diff options
| author | Jameson Graef Rollins <jrollins@phys.columbia.edu> | 2008-06-24 00:38:03 -0400 |
|---|---|---|
| committer | Jameson Graef Rollins <jrollins@phys.columbia.edu> | 2008-06-24 00:38:03 -0400 |
| commit | 7d02db7106da26f7705563297544a4ba1edfc71b (patch) | |
| tree | 59a188d94a3a26c65cd0fc5010d4e39fed10d39b | |
| parent | 014bf21eae8b5358d0fc10c92c065e5a5deadab5 (diff) | |
Move to /var/lib/monkeysphere instead of /var/cache/monkeysphere.
Improve ms-server update-user function. Update/fix config files to
remove some unwanted configs, and clarify some things.
| -rw-r--r-- | debian/changelog | 6 | ||||
| -rw-r--r-- | debian/dirs | 4 | ||||
| -rw-r--r-- | debian/monkeysphere.dirs | 4 | ||||
| -rw-r--r-- | doc/TODO | 28 | ||||
| -rw-r--r-- | etc/monkeysphere-server.conf | 27 | ||||
| -rw-r--r-- | etc/monkeysphere.conf | 26 | ||||
| -rw-r--r-- | src/common | 2 | ||||
| -rwxr-xr-x | src/monkeysphere | 11 | ||||
| -rwxr-xr-x | src/monkeysphere-server | 76 |
9 files changed, 75 insertions, 109 deletions
diff --git a/debian/changelog b/debian/changelog index 9807c8e..bfb188d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,7 +3,11 @@ monkeysphere (0.3-1) UNRELEASED; urgency=low [ Daniel Kahn Gillmor ] * new version (above: change UNRELEASED to experimental when releasing) - -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 23 Jun 2008 19:58:47 -0400 + [ Jameson Graef Rollins ] + * Move files in /var/cache/monkeysphere and GNUPGHOME for server to + the more appropriate /var/lib/monkeysphere. + + -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Tue, 24 Jun 2008 00:22:09 -0400 monkeysphere (0.2-2) experimental; urgency=low diff --git a/debian/dirs b/debian/dirs index b458649..43b742a 100644 --- a/debian/dirs +++ b/debian/dirs @@ -1,5 +1,5 @@ -var/cache/monkeysphere -var/cache/monkeysphere/authorized_keys +var/lib/monkeysphere +var/lib/monkeysphere/authorized_keys usr/bin usr/sbin usr/share diff --git a/debian/monkeysphere.dirs b/debian/monkeysphere.dirs index 6e90899..b0b2d9c 100644 --- a/debian/monkeysphere.dirs +++ b/debian/monkeysphere.dirs @@ -1,4 +1,4 @@ usr/share/monkeysphere -var/cache/monkeysphere -var/cache/monkeysphere/authorized_keys +var/lib/monkeysphere +var/lib/monkeysphere/authorized_keys etc/monkeysphere @@ -5,9 +5,6 @@ Detail advantages of monkeysphere: detail the race conditions in ssh, and how the monkeysphere can help you reduce these threat vectors: threat model reduction diagrams. -Determine how openssh handles multiple processes writing to - known_hosts/authorized_keys files (lockfile, atomic appends?) - Handle unverified monkeysphere hosts in such a way that they're not always removed from known_hosts file. Ask user to lsign the host key? @@ -30,22 +27,10 @@ Ensure that authorized_user_ids are under as tight control as ssh expects from authorized_keys: we don't want monkeysphere to be a weak link in the filesystem. -What happens when a user account has no corresponding - /etc/monkeysphere/authorized_user_ids/$USER file? What gets placed - in /var/cache/monkeysphere/authorized_keys/$USER? It looks - currently untouched, which could mean bad things for such a user. - - if authorized_user_ids is empty, then the user's authorized_keys - file will be also, unless the user-controlled authorized_keys file - is added. I believe this is expected, correct behavior. - Consider the default permissions for - /var/cache/monkeysphere/authorized_keys/* (and indeed the whole + /var/lib/monkeysphere/authorized_keys/* (and indeed the whole directory path leading up to that) -As an administrator, how do i reverse the effect of a - "monkeysphere-server trust-keys" that i later decide i should not - have run? - Make sure alternate ports are handled for known_hosts. Script to import private key into ssh agent. @@ -105,9 +90,6 @@ When using ssh-proxycommand, if only host keys found are expired or Update monkeysphere-ssh-proxycommand man page with new keyserver checking policy info. -Update monkeysphere-ssh-proxycommand man page with info about - no-connect option. - File bug against seahorse about how, when creating new primary keys, it presents option for "RSA (sign only)" but then creates an "esca" key. @@ -118,18 +100,10 @@ Privilege separation: monkeysphere user to handle authn keyring and generate authorized_keys file (which would be moved into place by root). Host keyring would be owned by root. -Check permissions of authorized_user_ids file to be writable only by - user and root (same as authorized_keys) - -Improve function that sets owner trust for keys in server keychain. - Test and document what happens when any filesystem that the monkeysphere-server relies on and modifies (/tmp, /etc, and /var?) fills up. -Consider moving monkeysphere-managed files (gpg homedirs? temporary - files?) into /var. - Optimize keyserver access, particularly on monkeysphere-server update-users -- is there a way to query the keyserver all in a chunk? diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf index 85b37c1..defb0f7 100644 --- a/etc/monkeysphere-server.conf +++ b/etc/monkeysphere-server.conf @@ -3,23 +3,9 @@ # This is an sh-style shell configuration file. Variable names should # be separated from their assignements by a single '=' and no spaces. -#FIXME: shouldn't this be in /var by default? These are not text -#files, and they should generally not be managed directly by the -#admin: -# GPG home directory for server -#GNUPGHOME=/etc/monkeysphere/gnupg - # GPG keyserver to search for keys #KEYSERVER=subkeys.pgp.net -# Required user key capabilities -# Must be quoted, lowercase, space-seperated list of the following: -# e = encrypt -# s = sign -# c = certify -# a = authentication -#REQUIRED_USER_KEY_CAPABILITY="a" - # Path to authorized_user_ids file to process to create # authorized_keys file. '%h' will be replaced by the home directory # of the user, and %u will be replaced by the username of the user. @@ -27,17 +13,10 @@ # in /etc/monkeysphere/authorized_user_ids/%u #AUTHORIZED_USER_IDS="%h/.config/monkeysphere/authorized_user_ids" -#FIXME: why is the following variable named USER_CONTROLLED_...? -#shouldn't this be something like MONKEYSPHERE_RAW_AUTHORIZED_KEYS -#instead? For example, what about a server where the administrator -#has locked down the authorized_keys file from user control, but still -#wants to combine raw authorized_keys for some users with the -#monkeysphere? - # Whether to add user controlled authorized_keys file to # monkeysphere-generated authorized_keys file. Should be path to file # where '%h' will be replaced by the home directory of the user or # '%u' by the username. To not add any user-controlled file, put "-" -#FIXME: this usage of "-" contravenes the normal convention where "-" -#means standard in/out. Why not use "none" or "" instead? -#USER_CONTROLLED_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" +# FIXME: this usage of "-" contravenes the normal convention where "-" +# means standard in/out. Why not use "none" or "" instead? +#RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index cce9366..aa3a664 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf @@ -9,16 +9,13 @@ # GPG keyserver to search for keys #KEYSERVER=subkeys.pgp.net -# FIXME: consider removing REQUIRED_*_KEY_CAPABILITY entirely from -# this example config, given our discussion -# Required key capabilities -# Must be quoted, lowercase, space-seperated list of the following: -# e = encrypt -# s = sign -# c = certify -# a = authentication -#REQUIRED_HOST_KEY_CAPABILITY="a" -#REQUIRED_USER_KEY_CAPABILITY="a" +# Set whether or not to check keyservers at every monkeysphere +# interaction, including all ssh connections if you use the +# monkeysphere-ssh-proxycommand. +# NOTE: setting CHECK_KEYSERVER to true will leak information about +# the timing and frequency of your ssh connections to the maintainer +# of the keyserver. +#CHECK_KEYSERVER=true # ssh known_hosts file #KNOWN_HOSTS=~/.ssh/known_hosts @@ -28,11 +25,4 @@ #HASH_KNOWN_HOSTS=true # ssh authorized_keys file (FIXME: why is this relevant in this file?) -#AUTHORIZED_KEYS=~/.ssh/known_hosts - -# check keyservers at every ssh connection: -# This overrides other environment variables (FIXME: what does this mean???) -# NOTE: setting CHECK_KEYSERVER to true will leak information about -# the timing and frequency of your ssh connections to the maintainer -# of the keyserver. -#CHECK_KEYSERVER=true +#AUTHORIZED_KEYS=~/.ssh/authorized_keys @@ -16,8 +16,6 @@ # managed directories ETC="/etc/monkeysphere" export ETC -CACHE="/var/cache/monkeysphere" -export CACHE ######################################################################## ### UTILITY FUNCTIONS diff --git a/src/monkeysphere b/src/monkeysphere index 11254e7..d8d4667 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -128,15 +128,17 @@ MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"} [ -e "$MS_CONF" ] && . "$MS_CONF" # set empty config variable with defaults -AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} -REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"a"} -REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} KNOWN_HOSTS=${KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} -AUTHORIZED_KEYS=${AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"} +AUTHORIZED_KEYS=${AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} + +# other variables +AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} +REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"a"} +REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} export GNUPGHOME @@ -146,7 +148,6 @@ mkdir -p -m 0700 "$GNUPGHOME" # make sure the user monkeysphere home directory exists mkdir -p -m 0700 "$MS_HOME" touch "$AUTHORIZED_USER_IDS" -touch "$AUTHORIZED_KEYS" case $COMMAND in 'update-known_hosts'|'update-known-hosts'|'k') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index db2f428..a198c33 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -11,9 +11,12 @@ ######################################################################## PGRM=$(basename $0) -SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"} -export SHAREDIR -. "${SHAREDIR}/common" +SHARE=${SHARE:-"/usr/share/monkeysphere"} +export SHARE +. "${SHARE}/common" + +VARLIB="/var/lib/monkeysphere" +export VARLIB # date in UTF format if needed DATE=$(date -u '+%FT%T') @@ -49,8 +52,9 @@ gen_key() { local hostName hostName=${1:-$(hostname --fqdn)} - service=${SERVICE:-"ssh"} - userID="${service}://${hostName}" + + SERVICE=${SERVICE:-"ssh"} + userID="${SERVICE}://${hostName}" if gpg --list-key ="$userID" > /dev/null 2>&1 ; then failure "Key for '$userID' already exists" @@ -154,21 +158,20 @@ MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf} [ -e "$MS_CONF" ] && . "$MS_CONF" # set empty config variable with defaults -GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} -REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} +RAW_AUTHORIZED_KEYS=${RAW_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} -export GNUPGHOME +# other variables +REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} +GNUPGHOME_HOST=${GNUPGHOME_HOST:-"${VARLIB}/gnupg-host"} +GNUPGHOME_AUTHENTICATION=${GNUPGHOME_AUTHENTICATION:-"${VARLIB}/gnupg-authentication"} -# make sure the monkeysphere home directory exists -mkdir -p "${MS_HOME}/authorized_user_ids" -# make sure gpg home exists with proper permissions +# set default GNUPGHOME, and make sure the directory exists +GNUPGHOME="$GNUPGHOME_HOST" +export GNUPGHOME mkdir -p -m 0700 "$GNUPGHOME" -# make sure the authorized_keys directory exists -mkdir -p "${CACHE}/authorized_keys" case $COMMAND in 'update-users'|'update-user'|'u') @@ -180,25 +183,43 @@ case $COMMAND in unames=$(getent passwd | cut -d: -f1) fi + # set mode + MODE="authorized_keys" + + # make sure the authorized_keys directory exists + mkdir -p "${VARLIB}/authorized_keys" + + # set GNUPGHOME, and make sure the directory exists + GNUPGHOME="$GNUPGHOME_AUTHENTICATION" + export GNUPGHOME + mkdir -p -m 0700 "$GNUPGHOME" + # loop over users for uname in $unames ; do - MODE="authorized_keys" - # check all specified users exist if ! getent passwd "$uname" >/dev/null ; then error "----- unknown user '$uname' -----" continue fi - log "----- user: $uname -----" - - # set authorized_user_ids variable, translating ssh-style - # path variables + # set authorized_user_ids and raw authorized_keys variables, + # translating ssh-style path variables authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") + rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS") + + # if neither is found, skip user + if [ ! -s "$authorizedUserIDs" -a ! -s "$rawAuthorizedKeys" ] ; then + continue + fi + + log "----- user: $uname -----" # temporary authorized_keys file AUTHORIZED_KEYS=$(mktemp) + # trap to delete file on exit + trap "rm -f $AUTHORIZE_KEYS" EXIT + # process authorized_user_ids file if [ -s "$authorizedUserIDs" ] ; then log "processing authorized_user_ids file..." @@ -206,16 +227,16 @@ case $COMMAND in fi # add user-controlled authorized_keys file path if specified - if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then - userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS") - if [ -s "$userAuthorizedKeys" ] ; then - log -n "adding user's authorized_keys file... " - cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS" + if [ "$RAW_AUTHORIZED_KEYS" != '-' ] ; then + if [ -s "$rawAuthorizedKeys" ] ; then + log -n "adding raw authorized_keys file... " + cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" loge "done." fi fi - # if the resulting authorized_keys file is not empty + # if the resulting authorized_keys file is not empty, move + # the temp authorized_keys file into place if [ -s "$AUTHORIZED_KEYS" ] ; then # openssh appears to check the contents of the # authorized_keys file as the user in question, so the @@ -224,8 +245,7 @@ case $COMMAND in chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" chmod g+r "$AUTHORIZED_KEYS" - # move the temp authorized_keys file into place - mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}" + mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}" log "authorized_keys file updated." |