contrib/knock.in: Login script for establishing dynamic associations.

diff --git a/contrib/Makefile.am b/contrib/Makefile.am
index a81e14a8de9fe045eb6308c19f041d0c5b794ac9..8dfc7106d7ec1d70aac9ad306cf853f38fa7bbfd 100644 (file)
--- a/contrib/Makefile.am
+++ b/contrib/Makefile.am
@@ -64,4 +64,13 @@ greet: greet.in Makefile
                chmod +x $@.new && mv $@.new $@
 endif
 
+## `knock' script for accepting incoming dynamic associations.
+noinst_SCRIPTS         += knock
+EXTRA_DIST             += knock.in
+CLEANFILES             += knock
+
+knock: knock.in Makefile
+       $(SUBST) $(srcdir)/knock.in >$@.new $(SUBSTITUTIONS) && \
+               chmod +x $@.new && mv $@.new $@
+
 ###----- That's all, folks --------------------------------------------------

diff --git a/contrib/README b/contrib/README
index 644f306755b25c86c9c37fff72fe3972e568a667..b48c5a53d931f209eb65691a16d7f18e20917fb1 100644 (file)
--- a/contrib/README
+++ b/contrib/README
@@ -16,3 +16,6 @@ tripe-upstart
 
 greet  A simple tool for stimulating a passive association by sending a
        `greet' packet.
+
+knock  A script which acts as a login shell for a `tripe' user, estabishing
+       dynamic assocations on demand.

diff --git a/contrib/knock.in b/contrib/knock.in
new file mode 100755 (executable)
index 0000000..be55f2b
--- /dev/null
+++ b/contrib/knock.in
@@ -0,0 +1,47 @@
+#! /bin/sh
+
+set -e
+
+### This script performs the passive side of a dynamic association.  It is
+### intended to be set as the `tripe' user's shell, and invoked via ssh(1).
+### Specifically, for each dynamic peer, add a line to `.ssh/authorized_keys'
+### of the form
+###
+###    command="PEER" ssh-rsa ...
+###
+### There's an additional wrinkle.  Suppose that the passive TrIPE endpoint
+### is behind a NAT, and the SSH gateway is on a different machine.  The
+### gateway should have its own `tripe' user, and this script should again be
+### its shell.  On the gateway, add a `.ssh/authorized_keys' entry
+###
+###    command="tripe@SERVER:PEER" ssh-rsa ...
+###
+### for the dynamic endpoint.  On the passive endpoint itself, you need an
+### entry for the gateway's `tripe' user's key, with no command.
+
+: ${prefix=@prefix@} ${exec_prefix=@exec_prefix@}
+: ${bindir=@bindir@}
+: ${TRIPEDIR=@configdir@} ${TRIPESOCK=@socketdir@/tripesock}
+: ${tripectl=$bindir/tripectl}
+export TRIPEDIR TRIPESOCK
+
+case "$#,$1,$2" in
+
+  2,-c,*:*)
+    ## Proxy through to another server.
+    server=${2%:*} user=${2##*:}
+    exec ssh "$server" "$user"
+    ;;
+
+  2,-c,*)
+    ## Connect to the local tripe server.
+    exec $tripectl SVCSUBMIT connect passive "$2"
+    ;;
+
+  *)
+    ## Anything else is an error.
+    echo >&2 "usage: $0 -c [SERVER:]PEER"
+    exit 1
+    ;;
+
+esac

diff --git a/debian/rules b/debian/rules
index ad785081c79158edd1c83c01822fe6d570777dff..9525b985353cf970ce6ef22c9acb66b26562a312 100755 (executable)
--- a/debian/rules
+++ b/debian/rules
@@ -41,7 +41,7 @@ install/tripe::
        sed 's/^#\(user\|group\)/\1/' \
                $(DEB_SRCDIR)/init/tripe.conf >debian/tripe.default
        mkdir -p debian/tripe/usr/share/doc/tripe/examples
-       for i in tripe-ipif ipif-peers tripe-upstart greet; do \
+       for i in tripe-ipif ipif-peers tripe-upstart greet knock; do \
          cp $(DEB_BUILDDIR)/contrib/$$i \
                debian/tripe/usr/share/doc/tripe/examples; \
        done