OpenSSH based authentication of remote host key works!!!

author: Andrew Cady <d@jerkface.net> 2021-10-09 20:15:12 -0400
committer: Andrew Cady <d@jerkface.net> 2021-10-09 20:15:12 -0400
commit: 3024870b3cb841eaa7266ffe6c0a2619a5fc1580 (patch)
tree: 88c6db5f3b9d913b2015e778cf70f6746045b53c
parent: 59514348ec70163dfd5dab17d589c94f2c74b7d9 (diff)
1 files changed, 31 insertions, 3 deletions
diff --git a/cryptonomic-vpn b/cryptonomic-vpn
index 02a8a14..0101e76 100755
--- a/cryptonomic-vpn
+++ b/cryptonomic-vpn
@@ -284,25 +284,53 @@ key_to_domain_suffix()
    printf %s.%s.%s "$sshfp_b32" "$REMOTE_KEY_TYPE" cryptonomic.net | tail -c64
 }
-validate_public_key()
+validate_public_key_name()
 {
    local suffix keyfile="$1" name="$2"
+    case "$name" in
+        *.cryptonomic.net) validate_cryptonomic_public_key_name "$@" ;;
+        *) validate_generic_public_key_name "$@" ;;
+    esac
+}
+validate_cryptonomic_public_key_name()
+{
    [ "$keyfile" ]
    [ "$name" ]
    suffix=$(key_to_domain_suffix "$keyfile")
    case "$name" in
        *."$suffix" | "$suffix" ) true  ;;
        *                       ) false ;;
    esac
 }
+validate_generic_public_key_name()
+{
+    read expected < "$1"
+    scan_knownhosts_files "$2" | grep -q -F -e "$expected"
+}
+scan_knownhosts_files()
+{
+    local host="$1" f files
+    [ "$host" ] || return
+    files=$(ssh -G "$host" | sed -E -ne 's/(global|user)knownhostsfile //p')
+    for f in $files
+    do
+        [ -e "$f" ] || continue
+        egrep -v '^(#|$)' "$f" | while read _hosts keytype key comment
+        do
+            echo "$keytype $key"
+        done
+    done
+}
 install_remote_public_key()
 {
    trap 'rm -f "$t"' EXIT
    t=$(mktemp)
    keyscan "$REMOTE_IP" | match_and_drop_first_word "$REMOTE_IP" > "$t"
-    validate_public_key "$t" "$REMOTE_NAME" || die 'cannot authenticate remote public key'
+    validate_public_key_name "$t" "$REMOTE_NAME" || die 'cannot authenticate remote public key'
    write_successfully /etc/swanctl/pubkey/"$REMOTE_NAME".pub -- write_remote_key "$t"
    trap - EXIT
    rm -f "$t"
author	Andrew Cady <d@jerkface.net>	2021-10-09 20:15:12 -0400
committer	Andrew Cady <d@jerkface.net>	2021-10-09 20:15:12 -0400
commit	3024870b3cb841eaa7266ffe6c0a2619a5fc1580 (patch)
tree	88c6db5f3b9d913b2015e778cf70f6746045b53c
parent	59514348ec70163dfd5dab17d589c94f2c74b7d9 (diff)

diff --git a/cryptonomic-vpn b/cryptonomic-vpn index 02a8a14..0101e76 100755 --- a/cryptonomic-vpn +++ b/cryptonomic-vpn
@@ -284,25 +284,53 @@ key_to_domain_suffix()
284	printf %s.%s.%s "$sshfp_b32" "$REMOTE_KEY_TYPE" cryptonomic.net \| tail -c64	284	printf %s.%s.%s "$sshfp_b32" "$REMOTE_KEY_TYPE" cryptonomic.net \| tail -c64
285	}	285	}
286		286
287	validate_public_key()	287	validate_public_key_name()
288	{	288	{
289	local suffix keyfile="$1" name="$2"	289	local suffix keyfile="$1" name="$2"
		290	case "$name" in
		291	*.cryptonomic.net) validate_cryptonomic_public_key_name "$@" ;;
		292	*) validate_generic_public_key_name "$@" ;;
		293	esac
		294	}
		295
		296	validate_cryptonomic_public_key_name()
		297	{
290	[ "$keyfile" ]	298	[ "$keyfile" ]
291	[ "$name" ]	299	[ "$name" ]
292	suffix=$(key_to_domain_suffix "$keyfile")	300	suffix=$(key_to_domain_suffix "$keyfile")
293
294	case "$name" in	301	case "$name" in
295	*."$suffix" \| "$suffix" ) true ;;	302	*."$suffix" \| "$suffix" ) true ;;
296	* ) false ;;	303	* ) false ;;
297	esac	304	esac
298	}	305	}
299		306
		307	validate_generic_public_key_name()
		308	{
		309	read expected < "$1"
		310	scan_knownhosts_files "$2" \| grep -q -F -e "$expected"
		311	}
		312
		313	scan_knownhosts_files()
		314	{
		315	local host="$1" f files
		316	[ "$host" ] \|\| return
		317	files=$(ssh -G "$host" \| sed -E -ne 's/(global\|user)knownhostsfile //p')
		318	for f in $files
		319	do
		320	[ -e "$f" ] \|\| continue
		321	egrep -v '^(#\|$)' "$f" \| while read _hosts keytype key comment
		322	do
		323	echo "$keytype $key"
		324	done
		325	done
		326	}
		327
300	install_remote_public_key()	328	install_remote_public_key()
301	{	329	{
302	trap 'rm -f "$t"' EXIT	330	trap 'rm -f "$t"' EXIT
303	t=$(mktemp)	331	t=$(mktemp)
304	keyscan "$REMOTE_IP" \| match_and_drop_first_word "$REMOTE_IP" > "$t"	332	keyscan "$REMOTE_IP" \| match_and_drop_first_word "$REMOTE_IP" > "$t"
305	validate_public_key "$t" "$REMOTE_NAME" \|\| die 'cannot authenticate remote public key'	333	validate_public_key_name "$t" "$REMOTE_NAME" \|\| die 'cannot authenticate remote public key'
306	write_successfully /etc/swanctl/pubkey/"$REMOTE_NAME".pub -- write_remote_key "$t"	334	write_successfully /etc/swanctl/pubkey/"$REMOTE_NAME".pub -- write_remote_key "$t"
307	trap - EXIT	335	trap - EXIT
308	rm -f "$t"	336	rm -f "$t"