| 1 | #! /bin/sh |
| 2 | |
| 3 | set -e |
| 4 | |
| 5 | ### This script performs the passive side of a dynamic association. It is |
| 6 | ### intended to be set as the `tripe' user's shell, and invoked via ssh(1). |
| 7 | ### Specifically, for each dynamic peer, add a line to `.ssh/authorized_keys' |
| 8 | ### of the form |
| 9 | ### |
| 10 | ### command="PEER" ssh-rsa ... |
| 11 | ### |
| 12 | ### There's an additional wrinkle. Suppose that the passive TrIPE endpoint |
| 13 | ### is behind a NAT, and the SSH gateway is on a different machine. The |
| 14 | ### gateway should have its own `tripe' user, and this script should again be |
| 15 | ### its shell. On the gateway, add a `.ssh/authorized_keys' entry |
| 16 | ### |
| 17 | ### command="tripe@SERVER:PEER" ssh-rsa ... |
| 18 | ### |
| 19 | ### for the dynamic endpoint. On the passive endpoint itself, you need an |
| 20 | ### entry for the gateway's `tripe' user's key, with no command. |
| 21 | |
| 22 | : ${prefix=@prefix@} ${exec_prefix=@exec_prefix@} |
| 23 | : ${bindir=@bindir@} |
| 24 | : ${TRIPEDIR=@configdir@} ${TRIPESOCK=@socketdir@/tripesock} |
| 25 | : ${tripectl=$bindir/tripectl} |
| 26 | export TRIPEDIR TRIPESOCK |
| 27 | |
| 28 | case "$#,$1,$2" in |
| 29 | |
| 30 | 2,-c,*:*) |
| 31 | ## Proxy through to another server. |
| 32 | server=${2%:*} user=${2##*:} |
| 33 | exec ssh "$server" "$user" |
| 34 | ;; |
| 35 | |
| 36 | 2,-c,*) |
| 37 | ## Connect to the local tripe server. |
| 38 | exec $tripectl SVCSUBMIT connect passive "$2" |
| 39 | ;; |
| 40 | |
| 41 | *) |
| 42 | ## Anything else is an error. |
| 43 | echo >&2 "usage: $0 -c [SERVER:]PEER" |
| 44 | exit 1 |
| 45 | ;; |
| 46 | |
| 47 | esac |