#!/usr/bin/env bash
# ==========================================================================
#         ____            _                     _____           _
#        / ___| _   _ ___| |_ ___ _ __ ___     |_   _|__   ___ | |___
#        \___ \| | | / __| __/ _ \ '_ ` _ \ _____| |/ _ \ / _ \| / __|
#         ___) | |_| \__ \ ||  __/ | | | | |_____| | (_) | (_) | \__ \
#        |____/ \__, |___/\__\___|_| |_| |_|     |_|\___/ \___/|_|___/
#               |___/
#                             --- System-Tools ---
#                  https://www.nntb.no/~dreibh/system-tools/
# ==========================================================================
#
# Fingerprint-SSH-Keys
# Copyright (C) 2013-2025 by Thomas Dreibholz
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# Contact: thomas.dreibholz@gmail.com

# Bash options:
set -eu


export TEXTDOMAIN="Fingerprint-SSH-Keys"
# export TEXTDOMAINDIR="${PWD}/locale"   # Default: "/usr/share/locale"

# shellcheck disable=SC1091
. gettext.sh



# ###### Main program #######################################################

# ====== Handle arguments ===================================================
FORMATS="raw ssh dns"
INCLUDE_DEPRECATED=0
INCLUDE_RAW=0

while [ $# -gt 0 ] ; do
   if [ "$1" == "--include-deprecated" ] || [ "$1" == "-d" ] || [ "$1" == "-include-deprecated" ] ; then
      INCLUDE_DEPRECATED=1
   elif [ "$1" == "--include-raw" ] || [ "$1" == "-r" ] || [ "$1" == "-include-raw" ] ; then
      INCLUDE_RAW=1
   elif [ "$1" == "--include-raw-python" ] || [ "$1" == "-p" ] || [ "$1" == "-include-raw-python" ] ; then
      INCLUDE_RAW=2
   else
      echo 2>&1 "$(gettext "Usage:") $0 [--include-deprecated|-d] [--include-raw|r] [--include-python|p]"
      exit 1
   fi
   shift
done


# ====== Print SSH key fingerprints =========================================
if [ -d /etc/ssh ] ; then
   hostname="$(hostname -f)"
   keys=$(find /etc/ssh -maxdepth 1 -name "ssh_host_*.pub" | sort)

   for format in ${FORMATS} ; do

      # ====== Print fingerprints in SSH format =============================
      if [ "${format}" == "raw" ] ; then
         if [ ${INCLUDE_RAW} -ne 0 ] ; then
            echo -e "\x1b[34m$(date +%FT%H:%M:%S): $(eval_gettext "Fingerprints of \${hostname} in raw format:")\x1b[0m"
            keyNumber=1
            if [ ${INCLUDE_RAW} -eq 2 ] ; then
               echo "'public-keys': {"
            fi
            for key in ${keys} ; do
               if [ ${INCLUDE_RAW} -eq 1 ] ; then
                  echo -n "#${keyNumber}: "
                  cut -d' ' -f1,2 <"${key}"
               else
                  type="$(cut -d' ' -f1 <"${key}")"
                  key="$(cut -d' ' -f2 <"${key}")"
                  if [ ${keyNumber} -gt 1 ] ; then
                     echo ","
                  fi
                  echo -n "   '${type}': '${key}'"
               fi
               keyNumber=$((keyNumber+1))
            done
            if [ ${INCLUDE_RAW} -eq 2 ] ; then
               echo -e "\n}"
            fi
            echo ""
         fi

      # ====== Print fingerprints in SSH format =============================
      elif [ "${format}" == "ssh" ] ; then
         echo -e "\x1b[34m$(date +%FT%H:%M:%S): $(eval_gettext "Fingerprints of \${hostname} in SSH format:")\x1b[0m"
         keyNumber=1
         for key in ${keys} ; do
            echo -n "#${keyNumber}: "
            ssh-keygen -lf "${key}" | sed -e "s/^\([0-9]*\) \([^ ]*\) \(.*\) (\(.*\))$/\2 (\4 \1)/g"
            keyNumber=$((keyNumber+1))
         done
         echo ""

      # ====== Print fingerprints in DNS format =============================
      elif [ "${format}" == "dns" ] ; then
         echo -e "\x1b[34m$(date +%FT%H:%M:%S): $(eval_gettext "Fingerprints of \${hostname} in DNS RR format:")\x1b[0m"
         for key in ${keys} ; do
            if [ ${INCLUDE_DEPRECATED} -eq 1 ] ; then
               ssh-keygen -r "${hostname}" -f "${key}" | cut -d' ' -f2,3,4,5,6 | grep '^IN SSHFP [1-9] [1-9]'
            else
               # Filter out deprecated DSA key type or SSH-1 hash:
               ssh-keygen -r "${hostname}" -f "${key}" | cut -d' ' -f2,3,4,5,6 | grep '^IN SSHFP [13-9] [2-9]'
            fi | while read -r in rrType algorithmID hashID fingerprint ; do
               echo -e "${hostname}\t${in}\t${rrType}\t${algorithmID}\t${hashID}\t${fingerprint}"
            done
         done
         echo ""
      fi

   done
fi
