+#! /bin/sh
+
+set -e
+
+### This script performs the passive side of a dynamic association. It is
+### intended to be set as the `tripe' user's shell, and invoked via ssh(1).
+### Specifically, for each dynamic peer, add a line to `.ssh/authorized_keys'
+### of the form
+###
+### command="PEER" ssh-rsa ...
+###
+### There's an additional wrinkle. Suppose that the passive TrIPE endpoint
+### is behind a NAT, and the SSH gateway is on a different machine. The
+### gateway should have its own `tripe' user, and this script should again be
+### its shell. On the gateway, add a `.ssh/authorized_keys' entry
+###
+### command="tripe@SERVER:PEER" ssh-rsa ...
+###
+### for the dynamic endpoint. On the passive endpoint itself, you need an
+### entry for the gateway's `tripe' user's key, with no command.
+
+: ${prefix=@prefix@} ${exec_prefix=@exec_prefix@}
+: ${bindir=@bindir@}
+: ${TRIPEDIR=@configdir@} ${TRIPESOCK=@socketdir@/tripesock}
+: ${tripectl=$bindir/tripectl}
+export TRIPEDIR TRIPESOCK
+
+case "$#,$1,$2" in
+
+ 2,-c,*:*)
+ ## Proxy through to another server.
+ server=${2%:*} user=${2##*:}
+ exec ssh "$server" "$user"
+ ;;
+
+ 2,-c,*)
+ ## Connect to the local tripe server.
+ exec $tripectl SVCSUBMIT connect passive "$2"
+ ;;
+
+ *)
+ ## Anything else is an error.
+ echo >&2 "usage: $0 -c [SERVER:]PEER"
+ exit 1
+ ;;
+
+esac