samizdat-ssh-uid can now be used locally

In this case, it outputs the cryptonomic name corresponding to the ssh daemon's host key.
author: Andrew Cady <d@jerkface.net> 2020-09-15 15:53:55 -0400
committer: Andrew Cady <d@jerkface.net> 2020-09-15 15:59:36 -0400
commit: 3edccf5f39cbdcd81ec47d282572542bfe89b86d (patch)
tree: a6f6955cfa75d494986e0f92b653f254ae53fb23
parent: 44ee7c0f5ad0e48b30d8cda9b5a00aa65f7a36f9 (diff)
1 files changed, 64 insertions, 34 deletions
diff --git a/bin/samizdat-ssh-uid b/bin/samizdat-ssh-uid
index 33cb2b4..de81a46 100755
--- a/bin/samizdat-ssh-uid
+++ b/bin/samizdat-ssh-uid
@@ -1,56 +1,86 @@
 #!/bin/dash
+set -e
+DEFAULT_AUTH_TYPE=ed25519
 die() { echo "$0: Error: $*" >&2; exit 1; }
 b16_to_b32()
 {
-    echo -n "$1" | basez -x -d | basez -j -l | tr -d =
+    printf %s "$1" | basez -x -d | basez -j -l | tr -d =
 }
-[ "$SSH_USER_AUTH" ] || die "not defined: \$SSH_USER_AUTH"
+get_domain()
-[ -f "$SSH_USER_AUTH" ] || die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}"
+{
+    get_sshfp "$1"
-PEMFILE="${SSH_USER_AUTH}.tmp"
+    get_key_path_fragment "$1"
-sed -ne 's/^publickey //p' < "${SSH_USER_AUTH}" > "${PEMFILE}" || die "could not rewrite SSH_USER_AUTH file"
+    domain=$(printf %s "$sshfp_b32.$keyfrag.cryptonomic.net" | tail -c64)
+}
-SSH_CLIENT_FINGERPRINT=$(ssh-keygen -r . -f "${PEMFILE}" | sed -ne 's/^. IN SSHFP [0-9]* 2 //p') &&
+get_sshfp()
-  [ "$SSH_CLIENT_FINGERPRINT" ] || die "could not determine ssh client fingerprint"
+{
-SSH_CLIENT_FINGERPRINT_B32=$(b16_to_b32 "$SSH_CLIENT_FINGERPRINT")
+    [ -f "$1" ] || return
+    sshfp_b16=$(ssh-keygen -r . -f "$1" | sed -ne 's/^. IN SSHFP [0-9]* 2 //p') &&
+        [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint"
+    sshfp_b32=$(b16_to_b32 "$sshfp_b16")
+}
-read keytype keydata < "${PEMFILE}" || die "reading from PEMFILE=$PEMFILE"
+get_key_path_fragment()
+{
+    [ -f "$1" ] || return
+    read keytype keydata < "$1" || die "could not read from PEM file '$1'"
+    keyfrag=$(ssh_keytag_to_path_fragment "$keytype") || die "Unsupported key type: $keytype"
+}
 ssh_keytag_to_path_fragment()
 {
-        case "$1" in
+    case "$1" in
-                ssh-dss) echo dsa ;;
+        ssh-dss) echo dsa ;;
-                ecdsa-sha2-nistp256) echo ecdsa ;;
+        ecdsa-sha2-nistp256) echo ecdsa ;;
-                ssh-rsa|ssh-ed25519) echo ${1#ssh-} ;;
+        ssh-rsa|ssh-ed25519) echo ${1#ssh-} ;;
-                *) return 1 ;;
+        *) return 1 ;;
-        esac
+    esac
 }
-if keyfrag=$(ssh_keytag_to_path_fragment "$keytype")
+if [ ! "$SSH_USER_AUTH" ]
 then
-    domain=${keyfrag}.cryptonomic.net
+    get_domain /etc/ssh/ssh_host_ed25519_key.pub || exit
-else
+    printf '%s\n' "$domain"
-    die "Unsupported key type: $keytype"
+    exit
 fi
-if [ "$1" = '--copy-pem' -a "$2" ]
+[ -f "$SSH_USER_AUTH" ] || die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}"
-then
-  if [ -d "$2" ] || mkdir "$2"
+dispose_of_temp_pem_files()
-  then
+{
-    mv "${PEMFILE}" "$2"/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem
+    if [ "$1" = '--copy-pem' -a "$2" ]
-  fi
+    then
-else
+        [ -d "$2" ] || mkdir "$2"
-  rm -f "${PEMFILE}"
+        t=$2/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem
-fi
+        mv -T "$our_pem" "$t"
+        our_pem=$(realpath "$t")
+    else
+        rm -f "$our_pem"
+    fi
+}
+fixup_ssh_user_auth()
+{
+    sed -ne 's/^publickey //p'
+}
+our_pem=$SSH_USER_AUTH.pem
+fixup_ssh_user_auth < "$SSH_USER_AUTH" > "$our_pem" || die "could not rewrite SSH_USER_AUTH file"
+get_domain "$our_pem"
+dispose_of_temp_pem_files "$@"
+# ip=${SSH_CLIENT%% *}
+# known_host="$domain,$ip $keytype $keydata"
 env -i \
-  SSH_CLIENT_FINGERPRINT="$SSH_CLIENT_FINGERPRINT_B32" \
+    SSH_CLIENT_DOMAIN="$domain" \
-  SSH_CLIENT_KEYTYPE="$keytype" \
+    SSH_CLIENT_FINGERPRINT="$sshfp_b32" \
-  SSH_CLIENT_DOMAIN="$domain" \
+    SSH_CLIENT_KEYTYPE="$keytype" \
-  SSH_CLIENT_PEMFILE="$PEMFILE" \
+    SSH_CLIENT_KEYDATA="$keydata"
-  SSH_CLIENT_KEYDATA="$keydata"
author	Andrew Cady <d@jerkface.net>	2020-09-15 15:53:55 -0400
committer	Andrew Cady <d@jerkface.net>	2020-09-15 15:59:36 -0400
commit	3edccf5f39cbdcd81ec47d282572542bfe89b86d (patch)
tree	a6f6955cfa75d494986e0f92b653f254ae53fb23
parent	44ee7c0f5ad0e48b30d8cda9b5a00aa65f7a36f9 (diff)

diff --git a/bin/samizdat-ssh-uid b/bin/samizdat-ssh-uid index 33cb2b4..de81a46 100755 --- a/bin/samizdat-ssh-uid +++ b/bin/samizdat-ssh-uid
@@ -1,56 +1,86 @@
1	#!/bin/dash	1	#!/bin/dash
		2	set -e
		3
		4	DEFAULT_AUTH_TYPE=ed25519
2		5
3	die() { echo "$0: Error: $*" >&2; exit 1; }	6	die() { echo "$0: Error: $*" >&2; exit 1; }
4		7
5	b16_to_b32()	8	b16_to_b32()
6	{	9	{
7	echo -n "$1" \| basez -x -d \| basez -j -l \| tr -d =	10	printf %s "$1" \| basez -x -d \| basez -j -l \| tr -d =
8	}	11	}
9		12
10	[ "$SSH_USER_AUTH" ] \|\| die "not defined: \$SSH_USER_AUTH"	13	get_domain()
11	[ -f "$SSH_USER_AUTH" ] \|\| die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}"	14	{
12		15	get_sshfp "$1"
13	PEMFILE="${SSH_USER_AUTH}.tmp"	16	get_key_path_fragment "$1"
14		17
15	sed -ne 's/^publickey //p' < "${SSH_USER_AUTH}" > "${PEMFILE}" \|\| die "could not rewrite SSH_USER_AUTH file"	18	domain=$(printf %s "$sshfp_b32.$keyfrag.cryptonomic.net" \| tail -c64)
		19	}
16		20
17	SSH_CLIENT_FINGERPRINT=$(ssh-keygen -r . -f "${PEMFILE}" \| sed -ne 's/^. IN SSHFP [0-9]* 2 //p') &&	21	get_sshfp()
18	[ "$SSH_CLIENT_FINGERPRINT" ] \|\| die "could not determine ssh client fingerprint"	22	{
19	SSH_CLIENT_FINGERPRINT_B32=$(b16_to_b32 "$SSH_CLIENT_FINGERPRINT")	23	[ -f "$1" ] \|\| return
		24	sshfp_b16=$(ssh-keygen -r . -f "$1" \| sed -ne 's/^. IN SSHFP [0-9]* 2 //p') &&
		25	[ "$sshfp_b16" ] \|\| die "could not determine ssh client fingerprint"
		26	sshfp_b32=$(b16_to_b32 "$sshfp_b16")
		27	}
20		28
21	read keytype keydata < "${PEMFILE}" \|\| die "reading from PEMFILE=$PEMFILE"	29	get_key_path_fragment()
		30	{
		31	[ -f "$1" ] \|\| return
		32	read keytype keydata < "$1" \|\| die "could not read from PEM file '$1'"
		33	keyfrag=$(ssh_keytag_to_path_fragment "$keytype") \|\| die "Unsupported key type: $keytype"
		34	}
22		35
23	ssh_keytag_to_path_fragment()	36	ssh_keytag_to_path_fragment()
24	{	37	{
25	case "$1" in	38	case "$1" in
26	ssh-dss) echo dsa ;;	39	ssh-dss) echo dsa ;;
27	ecdsa-sha2-nistp256) echo ecdsa ;;	40	ecdsa-sha2-nistp256) echo ecdsa ;;
28	ssh-rsa\|ssh-ed25519) echo ${1#ssh-} ;;	41	ssh-rsa\|ssh-ed25519) echo ${1#ssh-} ;;
29	*) return 1 ;;	42	*) return 1 ;;
30	esac	43	esac
31	}	44	}
32		45
33	if keyfrag=$(ssh_keytag_to_path_fragment "$keytype")	46	if [ ! "$SSH_USER_AUTH" ]
34	then	47	then
35	domain=${keyfrag}.cryptonomic.net	48	get_domain /etc/ssh/ssh_host_ed25519_key.pub \|\| exit
36	else	49	printf '%s\n' "$domain"
37	die "Unsupported key type: $keytype"	50	exit
38	fi	51	fi
39		52
40	if [ "$1" = '--copy-pem' -a "$2" ]	53	[ -f "$SSH_USER_AUTH" ] \|\| die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}"
41	then	54
42	if [ -d "$2" ] \|\| mkdir "$2"	55	dispose_of_temp_pem_files()
43	then	56	{
44	mv "${PEMFILE}" "$2"/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem	57	if [ "$1" = '--copy-pem' -a "$2" ]
45	fi	58	then
46	else	59	[ -d "$2" ] \|\| mkdir "$2"
47	rm -f "${PEMFILE}"	60	t=$2/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem
48	fi	61	mv -T "$our_pem" "$t"
		62	our_pem=$(realpath "$t")
		63	else
		64	rm -f "$our_pem"
		65	fi
		66	}
		67
		68	fixup_ssh_user_auth()
		69	{
		70	sed -ne 's/^publickey //p'
		71	}
		72
		73	our_pem=$SSH_USER_AUTH.pem
		74	fixup_ssh_user_auth < "$SSH_USER_AUTH" > "$our_pem" \|\| die "could not rewrite SSH_USER_AUTH file"
		75	get_domain "$our_pem"
		76	dispose_of_temp_pem_files "$@"
		77
		78	# ip=${SSH_CLIENT%% *}
		79	# known_host="$domain,$ip $keytype $keydata"
49		80
50	env -i \	81	env -i \
51	SSH_CLIENT_FINGERPRINT="$SSH_CLIENT_FINGERPRINT_B32" \	82	SSH_CLIENT_DOMAIN="$domain" \
52	SSH_CLIENT_KEYTYPE="$keytype" \	83	SSH_CLIENT_FINGERPRINT="$sshfp_b32" \
53	SSH_CLIENT_DOMAIN="$domain" \	84	SSH_CLIENT_KEYTYPE="$keytype" \
54	SSH_CLIENT_PEMFILE="$PEMFILE" \	85	SSH_CLIENT_KEYDATA="$keydata"
55	SSH_CLIENT_KEYDATA="$keydata"
56		86