#!/bin/ksh
# $Id: sshfp,v 1.3 2011/12/01 20:46:02 ksb Exp $
# We're a netlint plugin that reports missing sshfp records		(ksb)

PROGNAME=`basename $0`
: ${CARP:=echo}
if [ _"$1" = _"-V" ]; then
	echo "$PROGNAME: "'$Id: sshfp,v 1.3 2011/12/01 20:46:02 ksb Exp $'
	exit 0
fi

HOST=`hostname`
if expr "$HOST" : "[^.]*" >/dev/null; then
	HOST="$HOST[^ 	]*"
fi

#****a* sshfp/dns
# NAME
#   SSHFP
# FORMAT
#   SSHFP: new record information
# DESCRIPTION
#   This is the list of DNS SSHFP records the host is missing from the local
#   resolver.
# REMEDIATION
#   Add missing records in a zone file in master-source in /etc/namedb/master.
#***


typeset FP1 FP2 FP3  CP1 CP2 CP3
typeset -u Dn Gn

# Get a list of IPs our hostname resolves to and check them
# msrc.sac.fedex.com canonical name = svr6.sac.fedex.com.
# svr6.sac.fedex.com rdata_44 = 2 1 BFDA52C803F54BB72C345D9C8CCBB7D076369A04
# svr6.sac.fedex.com rdata_44 = 1 1 20CE7DF2238D9DC3D6657CEDCAEEE38D39106799
CN=`hostname`
eval `nslookup -q=sshfp $CN 2>/dev/null | tr -s '\t ' '  ' |
	sed -n -e "s,[^ ]* canonical *name = \(.*\),CN='\1',p" \
		-e "s,[^ ]* [^ ]* = \([0-9]*\) \([0-9]* .*\),FP\1='\2',p"|
	sed -e "s/[.]' *$/'/" `


# Presently there are only 2 type (dsa, rsa) but who knows? --ksb
typeset -x D T1 T2 T3 T4 T5 T6 T7 T8 T9 T0
T1=rsa T2=dsa
D='$'

eval $(if whence openssl >/dev/null ; then
	xapply "cat /etc/ssh*/*_${D}{T%1}_key.pub | cut -d ' ' -f 2 | openssl base64 -d -A | openssl sha1 | sed -e 's/^/CP%1=\"1 /' -e 's/$D/\"/'"  1 2
elif ssh-keygen -r test -f /etc/ssh*/*_${D}{T1}_key.pub >/dev/null 2>&1 ; then
	xapply "ssh-keygen -r ksb -f /etc/ssh*/*_${D}T%1_key.pub"  1 2 |
		tr -s '\t ' '  ' |
		sed -n -e "s,.* [sS][sS][hH][fF][pP] \([\([0-9]*\) \([0-9]* .*\),CP\1='\2',p"
else
	echo \$CARP \""SSHFP: no ssh-keygen option to check keys or openssl installed"\" \; exit 0
fi)

# If ssh-keygen doesn't take -r and we do not have openssl we could use
# perl to do it. ZZZ

for i in 1 2 3 4 5 6 7 8 9 0 ; do
	eval [ -z "$CP$i" ] && continue
	eval Dn=\${CP$i##*\ }  Gn=\${FP$i##*\ }
	[ "$Dn" = "$Gn" ] && continue
	eval \$CARP "SSHFP: missing $i \$CP$i"
done

exit 0