Fed up with the 'upgrade to a paid version' and 'confirm that you are still using this hostname' nagging of the free DynDNS providers I have put together a simple 'roll your own' dynamic DNS system, based on an NSD docker container and a trivial script which writes a zone file updated by SSH logins*.
I therefore want to be able to regularly ssh to the name server from my UTM. After faffing with /etc/crontab.dyndns and getting nowhere I realised that loginuser wasn't in the cron.deny file, it just wasn't allowed to run crontab -e. I therefore ran crontab -u loginuser -e as root, and that allowed me to configure the crontab, which sprang into life - brilliant.
Two questions occur at this point...
- Is there something obvious I should/could have done as root to load /etc/crontab.dyndns into the active crontab?
- Is there a way to trigger the same ssh login in the event that I get an IP update (in which case I could reduce the crontab frequency)?
* The server limits logins to SSH keys, and the key in use for this task is limited to running a single script.
The script takes the IP from the SSH connection, and uses the SSH_ORIGINAL_COMMAND (sanitised) as the hostname into a single subdomain of mine.
So I just call:
ssh -i dynamicDNSkey user@server host
and the server recognises the key, sanitises 'host' and uses that as an entry in the domain zone file pointing to wherever the connection was made from. It also increments the zone serial.
There is a second script that watches the config directory and prompts NSD to reload when a change is made.
Important lines from the script (bash):
# keep only ASCII letters from the hostname the client asked for
DYNHOST=${SSH_ORIGINAL_COMMAND//[^a-zA-Z]/}
# SSH_CONNECTION is "client_ip client_port server_ip server_port"; take the client address
DYNIP=$(echo "$SSH_CONNECTION" | awk '{print $1}')
Yes, I do know that the DYNHOST definition here limits valid hostnames well beyond the official DNS limitations (and that it doesn't check for things like 'not starting with a digit') but it is, I believe, a reasonably safe way of completely sanitising the input and avoiding injections. Of course to get to the script you are logged on, or have managed to obtain my SSH key - if you think it is still vulnerable to injection then do shout...
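The forced-command handler the post describes, written out end to end as an added example (this is not the poster's script). The zone file path, the zone name, IPv4-only clients and a serial line commented "; serial" are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not the poster's script. Assumed placeholders: ZONE_FILE and the
# zone name. Install as the forced command in authorized_keys, e.g.
#   command="/usr/local/bin/dyndns-update.sh",no-pty,no-port-forwarding ssh-ed25519 AAAA...
set -euo pipefail

ZONE_FILE="${ZONE_FILE:-/etc/nsd/zones/dyn.example.net.zone}"   # placeholder path

# Same letters-only filter as the post, plus lowercase and the 63-octet label limit.
sanitize_host() {
  local raw="$1" host
  host="${raw//[^a-zA-Z]/}"
  host="$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')"
  [ -n "$host" ] && [ "${#host}" -le 63 ] || return 1
  printf '%s\n' "$host"
}

# SSH_CONNECTION is "client_ip client_port server_ip server_port"; take the first
# field and accept only a dotted-quad IPv4 address (IPv6 clients are rejected here).
client_ip() {
  local ip="${1%% *}"
  case "$ip" in
    *[!0-9.]*|"") return 1 ;;
  esac
  printf '%s\n' "$ip"
}

# Filter: rewrite zone text from stdin, replacing (or appending) the A record for
# $1 with $2 and incrementing the SOA serial on the line commented "; serial".
update_zone() {
  awk -v h="$1" -v ip="$2" '
    /; serial/ { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { $i = $i + 1; break } }
    $1 == h && $2 == "IN" && $3 == "A" { $4 = ip; seen = 1 }
    { print }
    END { if (!seen) printf "%s IN A %s\n", h, ip }
  '
}

main() {
  local host ip
  host="$(sanitize_host "${SSH_ORIGINAL_COMMAND:-}")" || { echo "rejected hostname" >&2; exit 1; }
  ip="$(client_ip "${SSH_CONNECTION:-}")" || { echo "no IPv4 client address" >&2; exit 1; }
  update_zone "$host" "$ip" < "$ZONE_FILE" > "$ZONE_FILE.tmp"
  mv "$ZONE_FILE.tmp" "$ZONE_FILE"     # atomic swap; the watcher script then reloads NSD
}

# sshd sets SSH_ORIGINAL_COMMAND for forced commands; only then perform the update.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then main; fi
```

The rename-into-place keeps the directory watcher from seeing a half-written zone file.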