Diffstat (limited to 'community/safekeep')
-rw-r--r-- | community/safekeep/0001-ssh.strict_hostkey_checking-configurable.patch | 95 | ||||
-rw-r--r-- | community/safekeep/APKBUILD | 53 | ||||
-rw-r--r-- | community/safekeep/safekeep-server.post-install | 6 |
3 files changed, 154 insertions, 0 deletions
diff --git a/community/safekeep/0001-ssh.strict_hostkey_checking-configurable.patch b/community/safekeep/0001-ssh.strict_hostkey_checking-configurable.patch
new file mode 100644
index 0000000000..c0004fcf30
--- /dev/null
+++ b/community/safekeep/0001-ssh.strict_hostkey_checking-configurable.patch
@@ -0,0 +1,95 @@
+From 5d66f5106e77c378e387c9c9159a3fdc150b0818 Mon Sep 17 00:00:00 2001
+From: Henrik Riomar <henrik.riomar@gmail.com>
+Date: Sun, 19 Feb 2017 21:10:27 +0100
+Subject: [PATCH] ssh.strict_hostkey_checking configurable
+
+Make ssh StrictHostKeyChecking configurable in safekeep.conf with
+'ask' as default if not configured.
+---
+ doc/safekeep.conf.txt | 9 +++++++++
+ safekeep | 14 +++++++++++---
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/doc/safekeep.conf.txt b/doc/safekeep.conf.txt
+index 43fff57..11f6876 100644
+--- a/doc/safekeep.conf.txt
++++ b/doc/safekeep.conf.txt
+@@ -151,6 +151,15 @@ ssh.keygen.bits::
+ option with no corresponding bit size.
+ This value is optional, it defaults to '4096'.
+
++ssh.strict_hostkey_checking::
++ Specifies if StrictHostKeyChecking should be performed by the ssh
++ client when connecting to the remote host.
++ This value is optional, it defaults to 'ask'.
++ Set to 'yes' if you sign host keys with a CA key or manage host keys
++ by other means (FreeIPA/sssd, Ansible,,,).
++ Setting this to 'no' is a bit unsafe as new hosts are automatically
++ added to known_hosts without any validation.
++
+ NOTES
+ -----
+ Safekeep uses `trickle` to implement bandwidth throttling (see
+diff --git a/safekeep b/safekeep
+index 4cbf374..43b6cd1 100755
+--- a/safekeep
++++ b/safekeep
+@@ -79,6 +79,8 @@ ssh_keygen_type = 'rsa'
+ ssh_keygen_bits = 4096
+ SSH_TYPES = ['dsa', 'rsa', 'ed25519', 'ecdsa']
+ SSH_KEY_TYPES = ['ssh-dss', 'ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521']
++ssh_StrictHostKeyChecking = 'ask'
++SSH_STRICT_HOSTKEY_CHECK_OPTS = ['ask', 'yes', 'no' ]
+ # Default mount options, overridden elsewhere:
+ # Key is a file system type, or 'snapshot' for default for snapshot mount
+ # or 'bind' for a bind mount (check mount for details)
+@@ -1548,7 +1550,7 @@ def do_server_rdiff(cfg, bdir, nice, ionice, force):
+ args.extend(['rdiff-backup'])
+
+ if cfg['host']:
+- basessh = 'ssh -oStrictHostKeyChecking=no'
++ basessh = 'ssh -oStrictHostKeyChecking=%s' % (ssh_StrictHostKeyChecking)
+ if cfg['port']: basessh += ' -p %s' % cfg['port']
+ schema = '%s %s -i %s %%s rdiff-backup --server' % (basessh, verbosity_ssh, cfg['key_data'])
+ args.extend(['--remote-schema', schema])
+@@ -1694,6 +1696,7 @@ def do_server(cfgs, ids, nice, ionice, force, cleanup):
+ cmd.extend(['ssh'])
+ if verbosity_ssh: cmd.extend([verbosity_ssh])
+ if cfg['port']: cmd.extend(['-p', cfg['port']])
++ cmd.extend(['-oStrictHostKeyChecking=%s' % (ssh_StrictHostKeyChecking)])
+ cmd.extend(['-T', '-i', cfg['key_ctrl'], '-l', cfg['user'], cfg['host']])
+ cmd.extend(['safekeep', '--client'])
+
+@@ -1977,7 +1980,7 @@ def do_keys(cfgs, ids, nice_rem, identity, status, dump, deploy):
+ if dump:
+ print output
+
+- basessh = ['ssh', '-oStrictHostKeyChecking=no']
++ basessh = ['ssh', '-oStrictHostKeyChecking=%s' % (ssh_StrictHostKeyChecking) ]
+ if cfg['port']: basessh.append('-p %s' % cfg['port'])
+ if identity: basessh.append('-i %s' % (commands.mkarg(identity)))
+
+@@ -2306,7 +2309,7 @@ def main():
+ default_snapshot += 'FREE'
+ client_defaults.append('snapshot.size=%s' % default_snapshot)
+
+- global ssh_keygen_type, ssh_keygen_bits
++ global ssh_keygen_type, ssh_keygen_bits, ssh_StrictHostKeyChecking
+ if 'ssh.keygen.type' in props:
+ ssh_keygen_type = props['ssh.keygen.type']
+ if ssh_keygen_type not in SSH_TYPES:
+@@ -2324,6 +2327,11 @@ def main():
+ else:
+ # For cases where no bit size is required
+ ssh_keygen_bits = 0
++ if 'ssh.strict_hostkey_checking' in props:
++ ssh_StrictHostKeyChecking = props['ssh.strict_hostkey_checking']
++ if ssh_StrictHostKeyChecking not in SSH_STRICT_HOSTKEY_CHECK_OPTS:
++ error('CONFIG ERROR: invalid ssh.strict_hostkey_checking value: %s' % props['ssh.strict_hostkey_checking'])
++ sys.exit(2)
+
+ if len(cfglocs) == 0:
+ locs = os.path.join(os.path.dirname(cfgfile), 'backup.d')
+--
+2.1.4
+
diff --git a/community/safekeep/APKBUILD b/community/safekeep/APKBUILD
new file mode 100644
index 0000000000..17f044d7b2
--- /dev/null
+++ b/community/safekeep/APKBUILD
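Review bot: The `ssh.strict_hostkey_checking` entry added to doc/safekeep.conf.txt understates `no` and says nothing about what the new default means for unattended runs. As far as I know, with `no` ssh not only records unknown hosts but also still connects with key authentication when a known host's key has changed, so an impersonated client host is not detected. With `ask`, a cron-driven run has no terminal to answer the prompt, so a host missing from known_hosts fails instead of being accepted as under the old hard-coded `no`; that is the safer behaviour but a change operators need to know about. I would add a sentence such as `With 'ask' or 'yes', unattended runs need the host key in known_hosts beforehand.` and a comment above the check in main() along the lines of `# allow-list: this value is interpolated into ssh command lines`.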
@@ -0,0 +1,53 @@
+# Contributor: Henrik Riomar <henrik.riomar@gmail.com>
+# Maintainer: Henrik Riomar <henrik.riomar@gmail.com>
+pkgname=safekeep
+pkgver=1.4.4
+pkgrel=1
+pkgdesc="SafeKeep backup system"
+url="https://github.com/dimipaun/safekeep"
+arch="noarch"
+license="GPL2"
+depends="openssh-client python2 rdiff-backup util-linux"
+makedepends="asciidoc libxml2-utils xmlto"
+install="$pkgname-server.post-install"
+subpackages="$pkgname-doc $pkgname-client $pkgname-server"
+source="$pkgname-$pkgver.tar.gz::https://github.com/dimipaun/$pkgname/archive/$pkgver.tar.gz
+ 0001-ssh.strict_hostkey_checking-configurable.patch
+ "
+builddir="$srcdir/$pkgname-$pkgver"
+
+build() {
+ cd "$builddir"
+ make man || return 1
+ # ionice from util-linux is in /usr/bin (busybox in /bin)
+ sed -i 's|PATH=/sbin:/bin:/usr/sbin:/usr/bin|PATH=/sbin:/usr/sbin:/usr/bin:/bin|' safekeep.cron || return 1
+}
+
+check() {
+ cd "$builddir"
+ PATH="$PATH:." make check || return 1
+}
+
+client() {
+ pkgdesc="SafeKeep backup system - client"
+ depends="$pkgname"
+ mkdir -p "$subpkgdir"
+ # just a meta package
+}
+
+server() {
+ pkgdesc="SafeKeep backup system - server"
+ depends="$pkgname"
+ mkdir -p "$subpkgdir"
+ mv "$pkgdir"/etc "$subpkgdir"/etc || return 1
+ mkdir "$subpkgdir"/etc/periodic || return 1
+ mv "$subpkgdir"/etc/cron.daily "$subpkgdir"/etc/periodic/daily || return 1
+}
+
+package() {
+ cd "$builddir"
+ make install DESTDIR="$pkgdir" || return 1
+}
+
+sha512sums="2afdf6784ef2033032978554bc4b8703be86b5dde92795f1b7efe0099fc4cd35d215bc390e9b9ee3b3e396435ab1168a81dad1c7051861fb584a31749e63c68d safekeep-1.4.4.tar.gz
+c4576c6aad11b70b3e3fbd43a726dcc9f41e6a607281178f30605ff0812833e09efc97d46dda68c89d6e1586e9dc01a74f38484c625f64d084f11f4d806e1e25 0001-ssh.strict_hostkey_checking-configurable.patch"
diff --git a/community/safekeep/safekeep-server.post-install b/community/safekeep/safekeep-server.post-install
new file mode 100644
index 0000000000..5a208c4aad
--- /dev/null
+++ b/community/safekeep/safekeep-server.post-install
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+adduser -S -h /var/lib/safekeep safekeep
+install -d -m 0700 -o safekeep -g nogroup /var/lib/safekeep/.ssh
+
+exit 0 |
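Review bot: The unconditional `exit 0` hides a failure of the `install -d` line, so the package reports a clean install even when `/var/lib/safekeep/.ssh` was not created with mode 0700 and owner safekeep. `adduser -S` also runs without any guard and will presumably complain on a reinstall where the account already exists. I would silence only that expected case and let the directory step report errors, e.g. `adduser -S -h /var/lib/safekeep safekeep 2>/dev/null` followed by `install -d -m 0700 -o safekeep -g nogroup /var/lib/safekeep/.ssh || exit 1`.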