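#! /bin/sh
###
### Passive side of a TrIPE dynamic association, run as an ssh forced command.
###
### This script is intended to be set as the `tripe' user's login shell, so
### that every ssh(1) session for that user is routed through it as
### `SCRIPT -c COMMAND'.  For each dynamic peer, add a line to
### `.ssh/authorized_keys' of the form
###
###   command="PEER" ssh-rsa ...
###
### sshd(8) then substitutes PEER for whatever the client asked to run.  The
### client's own request is left in SSH_ORIGINAL_COMMAND and is deliberately
### ignored here: the only thing a peer's key can ever cause is
### `tripectl SVCSUBMIT connect passive PEER' for the PEER named by the
### administrator.
###
### There's an additional wrinkle.  Suppose that the passive TrIPE endpoint
### is behind a NAT, and the SSH gateway is on a different machine.  The
### gateway should have its own `tripe' user, and this script should again be
### its shell.  On the gateway, add a `.ssh/authorized_keys' entry
###
###   command="tripe@SERVER:PEER" ssh-rsa ...
###
### for the dynamic endpoint.  On the passive endpoint itself, you need an
### entry for the gateway's `tripe' user's key, with no command.  That entry
### is only safe because the account's shell is this script: the gateway can
### make it run `-c PEER', and nothing else.
###
### Limitations and caveats.
###
###   * PEER must not contain a colon.  An argument containing a colon is
###     taken to be SERVER:PEER and proxied, so a colon in a peer name would
###     be misparsed.  (SERVER may contain colons, e.g. an IPv6 literal, as
###     the split is made at the last colon.)
###
###   * The installation paths below are taken from the environment when
###     already set.  This script therefore relies on sshd(8) not letting the
###     client set them: do not list `tripectl', `bindir', `prefix',
###     `exec_prefix', `TRIPEDIR' or `TRIPESOCK' in `AcceptEnv', and do not
###     enable `PermitUserEnvironment' for the `tripe' user, or a peer could
###     point `$tripectl' at a program of its own choosing.

set -e

## Installation paths, substituted at configure time.  An existing
## environment setting takes precedence (see the caveat above).
: ${prefix=@prefix@} ${exec_prefix=@exec_prefix@}
: ${bindir=@bindir@}
: ${TRIPEDIR=@configdir@} ${TRIPESOCK=@socketdir@/tripesock}
: ${tripectl=$bindir/tripectl}
export TRIPEDIR TRIPESOCK

## Report a bad invocation on stderr and fail.
usage () {
  printf '%s\n' "usage: $0 -c [SERVER:]PEER" >&2
  exit 1
}

## sshd(8) runs a forced command as `SHELL -c COMMAND', and that is the
## only shape we accept: exactly two arguments, the first being precisely
## `-c'.  (Testing "$#,$1,$2" as a single pattern would also accept a first
## argument that merely began with `-c,'.)
if [ "$#" -ne 2 ] || [ "$1" != -c ]; then
  usage
fi
target=$2

case "$target" in
  *:*)
    ## SERVER:PEER -- we are the gateway.  Hop to SERVER, where this script
    ## (as the remote `tripe' user's shell) is invoked again as `-c PEER'.
    ## SERVER comes from authorized_keys, not from the client; it is the
    ## administrator's job to make sure it is a host and not an ssh(1)
    ## option.
    server=${target%:*}
    peer=${target##*:}
    exec ssh "$server" "$peer"
    ;;
  *)
    ## Plain PEER -- ask the local tripe server to accept a passive
    ## connection from it.  NOTE(review): $tripectl is deliberately left
    ## unquoted, so word-splitting lets it carry a wrapper command as well
    ## as a path; that is only safe because it must come from a trusted
    ## environment (see the caveat at the top).
    exec $tripectl SVCSUBMIT connect passive "$target"
    ;;
esac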