| 1 | #!/bin/sh |
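# Locate the real binaries once, up front. `command -v` is POSIX (`which`
# is not) and prints nothing when the tool is absent, so a missing drill
# leaves $drill empty; the check in check_ssh_cmdline then cannot run drill
# and reports failure rather than silently letting the connection through.
drill="$(command -v drill)"
ssh="$(command -v ssh)"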
| 4 | |
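#######################################
# Parse the ssh command line the way the wrapper documents it (all options
# before the host), take the target host from the first non-option word and
# run a DNSSEC trace on it with `drill -TD`.
# Globals:   drill (read), ssh (read, only for -h / -V), OPTIND (reset),
#            host / out / ret (written; plain sh has no `local`)
# Arguments: the ssh command line, unchanged
# Outputs:   wrapper diagnostics go to stderr so the wrapper can stand in for
#            ssh as a transport (rsync -e, GIT_SSH, scp) without corrupting
#            the byte stream on stdout; -h help text goes to stdout
# Returns:   drill's exit status; 1 when no usable host can be determined,
#            an option is unknown or malformed, or drill is unavailable
#            (fail closed in every doubtful case)
#######################################
check_ssh_cmdline() {
  OPTIND=1   # sh does not reset OPTIND on function entry
  # The option letters, and which of them take an argument, must match
  # OpenSSH's own getopt string: a letter wrongly marked ':' swallows the
  # host (`ssh -v host` left $1 empty), and a letter missing from the list
  # stops parsing early so the check runs on the wrong word (`ssh -J jump
  # target` checked "jump" and connected to "target" unchecked). The leading
  # ':' makes getopts hand problems to us instead of printing and carrying on.
  while getopts ":1246ab:c:e:fgi:kl:m:no:p:qstvxAB:CD:E:F:GI:J:KL:MNO:P:Q:R:S:TVw:W:XYyh" opt; do
    case "$opt" in
      h)
        cat <<EOF
$0 help

This is DNSSEC wrapper for OpenSSH client which will simply prevent you
from connecting to hosts with fraudent DNS records.

You can use alias ssh='$0' (and you can add it to your ~/.bashrc)

Command line options are just the same as for SSH, but you have to
specify all the options before hostname and optional command. eg.:
$0 -p2222 user@example.com (good)
$0 user@example.com -p2222 (baad)

To test if $0 works as it's supposed to be working, you can try following:
$0 user@badsign-a.test.dnssec-tools.org
$0 user@rhybar.cz
(both commands should fail with DNSSEC error)

EOF
        "$ssh" --help
        exit 0
        ;;
      V)
        # ssh -V prints its version and exits; there is no host to check.
        "$ssh" -V
        exit $?
        ;;
      :)
        printf '%s: option -%s requires an argument\n' "$0" "$OPTARG" >&2
        return 1
        ;;
      \?)
        printf '%s: unknown option -%s, refusing to guess the host\n' "$0" "$OPTARG" >&2
        return 1
        ;;
    esac
  done
  shift $((OPTIND - 1))

  # The target is the first non-option word minus any user@ prefix.
  # NOTE(review): this is the name as typed. If ~/.ssh/config maps it to a
  # different HostName (or -o HostName= does), drill checks the alias rather
  # than the name ssh actually resolves, and a ProxyJump hop is opened by an
  # inner ssh this wrapper never sees. `ssh -G "$@" | awk '$1=="hostname"'`
  # would yield the effective name — confirm its behaviour before relying on it.
  host="${1##*@}"
  if [ -z "$host" ]; then
    printf '%s: no host given, refusing\n' "$0" >&2
    return 1
  fi
  if ! command -v "$drill" >/dev/null 2>&1; then
    printf '%s: drill not found, cannot validate DNSSEC\n' "$0" >&2
    return 1
  fi

  printf '%s -TD %s\n' "$drill" "$host" >&2
  out="$("$drill" -TD "$host")"; ret=$?
  # Informational only: surface drill's "No DNSKEY" lines. The verdict is
  # drill's exit status alone; nothing here turns an unsigned zone into a
  # failure, so what counts as "bad" is exactly what makes drill exit non-zero.
  printf '%s\n' "$out" | grep -i NO.DNSKEY >&2
  return $ret
}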
| 36 | |
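# Entry point: validate the target with DNSSEC first, then hand the argument
# list to the real ssh untouched ("$@", not $@: a remote command such as
# 'ls *' must not be re-split or globbed locally). Wrapper chatter stays on
# stderr so stdout remains a clean transport (rsync -e, GIT_SSH, scp), and
# printf is used because this runs under /bin/sh, where `echo -e` is not
# portable.
if check_ssh_cmdline "$@"; then
  printf 'DNSSEC verification OK :-)\n\n' >&2
  printf 'ssh %s\n' "$*" >&2
  # exec: ssh replaces the wrapper, so its exit status and signals reach the
  # caller directly instead of through an extra shell process.
  exec "$ssh" "$@"
else
  printf 'DNSSEC verification FAILED!\n' >&2
  exit 1
fi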