X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-ssh-proxycommand;h=b03984449316d039ba1d971d221be60a2496ff88;hb=5d9949335aeb1dec04f530cbb3dfcac24288706a;hp=4b90a0d21fe5e884335a43e277c96473d760c45c;hpb=308aa104f66a40f2426c13b96f48631937502f6b;p=monkeysphere.git diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 4b90a0d..b039844 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -1,4 +1,4 @@ -#!/bin/sh -e +#!/usr/bin/env bash # monkeysphere-ssh-proxycommand: MonkeySphere ssh ProxyCommand hook # @@ -13,11 +13,19 @@ # established. Can be added to ~/.ssh/config as follows: # ProxyCommand monkeysphere-ssh-proxycommand %h %p -HOST="$1" -PORT="$2" +######################################################################## +PGRM=$(basename $0) + +SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} +export SYSSHAREDIR +. "${SYSSHAREDIR}/common" || exit 1 + +######################################################################## +# FUNCTIONS +######################################################################## usage() { -cat <&2 + cat <&2 usage: ssh -o ProxyCommand="$(basename $0) %h %p" ... EOF } @@ -26,31 +34,162 @@ log() { echo "$@" >&2 } +output_no_valid_key() { + local sshKeyOffered + local userID + local type + local validity + local keyid + local uidfpr + local usage + local sshKeyGPG + local sshFingerprint + + log "OpenPGP keys with*out* full validity found for this host:" + log + + # retrieve the actual ssh key + sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }') + + userID="ssh://${HOSTP}" + + # output gpg info for (exact) userid and store + gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \ + --with-fingerprint --with-fingerprint \ + ="$userID" 2>/dev/null) + + # loop over all lines in the gpg output and process. + echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \ + while IFS=: read -r type validity keyid uidfpr usage ; do + case $type in + 'pub'|'sub') + # get the ssh key of the gpg key + sshKeyGPG=$(gpg2ssh "$keyid") + + # if one of keys found matches the one offered by the + # host, then output info + if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then + + # get the fingerprint of the ssh key + tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) + echo "$sshKeyGPG" > "$tmpkey" + sshFingerprint=$(ssh-keygen -l -f "$tmpkey" | awk '{ print $2 }') + rm -rf "$tmpkey" + + # output gpg info + gpg --check-sigs \ + --list-options show-uid-validity \ + "$keyid" >&2 + + # output ssh fingerprint + log "RSA key fingerprint is ${sshFingerprint}." + log "Falling through to standard ssh host checking." + log + fi + ;; + esac + done +} + +######################################################################## + +# export the monkeysphere log level +export MONKEYSPHERE_LOG_LEVEL + +if [ "$1" = '--no-connect' ] ; then + NO_CONNECT='true' + shift 1 +fi + +HOST="$1" +PORT="$2" + if [ -z "$HOST" ] ; then - log "host must be specified." + log "Host not specified." usage - exit 1 + exit 255 fi if [ -z "$PORT" ] ; then - log "port must be specified." - usage - exit 1 + PORT=22 fi -# check for the host key in the known_hosts file -hostKey=$(ssh-keygen -F "$HOST") +# set the host URI +if [ "$PORT" != '22' ] ; then + HOSTP="${HOST}:${PORT}" +else + HOSTP="${HOST}" +fi +URI="ssh://${HOSTP}" + +# specify keyserver checking. the behavior of this proxy command is +# intentionally different than that of running monkeyesphere normally, +# and keyserver checking is intentionally done under certain +# circumstances. This can be overridden by setting the +# MONKEYSPHERE_CHECK_KEYSERVER environment variable. -# if the host key is found in the known_hosts file, -# don't check the keyserver -if [ "$hostKey" ] ; then +# if the host is in the gpg keyring... +if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then + # do not check the keyserver CHECK_KEYSERVER="false" + +# if the host is NOT in the keyring... else - CHECK_KEYSERVER="true" + # if the host key is found in the known_hosts file... + # FIXME: this only works for default known_hosts location + hostKey=$(ssh-keygen -F "$HOST" 2>/dev/null) + + if [ "$hostKey" ] ; then + # do not check the keyserver + # FIXME: more nuanced checking should be done here to properly + # take into consideration hosts that join monkeysphere by + # converting an existing and known ssh key + CHECK_KEYSERVER="false" + + # if the host key is not found in the known_hosts file... + else + # check the keyserver + CHECK_KEYSERVER="true" + fi fi -export CHECK_KEYSERVER +# set and export the variable for use by monkeysphere +MONKEYSPHERE_CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="$CHECK_KEYSERVER"} +export MONKEYSPHERE_CHECK_KEYSERVER # update the known_hosts file for the host -monkeysphere update-known-hosts "$HOST" +monkeysphere update-known_hosts "$HOSTP" + +# output on depending on the return of the update-known_hosts +# subcommand, which is (ultimately) the return code of the +# update_known_hosts function in common +case $? in + 0) + # acceptable host key found so continue to ssh + true + ;; + 1) + # no hosts at all found so also continue (drop through to + # regular ssh host verification) + true + ;; + 2) + # at least one *bad* host key (and no good host keys) was + # found, so output some usefull information + output_no_valid_key + ;; + *) + # anything else drop through + true + ;; +esac # exec a netcat passthrough to host for the ssh connection -exec nc "$HOST" "$PORT" +if [ -z "$NO_CONNECT" ] ; then + if (which nc 2>/dev/null >/dev/null); then + exec nc "$HOST" "$PORT" + elif (which socat 2>/dev/null >/dev/null); then + exec socat STDIO "TCP:$HOST:$PORT" + else + echo "Neither netcat nor socat found -- could not complete monkeysphere-ssh-proxycommand connection to $HOST:$PORT" >&2 + exit 255 + fi +fi