author | Andrew Cady <d@cryptonomic.net> | 2021-10-09 17:45:18 -0400 |
---|---|---|
committer | Andrew Cady <d@cryptonomic.net> | 2021-10-09 17:45:18 -0400 |
commit | 116cde3f9debaf485b57b5a4991c58f39c0377c8 (patch) | |
tree | ec736521ec64e1c1995f97882fd866cb42094af1 | |
parent | ee67afd21ccecbc29f72e763def7dafe6229b31b (diff) |
Use SSHFP keyhash-based filename for private key
The same should be used for the public key, but isn't (yet).
-rwxr-xr-x | cryptonomic-vpn | 17 |
1 files changed, 11 insertions, 6 deletions
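--- a/cryptonomic-vpn
+++ b/cryptonomic-vpn
@@ -48,11 +48,6 @@ NO_ACT=y
 REMOTE_KEY_TYPE=rsa
 LOCAL_KEY=ssh_host_rsa_key
 
-# Hard-coded private key source and destinations.
-LOCAL_KEY_DEST_BASENAME=ssh_host_rsa_key
-LOCAL_PRIVATE_KEY_DEST=/etc/swanctl/private/$LOCAL_KEY_DEST_BASENAME
-LOCAL_PUBLIC_KEY_DEST=/etc/swanctl/pubkey/$LOCAL_KEY_DEST_BASENAME.pub
-
 die() { printf 'Error: %s\n' "$*" >&2; exit 1; }
 warn() { printf 'Warning: %s\n' "$*" >&2; }
 
@@ -129,12 +124,15 @@ validate_remote_key_type()
 
 validate_local_key()
 {
-# TODO: check that it is RSA
 case "$LOCAL_KEY" in
 */*) ;;
 *) LOCAL_KEY=/etc/ssh/$LOCAL_KEY ;;
 esac
 [ -f "$LOCAL_KEY" -a -r "$LOCAL_KEY" ] || die "could not read local key (filename=$LOCAL_KEY)"
+
+LOCAL_KEY_DEST_BASENAME=$(sshfp_filename_string "$LOCAL_KEY") || die "parsing local key (filename=$LOCAL_KEY)"
+LOCAL_PRIVATE_KEY_DEST=/etc/swanctl/private/$LOCAL_KEY_DEST_BASENAME
+LOCAL_PUBLIC_KEY_DEST=/etc/swanctl/pubkey/$LOCAL_KEY_DEST_BASENAME.pub
 }
 
 main()
@@ -248,6 +246,13 @@ write_remote_key()
 esac
 }
 
+sshfp_filename_string()
+{
+local keytype=1 hashtype=2
+ssh-keygen -r. -f "$1" | sed -ne "/^. IN SSHFP $keytype $hashtype / { s/. IN //; y/ /_/; p; q; }"
+}
+
+
 install_local_private_key()
 {
 private_key_tmp=$(mktemp) || return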
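Review bot: The `|| die` on the `LOCAL_KEY_DEST_BASENAME=$(sshfp_filename_string "$LOCAL_KEY")` line in validate_local_key cannot catch the failures it is meant for, because the status of the pipeline inside sshfp_filename_string is sed's, which exits 0 both when ssh-keygen fails and when no `SSHFP 1 2` line is present (a non-RSA key, since keytype 1 is RSA and hashtype 2 is SHA-256 in SSHFP terms). The assignment then yields an empty string, so LOCAL_PRIVATE_KEY_DEST collapses to the directory `/etc/swanctl/private/` and the public destination to `/etc/swanctl/pubkey/.pub`, and the removed `# TODO: check that it is RSA` is silently replaced by a filter rather than an enforced check. Add an emptiness test right after the assignment: `[ -n "$LOCAL_KEY_DEST_BASENAME" ] || die "no RSA/SHA-256 SSHFP record for local key (filename=$LOCAL_KEY)"`. The sed address also uses an unescaped `.` for the literal `.` owner name produced by `-r.`; `/^\. IN SSHFP $keytype $hashtype /` pins it to that record format.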