From 3024870b3cb841eaa7266ffe6c0a2619a5fc1580 Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Sat, 9 Oct 2021 20:15:12 -0400
Subject: OpenSSH based authentication of remote host key works!!!
---
 cryptonomic-vpn | 34 +++++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/cryptonomic-vpn b/cryptonomic-vpn
index 02a8a14..0101e76 100755
--- a/cryptonomic-vpn
+++ b/cryptonomic-vpn
@@ -284,25 +284,53 @@ key_to_domain_suffix()
 printf %s.%s.%s "$sshfp_b32" "$REMOTE_KEY_TYPE" cryptonomic.net | tail -c64
 }
-validate_public_key()
+validate_public_key_name()
 {
 local suffix keyfile="$1" name="$2"
+ case "$name" in
+ *.cryptonomic.net) validate_cryptonomic_public_key_name "$@" ;;
+ *) validate_generic_public_key_name "$@" ;;
+ esac
+}
+
+validate_cryptonomic_public_key_name()
+{
 [ "$keyfile" ]
 [ "$name" ]
 suffix=$(key_to_domain_suffix "$keyfile")
-
 case "$name" in *."$suffix" | "$suffix" ) true ;; * ) false ;; esac
 }
+validate_generic_public_key_name()
+{
+ read expected < "$1"
+ scan_knownhosts_files "$2" | grep -q -F -e "$expected"
+}
+
+scan_knownhosts_files()
+{
+ local host="$1" f files
+ [ "$host" ] || return
+ files=$(ssh -G "$host" | sed -E -ne 's/(global|user)knownhostsfile //p')
+ for f in $files
+ do
+ [ -e "$f" ] || continue
+ egrep -v '^(#|$)' "$f" | while read _hosts keytype key comment
+ do
+ echo "$keytype $key"
+ done
+ done
+}
+
 install_remote_public_key()
 {
 trap 'rm -f "$t"' EXIT
 t=$(mktemp)
 keyscan "$REMOTE_IP" | match_and_drop_first_word "$REMOTE_IP" > "$t"
- validate_public_key "$t" "$REMOTE_NAME" || die 'cannot authenticate remote public key'
+ validate_public_key_name "$t" "$REMOTE_NAME" || die 'cannot authenticate remote public key'
 write_successfully /etc/swanctl/pubkey/"$REMOTE_NAME".pub -- write_remote_key "$t"
 trap - EXIT
 rm -f "$t"
--
cgit v1.2.3
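Review bot: `validate_generic_public_key_name` accepts the scanned key if it appears under any host in any known_hosts file, because `scan_knownhosts_files` reads and discards the host field (`_hosts`) and the `grep -F` is a substring match on the key alone, so a key already trusted for some unrelated host would also authenticate `$REMOTE_NAME`; the lookup should be bound to the name being validated, e.g. `ssh-keygen -F "$host" -f "$f"`, which also handles hashed entries. Two smaller points in the same function: `ssh -G` prints the user files with a literal `~/` on the OpenSSH builds I know, so `[ -e "$f" ]` skips them and the generic path can only ever match the global files, and both `read`s should be `read -r`, with the final comparison made exact via `grep -q -x -F -e "$expected"`. The loop body below replaces the `egrep | while read` pipeline in `scan_knownhosts_files`; the function's interface and its caller are unchanged. Separately, `validate_cryptonomic_public_key_name` relies on `keyfile` and `name` leaking from the caller's `local` through dynamic scope rather than taking `"$1" "$2"` itself, which will break as soon as it is called from anywhere else.
```shell
    for f in $files
    do
        # ssh -G reports the user files as "~/...": expand before testing.
        case "$f" in "~/"*) f=$HOME/${f#"~/"} ;; esac
        [ -e "$f" ] || continue
        # Only entries recorded for this host (plain or hashed); a key trusted
        # for some other host must not authenticate this one.  Marker lines
        # (@revoked, @cert-authority) and -F's "# Host ..." banner are skipped.
        ssh-keygen -F "$host" -f "$f" 2>/dev/null \
            | awk '!/^[#@]/ { print $2, $3 }'
    done
```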