Make ephemeral_sshd a bit safer

legacy/.ssh/ephemeral_sshd/README.md

@@ -1,9 +0,0 @@
-User-local SSH server.
-
-Remember to populate `authorized_keys`.
-
-```shell
-cd ~/.ssh/ephemeral_sshd/
-ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ''
-/usr/sbin/sshd -f sshd_config -D
-```

legacy/.ssh/ephemeral_sshd/shell

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Disable globbing, e.g. "*".
+set -f
+
+set -- $SSH_ORIGINAL_COMMAND
+if [ "$1" = "age-plugin-se" ]; then
+	shift
+	exec /nix/var/nix/profiles/default/bin/nix run nixpkgs#age-plugin-se -- "$@"
+fi
+if [ "$1" = "age-plugin-yubikey" ]; then
+	shift
+	export LC_ALL=en_US.UTF-8
+	exec /nix/var/nix/profiles/default/bin/nix run nixpkgs#age-plugin-yubikey -- "$@"
+fi
+
+exit 22

legacy/.ssh/ephemeral_sshd/sshd_config

@@ -10,6 +10,16 @@ AuthorizedKeysFile ~/.ssh/ephemeral_sshd/authorized_keys
 UsePAM no
 PidFile ~/.ssh/ephemeral_sshd/sshd.pid
 
+# Only allow running a specific command
+ForceCommand ~/.ssh/ephemeral_sshd/shell
+
 # Disable less secure authentication methods
 PasswordAuthentication no
 ChallengeResponseAuthentication no
+
+# Disable unused features
+AllowTcpForwarding no
+X11Forwarding no
+PermitTTY no
+PermitTunnel no
+AllowAgentForwarding no

legacy/.ssh/ephemeral_sshd/start

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -eu
+
+cd ~/.ssh/ephemeral_sshd/
+
+if [ ! -f ssh_host_ed25519_key ]; then
+  echo "Host key missing, generating..."
+  ssh-keygen -q -t ed25519 -f ssh_host_ed25519_key -N ''
+  rm -f ssh_host_ed25519_key.pub
+fi
+
+if [ ! -f authorized_keys ]; then
+  echo "Client key missing, generating..."
+  ssh-keygen -q -t ed25519 -f id_ed25519 -N ''
+  mv id_ed25519.pub authorized_keys
+  echo "Put id_ed25519 into ~/.ssh/id_ed25519_reverse_ssh on the server"
+fi
+
+echo "Starting SSH server with fingerprint:"
+ssh-keygen -lf ssh_host_ed25519_key
+exec /usr/sbin/sshd -f sshd_config -D -e