#! /bin/sh
###
### SSH forced-command script for establishing dynamic associations.
###
### (c) 2012 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This file is part of Trivial IP Encryption (TrIPE).
###
### TrIPE is free software: you can redistribute it and/or modify it under
### the terms of the GNU General Public License as published by the Free
### Software Foundation; either version 3 of the License, or (at your
### option) any later version.
###
### TrIPE is distributed in the hope that it will be useful, but WITHOUT
### ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
### FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
### for more details.
###
### You should have received a copy of the GNU General Public License
### along with TrIPE.  If not, see <https://www.gnu.org/licenses/>.
### This script performs the passive side of a dynamic association.  It is
### intended to be set as the forced command in an `.ssh/authorized_keys'
### file.  Specifically, for each dynamic peer, add a line to
### `.ssh/authorized_keys' of the form
###
###	environment="TRIPE_USER=PEER" ssh-rsa ...
###
### (sshd ignores `environment=' options unless `PermitUserEnvironment' is
### enabled in `sshd_config'; it is off by default.)
###
### There's an additional wrinkle.  Suppose that the passive TrIPE endpoint
### is behind a NAT, and the SSH gateway is on a different machine.  The
### gateway should have its own `tripe' user, and this script should again be
### its shell.  On the gateway, add a `.ssh/authorized_keys' entry
###
###	environment="TRIPE_USER=tripe@SERVER:PEER" ssh-rsa ...
###
### for the dynamic endpoint.  On the passive endpoint itself, you need an
### entry for the gateway's `tripe' user's key, with `TRIPE_GATEWAY' set (the
### value is ignored; only its presence matters):
###
###	environment="TRIPE_GATEWAY=t" ssh-rsa ...
###
### For backwards compatibility, it can also be set as the `tripe' user's
### shell, with the `[tripe@SERVER:]PEER' indicator set as the forced
### command.  If there are no forced command or `TRIPE_*' environment
### variables then it is assumed that a gateway is calling.
set -e

: ${prefix=@prefix@} ${exec_prefix=@exec_prefix@}
: ${bindir=@bindir@}
: ${TRIPEDIR=@configdir@} ${TRIPESOCK=@socketdir@/tripesock}
: ${tripectl=$bindir/tripectl}
export TRIPEDIR TRIPESOCK

## Make sure we're being called properly, and figure out the peer identity.
## Three entry points are accepted:
##
##   * forced command with `TRIPE_USER' set: sshd names the peer for us;
##   * forced command with `TRIPE_GATEWAY' set: a trusted gateway relays
##     `PEER [ACTION]' as the words of `SSH_ORIGINAL_COMMAND';
##   * login shell (`-c ...'): `[SERVER:]PEER [ACTION]' arrives as the single
##     `-c' argument, either from a forced command or from the gateway's
##     command line.
case "${TRIPE_USER+t},${TRIPE_GATEWAY+t},$#,$1" in
  t,,0,) set -- "$TRIPE_USER" ;;
  ,t,0,)
    ## Consume the original command now so that it can't be picked up again
    ## below as a bogus action if the gateway sent only a peer name.
    set -- $SSH_ORIGINAL_COMMAND; unset SSH_ORIGINAL_COMMAND
    ;;
  ,,2,-c) set -- $2 ;;
  *)
    echo >&2 "usage: $0 -c [SERVER:]PEER [ACTION]"
    exit 1
    ;;
esac

## Examine the peer identifier and work out how to proceed.  A `SERVER:PEER'
## form means we're the gateway and must relay to `tripe@SERVER'; the split
## is at the last colon.
case "$#,$1" in
  0,*) echo >&2 "$0: missing peer identifier"; exit 1 ;;
  *:*) mode=proxy server=${1%:*} user=${1##*:} ;;
  *) mode=local user=$1 ;;
esac
shift

## Fetch the optional command from where SSH stashed it.  Only `hello' (the
## default) and `goodbye' are accepted; anything else is rejected.
case "$#" in 0) set -- $SSH_ORIGINAL_COMMAND ;; esac
case "$#,$1" in
  0, | 1,hello) act=hello ;;
  1,goodbye) act=goodbye ;;
  *) echo >&2 "$0: unknown action spec \`$*'"; exit 1 ;;
esac

## Now actually do something.
case "$mode,$act" in
  proxy,*)
    exec ssh "$server" "$user" "$act"
    ;;
  local,hello)
    exec $tripectl SVCSUBMIT connect passive "$user"
    ;;
  local,goodbye)
    peer=$($tripectl SVCSUBMIT connect userpeer "$user")
    exec $tripectl KILL "$peer"
    ;;
  *)
    echo >&2 "$0: unknown mode/action $mode/$act"
    exit 1
    ;;
esac
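### The header comment above shows the three `.ssh/authorized_keys' entries
### this script expects but only sketches them as `environment=... ssh-rsa
### ...'.  The following is an added example, not part of TrIPE: helper
### functions that emit those entries fully hardened (`restrict' plus a
### pinned `command=') and refuse peer or server names that would break out
### of the quoted option string.  The install path in TRIPE_SSH_PASSIVE, the
### function names and the key material are assumptions made for the example.

```sh
#! /bin/sh
## Added example, not part of TrIPE: emit hardened `.ssh/authorized_keys'
## entries for the three kinds of key the forced-command script accepts.
## The script's install path is an assumption; override TRIPE_SSH_PASSIVE.
set -e
: "${TRIPE_SSH_PASSIVE=/usr/local/libexec/tripe-ssh-passive}"

## Names end up inside `environment="..."', are later word-split by the
## script and handed to tripectl (or to ssh as `tripe@SERVER'), so allow only
## a conservative alphabet: no `"', `,', `:', whitespace or shell metachars.
tripe_safe_name() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

## Common prefix.  `restrict' (OpenSSH >= 7.2) disables PTY allocation,
## agent/port/X11 forwarding and ~/.ssh/rc; `command=' pins the script so the
## key can run nothing else, whatever the account's login shell is.  A `"' or
## `\' in the path would corrupt the quoted option, so refuse those.
tripe_authkey_prefix() {
  case "$TRIPE_SSH_PASSIVE" in
    *'"'* | *'\'*) echo >&2 "unsafe script path \`$TRIPE_SSH_PASSIVE'"; return 1 ;;
  esac
  printf 'restrict,command="%s"' "$TRIPE_SSH_PASSIVE"
}

## tripe_authkey PEER PUBKEY [SERVER]
## Entry for a dynamic peer's key.  Without SERVER it belongs on the passive
## endpoint itself; with SERVER it belongs on the gateway, which relays to
## `tripe@SERVER' (the script splits `tripe@SERVER:PEER' at the last colon).
tripe_authkey() {
  tk_peer=$1 tk_key=$2 tk_server=${3-}
  tripe_safe_name "$tk_peer" || { echo >&2 "bad peer name \`$tk_peer'"; return 1; }
  if [ -n "$tk_server" ]; then
    tripe_safe_name "$tk_server" || { echo >&2 "bad server name \`$tk_server'"; return 1; }
    tk_peer="tripe@$tk_server:$tk_peer"
  fi
  tk_prefix=$(tripe_authkey_prefix) || return 1
  printf '%s,environment="TRIPE_USER=%s" %s\n' "$tk_prefix" "$tk_peer" "$tk_key"
}

## tripe_gateway_authkey PUBKEY
## Entry, on the passive endpoint, for the gateway's `tripe' key.  The script
## only tests that TRIPE_GATEWAY is set, so the value `t' is arbitrary.
tripe_gateway_authkey() {
  tk_prefix=$(tripe_authkey_prefix) || return 1
  printf '%s,environment="TRIPE_GATEWAY=t" %s\n' "$tk_prefix" "$1"
}

## Demonstration with a constructed (not real) public key.
EXAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealOne alice@laptop'
tripe_authkey alice "$EXAMPLE_KEY"                    # on the passive endpoint
tripe_authkey alice "$EXAMPLE_KEY" inner.example.org  # on the gateway
tripe_gateway_authkey "$EXAMPLE_KEY"                  # gateway's key, on the endpoint
```

### Append the output to the `tripe' user's `~/.ssh/authorized_keys'.  The
### `environment=' option is inert until `sshd_config' allows it: either
### `PermitUserEnvironment yes' or, on OpenSSH 7.8 and later, the narrower
### `PermitUserEnvironment TRIPE_*'.  With `restrict' in place the client can
### still send a command, but it reaches this script only as
### `SSH_ORIGINAL_COMMAND', where anything other than `hello' or `goodbye' is
### rejected.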