@hall757
Created December 8, 2023 14:29
Useful bash functions for Aspera deployments
# ssh: send a keepalive after 5 idle seconds and drop the session after one
# unanswered keepalive instead of hanging on a dead connection
alias ssh='ssh -o ServerAliveInterval=5 -o ServerAliveCountMax=1'
# public halves of the proxy and token-auth key pairs that ship with Aspera
RPROXYKEY=/opt/aspera/proxy/var/aspera_rproxy_id_rsa.pub
HSTSKEY=/opt/aspera/var/aspera_tokenauth_id_rsa.pub
export RPROXYKEY HSTSKEY
# authorized_keys lines for the shared "Aspera public access" keys. The
# command= option pins every login with these keys to /bin/aspshell and the
# no-* options switch off agent/port/X11 forwarding and pty allocation.
# ssh-dss (DSA) keys are disabled by default in OpenSSH 7.0 and later, so
# ASPERAPUBLICKEY1 only authenticates on hosts that explicitly re-enable DSA.
ASPERAPUBLICKEY1='command="/bin/aspshell -t",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty ssh-dss 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 Aspera public access'
ASPERAPUBLICKEY2='command="/bin/aspshell -t",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa 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 Aspera public access'
export ASPERAPUBLICKEY1 ASPERAPUBLICKEY2
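function randompassword {
## parameter: length
## generates a random value that can be used as a password
## based on length provided. length defaults to 24
## output: the password on stdout
## returns: 1 if length is not a positive integer (a zero or non-numeric
## length would make head emit nothing and the retry loop never terminate)
##
  local len=${1:-24}
  local pw=
  if ! [[ "$len" =~ ^[0-9]+$ ]] || (( len < 1 )); then
    printf 'randompassword: length must be a positive integer\n' >&2
    return 1
  fi
  # keep drawing until at least one non-alphanumeric character is present.
  # LC_ALL=C keeps tr byte-oriented so raw urandom bytes are never rejected
  # as invalid multibyte sequences in a UTF-8 locale.
  until printf '%s' "$pw" | grep -Eq '[#_.+=;]'; do
    pw=$(LC_ALL=C tr -dc 'A-Za-z0-9#_.+=;' < /dev/urandom | head -c "$len")
  done
  printf '%s\n' "$pw"
}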
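function add_aspera_connect_user {
## parameters: user docroot optional_encryption_key
## create hsts account and configure aspera.conf
## if optional_encryption_key is included, the
## account will be provisioned as a connect user
## using the aspera public access ssh key and
## token authentication
## returns: 1 on missing/invalid arguments or an unset HSTSKEY, checked
## before any account is created; uses return rather than exit so a
## sourced interactive shell is not terminated
##
  local user=$1 docroot=$2 enckey=$3 home
  if [[ -z "$user" ]]; then
    printf 'no user passed to add_aspera_connect_user\n' >&2
    return 1
  fi
  if [[ -z "$docroot" ]]; then
    printf 'no docroot passed to add_aspera_connect_user\n' >&2
    return 1
  fi
  # asconfigurator's -x argument is split on ';' and ',', so a value that
  # contains either would be parsed as additional fields
  if [[ "$user" == *[';,']* || "$docroot" == *[';,']* || "$enckey" == *[';,']* ]]; then
    printf 'add_aspera_connect_user: arguments must not contain ";" or ","\n' >&2
    return 1
  fi
  if [[ -n "$enckey" && -z "${HSTSKEY:-}" ]]; then
    printf 'add_aspera_connect_user: HSTSKEY is not set\n' >&2
    return 1
  fi
  adduser "$user"
  chsh -s /bin/aspshell "$user"
  chage -I -1 -m 0 -M 99999 -E -1 "$user"
  asconfigurator \
    -x "set_user_data;user_name,${user};absolute,${docroot}" \
    -x "set_user_data;user_name,${user};dir_allowed,true" \
    -x "set_user_data;user_name,${user};write_allowed,true" \
    -x "set_user_data;user_name,${user};read_allowed,true"
  if [[ -n "$enckey" ]]; then
    # This account is for use by the aspera connect plugin
    home=/home/${user}
    mkdir -p "${home}/.ssh"
    # leading backslash bypasses any interactive cp alias
    \cp -a "$HSTSKEY" "${home}/.ssh/authorized_keys"
    chown -R "${user}:${user}" "$home"
    chmod -R go-rwx "${home}/.ssh"
    asconfigurator \
      -x "set_user_data;user_name,${user};token_encryption_key,${enckey}" \
      -x "set_user_data;user_name,${user};authorization_transfer_in_value,token" \
      -x "set_user_data;user_name,${user};authorization_transfer_out_value,token"
  fi
}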
function private_public_from_private {
ssh-keygen -yf /dev/stdin <<< "$1"
}
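function private_fix_rsa_key_format {
## parameter: RSA private key flattened onto one line (spaces in place of newlines)
## puts one field per line again, then repairs the BEGIN/END header lines
## whose own spaces were turned into newlines by the first substitution
## output: multi-line PEM text on stdout
## note: relies on GNU sed ('\n' in the replacement and '.' matching the
## newlines now embedded in the pattern space)
##
  # printf rather than echo: echo would mis-handle input that starts with
  # '-n'/'-e' or contains backslash sequences
  printf '%s\n' "$1" | sed -e 's/ /\n/g' -e 's/-----\([A-Z]*\).RSA.PRIVATE.KEY-----/-----\1 RSA PRIVATE KEY-----/g'
}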
function private_aws_token {
## requests an IMDSv2 session token from the EC2 instance metadata service
## and prints it on stdout; the requested TTL is 21600 seconds (6 hours)
##
  local -r token_url='http://169.254.169.254/latest/api/token'
  curl -sS --request PUT --header 'X-aws-ec2-metadata-token-ttl-seconds: 21600' "$token_url"
}
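function aws_localip {
## returns localip of host on aws
## output: the private IPv4 address on stdout
## returns: non-zero, with nothing on stdout, when the token request or the
## metadata request fails (-f stops an HTTP error body from being printed
## where callers expect an address)
##
  local token
  token=$(private_aws_token) || return
  curl -sSf -H "X-aws-ec2-metadata-token: ${token}" http://169.254.169.254/latest/meta-data/local-ipv4
}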
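function aws_publicip {
## aws_publicip - returns publicip of host on aws if present
## output: the public IPv4 address on stdout
## returns: non-zero, with nothing on stdout, when the host has no public
## address (the metadata service answers with an HTTP error, which -f turns
## into a failure instead of printing the error body) or a request fails
##
  local token
  token=$(private_aws_token) || return
  curl -sSf -H "X-aws-ec2-metadata-token: ${token}" http://169.254.169.254/latest/meta-data/public-ipv4
}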
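function private_configure_nonprod_params {
## only when secrets_get reports the environment as nonprod: raises the
## shell idle timeout and grants cloud-user passwordless sudo. Note the
## %wheel rule in local-admin-groups is replaced, not added to.
## each edited sudoers drop-in is syntax-checked with visudo afterwards so
## a malformed edit is reported rather than silently leaving sudo unusable
##
  local f
  if [[ "$(secrets_get env)" == "nonprod" ]]; then
    sed -i 's/^TMOUT=.*/TMOUT=6000/' /etc/profile.d/tmout.sh
    sed -i 's/^cloud-user\s*.*/cloud-user ALL=(ALL) NOPASSWD: ALL/' /etc/sudoers.d/90-cloud-init-users
    sed -i 's/^%wheel\s*.*/cloud-user ALL=(ALL) NOPASSWD: ALL/' /etc/sudoers.d/local-admin-groups
    if command -v visudo >/dev/null 2>&1; then
      for f in /etc/sudoers.d/90-cloud-init-users /etc/sudoers.d/local-admin-groups; do
        visudo -cf "$f" >/dev/null \
          || printf 'private_configure_nonprod_params: %s failed visudo check\n' "$f" >&2
      done
    fi
  fi
}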
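function fix_password_expirations {
## set all aspshell users to not expire
## selects accounts by the login-shell field (7th field of /etc/passwd)
## instead of grepping whole lines, so "aspshell" appearing in any other
## field cannot pick up an unrelated account
##
  local u
  while IFS= read -r u; do
    [[ -n "$u" ]] || continue
    sudo chage -I -1 -m 0 -M 99999 -E -1 "$u"
  done < <(awk -F: '$7 ~ /\/aspshell$/ {print $1}' /etc/passwd)
}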
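function token_users_from_aspera_conf {
## parameter: optional path to aspera.conf (default /opt/aspera/etc/aspera.conf)
## returns users with token authentication based on aspera.conf
## this is a text heuristic, not an XML parse: it keeps the <name> and
## <encryption_key> lines and takes the <name> line immediately preceding
## each <encryption_key>; output is sorted and de-duplicated
## returns: 1 when the configuration file does not exist
##
  local conf=${1:-/opt/aspera/etc/aspera.conf}
  if [[ ! -f "$conf" ]]; then
    printf 'This can only be run on an hsts node\n' >&2
    return 1
  fi
  # sort -u replaces the previous "uniq | sort", which only removed
  # duplicates that happened to be adjacent before sorting
  grep -E '(encryption_key|name)' "$conf" \
    | grep -B 1 encryption_key \
    | grep name \
    | sed -e 's:[[:space:]]*::g' -e 's:</*name>::g' \
    | sort -u
}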
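function token_users_from_authorized_keys {
## returns users with token authentication based on authorized keys
## scans every authorized_keys file under /home for the "aspera public
## access" comment and prints the owning user names, sorted and de-duplicated
## (accounts with a home directory elsewhere are not covered)
## returns: 1 when neither the hsts nor the proxy aspera.conf exists
##
  local conf=/opt/aspera/etc/aspera.conf
  [[ -f "$conf" ]] || conf=/opt/aspera/proxy/etc/aspera.conf
  if [[ ! -f "$conf" ]]; then
    printf 'This can only be run on an hsts node or proxy\n' >&2
    return 1
  fi
  # -exec ... {} + passes the file list without word-splitting and runs
  # nothing when no file matches; with the former $(find ...) an empty result
  # left grep reading stdin and a single file dropped the path prefix that
  # the sed expressions below rely on. -l prints only the matching path.
  find /home -type f -name authorized_keys -exec grep -il 'aspera public access' {} + \
    | sed -e 's:/\.ssh.*::' -e 's:^/home/::' \
    | sort -u
}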
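function enable_nodeapi_through_proxy {
## parameters: user
## enable the proxy to pass authenticated api calls directly to the hsts
## servers. Doing this is the exception rather than the norm.
## the user's htpasswd entry is replaced: the existing line for exactly that
## user is removed, then a new one generated from secrets_get is appended
## returns: 1 when no user is given or when not running as root on a proxy
##
  local user=$1 htpasswd=/etc/nginx/.htpasswd tmp
  if [[ -z "$user" ]]; then
    printf 'no user passed to enable_nodeapi_through_proxy\n' >&2
    return 1
  fi
  if [[ "$(whoami)" != "root" || ! -f /opt/aspera/proxy/etc/aspera.conf ]]; then
    printf 'must be root on aspera proxy\n' >&2
    return 1
  fi
  add_proxy_user "$user"
  # delete only this user's line; the former unanchored "s/${1}.*//" also
  # blanked the entry of every user whose name contained $user
  sed -i "/^${user}:/d" "$htpasswd"
  tmp=$(mktemp) || return 1
  # htpasswd -i reads the password from stdin, so it never appears in argv;
  # the temporary file holding the hash is removed once appended
  if secrets_get "hsts_user_node_${user}" | htpasswd -i -c "$tmp" "$user"; then
    cat "$tmp" >> "$htpasswd"
  fi
  rm -f -- "$tmp"
}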
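function ascp_logs_from_uuid {
## parameters: transfer_uuid
## gets the associated ascp pid for a transfer id and outputs all logs
## for that pid
## returns: 1 when no uuid is given, no /var/log/aspera* file exists, or no
## ascp line mentions the uuid. The pid check matters: an empty pid would
## turn the final pattern into "ascp..:" and match every ascp line.
##
  local uuid=$1 pid
  local -a logs=(/var/log/aspera*)
  if [[ -z "$uuid" ]]; then
    printf 'no transfer uuid passed to ascp_logs_from_uuid\n' >&2
    return 1
  fi
  # an unmatched glob stays as the literal pattern, so test the first entry
  if [[ ! -e "${logs[0]}" ]]; then
    printf 'no /var/log/aspera* files found\n' >&2
    return 1
  fi
  # field 5 is assumed to be the process tag with one delimiter character on
  # each side of the pid (the sed pattern strips exactly those)
  pid=$(grep -E "ascp.*${uuid}" "${logs[@]}" | head -n 1 | awk '{print $5}' | sed -e 's/ascp.\(.*\).:/\1/')
  if [[ -z "$pid" ]]; then
    printf 'no ascp log line found for transfer %s\n' "$uuid" >&2
    return 1
  fi
  grep "ascp.${pid}.:" "${logs[@]}"
}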