diff options
author | Jameson Graef Rollins <jrollins@finestructure.net> | 2008-11-16 03:17:36 -0500 |
---|---|---|
committer | Jameson Graef Rollins <jrollins@finestructure.net> | 2008-11-16 03:17:36 -0500 |
commit | dd002c89fc4dccabc16d488a15a40cc88383605f (patch) | |
tree | f58629b241f2d0bcac7b03ee41a0c735262fd327 | |
parent | 2459fa3ea277d7b9289945748619eab1e3441e5c (diff) |
added some useful output to the ssh-proxycommand for "marginal" cases
where keys are found for host but do not have full validity. this
uses ssh-keyscan to pull the key for the host in question, check this
key against the keys against those found via gpg, and output some
useful information about the one that matches.
l--------- | changelog | 2 | ||||
-rw-r--r-- | packaging/debian/changelog | 6 | ||||
-rwxr-xr-x | src/monkeysphere-server | 2 | ||||
-rwxr-xr-x | src/monkeysphere-ssh-proxycommand | 98 |
4 files changed, 102 insertions, 6 deletions
@@ -1 +1 @@ -website/changelog
\ No newline at end of file +packaging/debian/changelog
\ No newline at end of file diff --git a/packaging/debian/changelog b/packaging/debian/changelog index f1db037..e8ea1a9 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -1,9 +1,11 @@ monkeysphere (0.22-1) UNRELEASED; urgency=low * New upstream release: - - Added info log output when a new key is added to known_hosts file. + - added info log output when a new key is added to known_hosts file. + - added some useful output to the ssh-proxycommand for "marginal" + cases where keys are found for host but do not have full validity. - -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 15 Nov 2008 20:49:13 -0500 + -- Jameson Graef Rollins <jrollins@finestructure.net> Sun, 16 Nov 2008 03:17:16 -0500 monkeysphere (0.21-2) unstable; urgency=low diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 5edaa4f..665d916 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -137,7 +137,7 @@ show_server_key() { tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey" echo -n "ssh fingerprint: " - ssh-keygen -l -f $tmpkey | awk '{ print $1, $2, $4 }' + ssh-keygen -l -f "$tmpkey" | awk '{ print $1, $2, $4 }' rm -rf "$tmpkey" echo -n "OpenPGP fingerprint: " echo "$fingerprint" diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 6276092..b039844 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -14,13 +14,83 @@ # ProxyCommand monkeysphere-ssh-proxycommand %h %p ######################################################################## +PGRM=$(basename $0) + +SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} +export SYSSHAREDIR +. "${SYSSHAREDIR}/common" || exit 1 + +######################################################################## +# FUNCTIONS +######################################################################## usage() { -cat <<EOF >&2 + cat <<EOF >&2 usage: ssh -o ProxyCommand="$(basename $0) %h %p" ... EOF } +log() { + echo "$@" >&2 +} + +output_no_valid_key() { + local sshKeyOffered + local userID + local type + local validity + local keyid + local uidfpr + local usage + local sshKeyGPG + local sshFingerprint + + log "OpenPGP keys with*out* full validity found for this host:" + log + + # retrieve the actual ssh key + sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }') + + userID="ssh://${HOSTP}" + + # output gpg info for (exact) userid and store + gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \ + --with-fingerprint --with-fingerprint \ + ="$userID" 2>/dev/null) + + # loop over all lines in the gpg output and process. + echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \ + while IFS=: read -r type validity keyid uidfpr usage ; do + case $type in + 'pub'|'sub') + # get the ssh key of the gpg key + sshKeyGPG=$(gpg2ssh "$keyid") + + # if one of keys found matches the one offered by the + # host, then output info + if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then + + # get the fingerprint of the ssh key + tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) + echo "$sshKeyGPG" > "$tmpkey" + sshFingerprint=$(ssh-keygen -l -f "$tmpkey" | awk '{ print $2 }') + rm -rf "$tmpkey" + + # output gpg info + gpg --check-sigs \ + --list-options show-uid-validity \ + "$keyid" >&2 + + # output ssh fingerprint + log "RSA key fingerprint is ${sshFingerprint}." + log "Falling through to standard ssh host checking." + log + fi + ;; + esac + done +} + ######################################################################## # export the monkeysphere log level @@ -35,7 +105,7 @@ HOST="$1" PORT="$2" if [ -z "$HOST" ] ; then - echo "Host not specified." >&2 + log "Host not specified." usage exit 255 fi @@ -88,6 +158,30 @@ export MONKEYSPHERE_CHECK_KEYSERVER # update the known_hosts file for the host monkeysphere update-known_hosts "$HOSTP" +# output on depending on the return of the update-known_hosts +# subcommand, which is (ultimately) the return code of the +# update_known_hosts function in common +case $? in + 0) + # acceptable host key found so continue to ssh + true + ;; + 1) + # no hosts at all found so also continue (drop through to + # regular ssh host verification) + true + ;; + 2) + # at least one *bad* host key (and no good host keys) was + # found, so output some usefull information + output_no_valid_key + ;; + *) + # anything else drop through + true + ;; +esac + # exec a netcat passthrough to host for the ssh connection if [ -z "$NO_CONNECT" ] ; then if (which nc 2>/dev/null >/dev/null); then |