author | Andrew Cady <d@jerkface.net> | 2021-10-10 05:30:56 -0400 |
committer | Andrew Cady <d@jerkface.net> | 2021-10-10 05:30:56 -0400 |
commit | a5dc38245e1e76d4bf8b321aac488b76ad399b43 (patch) | |
tree | 9fc686d5ac5c3d79d6092b607ae0b5b5f2358545 | |
parent | 015ec452bf5eaf2c56d9f311634d19b09f158269 (diff) |
cryptonomic-vpn calls out to ./get-host-keys
cryptonomic-vpn calls out to ./get-host-keys to get host keys.
That path will have to be changed; it is OK for now since both need to be merged
into selfpublish.sh.
-rwxr-xr-x | cryptonomic-vpn | 68 |
1 files changed, 24 insertions, 44 deletions
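diff --git a/cryptonomic-vpn b/cryptonomic-vpn
index 855793b..2ca1fc0 100755
--- a/cryptonomic-vpn
+++ b/cryptonomic-vpn
@@ -268,48 +268,6 @@ install_local_private_key()
 rm -f "$private_key_tmp"
 }
 
-b16_to_b32()
-{
-printf %s "$1" | basez -x -d | basez -j -l | tr -d =
-}
-
-key_to_domain_suffix()
-{
-[ -f "$1" ] || return
-local keytype=1 hashtype=2 sshfp_b16 sshfp_b32
-sshfp_b16=$(ssh-keygen -r . -f "$1" | sed -ne "s/^. IN SSHFP $keytype $hashtype //p") &&
-[ "$sshfp_b16" ] || die "could not determine ssh client fingerprint"
-sshfp_b32=$(b16_to_b32 "$sshfp_b16")
-
-printf %s.%s.%s "$sshfp_b32" "$REMOTE_KEY_TYPE" cryptonomic.net | tail -c64
-}
-
-validate_public_key_name()
-{
-local suffix keyfile="$1" name="$2"
-case "$name" in
-*.cryptonomic.net) validate_cryptonomic_public_key_name "$@" ;;
-*) validate_generic_public_key_name "$@" ;;
-esac
-}
-
-validate_cryptonomic_public_key_name()
-{
-[ "$keyfile" ]
-[ "$name" ]
-suffix=$(key_to_domain_suffix "$keyfile")
-case "$name" in
-*."$suffix" | "$suffix" ) true ;;
-* ) false ;;
-esac
-}
-
-validate_generic_public_key_name()
-{
-read expected < "$1"
-scan_knownhosts_files "$2" | grep -q -F -e "$expected"
-}
-
 scan_knownhosts_files()
 {
 local host="$1" f files
@@ -325,16 +283,38 @@ scan_knownhosts_files()
 done
 }
 
+find_known_ssh_host_rsa_key_by_name()
+{
+local target="$1" name="$2" keytype_wanted='ssh-rsa'
+scan_knownhosts_files "$name" | (
+while read keytype key
+do
+[ "$keytype" = "$keytype_wanted" ] || continue
+echo "Notice: found $name $keytype $key" >&2
+echo "$keytype $key" > "$target"
+exit
+done
+false
+)
+}
+
 install_remote_public_key()
 {
 trap 'rm -f "$t"' EXIT
 t=$(mktemp)
-keyscan "$REMOTE_IP" | match_and_drop_first_word "$REMOTE_IP" > "$t"
-validate_public_key_name "$t" "$REMOTE_NAME" || die 'cannot authenticate remote public key'
 
+if find_known_ssh_host_rsa_key_by_name "$t" "$REMOTE_NAME"
+then
+echo "Notice: using host key from OpenSSH KnownHostsFiles for $REMOTE_NAME" >&2
+else
+echo "Notice: scanning the network for host keys for $REMOTE_NAME" >&2
+./get-host-keys "$REMOTE_NAME" || die 'get-host-keys'
+find_known_ssh_host_rsa_key_by_name "$t" "$REMOTE_NAME" || die "could not find host rsa key for $REMOTE_NAME"
+fi
 
 REMOTE_PUBLIC_KEY_DEST=/etc/swanctl/pubkey/$(sshfp_rsa_filename_string "$t").pub
 write_successfully "$REMOTE_PUBLIC_KEY_DEST" -- write_remote_key "$t"
+
 trap - EXIT
 rm -f "$t"
 }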
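Review bot: The new lookup in `install_remote_public_key` (new lines 306–312) replaces the name-to-key check that hunk 1 deletes with `validate_cryptonomic_public_key_name`, which required a `*.cryptonomic.net` name to match the SSHFP-derived suffix of the key; `find_known_ssh_host_rsa_key_by_name` now accepts the first `ssh-rsa` entry that `scan_knownhosts_files` yields for `$REMOTE_NAME`, and on a miss that entry is whatever `./get-host-keys` just wrote, so unless get-host-keys repeats that validation (not visible here) the key installed under `/etc/swanctl/pubkey` is trusted on the strength of the known_hosts lookup alone. A comment at the `if` naming where that trust decision now lives, e.g. `# trust decision: a host key is accepted iff it appears in a KnownHostsFile (populated by get-host-keys on a miss)`, would make this reviewable. `./get-host-keys` resolves against the caller's working directory rather than the script's; the description acknowledges it, and `"$(dirname -- "$0")/get-host-keys"` is the usual interim fix. `while read keytype key` in `find_known_ssh_host_rsa_key_by_name` should be `while read -r keytype key` so backslashes in the file are kept literally. `die 'get-host-keys'` on new line 311 says nothing about what failed; `die "get-host-keys failed for $REMOTE_NAME"` would.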