summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJameson Graef Rollins <jrollins@phys.columbia.edu>2008-08-15 15:04:53 -0700
committerJameson Graef Rollins <jrollins@phys.columbia.edu>2008-08-15 15:10:02 -0700
commit46586fc0f24e24166a52c2a0efb3e2ab838eea81 (patch)
tree4e1986278410f4e90e3a5ec70b11b10b14d67220
parentcb05f332e617e346aa533d6dde02fb11c6148799 (diff)
parentc9acc1237d8e21d74fe7070af1b061c888664e8b (diff)
Merge commit 'dkg/master'
Conflicts: debian/changelog
-rw-r--r--debian/changelog2
-rw-r--r--debian/control2
-rwxr-xr-xsrc/monkeysphere14
-rwxr-xr-xsrc/monkeysphere-server2
-rw-r--r--website/bugs/list-id-certifiers-should-run-non-priv.mdwn15
-rw-r--r--website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn7
6 files changed, 37 insertions, 5 deletions
diff --git a/debian/changelog b/debian/changelog
index b39ba44..64c2a09 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,7 +5,7 @@ monkeysphere (0.8-1) UNRELEASED; urgency=low
of my own.
* More monkeysphere-server diagnostics
* monkeysphere --gen-subkey now guesses what KeyID you meant.
- * set up host-key revocation
+ * added Recommends: ssh-askpass to ensure monkeysphere --gen-subkey works
[ Jameson Graef Rollins ]
* fix another bug for when ssh key files are missing.
diff --git a/debian/control b/debian/control
index 0b3d871..7fbcbc7 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Format: 3.0 (git)
Package: monkeysphere
Architecture: any
Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), moreutils, lockfile-progs, adduser, ${shlibs:Depends}
-Recommends: netcat | socat
+Recommends: netcat | socat, ssh-askpass
Enhances: openssh-client, openssh-server
Description: use the OpenPGP web of trust to verify ssh connections
SSH key-based authentication is tried-and-true, but it lacks a true
diff --git a/src/monkeysphere b/src/monkeysphere
index 6d9e6c3..57597e2 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -48,7 +48,6 @@ EOF
}
# generate a subkey with the 'a' usage flags set
-# FIXME: this needs some tweaking to clean it up
gen_subkey(){
local keyLength
local keyExpire
@@ -163,7 +162,18 @@ EOF
)
log "generating subkey..."
- echo "$editCommands" | gpg --expert --command-fd 0 --edit-key "$keyID"
+ fifoDir=$(mktemp -d)
+ (umask 077 && mkfifo "$fifoDir/pass")
+ echo "$editCommands" | gpg --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --edit-key "$keyID" &
+
+ if [ "$DISPLAY" ] && which ssh-askpass >/dev/null; then
+ ssh-askpass "Please enter your passphrase for $keyID: " > "$fifoDir/pass"
+ else
+ read -s -p "Please enter your passphrase for $keyID: " PASS
+ echo "$PASS" > "$fifoDir/pass"
+ fi
+ rm -rf "$fifoDir"
+ wait
log "done."
}
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 4fb8265..69395a4 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -732,7 +732,7 @@ EOF
)
# ltsign the key
- echo "$ltsignCommand" | gpg_host --quiet --command-fd 0 --edit-key "$fingerprint"
+ echo "$ltsignCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}"\!
# update the trustdb for the authentication keyring
gpg_authentication "--check-trustdb"
diff --git a/website/bugs/list-id-certifiers-should-run-non-priv.mdwn b/website/bugs/list-id-certifiers-should-run-non-priv.mdwn
new file mode 100644
index 0000000..3cbd1af
--- /dev/null
+++ b/website/bugs/list-id-certifiers-should-run-non-priv.mdwn
@@ -0,0 +1,15 @@
+[[meta title="list-identity-certfiers should run as the non-privileged user"]]
+
+Right now, `monkeysphere-server list-identity-certifiers` runs as the
+superuser, and just lists the keys in the host's keyring. This might
+not be the actual list of valid id certifiers, for a number of reasons:
+
+* the keys themselves might have been revoked by the owner
+
+* the id-certifiers might have been added with a different trust
+ level, or a regexp/domain limitation.
+
+It would make more sense to derive the list of trusted certifiers
+directly from the keyrings as seen by the non-privileged
+`monkeysphere` user, since this user's keyrings are what are going to
+judge the validity of various user IDs.
diff --git a/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn b/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn
index 51cf57e..e97b49c 100644
--- a/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn
+++ b/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn
@@ -135,3 +135,10 @@ it.
Alternately, we could use `--passwd-fd` and `ssh-agent`, along the
lines i proposed [for handling passphrase-locked secret
keys](/bugs/handle-passphrase-locked-secret-keys).
+
+---
+
+[[bugs/done]] as of 2008-08-15 16:48:26-0400 (to be released in 0.8-1)
+
+I opted to go with the `ssh-askpass` route, and fall back to echoing
+stuff to a fifo directly if `ssh-askpass` is not available.