From b147e573818624ac77eab9de38d4f05346d60f5d Mon Sep 17 00:00:00 2001
Message-Id: 
From: Mark Wooding 
Date: Wed, 25 Apr 2012 21:14:16 +0100
Subject: [PATCH] contrib/knock.in: Login script for establishing dynamic associations.
Organization: Straylight/Edgeware
From: Mark Wooding 

---
 contrib/Makefile.am |  9 +++++++++
 contrib/README      |  3 +++
 contrib/knock.in    | 47 +++++++++++++++++++++++++++++++++++++++++++++
 debian/rules        |  2 +-
 4 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100755 contrib/knock.in

diff --git a/contrib/Makefile.am b/contrib/Makefile.am
index a81e14a8..8dfc7106 100644
--- a/contrib/Makefile.am
+++ b/contrib/Makefile.am
@@ -64,4 +64,13 @@ greet: greet.in Makefile
 	chmod +x $@.new && mv $@.new $@
 endif
+## `knock' script for accepting incoming dynamic associations.
+noinst_SCRIPTS += knock
+EXTRA_DIST += knock.in
+CLEANFILES += knock
+
+knock: knock.in Makefile
+	$(SUBST) $(srcdir)/knock.in >$@.new $(SUBSTITUTIONS) && \
+	chmod +x $@.new && mv $@.new $@
+
 ###----- That's all, folks --------------------------------------------------
diff --git a/contrib/README b/contrib/README
index 644f3067..b48c5a53 100644
--- a/contrib/README
+++ b/contrib/README
@@ -16,3 +16,6 @@ tripe-upstart
 greet		A simple tool for stimulating a passive association by sending a
 		`greet' packet.
+
+knock		A script which acts as a login shell for a `tripe' user, estabishing
+		dynamic assocations on demand.
diff --git a/contrib/knock.in b/contrib/knock.in
new file mode 100755
index 00000000..be55f2b9
--- /dev/null
+++ b/contrib/knock.in
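Review bot: The new `knock` block is placed after the `endif` that closes the conditional wrapping the `greet` rule, so `knock` joins `noinst_SCRIPTS` and is built unconditionally even in configurations where `greet` is not; the condition itself is outside the hunk, so I cannot tell whether it also guards `$(SUBST)`/`$(SUBSTITUTIONS)`, which `knock` needs just as much. If it does, the block belongs inside the conditional; if the difference is deliberate, a one-line `## Built unconditionally: needs only $(SUBST), unlike greet.` above `noinst_SCRIPTS += knock` would stop the next reader from asking the same question. The recipe itself (write `$@.new`, then `chmod` and `mv`) is the same atomic pattern as `greet`, which is fine.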
@@ -0,0 +1,47 @@
+#! /bin/sh
+
+set -e
+
+### This script performs the passive side of a dynamic association.  It is
+### intended to be set as the `tripe' user's shell, and invoked via ssh(1).
+### Specifically, for each dynamic peer, add a line to `.ssh/authorized_keys'
+### of the form
+###
+###	command="PEER" ssh-rsa ...
+###
+### There's an additional wrinkle.  Suppose that the passive TrIPE endpoint
+### is behind a NAT, and the SSH gateway is on a different machine.  The
+### gateway should have its own `tripe' user, and this script should again be
+### its shell.  On the gateway, add a `.ssh/authorized_keys' entry
+###
+###	command="tripe@SERVER:PEER" ssh-rsa ...
+###
+### for the dynamic endpoint.  On the passive endpoint itself, you need an
+### entry for the gateway's `tripe' user's key, with no command.
+
+: ${prefix=@prefix@} ${exec_prefix=@exec_prefix@}
+: ${bindir=@bindir@}
+: ${TRIPEDIR=@configdir@} ${TRIPESOCK=@socketdir@/tripesock}
+: ${tripectl=$bindir/tripectl}
+export TRIPEDIR TRIPESOCK
+
+case "$#,$1,$2" in
+
+  2,-c,*:*)
+    ## Proxy through to another server.
+    server=${2%:*} user=${2##*:}
+    exec ssh "$server" "$user"
+    ;;
+
+  2,-c,*)
+    ## Connect to the local tripe server.
+    exec $tripectl SVCSUBMIT connect passive "$2"
+    ;;
+
+  *)
+    ## Anything else is an error.
+    echo >&2 "usage: $0 -c [SERVER:]PEER"
+    exit 1
+    ;;
+
+esac
diff --git a/debian/rules b/debian/rules
index ad785081..9525b985 100755
--- a/debian/rules
+++ b/debian/rules
@@ -41,7 +41,7 @@ install/tripe::
 	sed 's/^#\(user\|group\)/\1/' \
 		$(DEB_SRCDIR)/init/tripe.conf >debian/tripe.default
 	mkdir -p debian/tripe/usr/share/doc/tripe/examples
-	for i in tripe-ipif ipif-peers tripe-upstart greet; do \
+	for i in tripe-ipif ipif-peers tripe-upstart greet knock; do \
 		cp $(DEB_BUILDDIR)/contrib/$$i \
 		debian/tripe/usr/share/doc/tripe/examples; \
 	done
-- 
[mdw]
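Review bot: The `: ${prefix=…}`, `: ${bindir=…}` and `: ${tripectl=$bindir/tripectl}` lines keep whatever the environment already holds, and this script is meant to be a restricted login shell reached over ssh, so if sshd is configured to forward client variables (`AcceptEnv`/`PermitUserEnvironment`, both off by default) a remote key holder could set `tripectl` and have `exec $tripectl …` run an arbitrary program as the `tripe` user; unless overriding these is needed for testing, make them plain assignments (`prefix=@prefix@ exec_prefix=@exec_prefix@`, `bindir=@bindir@`, `tripectl=$bindir/tripectl`) and leave only `TRIPEDIR`/`TRIPESOCK` environment-tunable. In the proxy branch, `exec ssh "$server" "$user"` is a non-interactive hop with no `-o BatchMode=yes`, so an unknown or changed host key for SERVER makes ssh try to prompt and stall rather than fail cleanly; `exec ssh -o BatchMode=yes "$server" "$user"` is the usual guard, and the gateway's known_hosts entry for SERVER should be documented as a setup step alongside the authorized_keys lines. The names in that branch are also misleading: `server` holds `tripe@SERVER` and `user` holds the peer name, so `dest=${2%:*} peer=${2##*:}` reads as intended, and a comment noting that a PEER containing `:` would be split at the wrong colon is worth adding if peer names can contain one.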