-rw-r--r-- | packaging/debian/changelog | 4 | ||||
-rw-r--r-- | src/share/m/ssh_proxycommand | 137 | ||||
-rw-r--r-- | website/download.mdwn | 3 | ||||
-rw-r--r-- | website/news/0.24-accepted-in-Debian-testing.mdwn | 10 |
4 files changed, 88 insertions, 66 deletions
diff --git a/packaging/debian/changelog b/packaging/debian/changelog
index 70fef9f..16e7f21 100644
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -1,11 +1,11 @@
 monkeysphere (0.25-1~pre) UNRELEASED; urgency=low
 * New upstream release:
- - fix the marginal ui output so that it's not prefixed by the LOG_PREFIX
+ - update/fix the marginal ui output
 - use msmktempdir everywhere (avoid unwrapped calls to mktemp for portability)
- -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 07 Mar 2009 12:28:13 -0500
+ -- Jameson Graef Rollins <jrollins@finestructure.net> Wed, 18 Mar 2009 11:46:44 -0400
 monkeysphere (0.24-1) unstable; urgency=low
diff --git a/src/share/m/ssh_proxycommand b/src/share/m/ssh_proxycommand
index 7ab4bec..2078445 100644
--- a/src/share/m/ssh_proxycommand
+++ b/src/share/m/ssh_proxycommand
@@ -36,52 +36,55 @@ output_no_valid_key() {
 LOG_PREFIX=
- cat <<EOF | log info
--------------------- Monkeysphere warning -------------------
-Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
-EOF
-
- # retrieve the actual ssh key
- sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
- # FIXME: should we do any checks for failed keyscans, eg. host not
- # found?
+ # retrieve the ssh key being offered by the host
+ sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null \
+ | awk '{ print $2, $3 }')
 # get the gpg info for userid
 gpgOut=$(gpg_user --list-key --fixed-list-mode --with-colon \
 --with-fingerprint --with-fingerprint \
 ="$userID" 2>/dev/null)
- # find all 'pub' and 'sub' lines in the gpg output, which each
- # represent a retrieved key for the user ID
- echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
- while IFS=: read -r type validity keyid uidfpr usage ; do
- case $type in
- 'pub'|'sub')
- # get the ssh key of the gpg key
- sshKeyGPG=$(gpg2ssh "$keyid")
-
- # if one of keys found matches the one offered by the
- # host, then output info
- if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
- cat <<EOF | log info
+ # output header
+ cat <<EOF | log info
+-------------------- Monkeysphere warning -------------------
+Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
+EOF
+
+ # if the host key is retrieved from the host, check against known
+ # OpenPGP keys
+ if [ "$sshKeyOffered" ] ; then
+ # find all 'pub' and 'sub' lines in the gpg output, which each
+ # represent a retrieved key for the user ID
+ echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
+ while IFS=: read -r type validity keyid uidfpr usage ; do
+ case $type in
+ 'pub'|'sub')
+ # get the ssh key of the gpg key
+ sshKeyGPG=$(gpg2ssh "$keyid")
+
+ # if one of keys found matches the one offered by the
+ # host, then output info
+ if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
+ cat <<EOF | log info
 An OpenPGP key matching the ssh key offered by the host was found:
 EOF
- sshKeyGPGFile=$(msmktempfile)
- printf "%s" "$sshKeyGPG" >"$sshKeyGPGFile"
- sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \
- awk '{ print $2 }')
- rm -f "$sshKeyGPGFile"
+ sshKeyGPGFile=$(msmktempfile)
+ printf "%s" "$sshKeyGPG" >"$sshKeyGPGFile"
+ sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \
+ awk '{ print $2 }')
+ rm -f "$sshKeyGPGFile"
- # get the sigs for the matching key
- gpgSigOut=$(gpg_user --check-sigs \
- --list-options show-uid-validity \
- "$keyid")
+ # get the sigs for the matching key
+ gpgSigOut=$(gpg_user --check-sigs \
+ --list-options show-uid-validity \
+ "$keyid")
- # output the sigs, but only those on the user ID
- # we are looking for
- echo "$gpgSigOut" | awk '
+ # output the sigs, but only those on the user ID
+ # we are looking for
+ echo "$gpgSigOut" | awk '
 {
 if (match($0,"^pub")) { print; }
 if (match($0,"^uid")) { ok=0; }
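Review bot: The new `if [ "$sshKeyOffered" ] ; then` guard detects an empty ssh-keyscan result, but the retained `2>/dev/null` on the `sshKeyOffered=$(ssh-keyscan ...)` line discards the reason (unreachable host, timeout, host offering no RSA key), so the fallback message in the following hunk can only say the key could not be retrieved. I would write the test as `[ -n "$sshKeyOffered" ]` and, if the `log` helper has a debug level, keep the diagnostics reachable with `2> >(log debug)` in place of `2>/dev/null`. Also worth a comment above the keyscan, since the point is easy to miss: `# NOTE: ssh-keyscan opens its own unauthenticated connection, so the key it reports is not necessarily the one ssh itself is offered; it is compared here only to drive this advisory output`. As far as this hunk shows the match result affects only what is logged, so a mismatch is a UI concern rather than an authentication decision, but that should be stated. The enclosing output_no_valid_key() body continues past the end of this hunk.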
@@ -89,50 +92,58 @@ if (match($0,"^uid.*'$userID'$")) { ok=1; print; }
 if (ok) { if (match($0,"^sig")) { print; } }
 }
 ' | log info
- echo | log info
+ echo | log info
- # output the other user IDs for reference
- if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
- cat <<EOF | log info
+ # output the other user IDs for reference
+ if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
+ cat <<EOF | log info
 Other user IDs on this key:
 EOF
- echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" | log info
- echo | log info
- fi
+ echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" | log info
+ echo | log info
+ fi
- # output ssh fingerprint
- cat <<EOF | log info
+ # output ssh fingerprint
+ cat <<EOF | log info
 RSA key fingerprint is ${sshFingerprint}.
 EOF
- # this whole process is in a "while read"
- # subshell. the only way to get information out
- # of the subshell is to change the return code.
- # therefore we return 1 here to indicate that a
- # matching gpg key was found for the ssh key
- # offered by the host
- return 1
- fi
- ;;
- esac
- done || returnCode="$?"
-
- # if no key match was made (and the "while read" subshell returned
- # 1) output how many keys were found
- if (( returnCode != 1 )) ; then
- cat <<EOF | log info
+ # this whole process is in a "while read"
+ # subshell. the only way to get information
+ # out of the subshell is to change the return
+ # code. therefore we return 1 here to
+ # indicate that a matching gpg key was found
+ # for the ssh key offered by the host
+ return 1
+ fi
+ ;;
+ esac
+ done || returnCode="$?"
+
+ # if no key match was made (and the "while read" subshell
+ # returned 1) output how many keys were found
+ if (( returnCode != 1 )) ; then
+ cat <<EOF | log info
 None of the found keys matched the key offered by the host.
Run the following command for more info about the found keys:
 gpg --check-sigs --list-options show-uid-validity =${userID}
 EOF
- # FIXME: should we do anything extra here if the retrieved
- # host key is actually in the known_hosts file and the ssh
- # connection will succeed? Should the user be warned?
- # prompted?
+ # FIXME: should we do anything extra here if the retrieved
+ # host key is actually in the known_hosts file and the ssh
+ # connection will succeed? Should the user be warned?
+ # prompted?
+ fi
+
+ # if host key could not be retrieved from the host, output message
+ else
+ cat <<EOF | log info
+Could not retrieve RSA host key from $HOST.
+EOF
 fi
+ # output footer
 cat <<EOF | log info
 -------------------- ssh continues below --------------------
 EOF
diff --git a/website/download.mdwn b/website/download.mdwn
index a9b6cc4..1dd5366 100644
--- a/website/download.mdwn
+++ b/website/download.mdwn
@@ -18,7 +18,8 @@ Monkeysphere relies on:
 ## Debian ##
 If you are running a [Debian](http://www.debian.org/) system, the
-[monkeysphere is available in the Debian archive](http://packages.debian.org/sid/monkeysphere).
+[monkeysphere is available in the Debian testing ("squeeze")
+distribution](http://packages.debian.org/testing/monkeysphere).
 You can also install the Monkeysphere directly from the Monkeysphere
 Debian archive. You can add this archive to your system by putting
diff --git a/website/news/0.24-accepted-in-Debian-testing.mdwn b/website/news/0.24-accepted-in-Debian-testing.mdwn
new file mode 100644
index 0000000..4222493
--- /dev/null
+++ b/website/news/0.24-accepted-in-Debian-testing.mdwn
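Review bot: `if (( returnCode != 1 )) ; then` relies on `returnCode` being unset or empty when the `while read` subshell exits 0, because the re-indented `done || returnCode="$?"` only assigns on the failure path; unless the function prologue (outside this hunk) initialises it, the test silently treats an unset name as 0 and would fail under `set -u`. Assigning on both paths, `done && returnCode=0 || returnCode="$?"`, removes that dependency without changing the match/no-match logic. Separately, `$userID` is used as a regular expression in `grep -v -q "$userID"` and `grep -v "$userID"` (and is interpolated into the awk program in the preceding context); `grep -F -v -e "$userID"` would make those matches literal and safe against a leading dash. The FIXME about a keyscanned key that is already in known_hosts is carried over unchanged and is the security-relevant gap in this path: the warning printed here is the only signal the user gets before ssh continues.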
@@ -0,0 +1,10 @@
+[[meta title="Monkeysphere 0.24 accepted in Debian testing"]]
+
+[Monkeysphere 0.24 is now available in the Debian testing distribution
+("squeeze")](http://packages.debian.org/testing/monkeysphere).
+Monkeysphere 0.24 is our strongest release yet. If you are running
+Debian testing, installing the monkeysphere is now very easy:
+
+ aptitude install monkeysphere
+
+See the [[download]] page for more information. |