get-host-keys command is working

The command fetches and validates the host key of a self-authenticating cryptonomic url. Then it tries to log in on the server and obtain proof of all the system's other host keys. That way, we can use SSH to share the RSA key that Strongswan needs. But still use ed25519 for the primary identity in the URL. This is the functionality that needs to be incorporated into 'cryptonomic-vpn' to make ed25519.cryptonomic.net urls work.
author: Andrew Cady <d@jerkface.net> 2021-10-10 03:31:22 -0400
committer: Andrew Cady <d@jerkface.net> 2021-10-10 03:34:58 -0400
commit: 03d3d89cdcae262065dbafd72d0d88d052cfc56b (patch)
tree: fc8db27dfee2ebef32cd3955dc0e8cd10689d14f
parent: c38fcfab61b2c38bdd2aaac10adbbc23a08cd30d (diff)
2 files changed, 89 insertions, 26 deletions
diff --git a/get-host-keys b/get-host-keys
new file mode 100755
index 0000000..f55b6cd
--- /dev/null
+++ b/get-host-keys
@@ -0,0 +1,89 @@
+#!/bin/sh
+die()
+{
+    printf "Error: %s\n" "$*" >&2
+    exit 1
+}
+b16_to_b32()
+{
+    printf %s "$1" | basez -x -d | basez -j -l | tr -d =
+}
+to_domain_suffix()
+{
+    local hashtype=2
+    local keystring keytype sshfp_b16 sshfp_b32
+    [ -f "$1" ] || return
+    [ -s "$1" ] || return
+    sshfp_raw=$(ssh-keygen -r . -f "$1" | grep -E -e "^. IN SSHFP [0-9]+ $hashtype ")
+    case "$sshfp_raw" in
+        '. IN SSHFP 1 '*) keytype=1; keystring=rsa ;;
+        '. IN SSHFP 4 '*) keytype=4; keystring=ed25519 ;;
+        *) return 1 ;;
+    esac
+    sshfp_b16=$(printf '%s' "$sshfp_raw" | sed -ne "s/^. IN SSHFP $keytype $hashtype //p") &&
+        [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint"
+    sshfp_b32=$(b16_to_b32 "$sshfp_b16")
+    printf %s.%s.%s "$sshfp_b32" "$keystring" cryptonomic.net | tail -c64
+}
+crypto_validate_hostname()
+{
+    local host="$1" t r
+    t=$(mktemp)
+    case "$host" in
+        *.ed25519.cryptonomic.net)
+            ssh-keyscan -t ed25519 "$host" 2>/dev/null | while read h keytype keydata comment
+            do
+                case "$h $keytype" in
+                    "$host ssh-ed25519")
+                        echo "$keytype $keydata" >> "$t"
+                        break
+                        ;;
+                esac
+            done ;;
+        *) die "unsupported hostname: $host" ;;
+    esac
+    if validated=$(to_domain_suffix "$t")
+    then
+        case "$host" in
+            "$validated" | *."$validated" )
+                read line < "$t"
+                echo "$host $line"
+                rm -f "$t"
+                return 0
+                ;;
+        esac
+    fi
+    rm -f "$t"
+    false
+}
+set -e
+_TEMP_DIR_=$(mktemp -d)
+cd "$_TEMP_DIR_"
+trap 'rm -rf "$_TEMP_DIR_"' EXIT
+host=${1:-borges}
+# ssh-keygen -F "${host#*@}" | grep -v '^#' > ssh_known_hosts 2>/dev/null
+# touch ssh_known_hosts.stamp -r ssh_known_hosts
+line=$(crypto_validate_hostname "$host") || die "could not validate hostname cryptographically"
+echo "$line" > ssh_known_hosts
+cp ssh_known_hosts ssh_known_hosts~
+ssh \
+    -F /dev/null \
+    -o GlobalKnownHostsFile=$PWD/ssh_known_hosts \
+    -o UserKnownHostsFile=$PWD/ssh_known_hosts \
+    -o UpdateHostKeys=yes \
+    -o PasswordAuthentication=no \
+    -o StrictHostKeyChecking=yes \
+    -n -T \
+    "$host" >/dev/null 2>&1
+cat ssh_known_hosts
diff --git a/notes/update-host-keys b/notes/update-host-keys
deleted file mode 100755
index 4ef0e0b..0000000
--- a/notes/update-host-keys
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-set -e
-_TEMP_DIR_=$(mktemp -d)
-cd "$_TEMP_DIR_"
-trap 'rm -rf "$_TEMP_DIR_"' EXIT
-host=${1:-borges}
-ssh-keygen -F "${host#*@}" | grep -v '^#' > ssh_known_hosts 2>/dev/null
-touch ssh_known_hosts.stamp -r ssh_known_hosts
-ssh()
-{
-    command ssh \
-        -F /dev/null \
-        -o GlobalKnownHostsFile=$PWD/ssh_known_hosts \
-        -o UserKnownHostsFile=$PWD/ssh_known_hosts \
-        -o UpdateHostKeys=yes \
-        -o PasswordAuthentication=no \
-        -o StrictHostKeyChecking=yes \
-        "$@"
-}
-have=ecdsa-sha2-nistp256
-want=rsa-sha2-256
-ssh -q -n "$host" || true
-cat ssh_known_hosts
author	Andrew Cady <d@jerkface.net>	2021-10-10 03:31:22 -0400
committer	Andrew Cady <d@jerkface.net>	2021-10-10 03:34:58 -0400
commit	03d3d89cdcae262065dbafd72d0d88d052cfc56b (patch)
tree	fc8db27dfee2ebef32cd3955dc0e8cd10689d14f
parent	c38fcfab61b2c38bdd2aaac10adbbc23a08cd30d (diff)

diff --git a/get-host-keys b/get-host-keys new file mode 100755 index 0000000..f55b6cd --- /dev/null +++ b/get-host-keys
@@ -0,0 +1,89 @@
		1	#!/bin/sh
		2	die()
		3	{
		4	printf "Error: %s\n" "$*" >&2
		5	exit 1
		6	}
		7
		8	b16_to_b32()
		9	{
		10	printf %s "$1" \| basez -x -d \| basez -j -l \| tr -d =
		11	}
		12
		13	to_domain_suffix()
		14	{
		15	local hashtype=2
		16	local keystring keytype sshfp_b16 sshfp_b32
		17	[ -f "$1" ] \|\| return
		18	[ -s "$1" ] \|\| return
		19	sshfp_raw=$(ssh-keygen -r . -f "$1" \| grep -E -e "^. IN SSHFP [0-9]+ $hashtype ")
		20	case "$sshfp_raw" in
		21	'. IN SSHFP 1 '*) keytype=1; keystring=rsa ;;
		22	'. IN SSHFP 4 '*) keytype=4; keystring=ed25519 ;;
		23	*) return 1 ;;
		24	esac
		25	sshfp_b16=$(printf '%s' "$sshfp_raw" \| sed -ne "s/^. IN SSHFP $keytype $hashtype //p") &&
		26	[ "$sshfp_b16" ] \|\| die "could not determine ssh client fingerprint"
		27	sshfp_b32=$(b16_to_b32 "$sshfp_b16")
		28
		29	printf %s.%s.%s "$sshfp_b32" "$keystring" cryptonomic.net \| tail -c64
		30	}
		31
		32	crypto_validate_hostname()
		33	{
		34	local host="$1" t r
		35	t=$(mktemp)
		36	case "$host" in
		37	*.ed25519.cryptonomic.net)
		38	ssh-keyscan -t ed25519 "$host" 2>/dev/null \| while read h keytype keydata comment
		39	do
		40	case "$h $keytype" in
		41	"$host ssh-ed25519")
		42	echo "$keytype $keydata" >> "$t"
		43	break
		44	;;
		45	esac
		46	done ;;
		47	*) die "unsupported hostname: $host" ;;
		48	esac
		49	if validated=$(to_domain_suffix "$t")
		50	then
		51	case "$host" in
		52	"$validated" \| *."$validated" )
		53	read line < "$t"
		54	echo "$host $line"
		55	rm -f "$t"
		56	return 0
		57	;;
		58	esac
		59	fi
		60	rm -f "$t"
		61	false
		62	}
		63
		64	set -e
		65	_TEMP_DIR_=$(mktemp -d)
		66	cd "$_TEMP_DIR_"
		67	trap 'rm -rf "$_TEMP_DIR_"' EXIT
		68	host=${1:-borges}
		69
		70	# ssh-keygen -F "${host#*@}" \| grep -v '^#' > ssh_known_hosts 2>/dev/null
		71	# touch ssh_known_hosts.stamp -r ssh_known_hosts
		72
		73	line=$(crypto_validate_hostname "$host") \|\| die "could not validate hostname cryptographically"
		74
		75	echo "$line" > ssh_known_hosts
		76	cp ssh_known_hosts ssh_known_hosts~
		77
		78	ssh \
		79	-F /dev/null \
		80	-o GlobalKnownHostsFile=$PWD/ssh_known_hosts \
		81	-o UserKnownHostsFile=$PWD/ssh_known_hosts \
		82	-o UpdateHostKeys=yes \
		83	-o PasswordAuthentication=no \
		84	-o StrictHostKeyChecking=yes \
		85	-n -T \
		86	"$host" >/dev/null 2>&1
		87
		88	cat ssh_known_hosts
		89


diff --git a/notes/update-host-keys b/notes/update-host-keys deleted file mode 100755 index 4ef0e0b..0000000 --- a/notes/update-host-keys +++ /dev/null
@@ -1,26 +0,0 @@
1	#!/bin/sh
2	set -e
3	_TEMP_DIR_=$(mktemp -d)
4	cd "$_TEMP_DIR_"
5	trap 'rm -rf "$_TEMP_DIR_"' EXIT
6	host=${1:-borges}
7	ssh-keygen -F "${host#*@}" \| grep -v '^#' > ssh_known_hosts 2>/dev/null
8	touch ssh_known_hosts.stamp -r ssh_known_hosts
9
10	ssh()
11	{
12	command ssh \
13	-F /dev/null \
14	-o GlobalKnownHostsFile=$PWD/ssh_known_hosts \
15	-o UserKnownHostsFile=$PWD/ssh_known_hosts \
16	-o UpdateHostKeys=yes \
17	-o PasswordAuthentication=no \
18	-o StrictHostKeyChecking=yes \
19	"$@"
20	}
21
22	have=ecdsa-sha2-nistp256
23	want=rsa-sha2-256
24	ssh -q -n "$host" \|\| true
25
26	cat ssh_known_hosts