From 019e1237fb2de042a139add32f75308df8d4d965 Mon Sep 17 00:00:00 2001
From: Harvie <tomas@mudrunka.cz>
Date: Sun, 1 Aug 2010 00:35:09 +0200
Subject: [PATCH] Now using DNSSEC root zone certificate + Known issues added
 to help

---
 bash/ssh-dnssec/PKGBUILD      |  8 +++++---
 bash/ssh-dnssec/ssh-dnssec.sh | 22 +++++++++++++++++++---
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/bash/ssh-dnssec/PKGBUILD b/bash/ssh-dnssec/PKGBUILD
index 9b6ffea..ac9cc03 100644
--- a/bash/ssh-dnssec/PKGBUILD
+++ b/bash/ssh-dnssec/PKGBUILD
@@ -1,17 +1,19 @@
 # Contributor: Thomas Mudrunka <harvie@@email..cz>
 # Maintainer: Thomas Mudrunka <harvie@@email..cz>
 # You can also contact me on http://blog.harvie.cz/
+# Patches welcome: http://github.com/harvie/archlinux-packages
 
 pkgname=openssh-dnssec
-pkgver=0.1
+pkgver=0.2
 pkgrel=1
 pkgdesc="DNSSEC wrapper for OpenSSH client which will simply prevent you from connecting to hosts with fraudent DNS records"
 arch=('any')
 license=('GPL')
 url="http://github.com/Harvie/Programs/tree/master/bash/ssh-dnssec/"
-depends=('openssh' 'ldns' 'bash')
+depends=('openssh' 'ldns' 'dnssec-root-zone-trust-anchors' 'bash')
+#actually will work without dnssec-root-zone-trust-anchors but being less secure
 source=('ssh-dnssec.sh')
-md5sums=('0576e782eb937c4607c8a9dd0d5f8437')
+md5sums=('7ee88323823c448162ef79c514509f0d')
 
 build() {
 	mkdir -p ${pkgdir}/usr/bin
diff --git a/bash/ssh-dnssec/ssh-dnssec.sh b/bash/ssh-dnssec/ssh-dnssec.sh
index 74ce22a..60ffb81 100755
--- a/bash/ssh-dnssec/ssh-dnssec.sh
+++ b/bash/ssh-dnssec/ssh-dnssec.sh
@@ -1,7 +1,16 @@
 #!/bin/sh
+#OpenSSH wrapper for DNSSEC (see $0 -h for help)
+
+#keys from lowest priority to highest:
+for key in\
+	'/usr/share/dnssec-trust-anchors/root-zone.key'\
+	'/etc/trusted-key.key'\
+	; do
+		[ -r "$key" ] && drillargs="-k $key";
+done;
+
 drill="$(which drill)"
 ssh="$(which ssh)"
-
 check_ssh_cmdline() {
 	while getopts "a:c:e:i:l:n:k:V:o:p:q:P:t:v:x:C:L:R:h" OPT; do
 		if [ "$OPT" == 'h' ]; then
@@ -21,6 +30,13 @@ check_ssh_cmdline() {
 		$0 user@rhybar.cz
 		(both commands should fail with DNSSEC error)
 
+	Known issues:
+		- DNS record can change between DNSSEC validation and SSH connection
+			- we should pass IP address directly to SSH binary (patches welcome)
+
+	If there are some autodetected drill arguments, you can see them here:
+		$drillargs
+
 "
 			"$ssh" --help
 			exit 0;
@@ -28,8 +44,8 @@ check_ssh_cmdline() {
 	done
 	shift $(($OPTIND -1));
 	host="${1##*@}";
-	echo "$drill -TD $host"
-	out="$("$drill" -TD "$host")"; ret=$?;
+	echo "$drill $drillargs -TD $host"
+	out="$("$drill" $drillargs -TD "$host")"; ret=$?;
 	echo "$out" | grep -i NO.DNSKEY;
 	return $ret;
 }
-- 
2.30.2