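#!/bin/sh
# DNSSEC-checking wrapper around the OpenSSH client: the destination host is
# validated with `drill -TD` (see check_ssh_cmdline below) and the real ssh
# is only started when that validation succeeds.
#
# Tool lookup uses the POSIX `command -v` rather than `which`: `which` is not
# specified by POSIX and its output and exit status vary between
# implementations. An empty value means the tool is missing; the wrapper then
# fails closed, because "" -TD ... cannot execute and the check returns
# non-zero, so ssh is never run.
drill="$(command -v drill)"
ssh="$(command -v ssh)"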
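#######################################
# Parse an ssh-style command line, take the destination host from the first
# non-option argument and validate its DNS records with drill.
#
# Globals:   drill  (read)    - path to the drill binary, may be empty
#            ssh    (read)    - path to the ssh binary, used for -h only
#            OPTIND (written) - reset to 1 so the function may be called more
#                               than once in the same shell
#            OPT, host, out, ret (written) - plain globals, as /bin/sh has no
#                               portable `local`
# Arguments: the ssh command line: options first, then [user@]host [command]
# Outputs:   the drill command line and any "NO DNSKEY" lines go to stderr;
#            -h prints this wrapper's help plus ssh's own usage and exits 0
# Returns:   drill's exit status for the host, or 1 when the command line
#            cannot be parsed safely (unknown option, option without its
#            argument, no host given). A malformed line therefore fails closed
#            instead of validating the wrong name.
#######################################
check_ssh_cmdline() {
  OPTIND=1
  # Leading ':' puts getopts in silent mode: problems are reported through
  # OPT=':' / OPT='?' instead of a printed warning, so they can be refused.
  # The letters are OpenSSH's own option set; every option that takes an
  # argument carries a ':' so that its value is never mistaken for the
  # destination host (the old list treated flags such as -v and -C as taking
  # an argument, which swallowed the hostname).
  while getopts ":46AaCfGgKkMNnqsTtVvXxYyB:b:c:D:E:e:F:I:i:J:L:l:m:O:o:P:p:Q:R:S:W:w:h" OPT; do
    case "$OPT" in
      h)
        echo "$0 help"; echo "
This is DNSSEC wrapper for OpenSSH client which will simply prevent you
from connecting to hosts with fraudent DNS records.

You can use alias ssh='$0' (and you can add it to your ~/.bashrc)

Command line options are just the same as for SSH, but you have to
specify all the options before hostname and optional command. eg.:
$0 -p2222 user@example.com (good)
$0 user@example.com -p2222 (baad)

To test if $0 works as it's supposed to be working, you can try following:
$0 user@badsign-a.test.dnssec-tools.org
$0 user@rhybar.cz
(both commands should fail with DNSSEC error)

"
        "$ssh" --help
        exit 0
        ;;
      :)
        printf '%s: option -%s requires an argument\n' "$0" "$OPTARG" >&2
        return 1
        ;;
      \?)
        # An option this wrapper does not know: if it takes an argument, that
        # argument would be taken as the host, so refuse rather than check
        # the wrong name.
        printf '%s: unknown option -%s\n' "$0" "$OPTARG" >&2
        return 1
        ;;
      *)
        # A known option (with its argument, if any); nothing to do.
        ;;
    esac
  done
  shift $((OPTIND - 1))
  if [ $# -eq 0 ]; then
    printf '%s: no destination host given\n' "$0" >&2
    return 1
  fi
  # Drop an optional "user@" prefix; the remaining name is what gets checked.
  # NOTE(review): this is the literal argument; if ssh resolves it differently
  # (e.g. a Host alias in ssh_config) the name validated here and the name
  # connected to differ - confirm for your setup.
  host="${1##*@}"
  printf '%s -TD %s\n' "$drill" "$host" >&2
  out="$("$drill" -TD "$host")"; ret=$?
  # Informational only: surface "NO DNSKEY" lines from the trace. grep's
  # status is deliberately not used; drill's exit status alone decides.
  # NOTE(review): whether an unsigned zone (no DNSKEY) makes drill exit
  # non-zero is not established here - confirm before relying on it.
  printf '%s\n' "$out" | grep -i 'NO.DNSKEY' >&2
  return "$ret"
}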
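# Validate the destination first, then hand the untouched command line to the
# real ssh. "$@" keeps every argument intact; the previous unquoted $@ let the
# shell re-split arguments containing spaces and expand globs, so ssh could
# receive a different command line than the one that was checked.
if check_ssh_cmdline "$@"; then
  # printf instead of `echo -e`: under /bin/sh the -e flag is not portable
  # and may be printed literally.
  printf 'DNSSEC verification OK :-)\n\n'
  printf 'ssh %s\n' "$*"
  # exec: ssh replaces the wrapper, so its exit status is the script's.
  exec "$ssh" "$@"
else
  printf 'DNSSEC verification FAILED!\n' >&2
  exit 1
fi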