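#!/bin/sh
# OpenSSH wrapper for DNSSEC (see $0 -h for help).
#
# Resolves the target host with drill (ldns) in DNSSEC tracing mode before
# handing the unchanged command line to the real ssh binary; when drill
# reports a failure, ssh is never started.  Plain POSIX sh: no bashisms.

# Trust-anchor candidates, lowest priority first: the last readable file
# wins and is handed to drill as "-k <path>".  drillargs stays unset when
# none of them is readable.
for key in \
  '/usr/share/dnssec-trust-anchors/root-zone.key' \
  '/etc/trusted-key.key' \
; do
  [ -r "$key" ] && drillargs="-k $key"
done

# Locate both tools with the POSIX builtin (quiet when a tool is missing,
# unlike some `which` implementations).  If drill is not installed this
# stays empty, the later "$drill" invocation fails, and the wrapper refuses
# to connect rather than skipping validation.
drill="$(command -v drill)"
ssh="$(command -v ssh)"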
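#######################################
# Validate the ssh command line with DNSSEC before ssh is run.
# Parses the ssh options only far enough to find the host operand, strips a
# leading "user@" and runs drill in DNSSEC tracing mode against the result.
# -h prints this wrapper's help, then ssh's usage, and exits the script.
# Globals:   drill, drillargs, ssh (read); host, out (written)
# Arguments: the complete ssh command line
# Outputs:   the drill command line and any "NO DNSKEY" lines on stdout,
#            diagnostics on stderr
# Returns:   drill's exit status; 1 when drill or the host operand is missing
#######################################
check_ssh_cmdline() {
  # Same option string as OpenSSH's ssh(1) getopt call, plus -h for help.
  # Options that take no argument must not carry ':' here, otherwise getopts
  # swallows the host name as the option's argument ("ssh -v host" would then
  # validate an empty name).  The leading ':' keeps getopts quiet about
  # options it does not know; those are left for ssh itself to reject.
  while getopts ':1246ab:c:e:fgi:kl:m:no:p:qstvxAB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYyh' OPT; do
    if [ "$OPT" = 'h' ]; then
      echo "$0 help"; echo "
This is DNSSEC wrapper for OpenSSH client which will simply prevent you
from connecting to hosts with fraudent DNS records.

You can use alias ssh='$0' (and you can add it to your ~/.bashrc)

Command line options are just the same as for SSH

To test if $0 works as it's supposed to be working, you can try following:
$0 user@badsign-a.test.dnssec-tools.org
$0 user@rhybar.cz
(both commands should fail with DNSSEC error)

Known issues:
- DNS record can change between DNSSEC validation and SSH connection
- we should pass IP address directly to SSH binary (patches welcome)

If there are some autodetected drill arguments, you can see them here:
$drillargs

"
      "$ssh" --help
      exit 0
    fi
  done
  shift $((OPTIND - 1))
  host="${1##*@}"

  # Fail closed: with no resolver or no host operand there is nothing to
  # validate, and the caller must not start ssh.
  if [ -z "$drill" ]; then
    echo 'drill not found in PATH; cannot validate DNSSEC' >&2
    return 1
  fi
  if [ -z "$host" ]; then
    echo 'no host given; cannot validate DNSSEC' >&2
    return 1
  fi

  # NOTE(review): the name validated is the literal operand minus "user@";
  # ssh_config Host aliases / HostName rewrites and ssh:// URIs are not
  # consulted here, so ssh may connect to a different name than was checked.
  # $drillargs is deliberately unquoted: it holds "-k <path>" as two words.
  echo "$drill $drillargs -TD $host"
  out="$("$drill" $drillargs -TD "$host")"; ret=$?
  # Informational only -- grep's status is discarded; the verdict is drill's
  # exit status.  NOTE(review): assumes drill exits non-zero when the chain
  # does not validate -- confirm against the installed drill version.
  echo "$out" | grep -i NO.DNSKEY
  return $ret
}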
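# Entry point: validate first, then pass the untouched argument list to ssh.
# "$@" is quoted so arguments containing spaces (remote commands, -o values)
# reach both the validator and ssh as single words.
if check_ssh_cmdline "$@"; then
  # printf rather than "echo -e": /bin/sh's echo has no portable -e flag.
  printf 'DNSSEC verification OK :-)\n\n'
  printf 'ssh %s\n' "$*"
  # exec replaces the wrapper so ssh's exit status reaches the caller directly.
  exec "$ssh" "$@"
else
  echo 'DNSSEC verification FAILED!' >&2
  exit 1
fi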