1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241
|
#! /bin/sh
# mail OE DNS RR info to relevent administrator
#
# Copyright (C) 2003 Sam Sgro <sam@freeswan.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: mailkey.in,v 1.1 2004/03/15 20:35:28 as Exp $
me="ipsec mailkey"
PATH=/sbin:/usr/bin:/usr/local/sbin:@IPSEC_SBINDIR@:$PATH export PATH
reverse=0
forward=0
mymail=""
usage="Usage:
$me --me my@address.tld --forward hostname.domain.tld
$me --me my@address.tld --reverse 1.2.3.4"
for dummy
do
case "$1" in
--help) echo "$usage" ; exit 0 ;;
--forward) forward=1 ; reverse=0 ; hostname="$2" ; shift ;;
--reverse) reverse=1 ; forward=0 ; reverseip="$2" ; shift ;;
--me) mymail="$2" ; shift ;;
--) shift ; break ;;
-*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
*) break ;;
esac
shift
done
# only do one of iOE || (pOE/rOE/fOE/insert acronym here) at a time
# but you have to choose one. Plus, if ya ain't specified your mail address...
if [ "$forward" -eq "$reverse" ] || [ ! "$mymail" ]
then
{
echo "$usage"; exit 0;
}
fi
# Test to see if there is a key to process in the first place.
test1st=`ipsec showhostkey --txt 1.2.3.4 2>&1`
test2nd=`echo $test1st | grep TXT`
if [ ! "$test2nd" ]
then
{
echo "Our attempt to retrieve your RSA key using 'ipsec showhostkey' failed
with the following error:
"$test1st"
Common concerns: This account must be able to read /etc/ipsec.secrets.
If you haven't generated your key yet, please run 'ipsec newhostkey'."
exit 0
}
fi
# This is where we will save the script.
save_mail_file=~/"OE_mail_""$reverseip$hostname"
# RSA/SOA processing functions.
# takes two arguments - the IP address/hostname to be used, and an attempt to guess the
# beginning of the DNS record for the administrator
txtprocess(){
ipsec showhostkey --txt $1 | sed "s/^.* IN TXT/$2. IN TXT/" | grep TXT
}
# Find the hostmaster part of the SOA.
# This only works with the "net" portion of in-addr.arpa. commands - 20.168.192.in-addr.arpa. -
# or the domain portion of FQDNs. The data is prepped using host_data in the individual sections
# for $forward and $reverse.
# Note: I've experienced it returning SOAs for non-routeable IP addresses! This needs to be
# addressed.
hostprocess(){
host -t soa $1 | grep SOA | while read a b c d e
do
echo $d | sed -e "s/\(^[a-zA-Z0-9-]*\)\.\([a-zA-Z0-9-\.]*\).$/\1@\2/"
done
}
# generate the pieces that go into the template, which are dependent on the type of OE.
if [ "$reverse" -eq 1 ]; then
{
# convert the reverse ip to something appropriate for a DNS record.
arpaip=`echo $reverseip | sed -e "s/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\4.\3.\2.\1.in-addr.arpa/"`
# prepare data for hostprocess()
host_data=`echo $arpaip | sed -e "s/^[0-9]*\.\(.*\)/\1/"`
firstsub=" I'm contacting you in your role as the administrator of the domain
\"$arpaip\" as listed in its SOA record.
My network security software, which employs IPSec, requires the
below keying information to be published as a RR in the DNS domain
which you are responsible for.
"
txt=`txtprocess $reverseip $arpaip`
secondsub=" To this end, I need you to publish the following TXT record:
--DNS_RESOURCE_RECORDS--
"$txt"
--DNS_RESOURCE_RECORDS--"
thirdsub="to enable full Opportunistic Encryption using the IP address:
"$reverseip
fourthsub="and TXT records are"
proposed_email=`hostprocess $host_data`
}
elif [ "$forward" -eq 1 ]; then
{
# prepare data for hostprocess()
# leave only the domain name
domain_data=`echo $hostname | sed -e "s/.*\.\([a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$\)/\1/"`
# leave only the host name
host_data=`echo $hostname | sed -e "s/\(.*\)\.[a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$/\1/"`
firstsub=" I'm contacting you in your role as the administrator of the domain
\"$hostname\" as listed in its SOA record.
My network security software, which employs IPSec, requires the
below keying information to be published as a RR in the DNS domain
which you are responsible for.
"
txt=`txtprocess @$hostname $host_data`
secondsub=" To this end, please publish the following TXT record for the hostname
$hostname:
--DNS_RESOURCE_RECORDS--
$txt
--DNS_RESOURCE_RECORDS--"
thirdsub="to allow me to use the hostname:
"$hostname"
for initiator-only Opportunistic Encryption."
fourthsub="record is"
proposed_email=`hostprocess $domain_data`
}
fi
# Create the template used for the body of the e-mail.
mailbody=$firstsub$secondsub"
Please be careful to preserve the spaces and/or quotation marks as written.
These are important for the RSA key to survive DNS processing.
Thanks for your help in securing the 'net!
$mymail
(Generated by '$me' for $mymail)
Opportunistic Encryption (OE) is the result of ongoing effort by the FreeS/WAN
project (www.freeswan.org). It allows for the creation of dynamic IPSec
connections between hosts without pre-arrangement, authenticated via RSA keys
stored in DNS records.
Technical information on OE can be found in this RFC draft:
http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/draft-richardson-ipsec-opportunistic.txt
If you have any questions about these TXT records, or about OE in general,
please direct them to the FreeS/WAN support lists:
users@lists.freeswan.org
"
# If we managed to find a hostmaster, make the appropriate modifications to the mail's body and
# our instructions to the user.
if [ "$proposed_email" ]; then
{
# This is now converting the mail test into an executable script.
# Most users will have reached this stage; they can edit the contact_email
# if they know better than us.
# -s - Subject line. By extending it, we can "hack" the mail program to
# include a customized Reply-To header.
mailbody="#!/bin/sh
#
# Edit this variable to send this message to an alternate destination
contact_email=$proposed_email
mail \$contact_email -s 'DNS records for Opportunistic Encryption ($hostname$reverseip)
Reply-To: $mymail' <<EOF
"$mailbody"
EOF
"
screenoutput="Executable mail file saved to: "$save_mail_file
}
else
{
# Slightly different instructions if we have nothing to tell the user.
screenoutput="$me: error: Unable to locate SOA record for this domain. Not generating executable file.
Sample mail file saved to: "$save_mail_file
}
fi
# Create the output that has been prepared.
echo "$mailbody" > $save_mail_file
# Only make it executable if we've guessed a destination e-mail address.
if [ "$proposed_email" ]; then
{
chmod u+x $save_mail_file
}
fi
# Tell the user what'sgoing on.
echo "$screenoutput"
|