[PATCH] Re: [linux-elitists] ssh hygiene

Jason Spence jspence@lightconsulting.com
Tue Apr 30 17:10:56 PDT 2002


On Mon, Apr 29, 2002 at 10:51:29PM -0700, Don Marti developed
a new theory of relativity and: 
> Should everyone stop using version 1.5 and previous of the ssh
> protocol?
> 
> When generating keys for SSH version 2 should you pick RSA or DSA?
> 
> Did they ever fix the "rsync over ssh hangs" bug?  I haven't seen
> it in a while but once saw it go away and then come back.
> 
> Any compelling reason to use Blowfish instead of triple-DES?
> 
> If you're going to go somewhere, set up a new account, and log in
> from there to your account back home, it makes sense to have the
> key fingerprints for your known_hosts on a piece of paper in your
> wallet -- right?
> 
> I am no good at either shell scripts or TeX, but will inflict this
> on those of you who are:
> http://zgp.org/~dmarti/warez/ssh-wallet.sh

Wow, what a neat script.  I looked at it and looked at it and then
something horrible happened:

--- ssh-wallet.sh.orig	Tue Apr 30 11:43:20 2002
+++ ssh-wallet.sh	Tue Apr 30 17:08:49 2002
@@ -1,19 +1,97 @@
 #!/bin/bash
+#
+# ssh-wallet.sh -- ssh wallet card script
+#
+# Creates a printable version of your SSH host keys.
+#
+# Note that duplicate hostnames in the known_hosts file will confuse
+# this program.
+#
+# First seen on Linux-elitists mailing list (linux-elitists@zgp.org)
+# (C) 2002 Some guy
+#
+# Probably licensed under the GPL.
+
+VERSION="1.1"
+
+function usage() {
+    echo "Usage: ssh-wallet.sh [-p] [FILE]"
+    echo "Creates a printable wallet-sized dvi with your SSH hostkeys in FILE"
+    echo 'Defaults to $HOME/.ssh/known_hosts if FILE not given'
+    echo ""
+    echo "  -B            bubblebabble output"
+    echo "  -i            do not group keys by fingerprint - print all keys"
+    echo "  -n            do not sort the keys before generating output"
+    echo "  -p            create PDF file in addition to PostScript"
+    echo "  -v            print version"
+    echo "  -h            print this help message"
+    echo ""
+    echo "Send bug reports to Linux-elitists: linux-elitists@zgp.org"
+    exit 1
+}
 
-#  ssh wallet card script
-
-SSHDIR="$HOME/.ssh"
-
-if [ ! -f $SSHDIR/known_hosts ]; then
-    echo "No ssh known hosts file." && exit 1
-fi
+function version() {
+    echo "ssh-wallet version $VERSION"
+    exit 0
+}
 
-if !(dvips --version &> /dev/null && latex --version &> /dev/null); then
+if !(dvips --version &> /dev/null || latex --version &> /dev/null); then
     echo "This script requires latex and dvips."
     echo "Please install latex and dvips and try it again."
     exit 1
 fi
 
+DO_BB=
+DO_GROUP=1
+DO_PDF=
+DO_SORT=1
+
+while getopts "Bhinpv" getopt_var; do
+    case "$getopt_var" in
+	B)
+	    DO_BB="-B"
+	    shift
+	    ;;
+	h)
+	    usage
+	    ;;
+	i)
+	    DO_GROUP=0
+	    shift
+	    ;;
+	n)
+	    DO_SORT=0
+	    shift
+	    ;;
+	p)
+	    DO_PDF=1;
+	    if ! [ -x "$(type -path ps2pdf)" ]; then
+		echo "This script requires ps2pdf."
+		echo "Please install ps2pdf and try it again."
+	    fi
+	    shift
+	    ;;
+        v)
+	    version
+	    ;;
+	\?)
+	    usage
+	    ;;
+    esac
+done
+
+if [ -z "$1" ]; then
+    KHFILE="$HOME/.ssh/known_hosts"
+    SSHDIR="$HOME/.ssh"
+else
+    KHFILE="$1"
+    SSHDIR="$(dirname $1)"
+fi
+
+if [ ! -f "$KHFILE" ]; then
+    echo "Could not open $KHFILE." && exit 1
+fi
+
 CARD="$SSHDIR/walletcard"  
 
 cat > $CARD.tex << END
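Review bot: The `shift` inside each getopts arm (`B`, `i`, `n`, `p`) moves the positional parameters out from under OPTIND, so with two or more options (e.g. `-B -p FILE`) the loop stops after the first one and the second option is taken as FILE; delete those four `shift` lines and put a single `shift $((OPTIND - 1))` after `done`. The dependency check above the loop also changed `&&` to `||`, so it now only fails when latex and dvips are *both* missing even though the message says both are required — keep `if ! (dvips --version &> /dev/null && latex --version &> /dev/null); then`. The `-p` arm prints that ps2pdf is missing but carries on, so that check needs an `exit 1` after the message to mean anything. The `cat > $CARD.tex << END` heredoc on the hunk's last line is unquoted and continues outside the hunk.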
@@ -27,13 +105,70 @@
 \keyfont{
 END
 
-ssh-keygen -l -f $SSHDIR/known_hosts | awk '{print $3 " " $1 "\\\\" $2 "\n"}' \
->> $CARD.tex
+awkscr="$SSHDIR/parse.awk"
+cat > "$awkscr" <<"EOF"
+{
+cmd = "grep '^"$3"' ~/.ssh/known_hosts | awk '{ print $2 }'";
+cmd | getline key ;
+close(cmd);
+
+if(! match(key, /^ssh/)) {
+  key = "v1 RSA";
+}
+if(match(key, /^ssh-rsa/)) {
+  key = "v2 RSA";
+}
+if(match(key, /^ssh-dss/)) {
+  key = "v2 DSA";
+}
+
+if(ENVIRON["DO_GROUP"] == "0") {
+  print "\\newline\n\n" $3 " " $1 " (" key ")\\\\" $2;
+}
+
+if(hosts[$2] == "") {
+  hosts[$2] = "\\newline\n\n" $3 " " $1 " (" key ")\\\\" $2;
+  hostseen[$2] = "1"
+}
+else if(hostseen[$2] == "1") {
+  hosts[$2] = hosts[$2] "\\\\\nAliases:\\\\" $3 " " $1 " (" key ")";
+  hostseen[$2] = "2"
+}
+else if(hostseen[$2] == "2") {
+  hosts[$2] = hosts[$2] "\\\\\n" $3 " " $1 " (" key ")";
+}
+}
+
+END {
+  "date" | getline current_date;
+  close("date");
+  printf("%s", "SSH known\\_hosts fingerprints generated " current_date);
+  if(ENVIRON["DO_GROUP"] == "1") {
+    asort(hosts);
+    for (i = 0; i < NR; i++) {
+      printf("%s", hosts[i]);
+    }
+  }
+  print "\\newline\n\nTotal hosts: " NR
+}
+EOF
+
+if [ "$DO_SORT" -eq 1 ]; then
+    ssh-keygen -l $DO_BB -f "$KHFILE" | sort +2 | DO_GROUP=$DO_GROUP gawk -f "$awkscr" >> $CARD.tex
+else
+    ssh-keygen -l $DO_BB -f "$KHFILE" | gawk -f "$awkscr" >> $CARD.tex
+fi
 
-echo "}" >> $CARD.tex
-echo "\end{document}" >> $CARD.tex
+echo "}" >> "$CARD.tex"
+echo "\end{document}" >> "$CARD.tex"
 
-(cd $SSHDIR && latex $CARD.tex &> /dev/null \
- && dvips $CARD.dvi &> /dev/null && rm $CARD.dvi)
+(cd "$SSHDIR" && latex "$CARD.tex" &> /dev/null \
+ && dvips "$CARD.dvi" &> /dev/null && rm "$CARD.dvi")
+
+if ! [ -z "$DO_PDF" ]; then
+    ps2pdf $CARD.ps
+    echo "Print the file $CARD.pdf"
+    exit 0
+fi
 
-echo "Print the file $SSHDIR/$CARD.ps"
+echo "Print the file $CARD.ps"
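Review bot: The generated `parse.awk` looks up each key's type by running `grep '^"$3"' ~/.ssh/known_hosts` through a shell, which hard-codes the default file (so with a FILE argument the types come from the wrong file) and splices the hostname field straight into a shell-quoted regex — a quote or regex metacharacter in that field breaks the command, and `^host` prefix-matches `host2` so the first `getline` can return another host's type. Both go away if the awk script reads the key types once from `ENVIRON["KHFILE"]` in a BEGIN block, with KHFILE exported the way DO_GROUP already is, as sketched below. Note that the `-n` branch at the bottom runs gawk without `DO_GROUP=...`, so neither the grouped nor the ungrouped print fires and the card lists no hosts at all. In END, `asort(hosts)` renumbers the array 1..n, so `for (i = 0; i < NR; i++)` drops the last host whenever every fingerprint is unique; use `n = asort(hosts); for (i = 1; i <= n; i++)` instead.
```shell
cat > "$awkscr" <<"EOF"
BEGIN {
  # Read each host's key type once from the file named on the command line;
  # no shell command and no regex assembled from file contents.
  while ((getline line < ENVIRON["KHFILE"]) > 0) {
    if (line ~ /^#/ || split(line, f, " ") < 3) continue;
    if (!(f[1] in keytype)) keytype[f[1]] = f[2];
  }
  close(ENVIRON["KHFILE"]);
}
{
  key = keytype[$3];
  # ... unchanged: v1/v2 RSA/DSA classification, grouping, END block ...
}
EOF
# ... unchanged: DO_SORT branch, but pass KHFILE and DO_GROUP on both gawk calls ...
ssh-keygen -l $DO_BB -f "$KHFILE" | sort +2 | KHFILE="$KHFILE" DO_GROUP="$DO_GROUP" gawk -f "$awkscr" >> "$CARD.tex"
```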


-- 
 - Jason

Conscious is when you are aware of something and conscience is when you
wish you weren't.


