Skip to content
Snippets Groups Projects
awit-ssh 11.7 KiB
Newer Older
Nigel Kukard's avatar
Nigel Kukard committed
# awit-ssh - SSH initiator which searches LDAP for host details
# Copyright (c) 2016, AllWorldIT
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <>.

use strict;
use warnings;

Nigel Kukard's avatar
Nigel Kukard committed

use Term::ANSIColor;
Nigel Kukard's avatar
Nigel Kukard committed
use Getopt::Long;
Robert Spencer's avatar
Robert Spencer committed
use Net::DBus qw(:typing);
# Check Config::IniFiles
if (!eval {require Config::IniFiles; 1;}) {
	print STDERR "You're missing Config::IniFiles, try 'apt-get install libconfig-inifiles-perl'\n";
	exit 1;
Nigel Kukard's avatar
Nigel Kukard committed
# Check IO::Socket::INET6
if (!eval {require IO::Socket::INET6; 1;}) {
	print STDERR "You're missing IO::Socket::INET6, try 'apt-get install libio-socket-inet6-perl'\n";
	exit 1;
# Check Net::LDAP
if (!eval {require Net::LDAP; 1;}) {
	print STDERR "You're missing Net::LDAP, try 'apt-get install libnet-ldap-perl'\n";
	exit 1;
# Check Term::ReadKey
if (!eval {require Term::ReadKey; 1;}) {
	print STDERR "You're missing Term::ReadKey, try 'apt-get install libterm-readkey-perl'\n";
	exit 1;
use User::pwent;
Nigel Kukard's avatar
Nigel Kukard committed

Robert Spencer's avatar
Robert Spencer committed
my $NAME = "AWIT-SSH-Client";
my $VERSION = "0.3.0";
Nigel Kukard's avatar
Nigel Kukard committed

Robert Spencer's avatar
Robert Spencer committed
print(STDERR "$NAME v$VERSION - Copyright (c) 2016, AllWorldIT\n\n");
Nigel Kukard's avatar
Nigel Kukard committed

# Grab options
my %optctl = ();


) or exit 1;

# Check for help
if (defined($optctl{'help'})) {
	exit 0;

# Check for version
if (defined($optctl{'version'})) {
	exit 0;

# Variables we may set below
my $loginUsername;

# Pull in hostname
my $hostSpec = shift(@ARGV) // "";
my ($loginHost,$loginPort) = split(':',$hostSpec);
if (defined($loginHost)) {
	# Suck in username if specified
Nigel Kukard's avatar
Nigel Kukard committed
	my ($userBit,$hostBit) = split('@',$loginHost);
	if (defined($hostBit)) {
		$loginUsername = $userBit;
		$loginHost = $hostBit;
} else {
	logger('ERROR',color('magenta')."No hostname provided".color('reset'));
# Check for config and read
my $configFile = $ENV{"HOME"}.'/.awit-ssh.conf';
if (! -f $configFile) {
	print STDERR "No configuration file found. Please answer the questions below to generate it.\n\n";

	tie %iniSetup, 'Config::IniFiles';
	$iniSetup{server} = {};
	print STDERR "Your LDAP URI     : ";
	chomp($iniSetup{server}{uri} = <STDIN>);
	$iniSetup{server}{uri} =~ s/^uri=//;
	print STDERR "Your LDAP Base    : ";
	chomp($iniSetup{server}{base} = <STDIN>);
	$iniSetup{server}{base} =~ s/^base=//;
	tied(%iniSetup)->WriteConfig($configFile) or die "Could not write settings to new configuration file.";
	untie %iniSetup;
} else {
	# Flag, so we don't echo the same output lower down immediately after a setup.
	$iniSetup{server} = 'installed';
my $config = Config::IniFiles->new(-file => $configFile);

my $ldapURI = $config->val("server","uri");
if (!defined($ldapURI) || $ldapURI eq "") {
	logger('ERROR',color('magenta')."Server URI not defined in config file".color('reset'));
	exit 1;

my $ldapBase = $config->val("server","base");
if (!defined($ldapBase) || $ldapBase eq "") {
	logger('ERROR',color('magenta')."Server base DN not defined in config file".color('reset'));
my $pkcsProvider = $config->val("pkcs11","provider");
if (defined($pkcsProvider) && $pkcsProvider ne "") {
	if (! -f $pkcsProvider) {
		logger('ERROR',color('magenta')."PKCS11 provider '$pkcsProvider' does not exist".color('reset'));
		exit 1;

Nigel Kukard's avatar
Nigel Kukard committed

# Check if we should be doing port knocking
if (defined(my $knock = $optctl{'knock'})) {
	# If so, split off the host and the port
	my ($host,$port) = split(':',$knock);
	if (!defined($port)) {
		logger('ERROR',color('magenta')."Port knock specifications should be in the format of HOST:PORT".color('reset'));
Nigel Kukard's avatar
Nigel Kukard committed
		exit 1;
	print STDERR "Port knocking '$host' on port '$port'...";
	# Do the port knock
	my $sock = IO::Socket::INET6->new(
		PeerAddr => $host,
		PeerPort => $port,
		Proto => 'tcp',
		Timeout => 3
	# We should get a failure of "Connection refused", if not ERR
	if (defined($sock) || $! ne "Connection refused") {
		print STDERR "FAILED\n";
		exit 1;
	print STDERR "success\n";

if (%iniSetup) {
	print STDERR "LDAP server URI   : $ldapURI\n";
	print STDERR "LDAP server base  : $ldapBase\n";
# Try get name automatically
my $pwent = getpwnam($ENV{'USER'});
(my $username) = split(/,/,$pwent->gecos);
if (!defined($username) || $username eq "") {
	print STDERR "WARNING: Cannot determine your name, set your gecos field.\n\n";
	print STDERR "Your LDAP CN      : ";
	$username = <STDIN>;
} else {
	print STDERR "Your LDAP CN      : $username (passwd->gecos)\n";
Nigel Kukard's avatar
Nigel Kukard committed

Robert Spencer's avatar
Robert Spencer committed
my $password;

if ($config->SectionExists("kwallet")) {
	my $dbus = Net::DBus->find();

	# Grab the kwallet service off DBus
	my $kwalletService = $dbus->get_service('org.kde.kwalletd');
	if (!defined($kwalletService)) {
		logger('WARNING',color('magenta')."Kwallet not found on DBus".color('reset'));
Robert Spencer's avatar
Robert Spencer committed
	my $kwalletObject = $kwalletService->get_object('/modules/kwalletd','org.kde.KWallet');
	# Grab a handle to the network wallet
	my $networkWalletName = $kwalletObject->networkWallet();
	my $kwalletHandle = $kwalletObject->open($networkWalletName,0,$NAME);
Robert Spencer's avatar
Robert Spencer committed
	my $kwalletFolder = $config->val("kwallet","folder");
	if (!defined($kwalletFolder) || $kwalletFolder eq "") {
		logger('ERROR',color('magenta')."Kwallet folder not defined in config file".color('reset'));
		exit 1;
	my $kwalletFolderEntry = $config->val("kwallet","entry");
	if (!defined($kwalletFolderEntry) || $kwalletFolderEntry eq "") {
		logger('ERROR',color('magenta')."Kwallet folder entry not defined in config file".color('reset'));
		exit 1;
	$password = $kwalletObject->readPassword($kwalletHandle,$kwalletFolder,$kwalletFolderEntry,$NAME);
Robert Spencer's avatar
Robert Spencer committed

if (!defined($password) || $password eq "") {
	print STDERR "Your LDAP Password: ";
	# Don't echo password
	chomp($password = <STDIN>);
	# Turn echo back on
Nigel Kukard's avatar
Nigel Kukard committed
print STDERR "\n";

my $ldap = Net::LDAP->new($ldapURI,
Nigel Kukard's avatar
Nigel Kukard committed
#	'debug' => 15
if (!defined($ldap)) {
	logger('ERROR',color('magenta')."Failed to setup LDAP object '%s'".color('reset'),$@);
Nigel Kukard's avatar
Nigel Kukard committed
	exit 2;

# Bind
my $mesg = $ldap->bind("cn=$username,ou=Users,$ldapBase",password => $password);
Nigel Kukard's avatar
Nigel Kukard committed

# Search
$mesg = $ldap->search(
	base => "ou=Servers,$ldapBase",
	filter => "(|(cn=$loginHost)(awitLoginHost=$loginHost)(awitLoginHostAlias=$loginHost))",
Nigel Kukard's avatar
Nigel Kukard committed
# Check for error
if (my $mesgCode = $mesg->code()) {
	if ($mesgCode eq "No such object") {
		logger('ERROR',color('magenta')."LDAP returned '%s', this more than likely means a Username/Password error or your BaseDN is wrong.".color('reset'),$mesgCode);
		logger('ERROR',color('magenta')."LDAP returned '%s'".color('reset'),$mesgCode);
Nigel Kukard's avatar
Nigel Kukard committed
	exit 2;

Nigel Kukard's avatar
Nigel Kukard committed

# If no matches
my @ldapResults = $mesg->entries();
my $ldapNumResults = @ldapResults;
my $ldapEntry;
if ($ldapNumResults < 1) {
	logger('NOTICE',color('bold blue')."No LDAP results, using defaults".color('reset'));
Nigel Kukard's avatar
Nigel Kukard committed

} elsif ($ldapNumResults == 1) {
	$ldapEntry = $ldapResults[0];

} elsif ($ldapNumResults > 1) {
	logger('WARNING',color('red')."Found multiple entries!".color('reset'));
	print STDERR "\n";
	foreach my $key (sort(keys %{$mesg->as_struct()})) {
		logger('MENU '.$counter,"  ".color('red')."%s".color('reset'),$key);
Nigel Kukard's avatar
Nigel Kukard committed
	print STDERR "Your selection: ";
	chomp(my $menuSelection = <STDIN>);
	if ($menuSelection =~ /\D/) {
		exit 3;
	$ldapEntry = $ldapResults[$menuSelection];
Nigel Kukard's avatar
Nigel Kukard committed

print STDERR "\n";

# Check if we got a result and modify our connection details
if ($ldapEntry) {
	my $ldapEntryName = $ldapEntry->get_value('cn');
	logger('INFO',"Found server entry '".color('green')."$ldapEntryName".color('reset')."'");
Nigel Kukard's avatar
Nigel Kukard committed

	# Check if we need to set the host
	$loginHost = $ldapEntryName;
Nigel Kukard's avatar
Nigel Kukard committed
	if (my $ldapLoginHost = $ldapEntry->get_value('awitLoginHost')) {
		logger('INFO',"  - Host ".color('green')."%s".color('reset')." (awitLoginHost)",$ldapLoginHost);
		$loginHost = $ldapLoginHost;
Nigel Kukard's avatar
Nigel Kukard committed

	# Check if we need to set the port
	if (my $ldapLoginPort = $ldapEntry->get_value('awitLoginPort')) {
		logger('INFO',"  - Port ".color('green')."%s".color('reset')." (awitLoginPort)",$ldapLoginPort);
		$loginPort = $ldapLoginPort if (!defined($loginPort));
Nigel Kukard's avatar
Nigel Kukard committed

	# Check if we need to set the username
	if (my $ldapLoginUsername = $ldapEntry->get_value('awitLoginUsername')) {
		logger('INFO',"  - Username ".color('green')."%s".color('reset')." (awitLoginUsername)",$ldapLoginUsername);
		$loginUsername = $ldapLoginUsername if (!defined($loginUsername));
Nigel Kukard's avatar
Nigel Kukard committed
	# Check if we have a description
	if (my $ldapDescription = $ldapEntry->get_value('description')) {
		foreach my $line (split(/\n/,$ldapDescription)) {
			logger('INFO',"    ".color('green')."%s".color('reset'),$line);
Nigel Kukard's avatar
Nigel Kukard committed
		# Hack'ish ... look if the description mentions dss is required...
		if ($ldapDescription =~ /needs ssh-dss/i) {
			$needDSS = 1;
Nigel Kukard's avatar
Nigel Kukard committed

	# Check if we have a wiki page
	if (my $ldapLoginWikiPage = $ldapEntry->get_value('awitLoginWikiPage')) {
Nigel Kukard's avatar
Nigel Kukard committed
		logger('INFO',"Wiki Page");
		logger('INFO',"    ".color('green')."%s".color('reset'),$ldapLoginWikiPage);
# TODO for forwarding
Robert Spencer's avatar
Robert Spencer committed
if (defined($pkcsProvider)) {

Nigel Kukard's avatar
Nigel Kukard committed
# Check if we have a port defined, if so specify it
if (defined($loginPort)) {
Nigel Kukard's avatar
Nigel Kukard committed

# Check if we have a different username defined to login as
if (defined($loginUsername)) {

# If the server is ancient, we need to enable DSS
if (defined($needDSS)) {
	logger('WARNING',color('red')."Host needs ssh-dss".color('reset'));

logger('NOTICE',"Connecting to host '".color('green')."$loginHost".color('reset')."'" .
		(defined($loginPort) ? " on port '".color('green')."$loginPort".color('reset')."'" : "") . "...\n\n\n");

# Fixup environment
$ENV{'LANG'} = "en_US.UTF-8";

Nigel Kukard's avatar
Nigel Kukard committed
Nigel Kukard's avatar
Nigel Kukard committed
		# Try our key only, we should never need to fall back to password
Nigel Kukard's avatar
Nigel Kukard committed
		# Use TCP keepalive
Nigel Kukard's avatar
Nigel Kukard committed
Nigel Kukard's avatar
Nigel Kukard committed
Nigel Kukard's avatar
Nigel Kukard committed
		'-o','ServerAliveCountMax=24', # 120s
		# Timeout for our connect
Nigel Kukard's avatar
Nigel Kukard committed
		# Use basic compression
Nigel Kukard's avatar
Nigel Kukard committed
Nigel Kukard's avatar
Nigel Kukard committed
		# Fail if we cannot forward ports
Nigel Kukard's avatar
Nigel Kukard committed
Nigel Kukard's avatar
Nigel Kukard committed
Nigel Kukard's avatar
Nigel Kukard committed
Nigel Kukard's avatar
Nigel Kukard committed

Nigel Kukard's avatar
Nigel Kukard committed
exit 0;

# Internal Functions

Nigel Kukard's avatar
Nigel Kukard committed

# Log something
sub logger
	my ($level,$arg1,@args) = @_;

Nigel Kukard's avatar
Nigel Kukard committed
	printf(STDERR '%-7s: '.$arg1.color('reset')."\n",$level,@args);
Nigel Kukard's avatar
Nigel Kukard committed

# Display version
sub displayVersion
	print("Version: $VERSION\n");

# Display usage
sub displayHelp
Usage: $0 <options> [USER@]HOST
Nigel Kukard's avatar
Nigel Kukard committed

    General Options:
      --help                             What you're seeing now.
      --version                          Display version.
      --debug                            Enable debugging.

    Port Knocking:
      --knock HOST:PORT                  Port knock a host to get access.