From b5991fe14343912cad879b53d357e937669464c3 Mon Sep 17 00:00:00 2001
From: Pino de Candia
Date: Fri, 19 Jan 2018 06:56:21 +0000
Subject: [PATCH] Added a script that wraps ssh and does an SRV lookup.
---
 scripts/srvssh | 124 ++++++++++++++++++++++++++++++++++++++++++++++
 tatu/db/models.py | 4 +-
 2 files changed, 126 insertions(+), 2 deletions(-)
 create mode 100755 scripts/srvssh
diff --git a/scripts/srvssh b/scripts/srvssh
new file mode 100755
index 0000000..d7c8104
--- /dev/null
+++ b/scripts/srvssh
@@ -0,0 +1,124 @@
+#!/bin/bash
+# Name: ssh-srv-wrapper
+#
+# Purpose: Check DNS SRV records and use the entry when possible.
+#
+# This code is hereby released to the public domain and may be used for any
+# purpose whatsoever without permission or acknowledgment.
+#
+# Taylor Carpenter
+
+
+#echo $* > /tmp/fooo
+#exit
+DEBUG_ME=1
+
+me=`basename $0`
+mydir=$(dirname $0)
+
+function _dmsg() { if [ "${DEBUG_ME}" = 1 ] ; then echo $* ; fi ; }
+
+SSH=`which ssh`
+if [ "$me" = "ssh" -a "$0" = "${SSH}" ] ; then
+ SSH=`PATH=${PATH/$mydir:} which ssh`
+fi
+
+function usage() {
+ echo "usage: $me [args] [user@] [args]"
+ echo "See man ssh (1)"
+}
+
+if [ "$1" = "" ] ; then
+ usage
+ exit 1
+elif [ "$1" = "-V" -o "$1" = "-version" ] ; then
+ exec $SSH -V
+else
+ args=("$@")
+fi
+
+preargs=()
+postargs=()
+nao=1246AaCfgKkMNnqsTtVvXxYy
+userhost=
+check_srv=true
+i=0
+
+# Only parse args up to [user@]host
+for (( i=0; i<${#args[*]}; i++ )) ; do
+ case ${args[i]} in
+ -[$nao]|-[$nao]*[$nao])
+ preargs[${#preargs[*]}]="${args[i]}"
+ args[i]=
+ ;;
+ -*p)
+ preargs[${#preargs[*]}]="${args[i]}"
+ args[i]=
+ ((i++))
+ preargs[${#preargs[*]}]="${args[i]}"
+ args[i]=
+ check_srv=false # ignore SRV record
+ ;;
+ -*)
+ preargs[${#preargs[*]}]="${args[i]}"
+ args[i]=
+ ((i++))
+ preargs[${#preargs[*]}]="${args[i]}"
+ args[i]=
+ ;;
+ *)
+ userhost="${args[i]}"
+ args[i]=
+ postargs=($(echo "${args[@]}"))
+ break
+ ;;
+ esac
+done
+
+if [ -z "$userhost" ] ; then
+ usage
+ exit 1
+fi
+
+host=${userhost##*@}
+user=${userhost%%@*}
+[ "$user" = "$host" ] && user=
+
+if [ "$check_srv" = "true" ] ; then
+ _dmsg "Checking SRV"
+ echo $host | grep '[A-Za-z]' > /dev/null
+ if [ $? = 0 ] ; then
+ srv=$(host -s -W 1 -t SRV _ssh._tcp.${host} localhost|grep "has SRV")
+ if [ $? = 0 ] ; then
+ echo "srv: '$srv'"
+ shost=${srv##* }
+ host=${shost%*.}
+ sport=${srv%* $host.}
+ port=${sport##* }
+
+ if [ -z "$host" ] ; then
+ echo "Could not figure out hostname in SRV record"
+ exit 1
+ fi
+ fi
+ srv=$(host -s -W 1 -t A ${host} localhost|grep "has address")
+ if [ $? = 0 ] ; then
+ echo "srv: '$srv'"
+ host=${srv##* }
+
+ if [ -z "$host" ] ; then
+ echo "Could not figure out ip address in A record"
+ exit 1
+ fi
+ fi
+ fi
+ [ "$port" != "" ] && preargs[${#preargs[*]}]="-p ${port}"
+ _dmsg "After SRV lookup -- HOST: $host PORT: $port"
+fi
+
+[ "$user" != "" ] && userat="${user}@" || userat=""
+
+args=("${preargs[@]}" "${userat}${host}" "${postargs[@]}")
+
+_dmsg $SSH ${args[@]}
+exec $SSH ${args[@]}
diff --git a/tatu/db/models.py b/tatu/db/models.py
index c25eb55..062acce 100644
--- a/tatu/db/models.py
+++ b/tatu/db/models.py
@@ -117,7 +117,7 @@ class Token(Base):
 hostname = sa.Column(sa.String(36))
 used = sa.Column(sa.Boolean, default=False)
 date_used = sa.Column(sa.DateTime, default=datetime.min)
- fingerprint_used = sa.Column(sa.String(36))
+ fingerprint_used = sa.Column(sa.String(60))
 def createToken(session, host_id, auth_id, hostname):
@@ -146,7 +146,7 @@ class HostCert(Base):
 __tablename__ = 'host_certs'
 host_id = sa.Column(sa.String(36), primary_key=True)
- fingerprint = sa.Column(sa.String(36), primary_key=True)
+ fingerprint = sa.Column(sa.String(60), primary_key=True)
 auth_id = sa.Column(sa.String(36), sa.ForeignKey('authorities.auth_id'))
 token_id = sa.Column(sa.String(36), sa.ForeignKey('tokens.token_id'))
 pubkey = sa.Column(sa.Text)
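Review bot: After the SRV and A lookups the destination handed to ssh is the DNS-supplied target, then its address (`host=${srv##* }` after the A query), so ssh looks up and stores the host key under that value rather than the name the user typed; an unauthenticated DNS answer can therefore steer the session to a different host that ssh treats as never seen before (a first-use prompt) instead of reporting a key mismatch, and the typed name's known_hosts entry is never consulted. Saving the typed name before the lookup block, `orig_host=$host`, and adding `preargs[${#preargs[*]}]="-o"; preargs[${#preargs[*]}]="HostKeyAlias=${orig_host}"` keeps host-key verification bound to the name the user intended. Separately, `preargs[${#preargs[*]}]="-p ${port}"` stores the option and its value as one element, which only works because the final `exec $SSH ${args[@]}` is unquoted and re-splits every argument; storing `-p` and `${port}` as two elements and quoting `"${args[@]}"` would stop arguments containing spaces from being mangled. `DEBUG_ME=1` and the unconditional `echo "srv: '$srv'"` also write to stdout on every run, which would interfere with programs that use ssh as a transport over stdin/stdout if the wrapper is installed under the `ssh` name the script checks for.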
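Review bot: The length change on `Token.fingerprint_used` (and the same change on `HostCert.fingerprint` in the next hunk, where the column is part of the primary key) only alters the ORM mapping; nothing in this commit alters existing tables, so a database created with `String(36)` keeps the 36-character column and a longer fingerprint would still be truncated or rejected depending on the backend. If the project manages its schema with a migration tool, the matching migration should ship with this change; otherwise the manual upgrade step needs documenting. A short comment on the width would also help, e.g. `# 60 chars: room for an OpenSSH "SHA256:<43 base64 chars>" fingerprint (50 chars)`, assuming that is the format stored here — confirm against the code that writes these columns. Both enclosing classes start outside their hunks.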