# Contributor: Thomas Mudrunka <harvie@@email..cz>
# Maintainer: Thomas Mudrunka <harvie@@email..cz>
# You can also contact me on http://blog.harvie.cz/
+# Patches welcome: http://github.com/harvie/archlinux-packages
pkgname=openssh-dnssec
-pkgver=0.1
+pkgver=0.2
pkgrel=1
pkgdesc="DNSSEC wrapper for OpenSSH client which will simply prevent you from connecting to hosts with fraudent DNS records"
arch=('any')
license=('GPL')
url="http://github.com/Harvie/Programs/tree/master/bash/ssh-dnssec/"
-depends=('openssh' 'ldns' 'bash')
+depends=('openssh' 'ldns' 'dnssec-root-zone-trust-anchors' 'bash')
+#actually will work without dnssec-root-zone-trust-anchors but being less secure
source=('ssh-dnssec.sh')
-md5sums=('0576e782eb937c4607c8a9dd0d5f8437')
+md5sums=('7ee88323823c448162ef79c514509f0d')
build() {
mkdir -p ${pkgdir}/usr/bin
#!/bin/sh
+#OpenSSH wrapper for DNSSEC (see $0 -h for help)
+
+#keys from lowest priority to highest:
+for key in\
+ '/usr/share/dnssec-trust-anchors/root-zone.key'\
+ '/etc/trusted-key.key'\
+ ; do
+ [ -r "$key" ] && drillargs="-k $key";
+done;
+
drill="$(which drill)"
ssh="$(which ssh)"
-
check_ssh_cmdline() {
while getopts "a:c:e:i:l:n:k:V:o:p:q:P:t:v:x:C:L:R:h" OPT; do
if [ "$OPT" == 'h' ]; then
$0 user@rhybar.cz
(both commands should fail with DNSSEC error)
+ Known issues:
+ - DNS record can change between DNSSEC validation and SSH connection
+ - we should pass IP address directly to SSH binary (patches welcome)
+
+ If there are some autodetected drill arguments, you can see them here:
+ $drillargs
+
"
"$ssh" --help
exit 0;
done
shift $(($OPTIND -1));
host="${1##*@}";
- echo "$drill -TD $host"
- out="$("$drill" -TD "$host")"; ret=$?;
+ echo "$drill $drillargs -TD $host"
+ out="$("$drill" $drillargs -TD "$host")"; ret=$?;
echo "$out" | grep -i NO.DNSKEY;
return $ret;
}
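Review bot: The trust-anchor loop added at the top of the script lets `drillargs` stay empty when neither key file is readable, and check_ssh_cmdline then runs `drill -TD` with no `-k`, so the DNSSEC check silently degrades to an unvalidated trace while the help text still promises that hosts with bad records are refused. A one-line guard after the loop, `[ -n "$drillargs" ] || echo "ssh-dnssec: no readable trust anchor, DNSSEC validation disabled" >&2`, at least makes the degraded mode visible; exiting non-zero there instead would fail closed, which is the safer default for a wrapper whose whole purpose is to block connections. Note also that the only thing deciding the connection is drill's exit status captured in `$ret` — the `grep -i NO.DNSKEY` line only prints — so if drill returns 0 on a trace it could not validate (not verifiable from this hunk), the wrapper connects anyway. The `fi` closing the help branch is not visible in the hunk and the code that calls check_ssh_cmdline and hands control to ssh lies outside it, so the exit-status handling could not be reviewed here.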