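#!/bin/ksh
# $Id: sshfp,v 1.3 2011/12/01 20:46:02 ksb Exp $
# We're a netlint plugin that reports missing sshfp records (ksb)
#
# Outline:
#   1. ask the local resolver for this host's SSHFP records (FP<n>, one
#      per key-algorithm number n, fingerprint type 1 only)
#   2. compute the same fingerprint for each host key under /etc/ssh*
#      (CP<n>), with openssl or with ssh-keygen -r
#   3. report through $CARP every key algorithm whose local fingerprint
#      is not the one DNS publishes.
# Exit status is always 0; findings are sent to $CARP (default: echo).

PROGNAME=${0##*/}
: "${CARP:=echo}"

if [ _"$1" = _"-V" ]; then
	echo "$PROGNAME: "'$Id: sshfp,v 1.3 2011/12/01 20:46:02 ksb Exp $'
	exit 0
fi

# (An unused HOST pattern used to be computed here; it was dead code.)

#****a* sshfp/dns
# NAME
#	SSHFP
# FORMAT
#	SSHFP: new record information
# DESCRIPTION
#	This is the list of DNS SSHFP records the host is missing from the local
#	resolver.
# REMEDIATION
#	Add missing records in a zone file in master-source in /etc/namedb/master.
#***

# Slots 1-9 and 0 are SSHFP key-algorithm numbers; FP<n> holds the
# fingerprint DNS publishes for that algorithm, CP<n> the one computed
# from the local key file.
typeset FP1 FP2 FP3 CP1 CP2 CP3
# The digests are compared case-insensitively: -u upper-cases on assignment.
typeset -u Dn Gn

# Ask the resolver for our SSHFP records.  The text we eval is generated by
# sed from nslookup's (whitespace-squeezed) output, e.g.
#	msrc.sac.fedex.com	canonical name = svr6.sac.fedex.com.
#	svr6.sac.fedex.com	rdata_44 = 2 1 BFDA52C803F54BB72C345D9C8CCBB7D076369A04
#	svr6.sac.fedex.com	rdata_44 = 1 1 20CE7DF2238D9DC3D6657CEDCAEEE38D39106799
# becomes  CN='svr6.sac.fedex.com' FP2='1 BFDA...' FP1='1 20CE...'
# (the second sed drops the trailing dot of the canonical name).
# Only fingerprint type 1 (SHA-1) records are kept, because that is the
# only type the local side computes below; a type-2 record would otherwise
# overwrite FP<n> and be reported as a mismatch.
# NOTE(review): sed single-quotes each value, so a resolver answer that
# contained a single quote would break out of the quoting and reach eval as
# shell code; this plugin trusts the local resolver's answers.
CN=$(hostname)
eval $(nslookup -q=sshfp "$CN" 2>/dev/null | tr -s '\t ' ' ' |
	sed -n -e "s,[^ ]* canonical *name = \(.*\),CN='\1',p" \
		-e "s,[^ ]* [^ ]* = \([0-9]*\) \(1 .*\),FP\1='\2',p" |
	sed -e "s/[.]' *$/'/")

# Presently there are only 2 type (dsa, rsa) but who knows? --ksb
# T<n> maps the SSHFP algorithm number to the key-file name component; they
# are exported because xapply runs the command templates in a child shell.
# D is a literal '$' so a template written inside double quotes can carry
# "${T1}" through to that child shell unexpanded.
typeset -x D T1 T2 T3 T4 T5 T6 T7 T8 T9 T0
T1=rsa
T2=dsa
D='$'
# Each template prints CP<n>=... shell assignments which are eval'd here.
# A missing key file (e.g. no dsa key on this host) must produce no
# assignment at all: piping an empty cat into openssl would otherwise hash
# "" and CP<n> would be reported as a missing record.  In the ssh-keygen
# branch, "host IN SSHFP <alg> <fptype> <hex>" lines are kept only for
# fptype 1, matching what the DNS parsing above kept.
eval $(if whence openssl >/dev/null ; then
	xapply "ls /etc/ssh*/*_${D}{T%1}_key.pub >/dev/null 2>&1 && cat /etc/ssh*/*_${D}{T%1}_key.pub | cut -d ' ' -f 2 | openssl base64 -d -A | openssl sha1 | sed -e 's/^/CP%1=\"1 /' -e 's/$D/\"/'" 1 2
elif ssh-keygen -r test -f /etc/ssh*/*_${T1}_key.pub >/dev/null 2>&1 ; then
	xapply "ssh-keygen -r ksb -f /etc/ssh*/*_${D}{T%1}_key.pub" 1 2 |
		tr -s '\t ' ' ' |
		sed -n -e "s,.* [sS][sS][hH][fF][pP] \([0-9]*\) \(1 .*\),CP\1='\2',p"
else
	echo \$CARP \""SSHFP: no ssh-keygen option to check keys or openssl installed"\" \; exit 0
fi)

# If ssh-keygen doesn't take -r and we do not have openssl we could use
# perl to do it.
# NOTE(review): the original had a stray "ZZZ" token on a line of its own
# here, which ran as a (failing) command; it has been dropped.

# Compare, per key-algorithm number, the local fingerprint (CP<n>) with the
# one DNS publishes (FP<n>).  The last space-separated word of each value is
# the hex digest.  Algorithms with no local key are skipped.
for i in 1 2 3 4 5 6 7 8 9 0 ; do
	eval "[ -z \"\$CP$i\" ]" && continue
	eval "Dn=\${CP$i##* } Gn=\${FP$i##* }"
	[ "$Dn" = "$Gn" ] && continue
	eval "\$CARP \"SSHFP: missing $i \$CP$i\""
done
exit 0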