Diffstat (limited to 'programs/mailkey/mailkey.in')
-rwxr-xr-xprograms/mailkey/mailkey.in241
1 files changed, 0 insertions, 241 deletions
diff --git a/programs/mailkey/mailkey.in b/programs/mailkey/mailkey.in
deleted file mode 100755
index fecdcf62c..000000000
--- a/programs/mailkey/mailkey.in
+++ /dev/null
@@ -1,241 +0,0 @@
-#! /bin/sh
-# mail OE DNS RR info to relevent administrator
-#
-# Copyright (C) 2003 Sam Sgro <sam@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: mailkey.in,v 1.1 2004/03/15 20:35:28 as Exp $
-
-me="ipsec mailkey"
-
-PATH=/sbin:/usr/bin:/usr/local/sbin:@IPSEC_SBINDIR@:$PATH export PATH
-
-reverse=0
-forward=0
-mymail=""
-usage="Usage:
- $me --me my@address.tld --forward hostname.domain.tld
- $me --me my@address.tld --reverse 1.2.3.4"
-
-for dummy
-do
- case "$1" in
- --help) echo "$usage" ; exit 0 ;;
- --forward) forward=1 ; reverse=0 ; hostname="$2" ; shift ;;
- --reverse) reverse=1 ; forward=0 ; reverseip="$2" ; shift ;;
- --me) mymail="$2" ; shift ;;
- --) shift ; break ;;
- -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-# only do one of iOE || (pOE/rOE/fOE/insert acronym here) at a time
-# but you have to choose one. Plus, if ya ain't specified your mail address...
-if [ "$forward" -eq "$reverse" ] || [ ! "$mymail" ]
-then
-{
-echo "$usage"; exit 0;
-}
-fi
-
-# Test to see if there is a key to process in the first place.
-test1st=`ipsec showhostkey --txt 1.2.3.4 2>&1`
-test2nd=`echo $test1st | grep TXT`
-if [ ! "$test2nd" ]
-then
-{
-echo "Our attempt to retrieve your RSA key using 'ipsec showhostkey' failed
-with the following error:
-
-"$test1st"
-
-Common concerns: This account must be able to read /etc/ipsec.secrets.
-If you haven't generated your key yet, please run 'ipsec newhostkey'."
-exit 0
-}
-fi
-
-
-# This is where we will save the script.
-save_mail_file=~/"OE_mail_""$reverseip$hostname"
-
-# RSA/SOA processing functions.
-# takes two arguments - the IP address/hostname to be used, and an attempt to guess the
-# beginning of the DNS record for the administrator
-txtprocess(){
-ipsec showhostkey --txt $1 | sed "s/^.* IN TXT/$2. IN TXT/" | grep TXT
-}
-
-# Find the hostmaster part of the SOA.
-# This only works with the "net" portion of in-addr.arpa. commands - 20.168.192.in-addr.arpa. -
-# or the domain portion of FQDNs. The data is prepped using host_data in the individual sections
-# for $forward and $reverse.
-# Note: I've experienced it returning SOAs for non-routeable IP addresses! This needs to be
-# addressed.
-hostprocess(){
-host -t soa $1 | grep SOA | while read a b c d e
-do
-echo $d | sed -e "s/\(^[a-zA-Z0-9-]*\)\.\([a-zA-Z0-9-\.]*\).$/\1@\2/"
-done
-}
-
-# generate the pieces that go into the template, which are dependent on the type of OE.
-if [ "$reverse" -eq 1 ]; then
-{
-# convert the reverse ip to something appropriate for a DNS record.
-arpaip=`echo $reverseip | sed -e "s/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\4.\3.\2.\1.in-addr.arpa/"`
-# prepare data for hostprocess()
-host_data=`echo $arpaip | sed -e "s/^[0-9]*\.\(.*\)/\1/"`
-
-firstsub=" I'm contacting you in your role as the administrator of the domain
-\"$arpaip\" as listed in its SOA record.
-
- My network security software, which employs IPSec, requires the
-below keying information to be published as a RR in the DNS domain
-which you are responsible for.
-
-"
-
-txt=`txtprocess $reverseip $arpaip`
-secondsub=" To this end, I need you to publish the following TXT record:
-
---DNS_RESOURCE_RECORDS--
-
-"$txt"
-
---DNS_RESOURCE_RECORDS--"
-
-thirdsub="to enable full Opportunistic Encryption using the IP address:
-
-"$reverseip
-
-fourthsub="and TXT records are"
-
-proposed_email=`hostprocess $host_data`
-}
-elif [ "$forward" -eq 1 ]; then
-{
-# prepare data for hostprocess()
-# leave only the domain name
-domain_data=`echo $hostname | sed -e "s/.*\.\([a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$\)/\1/"`
-# leave only the host name
-host_data=`echo $hostname | sed -e "s/\(.*\)\.[a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$/\1/"`
-
-firstsub=" I'm contacting you in your role as the administrator of the domain
-\"$hostname\" as listed in its SOA record.
-
- My network security software, which employs IPSec, requires the
-below keying information to be published as a RR in the DNS domain
-which you are responsible for.
-
-"
-
-txt=`txtprocess @$hostname $host_data`
-secondsub=" To this end, please publish the following TXT record for the hostname
-$hostname:
-
-
---DNS_RESOURCE_RECORDS--
-
-$txt
-
---DNS_RESOURCE_RECORDS--"
-thirdsub="to allow me to use the hostname:
-
-"$hostname"
-
-for initiator-only Opportunistic Encryption."
-fourthsub="record is"
-
-proposed_email=`hostprocess $domain_data`
-}
-fi
-
-# Create the template used for the body of the e-mail.
-
-mailbody=$firstsub$secondsub"
-
-
- Please be careful to preserve the spaces and/or quotation marks as written.
-These are important for the RSA key to survive DNS processing.
-
- Thanks for your help in securing the 'net!
-
- $mymail
- (Generated by '$me' for $mymail)
-
-
-
-Opportunistic Encryption (OE) is the result of ongoing effort by the FreeS/WAN
-project (www.freeswan.org). It allows for the creation of dynamic IPSec
-connections between hosts without pre-arrangement, authenticated via RSA keys
-stored in DNS records.
-
-Technical information on OE can be found in this RFC draft:
-
-http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/draft-richardson-ipsec-opportunistic.txt
-
-If you have any questions about these TXT records, or about OE in general,
-please direct them to the FreeS/WAN support lists:
-
-users@lists.freeswan.org
-"
-
-# If we managed to find a hostmaster, make the appropriate modifications to the mail's body and
-# our instructions to the user.
-if [ "$proposed_email" ]; then
-{
-
-# This is now converting the mail test into an executable script.
-# Most users will have reached this stage; they can edit the contact_email
-# if they know better than us.
-# -s - Subject line. By extending it, we can "hack" the mail program to
-# include a customized Reply-To header.
-
-mailbody="#!/bin/sh
-#
-# Edit this variable to send this message to an alternate destination
-contact_email=$proposed_email
-
-mail \$contact_email -s 'DNS records for Opportunistic Encryption ($hostname$reverseip)
-Reply-To: $mymail' <<EOF
-
-"$mailbody"
-
-EOF
-"
-
-screenoutput="Executable mail file saved to: "$save_mail_file
-}
-else
-{
-# Slightly different instructions if we have nothing to tell the user.
-
-screenoutput="$me: error: Unable to locate SOA record for this domain. Not generating executable file.
-Sample mail file saved to: "$save_mail_file
-}
-fi
-
-# Create the output that has been prepared.
-echo "$mailbody" > $save_mail_file
-
-# Only make it executable if we've guessed a destination e-mail address.
-if [ "$proposed_email" ]; then
-{
-chmod u+x $save_mail_file
-}
-fi
-
-# Tell the user what'sgoing on.
-echo "$screenoutput"