author | Timo Weingärtner <timo@tiwe.de> | 2013-01-04 21:16:37 +0100 |
---|---|---|
committer | Timo Weingärtner <timo@tiwe.de> | 2013-01-07 14:18:40 +0100 |
commit | 8d177fb1f42cb80ffbf678669cd726d40f26f123 (patch) | |
tree | 4d283d547e78b7a5e9a7f94fc60f68a1dcdf1c97 | |
parent | b976b61bd47d0a404d94e390c429ac5e336b261a (diff) | |
download | openssh-known-hosts-8d177fb1f42cb80ffbf678669cd726d40f26f123.tar.gz |
implement hostname filtering
Fixes GH-1.
-rw-r--r-- | README | 15 | ||||
-rw-r--r-- | examples/curl.filter | 9 | ||||
-rwxr-xr-x | update-openssh-known-hosts | 27 |
3 files changed, 50 insertions, 1 deletions
@@ -13,6 +13,21 @@ The rest of the variables is plugin-specific.
 For examples see /usr/share/doc/openssh-known-hosts/examples/*.
+Writing a hostname filter:
+==========================
+
+Place a file $source.filter next to your $source in
+/etc/openssh-known-hosts/sources.
+
+Each line shall contain a rule consisting of an action, a space and a pattern.
+The first rule with a matching pattern decides: If the action starts with a,
+o, p or y (for accept, admit, allow, ok, pass, permit, print, yes, ...) the
+hostname will be used, otherwise it is discarded. If a key has no hostnames
+left it is discarded as a whole.
+
+An example filter can be found in
+/usr/share/doc/openssh-known-hosts/examples/curl.filter.
+
 Writing a plugin:
 =================
diff --git a/examples/curl.filter b/examples/curl.filter
new file mode 100644
index 0000000..ff7f71b
--- /dev/null
+++ b/examples/curl.filter
@@ -0,0 +1,9 @@
+# example filter file, can be used with any plugin
+# deny some subareas first
+# in most cases you won't need that
+deny sub\.example\.com$
+deny ^2001:db8:f00:
+# then allow what we are downloading the keys for
+allow \.example\.com$
+allow ^2001:db8:
+allow ^192\.0\.2\.
diff --git a/update-openssh-known-hosts b/update-openssh-known-hosts
index 8b77aee..e191f92 100755
--- a/update-openssh-known-hosts
+++ b/update-openssh-known-hosts
@@ -82,7 +82,32 @@ run-parts --list "${CONFDIR}/sources/" | while read sourcefile; do
 mv ${source}/new ${source}/current
 fi
 if [ -e ${source}/current ]; then
- sort -u ${source}/current >&3
+ if [ -e "${sourcefile}.filter" ]; then
+ mapfile -t filter < "${sourcefile}.filter"
+ for i in ${!filter[@]}; do
+ if [[ ${filter[$i]} =~ ^($|#) ]]; then
+ unset filter[$i]
+ fi
+ done
+ while read hostlist rest; do
+ IFS=, read -a hostarray <<<$hostlist
+ new_hostlist=''
+ for host in ${hostarray[@]}; do
+ for rule in "${filter[@]}"; do
+ if [[ ${host} =~ ${rule#* } ]]; then
+ if [[ ${rule%% *} =~ ^[aopy] ]]; then
+ new_hostlist="${new_hostlist}${host},"
+ fi
+ break
+ fi
+ done
+ done
+ [ "$new_hostlist" ] || continue
+ echo "${new_hostlist%,} ${rest}"
+ done < ${source}/current | sort -u >&3
+ else
+ sort -u ${source}/current >&3
+ fi
 fi
 done 3>| "${OUTFILE}.new" |
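Review bot: `for host in ${hostarray[@]}; do` leaves the array unquoted, so a host entry containing `*`, `?` or `[` — wildcard host patterns are valid in known_hosts — is pathname-expanded against the current directory before it reaches the regex test; write `for host in "${hostarray[@]}"; do`, and quote the subscript in `unset 'filter[$i]'` for the same reason. A rule whose regex does not compile makes `[[ ${host} =~ ${rule#* } ]]` return 2 without any message, which the loop treats as "no match", so a typo in a `deny` pattern falls through to a later `allow` instead of failing closed; testing each surviving rule once in the pre-filter loop, e.g. `[[ x =~ ${filter[$i]#* } ]]; [ $? -eq 2 ] && exit 1`, would reject a broken filter at startup. A rule line with no space yields the same string for both `${rule%% *}` and `${rule#* }`, so the action word itself is used as the pattern; that case deserves a comment or a rejection in the same loop. Entries whose first field is not a hostname list — a `@cert-authority`/`@revoked` marker or a hashed `|1|…` name — match no rule and are dropped silently whenever a filter exists, which may be intended but should be stated in the README text this commit adds.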