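#!/bin/dash
# Derive a per-client DNS label (the "client domain") from the public key an
# SSH client authenticated with, and emit it together with the key material
# and its SSHFP fingerprint as SSH_CLIENT_* assignments.
#
# Usage:
#   script self                 print the domain for this host's ed25519 key
#   script [--copy-pem DIR]     derive from $SSH_USER_AUTH (needs sshd
#                               ExposeAuthInfo=yes); with --copy-pem the
#                               rewritten key file is kept under DIR
#
# External tools: ssh-keygen, basez, sed, head, tail, tr, realpath, mv -T.
set -e

# NOTE(review): not referenced anywhere in this file; kept as-is.
DEFAULT_AUTH_TYPE=ed25519

#######################################
# Print an error prefixed with the script name to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  echo "$0: Error: $*" >&2
  exit 1
}

#######################################
# Re-encode a hex string as base32 without '=' padding.
# Arguments: $1 - hex string
# Outputs:   base32 text on stdout (basez -j -l; -l presumably lowercase — confirm)
#######################################
b16_to_b32() {
  printf %s "$1" | basez -x -d | basez -j -l | tr -d =
}

#######################################
# Compute the client domain for a public-key file and store it in $domain.
# Globals:   sets domain; via helpers sets sshfp_raw, sshfp_b16, sshfp_b32,
#            keytype, keydata, keyfrag
# Arguments: $1 - path to a "<keytype> <keydata>" public-key file
# Returns:   non-zero if the file is missing (previously a missing file
#            silently produced a domain built from empty values)
#######################################
get_domain() {
  get_sshfp "$1" || return
  get_key_path_fragment "$1" || return
  # Only the trailing 64 bytes are kept, so a long fingerprint is truncated
  # from the front; presumably a length limit on the label — confirm.
  domain=$(printf %s "$sshfp_b32.$keyfrag.cryptonomic.net" | tail -c64)
}

#######################################
# Read the SHA-256 (type 2) SSHFP record of a public key.
# Globals:   sets sshfp_raw ("<algo> 2 <hex>"), sshfp_b16 (hex), sshfp_b32
# Arguments: $1 - path to a public-key file
# Returns:   non-zero if the file is missing; dies on ssh-keygen/parse error
#######################################
get_sshfp() {
  [ -f "$1" ] || return 1
  # Capture ssh-keygen's status on its own: inside a pipeline only the last
  # stage's status is visible (dash has no pipefail), so a failing
  # ssh-keygen was never reported by the original "|| die".
  sshfp_records=$(ssh-keygen -r . -f "$1") || die 'ssh-keygen'
  # Keep the first "<algo> 2 <hex>" record; the leading "." is the hostname
  # passed to -r.
  sshfp_raw=$(printf '%s\n' "$sshfp_records" \
    | sed -ne 's/^. IN SSHFP \([0-9]* 2 \)/\1/p' | head -n1)
  sshfp_b16=$(printf '%s\n' "$sshfp_raw" | sed -ne 's/^[0-9]* 2 //p') \
    && [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint"
  sshfp_b32=$(b16_to_b32 "$sshfp_b16")
}

#######################################
# Read "<keytype> <keydata>" from a public-key file and map the key type to
# the path fragment used in the client domain.
# Globals:   sets keytype, keydata, keyfrag
# Arguments: $1 - path to a public-key file
# Returns:   non-zero if the file is missing; dies on read error or an
#            unsupported key type
#######################################
get_key_path_fragment() {
  [ -f "$1" ] || return 1
  # -r: the file content comes from the client; do not let read interpret
  # backslashes in it.
  read -r keytype keydata < "$1" || die "could not read from PEM file '$1'"
  keyfrag=$(ssh_keytag_to_path_fragment "$keytype") \
    || die "Unsupported key type: $keytype"
}

#######################################
# Map an SSH key tag to its short algorithm name.
# Arguments: $1 - key tag, e.g. ssh-ed25519
# Outputs:   dsa | ecdsa | rsa | ed25519
# Returns:   1 for any other tag
#######################################
ssh_keytag_to_path_fragment() {
  case "$1" in
    ssh-dss) echo dsa ;;
    ecdsa-sha2-nistp256) echo ecdsa ;;
    ssh-rsa|ssh-ed25519) echo "${1#ssh-}" ;;
    *) return 1 ;;
  esac
}

#######################################
# Remove the rewritten key file, or with "--copy-pem DIR" keep it under DIR.
# Globals:   reads our_pem, keytype, sshfp_b32, SSH_CLIENT_FINGERPRINT;
#            updates our_pem to the kept file's absolute path
# Arguments: the script's "$@"
#######################################
dispose_of_temp_pem_files() {
  if [ "$1" = '--copy-pem' ] && [ "$2" ]; then
    [ -d "$2" ] || mkdir "$2"
    # SSH_CLIENT_FINGERPRINT is not assigned anywhere in this script (it only
    # appears in the env assignments at the bottom), so unless the caller
    # exported it the file would be named ".<keytype>.pem"; fall back to the
    # fingerprint computed by get_sshfp.
    t=$2/${SSH_CLIENT_FINGERPRINT:-$sshfp_b32}.${keytype}.pem
    mv -T "$our_pem" "$t"
    our_pem=$(realpath "$t")
  else
    rm -f "$our_pem"
  fi
}

#######################################
# Filter: turn "publickey <keytype> <keydata>" lines from $SSH_USER_AUTH into
# "<keytype> <keydata>" lines; every other line is dropped.
#######################################
fixup_ssh_user_auth() {
  sed -ne 's/^publickey //p'
}

if [ "$1" = self ]; then
  get_domain /etc/ssh/ssh_host_ed25519_key.pub || exit
  printf '%s\n' "$domain"
  exit
fi

[ "$SSH_USER_AUTH" ] || die "empty \$SSH_USER_AUTH; try ExposeAuthInfo=yes"
[ -f "$SSH_USER_AUTH" ] || die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}"

# Rewrite the auth-info file next to the original so the helpers can read it
# as a plain public-key file.
our_pem=$SSH_USER_AUTH.pem
fixup_ssh_user_auth < "$SSH_USER_AUTH" > "$our_pem" \
  || die "could not rewrite SSH_USER_AUTH file"
get_domain "$our_pem"
dispose_of_temp_pem_files "$@"
# ip=${SSH_CLIENT%% *}
# known_host="$domain,$ip $keytype $keydata"
# No command follows the assignments, so env -i prints them one per line.
env -i \
  SSH_CLIENT_DOMAIN="$domain" \
  SSH_CLIENT_SSHFP_DATA="'$sshfp_raw'" \
  SSH_CLIENT_FINGERPRINT="$sshfp_b32" \
  SSH_CLIENT_KEYTYPE="$keytype" \
  SSH_CLIENT_KEYDATA="$keydata"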