silence ssh-keygen

fix readme newlines
fix shell redirection bug
2025-08-02 19:30:05 +02:00 · 2020-02-29 16:43:42 +01:00 · 2020-02-29 15:08:00 +01:00 · 2020-02-27 01:53:42 +01:00 · 2020-02-27 01:53:42 +01:00 · 2020-02-27 01:46:33 +01:00
2 changed files with 38 additions and 8 deletions
--- a/README.md
+++ b/README.md
@@ -28,9 +28,9 @@ sshenc.sh -p ~/.ssh/id_rsa.pub -p id_rsa-alice.pub -p id_rsa-bob.pub < plain-tex

 ### encrypt a file using the public key of a github user
 ```
-sshenc.sh -p <(curl -sf "https://github.com/S2-.keys" | grep ssh-rsa | tail -n1) < plain-text-file.txt
+sshenc.sh -g S2- < plain-text-file.txt
 ```
-this line fetches the first public key for the github user S2- and encrypts the file plain-text-file.txt using this key.
+this line fetches the public keys for the github user S2- and encrypts the file plain-text-file.txt using its key(s).

 ### decrypt a file
 ```
--- a/sshenc.sh
+++ b/sshenc.sh
@@ -6,7 +6,7 @@ me=sshenc.sh

 show_help() {
 cat << EOF
-usage: $me [-p <public ssh key> | -s <private ssh key>] [-h]
+usage: $me [[-p <public ssh key> | -g <github handle>]| -s <private ssh key>] [-h]

 examples:
    - encrypt a file
@@ -15,6 +15,9 @@ examples:
    - decrypt a file
    $me -s ~/.ssh/id_rsa < encrypted.txt

+    - encrypt a file to a GitHub user (requires curl and bash 4)
+    $me -g foo < plain-text-file.txt > encrypted.txt
+
 $me home page: https://sshenc.sh/
 EOF
 }
@@ -23,7 +26,7 @@ cleanup() {
    rm -rf "$temp_dir"
 }

-while getopts "h?p:s:" opt; do
+while getopts "h?p:s:g:" opt; do
    case "$opt" in
    h|\?)
    show_help
@@ -33,6 +36,7 @@ while getopts "h?p:s:" opt; do
    ;;
    s)  private_key=$OPTARG
    ;;
+    g)  github_handle+=("$OPTARG")
    esac
 done

@@ -45,6 +49,30 @@ temp_file_key="$(mktemp "$temp_dir/$me.XXXXXX.key")"
 temp_file="$(mktemp "$temp_dir/$me.XXXXXX.cypher")"
 trap cleanup EXIT

+# retrieve ssh keys from github
+OLDMASK=$(umask)
+umask 0266
+if [[ "${#github_handle[@]}" -gt 0 ]]; then
+    for handle in "${github_handle[@]}"
+    do
+        curl -s "https://github.com/$handle.keys" | grep ssh-rsa > "$temp_dir/$handle"
+        if [ -s "$temp_dir/$handle" ]; then
+            # dont do this with big files
+            mapfile -t handle_keys < "$temp_dir/$handle"
+            for key in "${!handle_keys[@]}"
+            do
+                echo "${handle_keys[key]}"
+                printf "%s" "${handle_keys[key]}" > "$temp_dir/$handle.$key"
+                echo "$temp_dir/$handle.$key"
+                public_key+=("$temp_dir/$handle.$key")
+            done
+        fi
+    done
+
+fi
+
+umask "$OLDMASK"
+
 #encrypt
 if [[ "${#public_key[@]}" > 0 ]]; then
    openssl rand 32 > $temp_file_key
@@ -57,7 +85,7 @@ if [[ "${#public_key[@]}" > 0 ]]; then
            convertedpubkey=$temp_dir/$(basename "$pubkey").pem
            ssh-keygen -f "$pubkey" -e -m PKCS8 > $convertedpubkey
            #encrypt key with public keys
-            if openssl rsautl -encrypt -pubin -inkey "$convertedpubkey" -in "$temp_file_key" -out $temp_dir/$(basename "$pubkey").key.enc; then
+            if openssl rsautl -encrypt -oaep -pubin -inkey "$convertedpubkey" -in "$temp_file_key" -out $temp_dir/$(basename "$pubkey").key.enc; then
                echo "-- key"
                openssl base64 -in $temp_dir/$(basename "$pubkey").key.enc
                echo "-- /key"
@@ -75,6 +103,9 @@ elif [[ -e "$private_key" ]]; then
    stdin=`cat`
    keys_enc=$(echo "$stdin" | awk '/-- keys/{f=1;next} /-- \/keys/{f=0} f')
    cypher=$(echo "$stdin" | sed -e '1,/-- \/keys/d')
+    install -m 0600 "$private_key" "$temp_dir/private_key"
+    ssh-keygen -p -m PEM -N '' -f "$temp_dir/private_key" >/dev/null
+

    i=0
    while read line ; do \
@@ -88,9 +119,8 @@ elif [[ -e "$private_key" ]]; then
    done <<< "$keys_enc"

    decrypted=false
-    for key in "${keys[@]}"
-    do
-        if ((echo "$key" | openssl base64 -d -A | openssl rsautl -decrypt -ssl -inkey "$private_key" > "$temp_file") > /dev/null 2>&1); then
+    for key in "${keys[@]}"; do
+        if $(echo "$key" | openssl base64 -d -A | openssl rsautl -decrypt -oaep -inkey "$temp_dir/private_key" >"$temp_file" 2>/dev/null); then
            if echo "$cypher" | openssl base64 -d -A | openssl aes-256-cbc -pbkdf2 -iter 100000 -d -pass file:"$temp_file"; then
                decrypted=true
            fi
Author	SHA1	Message	Date
s2	817fc44da7	silence ssh-keygen	2020-02-29 16:43:42 +01:00
s2	1424021a2e	fix readme newlines	2020-02-29 15:08:00 +01:00
gustavo panizzo	b79df269c8	fix shell redirection bug	2020-02-27 01:53:42 +01:00
gustavo panizzo	f28a78ff82	change the padding to oaep	2020-02-27 01:53:42 +01:00
gustavo panizzo	845ad71fc4	convert newer ssh keys to a format that openssl can understand	2020-02-27 01:46:33 +01:00
gustavo panizzo	53d26c4163	update the README.md with the new functionality	2020-02-26 23:21:33 +01:00
gustavo panizzo	c56978f9fb	add support to automatically pull ssh keys from github handles	2020-02-26 23:16:11 +01:00