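#!/usr/bin/env bash
# ====== authfilter ======
# ===== installation =====
#
# Installation notes for authfilter, reconstructed as a script from the
# wiki page.  The page gave two paste-able snippets that run on DIFFERENT
# hosts, so they are kept as two functions selected by the first argument:
#   dns    - on the DNS server: generate the TSIG key, register it in
#            named.conf, reload named and print the line to copy to the client
#   client - on the client: import the key (done by hand, see the dns output),
#            install the authfilter binary, feed it from rsyslog via a named
#            pipe and respawn it from inittab
# Runs as root.  KEYUSER may be overridden in the environment; the default is
# the value from the original page.
set -euo pipefail

KEYUSER=${KEYUSER:-wiki.fischglas.de}
readonly KEYUSER

die() { printf '%s\n' "$*" >&2; exit 1; }

# ==== @ dns ====
#######################################
# Generate the HMAC-SHA512 TSIG key for $KEYUSER, install it for named(8)
# and print the import line for the client.
# Globals:   KEYUSER (read)
# Outputs:   the key import instructions (including the secret) on stdout;
#            named's log on stderr/stdout while it reconfigures
# Returns:   exits non-zero via die/set -e on any failed step
#######################################
install_dns() {
  local key_tmpdir key tail_pid
  key_tmpdir=$(mktemp -d /tmp/dnssec-keygen-XXXXXXXXXX) || die "mktemp failed"
  # Key material is removed on every exit path, not only the happy one.
  # Expanded now on purpose: key_tmpdir is local to this function.
  trap "rm -rf -- '$key_tmpdir'" EXIT

  # NOTE: newer BIND releases dropped HMAC support from dnssec-keygen; there
  # tsig-keygen emits an equivalent key statement directly (check your version).
  key=$(
    cd "$key_tmpdir" || exit 1
    key_name=$(dnssec-keygen -a HMAC-SHA512 -b 512 -n USER "$KEYUSER-ddns") || exit 1
    awk '/^Key: / { print $2 }' "$key_name.private"
  ) || die "dnssec-keygen failed"
  [[ -n "$key" ]] || die "no secret found in generated key file"

  # The key file holds the shared secret, so it must not be world-readable.
  # named(8) still has to read it: give its service group read access
  # (adjust group ownership to the local named service account if needed).
  (
    umask 027
    cat << EOF > "/etc/bind/k.ssh-rbl.$KEYUSER"
key "k.ssh-rbl.$KEYUSER" {
	algorithm hmac-sha512;
	secret "$key";
};
EOF
  )

  # vo: site-local RCS checkout (-o) / checkin (-i) wrapper, presumably.
  vo -o /etc/bind/named.conf
  # add the key to the update-ssh-rbl ACL (inserted before its closing brace)
  sed -i '/^acl "update-ssh-rbl"/,/^};/{ /^}/i\\tkey k.ssh-rbl.'"$KEYUSER"'; }' /etc/bind/named.conf
  # rcsdiff exits 1 when the files differ, which is the expected case here
  rcsdiff -u /etc/bind/named.conf || true
  vo -i /etc/bind/named.conf

  # show named's log while it reloads so a rejected configuration is visible
  tail -n0 -f /var/log/daemon.log &
  tail_pid=$!
  rndc reconfig || { kill "$tail_pid"; die "rndc reconfig failed"; }
  sleep 10
  kill "$tail_pid"

  # The secret is printed on purpose so it can be carried to the client;
  # umask 077 keeps the key file from ever being world-readable.
  cat << EOF
# on '$KEYUSER' run:
( umask 077; echo "k.ssh-rbl.$KEYUSER $key" > /etc/authfilter.key )
chmod 600 /etc/authfilter.key
EOF
}

# ==== @ client ====
#######################################
# Install authfilter on the client and hook it into rsyslog and inittab.
# The k.ssh-rbl.* key must already have been imported to /etc/authfilter.key
# as printed by install_dns.
# Globals:   none
# Returns:   exits non-zero via die/set -e on any failed step
#######################################
install_client() {
  local tmp_bin
  # import the k.ssh-rbl.* key to /etc/authfilter.key as shown above
  [[ -s /etc/authfilter.key ]] \
    || die "/etc/authfilter.key missing: import the k.ssh-rbl.* key first"

  # UNIX::Syslog.pm
  apt-get install libunix-syslog-perl
  apt-get clean

  # The binary is fetched over plain HTTP with no integrity check.  Download
  # to a temp file and only move it into place once it is complete, so a
  # failed fetch never leaves a broken executable behind.
  # TODO(review): verify the file (checksum/signature obtained out of band,
  # e.g. sha256sum -c <TRUSTED-CHECKSUM-FILE>) before making it executable.
  tmp_bin=$(mktemp /usr/local/bin/authfilter.XXXXXXXXXX) || die "mktemp failed"
  wget http://www.fischglas.de/software -O "$tmp_bin" \
    || { rm -f -- "$tmp_bin"; die "download failed"; }
  chmod 755 "$tmp_bin"
  mv -f -- "$tmp_bin" /usr/local/bin/authfilter

  # named pipe rsyslog writes into and authfilter reads from; mknod fails
  # when it already exists, so skip it to keep the step re-runnable
  [[ -p /dev/authfilter ]] || mknod -m 640 /dev/authfilter p

  if [[ -d /etc/rsyslog.d ]]; then
    touch /etc/rsyslog.d/authfilter.conf
    mkdir -p /etc/rsyslog.d/RCS
    vo -o /etc/rsyslog.d/authfilter.conf
    # append once only; a second run must not duplicate the rule
    grep -qF -- '|/dev/authfilter' /etc/rsyslog.d/authfilter.conf \
      || printf 'auth,authpriv.*\t|/dev/authfilter\n' >> /etc/rsyslog.d/authfilter.conf
    vo -i /etc/rsyslog.d/authfilter.conf
    /etc/init.d/rsyslog restart
  fi

  mkdir -p /etc/RCS
  vo -o /etc/inittab
  # respawn authfilter from init; append once only
  grep -q '^AF:' /etc/inittab \
    || printf '%s\n' "AF:23:respawn:/usr/local/bin/authfilter /dev/authfilter" >> /etc/inittab
  vo -i /etc/inittab
  #kill -1 1
  telinit q
}

main() {
  case "${1:-}" in
    dns) install_dns ;;
    client) install_client ;;
    *) die "usage: ${0##*/} dns|client" ;;
  esac
}

main "$@"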