X-Git-Url: https://git.distorted.org.uk/~mdw/tripe/blobdiff_plain/a334070153b52e58d29b02c0754f903979b899ec..b147e573818624ac77eab9de38d4f05346d60f5d:/contrib/knock.in
diff --git a/contrib/knock.in b/contrib/knock.in
new file mode 100755
index 00000000..be55f2b9
--- /dev/null
+++ b/contrib/knock.in
@@ -0,0 +1,47 @@
+#! /bin/sh
+
+set -e
+
+### This script performs the passive side of a dynamic association. It is
+### intended to be set as the `tripe' user's shell, and invoked via ssh(1).
+### Specifically, for each dynamic peer, add a line to `.ssh/authorized_keys'
+### of the form
+###
+### command="PEER" ssh-rsa ...
+###
+### There's an additional wrinkle. Suppose that the passive TrIPE endpoint
+### is behind a NAT, and the SSH gateway is on a different machine. The
+### gateway should have its own `tripe' user, and this script should again be
+### its shell. On the gateway, add a `.ssh/authorized_keys' entry
+###
+### command="tripe@SERVER:PEER" ssh-rsa ...
+###
+### for the dynamic endpoint. On the passive endpoint itself, you need an
+### entry for the gateway's `tripe' user's key, with no command.
+
+: ${prefix=@prefix@} ${exec_prefix=@exec_prefix@}
+: ${bindir=@bindir@}
+: ${TRIPEDIR=@configdir@} ${TRIPESOCK=@socketdir@/tripesock}
+: ${tripectl=$bindir/tripectl}
+export TRIPEDIR TRIPESOCK
+
+case "$#,$1,$2" in
+
+ 2,-c,*:*)
+ ## Proxy through to another server.
+ server=${2%:*} user=${2##*:}
+ exec ssh "$server" "$user"
+ ;;
+
+ 2,-c,*)
+ ## Connect to the local tripe server.
+ exec $tripectl SVCSUBMIT connect passive "$2"
+ ;;
+
+ *)
+ ## Anything else is an error.
+ echo >&2 "usage: $0 -c [SERVER:]PEER"
+ exit 1
+ ;;
+
+esac
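Review bot: In the proxy arm (`2,-c,*:*)`), `$server` is cut out of `$2` and handed to ssh as its first argument with no end-of-options marker, so a value starting with `-` would be read by ssh as an option rather than a host name. `$2` is pinned by `command=` on most keys, but the header comment tells the admin to install the gateway's key with no command, and for that key `$2` is whatever the caller asked to run. I would refuse a leading dash before the dispatch, e.g. `case "$2" in -*) echo >&2 "usage: $0 -c [SERVER:]PEER"; exit 1 ;; esac`, and write the call as `exec ssh -- "$server" "$user"`. The sample `authorized_keys` lines in the comment could also carry forwarding restrictions (`restrict` on OpenSSH versions that have it), since a forced command or a restricted shell alone does not stop a key from requesting port forwarding.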