summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJameson Graef Rollins <jrollins@phys.columbia.edu>2008-08-03 00:55:19 -0700
committerJameson Graef Rollins <jrollins@phys.columbia.edu>2008-08-03 00:55:19 -0700
commitdbbd1bd42f084dfe780f18875c6f36eb6d4f33b1 (patch)
tree57ddfa527c2ed022422acc7e108194a5c462ed73
parent8e1439bc18f8203d71c1237a25c21374ca17c38c (diff)
- Fixed bug in monkeysphere update-authorized_keys subcommand that had
been preventing disallowed user ids from being properly removed from authorized_keys file. - Fixed file md5sum checking.
-rw-r--r--debian/changelog4
-rw-r--r--man/man1/monkeysphere.123
-rw-r--r--src/common75
3 files changed, 44 insertions, 58 deletions
diff --git a/debian/changelog b/debian/changelog
index 3e7abb8..b03e0e4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,8 +7,10 @@ monkeysphere (0.7-1) UNRELEASED; urgency=low
* fix how check for file modification is done.
* rework out user id processing is done to provide more verbose log
output.
+ * fix bug in monkeysphpere update-authorized_keys subcommand where
+ disallowed keys failed to be remove from authorized_keys file.
- -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Sun, 03 Aug 2008 00:00:06 -0700
+ -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Sun, 03 Aug 2008 00:55:05 -0700
monkeysphere (0.6-1) experimental; urgency=low
diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1
index 1d1c0e5..43e3fd5 100644
--- a/man/man1/monkeysphere.1
+++ b/man/man1/monkeysphere.1
@@ -37,17 +37,18 @@ if matching keys were found but none were acceptable. `k' may be used
in place of `update-known_hosts'.
.TP
.B update-authorized_keys
-Update the authorized_keys file. For each user ID in the user's
-authorized_user_ids file, gpg will be queried for keys associated with
-that user ID, optionally querying a keyserver. If an acceptable key
-is found (see KEY ACCEPTABILITY in monkeysphere(5)), the key is added
-to the user's authorized_keys file. If a key is found but is
-unacceptable for the user ID, any matching keys are removed from the
-user's authorized_keys file. If no gpg key is found for the user ID,
-nothing is done. This subcommand will exit with a status of 0 if at
-least one acceptable key was found for a user ID, 1 if no matching
-keys were found at all, and 2 if matching keys were found but none
-were acceptable. `a' may be used in place of
+Update the authorized_keys file. First all monkeysphere keys are
+cleared from the authorized_keys file. Then, for each user ID in the
+user's authorized_user_ids file, gpg will be queried for keys
+associated with that user ID, optionally querying a keyserver. If an
+acceptable key is found (see KEY ACCEPTABILITY in monkeysphere(5)),
+the key is added to the user's authorized_keys file. If a key is
+found but is unacceptable for the user ID, any matching keys are
+removed from the user's authorized_keys file. If no gpg key is found
+for the user ID, nothing is done. This subcommand will exit with a
+status of 0 if at least one acceptable key was found for a user ID, 1
+if no matching keys were found at all, and 2 if matching keys were
+found but none were acceptable. `a' may be used in place of
`update-authorized_keys'.
.TP
.B gen-subkey KEYID
diff --git a/src/common b/src/common
index f5bb3bb..3966705 100644
--- a/src/common
+++ b/src/common
@@ -83,6 +83,10 @@ remove_line() {
return 1
fi
+ if [ ! -e "$file" ] ; then
+ return 1
+ fi
+
# if the string is in the file...
if grep -q -F "$string" "$file" 2> /dev/null ; then
# remove the line with the string, and return 0
@@ -94,6 +98,24 @@ remove_line() {
fi
}
+# remove all lines with MonkeySphere strings in file
+remove_monkeysphere_lines() {
+ local file
+
+ file="$1"
+
+ if [ -z "$file" ] ; then
+ return 1
+ fi
+
+ if [ ! -e "$file" ] ; then
+ return 1
+ fi
+
+ egrep -v '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' \
+ "$file" | sponge "$file"
+}
+
# translate ssh-style path variables %h and %u
translate_ssh_variables() {
local uname
@@ -533,7 +555,7 @@ update_known_hosts() {
lockfile-create "$KNOWN_HOSTS"
# note pre update file checksum
- fileCheck=$(md5sum "$KNOWN_HOSTS")
+ fileCheck="$(cat "$KNOWN_HOSTS" | md5sum)"
for host ; do
# process the host
@@ -556,7 +578,7 @@ update_known_hosts() {
lockfile-remove "$KNOWN_HOSTS"
# note if the known_hosts file was updated
- if [ "$(md5sum "$KNOWN_HOSTS")" != "$fileCheck" ] ; then
+ if [ "$(cat "$KNOWN_HOSTS" | md5sum)" != "$fileCheck" ] ; then
log "known_hosts file updated."
fi
@@ -671,7 +693,10 @@ update_authorized_keys() {
lockfile-create "$AUTHORIZED_KEYS"
# note pre update file checksum
- fileCheck=$(md5sum "$AUTHORIZED_KEYS")
+ fileCheck="$(cat "$AUTHORIZED_KEYS" | md5sum)"
+
+ # remove any monkeysphere lines from authorized_keys file
+ remove_monkeysphere_lines "$AUTHORIZED_KEYS"
for userID ; do
# process the user ID, change return code if key not found for
@@ -696,7 +721,7 @@ update_authorized_keys() {
lockfile-remove "$AUTHORIZED_KEYS"
# note if the authorized_keys file was updated
- if [ "$(md5sum "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then
+ if [ "$(cat "$AUTHORIZED_KEYS" | md5sum)" != "$fileCheck" ] ; then
log "authorized_keys file updated."
fi
@@ -742,45 +767,3 @@ process_authorized_user_ids() {
update_authorized_keys "${userIDs[@]}"
}
-
-# EXPERIMENTAL (unused) process userids found in authorized_keys file
-# go through line-by-line, extract monkeysphere userids from comment
-# fields, and process each userid
-# NOT WORKING
-process_authorized_keys() {
- local authorizedKeys
- local userID
- local returnCode
-
- # default return code is 0, and is set to 1 if a key for a user
- # is not found
- returnCode=0
-
- authorizedKeys="$1"
-
- # take all the monkeysphere userids from the authorized_keys file
- # comment field (third field) that starts with "MonkeySphere uid:"
- # FIXME: needs to handle authorized_keys options (field 0)
- meat "$authorizedKeys" | \
- while read -r options keytype key comment ; do
- # if the comment field is empty, assume the third field was
- # the comment
- if [ -z "$comment" ] ; then
- comment="$key"
- fi
-
- if echo "$comment" | egrep -v -q '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}' ; then
- continue
- fi
- userID=$(echo "$comment" | awk "{ print $2 }")
- if [ -z "$userID" ] ; then
- continue
- fi
-
- # process the userid
- log "processing userid: '$userID'"
- process_user_id "$userID" > /dev/null || returnCode=1
- done
-
- return "$returnCode"
-}