summaryrefslogtreecommitdiff
path: root/src/subcommands/m/ssh-proxycommand
blob: a6091994f80dd0e8eef06dfdb1fb2b244656cdfe (plain)
  1. #!/usr/bin/env bash
  2. # monkeysphere-ssh-proxycommand: MonkeySphere ssh ProxyCommand hook
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. #
  7. # They are Copyright 2008, and are all released under the GPL, version 3
  8. # or later.
  9. # This is meant to be run as an ssh ProxyCommand to initiate a
  10. # monkeysphere known_hosts update before an ssh connection to host is
  11. # established. Can be added to ~/.ssh/config as follows:
  12. # ProxyCommand monkeysphere-ssh-proxycommand %h %p
  13. ########################################################################
  14. PGRM=$(basename $0)
  15. SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
  16. export SYSSHAREDIR
  17. . "${SYSSHAREDIR}/common" || exit 1
  18. ########################################################################
  19. # FUNCTIONS
  20. ########################################################################
  21. usage() {
  22. cat <<EOF >&2
  23. usage: ssh -o ProxyCommand="$(basename $0) %h %p" ...
  24. EOF
  25. }
  26. log() {
  27. echo "$@" >&2
  28. }
  29. output_no_valid_key() {
  30. local sshKeyOffered
  31. local userID
  32. local type
  33. local validity
  34. local keyid
  35. local uidfpr
  36. local usage
  37. local sshKeyGPG
  38. local tmpkey
  39. local sshFingerprint
  40. local gpgSigOut
  41. userID="ssh://${HOSTP}"
  42. log "-------------------- Monkeysphere warning -------------------"
  43. log "Monkeysphere found OpenPGP keys for this hostname, but none had full validity."
  44. # retrieve the actual ssh key
  45. sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
  46. # FIXME: should we do any checks for failed keyscans, eg. host not
  47. # found?
  48. # get the gpg info for userid
  49. gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
  50. --with-fingerprint --with-fingerprint \
  51. ="$userID" 2>/dev/null)
  52. # find all 'pub' and 'sub' lines in the gpg output, which each
  53. # represent a retrieved key for the user ID
  54. echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
  55. while IFS=: read -r type validity keyid uidfpr usage ; do
  56. case $type in
  57. 'pub'|'sub')
  58. # get the ssh key of the gpg key
  59. sshKeyGPG=$(gpg2ssh "$keyid")
  60. # if one of keys found matches the one offered by the
  61. # host, then output info
  62. if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
  63. log "An OpenPGP key matching the ssh key offered by the host was found:"
  64. log
  65. # do some crazy "Here Strings" redirection to get the key to
  66. # ssh-keygen, since it doesn't read from stdin cleanly
  67. sshFingerprint=$(ssh-keygen -l -f /dev/stdin \
  68. <<<$(echo "$sshKeyGPG") | \
  69. awk '{ print $2 }')
  70. # get the sigs for the matching key
  71. gpgSigOut=$(gpg --check-sigs \
  72. --list-options show-uid-validity \
  73. "$keyid")
  74. # output the sigs, but only those on the user ID
  75. # we are looking for
  76. echo "$gpgSigOut" | awk '
  77. {
  78. if (match($0,"^pub")) { print; }
  79. if (match($0,"^uid")) { ok=0; }
  80. if (match($0,"^uid.*'$userID'$")) { ok=1; print; }
  81. if (ok) { if (match($0,"^sig")) { print; } }
  82. }
  83. ' >&2
  84. log
  85. # output the other user IDs for reference
  86. if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
  87. log "Other user IDs on this key:"
  88. echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" >&2
  89. log
  90. fi
  91. # output ssh fingerprint
  92. log "RSA key fingerprint is ${sshFingerprint}."
  93. # this whole process is in a "while read"
  94. # subshell. the only way to get information out
  95. # of the subshell is to change the return code.
  96. # therefore we return 1 here to indicate that a
  97. # matching gpg key was found for the ssh key
  98. # offered by the host
  99. return 1
  100. fi
  101. ;;
  102. esac
  103. done
  104. # if no key match was made (and the "while read" subshell returned
  105. # 1) output how many keys were found
  106. if (($? != 1)) ; then
  107. log "None of the found keys matched the key offered by the host."
  108. log "Run the following command for more info about the found keys:"
  109. log "gpg --check-sigs --list-options show-uid-validity =${userID}"
  110. # FIXME: should we do anything extra here if the retrieved
  111. # host key is actually in the known_hosts file and the ssh
  112. # connection will succeed? Should the user be warned?
  113. # prompted?
  114. fi
  115. log "-------------------- ssh continues below --------------------"
  116. }
  117. ########################################################################
  118. # export the monkeysphere log level
  119. export MONKEYSPHERE_LOG_LEVEL
  120. if [ "$1" = '--no-connect' ] ; then
  121. NO_CONNECT='true'
  122. shift 1
  123. fi
  124. HOST="$1"
  125. PORT="$2"
  126. if [ -z "$HOST" ] ; then
  127. log "Host not specified."
  128. usage
  129. exit 255
  130. fi
  131. if [ -z "$PORT" ] ; then
  132. PORT=22
  133. fi
  134. # set the host URI
  135. if [ "$PORT" != '22' ] ; then
  136. HOSTP="${HOST}:${PORT}"
  137. else
  138. HOSTP="${HOST}"
  139. fi
  140. URI="ssh://${HOSTP}"
  141. # specify keyserver checking. the behavior of this proxy command is
  142. # intentionally different than that of running monkeyesphere normally,
  143. # and keyserver checking is intentionally done under certain
  144. # circumstances. This can be overridden by setting the
  145. # MONKEYSPHERE_CHECK_KEYSERVER environment variable.
  146. # if the host is in the gpg keyring...
  147. if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then
  148. # do not check the keyserver
  149. CHECK_KEYSERVER="false"
  150. # if the host is NOT in the keyring...
  151. else
  152. # if the host key is found in the known_hosts file...
  153. # FIXME: this only works for default known_hosts location
  154. hostKey=$(ssh-keygen -F "$HOST" 2>/dev/null)
  155. if [ "$hostKey" ] ; then
  156. # do not check the keyserver
  157. # FIXME: more nuanced checking should be done here to properly
  158. # take into consideration hosts that join monkeysphere by
  159. # converting an existing and known ssh key
  160. CHECK_KEYSERVER="false"
  161. # if the host key is not found in the known_hosts file...
  162. else
  163. # check the keyserver
  164. CHECK_KEYSERVER="true"
  165. fi
  166. fi
  167. # set and export the variable for use by monkeysphere
  168. MONKEYSPHERE_CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="$CHECK_KEYSERVER"}
  169. export MONKEYSPHERE_CHECK_KEYSERVER
  170. # update the known_hosts file for the host
  171. monkeysphere update-known_hosts "$HOSTP"
  172. # output on depending on the return of the update-known_hosts
  173. # subcommand, which is (ultimately) the return code of the
  174. # update_known_hosts function in common
  175. case $? in
  176. 0)
  177. # acceptable host key found so continue to ssh
  178. true
  179. ;;
  180. 1)
  181. # no hosts at all found so also continue (drop through to
  182. # regular ssh host verification)
  183. true
  184. ;;
  185. 2)
  186. # at least one *bad* host key (and no good host keys) was
  187. # found, so output some usefull information
  188. output_no_valid_key
  189. ;;
  190. *)
  191. # anything else drop through
  192. true
  193. ;;
  194. esac
  195. # FIXME: what about the case where monkeysphere successfully finds a
  196. # valid key for the host and adds it to the known_hosts file, but a
  197. # different non-monkeysphere key for the host already exists in the
  198. # known_hosts, and it is this non-ms key that is offered by the host?
  199. # monkeysphere will succeed, and the ssh connection will succeed, and
  200. # the user will be left with the impression that they are dealing with
  201. # a OpenPGP/PKI host key when in fact they are not. should we use
  202. # ssh-keyscan to compare the keys first?
  203. # exec a netcat passthrough to host for the ssh connection
  204. if [ -z "$NO_CONNECT" ] ; then
  205. if (which nc 2>/dev/null >/dev/null); then
  206. exec nc "$HOST" "$PORT"
  207. elif (which socat 2>/dev/null >/dev/null); then
  208. exec socat STDIO "TCP:$HOST:$PORT"
  209. else
  210. echo "Neither netcat nor socat found -- could not complete monkeysphere-ssh-proxycommand connection to $HOST:$PORT" >&2
  211. exit 255
  212. fi
  213. fi