#!/bin/dash
# Derive a DNS-style name for the SSH client of the current session from the
# SHA-256 SSHFP fingerprint of the public key it authenticated with.
#
# Modes (see the bottom of the file):
#   script [--copy-pem DIR]  reads the SSH_USER_AUTH file that sshd writes
#                            with ExposeAuthInfo=yes and prints SSH_CLIENT_*
#                            assignments; with --copy-pem the rewritten key
#                            file is kept under DIR instead of being deleted.
#   script self              prints the name derived from this host's own
#                            /etc/ssh/ssh_host_ed25519_key.pub.
#
# External tools used: ssh-keygen, basez, sed, tail, GNU mv (-T), realpath.
# POSIX sh (dash): no pipefail, so pipeline failures are checked explicitly.
set -e
# Not referenced anywhere in this file; presumably consumed by a caller that
# sources or wraps this script — confirm before removing.
DEFAULT_AUTH_TYPE=ed25519
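# Print "<script>: Error: <message>" to stderr and exit 1.
# printf is used instead of echo: dash's echo always interprets backslash
# escapes, so a message containing a path with backslashes would be mangled.
die() { printf '%s: Error: %s\n' "$0" "$*" >&2; exit 1; }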
b16_to_b32()
{
  # Re-encode a hex (base16) string as unpadded lower-case base32.
  # Arguments: $1 - hex string (fingerprint)
  # Outputs:   the base32 form on stdout, without '=' padding
  local hex
  hex=$1
  # basez -x -d: hex -> raw bytes; basez -j -l: raw bytes -> base32, lower case.
  printf '%s' "$hex" \
    | basez -x -d \
    | basez -j -l \
    | tr -d '='
}
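get_domain()
{
  # Set the global `domain` to "<fingerprint-b32>.<keyfrag>.cryptonomic.net",
  # truncated to its last 64 bytes, for the public key in "$1".  Also leaves
  # behind the globals set by get_sshfp and get_key_path_fragment.
  # Returns non-zero (and leaves `domain` untouched) when either helper fails,
  # e.g. because "$1" does not exist, instead of assembling a name from empty
  # parts; callers that run this under `|| exit` rely on that status.
  get_sshfp "$1" || return
  get_key_path_fragment "$1" || return
  # tail -c64 keeps the *last* 64 bytes.  A SHA-256 fingerprint is 52 base32
  # characters and the shortest suffix (".rsa.cryptonomic.net") is 20, so it
  # is always the leading characters of the fingerprint that get dropped.
  domain=$(printf %s "$sshfp_b32.$keyfrag.cryptonomic.net" | tail -c64)
}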
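get_sshfp()
{
  # Compute the SHA-256 SSHFP fingerprint of the (first) public key in "$1"
  # into the globals sshfp_raw ("<algo> 2 <hex>"), sshfp_b16 (hex) and
  # sshfp_b32 (unpadded lower-case base32).
  # Returns non-zero without side effects if "$1" is not a regular file.
  [ -f "$1" ] || return 1
  # Capture ssh-keygen's output on its own so that its failure is detected:
  # dash has no pipefail, so `... | head || die` only ever sees head's status.
  sshfp_records=$(ssh-keygen -r . -f "$1") || die 'ssh-keygen'
  # ssh-keygen -r prints ". IN SSHFP <algo> <fptype> <hex>" records; keep the
  # first one with fptype 2 (SHA-256, RFC 6594) reduced to "<algo> 2 <hex>".
  sshfp_raw=$(printf '%s\n' "$sshfp_records" | sed -ne 's/^. IN SSHFP \([0-9]* 2 \)/\1/p' | head -n1)
  # Strip the "<algo> 2 " prefix; an empty result means no SHA-256 record.
  sshfp_b16=$(printf '%s\n' "$sshfp_raw" | sed -ne 's/^[0-9]* 2 //p') &&
    [ -n "$sshfp_b16" ] || die "could not determine ssh client fingerprint"
  sshfp_b32=$(b16_to_b32 "$sshfp_b16")
}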
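get_key_path_fragment()
{
  # Read the first "<keytype> <keydata...>" line of "$1" into the globals
  # keytype and keydata, and set keyfrag to the short label for that type.
  # Returns non-zero without side effects if "$1" is not a regular file;
  # dies if the line cannot be read or the key type is unsupported.
  [ -f "$1" ] || return 1
  # -r keeps backslashes literal.  Only the first line is used, so a client
  # that presented several keys is identified by the first one; keydata is
  # everything after the first blank (including a trailing comment, if any).
  read -r keytype keydata < "$1" || die "could not read from PEM file '$1'"
  # The type-to-label map is an allowlist: unknown types abort here, which
  # also keeps keytype safe for the file name built from it later.
  keyfrag=$(ssh_keytag_to_path_fragment "$keytype") || die "Unsupported key type: $keytype"
}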
ssh_keytag_to_path_fragment()
{
  # Map an SSH public-key type tag to the short label used in the name.
  # Arguments: $1 - key type tag as it appears in a public key line
  # Outputs:   dsa | ecdsa | rsa | ed25519 on stdout
  # Returns:   1 with no output for any other tag (callers treat this as
  #            "unsupported key type")
  case "$1" in
    ssh-dss)
      printf '%s\n' dsa
      ;;
    ecdsa-sha2-nistp256)
      printf '%s\n' ecdsa
      ;;
    ssh-rsa|ssh-ed25519)
      # Both labels are the tag minus its "ssh-" prefix.
      printf '%s\n' "${1#ssh-}"
      ;;
    *)
      return 1
      ;;
  esac
}
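dispose_of_temp_pem_files()
{
  # Either keep the rewritten key file under a directory (when called as
  # "--copy-pem DIR") or delete it.
  # Globals:   our_pem (read; on copy, rewritten to the new absolute path),
  #            keytype (read), SSH_CLIENT_FINGERPRINT / sshfp_b32 (read)
  # Arguments: $1 - "--copy-pem" to keep the file, anything else to delete it
  #            $2 - destination directory (created if missing)
  if [ "$1" = '--copy-pem' ] && [ -n "$2" ]; then
    [ -d "$2" ] || mkdir "$2"
    # The copy is named "<fingerprint>.<keytype>.pem".  SSH_CLIENT_FINGERPRINT
    # is not set by this script itself (it is only passed to env -i later), so
    # fall back to the fingerprint computed by get_sshfp when the environment
    # does not provide it; otherwise the name would start with a bare ".".
    t=$2/${SSH_CLIENT_FINGERPRINT:-$sshfp_b32}.${keytype}.pem
    # mv -T (GNU): treat "$t" as the target file, never as a directory.
    mv -T "$our_pem" "$t"
    our_pem=$(realpath "$t")
  else
    rm -f "$our_pem"
  fi
}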
fixup_ssh_user_auth()
{
  # Reduce sshd's SSH_USER_AUTH file (stdin) to the public keys the client
  # authenticated with: keep only lines beginning "publickey " and drop that
  # prefix, leaving "<keytype> <keydata>" lines on stdout.  Lines for other
  # authentication methods are discarded.
  sed -n -e '/^publickey /{s/^publickey //;p;}'
}
# ---- main --------------------------------------------------------------
# "self" mode: print the name derived from this host's own ed25519 host key.
case "$1" in
  self)
    get_domain /etc/ssh/ssh_host_ed25519_key.pub || exit
    printf '%s\n' "$domain"
    exit
    ;;
esac

# Normal mode: identify the client from the file sshd writes when
# ExposeAuthInfo=yes is configured.
[ -n "$SSH_USER_AUTH" ] || die "empty \$SSH_USER_AUTH; try ExposeAuthInfo=yes"
[ -f "$SSH_USER_AUTH" ] || die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}"

# Rewrite the auth file to "<keytype> <keydata>" lines (publickey entries
# only), next to the original, and derive the name from that copy.
our_pem=${SSH_USER_AUTH}.pem
fixup_ssh_user_auth < "$SSH_USER_AUTH" > "$our_pem" || die "could not rewrite SSH_USER_AUTH file"
get_domain "$our_pem"

# Delete the rewritten file, or keep it under DIR when run as "--copy-pem DIR".
dispose_of_temp_pem_files "$@"

# ip=${SSH_CLIENT%% *}
# known_host="$domain,$ip $keytype $keydata"

# env -i with no command prints exactly these assignments, one per line; that
# is the script's output.  keytype was allowlisted above; keydata is emitted
# as read from the auth file, and SSH_CLIENT_SSHFP_DATA is wrapped in single
# quotes.
env -i \
  SSH_CLIENT_DOMAIN="$domain" \
  SSH_CLIENT_SSHFP_DATA="'$sshfp_raw'" \
  SSH_CLIENT_FINGERPRINT="$sshfp_b32" \
  SSH_CLIENT_KEYTYPE="$keytype" \
  SSH_CLIENT_KEYDATA="$keydata"