#! /bin/sh
# mail OE DNS RR info to the relevant administrator
#
# Copyright (C) 2003 Sam Sgro <sam@freeswan.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: mailkey.in,v 1.1 2004/03/15 20:35:28 as Exp $
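me="ipsec mailkey"
# Set and export PATH as two statements. The one-line form 'PATH=... export PATH'
# relies on an assignment prefixed to the special builtin 'export' persisting in
# the current shell, which is not guaranteed to behave the same across /bin/sh
# implementations and shell modes; splitting it removes the ambiguity.
PATH=/sbin:/usr/bin:/usr/local/sbin:@IPSEC_SBINDIR@:$PATH
export PATH
reverse=0
forward=0
mymail=""
usage="Usage:
$me --me my@address.tld --forward hostname.domain.tld
$me --me my@address.tld --reverse 1.2.3.4"
# Option parsing.
#   --forward HOST   initiator-only OE for a hostname   (sets hostname)
#   --reverse IP     full OE for an IPv4 address         (sets reverseip)
#   --me ADDR        the requester's mail address        (sets mymail)
# --forward and --reverse are mutually exclusive; the later one wins. Each of the
# three takes exactly one value, and omitting it is now a usage error (exit 2)
# instead of silently reading an empty "$2". Parsing stops at '--' or at the
# first word that is not an option. The values are command-line input and are
# used to build file names, DNS names and a generated script later on, so the
# consumers must quote them.
while [ $# -gt 0 ]
do
	case "$1" in
	--help) echo "$usage" ; exit 0 ;;
	--forward|--reverse|--me)
		if [ $# -lt 2 ]
		then
			echo "$0: option $1 requires an argument" >&2 ; exit 2
		fi
		case "$1" in
		--forward) forward=1 ; reverse=0 ; hostname="$2" ;;
		--reverse) reverse=1 ; forward=0 ; reverseip="$2" ;;
		--me) mymail="$2" ;;
		esac
		shift 2 ;;
	--) shift ; break ;;
	-*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
	*) break ;;
	esac
done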
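# Exactly one of --forward / --reverse must be given: the two flags are
# mutually exclusive, so equal values mean neither was supplied. --me is
# mandatory as well. A bad invocation is a usage error, so print the usage on
# stderr and exit 2 -- the same status the option parser uses for an unknown
# option -- instead of printing it on stdout and exiting 0 as if we succeeded.
if [ "$forward" -eq "$reverse" ] || [ ! "$mymail" ]
then
	echo "$usage" >&2
	exit 2
fi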
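# Test to see if there is a key to process in the first place.
# 'ipsec showhostkey --txt' prints the host's RSA key as a TXT record; output
# without "TXT" in it is an error message (stderr is merged into the capture so
# it can be shown to the user). The address 1.2.3.4 is a throw-away value used
# only to make showhostkey produce a record.
test1st=$(ipsec showhostkey --txt 1.2.3.4 2>&1)
if ! printf '%s\n' "$test1st" | grep -q TXT
then
	# Report the failure on stderr and exit non-zero so callers (and the user)
	# can see that nothing was generated; exiting 0 here hid the failure.
	echo "Our attempt to retrieve your RSA key using 'ipsec showhostkey' failed
with the following error:
$test1st
Common concerns: This account must be able to read /etc/ipsec.secrets.
If you haven't generated your key yet, please run 'ipsec newhostkey'." >&2
	exit 1
fi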
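# This is where we will save the script: ~/OE_mail_<address or hostname>.
# The suffix comes straight from the command line (--reverse / --forward), so
# squash anything outside [A-Za-z0-9._-] to '_': a value containing '/',
# whitespace or glob characters could otherwise redirect the write to another
# path or break the later unquoted uses of $save_mail_file. Ordinary IPv4
# addresses and hostnames pass through unchanged.
save_mail_file=~/"OE_mail_$(printf '%s' "$reverseip$hostname" | sed 's/[^A-Za-z0-9._-]/_/g')"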
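# RSA/SOA processing functions.
# txtprocess IDENT OWNER
#   Print the host's RSA key as a TXT resource record whose owner name is
#   rewritten to OWNER (a trailing dot is appended, making it fully qualified).
#   IDENT is handed to 'ipsec showhostkey --txt' unchanged (an IP address or
#   @hostname); lines without "TXT" (the ';' comment line) are dropped.
#   Both arguments derive from the command line, so they are quoted, and OWNER
#   is escaped before it is spliced into the sed replacement: a '\', '/' or '&'
#   in it would otherwise break or alter the substitution.
txtprocess(){
	txt_owner=$(printf '%s' "$2" | sed -e 's/\\/\\\\/g' -e 's/\//\\\//g' -e 's/&/\\\&/g')
	ipsec showhostkey --txt "$1" | sed "s/^.* IN TXT/$txt_owner. IN TXT/" | grep TXT
}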
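# Find the hostmaster part of the SOA.
# hostprocess ZONE
#   Query 'host -t soa ZONE' and print the SOA RNAME (responsible-person
#   field) as a mail address: the first label becomes the local part and the
#   trailing dot is removed -- only when it is present; the previous pattern
#   ('.$') dropped the last character unconditionally, so an RNAME printed
#   without a trailing dot lost its final letter.
#   Both "ZONE SOA MNAME RNAME ..." and the BIND 9 style "ZONE has SOA record
#   MNAME RNAME ..." output layouts are handled (the old word-position read
#   picked up the literal word "record" from the latter). Nothing is printed
#   when no SOA line comes back.
#   ZONE is either the "net" portion of in-addr.arpa (20.168.192.in-addr.arpa.)
#   or the domain portion of an FQDN; see the $forward / $reverse sections.
#   SECURITY: the result is data received from a remote DNS server. Treat it
#   as untrusted -- always quote it and never let it reach a shell or a mail
#   command unquoted.
#   Note: SOAs have been observed for non-routable IP ranges; not addressed.
hostprocess(){
	host -t soa "$1" | awk '
		{
			for (i = 1; i <= NF; i++)
				if ($i == "SOA") {
					j = i + 1
					if ($j == "record") j++
					# $j is MNAME, $(j+1) is RNAME
					if (j + 1 <= NF) print $(j + 1)
					break
				}
		}' | sed -e 's/\.$//' -e 's/^\([a-zA-Z0-9-]*\)\.\([a-zA-Z0-9.-]*\)$/\1@\2/'
}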
# generate the pieces that go into the template, which are dependent on the type of OE.
# Both branches set: $firstsub and $secondsub (fragments of the mail body used by
# the template below), $txt (the TXT record produced by txtprocess; empty if
# showhostkey printed nothing usable) and $proposed_email (hostmaster address
# guessed from the zone's SOA via hostprocess; empty when no SOA was found).
# $thirdsub and $fourthsub are also set but are not referenced anywhere visible
# in this file. Note that $reverseip, $arpaip, $hostname, $host_data and
# $domain_data are expanded unquoted into the helper calls below; they derive
# from command-line input.
if [ "$reverse" -eq 1 ]; then
{
# convert the reverse ip to something appropriate for a DNS record.
# Reverses the four dot-separated groups and appends .in-addr.arpa
# (1.2.3.4 -> 4.3.2.1.in-addr.arpa). The groups are not validated beyond
# being digit runs; if the input does not contain three dots the pattern does
# not match and $arpaip is the input unchanged.
arpaip=`echo $reverseip | sed -e "s/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\4.\3.\2.\1.in-addr.arpa/"`
# prepare data for hostprocess()
# Drop the first (host) label, leaving the zone of the enclosing /24
# (4.3.2.1.in-addr.arpa -> 3.2.1.in-addr.arpa); its SOA names the admin.
host_data=`echo $arpaip | sed -e "s/^[0-9]*\.\(.*\)/\1/"`
firstsub=" I'm contacting you in your role as the administrator of the domain
\"$arpaip\" as listed in its SOA record.
My network security software, which employs IPSec, requires the
below keying information to be published as a RR in the DNS domain
which you are responsible for.
"
# TXT record keyed by the IP address, owned by its reverse name.
txt=`txtprocess $reverseip $arpaip`
secondsub=" To this end, I need you to publish the following TXT record:
--DNS_RESOURCE_RECORDS--
"$txt"
--DNS_RESOURCE_RECORDS--"
thirdsub="to enable full Opportunistic Encryption using the IP address:
"$reverseip
fourthsub="and TXT records are"
# Untrusted DNS data; see hostprocess().
proposed_email=`hostprocess $host_data`
}
elif [ "$forward" -eq 1 ]; then
{
# prepare data for hostprocess()
# leave only the domain name
# Keeps the last two labels only, so this assumes a two-label registrable
# domain (host.example.com -> example.com). For a name under a two-label
# suffix such as host.example.co.uk it yields co.uk / host.example instead.
domain_data=`echo $hostname | sed -e "s/.*\.\([a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$\)/\1/"`
# leave only the host name
# Everything before the last two labels (host.example.com -> host).
host_data=`echo $hostname | sed -e "s/\(.*\)\.[a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$/\1/"`
firstsub=" I'm contacting you in your role as the administrator of the domain
\"$hostname\" as listed in its SOA record.
My network security software, which employs IPSec, requires the
below keying information to be published as a RR in the DNS domain
which you are responsible for.
"
# The key is requested as "@hostname" (presumably showhostkey's form for a
# hostname-based record -- confirm against 'ipsec showhostkey'), and the TXT
# owner is the bare host label relative to $domain_data.
txt=`txtprocess @$hostname $host_data`
secondsub=" To this end, please publish the following TXT record for the hostname
$hostname:
--DNS_RESOURCE_RECORDS--
$txt
--DNS_RESOURCE_RECORDS--"
thirdsub="to allow me to use the hostname:
"$hostname"
for initiator-only Opportunistic Encryption."
fourthsub="record is"
# Untrusted DNS data; see hostprocess().
proposed_email=`hostprocess $domain_data`
}
fi
# Create the template used for the body of the e-mail.
# $firstsub/$secondsub were filled in by the --reverse or --forward branch
# above (the TXT record is inside $secondsub); $mymail and $me come from the
# command line and the script header. Everything is expanded right here, so
# the resulting text is literal and is later written to $save_mail_file either
# as-is or as the here-document body of a generated mail script.
mailbody=$firstsub$secondsub"
Please be careful to preserve the spaces and/or quotation marks as written.
These are important for the RSA key to survive DNS processing.
Thanks for your help in securing the 'net!
$mymail
(Generated by '$me' for $mymail)
Opportunistic Encryption (OE) is the result of ongoing effort by the FreeS/WAN
project (www.freeswan.org). It allows for the creation of dynamic IPSec
connections between hosts without pre-arrangement, authenticated via RSA keys
stored in DNS records.
Technical information on OE can be found in this RFC draft:
http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/draft-richardson-ipsec-opportunistic.txt
If you have any questions about these TXT records, or about OE in general,
please direct them to the FreeS/WAN support lists:
users@lists.freeswan.org
"
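# If we managed to find a hostmaster, make the appropriate modifications to the mail's body and
# our instructions to the user.
#
# shquote STRING
#   Print STRING wrapped in single quotes with embedded single quotes escaped
#   ('\''), so it can be embedded as one literal word in the generated sh
#   script. Every value interpolated into that script goes through it:
#   $proposed_email is taken from a remote DNS server's SOA record, and
#   $mymail / $hostname / $reverseip from the command line -- none of them may
#   be allowed to break out of a quoted word when the script is executed.
shquote(){
	printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}
if [ "$proposed_email" ]; then
{
	# Turn the mail text into an executable script. Most users reach this
	# stage; they can edit contact_email if they know better than we do.
	# -s sets the Subject; a newline embedded in it piggy-backs a Reply-To
	# header onto the subject line (a hack inherited from the original script
	# that depends on the local mail(1) accepting a multi-line -s argument).
	# The here-document delimiter is quoted ('EOF') so that the body is not
	# expanded a second time when the script runs: $mailbody is already fully
	# expanded here and the record text must reach the recipient verbatim.
	mailbody="#!/bin/sh
#
# Edit this variable to send this message to an alternate destination.
# (Its default was taken from the domain's SOA record, i.e. from DNS data.)
contact_email=$(shquote "$proposed_email")
mail \"\$contact_email\" -s $(shquote "DNS records for Opportunistic Encryption ($hostname$reverseip)
Reply-To: $mymail") <<'EOF'
$mailbody
EOF
"
	screenoutput="Executable mail file saved to: $save_mail_file"
}
else
{
	# Slightly different instructions if we have nothing to tell the user.
	screenoutput="$me: error: Unable to locate SOA record for this domain. Not generating executable file.
Sample mail file saved to: $save_mail_file"
}
fi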
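# Write the prepared output to $save_mail_file. printf is used instead of echo
# so that any backslashes in the text (e.g. from a quoted address in the
# generated script) are written verbatim under shells whose echo interprets
# escape sequences. The file holds only data that is about to be mailed out
# (public key, addresses), so no special permissions are needed -- but a
# failed write must not be reported as success.
if ! printf '%s\n' "$mailbody" > "$save_mail_file"
then
	echo "$me: error: unable to write $save_mail_file" >&2
	exit 1
fi
# Only make it executable if we've guessed a destination e-mail address.
if [ "$proposed_email" ]; then
	chmod u+x "$save_mail_file" || exit 1
fi
# Tell the user what's going on.
echo "$screenoutput"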