Added OpenSSH client wrapper to support DNSSEC verifying
[mirrors/Programs.git] / bash / ssh-dnssec / ssh-dnssec.sh
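#!/bin/sh
# Locate the two external programs this wrapper drives.
# command -v is the POSIX lookup; `which` is not standardised and some
# implementations print their "not found" message on stdout.
# If a tool is missing the variable stays empty, so the later "$drill" /
# "$ssh" invocation fails instead of running something else.
# NOTE(review): if this wrapper is ever installed under the name "ssh" ahead
# of the real client on PATH, the lookup below would find the wrapper itself.
drill="$(command -v drill)"
ssh="$(command -v ssh)"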
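# Check the DNSSEC chain for the host named on an ssh-style command line.
# Globals:   drill, ssh (read); OPT, OPTIND, host, out, ret (written)
# Arguments: the same arguments that will later be handed to ssh
# Outputs:   help text on stdout for -h; the drill command line and any
#            "NO DNSKEY" lines from drill on stderr
# Returns:   drill's exit status, or 1 when no usable host name was found
check_ssh_cmdline() {
  # Always parse from the first argument, even if getopts ran earlier.
  OPTIND=1

  # The option string must mirror ssh(1): flags without an argument must not
  # carry a ':'. Otherwise "-v user@host" swallows the destination as the
  # argument of -v, a different (or empty) name is checked, and ssh still
  # connects to the real host. List taken from a current OpenSSH synopsis;
  # confirm it against the installed client. 'h' is this wrapper's own help.
  while getopts '46AaCfGgKkMNnqsTtVvXxYyB:b:c:D:E:e:F:I:i:J:L:l:m:O:o:P:p:Q:R:S:W:w:h' OPT; do
    # '=' is the POSIX string test; '==' is rejected by dash under #!/bin/sh.
    if [ "$OPT" = 'h' ]; then
      printf '%s\n' "$0 help"
      printf '%s\n' "
This is DNSSEC wrapper for OpenSSH client which will simply prevent you
from connecting to hosts with fraudent DNS records.

You can use alias ssh='$0' (and you can add it to your ~/.bashrc)

Command line options are just the same as for SSH, but you have to
specify all the options before hostname and optional command. eg.:
$0 -p2222 user@example.com (good)
$0 user@example.com -p2222 (baad)

To test if $0 works as it's supposed to be working, you can try following:
$0 user@badsign-a.test.dnssec-tools.org
$0 user@rhybar.cz
(both commands should fail with DNSSEC error)

"
      "$ssh" --help
      exit 0
    fi
  done
  shift $((OPTIND - 1))

  # Keep only the part after the last '@' of the destination argument.
  # Only this literal name is checked: a Host/HostName mapping in ssh_config,
  # a -J jump host or a -o override can make ssh contact a different name.
  host="${1##*@}"

  # Fail closed: never report success for a missing destination, and never
  # hand drill a value that it would read as one of its own options.
  case "$host" in
    '' | -*)
      printf '%s\n' 'no host name found on the command line' >&2
      return 1
      ;;
  esac

  # Diagnostics go to stderr so that they cannot mix into data the caller
  # reads from ssh's stdout.
  printf '%s\n' "$drill -TD $host" >&2
  out="$("$drill" -TD "$host")"
  ret=$?
  # Display only; the verdict is drill's exit status, not this match.
  printf '%s\n' "$out" | grep -i 'NO.DNSKEY' >&2
  return "$ret"
}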
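# Run the DNSSEC check first and start ssh only when it passes.
# "$@" keeps every argument intact: unquoted $@ re-splits values containing
# spaces (an identity file path, a -o option, a remote command) and expands
# glob characters locally before ssh sees them.
# Status messages go to stderr, and printf replaces `echo -e`, which is not
# portable under #!/bin/sh.
# NOTE(review): the check and the connection are two separate lookups; ssh
# resolves the name again on its own, so a passing check does not bind ssh
# to the validated records. A validating local resolver or ssh's
# VerifyHostKeyDNS option is the stronger control.
if check_ssh_cmdline "$@"; then
  printf 'DNSSEC verification OK :-)\n\n' >&2
  printf '%s\n' "ssh $*" >&2
  "$ssh" "$@"
else
  printf '%s\n' 'DNSSEC verification FAILED!' >&2
  exit 1
fi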