author | Andrew Cady <d@jerkface.net> | 2020-09-15 15:53:55 -0400 |
committer | Andrew Cady <d@jerkface.net> | 2020-09-15 15:59:36 -0400 |
commit | 3edccf5f39cbdcd81ec47d282572542bfe89b86d (patch) | |
tree | a6f6955cfa75d494986e0f92b653f254ae53fb23 | |
parent | 44ee7c0f5ad0e48b30d8cda9b5a00aa65f7a36f9 (diff) |
samizdat-ssh-uid can now be used locally
In this case, it outputs the cryptonomic name corresponding to the ssh
daemon's host key.
-rwxr-xr-x | bin/samizdat-ssh-uid | 98 |
1 files changed, 64 insertions, 34 deletions
diff --git a/bin/samizdat-ssh-uid b/bin/samizdat-ssh-uid index 33cb2b4..de81a46 100755 --- a/bin/samizdat-ssh-uid +++ b/bin/samizdat-ssh-uid | |||
@@ -1,56 +1,86 @@ | |||
1 | #!/bin/dash | 1 | #!/bin/dash |
2 | set -e | ||
3 | |||
4 | DEFAULT_AUTH_TYPE=ed25519 | ||
2 | 5 | ||
3 | die() { echo "$0: Error: $*" >&2; exit 1; } | 6 | die() { echo "$0: Error: $*" >&2; exit 1; } |
4 | 7 | ||
5 | b16_to_b32() | 8 | b16_to_b32() |
6 | { | 9 | { |
7 | echo -n "$1" | basez -x -d | basez -j -l | tr -d = | 10 | printf %s "$1" | basez -x -d | basez -j -l | tr -d = |
8 | } | 11 | } |
9 | 12 | ||
10 | [ "$SSH_USER_AUTH" ] || die "not defined: \$SSH_USER_AUTH" | 13 | get_domain() |
11 | [ -f "$SSH_USER_AUTH" ] || die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}" | 14 | { |
12 | 15 | get_sshfp "$1" | |
13 | PEMFILE="${SSH_USER_AUTH}.tmp" | 16 | get_key_path_fragment "$1" |
14 | 17 | ||
15 | sed -ne 's/^publickey //p' < "${SSH_USER_AUTH}" > "${PEMFILE}" || die "could not rewrite SSH_USER_AUTH file" | 18 | domain=$(printf %s "$sshfp_b32.$keyfrag.cryptonomic.net" | tail -c64) |
19 | } | ||
16 | 20 | ||
17 | SSH_CLIENT_FINGERPRINT=$(ssh-keygen -r . -f "${PEMFILE}" | sed -ne 's/^. IN SSHFP [0-9]* 2 //p') && | 21 | get_sshfp() |
18 | [ "$SSH_CLIENT_FINGERPRINT" ] || die "could not determine ssh client fingerprint" | 22 | { |
19 | SSH_CLIENT_FINGERPRINT_B32=$(b16_to_b32 "$SSH_CLIENT_FINGERPRINT") | 23 | [ -f "$1" ] || return |
24 | sshfp_b16=$(ssh-keygen -r . -f "$1" | sed -ne 's/^. IN SSHFP [0-9]* 2 //p') && | ||
25 | [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint" | ||
26 | sshfp_b32=$(b16_to_b32 "$sshfp_b16") | ||
27 | } | ||
20 | 28 | ||
21 | read keytype keydata < "${PEMFILE}" || die "reading from PEMFILE=$PEMFILE" | 29 | get_key_path_fragment() |
30 | { | ||
31 | [ -f "$1" ] || return | ||
32 | read keytype keydata < "$1" || die "could not read from PEM file '$1'" | ||
33 | keyfrag=$(ssh_keytag_to_path_fragment "$keytype") || die "Unsupported key type: $keytype" | ||
34 | } | ||
22 | 35 | ||
23 | ssh_keytag_to_path_fragment() | 36 | ssh_keytag_to_path_fragment() |
24 | { | 37 | { |
25 | case "$1" in | 38 | case "$1" in |
26 | ssh-dss) echo dsa ;; | 39 | ssh-dss) echo dsa ;; |
27 | ecdsa-sha2-nistp256) echo ecdsa ;; | 40 | ecdsa-sha2-nistp256) echo ecdsa ;; |
28 | ssh-rsa|ssh-ed25519) echo ${1#ssh-} ;; | 41 | ssh-rsa|ssh-ed25519) echo ${1#ssh-} ;; |
29 | *) return 1 ;; | 42 | *) return 1 ;; |
30 | esac | 43 | esac |
31 | } | 44 | } |
32 | 45 | ||
33 | if keyfrag=$(ssh_keytag_to_path_fragment "$keytype") | 46 | if [ ! "$SSH_USER_AUTH" ] |
34 | then | 47 | then |
35 | domain=${keyfrag}.cryptonomic.net | 48 | get_domain /etc/ssh/ssh_host_ed25519_key.pub || exit |
36 | else | 49 | printf '%s\n' "$domain" |
37 | die "Unsupported key type: $keytype" | 50 | exit |
38 | fi | 51 | fi |
39 | 52 | ||
40 | if [ "$1" = '--copy-pem' -a "$2" ] | 53 | [ -f "$SSH_USER_AUTH" ] || die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}" |
41 | then | 54 | |
42 | if [ -d "$2" ] || mkdir "$2" | 55 | dispose_of_temp_pem_files() |
43 | then | 56 | { |
44 | mv "${PEMFILE}" "$2"/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem | 57 | if [ "$1" = '--copy-pem' -a "$2" ] |
45 | fi | 58 | then |
46 | else | 59 | [ -d "$2" ] || mkdir "$2" |
47 | rm -f "${PEMFILE}" | 60 | t=$2/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem |
48 | fi | 61 | mv -T "$our_pem" "$t" |
62 | our_pem=$(realpath "$t") | ||
63 | else | ||
64 | rm -f "$our_pem" | ||
65 | fi | ||
66 | } | ||
67 | |||
68 | fixup_ssh_user_auth() | ||
69 | { | ||
70 | sed -ne 's/^publickey //p' | ||
71 | } | ||
72 | |||
73 | our_pem=$SSH_USER_AUTH.pem | ||
74 | fixup_ssh_user_auth < "$SSH_USER_AUTH" > "$our_pem" || die "could not rewrite SSH_USER_AUTH file" | ||
75 | get_domain "$our_pem" | ||
76 | dispose_of_temp_pem_files "$@" | ||
77 | |||
78 | # ip=${SSH_CLIENT%% *} | ||
79 | # known_host="$domain,$ip $keytype $keydata" | ||
49 | 80 | ||
50 | env -i \ | 81 | env -i \ |
51 | SSH_CLIENT_FINGERPRINT="$SSH_CLIENT_FINGERPRINT_B32" \ | 82 | SSH_CLIENT_DOMAIN="$domain" \ |
52 | SSH_CLIENT_KEYTYPE="$keytype" \ | 83 | SSH_CLIENT_FINGERPRINT="$sshfp_b32" \ |
53 | SSH_CLIENT_DOMAIN="$domain" \ | 84 | SSH_CLIENT_KEYTYPE="$keytype" \ |
54 | SSH_CLIENT_PEMFILE="$PEMFILE" \ | 85 | SSH_CLIENT_KEYDATA="$keydata" |
55 | SSH_CLIENT_KEYDATA="$keydata" | ||
56 | 86 | ||
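Review bot: `dispose_of_temp_pem_files` builds the destination as `t=$2/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem` (new line 60), but `SSH_CLIENT_FINGERPRINT` is no longer assigned anywhere in the new file — the old assignment was replaced by `sshfp_b16`/`sshfp_b32` in `get_sshfp` (new lines 24–26) — so with `--copy-pem` every client's key is moved to the same hidden name `$2/.ed25519.pem` and `mv -T` silently overwrites the previous one; it should read `t=$2/${sshfp_b16}.${keytype}.pem`. A second, related gap: `get_sshfp` and `get_key_path_fragment` do `[ -f "$1" ] || return`, which returns 0 on a missing file, so in the new local mode (`get_domain /etc/ssh/ssh_host_ed25519_key.pub || exit`, new line 48) the `|| exit` can never fire and the script prints `..cryptonomic.net` instead of failing; `[ -f "$1" ] || die "no such key file: $1"` would make that an error. Also note that `DEFAULT_AUTH_TYPE=ed25519` (new line 4) is defined but never used, the host-key path is hard-coded, and `our_pem=$(realpath "$t")` (new line 62) is computed but no longer exported (the old `SSH_CLIENT_PEMFILE` variable was dropped from the `env -i` output), so that realpath call appears to be dead. Finally, `tail -c64` in `get_domain` keeps the last 64 bytes of the name, which for a 52-character base32 SHA-256 fingerprint drops its leading characters — presumably intentional, but a one-line comment stating the limit this targets would help, e.g. `# keep the trailing 64 bytes: the leading fingerprint chars are sacrificed to the length limit`.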