diff options
| -rwxr-xr-x | Makefile | 1 | ||||
| -rw-r--r-- | man/man1/monkeysphere.1 | 2 | ||||
| -rw-r--r-- | man/man8/monkeysphere-authentication.8 | 7 | ||||
| -rwxr-xr-x | src/monkeysphere-authentication | 6 | ||||
| -rwxr-xr-x | src/monkeysphere-authentication-keys-for-user | 2 | ||||
| -rwxr-xr-x | src/share/checkperms | 2 | ||||
| -rw-r--r-- | src/share/ma/keys_for_user | 50 |
7 files changed, 67 insertions, 3 deletions
@@ -42,6 +42,7 @@ install: all installman printf "Monkeysphere %s\n" $(MONKEYSPHERE_VERSION) > $(DESTDIR)$(PREFIX)/share/monkeysphere/VERSION install src/monkeysphere $(DESTDIR)$(PREFIX)/bin install src/monkeysphere-host src/monkeysphere-authentication $(DESTDIR)$(PREFIX)/sbin + install src/monkeysphere-authentication-keys-for-user $(DESTDIR)$(PREFIX)/share/monkeysphere install -m 0644 src/share/common $(DESTDIR)$(PREFIX)/share/monkeysphere install -m 0644 src/share/defaultenv $(DESTDIR)$(PREFIX)/share/monkeysphere install -m 0755 src/share/checkperms $(DESTDIR)$(PREFIX)/share/monkeysphere diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 25421ce..91a9b1c 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -1,4 +1,4 @@ -.TH MONKEYSPHERE "1" "June 2008" "monkeysphere 0.1" "User Commands" +.TH MONKEYSPHERE "1" "June 2008" "monkeysphere" "User Commands" .SH NAME diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index 7c12673..e9e24b0 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -1,4 +1,4 @@ -.TH MONKEYSPHERE-AUTHENTICATION "8" "January 2010" "monkeysphere" "System Commands" +.TH MONKEYSPHERE-AUTHENTICATION "8" "July 3, 2010" "monkeysphere" "System Commands" .SH NAME @@ -42,6 +42,11 @@ Refresh all keys in the monkeysphere-authentication keyring. If no accounts are specified, then all accounts on the system are processed. `r' may be used in place of `refresh\-keys'. .TP +.B keys\-for\-user USER +Output to stdout all acceptable keys for a given user. User IDs are +read from the user's authorized_user_ids file (see +MONKEYSPHERE_AUTHORIZED_USER_IDS below). +.TP .B add\-id\-certifier KEYID|FILE Instruct system to trust user identity certifications made by KEYID. The key ID will be loaded from the keyserver. A file may be loaded diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 8c58645..af8c40d 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -55,6 +55,7 @@ Monkeysphere authentication admin tool. subcommands: update-users (u) [USER]... update user authorized_keys files refresh-keys (r) refresh keys in keyring + keys-for-user USER output valid keys for user add-id-certifier (c+) KEYID|FILE import and tsign a certification key [--domain (-n) DOMAIN] limit ID certifications to DOMAIN @@ -177,6 +178,11 @@ case $COMMAND in gpg_sphere "--keyserver $KEYSERVER --refresh-keys" ;; + 'keys-for-user') + source "${MASHAREDIR}/keys_for_user" + keys_for_user "$@" + ;; + 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+') source "${MASHAREDIR}/setup" setup diff --git a/src/monkeysphere-authentication-keys-for-user b/src/monkeysphere-authentication-keys-for-user new file mode 100755 index 0000000..fb589ea --- /dev/null +++ b/src/monkeysphere-authentication-keys-for-user @@ -0,0 +1,2 @@ +#!/usr/bin/env sh +exec monkeysphere-authentication keys-for-user "$@" diff --git a/src/share/checkperms b/src/share/checkperms index aa67d96..3f8ad56 100755 --- a/src/share/checkperms +++ b/src/share/checkperms @@ -88,7 +88,7 @@ sub permissions_ok { # OpenSSH sources for an explanation of this bailout (see also # monkeysphere #675): if ($path eq $user->dir) { - mslog('DEBUG', "stopping at the %s's home directory '%s'\n", $user->name, $path); + mslog('DEBUG', "stopping at %s's home directory '%s'\n", $user->name, $path); return undef; } diff --git a/src/share/ma/keys_for_user b/src/share/ma/keys_for_user new file mode 100644 index 0000000..f48d5d3 --- /dev/null +++ b/src/share/ma/keys_for_user @@ -0,0 +1,50 @@ +# -*-shell-script-*- +# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) + +# Monkeysphere authentication keys-for-user subcommand +# +# The monkeysphere scripts are written by: +# Jameson Rollins <jrollins@finestructure.net> +# Daniel Kahn Gillmor <dkg@fifthhorseman.net> +# +# They are Copyright 2008-2010, and are all released under the GPL, +# version 3 or later. + +# This command could be run as an sshd AuthorizedKeysCommand to +# provide the authorized keys for a user, based on OpenPGP user id's +# listed in the user's authorized_user_ids file. + +keys_for_user() { + +local uname +local authorizedUserIDs +local line +local userIDs + +# get users from command line +uname="$1" + +# path to authorized_user_ids file, translating ssh-style path +# variables +authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") + +# exit if the authorized_user_ids file is empty +if [ ! -s "$authorizedUserIDs" ] ; then + failure "authorized_user_ids file '$authorizedUserIDs' is empty or does not exist." +fi + +log debug "authorized_user_ids file: $authorizedUserIDs" + +# check permissions on the authorized_user_ids file path +check_key_file_permissions "$uname" "$authorizedUserIDs" || failure + +GNUPGHOME="$GNUPGHOME_SPHERE" +export GNUPGHOME + +# extract user IDs from authorized_user_ids file +IFS=$'\n' +for line in $(meat "$authorizedUserIDs") ; do + su_monkeysphere_user ". ${SYSSHAREDIR}/common; keys_for_userid '$line'" +done + +} |