From 0f51cf5a216853cc5256eed26db2753a2fe92496 Mon Sep 17 00:00:00 2001
Message-Id: <0f51cf5a216853cc5256eed26db2753a2fe92496.1714725172.git.mdw@distorted.org.uk>
From: Mark Wooding
Date: Fri, 24 Apr 2015 10:11:23 +0100
Subject: [PATCH 1/1] contrib/knock.in: Can now be called from an ordinary shell.
Organization: Straylight/Edgeware

From: Mark Wooding

The script can now pick up information from environment variables rather than the forced command, which makes the `tripe' user much more sane. This also fits a little better with `sshsvc-mkauthkeys'.
---
 contrib/knock.in | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)

diff --git a/contrib/knock.in b/contrib/knock.in
index 28d8e532..b1754d93 100755
--- a/contrib/knock.in
+++ b/contrib/knock.in
@@ -3,21 +3,29 @@ set -e
 ### This script performs the passive side of a dynamic association. It is
-### intended to be set as the `tripe' user's shell, and invoked via ssh(1).
-### Specifically, for each dynamic peer, add a line to `.ssh/authorized_keys'
-### of the form
+### intended to be set as the forced command in an `.ssh/authorized_keys'
+### file. Specifically, for each dynamic peer, add a line to
+### `.ssh/authorized_keys' of the form
 ###
-### command="PEER" ssh-rsa ...
+### environment="TRIPE_USER=PEER" ssh-rsa ...
 ###
 ### There's an additional wrinkle. Suppose that the passive TrIPE endpoint
 ### is behind a NAT, and the SSH gateway is on a different machine. The
 ### gateway should have its own `tripe' user, and this script should again be
 ### its shell. On the gateway, add a `.ssh/authorized_keys' entry
 ###
-### command="tripe@SERVER:PEER" ssh-rsa ...
+### environment="TRIPE_USER=tripe@SERVER:PEER" ssh-rsa ...
 ###
 ### for the dynamic endpoint. On the passive endpoint itself, you need an
-### entry for the gateway's `tripe' user's key, with no command.
+### entry for the gateway's `tripe' user's key, with `TRIPE_GATEWAY' set to
+### any value, like
+###
+### environment="TRIPE_GATEWAY=t" ssh-rsa ...
+###
+### For backwards compatibility, it can also be set as the `tripe' user's
+### shell, with the `[tripe@SERVER:]PEER' indicator set as the forced
+### command. If there are no forced command or `TRIPE_*' environment
+### variables then it is assumed that a gateway is calling.
 
 : ${prefix=@prefix@} ${exec_prefix=@exec_prefix@}
 : ${bindir=@bindir@}
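Review bot: The new closing sentence of the header, "If there are no forced command or `TRIPE_*' environment variables then it is assumed that a gateway is calling", does not match the dispatch added in the second hunk, which only takes the gateway path when `TRIPE_GATEWAY` is set (`,t,0,)`) and sends the no-variable, no-argument invocation to the usage error. Either the sentence should become `### command.  If \`TRIPE_GATEWAY' is set and there is no forced command, then it is assumed that a gateway is calling.` or the case arm should be relaxed; as written, an operator following the comment will deploy a gateway key that is rejected. The header should also say that the `environment="..."` option in `authorized_keys` is ignored by sshd unless `PermitUserEnvironment` is enabled, since otherwise every dynamic peer silently falls into the usage branch; newer OpenSSH releases accept a variable-name pattern for that option, so the deployment note can recommend restricting it to the `TRIPE_*` names rather than allowing arbitrary user environment.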
@@ -26,28 +34,25 @@ set -e
 export TRIPEDIR TRIPESOCK
 
 ## Make sure we're being called properly, and figure out the peer identity.
-case "$#,$1" in
- 2,-c) ;;
+case "${TRIPE_USER+t},${TRIPE_GATEWAY+t},$#,$1" in
+ t,,0,) set -- "$TRIPE_USER" ;;
+ ,t,0,) set -- $SSH_ORIGINAL_COMMAND; unset SSH_ORIGINAL_COMMAND ;;
+ ,,2,-c) ;;
 *)
- echo >&2 "usage: $0 -c '[SERVER:]PEER [hello|goodbye]'"
+ echo >&2 "usage: $0 -c [SERVER:]PEER [ACTION]"
 exit 1
 ;;
 esac
 
-## SSH has smushed all of our arguments together, so let's split them apart
-## again.
-set -- $2
-
 ## Examine the peer identifier and work out how to proceed.
 case "$#,$1" in
- 0,*) echo >&2 "$0: missing peer identifier"; exit 1 ;;
+ 0,*) echo >&2 "missing peer identifier"; exit 1 ;;
 *:*) mode=proxy server=${1%:*} user=${1##*:} ;;
 *) mode=local user=$1 ;;
 esac
 shift
 
-## If there's no action then check to see whether SSH has hidden one
-## somewhere. Make sure the command looks sensible.
+## Fetch the optional command from where SSH stashed it.
 case "$#" in 0) set -- $SSH_ORIGINAL_COMMAND ;; esac
 case "$#,$1" in
 0, | 1,hello) act=hello ;;
-- 
[mdw]
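Review bot: The new `,t,0,) set -- $SSH_ORIGINAL_COMMAND` arm relies on the unquoted expansion to split the gateway-supplied command into words, but that same expansion also performs pathname generation, so a `*` or `?` in the string is replaced by whatever filenames happen to match in the current directory before the peer and action checks ever see it. Wrapping the split as `set -f; set -- $SSH_ORIGINAL_COMMAND; set +f` keeps the intended word-splitting and removes the filename expansion; the pre-existing `case "$#" in 0) set -- $SSH_ORIGINAL_COMMAND ;; esac` context line a few lines below has the same exposure and should get the same treatment. The `unset SSH_ORIGINAL_COMMAND` in the gateway arm is what stops that later line from re-reading the already-consumed command, while in the `TRIPE_USER` arm the variable is deliberately left in place to supply the action; that asymmetry deserves a comment on the arm, e.g. `## Gateway: peer and action both arrive in the forced command; consume it here.`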