diff options
author | Jameson Graef Rollins <jrollins@finestructure.net> | 2009-02-17 23:13:31 -0500 |
---|---|---|
committer | Jameson Graef Rollins <jrollins@finestructure.net> | 2009-02-17 23:13:31 -0500 |
commit | c1924de73702d0f999a44bc63df9bee0d432636a (patch) | |
tree | 0f3ef7031c6a30a30e2c6aefac204d9cd67a7e12 /src | |
parent | 79c139755848692f514080c470fcba3f48b77112 (diff) |
fix ma so that the setup command is folded into the other commands, so
it's never needed to be run manually, and can therefore be supressed
in the usage/documentation. Also, add setup to the postinst script so
that it's setup on installation.
Also add pipefail to ma, and try to supress unnecessary gpg output,
and redirect other to log debug.
Diffstat (limited to 'src')
-rwxr-xr-x | src/monkeysphere-authentication | 36 | ||||
-rwxr-xr-x | src/monkeysphere-host | 7 | ||||
-rw-r--r-- | src/share/ma/add_certifier | 5 | ||||
-rw-r--r-- | src/share/ma/setup | 12 | ||||
-rw-r--r-- | src/share/mh/import_key | 4 | ||||
-rw-r--r-- | src/share/mh/set_expire | 2 |
6 files changed, 36 insertions, 30 deletions
diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index c349e6f..8a4146f 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -14,6 +14,9 @@ ######################################################################## set -e +# set the pipefail option so pipelines fail on first command failure +set -o pipefail + PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} @@ -52,7 +55,6 @@ usage: $PGRM <subcommand> [options] [args] Monkeysphere authentication admin tool. subcommands: - setup (s) setup monkeysphere user authentication update-users (u) [USER]... update user authorized_keys files add-id-certifier (c+) KEYID import and tsign a certification key --domain (-n) DOMAIN limit ID certifications to DOMAIN @@ -95,19 +97,12 @@ core_fingerprint() { | grep ^fpr: | cut -d: -f10 } -# fail if authentication has not been setup -check_no_setup() { - # FIXME: what is the right test to do here? - [ -d "$MADATADIR" ] \ - || failure "This host appears to have not yet been set up for Monkeysphere authentication. -Please run 'monkeysphere-authentication setup' first." -} - # export signatures from core to sphere gpg_core_sphere_sig_transfer() { log debug "exporting core local sigs to sphere..." gpg_core --export-options export-local-sigs --export | \ - gpg_sphere "--import-options import-local-sigs --import" + gpg_sphere "--import-options import-local-sigs --import" \ + 2>&1 | log debug } ######################################################################## @@ -164,40 +159,47 @@ shift case $COMMAND in 'setup'|'setup'|'s') source "${MASHAREDIR}/setup" - setup "$@" + setup ;; 'update-users'|'update-user'|'u') - check_no_setup + source "${MASHAREDIR}/setup" + setup source "${MASHAREDIR}/update_users" update_users "$@" ;; 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+') - check_no_setup + source "${MASHAREDIR}/setup" + setup source "${MASHAREDIR}/add_certifier" add_certifier "$@" ;; 'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-') - check_no_setup + source "${MASHAREDIR}/setup" + setup source "${MASHAREDIR}/remove_certifier" remove_certifier "$@" ;; 'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c') - check_no_setup + source "${MASHAREDIR}/setup" + setup source "${MASHAREDIR}/list_certifiers" - list_certifiers "$@" + list_certifiers ;; 'diagnostics'|'d') + source "${MASHAREDIR}/setup" + setup source "${MASHAREDIR}/diagnostics" diagnostics ;; 'gpg-cmd') - check_no_setup + source "${MASHAREDIR}/setup" + setup gpg_sphere "$@" ;; diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 11121cc..3bee007 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -80,7 +80,8 @@ gpg_host() { GNUPGHOME="$GNUPGHOME_HOST" gpg "$@" } -# command to list the info about the host key, in colon format +# command to list the info about the host key, in colon format, to +# stdout gpg_host_list() { gpg_host --list-keys --with-colons --fixed-list-mode \ --with-fingerprint --with-fingerprint \ @@ -92,8 +93,8 @@ gpg_host_list() { # FIXME: should we supress all the edit script spew? or pipe it # through log debug? gpg_host_edit() { - gpg_host --quiet --command-fd 0 --edit-key \ - "0x${HOST_FINGERPRINT}!" "$@" + gpg_host --quiet --command-fd 0 --no-tty --edit-key \ + "0x${HOST_FINGERPRINT}!" "$@" 2>&1 | log debug } # export the host public key to the monkeysphere gpg pub key file diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index 54ea673..d34f0de 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier @@ -151,14 +151,15 @@ EOF # core ltsigns the newly imported certifier key log debug "executing core ltsign script..." if echo "$ltsignCommand" | \ - gpg_core --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then + gpg_core --quiet --command-fd 0 --no-tty --edit-key "0x${fingerprint}!" \ + 2>&1 | log debug ; then # transfer the new sigs back to the sphere keyring gpg_core_sphere_sig_transfer # update the sphere trustdb log debug "updating sphere trustdb..." - gpg_sphere "--check-trustdb" + gpg_sphere "--check-trustdb" 2>&1 | log debug log info "Identity certifier added." else diff --git a/src/share/ma/setup b/src/share/ma/setup index f59187b..a17e4f2 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -59,7 +59,7 @@ EOF log debug "generating monkeysphere authentication trust core key ($CORE_KEYLENGTH bits)..." PEM2OPENPGP_USAGE_FLAGS=certify \ PEM2OPENPGP_NEWKEY=$CORE_KEYLENGTH pem2openpgp "$CORE_UID" \ - | gpg_core --import \ + | gpg_core --import 2>&1 | log debug \ || failure "Could not import new key for Monkeysphere authentication trust core" # get fingerprint of core key. should definitely not be empty at this point @@ -75,17 +75,17 @@ EOF # export the core key to the sphere keyring log debug "exporting core pub key to sphere keyring..." - gpg_core --export | gpg_sphere --import + gpg_core --quiet --export | gpg_sphere "--quiet --import" # ensure that the authentication sphere checker has absolute ownertrust on the expected key. log debug "setting ultimate owner trust on core key in gpg_sphere..." - printf "%s:6:\n" "$CORE_FPR" | gpg_sphere --import-ownertrust - gpg_sphere --export-ownertrust | log debug + printf "%s:6:\n" "$CORE_FPR" | gpg_sphere "--quiet --import-ownertrust" + gpg_sphere "--export-ownertrust" 2>&1 | log debug # check the owner trust log debug "checking gpg_sphere owner trust set properly..." local ORIG_TRUST - if ORIG_TRUST=$(gpg_sphere --export-ownertrust | grep '^[^#]') ; then + if ORIG_TRUST=$(gpg_sphere "--quiet --export-ownertrust" | grep '^[^#]') ; then if [ "${CORE_FPR}:6:" != "$ORIG_TRUST" ] ; then failure "Monkeysphere authentication trust sphere should explicitly trust the core. It does not have proper ownertrust settings." fi @@ -98,7 +98,7 @@ EOF # our preferences are reasonable (i.e. 3 marginal OR 1 fully # trusted certifications are sufficient to grant full validity. log debug "checking trust model for authentication ..." - local TRUST_MODEL=$(gpg_sphere "--with-colons --fixed-list-mode --list-keys" \ + local TRUST_MODEL=$(gpg_sphere "--quiet --with-colons --fixed-list-mode --list-keys" \ | head -n1 | grep "^tru:" | cut -d: -f3,6,7) log debug "sphere trust model: $TRUST_MODEL" if [ "$TRUST_MODEL" != '1:3:1' ] ; then diff --git a/src/share/mh/import_key b/src/share/mh/import_key index d14fc13..557bb7f 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key @@ -46,7 +46,7 @@ chmod 700 "${GNUPGHOME_HOST}" log verbose "importing ssh key..." # translate ssh key to a private key PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \ - | gpg_host --import + | gpg_host --import 2>&1 | log debug # load the new host fpr into the fpr variable. this is so we can # create the gpg pub key file. we have to do this from the secret key @@ -57,6 +57,8 @@ load_fingerprint_secret # export to gpg public key to file update_gpg_pub_file +log info "host key imported:" + # show info about new key show_key diff --git a/src/share/mh/set_expire b/src/share/mh/set_expire index 14d2501..ae7c13a 100644 --- a/src/share/mh/set_expire +++ b/src/share/mh/set_expire @@ -30,7 +30,7 @@ else log debug "extending without prompting." fi -log info "setting host key expiration to ${extendTo}:" +log info "setting host key expiration to ${extendTo}." log debug "executing host expire script..." gpg_host_edit expire <<EOF |