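# Remote accountd server process
#
# Exercise lacme talking to lacme-accountd over SSH instead of a local
# socket: a dedicated unprivileged user owns the ACME account key, sshd
# listens on loopback only, and root's client key ends up confined to running
# lacme-accountd through an authorized_keys(5) forced command.
# Relies on $STDERR, fail and grepstderr, which the test harness defines
# elsewhere (not visible in this fragment).
adduser --disabled-password --shell /bin/sh \
    --home /home/lacme-account \
    --gecos "lacme account user" \
    --quiet lacme-account
# Hand the account key to the unprivileged user.  Only ownership is changed
# here; the file mode is assumed to have been set earlier (not visible here).
chown lacme-account: /etc/lacme/account.key

DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends \
    openssh-client openssh-server

# Client identity root -> lacme-account.  ssh-keygen does not create the
# parent directory of -f, so make sure it exists first (mkdir -p is a no-op
# on an existing directory and does not touch its mode).
mkdir -p -m0700 -- ~root/.ssh
ssh-keygen -N "" -f ~root/.ssh/id_rsa
install -olacme-account -glacme-account -dm0700 ~lacme-account/.ssh
install -olacme-account -glacme-account -m0644 \
    ~root/.ssh/id_rsa.pub ~lacme-account/.ssh/authorized_keys
# Pin the server's host key for the non-standard port so the client neither
# prompts for nor blindly accepts an unknown host key.  printf rather than
# `echo -n`, whose option handling is not portable.
{ printf '%s ' "[127.0.0.1]:2222"; cat /etc/ssh/ssh_host_rsa_key.pub; } \
    >~root/.ssh/known_hosts
# Minimal sshd: loopback only, public-key authentication only.
# ChallengeResponseAuthentication is kept rather than the newer
# KbdInteractiveAuthentication spelling since older sshd releases reject the
# new name — verify against the target OpenSSH version.
cat >/etc/ssh/sshd_config <<-EOF
	Port 2222
	ListenAddress 127.0.0.1
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	UsePAM yes
EOF
install -oroot -groot -dm0755 /run/sshd
/usr/sbin/sshd

# Point lacme at the remote accountd.  lacme runs this command and, going by
# the assertions below, appends --config=... (and --debug) to it.
sed -ri 's|^#?command\s*=.*/lacme-accountd$|command = ssh -Tp2222 -llacme-account 127.0.0.1 lacme-accountd|' /etc/lacme/lacme.conf
sed -ri 's|^#?config\s*=.*|config = /etc/lacme/lacme-accountd.conf|' /etc/lacme/lacme.conf

lacme newOrder --debug 2>"$STDERR" || fail # intentionally use --debug, ssh should tunnel stdin + stdout + stderr
test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key

# and now with an authorized_keys(5) restriction
# Up to this point root's key gave an unrestricted shell as lacme-account;
# a production deployment should install the key in this restricted form
# from the start.  `restrict` disables PTY allocation, port/agent/X11
# forwarding and ~/.ssh/rc (see authorized_keys(5)); `command=` forces
# lacme-accountd no matter what the client asks to run; `from=` adds little
# while sshd only binds to loopback, but documents the intended peer.
sed -ri "s|^[^#]|restrict,from=\"127.0.0.1\",command=\"/usr/bin/lacme-accountd --quiet --stdio\" &|" ~lacme-account/.ssh/authorized_keys
rm -vf /etc/lacme/simpletest.rsa.crt
# With the forced command, lacme's --config= is dropped, so accountd falls
# back to its default (per-user) config, which does not exist yet: no
# private key, hence the failure asserted below.
! lacme newOrder 2>"$STDERR" || fail # --config= (and --debug) should be ignored
grepstderr -Fxq "Error: 'privkey' is not specified"
grepstderr -Fxq "[simpletest-rsa] Error: Couldn't issue X.509 certificate!"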
# Move the account key under lacme-account's own config directory and give
# accountd a per-user config, so the restricted forced command (which ignores
# --config=) finds a private key again.  %E and %h are lacme-accountd.conf
# placeholders — presumably the XDG config dir and $HOME, judging by the
# directories created here; confirm against lacme-accountd(8).
install -olacme-account -glacme-account -Ddm0700 -- ~lacme-account/.config/lacme
install -olacme-account -glacme-account -Ddm0700 -- ~lacme-account/.local/share/lacme
mv /etc/lacme/account.key ~lacme-account/.config/lacme/
# Quoted delimiter: the body contains no shell expansions, so make that
# explicit.  (Written by root; the file mode follows root's umask.)
cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-'EOF'
	privkey = file:%E/lacme/account.key
	logfile = %h/.local/share/lacme/accountd.log
EOF

# Issuance must now succeed through the restricted key.
# NOTE(review): unlike the earlier invocations this run does not use
# `2>"$STDERR" || fail`; if `fail` reports $STDERR, aligning it would give
# consistent diagnostics on failure.
lacme newOrder
[ /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key ]

# ensure signature requests are logged
# The accountd logfile configured above should carry a SIGNED entry for the
# signing request; grep prints the matching line and fails if absent.
grep -F -- "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log

# vim: set filetype=sh :