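#!/bin/sh
# OpenSSH wrapper for DNSSEC (see $0 -h for help)
#
# The script is plain POSIX sh: no bash-only constructs ("==" in test,
# "echo -e") are used, so it behaves the same under dash and bash.

# Trust anchors for drill, listed from lowest priority to highest: the last
# readable file wins, so an admin-provided /etc/trusted-key.key overrides the
# packaged root-zone key. drillargs is explicitly initialised so it is empty
# (not unset) when neither file is readable.
drillargs=''
for key in \
  '/usr/share/dnssec-trust-anchors/root-zone.key' \
  '/etc/trusted-key.key'
do
  if [ -r "$key" ]; then
    drillargs="-k $key"
  fi
done

# Resolve both tools once; command -v is the POSIX replacement for which(1).
# An empty value means the tool was not found on PATH.
drill="$(command -v drill)"
ssh="$(command -v ssh)"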
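#######################################
# Validate the destination of an ssh command line with DNSSEC before ssh runs.
# Walks the ssh-style options to find the destination argument, strips any
# "user@" prefix and runs "drill -TD" against the remaining name.
# Globals:   drill, drillargs, ssh (read); OPTIND (reset, then advanced)
# Arguments: the complete ssh command line (options, destination, command...)
# Outputs:   the drill command line on stdout, then any "NO DNSKEY" lines
#            from drill's output; diagnostics on stderr
# Returns:   drill's exit status (0 = validation passed); 1 when no
#            destination was given or drill is not installed.
#            Exits 0 after printing help when -h is given.
#######################################
check_ssh_cmdline() {
  OPTIND=1   # getopts state is global; reset so the function is re-entrant
  # Option letters mirror ssh(1): flags first, then options that take a value.
  # A flag wrongly declared as value-taking (the old "v:", "C:", "q:", ...)
  # made getopts swallow the next word, so the DNSSEC check could run against
  # a different name than the one ssh connects to. The leading ':' keeps
  # getopts quiet about options it does not know; ssh reports those itself.
  while getopts ':46AaCfGgKkMNnqsTtVvXxYyB:b:c:D:E:e:F:I:i:J:L:l:m:O:o:P:p:Q:R:S:W:w:h' OPT; do
    case "$OPT" in
      h)
        printf '%s help\n' "$0"
        cat <<EOF

This is DNSSEC wrapper for OpenSSH client which will simply prevent you
from connecting to hosts with fraudent DNS records.

You can use alias ssh='$0' (and you can add it to your ~/.bashrc)

Command line options are just the same as for SSH

To test if $0 works as it's supposed to be working, you can try following:
$0 user@badsign-a.test.dnssec-tools.org
$0 user@rhybar.cz
(both commands should fail with DNSSEC error)

Known issues:
- DNS record can change between DNSSEC validation and SSH connection
- we should pass IP address directly to SSH binary (patches welcome)

If there are some autodetected drill arguments, you can see them here:
$drillargs


EOF
        "$ssh" --help
        exit 0
        ;;
      *)
        # Every other option, known or unknown, is passed through to ssh untouched.
        ;;
    esac
  done
  shift $((OPTIND - 1))

  # The first non-option argument is ssh's destination; drop a "user@" prefix.
  # NOTE(review): only the name typed on the command line is validated; if
  # ssh_config maps it to another HostName, ssh connects to that other name.
  host="${1##*@}"
  if [ -z "$host" ]; then
    printf '%s: no destination host given\n' "$0" >&2
    return 1
  fi
  # Fail closed with a clear message instead of running an empty command.
  if [ -z "$drill" ]; then
    printf '%s: drill not found in PATH, cannot validate DNSSEC\n' "$0" >&2
    return 1
  fi

  printf '%s %s -TD %s\n' "$drill" "$drillargs" "$host"
  # $drillargs is intentionally unquoted: "-k <file>" must split into two words.
  # shellcheck disable=SC2086
  out="$("$drill" $drillargs -TD "$host")"; ret=$?
  # Informational only: surface drill's "NO DNSKEY" lines. The verdict is
  # drill's own exit status, not whether grep matched anything.
  printf '%s\n' "$out" | grep -i 'NO.DNSKEY'
  return "$ret"
}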
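# Validate first, then hand the untouched command line to the real ssh.
# "$@" keeps every argument as one word; the old unquoted $@ re-split
# arguments containing spaces (a remote command, an -o value), so the
# validated and the executed command lines could differ.
if check_ssh_cmdline "$@"; then
  printf 'DNSSEC verification OK :-)\n\n'
  printf 'ssh %s\n' "$*"
  # exec so ssh's exit status and signal handling pass straight through.
  exec "$ssh" "$@"
else
  printf 'DNSSEC verification FAILED!\n' >&2
  exit 1
fi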