diff options
-rw-r--r-- | debian/changelog | 7 | ||||
-rwxr-xr-x | debian/monkeysphere.postinst | 4 | ||||
-rwxr-xr-x | debian/monkeysphere.preinst | 22 | ||||
-rw-r--r-- | etc/gnupg-authentication.conf | 7 | ||||
-rw-r--r-- | etc/gnupg-host.conf | 2 | ||||
-rw-r--r-- | src/common | 26 | ||||
-rwxr-xr-x | src/monkeysphere | 8 | ||||
-rwxr-xr-x | src/monkeysphere-server | 50 | ||||
-rw-r--r-- | website/bugs/genericize-filesystem-locations-for-testsuite.mdwn | 4 | ||||
-rw-r--r-- | website/bugs/postinst-clobbers-gpg.conf-settings.mdwn | 7 |
10 files changed, 92 insertions, 45 deletions
diff --git a/debian/changelog b/debian/changelog index 32d5a19..7acf323 100644 --- a/debian/changelog +++ b/debian/changelog @@ -13,7 +13,12 @@ monkeysphere (0.16~pre-1) UNRELEASED; urgency=low * monkeysphere-server diagnostics now counts problems and suggests a re-run after they have been resolved. - -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 11 Sep 2008 23:16:31 -0400 + [ Jameson Graef Rollins ] + * Genericize fs location variables. + * break out gpg.conf files into SYSCONFIGDIR, and not auto-generated at + install. + + -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Sat, 11 Oct 2008 14:27:17 -0400 monkeysphere (0.15-1) experimental; urgency=low diff --git a/debian/monkeysphere.postinst b/debian/monkeysphere.postinst index bd3062f..27a50e0 100755 --- a/debian/monkeysphere.postinst +++ b/debian/monkeysphere.postinst @@ -20,9 +20,9 @@ fi # install host gnupg home directory install --owner root --group monkeysphere --mode 750 -d "$VARLIB"/gnupg-host # link in the gpg.conf -ln -s "$ETC"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf +ln -sTf "$ETC"/gpg-host.conf "$VARLIB"/gnupg-host/gpg.conf # install authentication gnupg home directory install --owner monkeysphere --group monkeysphere --mode 700 -d "$VARLIB"/gnupg-authentication # link in the gpg.conf -ln -s "$ETC"/gnupg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf +ln -sTf "$ETC"/gpg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf diff --git a/debian/monkeysphere.preinst b/debian/monkeysphere.preinst new file mode 100755 index 0000000..860286b --- /dev/null +++ b/debian/monkeysphere.preinst @@ -0,0 +1,22 @@ +#!/bin/sh -e + +# preinst script for monkeysphere + +# Author: Jameson Rollins <jrollins@fifthhorseman.net> +# Copyright 2008 + +ETC="/etc/monkeysphere" +VARLIB="/var/lib/monkeysphere" + +# move the gpg.conf files from the GNUPGHOMEs if they're there to +# /etc, where they will be linked back into the GNUPGHOMEs later +if [ -f "$VARLIB"/gnupg-host/gpg.conf -a ! -L "$VARLIB"/gnupg-host/gpg.conf ] ; then + mv "$VARLIB"/gnupg-host/gpg.conf "$ETC"/gpg-host.conf + chown root:root "$ETC"/gpg-host.conf + ln -s "$ETC"/gpg-host.conf "$VARLIB"/gnupg-host/gpg.conf +fi +if [ -f "$VARLIB"/gnupg-authentication/gpg.conf -a ! -L "$VARLIB"/gnupg-authentication/gpg.conf ] ; then + mv "$VARLIB"/gnupg-authentication/gpg.conf "$ETC"/gpg-authentication.conf + chown root:root "$ETC"/gpg-authentication.conf + ln -s "$ETC"/gpg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf +fi diff --git a/etc/gnupg-authentication.conf b/etc/gnupg-authentication.conf index 760c5e3..e00d317 100644 --- a/etc/gnupg-authentication.conf +++ b/etc/gnupg-authentication.conf @@ -1,8 +1,15 @@ # Monkeysphere authentication GNUPG home gpg.conf +# Location of the various Monkeysphere keyrings. +# It is highly recommended that you +# DO NOT MODIFY +# these variables. primary-keyring /var/lib/monkeysphere/gnupg-authentication/pubring.gpg keyring /var/lib/monkeysphere/gnupg-host/pubring.gpg +# PGP keyserver to use for PGP queries. keyserver hkp://pgp.mit.edu +# GPG list options. It is recommended that you have at least +# "show-uid-validity". list-options show-uid-validity diff --git a/etc/gnupg-host.conf b/etc/gnupg-host.conf index c450910..66c668b 100644 --- a/etc/gnupg-host.conf +++ b/etc/gnupg-host.conf @@ -1,3 +1,5 @@ # Monkeysphere host GNUPG home gpg.conf +# GPG list options. It is recommended that you have at least +# "show-uid-validity". list-options show-uid-validity @@ -515,7 +515,7 @@ gpg_fetch_userid() { userID="$1" - log info " checking keyserver $KEYSERVER... " + log verbose " checking keyserver $KEYSERVER... " echo 1,2,3,4,5 | \ gpg --quiet --batch --with-colons \ --command-fd 0 --keyserver "$KEYSERVER" \ @@ -608,17 +608,17 @@ process_user_id() { # if overall key is not valid, skip if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then - log error " - unacceptable primary key validity ($validity)." + log debug " - unacceptable primary key validity ($validity)." continue fi # if overall key is disabled, skip if check_capability "$usage" 'D' ; then - log error " - key disabled." + log debug " - key disabled." continue fi # if overall key capability is not ok, skip if ! check_capability "$usage" $requiredPubCapability ; then - log error " - unacceptable primary key capability ($usage)." + log debug " - unacceptable primary key capability ($usage)." continue fi @@ -632,7 +632,7 @@ process_user_id() { ;; 'uid') # user ids if [ "$lastKey" != pub ] ; then - log error " - got a user ID after a sub key?! user IDs should only follow primary keys!" + log verbose " - got a user ID after a sub key?! user IDs should only follow primary keys!" continue fi # if an acceptable user ID was already found, skip @@ -660,7 +660,7 @@ process_user_id() { echo "0:${sshKey}" fi else - log error " - unacceptable primary key." + log debug " - unacceptable primary key." if [ -z "$sshKey" ] ; then log error " ! primary key could not be translated (not RSA or DSA?)." else @@ -716,7 +716,7 @@ process_user_id() { echo "0:${sshKey}" fi else - log error " - unacceptable sub key." + log debug " - unacceptable sub key." if [ -z "$sshKey" ] ; then log error " ! sub key could not be translated (not RSA or DSA?)." else @@ -845,7 +845,7 @@ update_known_hosts() { # note if the known_hosts file was updated if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then - log verbose "known_hosts file updated." + log debug "known_hosts file updated." fi # if an acceptable host was found, return 0 @@ -868,12 +868,12 @@ update_known_hosts() { process_known_hosts() { local hosts - log verbose "processing known_hosts file..." + log debug "processing known_hosts file..." hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ') if [ -z "$hosts" ] ; then - log error "no hosts to process." + log debug "no hosts to process." return fi @@ -988,7 +988,7 @@ update_authorized_keys() { # note if the authorized_keys file was updated if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then - log verbose "authorized_keys file updated." + log debug "authorized_keys file updated." fi # if an acceptable id was found, return 0 @@ -1015,10 +1015,10 @@ process_authorized_user_ids() { authorizedUserIDs="$1" - log verbose "processing authorized_user_ids file..." + log debug "processing authorized_user_ids file..." if ! meat "$authorizedUserIDs" > /dev/null ; then - log error "no user IDs to process." + log debug "no user IDs to process." return fi diff --git a/src/monkeysphere b/src/monkeysphere index 78bf50d..1db4f20 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -13,9 +13,9 @@ ######################################################################## PGRM=$(basename $0) -SHARE=${MONKEYSPHERE_SHARE:-"/usr/share/monkeysphere"} -export SHARE -. "${SHARE}/common" || exit 1 +SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} +export SYSSHAREDIR +. "${SYSSHAREDIR}/common" || exit 1 # UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') @@ -36,7 +36,7 @@ umask 077 usage() { cat <<EOF >&2 usage: $PGRM <subcommand> [options] [args] -MonkeySphere client tool. +Monkeysphere client tool. subcommands: update-known_hosts (k) [HOST]... update known_hosts file diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 6cef897..60a83af 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -13,11 +13,11 @@ ######################################################################## PGRM=$(basename $0) -SHARE=${MONKEYSPHERE_SHARE:-"/usr/share/monkeysphere"} -export SHARE -. "${SHARE}/common" || exit 1 +SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} +export SYSSHAREDIR +. "${SYSSHAREDIR}/common" || exit 1 -SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere" +SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} export SYSDATADIR # UTC date in ISO 8601 format if needed @@ -36,7 +36,7 @@ RETURN=0 usage() { cat <<EOF >&2 usage: $PGRM <subcommand> [options] [args] -MonkeySphere server admin tool. +Monkeysphere server admin tool. subcommands: update-users (u) [USER]... update user authorized_keys files @@ -151,7 +151,7 @@ update_users() { fi # make sure the authorized_keys directory exists - mkdir -p "${VARLIB}/authorized_keys" + mkdir -p "${SYSDATADIR}/authorized_keys" # loop over users for uname in $unames ; do @@ -221,7 +221,7 @@ update_users() { # process authorized_user_ids file, as monkeysphere # user su_monkeysphere_user \ - ". ${SHARE}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" + ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" RETURN="$?" fi @@ -240,7 +240,7 @@ update_users() { chmod g+r "$AUTHORIZED_KEYS" # move the resulting authorized_keys file into place - mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}" + mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}" # destroy temporary directory rm -rf "$TMPLOC" @@ -364,8 +364,8 @@ EOF # NOTE: assumes that the primary key is the proper key to use (umask 077 && \ gpg_host --export-secret-key "$fingerprint" | \ - openpgp2ssh "$fingerprint" > "${VARLIB}/ssh_host_rsa_key") - log info "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" + openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key") + log info "Private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key" } # extend the lifetime of a host key: @@ -575,8 +575,8 @@ diagnostics() { problemsfound=$(($problemsfound+1)) fi - if ! [ -d "$VARLIB" ] ; then - echo "! no $VARLIB directory found. Please create it." + if ! [ -d "$SYSDATADIR" ] ; then + echo "! no $SYSDATADIR directory found. Please create it." problemsfound=$(($problemsfound+1)) fi @@ -650,22 +650,22 @@ diagnostics() { # Ensure that the ssh_host_rsa_key file is present and non-empty: echo echo "Checking host SSH key..." - if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then - echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty." + if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then + echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty." problemsfound=$(($problemsfound+1)) else - if [ $(ls -l "${VARLIB}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then - echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600." + if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then + echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600." problemsfound=$(($problemsfound+1)) fi # propose changes needed for sshd_config (if any) - if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then - echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)." - echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'" + if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then + echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)." + echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'" problemsfound=$(($problemsfound+1)) fi - if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then + if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then echo "! $sshd_config refers to some non-monkeysphere host keys:" echo "$badhostkeys" echo " - Recommendation: remove the above HostKey lines from $sshd_config" @@ -689,12 +689,12 @@ diagnostics() { echo echo "Checking for MonkeySphere-enabled public-key authentication for users ..." # Ensure that User ID authentication is enabled: - if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" "$sshd_config"; then + if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then echo "! $sshd_config does not point to monkeysphere authorized keys." - echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'" + echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'" problemsfound=$(($problemsfound+1)) fi - if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then + if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then echo "! $sshd_config refers to non-monkeysphere authorized_keys files:" echo "$badauthorizedkeys" echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" @@ -927,8 +927,8 @@ MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkey # other variables CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} -GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${VARLIB}/gnupg-host"} -GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${VARLIB}/gnupg-authentication"} +GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"} +GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"} # export variables needed in su invocation export DATE diff --git a/website/bugs/genericize-filesystem-locations-for-testsuite.mdwn b/website/bugs/genericize-filesystem-locations-for-testsuite.mdwn index 1d70313..d52908e 100644 --- a/website/bugs/genericize-filesystem-locations-for-testsuite.mdwn +++ b/website/bugs/genericize-filesystem-locations-for-testsuite.mdwn @@ -26,3 +26,7 @@ I guess i'm proposing something like: Thoughts? --dkg + +--- + +[[bugs/done]] on 2008-10-11 diff --git a/website/bugs/postinst-clobbers-gpg.conf-settings.mdwn b/website/bugs/postinst-clobbers-gpg.conf-settings.mdwn index e58b9c7..1463ebd 100644 --- a/website/bugs/postinst-clobbers-gpg.conf-settings.mdwn +++ b/website/bugs/postinst-clobbers-gpg.conf-settings.mdwn @@ -26,3 +26,10 @@ apparatus, which is nice. If we do want to do that, I guess we'd symlink to them from the monkeysphere-specific `$GNUPGHOME`s in `/var/lib/monkeysphere`, since `gpg` does not seem to allow for overriding the location of the `gpg.conf` independent of `$GNUPGHOME`. + +--- + +All the gpg.conf files now reside in /etc/monkeysphere, and are linked +in into the GNUPGHOMEs in /var/lib/monkeysphere. + +[[bugs/done]] on 2008-10-11 |