From 4aac214ac8835a4535275a876b4b577486e96e77 Mon Sep 17 00:00:00 2001 From: Harvie Date: Fri, 30 Jul 2010 18:59:24 +0200 Subject: [PATCH] Added OpenSSH client wrapper to support DNSSEC verifiing --- bash/ssh-dnssec/ssh-dnssec.sh | 44 +++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100755 bash/ssh-dnssec/ssh-dnssec.sh diff --git a/bash/ssh-dnssec/ssh-dnssec.sh b/bash/ssh-dnssec/ssh-dnssec.sh new file mode 100755 index 0000000..74ce22a --- /dev/null +++ b/bash/ssh-dnssec/ssh-dnssec.sh @@ -0,0 +1,44 @@ +#!/bin/sh +drill="$(which drill)" +ssh="$(which ssh)" + +check_ssh_cmdline() { + while getopts "a:c:e:i:l:n:k:V:o:p:q:P:t:v:x:C:L:R:h" OPT; do + if [ "$OPT" == 'h' ]; then + echo "$0 help"; echo " + This is DNSSEC wrapper for OpenSSH client which will simply prevent you + from connecting to hosts with fraudent DNS records. + + You can use alias ssh='$0' (and you can add it to your ~/.bashrc) + + Command line options are just the same as for SSH, but you have to + specify all the options before hostname and optional command. eg.: + $0 -p2222 user@example.com (good) + $0 user@example.com -p2222 (baad) + + To test if $0 works as it's supposed to be working, you can try following: + $0 user@badsign-a.test.dnssec-tools.org + $0 user@rhybar.cz + (both commands should fail with DNSSEC error) + +" + "$ssh" --help + exit 0; + fi; + done + shift $(($OPTIND -1)); + host="${1##*@}"; + echo "$drill -TD $host" + out="$("$drill" -TD "$host")"; ret=$?; + echo "$out" | grep -i NO.DNSKEY; + return $ret; +} + +if check_ssh_cmdline $@; then + echo -e 'DNSSEC verification OK :-)\n' + echo "ssh $@"; + "$ssh" $@; +else + echo 'DNSSEC verification FAILED!' + exit 1; +fi; -- 2.30.2