author | Jameson Graef Rollins <jrollins@phys.columbia.edu> | 2008-06-16 20:00:46 -0400 |
committer | Jameson Graef Rollins <jrollins@phys.columbia.edu> | 2008-06-16 20:00:46 -0400 |
commit | e619b23879fde5703da435141754324dcf7cfa53 (patch) | |
tree | b469466288dbc7d2aa663c691bcf4095a5b65b53 | |
parent | 114c8d24c679e2a2339700395bc32929c3b4dcba (diff) | |
parent | deb41134ca527508253244cfa8860a2031034825 (diff) |
Merge branch 'master' into no-cache
Conflicts:
src/common
src/monkeysphere
src/monkeysphere-ssh-proxycommand
-rw-r--r-- | etc/monkeysphere-server.conf | 1 | ||||
-rw-r--r-- | etc/monkeysphere.conf | 11 | ||||
-rw-r--r-- | src/common | 30 | ||||
-rwxr-xr-x | src/monkeysphere | 10 | ||||
-rwxr-xr-x | src/monkeysphere-server | 32 | ||||
-rwxr-xr-x | src/monkeysphere-ssh-proxycommand | 9 |
6 files changed, 56 insertions, 37 deletions
diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf
index 82da497..3915bf4 100644
--- a/etc/monkeysphere-server.conf
+++ b/etc/monkeysphere-server.conf
@@ -20,4 +20,5 @@
 # Whether to add user controlled authorized_keys file to
 # monkeysphere-generated authorized_keys file. Should be path to file
 # where '%h' will be replaced by the home directory of the user.
+# To not add any user-controlled file, put "-"
 #USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys
diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf
index d478b93..003ecf6 100644
--- a/etc/monkeysphere.conf
+++ b/etc/monkeysphere.conf
@@ -22,14 +22,13 @@
 #REQUIRED_USER_KEY_CAPABILITY="a"
 # Path to user-controlled authorized_keys file to add to
-# Monkeysphere-generated authorized_keys file. If empty, then no
-# user-controlled file will be added.
+# Monkeysphere-generated authorized_keys file.
+# To not add any user-controlled file, put "-"
 #USER_CONTROLLED_AUTHORIZED_KEYS=~/.ssh/authorized_keys
 # User known_hosts file
 #USER_KNOWN_HOSTS=~/.ssh/known_hosts
-# Whether or not to hash the generated known_hosts lines
-# (empty mean "no").
-#HASH_KNOWN_HOSTS=
-
+# Whether or not to hash the generated known_hosts lines.
+# Should be "true" or "false"
+#HASH_KNOWN_HOSTS=true
@@ -44,19 +44,20 @@ cutline() { # (not just first 5) gpg_fetch_userid() { local userID - userID="$1" - # if CHECK_KEYSERVER variable set, check the keyserver - # for the user ID - if [ "CHECK_KEYSERVER" ] ; then - echo 1,2,3,4,5 | \ - gpg --quiet --batch --command-fd 0 --with-colons \ - --keyserver "$KEYSERVER" \ - --search ="$userID" >/dev/null 2>&1 + userID="$1" - # otherwise just return true + log "checking keyserver $KEYSERVER..." + echo 1,2,3,4,5 | \ + gpg --quiet --batch --command-fd 0 --with-colons \ + --keyserver "$KEYSERVER" \ + --search ="$userID" >/dev/null 2>&1 + if [ "$?" = 0 ] ; then + log " user ID found on keyserver." + return 0 else - return + log " user ID not found on keyserver." + return 1 fi }
@@ -167,8 +168,11 @@ process_user_id() { fi requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]") - # fetch keys from keyserver, return 1 if none found - gpg_fetch_userid "$userID" || return 1 + # if CHECK_KEYSERVER variable set, check the keyserver + # for the user ID + if [ "$CHECK_KEYSERVER" = "true" ] ; then + gpg_fetch_userid "$userID" + fi # output gpg info for (exact) userid and store gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
@@ -428,7 +432,7 @@ update_authorized_keys() { else log "no gpg keys to add." fi - if [ "$userAuthorizedKeys" -a -s "$userAuthorizedKeys" ] ; then + if [ "$userAuthorizedKeys" != "-" -a -s "$userAuthorizedKeys" ] ; then log -n "adding user authorized_keys file... " cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" echo "done."
diff --git a/src/monkeysphere b/src/monkeysphere
index 91401b9..8e4c4eb 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
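Review bot: Both stdout and stderr of the gpg search in gpg_fetch_userid are discarded, so an unreachable or timing-out keyserver is logged exactly like an absent user ID (`user ID not found on keyserver.`) and callers receive the same `return 1` for both. Keeping gpg's stderr, e.g. `gpgErr=$(echo 1,2,3,4,5 | gpg --quiet --batch --command-fd 0 --with-colons --keyserver "$KEYSERVER" --search ="$userID" 2>&1 >/dev/null)` and logging `$gpgErr` on the failure branch, would let an operator tell a transient network failure from a genuinely unknown ID. Testing the pipeline directly (`if echo 1,2,3,4,5 | gpg ... ; then`) instead of `[ "$?" = 0 ]` on the following line also removes the dependence on nothing running between the pipeline and the test.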
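Review bot: process_user_id now consults the keyserver only when `CHECK_KEYSERVER` is exactly `"true"`, but of the two defaults blocks in this merge only src/monkeysphere (its @@ -113,9 +113,10 hunk) supplies a default; the monkeysphere-server defaults hunk (@@ -111,10 +125,10) sets none, so server-side update-users stops querying the keyserver unless monkeysphere-server.conf defines the variable, whereas the removed `[ "CHECK_KEYSERVER" ]` test was a literal string and always fetched. Failing closed to the local keyring is defensible, but it looks unintended; either add `CHECK_KEYSERVER=${CHECK_KEYSERVER:-"true"}` to the server defaults or document the variable in monkeysphere-server.conf. The return value of gpg_fetch_userid is now ignored, which only works because the `gpg --list-key` that follows re-checks the local keyring; a comment such as `# a user ID absent from the keyring is caught by the --list-key below` would make that dependency explicit. process_user_id continues outside this hunk.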
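Review bot: The new `"-"` sentinel in update_authorized_keys reads as if only that value opts out of appending the user-controlled file, but an empty `$userAuthorizedKeys` (what an unset config variable yields wherever no default is applied) is also skipped, solely because `-s ""` happens to be false; either the config comment should say so or the test should be explicit. Splitting the obsolescent binary `-a` into two tests, `if [ "$userAuthorizedKeys" != "-" ] && [ -s "$userAuthorizedKeys" ] ; then`, also avoids `[` misparsing a value that looks like a test operator. update_authorized_keys starts outside this hunk.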
@@ -113,9 +113,10 @@ MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"} AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} +CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"}
@@ -157,7 +158,7 @@ case $COMMAND in failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." fi log "processing known_hosts file..." - process_known_hosts "$USER_KNOWN_HOSTS" + process_known_hosts fi ;;
@@ -191,11 +192,8 @@ case $COMMAND in failure "$AUTHORIZED_USER_IDS is empty." fi - # set user-controlled authorized_keys file path - userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$HOME"} - # update authorized_keys - update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$userKeysCacheDir" + update_authorized_keys "$msAuthorizedKeys" "$USER_CONTROLLED_AUTHORIZED_KEYS" "$userKeysCacheDir" ;; 'gen-subkey'|'g')
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 3cc7454..6279c45 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -32,7 +32,7 @@ MonkeySphere server admin tool. subcommands: update-users (s) [USER]... update users authorized_keys files - gen-key (g) generate gpg key for the server + gen-key (g) [HOSTNAME] generate gpg key for the server publish-key (p) publish server key to keyserver trust-keys (t) KEYID... mark keyids as trusted update-user-userids (u) USER UID... add/update user IDs for a user
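Review bot: `CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}` is the only line in this defaults block using `:=` (assign-default) rather than `:-`; the result is the same because the expansion is assigned anyway, but it reads as a typo and should be `CHECK_KEYSERVER=${CHECK_KEYSERVER:-"true"}` for consistency with the neighbouring lines. monkeysphere-ssh-proxycommand hands its per-host decision to this script by exporting `CHECK_KEYSERVER`, so if monkeysphere.conf is sourced before this block (as monkeysphere-server does with its own config) an uncommented `CHECK_KEYSERVER` in the config would silently override the proxycommand's choice; a short comment on this line stating the intended precedence (exported environment, then config, then this default) would prevent that surprise. The sourcing of MS_CONF is not visible in this hunk, so the order is an assumption to confirm.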
@@ -44,14 +44,26 @@ EOF # generate server gpg key gen_key() { + local hostName + + hostName=${1:-$(hostname --fqdn)} + # set key defaults KEY_TYPE=${KEY_TYPE:-"RSA"} KEY_LENGTH=${KEY_LENGTH:-"2048"} KEY_USAGE=${KEY_USAGE:-"auth,encrypt"} - SERVICE=${SERVICE:-"ssh"} - HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} + cat <<EOF +Please specify how long the key should be valid. + 0 = key does not expire + <n> = key expires in n days + <n>w = key expires in n weeks + <n>m = key expires in n months + <n>y = key expires in n years +EOF + read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"} - USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} + SERVICE=${SERVICE:-"ssh"} + USERID=${USERID:-"$SERVICE"://"$hostName"} # set key parameters keyParameters=$(cat <<EOF
@@ -59,6 +71,7 @@ Key-Type: $KEY_TYPE Key-Length: $KEY_LENGTH Key-Usage: $KEY_USAGE Name-Real: $USERID +Expire-Date: $EXPIRE EOF )
@@ -91,8 +104,9 @@ EOF EOF ) - log "generating server key..." + log -n "generating server key... " echo "$keyParameters" | gpg --batch --gen-key + echo "done." } ########################################################################
@@ -111,10 +125,10 @@ MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf} [ -e "$MS_CONF" ] && . "$MS_CONF" # set empty config variable with defaults -GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} -KEYSERVER=${KEYSERVER:-subkeys.pgp.net} +GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"} +KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} export GNUPGHOME
@@ -162,7 +176,7 @@ case $COMMAND in ;; 'gen-key'|'g') - gen_key + gen_key "$1" ;; 'publish-key'|'p')
diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand
index ec162ab..4b90a0d 100755
--- a/src/monkeysphere-ssh-proxycommand
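Review bot: In gen_key the value read into `EXPIRE` is interpolated unvalidated into the gpg batch parameter block as `Expire-Date: $EXPIRE` (the @@ -59,6 +71,7 hunk), and the prompt prints `($EXPIRE)` before the default is applied, so an interactive admin sees an empty hint unless the variable was preset. Apply the default first and validate against the syntax the prompt itself advertises: `EXPIRE=${EXPIRE:-"0"}` before the `read`, then `[[ "$EXPIRE" =~ ^[0-9]+[wmy]?$ ]] || failure "invalid expiration '$EXPIRE'"` (using the `failure` helper src/monkeysphere already calls; confirm it is in scope here). The default of `0` yields a server key that never expires, which may be intended but deserves a one-line comment where the default is set. gen_key's body continues outside this hunk.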
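Review bot: `echo "done."` now follows `gpg --batch --gen-key` unconditionally, so a failed key generation (bad parameters, an unparseable `Expire-Date`, insufficient entropy) still ends with `generating server key... done.` after gpg's own error has scrolled past. Check the pipeline instead, `echo "$keyParameters" | gpg --batch --gen-key || failure "key generation failed."`, so the status line stays honest; unless the script runs under `set -e`, which these hunks do not show, this is the only place the failure would be noticed.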
+++ b/src/monkeysphere-ssh-proxycommand
@@ -40,11 +40,14 @@ fi # check for the host key in the known_hosts file hostKey=$(ssh-keygen -F "$HOST") -# if the host key is not found in the known_hosts file, -# check the keyserver -if [ -z "$hostKey" ] ; then +# if the host key is found in the known_hosts file, +# don't check the keyserver +if [ "$hostKey" ] ; then + CHECK_KEYSERVER="false" +else CHECK_KEYSERVER="true" fi +export CHECK_KEYSERVER # update the known_hosts file for the host monkeysphere update-known-hosts "$HOST" |
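Review bot: With this logic a host whose key is already in known_hosts is never re-checked against the keyserver, so a host key that has since been revoked or rotated on the keyserver keeps being accepted until the stale known_hosts entry is removed by hand; that is a reasonable freshness-versus-latency trade-off for a ProxyCommand, but it should be stated where the decision is made, e.g. `# NOTE: a host already in known_hosts is trusted as-is; keyserver revocations are only picked up once its known_hosts entry is gone.` Whether a first-contact lookup against an unreachable keyserver fails closed depends on `monkeysphere update-known-hosts`, which is outside this hunk and worth confirming.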