diff options
author | Jameson Graef Rollins <jrollins@finestructure.net> | 2009-01-31 23:05:23 -0500 |
---|---|---|
committer | Jameson Graef Rollins <jrollins@finestructure.net> | 2009-01-31 23:06:56 -0500 |
commit | 33888714f26a775b3be54edb27d77de719d5939c (patch) | |
tree | 0eacf9b1424198458ec7f2641c9353f18640bd86 /src/share/mh/diagnostics | |
parent | abedd439e7b62428e1c76baf008f2d6b1afccc5a (diff) |
move src/subcommands to srv/share, and add common file to src/share (update Makefile as well)
Diffstat (limited to 'src/share/mh/diagnostics')
-rw-r--r-- | src/share/mh/diagnostics | 185 |
1 files changed, 185 insertions, 0 deletions
diff --git a/src/share/mh/diagnostics b/src/share/mh/diagnostics new file mode 100644 index 0000000..7e76da6 --- /dev/null +++ b/src/share/mh/diagnostics @@ -0,0 +1,185 @@ +# -*-shell-script-*- +# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) + +# Monkeysphere host diagnostics subcommand +# +# The monkeysphere scripts are written by: +# Jameson Rollins <jrollins@finestructure.net> +# Jamie McClelland <jm@mayfirst.org> +# Daniel Kahn Gillmor <dkg@fifthhorseman.net> +# +# They are Copyright 2008-2009, and are all released under the GPL, +# version 3 or later. + +# check on the status and validity of the key and public certificates + +diagnostics() { + +local seckey +local keysfound +local curdate +local warnwindow +local warndate +local create +local expire +local uid +local fingerprint +local badhostkeys +local sshd_config +local problemsfound=0 + +# FIXME: what's the correct, cross-platform answer? +sshd_config=/etc/ssh/sshd_config +seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode) +keysfound=$(echo "$seckey" | grep -c ^sec:) +curdate=$(date +%s) +# warn when anything is 2 months away from expiration +warnwindow='2 months' +warndate=$(advance_date $warnwindow +%s) + +if ! id monkeysphere >/dev/null ; then + echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell." + problemsfound=$(($problemsfound+1)) +fi + +if ! [ -d "$SYSDATADIR" ] ; then + echo "! no $SYSDATADIR directory found. Please create it." + problemsfound=$(($problemsfound+1)) +fi + +echo "Checking host GPG key..." +if (( "$keysfound" < 1 )); then + echo "! No host key found." + echo " - Recommendation: run 'monkeysphere-server gen-key'" + problemsfound=$(($problemsfound+1)) +elif (( "$keysfound" > 1 )); then + echo "! More than one host key found?" + # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) +else + create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:) + expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:) + fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:) + # check for key expiration: + if [ "$expire" ]; then + if (( "$expire" < "$curdate" )); then + echo "! Host key is expired." + echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + problemsfound=$(($problemsfound+1)) + elif (( "$expire" < "$warndate" )); then + echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) + echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + problemsfound=$(($problemsfound+1)) + fi + fi + + # and weirdnesses: + if [ "$create" ] && (( "$create" > "$curdate" )); then + echo "! Host key was created in the future(?!). Is your clock correct?" + echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" + problemsfound=$(($problemsfound+1)) + fi + + # check for UserID expiration: + echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \ + while IFS=: read create expire uid ; do + # FIXME: should we be doing any checking on the form + # of the User ID? Should we be unmangling it somehow? + + if [ "$create" ] && (( "$create" > "$curdate" )); then + echo "! User ID '$uid' was created in the future(?!). Is your clock correct?" + echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" + problemsfound=$(($problemsfound+1)) + fi + if [ "$expire" ] ; then + if (( "$expire" < "$curdate" )); then + echo "! User ID '$uid' is expired." + # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) + elif (( "$expire" < "$warndate" )); then + echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) + # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) + fi + fi + done + +# FIXME: verify that the host key is properly published to the +# keyservers (do this with the non-privileged user) + +# FIXME: check that there are valid, non-expired certifying signatures +# attached to the host key after fetching from the public keyserver +# (do this with the non-privileged user as well) + +# FIXME: propose adding a revoker to the host key if none exist (do we +# have a way to do that after key generation?) + + # Ensure that the ssh_host_rsa_key file is present and non-empty: + echo + echo "Checking host SSH key..." + if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then + echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty." + problemsfound=$(($problemsfound+1)) + else + if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then + echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600." + problemsfound=$(($problemsfound+1)) + fi + + # propose changes needed for sshd_config (if any) + if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then + echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)." + echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'" + problemsfound=$(($problemsfound+1)) + fi + if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then + echo "! $sshd_config refers to some non-monkeysphere host keys:" + echo "$badhostkeys" + echo " - Recommendation: remove the above HostKey lines from $sshd_config" + problemsfound=$(($problemsfound+1)) + fi + + # FIXME: test (with ssh-keyscan?) that the running ssh + # daemon is actually offering the monkeysphere host key. + + fi +fi + +# FIXME: look at the ownership/privileges of the various keyrings, +# directories housing them, etc (what should those values be? can +# we make them as minimal as possible?) + +# FIXME: look to see that the ownertrust rules are set properly on the +# authentication keyring + +# FIXME: make sure that at least one identity certifier exists + +# FIXME: look at the timestamps on the monkeysphere-generated +# authorized_keys files -- warn if they seem out-of-date. + +# FIXME: check for a cronjob that updates monkeysphere-generated +# authorized_keys? + +echo +echo "Checking for MonkeySphere-enabled public-key authentication for users ..." +# Ensure that User ID authentication is enabled: +if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then + echo "! $sshd_config does not point to monkeysphere authorized keys." + echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'" + problemsfound=$(($problemsfound+1)) +fi +if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then + echo "! $sshd_config refers to non-monkeysphere authorized_keys files:" + echo "$badauthorizedkeys" + echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" + problemsfound=$(($problemsfound+1)) +fi + +if [ "$problemsfound" -gt 0 ]; then + echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:" + echo " monkeysphere-server diagnostics" +else + echo "Everything seems to be in order!" +fi + +} |