From db4cdab4a87e5cbe118535039e7a4cae0c140211 Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Tue, 5 May 2020 19:09:56 -0400
Subject: avoid use of SHA-1 refactor producing samizdat-ssh-uid

---
 src/samizdat-ssh-uid | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100755 src/samizdat-ssh-uid

(limited to 'src/samizdat-ssh-uid')

diff --git a/src/samizdat-ssh-uid b/src/samizdat-ssh-uid
new file mode 100755
index 0000000..c87232b
--- /dev/null
+++ b/src/samizdat-ssh-uid
@@ -0,0 +1,39 @@
+#!/bin/dash
+
+die() { echo "$0: Error: $*" >&2; exit 1; }
+
+[ "$SSH_USER_AUTH" ] || die "not defined: \$SSH_USER_AUTH"
+[ -f "$SSH_USER_AUTH" ] || die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}"
+
+PEMFILE="${SSH_USER_AUTH}.tmp"
+
+sed -ne 's/^publickey //p' < "${SSH_USER_AUTH}" > "${PEMFILE}" || die "could not rewrite SSH_USER_AUTH file"
+
+SSH_CLIENT_FINGERPRINT=$(ssh-keygen -r . -f "${PEMFILE}" | sed -ne 's/^. IN SSHFP [0-9]* 1 //p') &&
+ [ "$SSH_CLIENT_FINGERPRINT" ] || die "could not determine ssh client fingerprint"
+
+read keytype keydata < "${PEMFILE}" || die "reading from PEMFILE=$PEMFILE"
+case "$keytype" in
+ ssh-rsa|ssh-dss|ecdsa-sha2-nistp256|ssh-ed25519)
+ domain=$keytype.cryptonomic.net ;;
+ *)
+ die "Unsupported key type: $keytype" ;;
+esac
+
+if [ "$1" = '--copy-pem' -a "$2" ]
+then
+ if [ -d "$2" ] || mkdir "$2"
+ then
+ mv "${PEMFILE}" "$2"/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem
+ fi
+else
+ rm -f "${PEMFILE}"
+fi
+
+env -i \
+ SSH_CLIENT_FINGERPRINT="$SSH_CLIENT_FINGERPRINT" \
+ SSH_CLIENT_KEYTYPE="$keytype" \
+ SSH_CLIENT_DOMAIN="$domain" \
+ SSH_CLIENT_PEMFILE="$PEMFILE" \
+ SSH_CLIENT_KEYDATA="$keydata"
+
-- 
cgit v1.2.3
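Review bot: The sed on the SSH_CLIENT_FINGERPRINT line keeps only SSHFP records whose fingerprint-type field is `1`, which is the SHA-1 digest (the SHA-256 records ssh-keygen -r also emits carry type `2`), so the identifier this script produces still derives from SHA-1 despite the subject line; if that is unintended, `sed -ne 's/^. IN SSHFP [0-9]* 2 //p'` selects the SHA-256 fingerprint instead. SSH_CLIENT_PEMFILE is exported as the `${SSH_USER_AUTH}.tmp` path after the preceding if/else has already moved or deleted that file, so consumers receive a stale path; assign the `mv` destination to PEMFILE in the `--copy-pem` branch and empty it after `rm -f`. The `mv` target leaves `${SSH_CLIENT_FINGERPRINT}.${keytype}.pem` unquoted and the option test uses the deprecated `-a` form; `[ "$1" = '--copy-pem' ] && [ "$2" ]` and `"$2/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem"` are the dash-safe spellings. The temp file name is predictable and created with a plain redirect rather than mktemp, which only matters if the directory holding SSH_USER_AUTH is writable by other users — the hunk does not show who controls that directory, so confirm before relying on it.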