- May 22, 2022
-
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
- May 17, 2022
-
-
Christoph Anton Mitterer authored
Removal after `0` minutes is ambiguous, as immediate removal (which is what would actually happen with `at`) makes operationally no sense but it’s not a special value as in “never” either. Therefore, disallow `0` as value altogether. Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
- May 15, 2022
-
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Disabled several functionalities which should never be necessary for `ssh` connections made by this program. It shall be noted that `-o SendEnv='-*'` couldn’t be used as an alternative to `env -i` as it would only remove any definitions that have already been made (that is: at the command argument level) while such that were made “later” (that is: when parsing ssh_config) would still be added. See also OpenSSH bug #3434 (https://bugzilla.mindrot.org/show_bug.cgi?id=3434). Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Previously, options that were not ending with `=` didn’t receive a space when being completed. Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
In addition to the subcommands file, subcommand configuration may also be constructed from a subcommands directory. Any regular, readable and executable file in that is taken as subcommand with the file’s name and a command that executes the file with the positional parameters as command arguments. Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
- May 13, 2022
-
-
Christoph Anton Mitterer authored
That removing the proxy certificate fails may have several reasons. Typically, these are either caused by the user himself (for example by replacing the file with a directory) or by an intervention from the remote `root`-user. If the remote `root`-user were malicious, sending an email about the failed removal wouldn’t help either and could be easily prevented by that `root`-user, too. Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
The term `validity` could lead to the assumption that somehow the certificate itself actually expires, whereas this functionality merely schedules its removal. Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Security-wise it seems better to rather (try to) delete the already transferred proxy certificate, when the creation of its removal `at`-job failed, than to leave it there. A future commit shall add an option that allows disabling removal-job-creation, for example for systems without `at`. Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
- May 11, 2022
-
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
In addition to the hashsum, which was added with commit 75865210 “sc/grid-proxy-certificate: remote certificate removal only when hashsum still matches”, also check whether the modification time matches. This is in order to prevent removal of the remote certificate file by a “previous” `at`-job, when the same certificate file had been uploaded again (“refreshed”) in the meantime. The later upload’s `at`-job will take care of the removal (possibly even sooner than the previous one). Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
- May 10, 2022
-
-
Christoph Anton Mitterer authored
Though unlikely, the remote certificate file might change between when it was forwarded and when it’s removed by the scheduled `at`-job. For that reason, the hashsum of the file (at the time when it was forwarded) is stored in the `at`-job and removal only happens if it still matches the file when the job is run. Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
The `env` which invokes `ssh` actually also has a “guarding” functionality in that it tries to prevent local environment variables, which aren’t required for this subcommand’s remote commands, from being sent via SSH’s `SendEnv`-option. However, it does not prevent environment variables from being set remotely via SSH’s `SetEnv`-option. Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
The `LC_ALL='C'` is set especially in order to get well-known output of `at` that can be parsed afterwards by the subcommand. Moreover it serves generally as sanitisation for the remote execution environment. The `cd /` is set especially in order to guarantee that the created `at`-job, which tries to change the current working directory to the one from which it was created (and exits with an error if it fails to do so), can be run. Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
- May 09, 2022
-
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
An attacker on the remote side (for example a regular user there) could create a symbolic link at the destination pathname for the remote proxy certificate (like `/tmp/x509up_u1000`). If that symbolic link referred to a directory writable by the user, the proxy certificate file would end up in the directory owned by the attacker. This in turn may allow the attacker to read the file (for example when the directory is a mountpoint controlled by the attacker). Use `mv`’s `--no-target-directory`-option in order to prevent this. If such a symbolic link is owned by the user it would get overwritten. Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
sc/grid-proxy-certificate: imported initial version of a subcommand for grid- respectively VOMS-proxy-certificates Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Previously, only a file with the name `<subcommand-name>` (in the configured directory) was considered as subcommand completion file for the subcommand with that name `<subcommand-name>`. Like bash-completion, fall back to `<subcommand-name>.bash` when the former does not exist, is not readable or is not a regular file. Unlike bash-completion, don’t fall back to `_<subcommand-name>`, which is considered for internal/legacy use only. Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
This script provides bash completions for `remote-forward-credentials` in two stages. First, it completes the configured subcommands. Second, if a subcommand-specific completion file is found, it “delegates” further completions to that. Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-
- May 03, 2022
-
-
Christoph Anton Mitterer authored
Signed-off-by:
Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
-