diff options
author | Jameson Graef Rollins <jrollins@finestructure.net> | 2009-02-18 22:37:12 -0500 |
---|---|---|
committer | Jameson Graef Rollins <jrollins@finestructure.net> | 2009-02-19 00:54:23 -0500 |
commit | d09b0814096b1660c3a300e939091a58622a57a6 (patch) | |
tree | 02987d577979445c186b956600a4170db0d597e0 /src/share | |
parent | 62374dd1c16a2719202955ad3fe878be5cc14dba (diff) |
Cleanup how variables are specified and loaded:
- define more common variables in share/common
- cleanup how defaults are specified
- fix how CHECK_KEYSERVER was determined in monkeysphere
Fix calls to update_known_hosts and update_authorized_keys in
monkeysphere so that some of the checks are done within the functions
themselves, as opposed in the monkeysphere wrapper, so that other
functions can call them easier.
Fix ssh-proxycommand that had some left over cruft from the
transition.
Diffstat (limited to 'src/share')
-rw-r--r-- | src/share/common | 44 | ||||
-rw-r--r-- | src/share/m/ssh_proxycommand | 26 |
2 files changed, 57 insertions, 13 deletions
diff --git a/src/share/common b/src/share/common index 6b7d51b..96fea77 100644 --- a/src/share/common +++ b/src/share/common @@ -23,6 +23,21 @@ export SYSCONFIGDIR # monkeysphere version VERSION=__VERSION__ +# default log level +LOG_LEVEL="INFO" + +# default keyserver +KEYSERVER="pool.sks-keyservers.net" + +# whether or not to check keyservers by defaul +CHECK_KEYSERVER="true" + +# default monkeysphere user +MONKEYSPHERE_USER="monkeysphere" + +# default about whether or not to prompt +PROMPT="true" + ######################################################################## ### UTILITY FUNCTIONS @@ -800,6 +815,9 @@ process_host_known_hosts() { local sshKey local tmpfile + # set the key processing mode + export MODE='known_hosts' + host="$1" userID="ssh://${host}" @@ -879,6 +897,13 @@ update_known_hosts() { nHostsOK=0 nHostsBAD=0 + # touch the known_hosts file so that the file permission check + # below won't fail upon not finding the file + (umask 0022 && touch "$KNOWN_HOSTS") + + # check permissions on the known_hosts file path + check_key_file_permissions "$USER" "$KNOWN_HOSTS" || failure + # create a lockfile on known_hosts: lock create "$KNOWN_HOSTS" # FIXME: we're discarding any pre-existing EXIT trap; is this bad? @@ -933,6 +958,11 @@ update_known_hosts() { process_known_hosts() { local hosts + # exit if the known_hosts file does not exist + if [ ! -e "$KNOWN_HOSTS" ] ; then + failure "known_hosts file '$KNOWN_HOSTS' does not exist." + fi + log debug "processing known_hosts file..." hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ') @@ -956,6 +986,9 @@ process_uid_authorized_keys() { local ok local sshKey + # set the key processing mode + export MODE='authorized_keys' + userID="$1" log verbose "processing: $userID" @@ -1017,6 +1050,9 @@ update_authorized_keys() { nIDsOK=0 nIDsBAD=0 + # check permissions on the authorized_keys file path + check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" || failure + # create a lockfile on authorized_keys lock create "$AUTHORIZED_KEYS" # FIXME: we're discarding any pre-existing EXIT trap; is this bad? @@ -1082,6 +1118,14 @@ process_authorized_user_ids() { authorizedUserIDs="$1" + # exit if the authorized_user_ids file is empty + if [ ! -e "$authorizedUserIDs" ] ; then + failure "authorized_user_ids file '$authorizedUserIDs' does not exist." + fi + + # check permissions on the authorized_user_ids file path + check_key_file_permissions "$USER" "$authorizedUserIDs" || failure + log debug "processing authorized_user_ids file..." if ! meat "$authorizedUserIDs" > /dev/null ; then diff --git a/src/share/m/ssh_proxycommand b/src/share/m/ssh_proxycommand index cd0a1fb..29040d8 100644 --- a/src/share/m/ssh_proxycommand +++ b/src/share/m/ssh_proxycommand @@ -15,8 +15,6 @@ # established. Can be added to ~/.ssh/config as follows: # ProxyCommand monkeysphere ssh-proxycommand %h %p -ssh_proxycommand() { - # "marginal case" ouput in the case that there is not a full # validation path to the host output_no_valid_key() { @@ -136,10 +134,9 @@ EOF EOF } -######################################################################## -# export the monkeysphere log level -export MONKEYSPHERE_LOG_LEVEL +# the ssh proxycommand function itself +ssh_proxycommand() { if [ "$1" = '--no-connect' ] ; then NO_CONNECT='true' @@ -170,12 +167,13 @@ URI="ssh://${HOSTP}" # intentionally different than that of running monkeyesphere normally, # and keyserver checking is intentionally done under certain # circumstances. This can be overridden by setting the -# MONKEYSPHERE_CHECK_KEYSERVER environment variable. +# MONKEYSPHERE_CHECK_KEYSERVER environment variable, or by setting the +# CHECK_KEYSERVER variable in the monkeysphere.conf file. # if the host is in the gpg keyring... if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then # do not check the keyserver - CHECK_KEYSERVER="false" + CHECK_KEYSERVER=${CHECK_KEYSERVER:="false"} # if the host is NOT in the keyring... else @@ -188,20 +186,22 @@ else # FIXME: more nuanced checking should be done here to properly # take into consideration hosts that join monkeysphere by # converting an existing and known ssh key - CHECK_KEYSERVER="false" + CHECK_KEYSERVER=${CHECK_KEYSERVER:="false"} # if the host key is not found in the known_hosts file... else # check the keyserver - CHECK_KEYSERVER="true" + CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} fi fi -# set and export the variable for use by monkeysphere -MONKEYSPHERE_CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="$CHECK_KEYSERVER"} -export MONKEYSPHERE_CHECK_KEYSERVER + +# finally look in the MONKEYSPHERE_ environment variable for a +# CHECK_KEYSERVER setting to override all else +CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=$CHECK_KEYSERVER} # update the known_hosts file for the host -monkeysphere update-known_hosts "$HOSTP" +source "${MSHAREDIR}/update_known_hosts" +update_known_hosts "$HOSTP" # output on depending on the return of the update-known_hosts # subcommand, which is (ultimately) the return code of the |