From dbc0f893f4e3e51b8bd965dfa4f575a8d049ba83 Mon Sep 17 00:00:00 2001
From: Artem Sheremet
Date: Thu, 26 Mar 2026 18:34:15 +0100
Subject: [PATCH] Make ephemeral_sshd a bit safer

---
 legacy/.ssh/ephemeral_sshd/README.md | 9 ---------
 legacy/.ssh/ephemeral_sshd/shell | 17 +++++++++++++++++
 legacy/.ssh/ephemeral_sshd/sshd_config | 10 ++++++++++
 legacy/.ssh/ephemeral_sshd/start | 22 ++++++++++++++++++++++
 4 files changed, 49 insertions(+), 9 deletions(-)
 delete mode 100644 legacy/.ssh/ephemeral_sshd/README.md
 create mode 100755 legacy/.ssh/ephemeral_sshd/shell
 create mode 100755 legacy/.ssh/ephemeral_sshd/start

diff --git a/legacy/.ssh/ephemeral_sshd/README.md b/legacy/.ssh/ephemeral_sshd/README.md
deleted file mode 100644
index d445173..0000000
--- a/legacy/.ssh/ephemeral_sshd/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-User-local SSH server.
-
-Remember to populate `authorized_keys`.
-
-```shell
-cd ~/.ssh/ephemeral_sshd/
-ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ''
-/usr/sbin/sshd -f sshd_config -D
-```
diff --git a/legacy/.ssh/ephemeral_sshd/shell b/legacy/.ssh/ephemeral_sshd/shell
new file mode 100755
index 0000000..518916e
--- /dev/null
+++ b/legacy/.ssh/ephemeral_sshd/shell
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Disable globbing, e.g. "*".
+set -f
+
+set -- $SSH_ORIGINAL_COMMAND
+if [ "$1" = "age-plugin-se" ]; then
+ shift
+ exec /nix/var/nix/profiles/default/bin/nix run nixpkgs#age-plugin-se -- "$@"
+fi
+if [ "$1" = "age-plugin-yubikey" ]; then
+ shift
+ export LC_ALL=en_US.UTF-8
+ exec /nix/var/nix/profiles/default/bin/nix run nixpkgs#age-plugin-yubikey -- "$@"
+fi
+
+exit 22
diff --git a/legacy/.ssh/ephemeral_sshd/sshd_config b/legacy/.ssh/ephemeral_sshd/sshd_config
index 1e9debe..351c247 100644
--- a/legacy/.ssh/ephemeral_sshd/sshd_config
+++ b/legacy/.ssh/ephemeral_sshd/sshd_config
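Review bot: In the new `shell` wrapper (the file added just before the `sshd_config` headers), both branches run `nix run nixpkgs#age-plugin-…`, which resolves `nixpkgs` through the flake registry at connection time, so the program the forced command executes is not pinned and may differ between logins. A fixed reference such as `github:NixOS/nixpkgs/<PINNED_REV>#age-plugin-se`, or exec'ing a binary already installed in a profile, would make what runs here reviewable. Everything after the plugin name is also forwarded unchanged as `"$@"`, so the key holder can pass any option the plugin binary accepts; if only the age plugin protocol is intended, the branches should check the first argument against the expected `--age-plugin=…` values before the `exec`. A comment above `set -- $SSH_ORIGINAL_COMMAND` saying the unquoted expansion is deliberate (word splitting wanted, globbing off via `set -f`) would keep a later reader from "fixing" it.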
@@ -10,6 +10,16 @@ AuthorizedKeysFile ~/.ssh/ephemeral_sshd/authorized_keys
 UsePAM no
 PidFile ~/.ssh/ephemeral_sshd/sshd.pid
 
+# Only allow running a specific command
+ForceCommand ~/.ssh/ephemeral_sshd/shell
+
 # Disable less secure authentication methods
 PasswordAuthentication no
 ChallengeResponseAuthentication no
+
+# Disable unused features
+AllowTcpForwarding no
+X11Forwarding no
+PermitTTY no
+PermitTunnel no
+AllowAgentForwarding no
diff --git a/legacy/.ssh/ephemeral_sshd/start b/legacy/.ssh/ephemeral_sshd/start
new file mode 100755
index 0000000..74d069e
--- /dev/null
+++ b/legacy/.ssh/ephemeral_sshd/start
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -eu
+
+cd ~/.ssh/ephemeral_sshd/
+
+if [ ! -f ssh_host_ed25519_key ]; then
+ echo "Host key missing, generating..."
+ ssh-keygen -q -t ed25519 -f ssh_host_ed25519_key -N ''
+ rm -f ssh_host_ed25519_key.pub
+fi
+
+if [ ! -f authorized_keys ]; then
+ echo "Client key missing, generating..."
+ ssh-keygen -q -t ed25519 -f id_ed25519 -N ''
+ mv id_ed25519.pub authorized_keys
+ echo "Put id_ed25519 into ~/.ssh/id_ed25519_reverse_ssh on the server"
+fi
+
+echo "Starting SSH server with fingerprint:"
+ssh-keygen -lf ssh_host_ed25519_key
+exec /usr/sbin/sshd -f sshd_config -D -e
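Review bot: The "Disable unused features" block in the `sshd_config` hunk leaves Unix-domain socket forwarding enabled, because `AllowTcpForwarding no` does not cover it. Adding `AllowStreamLocalForwarding no`, or `DisableForwarding yes` alongside the existing lines, would close that gap. Only lines 10 onward of the file are visible here, so this assumes no `Match` block elsewhere overrides these settings. The comment above `ForceCommand` could also say what the wrapper does, for example `# shell allow-lists the age-plugin-* commands from SSH_ORIGINAL_COMMAND; anything else exits 22`.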
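Review bot: In the `start` script, the `authorized_keys` branch leaves the passphrase-less client private key `id_ed25519` in the sshd directory, because only the public half is moved. The key that unlocks this server therefore stays on the same host after it has been copied to the peer. Generating the pair on the connecting machine and bringing over only the `.pub` avoids this; failing that, the hint could read `echo "Move id_ed25519 to ~/.ssh/id_ed25519_reverse_ssh on the server and delete it here"`. The generated entry could also carry the `restrict` key option, e.g. `{ printf 'restrict '; cat id_ed25519.pub; } > authorized_keys`, so the per-key limits do not depend on `sshd_config` alone.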