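#!/bin/sh
#
# $Id: setup_skip,v 1.2 1998/01/17 11:01:24 dgregor Exp $
#
# Address correspondence to
#
# Copyright (c) 1998 Daniel J. Gregor Jr., All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#    must display the following acknowledgement:
#      This product includes software developed by Daniel J. Gregor Jr.
# 4. The name of Daniel J. Gregor Jr. may not be used to endorse or promote
#    products derived from this software without specific prior written
#    permission.
#
# THIS SOFTWARE IS PROVIDED BY DANIEL J. GREGOR JR. ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL DANIEL J. GREGOR JR. BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# setup_skip: decode the SKIP certificate embedded below, register it with
# skipdb, and create the skiphost ACL entries for the SKIP "server"
# network (and its tunnel, if any).  The administrator of the server
# edits the variables and the ##CERT block, then runs the result on each
# client.  skipdb/skiphost normally require root.
#
# Written for the Solaris Bourne shell: backquotes rather than $(...),
# "[" rather than "[[", and no arrays -- argument lists are collected with
# "set --" so that every value is passed as exactly one word.

# This script runs privileged and calls tools by bare name in places, so
# do not let a caller's PATH decide which grep/sed/uudecode gets run.
PATH=/usr/bin:/bin
export PATH

SKIPBINDIR=/opt/SUNWicg/bin

# These should only be modified by the system administrator that
# maintains the SKIP "server" system.
CERTTYPE=udh              # What is the type of this certificate?
NSID=8                    # what is its NSID
NETWORK="192.168.0.0"     # this must be specified
NETMASK="255.255.0.0"     # optional
TUNNEL="209.115.10.130"   # optional - leave this blank if there is no tunnel
KEYALG="DES-CBC"          # optional
CRYPTALG="DES-CBC"        # optional
MACALG="MD5"              # optional
KEYSIZE="1024"            # optional

# Replace the lines below with your server certificate file.
#
# Run:
#	uuencode certfile < your_actual_cert_file | sed 's/^/##CERT /'
#
# and replace the below lines with the output from the above command.
# (Everything after the "##CERT " prefix must stay byte-for-byte as
# uuencode printed it; the prefix is what lets the script find its own
# certificate with grep.)
#
####################################################################
##CERT begin 644 certfile
##CERT MN ^2=,%UD_0 @/2(_5A.2=O-(+2=Y)$'-FLS;#@-11T/?(BS''Q;+8[V\\DC
##CERT MP$/PI5L8C8Z[58RX73C3-/U\%U=#HQT8;-XS(2RU*O\\X;$I0!@1C7R$IPIR
##CERT MUH;$ QG(!REZRI4,V9:?J] *4)L"1M,(/6:D74&?N'R]B4LB&2:ZJZ)>PU7I
##CERT M+WC' $" (!2,,\R]D) E3?43<+8_FPI6XQ-;8#1,Y9_*%@Z1#JHB;(H$\RZ
##CERT M5OMW[ CU T*KSL
##CERT MD0J.!,.RV=/=7[7OOU%PNM9)<'>HYT*U;Q"J\_&(4D"!5U1)=?N!W\&W]@.0
##CERT !M@J.
##CERT 
##CERT end
####################################################################

# Various variables
TMPDIR=/tmp/setup_skip.$$
CERTFILE=${TMPDIR}/certfile

# A simple PERL-like "die" function: print the message on stderr,
# prefixed with the script name, and exit non-zero.
BASENAME=`basename "$0"`
die(){
	echo "${BASENAME}: $*" >&2
	exit 1
}

# Check that a local key of the appropriate size exists.
# "skiplocal list" is expected to print, per key, an "MKID: ..." line and
# a "Modulus size: N bits" line; pairing them with paste gives
# "<mkid><TAB><N>", and the first pair whose size is exactly KEYSIZE wins.
# The [^0-9] anchor keeps e.g. KEYSIZE=1024 from matching a 11024-bit key.
LOCALKEY=
if [ -n "${KEYSIZE}" ]
then
	LOCALKEY=`${SKIPBINDIR}/skiplocal list | \
		/usr/bin/egrep 'MKID|Modulus size' | \
		/usr/bin/sed -e 's/.*: //' -e 's/ bits//' | \
		/usr/bin/paste - - | \
		/usr/bin/grep '[^0-9]'"${KEYSIZE}"'$' | \
		/usr/bin/head -1 | \
		/usr/bin/cut -f 1`
	if [ -z "${LOCALKEY}" ]
	then
		die "Could not find a ${KEYSIZE} bit local key -- you need to make one"
	fi
	echo "Using local key: ${LOCALKEY}"
fi

# Make a private directory to hold temporary files.  mkdir without -p
# fails if the name already exists, so a file or symlink planted at this
# (predictable, PID-based) name stops the script instead of being
# followed; -m 700 keeps the decoded certificate readable by us only.
mkdir -m 700 "${TMPDIR}" || die "Could not make temporary directory: ${TMPDIR}"
# Remove the directory when we exit, whichever way we exit.
trap '/usr/bin/rm -rf "${TMPDIR}"' 0

# Grab the certificate out of this script.  Use $0 as given, not just its
# basename: the basename only resolves when the current directory happens
# to be the one holding the script.
grep '^##CERT ' "$0" | \
	/usr/bin/sed -e 's/^##CERT //' | \
	/usr/bin/uudecode -p > "${CERTFILE}"
# uudecode's status is lost in the pipeline; an empty output file is the
# reliable sign that the ##CERT block is missing or damaged.
[ -s "${CERTFILE}" ] || die "Could not decode a certificate from $0 -- check the ##CERT lines"

# Turn the output of print_cert into data that is useable by skiphost:
#	Name/Hash: dd 83 f7 9d 3b 9f 53 e2 14 83 ea 10 ef a9 cf dc
# becomes "dd83f79d3b9f53e21483ea10efa9cfdc", which is passed to
# skiphost as the -R value.
MKID=`${SKIPBINDIR}/print_cert -t "${CERTTYPE}" "${CERTFILE}" | \
	/usr/bin/grep "^Name/Hash:" | \
	/usr/bin/sed -e 's/^Name\/Hash: //' -e 's/ //g'`
# Without this check an empty MKID would silently turn "-R -r NSID" into
# "-R" taking "-r" as its value.
[ -n "${MKID}" ] || die "Could not read Name/Hash from the certificate with print_cert"

if [ -z "${NETWORK}" ]
then
	die "The NETWORK in this shell script is unset -- it must be set"
fi

# Collect the options shared by every skiphost ACL call in "$@".
# Each option value is added as its own word, so nothing is re-split.
set --
if [ -n "${KEYALG}" ]
then
	set -- "$@" -k "${KEYALG}"
fi
if [ -n "${CRYPTALG}" ]
then
	set -- "$@" -t "${CRYPTALG}"
fi
if [ -n "${MACALG}" ]
then
	set -- "$@" -m "${MACALG}"
fi
set -- "$@" -R "${MKID}" -r "${NSID}"
if [ -n "${KEYSIZE}" ]
then
	set -- "$@" -s 8 -S "0x${LOCALKEY}"
fi

# Add the certificate
${SKIPBINDIR}/skipdb add -t "${CERTTYPE}" -n "${NSID}" "${CERTFILE}" || \
	die "Could not add certificate with skipdb"

# Setup a default ACL entry
${SKIPBINDIR}/skiphost -a default || \
	die "Could not setup default ACL entry"

# Setup an entry for the tunnel, if there is a tunnel
if [ -n "${TUNNEL}" ]
then
	${SKIPBINDIR}/skiphost -a "${TUNNEL}" "$@" || \
		die "Could not create ACL entry for tunnel"
fi

# lastly, do the REAL work: the entry for the destination network, in the
# order  -a NETWORK [-M NETMASK] <shared options> [-A TUNNEL]
if [ -n "${NETMASK}" ]
then
	set -- -a "${NETWORK}" -M "${NETMASK}" "$@"
else
	set -- -a "${NETWORK}" "$@"
fi
if [ -n "${TUNNEL}" ]
then
	set -- "$@" -A "${TUNNEL}"
fi
${SKIPBINDIR}/skiphost "$@" || \
	die "Could not create ACL entry for destination network"

# tell the user what he/she needs to do to finish up
echo "Run \"${SKIPBINDIR}/skiphost -o on\" to enable SKIP's ACLs"
echo "Use \"${SKIPBINDIR}/skipif -s\" to make the changes take effect after reboots"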