Tunnelbunny: Accessing a salt-minion using SSH Forwarding


#!/usr/bin/env bash
autoclean(){
  # Background watchdog: wait a fixed grace period, then call clean so a
  # session that was simply abandoned does not leave usable keys behind.
  # Globals: none read. Calls clean (defined in this file).
  local -r grace_seconds=60
  printf '%s\n' "Launching autoclean for security purposes"
  sleep "$grace_seconds"
  clean
}

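gen_key(){
  # Generate a fresh, passphrase-less RSA keypair named after the device and
  # authorise it for the local tunbun account.
  # Arguments: $1 - key name (the device id); must be non-empty.
  # Globals:   TUNBUN_SSH_DIR (optional override of the key directory).
  # Returns:   non-zero if the name is missing or ssh-keygen fails.
  local name=$1
  local -r ssh_dir=${TUNBUN_SSH_DIR:-/home/tunbun/.ssh}
  if [[ -z "$name" ]]; then
    printf '%s\n' "gen_key: key name required" >&2
    return 1
  fi
  printf '%s\n' "Generating a fresh key for login"
  # "y" answers ssh-keygen's overwrite prompt when a stale key of the same
  # name survived; the passphrase is empty because the key only lives until
  # clean removes it.
  echo "y" | ssh-keygen -t rsa -N "" -f "${ssh_dir}/${name}" || return
  cat -- "${ssh_dir}/${name}.pub" >> "${ssh_dir}/authorized_keys"
}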

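start_remote(){
  # Prepare the tun account on the minion and apply the tunbun state that
  # opens the reverse tunnel, then post a best-effort notification.
  # Arguments: $1 - salt target (device id); $2 - local port for the tunnel.
  # Globals:   GOTIFY_TOKEN (optional; falls back to the placeholder token).
  # Returns:   1 on bad arguments; otherwise the status of the last command.
  local device=$1 port=$2
  local -r gotify_url="https://gotify.myserver.com?token=${GOTIFY_TOKEN:-your_token_here}"
  if [[ -z "$device" || ! "$port" =~ ^[0-9]+$ ]]; then
    printf '%s\n' "start_remote: need <device> <numeric port>" >&2
    return 1
  fi
  salt "$device" cmd.run 'useradd tun || true'
  salt "$device" cmd.run 'usermod -aG sudo tun'
  # The pillar value ends up in the minion's "ssh -R" argument, which is why
  # only a plain port number is accepted above.
  salt "$device" state.apply tunbun pillar="{\"port\": \"${port}\"}"
  # Notification is intentionally fire-and-forget; failures are ignored.
  curl -s "$gotify_url" -F "title=Tunnelbunny" -F "message=Device ${device} has been accessed via tunnelbunny." -F "priority=0" >/dev/null 2>&1
  sleep 5
}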

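device_online(){
  # Return 0 when the salt minion named in $1 answers test.ping, 1 otherwise.
  # Arguments: $1 - salt target (device id), passed quoted so it stays one word.
  printf '%s\n' "Checking if device is online..."
  if salt "$1" test.ping; then
    return 0
  fi
  return 1
}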

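_choose_port_sockets(){
  # Dump the local TCP socket table numerically; prefer netstat, fall back to ss.
  if command -v netstat >/dev/null 2>&1; then
    netstat -latn
  else
    ss -tan
  fi
}

choose_port(){
  # Print a random TCP port in 2000-65000 that is not present in the local
  # socket table. Bounded retry instead of unbounded recursion.
  # Outputs: the port on stdout.
  # Returns: 0 on success; 1 (printing nothing) if no free port was found
  #          within the attempt budget or shuf failed.
  local -r attempts=50
  local port i
  for (( i = 0; i < attempts; i++ )); do
    port=$(shuf -i 2000-65000 -n 1) || return 1
    # Match ":PORT" followed by whitespace so 2000 is not mistaken for 12000
    # or for an address component.
    if ! _choose_port_sockets 2>/dev/null | grep -qE ":${port}[[:space:]]"; then
      printf '%s\n' "$port"
      return 0
    fi
  done
  return 1
}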

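clean(){
  # Remove every file in the tunbun ssh directory (the per-device private key,
  # its .pub and authorized_keys). Sessions that are already established keep
  # working because they negotiated a session key; rerun the script for a new one.
  # Globals: TUNBUN_SSH_DIR (optional override of the key directory).
  local -r ssh_dir=${TUNBUN_SSH_DIR:-/home/tunbun/.ssh}
  # The glob must stay unescaped: "\*" would only match a file literally named '*'.
  # ${ssh_dir:?} aborts instead of expanding to "/*" if the directory is empty.
  rm -f -- "${ssh_dir:?}"/*
}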
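connect(){
  # Set a fresh one-time password for tun on the minion, then ssh through the
  # reverse tunnel on localhost. The password is printed 15 s later so it can
  # be pasted at the prompt (and again for sudo).
  # Globals: device (read), port (read), TUNBUN_SSH_DIR (optional override).
  # Returns: 1 on missing/invalid globals or uuidgen failure; else ssh's status.
  local password
  password=$(uuidgen) || return 1
  if [[ -z "$device" || ! "$port" =~ ^[0-9]+$ ]]; then
    printf '%s\n' "connect: device and numeric port must be set" >&2
    return 1
  fi
  # The password is part of the cmd.run argument, so it is visible in salt
  # logs and in the minion's process list until passwd returns.
  salt "$device" cmd.run "yes $password | passwd tun"
  {
    sleep 15
    printf 'password: %s\n' "$password"
  } &
  # Host key checking is off because localhost:$port presents a different
  # minion's host key on every run.
  ssh -p "$port" -o StrictHostKeyChecking=no -i "${TUNBUN_SSH_DIR:-/home/tunbun/.ssh}/${device}" tun@localhost
}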
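device=""

# Keys are written under /home/tunbun/.ssh and salt is driven from here, so
# refuse to run unprivileged. "[[" needs whitespace around its operands;
# "[[$EUID -ne 0]]" is parsed as a command name and the check never fires.
if [[ "$EUID" -ne 0 ]]; then
  printf '%s\n' "This script must be run as root" >&2
  exit 1
fi

case "${1:-}" in
  "")
    printf '%s\n' "Please run $0 help to see a list of commands."
    exit 0
    ;;
  help)
    cat <<'EOF'
Usage: tunnelbunny <hostname>
tunnelbunny can be used to ssh into an arbitrary salt-minion client as the tun user.
The tun user has sudo access. Calling tunnelbunny opens a password-authenticated ssh tunnel.
After establishing a tunnel, you will be asked for a password. Wait for ~10 seconds, and the password will be printed to the screen.
Copy and paste that password once into the password prompt, then immediately after, run 'sudo su' and paste the password a second time to become root.
Every run of tunnelbunny generates a new password, so there's not need to save it externally.
EOF
    exit 0
    ;;
  clean)
    clean
    exit 0
    ;;
esac

# Sanitize the minion id before it reaches salt or ssh: allow only the
# characters a hostname-style minion id needs, so whitespace and shell
# metacharacters cannot alter the command lines built from it.
if [[ ! "$1" =~ ^[A-Za-z0-9._-]+$ ]]; then
  printf '%s\n' "No tricksies please" >&2
  exit 1
fi

if ! device_online "$1"; then
  printf '%s\n' "Could not contact device: $1" >&2
  exit 1
fi

device=$1
clean
gen_key "$device"
port=$(choose_port) || { printf '%s\n' "Could not find a free local port" >&2; exit 1; }
start_remote "$device" "$port"
# Wipe the session keys after a fixed delay even if this shell is abandoned.
autoclean &
connect && exit 0
printf '%s\n' "Sleeping 5 seconds and retrying one more time..."
sleep 5
connect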
# Salt state applied to the minion by start_remote (state.apply tunbun).
# It installs the session keypair, authorises it for the tun user, and opens
# a reverse tunnel from the minion back to the master.

# Private key the minion uses to reach the master. Mode 400 limits it to the
# owner; skip_verify turns off source checksum verification, so the file is
# trusted exactly as the fileserver serves it.
# NOTE(review): the owner clp-0516 is a fixed account name — presumably a
# placeholder; confirm it exists on every target minion.
cmd-add-sshkey:
  file.managed:
    - name: /tmp/sshkey
    - source: salt://creds/tunbun/{{ salt['grains.get']('id') }}
    - user: clp-0516
    - group: clp-0516
    - mode: 400
    - skip_verify: True

# Public half of the same session key, authorised for the tun account so the
# master side can log in through the tunnel.
cmd-add-authkey:
  file.managed:
    - name: /home/tun/.ssh/authorized_keys
    - source: salt://creds/tunbun/{{ salt['grains.get']('id') }}.pub
    - mode: 400
    - user: tun
    - group: tun
    - makedirs: True
    - skip_verify: True

# NOTE(review): once any ListenAddress is set, sshd listens only on the
# addresses listed, so after this sshd is reachable on the minion only via
# loopback (i.e. through the tunnel) — confirm that is intended.
cmd-enable-localhost-ssh:
  file.append:
    - name: /etc/ssh/sshd_config
    - text:
        - ListenAddress localhost

cmd-restart-ssh:
  cmd.run:
    - name: systemctl restart ssh

# Reverse tunnel: the minion connects to the master on 443 and publishes its
# own sshd (localhost:22) on the master at the pillar port (default 1337).
# -N opens no remote shell; bg: True leaves the ssh process running after the
# state returns. StrictHostKeyChecking=no accepts whatever host key the master
# presents on first contact.
cmd-ssh-host:
  cmd.run:
    - name: ssh -o StrictHostKeyChecking=no -i /tmp/sshkey -R {{ salt['pillar.get']('port','1337') }}:localhost:22 -N tunbun@master-domain.com -p 443
    - bg: True
    - require:
        - cmd: cmd-restart-ssh
        - file: cmd-add-sshkey
        - file: cmd-add-authkey
