2 #OpenSSH wrapper for DNSSEC (see $0 -h for help)
4 #keys from lowest priority to highest:
6 '/usr/share/dnssec-trust-anchors/root-zone.key'\
7 '/etc/trusted-key.key'\
9 [ -r "$key" ] && drillargs
="-k $key";
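# Locate the drill binary on PATH once, up front. `command -v` is the POSIX
# builtin for this (no extra process, works in every sh); like `which` it
# prints nothing and returns non-zero when drill is not installed, leaving
# $drill empty.
drill=$(command -v drill)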
15 while getopts "a:c:e:i:l:n:k:V:o:p:q:P:t:v:x:C:L:R:h" OPT
; do
16 if [ "$OPT" == 'h' ]; then
17 echo "$0 help"; echo "
18 This is DNSSEC wrapper for OpenSSH client which will simply prevent you
19 from connecting to hosts with fraudent DNS records.
21 You can use alias ssh='$0' (and you can add it to your ~/.bashrc)
23 Command line options are just the same as for SSH
25 To test if $0 works as it's supposed to be working, you can try following:
26 $0 user@badsign-a.test.dnssec-tools.org
28 (both commands should fail with DNSSEC error)
31 - DNS record can change between DNSSEC validation and SSH connection
32 - we should pass IP address directly to SSH binary (patches welcome)
34 If there are some autodetected drill arguments, you can see them here:
# Discard the options getopts consumed; what remains in "$@" is the ssh
# command line proper. NOTE(review): pass it on as "$@" (quoted) so hostnames
# or arguments containing whitespace/glob characters survive intact.
shift $((OPTIND - 1))

# Print the exact drill invocation so a failed validation can be reproduced.
echo "$drill $drillargs -TD $host"

# $drillargs is intentionally unquoted: it may hold "-k <keyfile>" and must
# split into two words (a key path containing whitespace would break here).
# drill -T traces from the root, -D requests DNSSEC data.
out=$("$drill" $drillargs -TD "$host")
ret=$?   # status of drill itself (the assignment takes the substitution's status)

# Surface any drill line reporting a missing DNSKEY; grep's own exit status is
# left as the last status, presumably inspected by the lines that follow — TODO confirm.
grep -i NO.DNSKEY <<<"$out"
50 if check_ssh_cmdline $@
; then
51 echo -e 'DNSSEC verification OK :-)\n'
55 echo 'DNSSEC verification FAILED!'