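#!/bin/sh
# OpenSSH wrapper for DNSSEC (see $0 -h for help): validates the destination
# name with drill(1) before handing the unchanged command line to ssh(1).

# Trust anchors, lowest priority first; the last readable file wins and is
# passed to drill as "-k FILE". drillargs stays empty when none is readable,
# which check_ssh_cmdline treats as a reason to refuse the connection: without
# an anchor there is nothing to validate against, so passing would be fail-open.
# NOTE(review): nothing here checks who may write these files; an anchor file
# writable by other users would let them substitute their own keys.
drillargs=
for anchor in \
  '/usr/share/dnssec-trust-anchors/root-zone.key' \
  '/etc/trusted-key.key' \
; do
  [ -r "$anchor" ] && drillargs="-k $anchor"
done
[ -n "$drillargs" ] || printf '%s: warning: no readable DNSSEC trust anchor found\n' "$0" >&2

# Locate the tools once. command -v is the POSIX replacement for which(1);
# an absent tool leaves the variable empty and check_ssh_cmdline fails closed.
drill=$(command -v drill || true)
ssh=$(command -v ssh || true)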
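check_ssh_cmdline() {
  # Parse ssh's command line far enough to find the destination host, then
  # ask drill to DNSSEC-validate that name ("$drill" $drillargs -TD HOST).
  # Returns drill's exit status (0 = validated) and non-zero for any parse or
  # setup problem, so the caller fails closed. "-h" prints this wrapper's help
  # and exits 0. Reads the globals drill, drillargs and ssh; all diagnostics
  # go to stderr so stdout stays clean for programs that drive ssh as a
  # transport.
  #
  # The option string mirrors ssh(1): a letter followed by ':' takes an
  # argument. Getting this wrong is security-relevant: a flag wrongly declared
  # as taking an argument (the old "v:", "C:", "q:") swallows the destination,
  # and an argument-taking option left out (e.g. "-D port") makes its argument
  # look like the host, so the wrong name gets validated. Unknown options
  # therefore abort instead of guessing. "h" is the wrapper's own help flag.
  OPTIND=1
  while getopts ':1246ab:c:e:fgi:kl:m:no:p:qstvxAB:CD:E:F:GI:J:KL:MNO:P:Q:R:S:TVw:W:XYyh' OPT; do
    case "$OPT" in
      h)
        cat <<EOF
$0 help

This is DNSSEC wrapper for OpenSSH client which will simply prevent you
from connecting to hosts with fraudulent DNS records.

You can use alias ssh='$0' (and you can add it to your ~/.bashrc)

Command line options are just the same as for SSH, but you have to
specify all the options before hostname and optional command. eg.:
$0 -p2222 user@example.com (good)
$0 user@example.com -p2222 (bad)

To test if $0 works as it's supposed to be working, you can try following:
$0 user@badsign-a.test.dnssec-tools.org
$0 user@rhybar.cz
(both commands should fail with DNSSEC error)

Known issues:
- DNS record can change between DNSSEC validation and SSH connection
- we should pass IP address directly to SSH binary (patches welcome)
- only the default (A) lookup is validated; ssh may still connect over an
  unvalidated AAAA record
- the name on the command line is validated, not the HostName an
  ssh_config "Host" alias maps it to
- an unsigned zone is not a failure: only bogus signatures are detected

If there are some autodetected drill arguments, you can see them here:
$drillargs

EOF
        [ -n "$ssh" ] && "$ssh" --help
        exit 0
        ;;
      :)
        printf '%s: option -%s requires an argument\n' "$0" "$OPTARG" >&2
        return 1
        ;;
      \?)
        printf '%s: unknown ssh option -%s, refusing to guess the hostname\n' "$0" "$OPTARG" >&2
        return 1
        ;;
    esac
  done
  shift $((OPTIND - 1))

  # Fail closed on every precondition: no validator, no trust anchor, or no
  # destination means we cannot say the name is genuine.
  if [ ! -x "$drill" ]; then
    printf '%s: drill not found, cannot validate DNSSEC\n' "$0" >&2
    return 1
  fi
  if [ -z "$drillargs" ]; then
    printf '%s: no readable DNSSEC trust anchor, refusing to connect\n' "$0" >&2
    return 1
  fi
  # Destination is "[user@]host"; anything after it (the remote command) is ignored.
  host="${1##*@}"
  if [ -z "$host" ]; then
    printf '%s: no destination host given\n' "$0" >&2
    return 1
  fi

  printf '%s %s -TD %s\n' "$drill" "$drillargs" "$host" >&2
  # shellcheck disable=SC2086 -- drillargs is "-k /path" and must word-split
  out="$("$drill" $drillargs -TD "$host")"; ret=$?
  # drill reports an unsigned zone with a "No DNSKEY" line; that is shown as a
  # notice only, the verdict is drill's exit status.
  printf '%s\n' "$out" | grep -i 'NO.DNSKEY' >&2
  # On failure show drill's full output so the user can see why it was rejected.
  [ "$ret" -eq 0 ] || printf '%s\n' "$out" >&2
  return "$ret"
}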
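# Entry point. Only a successful validation reaches ssh; exec replaces the
# wrapper so ssh's exit status and signals are the caller's, and "$@" keeps
# every argument (including -o values with spaces) intact. Wrapper chatter
# goes to stderr so stdout stays clean for programs that drive ssh as a
# transport (rsync -e, GIT_SSH, ...).
if check_ssh_cmdline "$@"; then
  if [ -z "$ssh" ]; then
    printf '%s: ssh binary not found\n' "$0" >&2
    exit 1
  fi
  printf 'DNSSEC verification OK :-)\n\n' >&2
  printf 'ssh %s\n' "$*" >&2
  exec "$ssh" "$@"
else
  printf 'DNSSEC verification FAILED!\n' >&2
  exit 1
fi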