author | Andrew Cady <d@jerkface.net> | 2021-10-09 20:15:12 -0400 |
---|---|---|
committer | Andrew Cady <d@jerkface.net> | 2021-10-09 20:15:12 -0400 |
commit | 3024870b3cb841eaa7266ffe6c0a2619a5fc1580 (patch) | |
tree | 88c6db5f3b9d913b2015e778cf70f6746045b53c | |
parent | 59514348ec70163dfd5dab17d589c94f2c74b7d9 (diff) |
OpenSSH based authentication of remote host key works!!!
-rwxr-xr-x | cryptonomic-vpn | 34 |
1 files changed, 31 insertions, 3 deletions
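--- a/cryptonomic-vpn
+++ b/cryptonomic-vpn
@@ -284,25 +284,53 @@ key_to_domain_suffix()
 printf %s.%s.%s "$sshfp_b32" "$REMOTE_KEY_TYPE" cryptonomic.net | tail -c64
 }
 
-validate_public_key()
+validate_public_key_name()
 {
 local suffix keyfile="$1" name="$2"
+case "$name" in
+*.cryptonomic.net) validate_cryptonomic_public_key_name "$@" ;;
+*) validate_generic_public_key_name "$@" ;;
+esac
+}
+
+validate_cryptonomic_public_key_name()
+{
 [ "$keyfile" ]
 [ "$name" ]
 suffix=$(key_to_domain_suffix "$keyfile")
-
 case "$name" in
 *."$suffix" | "$suffix" ) true ;;
 * ) false ;;
 esac
 }
 
+validate_generic_public_key_name()
+{
+read expected < "$1"
+scan_knownhosts_files "$2" | grep -q -F -e "$expected"
+}
+
+scan_knownhosts_files()
+{
+local host="$1" f files
+[ "$host" ] || return
+files=$(ssh -G "$host" | sed -E -ne 's/(global|user)knownhostsfile //p')
+for f in $files
+do
+[ -e "$f" ] || continue
+egrep -v '^(#|$)' "$f" | while read _hosts keytype key comment
+do
+echo "$keytype $key"
+done
+done
+}
+
 install_remote_public_key()
 {
 trap 'rm -f "$t"' EXIT
 t=$(mktemp)
 keyscan "$REMOTE_IP" | match_and_drop_first_word "$REMOTE_IP" > "$t"
-validate_public_key "$t" "$REMOTE_NAME" || die 'cannot authenticate remote public key'
+validate_public_key_name "$t" "$REMOTE_NAME" || die 'cannot authenticate remote public key'
 write_successfully /etc/swanctl/pubkey/"$REMOTE_NAME".pub -- write_remote_key "$t"
 trap - EXIT
 rm -f "$t"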
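Review bot: scan_knownhosts_files (new lines 313–326) emits the keytype/key of every entry in the resolved known_hosts files, and validate_generic_public_key_name only greps the scanned key against that list, so a key that known_hosts records for some other host is accepted for "$2"; the host field is read into `_hosts` and discarded, and the hostname is used only to pick the files. Restricting the scan to entries for the host binds the key to the name and also handles hashed entries, e.g. `ssh-keygen -F "$host" -f "$f" | egrep -v '^(#|$)' | while read _hosts keytype key comment`. Separately, when the temp file is empty (keyscan or match_and_drop_first_word produced nothing) `read expected < "$1"` leaves `$expected` empty and `grep -q -F -e ""` matches any line, so the check passes vacuously as long as at least one known_hosts entry exists; add `[ "$expected" ] || return 1` before the grep and use `grep -qxF` so only a whole-line match counts. Note also that `[ "$keyfile" ]` / `[ "$name" ]` in validate_cryptonomic_public_key_name do not abort even under set -e, because the function is invoked on the left of `||` in install_remote_public_key.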