From 3edccf5f39cbdcd81ec47d282572542bfe89b86d Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Tue, 15 Sep 2020 15:53:55 -0400
Subject: samizdat-ssh-uid can now be used locally

In this case, it outputs the cryptonomic name corresponding to the ssh daemon's host key.
---
 bin/samizdat-ssh-uid | 98 ++++++++++++++++++++++++++++++++++------------------
 1 file changed, 64 insertions(+), 34 deletions(-)

diff --git a/bin/samizdat-ssh-uid b/bin/samizdat-ssh-uid
index 33cb2b4..de81a46 100755
--- a/bin/samizdat-ssh-uid
+++ b/bin/samizdat-ssh-uid
@@ -1,56 +1,86 @@
 #!/bin/dash
+set -e
+
+DEFAULT_AUTH_TYPE=ed25519
 die() { echo "$0: Error: $*" >&2; exit 1; }
 b16_to_b32() {
- echo -n "$1" | basez -x -d | basez -j -l | tr -d =
+ printf %s "$1" | basez -x -d | basez -j -l | tr -d =
 }
-[ "$SSH_USER_AUTH" ] || die "not defined: \$SSH_USER_AUTH"
-[ -f "$SSH_USER_AUTH" ] || die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}"
-
-PEMFILE="${SSH_USER_AUTH}.tmp"
+get_domain()
+{
+ get_sshfp "$1"
+ get_key_path_fragment "$1"
-sed -ne 's/^publickey //p' < "${SSH_USER_AUTH}" > "${PEMFILE}" || die "could not rewrite SSH_USER_AUTH file"
+ domain=$(printf %s "$sshfp_b32.$keyfrag.cryptonomic.net" | tail -c64)
+}
-SSH_CLIENT_FINGERPRINT=$(ssh-keygen -r . -f "${PEMFILE}" | sed -ne 's/^. IN SSHFP [0-9]* 2 //p') &&
- [ "$SSH_CLIENT_FINGERPRINT" ] || die "could not determine ssh client fingerprint"
-SSH_CLIENT_FINGERPRINT_B32=$(b16_to_b32 "$SSH_CLIENT_FINGERPRINT")
+get_sshfp()
+{
+ [ -f "$1" ] || return
+ sshfp_b16=$(ssh-keygen -r . -f "$1" | sed -ne 's/^. IN SSHFP [0-9]* 2 //p') &&
+ [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint"
+ sshfp_b32=$(b16_to_b32 "$sshfp_b16")
+}
-read keytype keydata < "${PEMFILE}" || die "reading from PEMFILE=$PEMFILE"
+get_key_path_fragment()
+{
+ [ -f "$1" ] || return
+ read keytype keydata < "$1" || die "could not read from PEM file '$1'"
+ keyfrag=$(ssh_keytag_to_path_fragment "$keytype") || die "Unsupported key type: $keytype"
+}
 ssh_keytag_to_path_fragment() {
- case "$1" in
- ssh-dss) echo dsa ;;
- ecdsa-sha2-nistp256) echo ecdsa ;;
- ssh-rsa|ssh-ed25519) echo ${1#ssh-} ;;
- *) return 1 ;;
- esac
+ case "$1" in
+ ssh-dss) echo dsa ;;
+ ecdsa-sha2-nistp256) echo ecdsa ;;
+ ssh-rsa|ssh-ed25519) echo ${1#ssh-} ;;
+ *) return 1 ;;
+ esac
 }
-if keyfrag=$(ssh_keytag_to_path_fragment "$keytype")
+if [ ! "$SSH_USER_AUTH" ]
 then
- domain=${keyfrag}.cryptonomic.net
-else
- die "Unsupported key type: $keytype"
+ get_domain /etc/ssh/ssh_host_ed25519_key.pub || exit
+ printf '%s\n' "$domain"
+ exit
 fi
-if [ "$1" = '--copy-pem' -a "$2" ]
 then
- if [ -d "$2" ] || mkdir "$2"
- then
- mv "${PEMFILE}" "$2"/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem
- fi
-else
- rm -f "${PEMFILE}"
-fi
+[ -f "$SSH_USER_AUTH" ] || die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}"
+
+dispose_of_temp_pem_files()
+{
+ if [ "$1" = '--copy-pem' -a "$2" ]
+ then
+ [ -d "$2" ] || mkdir "$2"
+ t=$2/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem
+ mv -T "$our_pem" "$t"
+ our_pem=$(realpath "$t")
+ else
+ rm -f "$our_pem"
+ fi
+}
+
+fixup_ssh_user_auth()
+{
+ sed -ne 's/^publickey //p'
+}
+
+our_pem=$SSH_USER_AUTH.pem
+fixup_ssh_user_auth < "$SSH_USER_AUTH" > "$our_pem" || die "could not rewrite SSH_USER_AUTH file"
+get_domain "$our_pem"
+dispose_of_temp_pem_files "$@"
+
+# ip=${SSH_CLIENT%% *}
+# known_host="$domain,$ip $keytype $keydata"
 env -i \
- SSH_CLIENT_FINGERPRINT="$SSH_CLIENT_FINGERPRINT_B32" \
- SSH_CLIENT_KEYTYPE="$keytype" \
- SSH_CLIENT_DOMAIN="$domain" \
- SSH_CLIENT_PEMFILE="$PEMFILE" \
- SSH_CLIENT_KEYDATA="$keydata"
+ SSH_CLIENT_DOMAIN="$domain" \
+ SSH_CLIENT_FINGERPRINT="$sshfp_b32" \
+ SSH_CLIENT_KEYTYPE="$keytype" \
+ SSH_CLIENT_KEYDATA="$keydata"
-- 
cgit v1.2.3
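Review bot: In `dispose_of_temp_pem_files` the destination `t=$2/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem` still uses the old variable name, but this commit renames the fingerprint to `sshfp_b16`/`sshfp_b32` and nothing in the new file sets `SSH_CLIENT_FINGERPRINT` any more, so with `--copy-pem` every client's key is moved to the same hidden file `$2/.<keytype>.pem` and `mv -T` silently overwrites the previous client's copy; it should read `t=$2/${sshfp_b16}.${keytype}.pem`. The following `our_pem=$(realpath "$t")` is now dead, since the `SSH_CLIENT_PEMFILE` export was dropped from the final `env -i` and nothing else reads it. Separately, `get_sshfp` and `get_key_path_fragment` bail out with a bare `[ -f "$1" ] || return`, and on the local path `get_domain ... || exit` runs with errexit suppressed (it is off while the left operand of `||` executes, which in dash appears to extend into the function body), so a missing `/etc/ssh/ssh_host_ed25519_key.pub` lets `get_domain` fall through to the `domain=` line and print `..cryptonomic.net` with status 0 instead of failing; `[ -f "$1" ] || die "no such key file: $1"` would make both modes fail loudly. Minor: `DEFAULT_AUTH_TYPE` is defined but never used — the hard-coded host key path could be `/etc/ssh/ssh_host_${DEFAULT_AUTH_TYPE}_key.pub`.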