diff options
author | Jameson Graef Rollins <jrollins@finestructure.net> | 2009-02-01 13:08:46 -0500 |
---|---|---|
committer | Jameson Graef Rollins <jrollins@finestructure.net> | 2009-02-01 13:23:30 -0500 |
commit | 0ae461de6b7bf10d3b085dfd9a5d6d29ffd29116 (patch) | |
tree | 9c870e437f06207013d9a6ec0d7b554c35e58612 /src/share/mh | |
parent | 89e447e2001c0406fab6d2e6ca300a19d492435b (diff) |
some general fixes:
- fix some references to old function names
- move fingerprint_server_key to be fingerprint_host_key
- update diagnostic scripts
Diffstat (limited to 'src/share/mh')
-rw-r--r-- | src/share/mh/add_hostname | 2 | ||||
-rw-r--r-- | src/share/mh/diagnostics | 35 | ||||
-rw-r--r-- | src/share/mh/extend_key | 2 | ||||
-rw-r--r-- | src/share/mh/gen_key | 4 | ||||
-rw-r--r-- | src/share/mh/import_key | 4 | ||||
-rw-r--r-- | src/share/mh/publish_key | 2 | ||||
-rw-r--r-- | src/share/mh/revoke_hostname | 2 |
7 files changed, 13 insertions, 38 deletions
diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname index 10d5f58..267f109 100644 --- a/src/share/mh/add_hostname +++ b/src/share/mh/add_hostname @@ -27,7 +27,7 @@ fi userID="ssh://${1}" -fingerprint=$(fingerprint_server_key) +fingerprint=$(fingerprint_host_key) # match to only ultimately trusted user IDs tmpuidMatch="u:$(echo $userID | gpg_escape)" diff --git a/src/share/mh/diagnostics b/src/share/mh/diagnostics index 7e76da6..96065e6 100644 --- a/src/share/mh/diagnostics +++ b/src/share/mh/diagnostics @@ -50,7 +50,7 @@ fi echo "Checking host GPG key..." if (( "$keysfound" < 1 )); then echo "! No host key found." - echo " - Recommendation: run 'monkeysphere-server gen-key'" + echo " - Recommendation: run 'monkeysphere-host gen-key' or 'monkeysphere-host import-key'" problemsfound=$(($problemsfound+1)) elif (( "$keysfound" > 1 )); then echo "! More than one host key found?" @@ -64,11 +64,11 @@ else if [ "$expire" ]; then if (( "$expire" < "$curdate" )); then echo "! Host key is expired." - echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + echo " - Recommendation: extend lifetime of key with 'monkeysphere-host extend-key'" problemsfound=$(($problemsfound+1)) elif (( "$expire" < "$warndate" )); then echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) - echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + echo " - Recommendation: extend lifetime of key with 'monkeysphere-host extend-key'" problemsfound=$(($problemsfound+1)) fi fi @@ -97,7 +97,7 @@ else # FIXME: recommend a way to resolve this problemsfound=$(($problemsfound+1)) elif (( "$expire" < "$warndate" )); then - echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) + echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) # FIXME: recommend a way to resolve this problemsfound=$(($problemsfound+1)) fi @@ -149,35 +149,10 @@ fi # directories housing them, etc (what should those values be? can # we make them as minimal as possible?) -# FIXME: look to see that the ownertrust rules are set properly on the -# authentication keyring - -# FIXME: make sure that at least one identity certifier exists - -# FIXME: look at the timestamps on the monkeysphere-generated -# authorized_keys files -- warn if they seem out-of-date. - -# FIXME: check for a cronjob that updates monkeysphere-generated -# authorized_keys? - -echo -echo "Checking for MonkeySphere-enabled public-key authentication for users ..." -# Ensure that User ID authentication is enabled: -if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then - echo "! $sshd_config does not point to monkeysphere authorized keys." - echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'" - problemsfound=$(($problemsfound+1)) -fi -if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then - echo "! $sshd_config refers to non-monkeysphere authorized_keys files:" - echo "$badauthorizedkeys" - echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" - problemsfound=$(($problemsfound+1)) -fi if [ "$problemsfound" -gt 0 ]; then echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:" - echo " monkeysphere-server diagnostics" + echo " monkeysphere-host expert diagnostics" else echo "Everything seems to be in order!" fi diff --git a/src/share/mh/extend_key b/src/share/mh/extend_key index ccbaf0e..d03b89a 100644 --- a/src/share/mh/extend_key +++ b/src/share/mh/extend_key @@ -15,7 +15,7 @@ extend_key() { -local fpr=$(fingerprint_server_key) +local fpr=$(fingerprint_host_key) local extendTo="$1" # get the new expiration date diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index c0445db..a73d85e 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -24,7 +24,7 @@ local fingerprint # check for presense of secret key # FIXME: is this the proper test to be doing here? -fingerprint_server_key >/dev/null \ +fingerprint_host_key >/dev/null \ && failure "An OpenPGP host key already exists." # get options @@ -83,7 +83,7 @@ log verbose "generating host key..." echo "$keyParameters" | gpg_host --batch --gen-key # find the key fingerprint of the newly generated key -fingerprint=$(fingerprint_server_key) +fingerprint=$(fingerprint_host_key) # translate the private key to ssh format, and export to a file # for sshs usage. diff --git a/src/share/mh/import_key b/src/share/mh/import_key index 0f16d27..e7b713f 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key @@ -20,7 +20,7 @@ local userID # check for presense of secret key # FIXME: is this the proper test to be doing here? -fingerprint_server_key >/dev/null \ +fingerprint_host_key >/dev/null \ && failure "An OpenPGP host key already exists." # get options @@ -72,7 +72,7 @@ log verbose "importing ssh key..." pem2openpgp "$userID" "$keyExpire" < "$sshKey" | gpg_host --import) # find the key fingerprint of the newly converted key -fingerprint=$(fingerprint_server_key) +fingerprint=$(fingerprint_host_key) # export host ownertrust to authentication keyring log verbose "setting ultimate owner trust for host key..." diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key index b7ab01d..988b450 100644 --- a/src/share/mh/publish_key +++ b/src/share/mh/publish_key @@ -21,7 +21,7 @@ if [ ${OK/y/Y} != 'Y' ] ; then fi # find the key fingerprint -fingerprint=$(fingerprint_server_key) +fingerprint=$(fingerprint_host_key) # publish host key # FIXME: need to define how to do this diff --git a/src/share/mh/revoke_hostname b/src/share/mh/revoke_hostname index b519cf6..06b5810 100644 --- a/src/share/mh/revoke_hostname +++ b/src/share/mh/revoke_hostname @@ -38,7 +38,7 @@ fi userID="ssh://${1}" -fingerprint=$(fingerprint_server_key) +fingerprint=$(fingerprint_host_key) # match to only ultimately trusted user IDs tmpuidMatch="u:$(echo $userID | gpg_escape)" |