diff options
| author | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2010-05-06 11:24:55 -0400 |
|---|---|---|
| committer | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2010-05-06 12:21:25 -0400 |
| commit | e6a41995792ee8b7a3dbce1e763e40447e45755f (patch) | |
| tree | 76c9c2a3ad3854b4e356a59de6252a752bc68e5a | |
| parent | 8a0467b81b7ec01dcfffc2de40dc078a3caef7e3 (diff) | |
support x509 anchors for monkeysphere-host, allow shared anchors between m-a and mh (closes MS #2288)
| -rw-r--r-- | Changelog | 7 | ||||
| -rw-r--r-- | man/man8/monkeysphere-authentication.8 | 5 | ||||
| -rw-r--r-- | man/man8/monkeysphere-host.8 | 8 | ||||
| -rw-r--r-- | src/share/ma/setup | 10 | ||||
| -rw-r--r-- | src/share/mh/publish_key | 9 |
5 files changed, 36 insertions, 3 deletions
@@ -1,3 +1,10 @@ +monkeysphere (0.31~pre) UNRELEASED; urgency=low + + * support x509 anchors for monkeysphere-host, allow shared anchor + between m-h and m-a (closes MS #2288) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 May 2010 11:23:38 -0400 + monkeysphere (0.30) unstable; urgency=low * changing tarball creation and packaging strategies diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index ea9debd..7c12673 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -177,10 +177,13 @@ false may expose users to abuse by other users on the system. (true) /etc/monkeysphere/monkeysphere\-authentication.conf System monkeysphere-authentication config file. .TP -/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt +/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt or\p \ +/etc/monkeysphere/monkeysphere\-x509\-anchors.crt If monkeysphere-authentication is configured to query an hkps keyserver, it will use X.509 Certificate Authority certificates in this file to validate any X.509 certificates used by the keyserver. +If the monkeysphere-authentication-x509 file is present, the +monkeysphere-x509 file will be ignored. .TP /var/lib/monkeysphere/authorized_keys/USER Monkeysphere-generated user authorized_keys files. diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 00ea777..f3e0d43 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -222,6 +222,14 @@ Monkeysphere\-enabled services on the host. /var/lib/monkeysphere/host/ A locked directory (readable only by the superuser) containing copies of all imported secret keys (this is the host's GNUPGHOME directory). +.TP +/etc/monkeysphere/monkeysphere\-host\-x509\-anchors.crt or\p \ +/etc/monkeysphere/monkeysphere\-x509\-anchors.crt +If monkeysphere-host is configured to query an hkps keyserver for +publish-keys, it will use X.509 Certificate Authority certificates in +this file to validate any X.509 certificates used by the keyserver. +If the monkeysphere-host-x509 file is present, the monkeysphere-x509 +file will be ignored. .SH AUTHOR diff --git a/src/share/ma/setup b/src/share/ma/setup index f965487..3c82c45 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -36,6 +36,14 @@ setup() { no-greeting EOF + KEYSERVER_OPTIONS="" + for anchorfile in "${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt" "${SYSCONFIGDIR}/monkeysphere-x509-anchors.crt"; do + if [ -z "$KEYSERVER_OPTIONS" ] && [ -r "$anchorfile" ] ; then + KEYSERVER_OPTIONS="keyserver-options ca-cert-file=$anchorfile" + log debug "using $anchorfile for keyserver X.509 anchor" + fi + done + log debug "writing sphere gpg.conf..." cat >"${GNUPGHOME_SPHERE}"/gpg.conf <<EOF # Monkeysphere trust sphere GnuPG configuration @@ -43,7 +51,7 @@ EOF # Edits will be overwritten. no-greeting list-options show-uid-validity -keyserver-options ca-cert-file=${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt +${KEYSERVER_OPTIONS} EOF # make sure the monkeysphere user owns everything in the sphere diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key index f1c1723..72d2693 100644 --- a/src/share/mh/publish_key +++ b/src/share/mh/publish_key @@ -40,9 +40,16 @@ trap "rm -rf $GNUPGHOME" EXIT su_monkeysphere_user \ "gpg --quiet --import" <"$HOST_KEY_FILE" +KEYSERVER_OPTIONS="" +for anchorfile in "${SYSCONFIGDIR}/monkeysphere-host-x509-anchors.crt" "${SYSCONFIGDIR}/monkeysphere-x509-anchors.crt"; do + if [ -z "$KEYSERVER_OPTIONS" ] && [ -r "$anchorfile" ] ; then + KEYSERVER_OPTIONS="--keyserver-options 'ca-cert-file=$anchorfile'" + fi +done + # publish key su_monkeysphere_user \ - "gpg --keyserver $KEYSERVER --send-keys '0x${keyID}!'" + "gpg --keyserver $KEYSERVER $KEYSERVER_OPTIONS --send-keys '0x${keyID}!'" # remove the tmp file trap - EXIT |