From: Florian Weimer
Date: Tue, 20 May 2008 19:39:25 +0000 (+0200)
Subject: Add "quick" host check command
X-Git-Tag: v0.9.2~1
X-Git-Url: https://repo.or.cz/w/dowkd.git/commitdiff_plain/6025284129e70bc703476f320d90a8e0090fb925

Add "quick" host check command
---

diff --git a/dowkd.in b/dowkd.in
index a42220a..605080f 100644
--- a/dowkd.in
+++ b/dowkd.in
@@ -34,12 +34,14 @@ usage: $0 [OPTIONS...] COMMAND [ARGUMENTS...]
 
 COMMAND is one of:
 
-  file: examine files on the command line for weak keys
-  host: examine the specified hosts for weak SSH keys
-        (change destination port with "host -p PORT HOST...")
-  user: examine user SSH keys for weakness; examine all users if no
-        users are given
-  help: show this help screen
+  file:    examine files on the command line for weak keys
+  host:    examine the specified hosts for weak SSH keys
+           (change destination port with "host -p PORT HOST...")
+  user:    examine user SSH keys for weakness; examine all users if no
+           users are given
+  quick:   check this host for weak keys (encompasses "user" plus
+           heuristics to find keys in /etc)
+  help:    show this help screen
   version: show version information
 
 OPTIONS is one of:
@@ -445,6 +447,30 @@ sub from_user_all () {
     from_user $_ for @names;
 }
 
+sub from_any_file ($) {
+    my $name = shift;
+    from_openvpn_key $name and return;
+    from_pem $name and return;
+    from_ssh_auth_file $name;
+}
+
+sub from_etc () {
+    my $find;
+    open $find, '-|', qw!find /etc -type f (
+        -name *.key -o -name *.pem -o -name *.crt
+        ) -print0! or die "error: could not spawn find: $!";
+    my @files;
+    {
+        local $/ = "\0";
+        @files = <$find>;
+    }
+    close $find;
+    $? == 0 or die "error: find failed with exit status $?\n";
+    for my $file (@files) {
+        -e $file and from_any_file $file;
+    }
+}
+
 if (@ARGV && $ARGV[0] eq '-c') {
     shift @ARGV;
     $db_file = shift @ARGV if @ARGV;
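Review bot: `@files = <$find>` under `local $/ = "\0"` keeps the NUL terminator that `-print0` puts after every path, and nothing strips it before the `-e $file` test at the end of from_etc; newer perls refuse path names containing NUL ("Invalid \0 character in pathname"), so the test fails for every entry and the /etc sweep silently examines nothing, while older perls truncate at the NUL and happen to work. Add `chomp @files;` directly after the readline, inside the block where `$/` is still `"\0"`. Two smaller points in the same sub: `$? == 0 or die ...` aborts the entire quick scan as soon as find reports any unreadable directory (a non-root run hits that somewhere under /etc on most systems), so `warn "warning: find exited with status $?; results may be incomplete\n"` followed by scanning the files already collected seems more useful for a scanner; and `find` is resolved through PATH, so unless something earlier in the file sanitises `$ENV{PATH}`, the absolute `/usr/bin/find` is safer for a tool that is typically run as root. from_openvpn_key, from_pem and from_ssh_auth_file are defined outside the hunk.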
@@ -454,9 +480,7 @@ if (@ARGV) {
     my $cmd = shift @ARGV;
     if ($cmd eq 'file') {
         for my $name (@ARGV) {
-            next if from_openvpn_key $name;
-            next if from_pem $name;
-            from_ssh_auth_file $name;
+            from_any_file $name;
         }
     } elsif ($cmd eq 'host') {
         unless (@ARGV) {
@@ -484,6 +508,13 @@ if (@ARGV) {
         } else {
             from_user_all;
         }
+    } elsif ($cmd eq 'quick') {
+        from_user_all;
+        for my $file (qw/ssh_host_rsa_key.pub ssh_host_dsa_key.pub
+                      ssh_host_key known_hosts known_hosts2/) {
+            -e $file and from_ssh_auth_file $file;
+        }
+        from_etc;
     } elsif ($cmd eq 'help') {
         help;
         exit 0;
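Review bot: The names in the `quick` branch are tested with a bare `-e $file`, so `ssh_host_rsa_key.pub`, `ssh_host_dsa_key.pub`, `ssh_host_key`, `known_hosts` and `known_hosts2` are looked up relative to the current working directory rather than in /etc/ssh, and from_etc only matches `*.key`, `*.pem` and `*.crt`; unless something outside the hunk changes directory first, the host keys and system-wide known-hosts files are never examined. Prefix the directory, e.g. `for my $file (map { "/etc/ssh/$_" } qw/ssh_host_rsa_key.pub ssh_host_dsa_key.pub ssh_host_key known_hosts known_hosts2/) {`. While at it, check the intended names: OpenSSH's system-wide known-hosts file is `/etc/ssh/ssh_known_hosts`, so `known_hosts`/`known_hosts2` may not reach the file they are meant to. A comment such as `# system-wide SSH host keys and known_hosts; per-user files are covered by from_user_all` would make the split between this loop and from_user_all explicit. The enclosing if/elsif chain begins and ends outside the hunk.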