

7 Commits

Author SHA1 Message Date
s2
2546ebca16 update urls 2023-03-17 12:42:15 +01:00
s2
079641675e fix readme link 2023-01-08 15:57:02 +01:00
s2
1ae9f9ed50 update link 2023-01-08 15:54:53 +01:00
s2
4bc407213b Revert "update sshenc.sh url"
This reverts commit b2df05b763.
2023-01-08 15:54:06 +01:00
s2
b2df05b763 update sshenc.sh url 2023-01-08 15:53:21 +01:00
Bernard Martis
bae0175dce Comment code and update user documentation
- Group code into sections by functionality
- Explain the use of multiple public keys
2020-09-07 19:28:04 -04:00
Bernard Martis
c97265aa00 Use LibreSSL on MacOS
- Use the LibreSSL library that comes preinstalled on MacOS
- Disable the OpenSSL options that LibreSSL does not support
- Explain how to install OpenSSL if the LibreSSL version is too old
2020-09-07 19:24:28 -04:00
3 changed files with 54 additions and 39 deletions


@@ -4,13 +4,13 @@
If you received a message from someone that was encrypted with this script, you can decrypt it with your ssh private key using the following command without installing anything: If you received a message from someone that was encrypted with this script, you can decrypt it with your ssh private key using the following command without installing anything:
``` ```
bash <(curl -s https://sshenc.sh/sshenc.sh) -s ~/.ssh/id_rsa < file-containing-the-encrypted-text.txt bash <(curl -s https://raw.githubusercontent.com/5im-0n/sshenc.sh/master/sshenc.sh) -s ~/.ssh/id_rsa < file-containing-the-encrypted-text.txt
``` ```
sshenc.sh uses openssl under the hood, so you need to have that installed in your path to make it work. sshenc.sh uses openssl under the hood, so you need to have that installed in your path to make it work.
## Install ## Install
``` ```
curl -O https://sshenc.sh/sshenc.sh curl -O https://raw.githubusercontent.com/5im-0n/sshenc.sh/master/sshenc.sh
chmod +x sshenc.sh chmod +x sshenc.sh
``` ```
@@ -42,7 +42,7 @@ sshenc.sh -s ~/.ssh/id_rsa < encrypted.txt
Also, a new `-iter` parameter to explicitly specify a given number of iterations on the password in deriving the encryption key was added. Also, a new `-iter` parameter to explicitly specify a given number of iterations on the password in deriving the encryption key was added.
Before OpenSSL 1.1.1 this option was not available. Before OpenSSL 1.1.1 this option was not available.
Since the new parameters are more secure, `sshenc.sh` changed to adopt them, so since 2019-11-26, files encrypted with a previous version of `sshenc.sh` will not decrypt. Since the new parameters are more secure, `sshenc.sh` changed to adopt them, so since 2019-11-26, files encrypted with a previous version of `sshenc.sh` will not decrypt.
To do so, use the prevous `sshenc.sh` script, located at [https://sshenc.sh/sshenc-pre1.1.1.sh](https://sshenc.sh/sshenc-pre1.1.1.sh). To do so, use the prevous `sshenc.sh` script, located at [https://raw.githubusercontent.com/5im-0n/sshenc.sh/master/sshenc-pre1.1.1.sh](https://raw.githubusercontent.com/5im-0n/sshenc.sh/master/sshenc-pre1.1.1.sh).
## License ## License
[MIT](https://opensource.org/licenses/MIT) [MIT](https://opensource.org/licenses/MIT)


@@ -15,7 +15,7 @@ examples:
- decrypt a file - decrypt a file
$me -s ~/.ssh/id_rsa < encrypted.txt $me -s ~/.ssh/id_rsa < encrypted.txt
$me home page: https://sshenc.sh/ $me home page: https://github.com/5im-0n/sshenc.sh/
EOF EOF
} }
@@ -49,7 +49,7 @@ trap cleanup EXIT
if [[ "${#public_key[@]}" > 0 ]]; then if [[ "${#public_key[@]}" > 0 ]]; then
openssl rand 32 > $temp_file_key openssl rand 32 > $temp_file_key
echo "-- encrypted with https://sshenc.sh/" echo "-- encrypted with https://github.com/5im-0n/sshenc.sh/"
echo "-- keys" echo "-- keys"
for pubkey in "${public_key[@]}" for pubkey in "${public_key[@]}"
do do


@@ -1,7 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
OPTIND=1 # reset in case getopts has been used previously in the shell. # --- constants
me=sshenc.sh me=sshenc.sh
show_help() { show_help() {
@@ -9,23 +8,25 @@ cat << EOF
usage: $me [[-p <public ssh key> | -g <github handle>]| -s <private ssh key>] [-h] usage: $me [[-p <public ssh key> | -g <github handle>]| -s <private ssh key>] [-h]
examples: examples:
- encrypt a file
$me -p ~/.ssh/id_rsa.pub < plain-text-file.txt > encrypted.txt
- decrypt a file - decrypt a file
$me -s ~/.ssh/id_rsa < encrypted.txt $me -s ~/.ssh/id_rsa < encrypted.txt
- encrypt a file to a GitHub user (requires curl and bash 4) - encrypt a file
$me -p ~/.ssh/id_rsa.pub < plain-text-file.txt > encrypted.txt
- encrypt using a GitHub users public SSH key (requires curl and bash 3.2)
$me -g foo < plain-text-file.txt > encrypted.txt $me -g foo < plain-text-file.txt > encrypted.txt
$me home page: https://sshenc.sh/ - encrypt using multiple public keys (file can be read by any associated private key)
$me -g foo -g bar -p baz -p ~/.ssh/id_rsa.pub < plain-text-file.txt > encrypted.txt
$me home page: https://github.com/5im-0n/sshenc.sh/
EOF EOF
} }
cleanup() { # --- process option parameters
rm -rf "$temp_dir" OPTIND=1 # reset in case getopts has been used previously in the shell
}
while getopts "h?p:s:g:" opt; do while getopts "h?p:s:g:" opt; do
case "$opt" in case "$opt" in
h|\?) h|\?)
@@ -40,31 +41,48 @@ while getopts "h?p:s:g:" opt; do
esac esac
done done
shift $((OPTIND -1)) shift $((OPTIND -1)) # pop the processed options off the stack
[ "$1" = "--" ] && shift [ "$1" = "--" ] && shift
# --- setup environment
# data cache files
temp_dir="$(mktemp -d -t "$me.XXXXXX")" temp_dir="$(mktemp -d -t "$me.XXXXXX")"
temp_file_key="$(mktemp "$temp_dir/$me.XXXXXX.key")" temp_file_key="$(mktemp "$temp_dir/$me.XXXXXX.key")"
temp_file="$(mktemp "$temp_dir/$me.XXXXXX.cypher")" temp_file="$(mktemp "$temp_dir/$me.XXXXXX.cypher")"
cleanup() {
rm -rf "$temp_dir"
}
trap cleanup EXIT trap cleanup EXIT
uname=$(uname -s 2>/dev/null) # os specific configuration
case "$(uname -s 2>/dev/null)" in
case "${uname}x" in Darwin)
Darwinx) if [[ -n $(openssl version | grep -Eo "LibreSSL [2-9]") ]]; then
openssl_path=$(command -v openssl 2>/dev/null) openssl_params=''
if [ "${openssl_path}x" = "/usr/bin/opensslx" ]; then else
echo >&2 "You need openssl 1.1.1 installed and in the \$PATH" echo >&2 "Install openssl 1.1.1 or higher and add it to your \$PATH"
echo ''
echo ' brew install openssl'
echo ' echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile'
echo ' source ~/.bash_profile'
echo ''
exit 1 exit 1
fi fi
;; ;;
*)
openssl_params='-pbkdf2 -iter 100000'
esac esac
# retrieve ssh keys from github # --- retrieve ssh keys from github
OLDMASK=$(umask)
umask 0266
if [[ "${#github_handle[@]}" -gt 0 ]]; then if [[ "${#github_handle[@]}" -gt 0 ]]; then
if ! which curl >/dev/null ; then
>&2 echo "curl command not found"
exit 1
fi
OLDMASK=$(umask); umask 0266
for handle in "${github_handle[@]}" for handle in "${github_handle[@]}"
do do
curl -s "https://github.com/$handle.keys" | grep ssh-rsa > "$temp_dir/$handle" curl -s "https://github.com/$handle.keys" | grep ssh-rsa > "$temp_dir/$handle"
@@ -77,16 +95,14 @@ if [[ "${#github_handle[@]}" -gt 0 ]]; then
done < "$temp_dir/$handle" done < "$temp_dir/$handle"
fi fi
done done
umask "$OLDMASK"
fi fi
umask "$OLDMASK" # --- encrypt stdin
#encrypt
if [[ "${#public_key[@]}" > 0 ]]; then if [[ "${#public_key[@]}" > 0 ]]; then
openssl rand 32 > $temp_file_key openssl rand 32 > $temp_file_key
echo "-- encrypted with https://sshenc.sh/" echo "-- encrypted with https://github.com/5im-0n/sshenc.sh/"
echo "-- keys" echo "-- keys"
for pubkey in "${public_key[@]}" for pubkey in "${public_key[@]}"
do do
@@ -103,11 +119,11 @@ if [[ "${#public_key[@]}" > 0 ]]; then
done done
echo "-- /keys" echo "-- /keys"
if cat | openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -pass file:"$temp_file_key" > "$temp_file"; then if cat | openssl enc -aes-256-cbc -salt $openssl_params -pass file:"$temp_file_key" > "$temp_file"; then
openssl base64 -A < "$temp_file" openssl base64 -A < "$temp_file"
fi fi
#decrypt # --- decrypt stdin
elif [[ -e "$private_key" ]]; then elif [[ -e "$private_key" ]]; then
stdin=`cat` stdin=`cat`
keys_enc=$(echo "$stdin" | awk '/-- keys/{f=1;next} /-- \/keys/{f=0} f') keys_enc=$(echo "$stdin" | awk '/-- keys/{f=1;next} /-- \/keys/{f=0} f')
@@ -115,7 +131,6 @@ elif [[ -e "$private_key" ]]; then
install -m 0600 "$private_key" "$temp_dir/private_key" install -m 0600 "$private_key" "$temp_dir/private_key"
ssh-keygen -p -m PEM -N '' -f "$temp_dir/private_key" >/dev/null ssh-keygen -p -m PEM -N '' -f "$temp_dir/private_key" >/dev/null
i=0 i=0
while read line ; do \ while read line ; do \
if [ "$line" == "-- key" ]; then if [ "$line" == "-- key" ]; then
@@ -129,8 +144,8 @@ elif [[ -e "$private_key" ]]; then
decrypted=false decrypted=false
for key in "${keys[@]}"; do for key in "${keys[@]}"; do
if $(echo "$key" | openssl base64 -d -A | openssl rsautl -decrypt -oaep -inkey "$temp_dir/private_key" >"$temp_file" 2>/dev/null); then if $(echo "$key" | openssl base64 -d -A | openssl rsautl -decrypt -oaep -inkey "$temp_dir/private_key" >"$temp_file_key" 2>/dev/null); then
if echo "$cypher" | openssl base64 -d -A | openssl aes-256-cbc -pbkdf2 -iter 100000 -d -pass file:"$temp_file"; then if echo "$cypher" | openssl base64 -d -A | openssl aes-256-cbc -d $openssl_params -pass file:"$temp_file_key"; then
decrypted=true decrypted=true
fi fi
fi fi
@@ -141,7 +156,7 @@ elif [[ -e "$private_key" ]]; then
exit 1 exit 1
fi fi
#help # --- help
else else
show_help show_help
exit 1 exit 1