diff options
| -rw-r--r-- | etc/monkeysphere-server.conf | 9 | ||||
| -rw-r--r-- | etc/monkeysphere.conf | 6 | ||||
| -rw-r--r-- | src/common | 33 | ||||
| -rwxr-xr-x | src/monkeysphere | 3 | ||||
| -rwxr-xr-x | src/monkeysphere-server | 2 |
5 files changed, 34 insertions, 19 deletions
diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf index 3c16c5f..82da497 100644 --- a/etc/monkeysphere-server.conf +++ b/etc/monkeysphere-server.conf @@ -1,20 +1,23 @@ # MonkeySphere server configuration file. +# This is an sh-style shell configuration file. Variable names should +# be separated from their assignements by a single '=' and no spaces. + # GPG home directory for server #GNUPGHOME=/etc/monkeysphere/gnupg # GPG keyserver to search for keys #KEYSERVER=subkeys.pgp.net -# Required key capabilities +# Required user key capabilities # Must be quoted, lowercase, space-seperated list of the following: # e = encrypt # s = sign # c = certify # a = authentication -#REQUIRED_KEY_CAPABILITY="e a" +#REQUIRED_USER_KEY_CAPABILITY="a" # Whether to add user controlled authorized_keys file to # monkeysphere-generated authorized_keys file. Should be path to file -# where '%h' will be substituted for the user's home directory. +# where '%h' will be replaced by the home directory of the user. #USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index 385165a..d478b93 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf @@ -1,5 +1,8 @@ # MonkeySphere system-wide client configuration file. +# This is an sh-style shell configuration file. Variable names should +# be separated from their assignements by a single '=' and no spaces. + # authorized_user_ids file #AUTHORIZED_USER_IDS=~/.config/monkeysphere/authorized_user_ids @@ -15,7 +18,8 @@ # s = sign # c = certify # a = authentication -#REQUIRED_KEY_CAPABILITY="e a" +#REQUIRED_HOST_KEY_CAPABILITY="e a" +#REQUIRED_USER_KEY_CAPABILITY="a" # Path to user-controlled authorized_keys file to add to # Monkeysphere-generated authorized_keys file. If empty, then no @@ -1,13 +1,13 @@ # -*-shell-script-*- -# Shared bash functions for the monkeysphere +# Shared sh functions for the monkeysphere # # Written by # Jameson Rollins <jrollins@fifthhorseman.net> # # Copyright 2008, released under the GPL, version 3 or later -# all caps variables are meant to be user supplied (ie. from config +# all-caps variables are meant to be user supplied (ie. from config # file) and are considered global ######################################################################## @@ -123,13 +123,14 @@ gpg2authorized_keys() { # userid and key policy checking # the following checks policy on the returned keys # - checks that full key has appropriate valididy (u|f) -# - checks key has specified capability (REQUIRED_KEY_CAPABILITY) +# - checks key has specified capability (REQUIRED_*_KEY_CAPABILITY) # - checks that particular desired user id has appropriate validity # see /usr/share/doc/gnupg/DETAILS.gz # expects global variable: "MODE" process_user_id() { local userID local cacheDir + local requiredCapability local requiredPubCapability local gpgOut local line @@ -148,7 +149,13 @@ process_user_id() { userID="$1" cacheDir="$2" - requiredPubCapability=$(echo "$REQUIRED_KEY_CAPABILITY" | tr "[:lower:]" "[:upper:]") + # set the required key capability based on the mode + if [ "$MODE" = 'known_hosts' ] ; then + requiredCapability="$REQUIRED_HOST_KEY_CAPABILITY" + elif [ "$MODE" = 'authorized_keys' ] ; then + requiredCapability="$REQUIRED_USER_KEY_CAPABILITY" + fi + requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]") # fetch keys from keyserver, return 1 if none found gpg_fetch_userid "$userID" || return 1 @@ -207,7 +214,7 @@ process_user_id() { keyOK=true # add primary key ID to key list if it has required capability - if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then + if check_capability "$capability" $requiredCapability ; then keyIDs[${#keyIDs[*]}]="$keyid" fi ;; @@ -230,7 +237,7 @@ process_user_id() { ;; 'sub') # sub keys # add sub key ID to key list if it has required capability - if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then + if check_capability "$capability" $requiredCapability ; then keyIDs[${#keyIDs[*]}]="$keyid" fi ;; @@ -282,16 +289,16 @@ process_user_id() { update_userid() { local userID local cacheDir - local userIDKeyCache + local keyCache userID="$1" cacheDir="$2" log "processing userid: '$userID'" - userIDKeyCache=$(process_user_id "$userID" "$cacheDir") + keyCachePath=$(process_user_id "$userID" "$cacheDir") - if [ -z "$userIDKeyCache" ] ; then + if [ -z "$keyCachePath" ] ; then return 1 fi if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then @@ -328,17 +335,17 @@ remove_userid() { process_host() { local host local cacheDir - local hostKeyCachePath + local keyCachePath host="$1" cacheDir="$2" log "processing host: '$host'" - hostKeyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") + keyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") if [ $? = 0 ] ; then ssh-keygen -R "$host" -f "$USER_KNOWN_HOSTS" - cat "$hostKeyCachePath" >> "$USER_KNOWN_HOSTS" + cat "$keyCachePath" >> "$USER_KNOWN_HOSTS" fi } @@ -425,7 +432,7 @@ process_authorized_ids() { # EXPERIMENTAL (unused) process userids found in authorized_keys file # go through line-by-line, extract monkeysphere userids from comment # fields, and process each userid -process_userids_from_authorized_keys() { +process_authorized_keys() { local authorizedKeys local cacheDir local userID diff --git a/src/monkeysphere b/src/monkeysphere index 1ba51d7..ff4423b 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -118,7 +118,8 @@ MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"} AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} -REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} +REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"} +REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"} diff --git a/src/monkeysphere-server b/src/monkeysphere-server index e05b4b7..7d11138 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -113,7 +113,7 @@ MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf} # set empty config variable with defaults GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} KEYSERVER=${KEYSERVER:-subkeys.pgp.net} -REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} +REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} export GNUPGHOME |