diff options
-rw-r--r-- | debian/changelog | 4 | ||||
-rw-r--r-- | man/man1/monkeysphere-ssh-proxycommand.1 | 30 | ||||
-rw-r--r-- | man/man1/monkeysphere.1 | 21 | ||||
-rw-r--r-- | man/man8/monkeysphere-server.8 | 11 | ||||
-rw-r--r-- | src/common | 50 | ||||
-rwxr-xr-x | src/monkeysphere | 24 | ||||
-rwxr-xr-x | src/monkeysphere-server | 59 |
7 files changed, 28 insertions, 171 deletions
diff --git a/debian/changelog b/debian/changelog index 9bfcc26..726f262 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,8 +7,10 @@ monkeysphere (0.2-1) UNRELEASED; urgency=low * Add AUTHORIZED_USER_IDS config variable for server, which defaults to %h/.config/monkeysphere/authorized_user_ids, instead of /etc/monkeysphere/authorized_user_ids. + * Remove {update,remove}-userids functions, since we decided they + weren't useful enough to be worth maintaining. - -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Thu, 19 Jun 2008 15:22:05 -0400 + -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Thu, 19 Jun 2008 16:56:32 -0400 monkeysphere (0.1-1) experimental; urgency=low diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 index 5fabb91..c4196f2 100644 --- a/man/man1/monkeysphere-ssh-proxycommand.1 +++ b/man/man1/monkeysphere-ssh-proxycommand.1 @@ -18,17 +18,29 @@ or by adding the following line to your ~/.ssh/config script: .B ProxyCommand monkeysphere-ssh-proxycommand %h %p -The script is very simple, and can easily be incorporated into other -ProxyCommand scripts. It first tests to see if the host is in the -known_hosts file. If it's not, the CHECK_KEYSERVER variable is set to -true and "update-known_hosts" is run for the host to check for a host -key for that host. If the host is found in the known_hosts file, -CHECK_KEYSERVER is set to false and "update-known_hosts" is run to -update from the local keychain. +The script can easily be incorporated into other ProxyCommand scripts +by calling it with the "--no-connect" option, ie: -Run the following command for more info: +.B monkeysphere-ssh-proxycommand --no-connect "$HOST" "$PORT" -.B less $(which monkeysphere-ssh-proxycommand) +This will run everything but will not exec netcat to make the tcp +connection to the host. + +.SH KEYSERVER CHECKING + +The proxy command has a fairly nuanced policy for when keyservers are +queried when processing host. If the host userID is not found in +either the user's keyring or in the known_hosts file, then the +keyserver is queried for the host userID. If the host userID is found +in the user's keyring, then the keyserver is not checked. This is +because... If the host userID is not found in the user's keyring, but +the host is listed in the known_hosts file, then defered check is +scheduled. + +.SH ENVIRONMENT VARIABLES + +.TP +KEYSERVER The keyserver to query. .SH AUTHOR diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index f36d69e..30e35bb 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -33,20 +33,6 @@ is done. If no hosts are specified, all hosts listed in the known_hosts file will be processed. `k' may be used in place of `update-known_hosts'. .TP -.B update-userids [USERID]... -Add/update a user ID to the authorized_user_ids file. The user IDs -specified should be exact matches to OpenPGP user IDs. For each -specified user ID, gpg will be queried for a key associated with that -user ID, querying a keyserver if specified. If a key is found, the -user ID will be added to the user's authorized_user_ids file (if it -wasn't already present). `u' may be used in place of -`update-userids'. -.TP -.B remove-userids [USERID]... -Remove a user ID from the authorized_user_ids file. The user IDs -specified should be exact matches to OpenPGP user IDs. `r' may be -used in place of `remove-userids'. -.TP .B update-authorized_keys Update the monkeysphere authorized_keys file. For each user ID in the user's authorized_user_ids file, gpg will be queried for keys @@ -78,9 +64,7 @@ specification for the host, ie. "ssh://host.full.domain". GPG keys are considered acceptable if the following criteria are met: .TP .B capability -For host keys, the key must have both the "authentication" ("a") and -"encrypt" ("e") capability flags. For user keys, the key must have -the "authentication" ("a") capability flag. +The key must have the "authentication" ("a") usage flag set. .TP .B validity The key must be "fully" valid, and must not be expired or revoked. @@ -97,9 +81,6 @@ System-wide monkeysphere config file. ~/.config/monkeysphere/authorized_user_ids OpenPGP user IDs associated with keys that will be checked for addition to the authorized_keys file. -.TP -~/.config/monkeysphere/authorized_keys -Monkeysphere generated authorized_keys file. .SH AUTHOR diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 28149fb..3073adc 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -23,7 +23,8 @@ be used for authentication of ssh connections. .TP .B update-users [USER]... Update the admin-controlled authorized_keys files for user. For each -user specified, update the user's authorized_keys file in +user specified, user ID's listed in the user's authorized_user_ids +file are processed, and the user's authorized_keys file in /var/cache/monkeysphere/authorized_keys/USER. See `man monkeysphere' for more info. If the USER_CONTROLLED_AUTHORIZED_KEYS variable is set, then a user-controlled authorized_keys file (usually @@ -46,14 +47,6 @@ of `publish-key'. Mark key specified with key IDs with full owner trust. `t' may be used in place of `trust-keys'. .TP -.B update-user-userids USER USERID... -Add/update a user ID to the authorized_user_ids file for USER. `u' may -be used in place of `update-user-userids'. -.TP -.B remove-user-userids USER USERID... -Remove a user ID from the authorized_user_ids file for USER. `r' may -be used in place of `remove-user-userids'. -.TP .B help Output a brief usage summary. `h' or `?' may be used in place of `help'. @@ -369,56 +369,6 @@ process_user_id() { done } -# update the cache for userid, and prompt to add file to -# authorized_user_ids file if the userid is found in gpg -# and not already in file. -update_userid() { - local userID - - userID="$1" - authorizedUserIDs="$2" - - log "processing userid: '$userID'" - - # process the user ID to pull it from keyserver - process_user_id "$userID" | grep -q "^0 " - - # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then - read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} - if [ ${OK/y/Y} = 'Y' ] ; then - # add if specified - log -n " adding user ID to authorized_user_ids file... " - echo "$userID" >> "$authorizedUserIDs" - loge "done." - else - # else do nothing - log " authorized_user_ids file untouched." - fi - fi -} - -# remove a userid from the authorized_user_ids file -remove_userid() { - local userID - - userID="$1" - authorizedUserIDs="$2" - - log "processing userid: '$userID'" - - # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then - log " user ID not currently authorized." - return 1 - fi - - # remove user ID from file - log -n " removing user ID '$userID'... " - remove_line "$authorizedUserIDs" "^${userID}$" - loge "done." -} - # process a host in known_host file process_host_known_hosts() { local host diff --git a/src/monkeysphere b/src/monkeysphere index a9c9d58..a433701 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -35,8 +35,6 @@ MonkeySphere client tool. subcommands: update-known_hosts (k) [HOST]... update known_hosts file - update-userids (u) [USERID]... add/update user IDs - remove-userids (r) [USERID]... remove user IDs update-authorized_keys (a) update authorized_keys file gen-subkey (g) KEYID generate an 'a' capable subkey help (h,?) this help @@ -159,28 +157,6 @@ case $COMMAND in fi ;; - 'update-userids'|'update-userid'|'u') - if [ -z "$1" ] ; then - failure "you must specify at least one userid." - fi - for userID ; do - update_userid "$userID" "$AUTHORIZED_USER_IDS" - done - log "Run the following to update your monkeysphere authorized_keys file:" - log "$PGRM update-authorized_keys" - ;; - - 'remove-userids'|'remove-userid'|'r') - if [ -z "$1" ] ; then - failure "you must specify at least one userid." - fi - for userID ; do - remove_userid "$userID" "$AUTHORIZED_USER_IDS" - done - log "Run the following to update your monkeysphere authorized_keys file:" - log "$PGRM update-authorized_keys" - ;; - 'update-authorized_keys'|'update-authorized-keys'|'a') MODE='authorized_keys' diff --git a/src/monkeysphere-server b/src/monkeysphere-server index bfd5db8..154c146 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -31,14 +31,11 @@ usage: $PGRM <subcommand> [args] MonkeySphere server admin tool. subcommands: + update-users (s) [USER]... update users authorized_keys files gen-key (g) [HOSTNAME] generate gpg key for the server show-fingerprint (f) show server's host key fingerprint publish-key (p) publish server key to keyserver trust-keys (t) KEYID... mark keyids as trusted - - update-users (s) [USER]... update users authorized_keys files - update-user-userids (u) USER UID... add/update user IDs for a user - remove-user-userids (r) USER UID... remove user IDs for a user help (h,?) this help EOF @@ -231,60 +228,6 @@ case $COMMAND in done ;; - 'update-user-userids'|'update-user-userid'|'u') - uname="$1" - shift - if [ -z "$uname" ] ; then - failure "You must specify user." - fi - if [ -z "$1" ] ; then - failure "You must specify at least one user ID." - fi - - # set authorized_user_ids variable, - # translate ssh-style path variables - authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") - - # make sure user's authorized_user_ids file exists - touch "$authorizedUserIDs" - - # process the user IDs - for userID ; do - update_userid "$userID" "$authorizedUserIDs" - done - - log "Run the following to update user's authorized_keys file:" - log "$PGRM update-users $uname" - ;; - - 'remove-user-userids'|'remove-user-userid'|'r') - uname="$1" - shift - if [ -z "$uname" ] ; then - failure "You must specify user." - fi - if [ -z "$1" ] ; then - failure "You must specify at least one user ID." - fi - - # set authorized_user_ids variable, - # translate ssh-style path variables - authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") - - # make sure user's authorized_user_ids file exists - if [ ! -f "$authorizedUserIDs" ] ; then - failure "authorized_user_ids file '$authorizedUserIDs' does not exist." - fi - - # process the user IDs - for userID ; do - remove_userid "$userID" "$authorizedUserIDs" - done - - log "Run the following to update user's authorized_keys file:" - log "$PGRM update-users $uname" - ;; - 'help'|'h'|'?') usage ;; |