author | Andrew Cady <d@jerkface.net> | 2021-10-10 04:45:06 -0400 |
committer | Andrew Cady <d@jerkface.net> | 2021-10-10 04:45:06 -0400 |
commit | e8d88f65f906f7be5b36e2c6b56e0d5ba633f368 (patch) | |
tree | f4cfe8b70d7a4764949091a6407d7d160b22dfaa | |
parent | 4eefb9b31fdc485ab4b144ad41aa53ce96cc7432 (diff) |
get-host-keys improvements
-rwxr-xr-x | get-host-keys | 22 |
1 files changed, 14 insertions, 8 deletions
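--- a/get-host-keys
+++ b/get-host-keys
@@ -1,4 +1,6 @@
 #!/bin/sh
+public_suffix=cryptonomic.net
+
 die()
 {
 printf "Error: %s\n" "$*" >&2
@@ -10,7 +12,7 @@ b16_to_b32()
 printf %s "$1" | basez -x -d | basez -j -l | tr -d =
 }
 
-to_domain_suffix()
+openssh_knownhost_to_dnsname()
 {
 local hashtype=2
 local keystring keytype sshfp_b16 sshfp_b32
@@ -26,23 +28,23 @@ to_domain_suffix()
 [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint"
 sshfp_b32=$(b16_to_b32 "$sshfp_b16")
 
-printf %s.%s.%s "$sshfp_b32" "$keystring" cryptonomic.net | tail -c64
+printf %s.%s.%s "$sshfp_b32" "$keystring" "$public_suffix" | tail -c64
 }
 
-crypto_validate_hostname()
+dnsname_to_openssh_knownhost()
 {
 local host="$1" t r
 t=$(mktemp)
 case "$host" in
-*.ed25519.cryptonomic.net ) ;;
-* ) die "unsupported hostname: $host" ;;
+*.ed25519."$public_suffix" ) ;;
+* ) return 1 ;;
 esac
 ssh-keyscan -t ed25519 "$host" 2>/dev/null | (
 while read h keytype keydata comment
 do
 [ "$h $keytype" = "$host ssh-ed25519" ] || continue
 echo "$keytype $keydata" > "$t"
-validated=$(to_domain_suffix "$t") || continue
+validated=$(openssh_knownhost_to_dnsname "$t") || continue
 case "$host" in
 "$validated" | *."$validated" )
 read line < "$t"
@@ -58,17 +60,21 @@ crypto_validate_hostname()
 }
 
 set -e
+
+[ $# = 1 ] || die 'usage'
+host=$1
+shift
+
 _TEMP_DIR_=$(mktemp -d)
 cd "$_TEMP_DIR_"
 trap 'rm -rf "$_TEMP_DIR_"' EXIT
-host=${1:-borges}
 
 if ssh-keygen -F "${host#*@}" | grep -v '^#' > ssh_known_hosts 2>/dev/null
 then
 cp ssh_known_hosts ssh_known_hosts~
 else
 touch ssh_known_hosts~
-crypto_validate_hostname "${host##*@}" >> ssh_known_hosts || die "could not validate hostname cryptographically"
+dnsname_to_openssh_knownhost "${host##*@}" >> ssh_known_hosts || die "could not validate hostname cryptographically"
 fi
 
 ssh \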
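Review bot: Turning the suffix into `$public_suffix` leaves the `| tail -c64` on new line 31 of `openssh_knownhost_to_dnsname` coupled to the suffix length: the 64 bytes are cut from the end of `<b32 fingerprint>.<keystring>.<suffix>`, so every character added to `public_suffix` drops one more fingerprint character from `validated` (the value `dnsname_to_openssh_knownhost` compares against the hostname), and a later edit of the suffix would silently weaken the cryptographic check without anything failing. With `ed25519.cryptonomic.net` that appears to leave 40 base32 characters (roughly 200 bits of the SHA-256 SSHFP, if I have the encoding right); anchoring the truncation to the fingerprint label keeps that margin fixed regardless of suffix, e.g. `sshfp_b32=$(printf %s "$sshfp_b32" | tail -c40)` followed by `printf %s.%s.%s "$sshfp_b32" "$keystring" "$public_suffix"` with no trailing `tail`. Whichever form is kept, the constant deserves a why-comment such as `# keep only the trailing 40 base32 chars (~200 bits) of the fingerprint: hostnames carry this truncated label`. Separately, `t=$(mktemp)` on new line 37 creates the key file under $TMPDIR rather than in `$_TEMP_DIR_`, so the EXIT trap does not cover it and an early `die`/`set -e` exit leaves it behind; `t=$(mktemp "${_TEMP_DIR_:?}/hostkey.XXXXXX")` would put it under the trap. Both functions continue outside the visible hunks (the fingerprint extraction before line 28 and the tail of the keyscan loop after line 50), so I have not confirmed what `keystring` holds or whether `$t` is removed there.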