From dd3d60eb364727ee54282623d39737b2b85b6da2 Mon Sep 17 00:00:00 2001 From: Andrew Cady Date: Sun, 10 Oct 2021 05:35:28 -0400 Subject: rename ssh-update-host-keys --- cryptonomic-vpn | 2 +- get-host-keys | 103 --------------------------------------------------- ssh-update-host-keys | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 104 insertions(+), 104 deletions(-) delete mode 100755 get-host-keys create mode 100755 ssh-update-host-keys diff --git a/cryptonomic-vpn b/cryptonomic-vpn index 2ca1fc0..0c60ae0 100755 --- a/cryptonomic-vpn +++ b/cryptonomic-vpn @@ -308,7 +308,7 @@ install_remote_public_key() echo "Notice: using host key from OpenSSH KnownHostsFiles for $REMOTE_NAME" >&2 else echo "Notice: scanning the network for host keys for $REMOTE_NAME" >&2 - ./get-host-keys "$REMOTE_NAME" || die 'get-host-keys' + ./ssh-update-host-keys "$REMOTE_NAME" || die ssh-update-host-keys find_known_ssh_host_rsa_key_by_name "$t" "$REMOTE_NAME" || die "could not find host rsa key for $REMOTE_NAME" fi diff --git a/get-host-keys b/get-host-keys deleted file mode 100755 index 896d983..0000000 --- a/get-host-keys +++ /dev/null @@ -1,103 +0,0 @@ -#!/bin/sh -public_suffix=cryptonomic.net - -die() -{ - printf "Error: %s\n" "$*" >&2 - exit 1 -} - -b16_to_b32() -{ - printf %s "$1" | basez -x -d | basez -j -l | tr -d = -} - -openssh_knownhost_to_dnsname() -{ - local hashtype=2 - local keystring keytype sshfp_b16 sshfp_b32 - [ -f "$1" ] || return - [ -s "$1" ] || return - sshfp_raw=$(ssh-keygen -r . -f "$1" | grep -E -e "^. IN SSHFP [0-9]+ $hashtype ") - case "$sshfp_raw" in - '. IN SSHFP 1 '*) keytype=1; keystring=rsa ;; - '. IN SSHFP 4 '*) keytype=4; keystring=ed25519 ;; - *) return 1 ;; - esac - sshfp_b16=$(printf '%s' "$sshfp_raw" | sed -ne "s/^. IN SSHFP $keytype $hashtype //p") && - [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint" - sshfp_b32=$(b16_to_b32 "$sshfp_b16") - - printf %s.%s.%s "$sshfp_b32" "$keystring" "$public_suffix" | tail -c64 -} - -dnsname_to_openssh_knownhost() -{ - local host="$1" t r - t=$(mktemp) - case "$host" in - *.ed25519."$public_suffix" ) ;; - * ) return 1 ;; - esac - ssh-keyscan -t ed25519 "$host" 2>/dev/null | ( - while read h keytype keydata comment - do - [ "$h $keytype" = "$host ssh-ed25519" ] || continue - echo "$keytype $keydata" > "$t" - validated=$(openssh_knownhost_to_dnsname "$t") || continue - case "$host" in - "$validated" | *."$validated" ) - read line < "$t" - echo "$host $line" - rm -f "$t" - exit 0 - ;; - esac - done - rm -f "$t" - exit 1 - ) -} - -set -e - -[ $# = 1 ] || die 'usage' -host=$1 -shift - -_TEMP_DIR_=$(mktemp -d) -cd "$_TEMP_DIR_" -trap 'rm -rf "$_TEMP_DIR_"' EXIT - -if ssh-keygen -F "${host#*@}" | grep -v '^#' > ssh_known_hosts 2>/dev/null -then - cp ssh_known_hosts ssh_known_hosts~ -else - touch ssh_known_hosts~ - dnsname_to_openssh_knownhost "${host##*@}" >> ssh_known_hosts || die "could not validate hostname cryptographically" -fi - -modify_known_hosts=y - -set -- ssh -if [ ! "$modify_known_hosts" ] -then - set -- "$@" -F /dev/null - set -- "$@" -o GlobalKnownHostsFile=$PWD/ssh_known_hosts - set -- "$@" -o UserKnownHostsFile=$PWD/ssh_known_hosts -fi -set -- "$@" -o UpdateHostKeys=yes -set -- "$@" -o PasswordAuthentication=no -set -- "$@" -o StrictHostKeyChecking=yes -set -- "$@" -n -T -set -- "$@" "$host" - -"$@" || true - -if test -t 1 -then - diff -u ssh_known_hosts~ ssh_known_hosts || true -else - cat ssh_known_hosts -fi - diff --git a/ssh-update-host-keys b/ssh-update-host-keys new file mode 100755 index 0000000..896d983 --- /dev/null +++ b/ssh-update-host-keys @@ -0,0 +1,103 @@ +#!/bin/sh +public_suffix=cryptonomic.net + +die() +{ + printf "Error: %s\n" "$*" >&2 + exit 1 +} + +b16_to_b32() +{ + printf %s "$1" | basez -x -d | basez -j -l | tr -d = +} + +openssh_knownhost_to_dnsname() +{ + local hashtype=2 + local keystring keytype sshfp_b16 sshfp_b32 + [ -f "$1" ] || return + [ -s "$1" ] || return + sshfp_raw=$(ssh-keygen -r . -f "$1" | grep -E -e "^. IN SSHFP [0-9]+ $hashtype ") + case "$sshfp_raw" in + '. IN SSHFP 1 '*) keytype=1; keystring=rsa ;; + '. IN SSHFP 4 '*) keytype=4; keystring=ed25519 ;; + *) return 1 ;; + esac + sshfp_b16=$(printf '%s' "$sshfp_raw" | sed -ne "s/^. IN SSHFP $keytype $hashtype //p") && + [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint" + sshfp_b32=$(b16_to_b32 "$sshfp_b16") + + printf %s.%s.%s "$sshfp_b32" "$keystring" "$public_suffix" | tail -c64 +} + +dnsname_to_openssh_knownhost() +{ + local host="$1" t r + t=$(mktemp) + case "$host" in + *.ed25519."$public_suffix" ) ;; + * ) return 1 ;; + esac + ssh-keyscan -t ed25519 "$host" 2>/dev/null | ( + while read h keytype keydata comment + do + [ "$h $keytype" = "$host ssh-ed25519" ] || continue + echo "$keytype $keydata" > "$t" + validated=$(openssh_knownhost_to_dnsname "$t") || continue + case "$host" in + "$validated" | *."$validated" ) + read line < "$t" + echo "$host $line" + rm -f "$t" + exit 0 + ;; + esac + done + rm -f "$t" + exit 1 + ) +} + +set -e + +[ $# = 1 ] || die 'usage' +host=$1 +shift + +_TEMP_DIR_=$(mktemp -d) +cd "$_TEMP_DIR_" +trap 'rm -rf "$_TEMP_DIR_"' EXIT + +if ssh-keygen -F "${host#*@}" | grep -v '^#' > ssh_known_hosts 2>/dev/null +then + cp ssh_known_hosts ssh_known_hosts~ +else + touch ssh_known_hosts~ + dnsname_to_openssh_knownhost "${host##*@}" >> ssh_known_hosts || die "could not validate hostname cryptographically" +fi + +modify_known_hosts=y + +set -- ssh +if [ ! "$modify_known_hosts" ] +then + set -- "$@" -F /dev/null + set -- "$@" -o GlobalKnownHostsFile=$PWD/ssh_known_hosts + set -- "$@" -o UserKnownHostsFile=$PWD/ssh_known_hosts +fi +set -- "$@" -o UpdateHostKeys=yes +set -- "$@" -o PasswordAuthentication=no +set -- "$@" -o StrictHostKeyChecking=yes +set -- "$@" -n -T +set -- "$@" "$host" + +"$@" || true + +if test -t 1 +then + diff -u ssh_known_hosts~ ssh_known_hosts || true +else + cat ssh_known_hosts +fi + -- cgit v1.2.3