usr/bin/env bash
autoclean(){
echo "Launching autoclean for security purposes"
sleep 60
clean
}
gen_key(){
echo "Generating a fresh key for login"
echo "y" | ssh-keygen -t rsa -N "" -f /home/tunbun/.ssh/$1
cat /home/tunbun/.ssh/$1.pub >> /home/tunbun/.ssh/authorized_keys
}
start_remote(){
salt $1 cmd.run 'useradd tun || true'
salt $1 cmd.run 'usermod -aG sudo tun'
salt $1 state.apply tunbun pillar="{\"port\": \"$2\"}"
curl "https://gotify.myserver.com?token=your_token_here" -F "title=Tunnelbunny" -F "message=Device $1 has been accessed via tunnelbunny." -F "priority=0" > /dev/null 2>/dev/null
sleep 5
}
device_online(){
echo "Checking if device is online..."
if salt $1 test.ping; then
return 0
fi
return "1"
}
choose_port(){
local port=$(shuf -i 2000-65000 -n 1)
netstat -lat | grep $port > /dev/null
if [[ $? == 1 ]] ; then
echo "$port"
else
echo "$(choose_port)"
fi
}
clean(){ # we can just remove all keys here since connections already in # in effect use the session key, just run script again if you need to
rm -f /home/tunbun/.ssh/\*
}
connect(){
password=$(uuidgen)
salt "$device" cmd.run "yes $password | passwd tun"
{
sleep 15
echo "password: $password"
} &
ssh -p $port -o StrictHostKeyChecking=no -i "/home/tunbun/.ssh/$device" tun@localhost
}
device=""
if [[$EUID -ne 0]]; then
echo "This script must be run as root"
exit 1
fi
if [ "$1" == "" ]; then
echo "Please run $0 help to see a list of commands."
exit 0
elif [ "$1" == "help" ]; then
echo "Usage: tunnelbunny <hostname>"
echo "tunnelbunny can be used to ssh into an arbitrary salt-minion client as the tun user."
echo "The tun user has sudo access. Calling tunnelbunny opens a password-authenticated ssh tunnel."
echo "After establishing a tunnel, you will be asked for a password. Wait for ~10 seconds, and the password will be printed to the screen."
echo "Copy and paste that password once into the password prompt, then immediately after, run 'sudo su' and paste the password a second time to become root."
echo "Every run of tunnelbunny generates a new password, so there's not need to save it externally."
exit 0
elif [ "$1" == "clean" ]; then
clean
exit 0
# Sanitize the input before salt call (no spaces allowed for bash hijacking)
elif [[$1 = *" "*]]; then
echo "No tricksies please"
exit 1
fi
if ! device_online $1; then
echo "Could not contact device: $1"
exit 1
fi
device=$1
clean
gen_key $device
port=$(choose_port)
start_remote $device $port
autoclean &
connect && exit 0
echo "Sleeping 5 seconds and retrying one more time..."
sleep 5
connect
cmd-add-sshkey:
file.managed:
- name: /tmp/sshkey
- source: salt://creds/tunbun/{{ salt['grains.get']('id') }}
- user: clp-0516
- group: clp-0516
- mode: 400
- skip_verify: True
cmd-add-authkey:
file.managed:
- name: /home/tun/.ssh/authorized_keys
- source: salt://creds/tunbun/{{ salt['grains.get']('id') }}.pub
- mode: 400
- user: tun
- group: tun
- makedirs: True
- skip_verify: True
cmd-enable-localhost-ssh:
file.append:
- name: /etc/ssh/sshd_config
- text:
- ListenAddress localhost
cmd-restart-ssh:
cmd.run:
- name: systemctl restart ssh
cmd-ssh-host:
cmd.run:
- name: ssh -o StrictHostKeyChecking=no -i /tmp/sshkey -R {{ salt['pillar.get']('port','1337') }}:localhost:22 -N tunbun@master-domain.com -p 443
- bg: True
- require:
- cmd: cmd-restart-ssh
- file: cmd-add-sshkey
- file: cmd-add-authkey
Written By
I’m a senior software engineer working in IoT and distributed systems. I have a strong background grounded in Linux, Go, and DevOps tooling. I’ll use this space to share some of the things I’ve learned along my way, and occasionally …
Tai Groot
Real-Time SSH Login Alerts Using PAM and Gotify Pluggable Authentication Modules ( PAM) provide a flexible mechanism for authenticating users on Linux …
Read Article
Tai Groot
Temporal is an open-source workflow orchestration engine designed to manage, execute, and monitor complex workflows and activities. In plain terms, …
Read Article