#! /bin/sh # mail OE DNS RR info to relevent administrator # # Copyright (C) 2003 Sam Sgro # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at your # option) any later version. See . # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # # RCSID $Id: mailkey.in,v 1.1 2004/03/15 20:35:28 as Exp $ me="ipsec mailkey" PATH=/sbin:/usr/bin:/usr/local/sbin:@IPSEC_SBINDIR@:$PATH export PATH reverse=0 forward=0 mymail="" usage="Usage: $me --me my@address.tld --forward hostname.domain.tld $me --me my@address.tld --reverse 1.2.3.4" for dummy do case "$1" in --help) echo "$usage" ; exit 0 ;; --forward) forward=1 ; reverse=0 ; hostname="$2" ; shift ;; --reverse) reverse=1 ; forward=0 ; reverseip="$2" ; shift ;; --me) mymail="$2" ; shift ;; --) shift ; break ;; -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;; *) break ;; esac shift done # only do one of iOE || (pOE/rOE/fOE/insert acronym here) at a time # but you have to choose one. Plus, if ya ain't specified your mail address... if [ "$forward" -eq "$reverse" ] || [ ! "$mymail" ] then { echo "$usage"; exit 0; } fi # Test to see if there is a key to process in the first place. test1st=`ipsec showhostkey --txt 1.2.3.4 2>&1` test2nd=`echo $test1st | grep TXT` if [ ! "$test2nd" ] then { echo "Our attempt to retrieve your RSA key using 'ipsec showhostkey' failed with the following error: "$test1st" Common concerns: This account must be able to read /etc/ipsec.secrets. If you haven't generated your key yet, please run 'ipsec newhostkey'." exit 0 } fi # This is where we will save the script. save_mail_file=~/"OE_mail_""$reverseip$hostname" # RSA/SOA processing functions. # takes two arguments - the IP address/hostname to be used, and an attempt to guess the # beginning of the DNS record for the administrator txtprocess(){ ipsec showhostkey --txt $1 | sed "s/^.* IN TXT/$2. IN TXT/" | grep TXT } # Find the hostmaster part of the SOA. # This only works with the "net" portion of in-addr.arpa. commands - 20.168.192.in-addr.arpa. - # or the domain portion of FQDNs. The data is prepped using host_data in the individual sections # for $forward and $reverse. # Note: I've experienced it returning SOAs for non-routeable IP addresses! This needs to be # addressed. hostprocess(){ host -t soa $1 | grep SOA | while read a b c d e do echo $d | sed -e "s/\(^[a-zA-Z0-9-]*\)\.\([a-zA-Z0-9-\.]*\).$/\1@\2/" done } # generate the pieces that go into the template, which are dependent on the type of OE. if [ "$reverse" -eq 1 ]; then { # convert the reverse ip to something appropriate for a DNS record. arpaip=`echo $reverseip | sed -e "s/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\4.\3.\2.\1.in-addr.arpa/"` # prepare data for hostprocess() host_data=`echo $arpaip | sed -e "s/^[0-9]*\.\(.*\)/\1/"` firstsub=" I'm contacting you in your role as the administrator of the domain \"$arpaip\" as listed in its SOA record. My network security software, which employs IPSec, requires the below keying information to be published as a RR in the DNS domain which you are responsible for. " txt=`txtprocess $reverseip $arpaip` secondsub=" To this end, I need you to publish the following TXT record: --DNS_RESOURCE_RECORDS-- "$txt" --DNS_RESOURCE_RECORDS--" thirdsub="to enable full Opportunistic Encryption using the IP address: "$reverseip fourthsub="and TXT records are" proposed_email=`hostprocess $host_data` } elif [ "$forward" -eq 1 ]; then { # prepare data for hostprocess() # leave only the domain name domain_data=`echo $hostname | sed -e "s/.*\.\([a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$\)/\1/"` # leave only the host name host_data=`echo $hostname | sed -e "s/\(.*\)\.[a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$/\1/"` firstsub=" I'm contacting you in your role as the administrator of the domain \"$hostname\" as listed in its SOA record. My network security software, which employs IPSec, requires the below keying information to be published as a RR in the DNS domain which you are responsible for. " txt=`txtprocess @$hostname $host_data` secondsub=" To this end, please publish the following TXT record for the hostname $hostname: --DNS_RESOURCE_RECORDS-- $txt --DNS_RESOURCE_RECORDS--" thirdsub="to allow me to use the hostname: "$hostname" for initiator-only Opportunistic Encryption." fourthsub="record is" proposed_email=`hostprocess $domain_data` } fi # Create the template used for the body of the e-mail. mailbody=$firstsub$secondsub" Please be careful to preserve the spaces and/or quotation marks as written. These are important for the RSA key to survive DNS processing. Thanks for your help in securing the 'net! $mymail (Generated by '$me' for $mymail) Opportunistic Encryption (OE) is the result of ongoing effort by the FreeS/WAN project (www.freeswan.org). It allows for the creation of dynamic IPSec connections between hosts without pre-arrangement, authenticated via RSA keys stored in DNS records. Technical information on OE can be found in this RFC draft: http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/draft-richardson-ipsec-opportunistic.txt If you have any questions about these TXT records, or about OE in general, please direct them to the FreeS/WAN support lists: users@lists.freeswan.org " # If we managed to find a hostmaster, make the appropriate modifications to the mail's body and # our instructions to the user. if [ "$proposed_email" ]; then { # This is now converting the mail test into an executable script. # Most users will have reached this stage; they can edit the contact_email # if they know better than us. # -s - Subject line. By extending it, we can "hack" the mail program to # include a customized Reply-To header. mailbody="#!/bin/sh # # Edit this variable to send this message to an alternate destination contact_email=$proposed_email mail \$contact_email -s 'DNS records for Opportunistic Encryption ($hostname$reverseip) Reply-To: $mymail' < $save_mail_file # Only make it executable if we've guessed a destination e-mail address. if [ "$proposed_email" ]; then { chmod u+x $save_mail_file } fi # Tell the user what'sgoing on. echo "$screenoutput"