diff options
| author | Andrew Cady <d@jerkface.net> | 2021-10-10 04:45:06 -0400 |
|---|---|---|
| committer | Andrew Cady <d@jerkface.net> | 2021-10-10 04:45:06 -0400 |
| commit | e8d88f65f906f7be5b36e2c6b56e0d5ba633f368 (patch) | |
| tree | f4cfe8b70d7a4764949091a6407d7d160b22dfaa | |
| parent | 4eefb9b31fdc485ab4b144ad41aa53ce96cc7432 (diff) | |
get-host-keys improvements
| -rwxr-xr-x | get-host-keys | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/get-host-keys b/get-host-keys index 1133565..4fbf9a0 100755 --- a/get-host-keys +++ b/get-host-keys | |||
| @@ -1,4 +1,6 @@ | |||
| 1 | #!/bin/sh | 1 | #!/bin/sh |
| 2 | public_suffix=cryptonomic.net | ||
| 3 | |||
| 2 | die() | 4 | die() |
| 3 | { | 5 | { |
| 4 | printf "Error: %s\n" "$*" >&2 | 6 | printf "Error: %s\n" "$*" >&2 |
| @@ -10,7 +12,7 @@ b16_to_b32() | |||
| 10 | printf %s "$1" | basez -x -d | basez -j -l | tr -d = | 12 | printf %s "$1" | basez -x -d | basez -j -l | tr -d = |
| 11 | } | 13 | } |
| 12 | 14 | ||
| 13 | to_domain_suffix() | 15 | openssh_knownhost_to_dnsname() |
| 14 | { | 16 | { |
| 15 | local hashtype=2 | 17 | local hashtype=2 |
| 16 | local keystring keytype sshfp_b16 sshfp_b32 | 18 | local keystring keytype sshfp_b16 sshfp_b32 |
| @@ -26,23 +28,23 @@ to_domain_suffix() | |||
| 26 | [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint" | 28 | [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint" |
| 27 | sshfp_b32=$(b16_to_b32 "$sshfp_b16") | 29 | sshfp_b32=$(b16_to_b32 "$sshfp_b16") |
| 28 | 30 | ||
| 29 | printf %s.%s.%s "$sshfp_b32" "$keystring" cryptonomic.net | tail -c64 | 31 | printf %s.%s.%s "$sshfp_b32" "$keystring" "$public_suffix" | tail -c64 |
| 30 | } | 32 | } |
| 31 | 33 | ||
| 32 | crypto_validate_hostname() | 34 | dnsname_to_openssh_knownhost() |
| 33 | { | 35 | { |
| 34 | local host="$1" t r | 36 | local host="$1" t r |
| 35 | t=$(mktemp) | 37 | t=$(mktemp) |
| 36 | case "$host" in | 38 | case "$host" in |
| 37 | *.ed25519.cryptonomic.net ) ;; | 39 | *.ed25519."$public_suffix" ) ;; |
| 38 | * ) die "unsupported hostname: $host" ;; | 40 | * ) return 1 ;; |
| 39 | esac | 41 | esac |
| 40 | ssh-keyscan -t ed25519 "$host" 2>/dev/null | ( | 42 | ssh-keyscan -t ed25519 "$host" 2>/dev/null | ( |
| 41 | while read h keytype keydata comment | 43 | while read h keytype keydata comment |
| 42 | do | 44 | do |
| 43 | [ "$h $keytype" = "$host ssh-ed25519" ] || continue | 45 | [ "$h $keytype" = "$host ssh-ed25519" ] || continue |
| 44 | echo "$keytype $keydata" > "$t" | 46 | echo "$keytype $keydata" > "$t" |
| 45 | validated=$(to_domain_suffix "$t") || continue | 47 | validated=$(openssh_knownhost_to_dnsname "$t") || continue |
| 46 | case "$host" in | 48 | case "$host" in |
| 47 | "$validated" | *."$validated" ) | 49 | "$validated" | *."$validated" ) |
| 48 | read line < "$t" | 50 | read line < "$t" |
| @@ -58,17 +60,21 @@ crypto_validate_hostname() | |||
| 58 | } | 60 | } |
| 59 | 61 | ||
| 60 | set -e | 62 | set -e |
| 63 | |||
| 64 | [ $# = 1 ] || die 'usage' | ||
| 65 | host=$1 | ||
| 66 | shift | ||
| 67 | |||
| 61 | _TEMP_DIR_=$(mktemp -d) | 68 | _TEMP_DIR_=$(mktemp -d) |
| 62 | cd "$_TEMP_DIR_" | 69 | cd "$_TEMP_DIR_" |
| 63 | trap 'rm -rf "$_TEMP_DIR_"' EXIT | 70 | trap 'rm -rf "$_TEMP_DIR_"' EXIT |
| 64 | host=${1:-borges} | ||
| 65 | 71 | ||
| 66 | if ssh-keygen -F "${host#*@}" | grep -v '^#' > ssh_known_hosts 2>/dev/null | 72 | if ssh-keygen -F "${host#*@}" | grep -v '^#' > ssh_known_hosts 2>/dev/null |
| 67 | then | 73 | then |
| 68 | cp ssh_known_hosts ssh_known_hosts~ | 74 | cp ssh_known_hosts ssh_known_hosts~ |
| 69 | else | 75 | else |
| 70 | touch ssh_known_hosts~ | 76 | touch ssh_known_hosts~ |
| 71 | crypto_validate_hostname "${host##*@}" >> ssh_known_hosts || die "could not validate hostname cryptographically" | 77 | dnsname_to_openssh_knownhost "${host##*@}" >> ssh_known_hosts || die "could not validate hostname cryptographically" |
| 72 | fi | 78 | fi |
| 73 | 79 | ||
| 74 | ssh \ | 80 | ssh \ |