5 ### This script performs the passive side of a dynamic association. It is
6 ### intended to be set as the `tripe' user's shell, and invoked via ssh(1).
7 ### Specifically, for each dynamic peer, add a line to `.ssh/authorized_keys'
10 ### command="PEER" ssh-rsa ...
12 ### There's an additional wrinkle. Suppose that the passive TrIPE endpoint
13 ### is behind a NAT, and the SSH gateway is on a different machine. The
14 ### gateway should have its own `tripe' user, and this script should again be
15 ### its shell. On the gateway, add a `.ssh/authorized_keys' entry
17 ### command="tripe@SERVER:PEER" ssh-rsa ...
19 ### for the dynamic endpoint. On the passive endpoint itself, you need an
20 ### entry for the gateway's `tripe' user's key, with no command.
22 : ${prefix=@prefix@} ${exec_prefix=@exec_prefix@}
24 : ${TRIPEDIR=@configdir@} ${TRIPESOCK=@socketdir@/tripesock}
25 : ${tripectl=$bindir/tripectl}
26 export TRIPEDIR TRIPESOCK
28 ## Make sure we're being called properly, and figure out the peer identity.
32 echo >&2 "usage: $0 -c '[SERVER:]PEER [hello|goodbye]'"
37 ## SSH has smushed all of our arguments together, so let's split them apart
41 ## Examine the peer identifier and work out how to proceed.
43 0,*) echo >&2 "$0: missing peer identifier"; exit 1 ;;
44 *:*) mode=proxy server=${1%:*} user=${1##*:} ;;
45 *) mode=local user=$1 ;;
49 ## If there's no action then check to see whether SSH has hidden one
50 ## somewhere. Make sure the command looks sensible.
51 case "$#" in 0) set -- $SSH_ORIGINAL_COMMAND ;; esac
53 0, | 1,hello) act=hello ;;
54 1,goodbye) act=goodbye ;;
55 *) echo >&2 "$0: unknown action spec \`$*'"; exit 1 ;;
58 ## Now actually do something.
61 exec ssh "$server" "$user" "$act"
64 exec $tripectl SVCSUBMIT connect passive "$user"
67 peer=$($tripectl SVCSUBMIT connect userpeer "$user")
68 exec $tripectl KILL "$peer"
71 echo >&2 "$0: unknown mode/action $mode/$act"