authorJameson Rollins <jrollins@finestructure.net>2010-10-17 19:14:31 -0400
committerJameson Rollins <jrollins@finestructure.net>2010-10-17 19:18:46 -0400
commit267c6fcda592494466beed500ef78ad955edea8c (patch)
treec5aa4225d04a6e36257e301999fdfd347c196b08 /src
parentcda9b459e520f608bd4fffb778dfc6235a95f4b6 (diff)
fix keys-for-user
This function now properly outputs to stdout exactly what would have been written to the monkeysphere-controlled authorized_keys file, but without actually touching it.
Diffstat (limited to 'src')
-rwxr-xr-xsrc/monkeysphere-authentication16
-rw-r--r--src/share/ma/keys_for_user53
-rw-r--r--src/share/ma/update_users28
3 files changed, 26 insertions, 71 deletions
diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication
index c9f6634..4249d21 100755
--- a/src/monkeysphere-authentication
+++ b/src/monkeysphere-authentication
@@ -51,8 +51,8 @@ Monkeysphere authentication admin tool.
subcommands:
update-users (u) [USER]... update user authorized_keys files
+ keys-for-user (k) USER output user authorized_keys lines to stdout
refresh-keys (r) refresh keys in keyring
- keys-for-user (k) USER output valid keys for user
add-id-certifier (c+) KEYID|FILE import and tsign a certification key
[--domain (-n) DOMAIN] limit ID certifications to DOMAIN
@@ -164,18 +164,20 @@ case $COMMAND in
source "${MASHAREDIR}/setup"
setup
source "${MASHAREDIR}/update_users"
- update_users "$@"
+ OUTPUT_STDOUT= update_users "$@"
;;
- 'refresh-keys'|'refresh'|'r')
+ 'keys-for-user'|'k')
source "${MASHAREDIR}/setup"
setup
- gpg_sphere --keyserver "$KEYSERVER" --refresh-keys
+ source "${MASHAREDIR}/update_users"
+ OUTPUT_STDOUT=true update_users "$1"
;;
- 'keys-for-user'|'k')
- source "${MASHAREDIR}/keys_for_user"
- keys_for_user "$@"
+ 'refresh-keys'|'refresh'|'r')
+ source "${MASHAREDIR}/setup"
+ setup
+ gpg_sphere --keyserver "$KEYSERVER" --refresh-keys
;;
'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
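Review bot: The new keys-for-user arm forwards `"$1"` to update_users without checking that a USER was actually supplied, so running the subcommand bare passes an empty string; how update_users treats an empty name is outside this hunk, but if it falls back to iterating every user the command would print all users' keys rather than one user's. A guard such as `[ -n "$1" ] || failure "keys-for-user requires a USER argument"` before the call would make the usage line's single USER mandatory (failure is the project's existing error helper). Extra positional arguments are silently dropped by `"$1"`, which matches the usage text but could be rejected explicitly for the same reason. The enclosing case statement starts and ends outside the hunk.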
diff --git a/src/share/ma/keys_for_user b/src/share/ma/keys_for_user
deleted file mode 100644
index 6f61828..0000000
--- a/src/share/ma/keys_for_user
+++ /dev/null
@@ -1,53 +0,0 @@
-# -*-shell-script-*-
-# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
-
-# Monkeysphere authentication keys-for-user subcommand
-#
-# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@finestructure.net>
-# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-#
-# They are Copyright 2008-2010, and are all released under the GPL,
-# version 3 or later.
-
-# This command could be run as an sshd AuthorizedKeysCommand to
-# provide the authorized keys for a user, based on OpenPGP user id's
-# listed in the user's authorized_user_ids file.
-
-keys_for_user() {
-
-local uname
-local authorizedUserIDs
-local line
-
-# get users from command line
-uname="$1"
-
-# path to authorized_user_ids file, translating ssh-style path
-# variables
-authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
-
-# exit if the authorized_user_ids file is empty
-if [ ! -s "$authorizedUserIDs" ] ; then
- failure "authorized_user_ids file '$authorizedUserIDs' is empty or does not exist."
-fi
-
-log debug "authorized_user_ids file: $authorizedUserIDs"
-
-# check permissions on the authorized_user_ids file path
-check_key_file_permissions "$uname" "$authorizedUserIDs" || failure
-
-GNUPGHOME="$GNUPGHOME_SPHERE"
-export GNUPGHOME
-
-# extract user IDs from authorized_user_ids file
-IFS=$'\n'
-for line in $(meat "$authorizedUserIDs") ; do
- if [[ "$line" =~ ^[[:space:]] ]] ; then
- continue
- fi
- printf '%s' "$line" | \
- su_monkeysphere_user ". ${SYSSHAREDIR}/common; read X; keys_for_userid \"\$X\"" || true
-done
-
-}
diff --git a/src/share/ma/update_users b/src/share/ma/update_users
index 0086cd3..91acd66 100644
--- a/src/share/ma/update_users
+++ b/src/share/ma/update_users
@@ -129,17 +129,23 @@ for uname in $unames ; do
# the same uid that sshd is launched as); change the group of
# the file so that members of the user's group can read it.
- # FIXME: is there a better way to do this?
- chown $(whoami) "$AUTHORIZED_KEYS" && \
- chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \
- chmod g+r "$AUTHORIZED_KEYS" && \
- mv -f "$AUTHORIZED_KEYS" "${authorizedKeysDir}/${uname}" || \
- {
- log error "Failed to install authorized_keys for '$uname'!"
- rm -f "${authorizedKeysDir}/${uname}"
- # indicate that there has been a failure:
- returnCode=1
- }
+ if [ "$OUTPUT_STDOUT" ] ; then
+ log debug "outputting keys to stdout..."
+ cat "$AUTHORIZED_KEYS"
+ else
+ log debug "moving new file to ${authorizedKeysDir}/${uname}..."
+ # FIXME: is there a better way to do this?
+ chown $(whoami) "$AUTHORIZED_KEYS" && \
+ chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \
+ chmod g+r "$AUTHORIZED_KEYS" && \
+ mv -f "$AUTHORIZED_KEYS" "${authorizedKeysDir}/${uname}" || \
+ {
+ log error "Failed to install authorized_keys for '$uname'!"
+ rm -f "${authorizedKeysDir}/${uname}"
+ # indicate that there has been a failure:
+ returnCode=1
+ }
+ fi
else
rm -f "${authorizedKeysDir}/${uname}"
fi
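Review bot: The unchanged `else` arm at the end of the hunk still runs `rm -f "${authorizedKeysDir}/${uname}"` when OUTPUT_STDOUT is set, so keys-for-user can delete a user's installed authorized_keys file (presumably when the freshly built key list is empty, though the outer condition sits above the hunk) — the opposite of the "without actually touching it" promise in the commit message. The new branch only replaces the install step, not that removal; changing the arm to `elif [ -z "$OUTPUT_STDOUT" ] ; then` would confine the deletion to the file-writing path while stdout mode simply prints nothing. It is also worth a comment above the new `if` noting that in stdout mode stdout is the authoritative key list (the removed keys_for_user header mentioned use as an sshd AuthorizedKeysCommand), so nothing else in this function may write to stdout; that only holds if `log` writes to stderr, which is not visible here. The enclosing function begins outside the hunk.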