From 019e1237fb2de042a139add32f75308df8d4d965 Mon Sep 17 00:00:00 2001
From: Harvie
Date: Sun, 1 Aug 2010 00:35:09 +0200
Subject: [PATCH] Now using DNSSEC root zone certificate + Known issues added to help
---
 bash/ssh-dnssec/PKGBUILD | 8 +++++---
 bash/ssh-dnssec/ssh-dnssec.sh | 22 +++++++++++++++++++---
 2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/bash/ssh-dnssec/PKGBUILD b/bash/ssh-dnssec/PKGBUILD
index 9b6ffea..ac9cc03 100644
--- a/bash/ssh-dnssec/PKGBUILD
+++ b/bash/ssh-dnssec/PKGBUILD
@@ -1,17 +1,19 @@
 # Contributor: Thomas Mudrunka
 # Maintainer: Thomas Mudrunka
 # You can also contact me on http://blog.harvie.cz/
+# Patches welcome: http://github.com/harvie/archlinux-packages
 pkgname=openssh-dnssec
-pkgver=0.1
+pkgver=0.2
 pkgrel=1
 pkgdesc="DNSSEC wrapper for OpenSSH client which will simply prevent you from connecting to hosts with fraudent DNS records"
 arch=('any')
 license=('GPL')
 url="http://github.com/Harvie/Programs/tree/master/bash/ssh-dnssec/"
-depends=('openssh' 'ldns' 'bash')
+depends=('openssh' 'ldns' 'dnssec-root-zone-trust-anchors' 'bash')
+#actually will work without dnssec-root-zone-trust-anchors but being less secure
 source=('ssh-dnssec.sh')
-md5sums=('0576e782eb937c4607c8a9dd0d5f8437')
+md5sums=('7ee88323823c448162ef79c514509f0d')
 build() {
 mkdir -p ${pkgdir}/usr/bin
diff --git a/bash/ssh-dnssec/ssh-dnssec.sh b/bash/ssh-dnssec/ssh-dnssec.sh
index 74ce22a..60ffb81 100755
--- a/bash/ssh-dnssec/ssh-dnssec.sh
+++ b/bash/ssh-dnssec/ssh-dnssec.sh
@@ -1,7 +1,16 @@
 #!/bin/sh
+#OpenSSH wrapper for DNSSEC (see $0 -h for help)
+
+#keys from lowest priority to highest:
+for key in\
+ '/usr/share/dnssec-trust-anchors/root-zone.key'\
+ '/etc/trusted-key.key'\
+ ; do
+ [ -r "$key" ] && drillargs="-k $key";
+done;
+
 drill="$(which drill)"
 ssh="$(which ssh)"
-
 check_ssh_cmdline() {
 while getopts "a:c:e:i:l:n:k:V:o:p:q:P:t:v:x:C:L:R:h" OPT; do
 if [ "$OPT" == 'h' ]; then
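Review bot: The comment added under the new `depends` line understates the failure mode: in ssh-dnssec.sh (first hunk of this patch) `-k` is only passed to drill when a key file is readable, so without `dnssec-root-zone-trust-anchors` the wrapper is not "less secure" but runs `drill -TD` with no trust anchor at all, and nothing tells the user. Keeping it a hard dependency is the right call; reword the comment so a later maintainer does not relax it: `# hard dependency on purpose: without a readable trust anchor the wrapper runs drill with no -k and validation is unanchored`. Separately, `md5sums` is the weakest integrity check makepkg accepts; if the target makepkg supports `sha256sums`, switching costs nothing here since the source is a local file.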
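Review bot: The trust-anchor loop fails open: when neither `/usr/share/dnssec-trust-anchors/root-zone.key` nor `/etc/trusted-key.key` is readable, `drillargs` stays empty and check_ssh_cmdline later runs `drill -TD` with no `-k` at all, so a tool whose whole purpose is to refuse connections on bad DNS data silently stops anchoring its validation (what drill checks without `-k` I cannot tell from here, but it is certainly not the configured anchor). A missing anchor should abort rather than degrade; add after the `done;` line, or inside check_ssh_cmdline after option parsing so `-h` still works: `[ -n "$drillargs" ] || { echo "ssh-dnssec: no readable DNSSEC trust anchor found, refusing to connect" >&2; exit 1; }`. The loop comment should also say that a later readable key replaces the earlier one rather than being added: `#keys from lowest priority to highest: only the last readable one is passed to drill`. check_ssh_cmdline continues outside this hunk.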
@@ -21,6 +30,13 @@ check_ssh_cmdline() {
 $0 user@rhybar.cz
 (both commands should fail with DNSSEC error)
+ Known issues:
+ - DNS record can change between DNSSEC validation and SSH connection
+ - we should pass IP address directly to SSH binary (patches welcome)
+
+ If there are some autodetected drill arguments, you can see them here:
+ $drillargs
+
 " "$ssh" --help
 exit 0;
@@ -28,8 +44,8 @@ check_ssh_cmdline() {
 done
 shift $(($OPTIND -1));
 host="${1##*@}";
- echo "$drill -TD $host"
- out="$("$drill" -TD "$host")"; ret=$?;
+ echo "$drill $drillargs -TD $host"
+ out="$("$drill" $drillargs -TD "$host")"; ret=$?;
 echo "$out" | grep -i NO.DNSKEY;
 return $ret;
 }
--
2.30.2
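Review bot: When no trust anchor was found `$drillargs` is empty, so the new help text prints a blank line under "If there are some autodetected drill arguments" — the one case where the user most needs a signal gets none. Use a default value on that line: `${drillargs:-(none: no readable trust anchor found, drill will run without -k)}`. The Known-issues entry about the record changing between validation and connection is an honest TOCTOU note; if users rely on ssh_config `Host` aliases with a `HostName` directive, the wrapper would presumably validate the alias rather than the real host name, since `host` is taken straight from the command line in the next hunk, and that is worth listing too. check_ssh_cmdline begins and ends outside this hunk.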
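Review bot: `$drillargs` is expanded unquoted on both changed lines, which is the intended way to split `-k <path>` into two words under `#!/bin/sh` with no arrays, but it reads like an SC2086 quoting bug and would break if an anchor path ever contained whitespace; leave a comment so the next reader does not "fix" it: `# $drillargs deliberately unquoted: it carries "-k <path>" as two words; anchor paths must not contain whitespace`. The `echo "$drill $drillargs -TD $host"` line is a diagnostic written to stdout before drill runs; if anything captures check_ssh_cmdline's output it will be mixed in with the drill result, so `>&2` is the safer destination. check_ssh_cmdline begins outside this hunk.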