path: root/bin/samizdat-ssh-uid
#!/bin/dash
# samizdat-ssh-uid: derive a client identity (a *.cryptonomic.net host name)
# from the public key sshd used to authenticate the current session.
#
# Inputs:  $SSH_USER_AUTH (written by sshd when ExposeAuthInfo=yes), or the
#          literal argument "self" to report this host's own name instead.
# Output:  NAME=value lines for SSH_CLIENT_DOMAIN, SSH_CLIENT_FINGERPRINT,
#          SSH_CLIENT_KEYTYPE and SSH_CLIENT_KEYDATA (env -i with no command).
# Option:  --copy-pem DIR keeps the extracted public key under DIR.
# External tools: ssh-keygen, basez, sed, tail, tr, mv -T, realpath, env.
set -e

# Assigned but not referenced anywhere in this file — presumably a leftover;
# confirm nothing greps/sources it before removing.
DEFAULT_AUTH_TYPE=ed25519

# Report "<script>: Error: <message>" on stderr and terminate with status 1.
# $* - message text
die()
{
    echo "$0: Error: $*" >&2
    exit 1
}

# Re-encode a base16 (hex) string as unpadded base32 via basez.
# $1 - hex digits (the SSHFP fingerprint text printed by ssh-keygen -r)
# Output: the base32 form on stdout with '=' padding stripped.
# NOTE(review): -j/-l are taken over from the original as basez's
# base32hex / lower-case flags — confirm against basez(1) before changing.
b16_to_b32()
{
    printf '%s' "$1" \
        | basez -x -d \
        | basez -j -l \
        | tr -d '='
}

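# Compute the client name "<fingerprint>.<keyfrag>.cryptonomic.net", clipped
# to its last 64 bytes, from the public-key file $1.
# $1 - path to an OpenSSH public key file
# Sets: domain (plus sshfp_b16/sshfp_b32 and keytype/keydata/keyfrag through
#       the helpers). Returns 1, leaving $domain untouched, if $1 is missing.
# Why the explicit `|| return 1`: when this is called as `get_domain x || exit`
# set -e is suspended inside it, so a helper's failure would otherwise be
# ignored and $domain would end up as "..cryptonomic.net" with status 0.
get_domain()
{
    get_sshfp "$1" || return 1
    get_key_path_fragment "$1" || return 1

    # tail -c64 keeps the trailing 64 bytes. The SSHFP type-2 digest is
    # SHA-256 (32 bytes -> 52 base32 chars), so with ".ed25519.cryptonomic.net"
    # (24 chars) the first 12 chars of the fingerprint label are dropped.
    # NOTE(review): the 64 limit is not explained here — looks like an
    # X.509 CN length bound; confirm before relying on the full digest.
    domain=$(printf %s "$sshfp_b32.$keyfrag.cryptonomic.net" | tail -c64)
}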

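# Read the public key in $1 and record its SHA-256 SSHFP fingerprint.
# $1 - path to an OpenSSH public key file
# Sets: sshfp_b16 (hex as printed by ssh-keygen -r) and sshfp_b32 (the same
#       digest re-encoded by b16_to_b32).
# Returns 1 if $1 is not a regular file; dies if no type-2 (SHA-256) SSHFP
# record can be extracted or the re-encoding produces nothing.
get_sshfp()
{
    [ -f "$1" ] || return 1
    # `ssh-keygen -r .` prints ". IN SSHFP <alg> <fptype> <hex>" records;
    # keep only the fptype 2 (SHA-256) digest and discard the SHA-1 one.
    sshfp_b16=$(ssh-keygen -r . -f "$1" | sed -ne 's/^. IN SSHFP [0-9]* 2 //p') &&
        [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint"
    # The pipeline's status is tr's, so a missing or failing basez would
    # otherwise pass silently and leave an empty fingerprint — which then
    # yields a bogus domain label and pem file name downstream.
    sshfp_b32=$(b16_to_b32 "$sshfp_b16")
    [ "$sshfp_b32" ] || die "could not re-encode ssh client fingerprint"
}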

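# Read the first key line of $1 ("<keytype> <base64>[ comment]") and map the
# key type to the fragment used in the domain label and pem file name.
# $1 - path to the extracted public key file
# Sets: keytype, keydata (everything after the first blank) and keyfrag.
# Returns 1 if $1 is not a regular file; dies on an empty file or an
# unsupported key type. Only the first line is read, so if SSH_USER_AUTH
# held several publickey entries only the first one is examined.
get_key_path_fragment()
{
    [ -f "$1" ] || return 1
    # -r keeps backslashes literal. A file without a trailing newline makes
    # read return 1 although keytype has been filled, so only die when
    # nothing at all was read.
    keytype= keydata=
    read -r keytype keydata < "$1" || [ "$keytype" ] ||
        die "could not read from PEM file '$1'"
    keyfrag=$(ssh_keytag_to_path_fragment "$keytype") || die "Unsupported key type: $keytype"
}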

# Map an OpenSSH key-type tag to the short fragment used in paths and in the
# domain label. Prints the fragment; returns 1 for any other tag (other
# ECDSA curves and sk-* types fall through to the failure arm).
# $1 - key type tag as it appears at the start of a public key line
ssh_keytag_to_path_fragment()
{
    case "$1" in
        ssh-dss)             printf '%s\n' dsa ;;
        ssh-rsa)             printf '%s\n' rsa ;;
        ssh-ed25519)         printf '%s\n' ed25519 ;;
        ecdsa-sha2-nistp256) printf '%s\n' ecdsa ;;
        *)                   return 1 ;;
    esac
}

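# Either keep the extracted public key ("--copy-pem DIR": move it to
# DIR/<fingerprint>.<keytype>.pem and point $our_pem at the result) or
# delete it. Called with the script's own arguments.
# $1 - "--copy-pem" to keep the file; anything else removes it
# $2 - destination directory (created, one level deep, if missing)
# Reads: our_pem, keytype, sshfp_b32 (an exported SSH_CLIENT_FINGERPRINT,
#        if a caller provided one, takes precedence). Writes: our_pem.
dispose_of_temp_pem_files()
{
    if [ "$1" = '--copy-pem' ] && [ "$2" ]
    then
        [ -d "$2" ] || mkdir "$2"
        # SSH_CLIENT_FINGERPRINT is only set for the env -i child at the end
        # of the script, so it is normally empty here; fall back to the
        # fingerprint computed by get_sshfp instead of producing the dotfile
        # "$2/.<keytype>.pem" that every client would overwrite.
        fp=${SSH_CLIENT_FINGERPRINT:-${sshfp_b32:?no client fingerprint available}}
        t=$2/$fp.$keytype.pem
        mv -T "$our_pem" "$t"
        our_pem=$(realpath "$t")
    else
        rm -f "$our_pem"
    fi
}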

# Filter sshd's SSH_USER_AUTH contents (stdin) down to the public-key
# entries: keep only lines starting with "publickey " and drop that prefix,
# so the output reads like an OpenSSH public key file ("<keytype> <base64>").
# Lines for any other authentication method produce no output.
fixup_ssh_user_auth()
{
    sed -n -e '/^publickey /!d' -e 's/^publickey //' -e p
}


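# "self" mode: report this host's own name, derived from its ed25519 host
# key, and do nothing else.
if [ "$1" = self ]
then
    host_pub=/etc/ssh/ssh_host_ed25519_key.pub
    # get_domain's helpers merely `return` on a missing file, and `cmd || exit`
    # suspends set -e inside cmd, so check the file here instead of relying on
    # get_domain's status (which would have printed "..cryptonomic.net").
    [ -f "$host_pub" ] || die "host key not found: $host_pub"
    get_domain "$host_pub"
    printf '%s\n' "$domain"
    exit
fi

# Client mode: identify the peer by the key sshd authenticated it with.
# NOTE(review): SSH_USER_AUTH is trusted to originate from sshd
# (ExposeAuthInfo=yes); confirm that PermitUserEnvironment/AcceptEnv cannot
# let a client supply its own value, since the whole identity derives from it.
[ "$SSH_USER_AUTH" ] || die "empty \$SSH_USER_AUTH; try ExposeAuthInfo=yes"
[ -f "$SSH_USER_AUTH" ] || die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}"

# Extract the public key into a sidecar next to sshd's file. sshd removes
# SSH_USER_AUTH at session end but knows nothing about the sidecar, so remove
# it on every exit path, including die. The trap targets the original path
# only: if dispose_of_temp_pem_files moves the file elsewhere, rm -f of the
# old path is a harmless no-op and the moved copy is left alone.
our_pem=$SSH_USER_AUTH.pem
tmp_pem=$our_pem
trap 'rm -f "$tmp_pem"' EXIT
fixup_ssh_user_auth < "$SSH_USER_AUTH" > "$our_pem" || die "could not rewrite SSH_USER_AUTH file"
# Fail closed with a clear message when the session was not key-authenticated
# (no "publickey" entry): there is then no identity to derive.
[ -s "$our_pem" ] || die "no publickey entry in \$SSH_USER_AUTH; client must authenticate with a key"
get_domain "$our_pem"
dispose_of_temp_pem_files "$@"

# ip=${SSH_CLIENT%% *}
# known_host="$domain,$ip $keytype $keydata"

# No command follows the assignments, so env prints them as NAME=value lines
# for the caller to consume.
env -i \
    SSH_CLIENT_DOMAIN="$domain" \
    SSH_CLIENT_FINGERPRINT="$sshfp_b32" \
    SSH_CLIENT_KEYTYPE="$keytype" \
    SSH_CLIENT_KEYDATA="$keydata"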