mirror of
https://github.com/5im-0n/sshenc.sh.git
synced 2025-08-02 19:30:05 +02:00
Compare commits
2 Commits
b7c0dad242
...
bae0175dce
| Author | SHA1 | Date | |
|---|---|---|---|
|
bae0175dce | ||
|
|
c97265aa00 |
79
sshenc.sh
79
sshenc.sh
@@ -1,7 +1,6 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
OPTIND=1 # reset in case getopts has been used previously in the shell.
|
||||
|
||||
# --- constants
|
||||
me=sshenc.sh
|
||||
|
||||
show_help() {
|
||||
@@ -9,23 +8,25 @@ cat << EOF
|
||||
usage: $me [[-p <public ssh key> | -g <github handle>]| -s <private ssh key>] [-h]
|
||||
|
||||
examples:
|
||||
- encrypt a file
|
||||
$me -p ~/.ssh/id_rsa.pub < plain-text-file.txt > encrypted.txt
|
||||
|
||||
- decrypt a file
|
||||
$me -s ~/.ssh/id_rsa < encrypted.txt
|
||||
|
||||
- encrypt a file to a GitHub user (requires curl and bash 4)
|
||||
- encrypt a file
|
||||
$me -p ~/.ssh/id_rsa.pub < plain-text-file.txt > encrypted.txt
|
||||
|
||||
- encrypt using a GitHub users public SSH key (requires curl and bash 3.2)
|
||||
$me -g foo < plain-text-file.txt > encrypted.txt
|
||||
|
||||
- encrypt using multiple public keys (file can be read by any associated private key)
|
||||
$me -g foo -g bar -p baz -p ~/.ssh/id_rsa.pub < plain-text-file.txt > encrypted.txt
|
||||
|
||||
$me home page: https://sshenc.sh/
|
||||
EOF
|
||||
}
|
||||
|
||||
cleanup() {
|
||||
rm -rf "$temp_dir"
|
||||
}
|
||||
|
||||
# --- process option parameters
|
||||
OPTIND=1 # reset in case getopts has been used previously in the shell
|
||||
while getopts "h?p:s:g:" opt; do
|
||||
case "$opt" in
|
||||
h|\?)
|
||||
@@ -40,31 +41,48 @@ while getopts "h?p:s:g:" opt; do
|
||||
esac
|
||||
done
|
||||
|
||||
shift $((OPTIND -1))
|
||||
|
||||
shift $((OPTIND -1)) # pop the processed options off the stack
|
||||
[ "$1" = "--" ] && shift
|
||||
|
||||
# --- setup environment
|
||||
|
||||
# data cache files
|
||||
temp_dir="$(mktemp -d -t "$me.XXXXXX")"
|
||||
temp_file_key="$(mktemp "$temp_dir/$me.XXXXXX.key")"
|
||||
temp_file="$(mktemp "$temp_dir/$me.XXXXXX.cypher")"
|
||||
|
||||
cleanup() {
|
||||
rm -rf "$temp_dir"
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
uname=$(uname -s 2>/dev/null)
|
||||
|
||||
case "${uname}x" in
|
||||
Darwinx)
|
||||
openssl_path=$(command -v openssl 2>/dev/null)
|
||||
if [ "${openssl_path}x" = "/usr/bin/opensslx" ]; then
|
||||
echo >&2 "You need openssl 1.1.1 installed and in the \$PATH"
|
||||
# os specific configuration
|
||||
case "$(uname -s 2>/dev/null)" in
|
||||
Darwin)
|
||||
if [[ -n $(openssl version | grep -Eo "LibreSSL [2-9]") ]]; then
|
||||
openssl_params=''
|
||||
else
|
||||
echo >&2 "Install openssl 1.1.1 or higher and add it to your \$PATH"
|
||||
echo ''
|
||||
echo ' brew install openssl'
|
||||
echo ' echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile'
|
||||
echo ' source ~/.bash_profile'
|
||||
echo ''
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
;;
|
||||
*)
|
||||
openssl_params='-pbkdf2 -iter 100000'
|
||||
esac
|
||||
|
||||
# retrieve ssh keys from github
|
||||
OLDMASK=$(umask)
|
||||
umask 0266
|
||||
# --- retrieve ssh keys from github
|
||||
if [[ "${#github_handle[@]}" -gt 0 ]]; then
|
||||
if ! which curl >/dev/null ; then
|
||||
>&2 echo "curl command not found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
OLDMASK=$(umask); umask 0266
|
||||
for handle in "${github_handle[@]}"
|
||||
do
|
||||
curl -s "https://github.com/$handle.keys" | grep ssh-rsa > "$temp_dir/$handle"
|
||||
@@ -77,12 +95,10 @@ if [[ "${#github_handle[@]}" -gt 0 ]]; then
|
||||
done < "$temp_dir/$handle"
|
||||
fi
|
||||
done
|
||||
|
||||
umask "$OLDMASK"
|
||||
fi
|
||||
|
||||
umask "$OLDMASK"
|
||||
|
||||
#encrypt
|
||||
# --- encrypt stdin
|
||||
if [[ "${#public_key[@]}" > 0 ]]; then
|
||||
openssl rand 32 > $temp_file_key
|
||||
|
||||
@@ -103,11 +119,11 @@ if [[ "${#public_key[@]}" > 0 ]]; then
|
||||
done
|
||||
echo "-- /keys"
|
||||
|
||||
if cat | openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -pass file:"$temp_file_key" > "$temp_file"; then
|
||||
if cat | openssl enc -aes-256-cbc -salt $openssl_params -pass file:"$temp_file_key" > "$temp_file"; then
|
||||
openssl base64 -A < "$temp_file"
|
||||
fi
|
||||
|
||||
#decrypt
|
||||
# --- decrypt stdin
|
||||
elif [[ -e "$private_key" ]]; then
|
||||
stdin=`cat`
|
||||
keys_enc=$(echo "$stdin" | awk '/-- keys/{f=1;next} /-- \/keys/{f=0} f')
|
||||
@@ -115,7 +131,6 @@ elif [[ -e "$private_key" ]]; then
|
||||
install -m 0600 "$private_key" "$temp_dir/private_key"
|
||||
ssh-keygen -p -m PEM -N '' -f "$temp_dir/private_key" >/dev/null
|
||||
|
||||
|
||||
i=0
|
||||
while read line ; do \
|
||||
if [ "$line" == "-- key" ]; then
|
||||
@@ -129,8 +144,8 @@ elif [[ -e "$private_key" ]]; then
|
||||
|
||||
decrypted=false
|
||||
for key in "${keys[@]}"; do
|
||||
if $(echo "$key" | openssl base64 -d -A | openssl rsautl -decrypt -oaep -inkey "$temp_dir/private_key" >"$temp_file" 2>/dev/null); then
|
||||
if echo "$cypher" | openssl base64 -d -A | openssl aes-256-cbc -pbkdf2 -iter 100000 -d -pass file:"$temp_file"; then
|
||||
if $(echo "$key" | openssl base64 -d -A | openssl rsautl -decrypt -oaep -inkey "$temp_dir/private_key" >"$temp_file_key" 2>/dev/null); then
|
||||
if echo "$cypher" | openssl base64 -d -A | openssl aes-256-cbc -d $openssl_params -pass file:"$temp_file_key"; then
|
||||
decrypted=true
|
||||
fi
|
||||
fi
|
||||
@@ -141,7 +156,7 @@ elif [[ -e "$private_key" ]]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#help
|
||||
# --- help
|
||||
else
|
||||
show_help
|
||||
exit 1
|
||||
|
||||
Reference in New Issue
Block a user