From: Mark Wooding
Date: Fri, 24 Apr 2015 09:11:23 +0000 (+0100)
Subject: contrib/knock.in: Can now be called from an ordinary shell.
X-Git-Tag: 1.0.0pre17~5
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/commitdiff_plain/0f51cf5a216853cc5256eed26db2753a2fe92496?hp=02c995246c1aa9703c9ab6d476884748f497f510

contrib/knock.in: Can now be called from an ordinary shell.

The script can now pick up information from environment variables rather than the forced command, which makes the `tripe' user much more sane. This also fits a little better with `sshsvc-mkauthkeys'.
---

diff --git a/contrib/knock.in b/contrib/knock.in
index 28d8e532..b1754d93 100755
--- a/contrib/knock.in
+++ b/contrib/knock.in
@@ -3,21 +3,29 @@ set -e
 ### This script performs the passive side of a dynamic association. It is
-### intended to be set as the `tripe' user's shell, and invoked via ssh(1).
-### Specifically, for each dynamic peer, add a line to `.ssh/authorized_keys'
-### of the form
+### intended to be set as the forced command in an `.ssh/authorized_keys'
+### file. Specifically, for each dynamic peer, add a line to
+### `.ssh/authorized_keys' of the form
 ###
-### command="PEER" ssh-rsa ...
+### environment="TRIPE_USER=PEER" ssh-rsa ...
 ###
 ### There's an additional wrinkle. Suppose that the passive TrIPE endpoint
 ### is behind a NAT, and the SSH gateway is on a different machine. The
 ### gateway should have its own `tripe' user, and this script should again be
 ### its shell. On the gateway, add a `.ssh/authorized_keys' entry
 ###
-### command="tripe@SERVER:PEER" ssh-rsa ...
+### environment="TRIPE_USER=tripe@SERVER:PEER" ssh-rsa ...
 ###
 ### for the dynamic endpoint. On the passive endpoint itself, you need an
-### entry for the gateway's `tripe' user's key, with no command.
+### entry for the gateway's `tripe' user's key, with `TRIPE_GATEWAY' set to
+### any value, like
+###
+### environment="TRIPE_GATEWAY=t" ssh-rsa ...
+###
+### For backwards compatibility, it can also be set as the `tripe' user's
+### shell, with the `[tripe@SERVER:]PEER' indicator set as the forced
+### command. If there are no forced command or `TRIPE_*' environment
+### variables then it is assumed that a gateway is calling.
 : ${prefix=@prefix@} ${exec_prefix=@exec_prefix@}
 : ${bindir=@bindir@}
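Review bot: The new `environment="TRIPE_USER=..."` and `environment="TRIPE_GATEWAY=t"` entries described here only take effect when sshd(8) is configured with `PermitUserEnvironment yes` (it is off by default), and the comment block does not say so; without it the variables never reach the script, `$#` is 0 and the invocation falls through to the usage error. I would add after the first example: `### Note that sshd(8) must have `PermitUserEnvironment' enabled, or the` / `### environment="..." option is silently ignored.` The gateway paragraph also still says "this script should again be its shell", which now contradicts the forced-command/environment setup described just above it; rewording it to say the gateway's `tripe' user gets the same kind of `.ssh/authorized_keys' entry would keep the two halves consistent.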
@@ -26,28 +34,25 @@ set -e
 export TRIPEDIR TRIPESOCK
 ## Make sure we're being called properly, and figure out the peer identity.
-case "$#,$1" in
- 2,-c) ;;
+case "${TRIPE_USER+t},${TRIPE_GATEWAY+t},$#,$1" in
+ t,,0,) set -- "$TRIPE_USER" ;;
+ ,t,0,) set -- $SSH_ORIGINAL_COMMAND; unset SSH_ORIGINAL_COMMAND ;;
+ ,,2,-c) ;;
 *)
- echo >&2 "usage: $0 -c '[SERVER:]PEER [hello|goodbye]'"
+ echo >&2 "usage: $0 -c [SERVER:]PEER [ACTION]"
 exit 1
 ;;
 esac
-## SSH has smushed all of our arguments together, so let's split them apart
-## again.
-set -- $2
 ## Examine the peer identifier and work out how to proceed.
 case "$#,$1" in
- 0,*) echo >&2 "$0: missing peer identifier"; exit 1 ;;
+ 0,*) echo >&2 "missing peer identifier"; exit 1 ;;
 *:*) mode=proxy server=${1%:*} user=${1##*:} ;;
 *) mode=local user=$1 ;;
 esac
 shift
-## If there's no action then check to see whether SSH has hidden one
-## somewhere. Make sure the command looks sensible.
+## Fetch the optional command from where SSH stashed it.
 case "$#" in 0) set -- $SSH_ORIGINAL_COMMAND ;; esac
 case "$#,$1" in
 0, | 1,hello) act=hello ;;
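Review bot: The legacy `,,2,-c) ;;` arm no longer re-splits the forced command now that `set -- $2` has been removed, so a shell-mode invocation reaches the second `case "$#,$1"` with `$1` still equal to `-c` and ends up as `mode=local user=-c`; as far as these lines show, the backwards-compatibility path promised in the header comment does not work. The arm should read `,,2,-c) set -- $2 ;;` to restore the old behaviour. Separately, `set -- $SSH_ORIGINAL_COMMAND` in the new gateway arm (and again in the `case "$#"` line below) relies on unquoted expansion, which word-splits the client-supplied string but also glob-expands it against the current directory; a `set -f` before those lines, or a `case` check rejecting values containing `*`, `?` or `[`, keeps it to word-splitting only. The argument validation that follows continues past the end of this hunk.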