X-Git-Url: http://git.harvie.cz/?a=blobdiff_plain;f=bash%2Fssh-dnssec%2Fssh-dnssec.sh;h=737384e8063b81487da52ba59226a998473d61a4;hb=a012c85ab43bd65ba2df55ebbebb161885e29ae2;hp=74ce22a546275f2b2cf876c58a7d900a35d111c3;hpb=4aac214ac8835a4535275a876b4b577486e96e77;p=mirrors%2FPrograms.git
diff --git a/bash/ssh-dnssec/ssh-dnssec.sh b/bash/ssh-dnssec/ssh-dnssec.sh
index 74ce22a..737384e 100755
--- a/bash/ssh-dnssec/ssh-dnssec.sh
+++ b/bash/ssh-dnssec/ssh-dnssec.sh
@@ -1,7 +1,16 @@
 #!/bin/sh
+#OpenSSH wrapper for DNSSEC (see $0 -h for help)
+
+#keys from lowest priority to highest:
+for key in\
+	'/usr/share/dnssec-trust-anchors/root-zone.key'\
+	'/etc/trusted-key.key'\
+	; do
+	[ -r "$key" ] && drillargs="-k $key";
+done;
+
 drill="$(which drill)"
 ssh="$(which ssh)"
-
 check_ssh_cmdline() {
 	while getopts "a:c:e:i:l:n:k:V:o:p:q:P:t:v:x:C:L:R:h" OPT; do
 		if [ "$OPT" == 'h' ]; then
@@ -11,16 +20,20 @@ check_ssh_cmdline() {
 
 	You can use alias ssh='$0' (and you can add it to your ~/.bashrc)
 
-	Command line options are just the same as for SSH, but you have to
-	specify all the options before hostname and optional command. eg.:
-	$0 -p2222 user@example.com (good)
-	$0 user@example.com -p2222 (baad)
+	Command line options are just the same as for SSH
 
 	To test if $0 works as it's supposed to be working, you can try following:
 	$0 user@badsign-a.test.dnssec-tools.org
 	$0 user@rhybar.cz
 	(both commands should fail with DNSSEC error)
 
+	Known issues:
+	- DNS record can change between DNSSEC validation and SSH connection
+	- we should pass IP address directly to SSH binary (patches welcome)
+
+	If there are some autodetected drill arguments, you can see them here:
+	$drillargs
+
 " "$ssh" --help
 			exit 0;
 
@@ -28,8 +41,8 @@ check_ssh_cmdline() {
 	done
 	shift $(($OPTIND -1));
 	host="${1##*@}";
-	echo "$drill -TD $host"
-	out="$("$drill" -TD "$host")"; ret=$?;
+	echo "$drill $drillargs -TD $host"
+	out="$("$drill" $drillargs -TD "$host")"; ret=$?;
 	echo "$out" | grep -i NO.DNSKEY;
 	return $ret;
 }
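Review bot: The `for key` loop in the first hunk never fails closed: when neither trust-anchor file is readable, `drillargs` stays empty and the call added in the third hunk, `"$drill" $drillargs -TD "$host"`, runs drill with no `-k` at all, so the wrapper silently falls back to whatever drill does without a trust anchor instead of refusing to continue (I cannot tell from this page whether drill's exit status would still be non-zero in that case). After `done;` add a guard such as `[ -n "$drillargs" ] || { echo "$0: no readable DNSSEC trust anchor found" >&2; exit 1; }` so a missing or unreadable key aborts the check rather than weakening it. The `#keys from lowest priority to highest:` comment would also be clearer if it said how the precedence is realised, e.g. `#the last readable file wins, so later entries override earlier ones`.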
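Review bot: In the third hunk `$drillargs` is deliberately left unquoted so that `-k` and the key path are passed as two separate words, but nothing says so, and any reader (or ShellCheck, SC2086) will read it as a quoting bug; the two candidate paths assigned in the first hunk contain no spaces, so the splitting is safe today but only by construction. Add a comment on the `out=` line, e.g. `# $drillargs is unquoted on purpose: it holds "-k <path>" and must split into two args`, or keep the flag and path as separate variables (`drillkey="$key"` and `"$drill" -k "$drillkey" -TD "$host"`) so quoting can stay uniform. The `echo "$drill $drillargs -TD $host"` trace line goes to stdout alongside the NO.DNSKEY grep output; `>&2` on it would keep diagnostics out of the wrapper's data stream. check_ssh_cmdline's body begins before this hunk.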