From e8d88f65f906f7be5b36e2c6b56e0d5ba633f368 Mon Sep 17 00:00:00 2001 From: Andrew Cady Date: Sun, 10 Oct 2021 04:45:06 -0400 Subject: get-host-keys improvements --- get-host-keys | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/get-host-keys b/get-host-keys index 1133565..4fbf9a0 100755 --- a/get-host-keys +++ b/get-host-keys @@ -1,4 +1,6 @@ #!/bin/sh +public_suffix=cryptonomic.net + die() { printf "Error: %s\n" "$*" >&2 @@ -10,7 +12,7 @@ b16_to_b32() printf %s "$1" | basez -x -d | basez -j -l | tr -d = } -to_domain_suffix() +openssh_knownhost_to_dnsname() { local hashtype=2 local keystring keytype sshfp_b16 sshfp_b32 @@ -26,23 +28,23 @@ to_domain_suffix() [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint" sshfp_b32=$(b16_to_b32 "$sshfp_b16") - printf %s.%s.%s "$sshfp_b32" "$keystring" cryptonomic.net | tail -c64 + printf %s.%s.%s "$sshfp_b32" "$keystring" "$public_suffix" | tail -c64 } -crypto_validate_hostname() +dnsname_to_openssh_knownhost() { local host="$1" t r t=$(mktemp) case "$host" in - *.ed25519.cryptonomic.net ) ;; - * ) die "unsupported hostname: $host" ;; + *.ed25519."$public_suffix" ) ;; + * ) return 1 ;; esac ssh-keyscan -t ed25519 "$host" 2>/dev/null | ( while read h keytype keydata comment do [ "$h $keytype" = "$host ssh-ed25519" ] || continue echo "$keytype $keydata" > "$t" - validated=$(to_domain_suffix "$t") || continue + validated=$(openssh_knownhost_to_dnsname "$t") || continue case "$host" in "$validated" | *."$validated" ) read line < "$t" 
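Review bot: `public_suffix=cryptonomic.net` in the first hunk is an ordinary global assignment, yet the `case` pattern `*.ed25519."$public_suffix"` in dnsname_to_openssh_knownhost is what decides which hostnames are accepted at all, and openssh_knownhost_to_dnsname builds the validated name from it; make it `readonly public_suffix=cryptonomic.net` so a later accidental assignment is rejected by the shell instead of silently widening what the script trusts. A one-line comment on its role would also help a reader who only sees the top of the file, e.g. `# DNS suffix under which fingerprint-bearing hostnames are expected; read by both *_knownhost_* functions`. The second hunk is a pure rename and needs nothing; the third hunk runs past the visible chunk.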
@@ -58,17 +60,21 @@ crypto_validate_hostname() } set -e + +[ $# = 1 ] || die 'usage' +host=$1 +shift + _TEMP_DIR_=$(mktemp -d) cd "$_TEMP_DIR_" trap 'rm -rf "$_TEMP_DIR_"' EXIT -host=${1:-borges} if ssh-keygen -F "${host#*@}" | grep -v '^#' > ssh_known_hosts 2>/dev/null then cp ssh_known_hosts ssh_known_hosts~ else touch ssh_known_hosts~ - crypto_validate_hostname "${host##*@}" >> ssh_known_hosts || die "could not validate hostname cryptographically" + dnsname_to_openssh_knownhost "${host##*@}" >> ssh_known_hosts || die "could not validate hostname cryptographically" fi ssh \ -- cgit v1.2.3
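Review bot: The `|| die "could not validate hostname cryptographically"` on the dnsname_to_openssh_knownhost call now also fires for a hostname that is simply not under `$public_suffix`, because the function's suffix check was changed in the previous hunk from `die "unsupported hostname: $host"` to a bare `return 1`, so the message blames cryptographic validation for what is a usage error. Either check the suffix up front next to the new argument check, `case ${host##*@} in *.ed25519."$public_suffix") ;; *) die "unsupported hostname: ${host##*@} (expected *.ed25519.$public_suffix)" ;; esac`, or at least name the expected suffix in the die message. While there, `die 'usage'` would be more useful as `die "usage: ${0##*/} [user@]host"`. Note too that `shift` after requiring exactly one argument leaves `"$@"` empty; if the `ssh \` invocation that continues past the hunk forwards `"$@"`, it now always receives nothing, and `${host#*@}` on the ssh-keygen line versus `${host##*@}` on the validation line differ when the argument contains more than one `@`.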