[tripe] / contrib / knock.in

#! /bin/sh
###
### SSH forced-command script for establishing dynamic associations.
###
### (c) 2012 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This file is part of Trivial IP Encryption (TrIPE).
###
### TrIPE is free software: you can redistribute it and/or modify it under
### the terms of the GNU General Public License as published by the Free
### Software Foundation; either version 3 of the License, or (at your
### option) any later version.
###
### TrIPE is distributed in the hope that it will be useful, but WITHOUT
### ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
### FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
### for more details.
###
### You should have received a copy of the GNU General Public License
### along with TrIPE.  If not, see <https://www.gnu.org/licenses/>.

set -e

### This script performs the passive side of a dynamic association.  It is
### intended to be set as the forced command in an `.ssh/authorized_keys'
### file.  Specifically, for each dynamic peer, add a line to
### `.ssh/authorized_keys' of the form
###
###	environment="TRIPE_USER=PEER" ssh-rsa ...
###
### There's an additional wrinkle.  Suppose that the passive TrIPE endpoint
### is behind a NAT, and the SSH gateway is on a different machine.  The
### gateway should have its own `tripe' user, and this script should again be
### its shell.  On the gateway, add a `.ssh/authorized_keys' entry
###
###	environment="TRIPE_USER=tripe@SERVER:PEER" ssh-rsa ...
###
### for the dynamic endpoint.  On the passive endpoint itself, you need an
### entry for the gateway's `tripe' user's key, with `TRIPE_GATEWAY' set to
### any value, like
###
###	environment="TRIPE_GATEWAY=t" ssh-rsa ...
###
### For backwards compatibility, it can also be set as the `tripe' user's
### shell, with the `[tripe@SERVER:]PEER' indicator set as the forced
### command.  If there are no forced command or `TRIPE_*' environment
### variables then it is assumed that a gateway is calling.

: ${prefix=@prefix@} ${exec_prefix=@exec_prefix@}
: ${bindir=@bindir@}
: ${TRIPEDIR=@configdir@} ${TRIPESOCK=@socketdir@/tripesock}
: ${tripectl=$bindir/tripectl}
export TRIPEDIR TRIPESOCK

## Make sure we're being called properly, and figure out the peer identity.
case "${TRIPE_USER+t},${TRIPE_GATEWAY+t},$#,$1" in
  t,,0,) set -- "$TRIPE_USER" ;;
  ,t,0,) set -- $SSH_ORIGINAL_COMMAND; unset SSH_ORIGINAL_COMMAND ;;
  ,,2,-c) ;;
  *)
    echo >&2 "usage: $0 -c [SERVER:]PEER [ACTION]"
    exit 1
    ;;
esac

## Examine the peer identifier and work out how to proceed.
case "$#,$1" in
  0,*) echo >&2 "missing peer identifier"; exit 1 ;;
  *:*) mode=proxy server=${1%:*} user=${1##*:} ;;
  *) mode=local user=$1 ;;
esac
shift

## Fetch the optional command from where SSH stashed it.
case "$#" in 0) set -- $SSH_ORIGINAL_COMMAND ;; esac
case "$#,$1" in
  0, | 1,hello) act=hello ;;
  1,goodbye) act=goodbye ;;
  *) echo >&2 "$0: unknown action spec \`$*'"; exit 1 ;;
esac

## Now actually do something.
case "$mode,$act" in
  proxy,*)
    exec ssh "$server" "$user" "$act"
    ;;
  local,hello)
    exec $tripectl SVCSUBMIT connect passive "$user"
    ;;
  local,goodbye)
    peer=$($tripectl SVCSUBMIT connect userpeer "$user")
    exec $tripectl KILL "$peer"
    ;;
  *)
    echo >&2 "$0: unknown mode/action $mode/$act"
    exit 1
    ;;
esac
Commit	Line	Data
b147e573	1	#! /bin/sh
ca1e21b0 MW	2	###
	3	### SSH forced-command script for establishing dynamic associations.
	4	###
	5	### (c) 2012 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This file is part of Trivial IP Encryption (TrIPE).
	11	###
	12	### TrIPE is free software: you can redistribute it and/or modify it under
	13	### the terms of the GNU General Public License as published by the Free
	14	### Software Foundation; either version 3 of the License, or (at your
	15	### option) any later version.
	16	###
	17	### TrIPE is distributed in the hope that it will be useful, but WITHOUT
	18	### ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	19	### FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	20	### for more details.
	21	###
	22	### You should have received a copy of the GNU General Public License
	23	### along with TrIPE. If not, see <https://www.gnu.org/licenses/>.
b147e573 MW	24
	25	set -e
	26
	27	### This script performs the passive side of a dynamic association. It is
0f51cf5a MW	28	### intended to be set as the forced command in an `.ssh/authorized_keys'
	29	### file. Specifically, for each dynamic peer, add a line to
	30	### `.ssh/authorized_keys' of the form
b147e573	31	###
0f51cf5a	32	### environment="TRIPE_USER=PEER" ssh-rsa ...
b147e573 MW	33	###
	34	### There's an additional wrinkle. Suppose that the passive TrIPE endpoint
	35	### is behind a NAT, and the SSH gateway is on a different machine. The
	36	### gateway should have its own `tripe' user, and this script should again be
	37	### its shell. On the gateway, add a `.ssh/authorized_keys' entry
	38	###
0f51cf5a	39	### environment="TRIPE_USER=tripe@SERVER:PEER" ssh-rsa ...
b147e573 MW	40	###
b147e573 MW	41	### for the dynamic endpoint. On the passive endpoint itself, you need an
0f51cf5a MW	42	### entry for the gateway's `tripe' user's key, with `TRIPE_GATEWAY' set to
	43	### any value, like
	44	###
	45	### environment="TRIPE_GATEWAY=t" ssh-rsa ...
	46	###
	47	### For backwards compatibility, it can also be set as the `tripe' user's
	48	### shell, with the `[tripe@SERVER:]PEER' indicator set as the forced
	49	### command. If there are no forced command or `TRIPE_*' environment
	50	### variables then it is assumed that a gateway is calling.
b147e573 MW	51
	52	: ${prefix=@prefix@} ${exec_prefix=@exec_prefix@}
	53	: ${bindir=@bindir@}
	54	: ${TRIPEDIR=@configdir@} ${TRIPESOCK=@socketdir@/tripesock}
	55	: ${tripectl=$bindir/tripectl}
	56	export TRIPEDIR TRIPESOCK
	57
d3731285	58	## Make sure we're being called properly, and figure out the peer identity.
0f51cf5a MW	59	case "${TRIPE_USER+t},${TRIPE_GATEWAY+t},$#,$1" in
	60	t,,0,) set -- "$TRIPE_USER" ;;
	61	,t,0,) set -- $SSH_ORIGINAL_COMMAND; unset SSH_ORIGINAL_COMMAND ;;
	62	,,2,-c) ;;
d3731285	63	*)
0f51cf5a	64	echo >&2 "usage: $0 -c [SERVER:]PEER [ACTION]"
d3731285	65	exit 1
b147e573	66	;;
d3731285	67	esac
b147e573	68
d3731285 MW	69	## Examine the peer identifier and work out how to proceed.
d3731285 MW	70	case "$#,$1" in
0f51cf5a	71	0,*) echo >&2 "missing peer identifier"; exit 1 ;;
d3731285 MW	72	:) mode=proxy server=${1%:} user=${1##:} ;;
	73	*) mode=local user=$1 ;;
	74	esac
	75	shift
b147e573	76
0f51cf5a	77	## Fetch the optional command from where SSH stashed it.
d3731285 MW	78	case "$#" in 0) set -- $SSH_ORIGINAL_COMMAND ;; esac
	79	case "$#,$1" in
	80	0, \| 1,hello) act=hello ;;
	81	1,goodbye) act=goodbye ;;
	82	) echo >&2 "$0: unknown action spec \`$'"; exit 1 ;;
	83	esac
	84
	85	## Now actually do something.
	86	case "$mode,$act" in
	87	proxy,*)
	88	exec ssh "$server" "$user" "$act"
	89	;;
	90	local,hello)
	91	exec $tripectl SVCSUBMIT connect passive "$user"
	92	;;
	93	local,goodbye)
	94	peer=$($tripectl SVCSUBMIT connect userpeer "$user")
	95	exec $tripectl KILL "$peer"
	96	;;
b147e573	97	*)
d3731285	98	echo >&2 "$0: unknown mode/action $mode/$act"
b147e573 MW	99	exit 1
b147e573 MW	100	;;
b147e573	101	esac