monkeysphere - Unnamed repository; edit this file 'description' to name the repository.

summary refs log tree commit diff

path: root/debian/copyright

diff options

Diffstat (limited to 'debian/copyright')

0 files changed, 0 insertions, 0 deletions

ssh-keygen -l -f "$sshKeyGPGFile" | \

awk '{ print $2 }')

rm -f "$sshKeyGPGFile"

# get the sigs for the matching key

gpgSigOut=$(gpg_user --check-sigs \

--list-options show-uid-validity \

"$keyid")

echo | log info

# output the sigs, but only those on the user ID

# we are looking for

echo "$gpgSigOut" | awk '

{

if (match($0,"^pub")) { print; }

if (match($0,"^uid")) { ok=0; }

if (match($0,"^uid.*'$userID'$")) { ok=1; print; }

if (ok) { if (match($0,"^sig")) { print; } }

}

# output ssh fingerprint

cat <<EOF

RSA key fingerprint is ${sshFingerprint}.

EOF

# output the other user IDs for reference

otherUids=$(echo "$gpgSigOut" | grep "^uid" | grep -v "$userID")

if [ "$otherUids" ] ; then

log info <<EOF

Other user IDs on this key:

EOF

echo "$otherUids" | log info

}

# "marginal case" ouput in the case that there is not a full

# validation path to the host

output_no_valid_key() {

local userID

local sshKeyOffered

local gpgOut

local type

local validity

local keyid

local uidfpr

local usage

local sshKeyGPG

local tmpkey

local returnCode=0

userID="ssh://${HOSTP}"

LOG_PREFIX=

# retrieve the ssh key being offered by the host

sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null \

| awk '{ print $2, $3 }')

# get the gpg info for userid

gpgOut=$(gpg_user --list-key --fixed-list-mode --with-colon \

--with-fingerprint --with-fingerprint \

="$userID" 2>/dev/null)

# output header

log info <<EOF

-------------------- Monkeysphere warning -------------------

Monkeysphere found OpenPGP keys for this hostname, but none had full validity.

EOF

# output message if host key could not be retrieved from the host

if [ -z "$sshKeyOffered" ] ; then

log info <<EOF

Could not retrieve RSA host key from $HOST.

EOF

# check that there are any marginally valid keys

if echo "$gpgOut" | egrep -q '^(pub|sub):(m|f|u):' ; then

log info <<EOF

The following keys were found with marginal validity:

EOF

# find all 'pub' and 'sub' lines in the gpg output, which each

# represent a retrieved key for the user ID

echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \

while IFS=: read -r type validity keyid uidfpr usage ; do

case $type in

'pub'|'sub')

# get the ssh key of the gpg key

sshKeyGPG=$(gpg2ssh "$keyid")

# if a key was retrieved from the host...

if [ "$sshKeyOffered" ] ; then

# if one of keys found matches the one offered by the

# host, then output info

if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then

log info <<EOF

An OpenPGP key matching the ssh key offered by the host was found:

EOF

show_key_info "$keyid" | log info

# this whole process is in a "while read"

# subshell. the only way to get information

# out of the subshell is to change the return

# code. therefore we return 1 here to

# indicate that a matching gpg key was found

# for the ssh key offered by the host

return 1

# else if a key was not retrieved from the host

else

# if the current key is marginal, show info

if [ "$validity" = 'm' ] ; then

show_key_info "$keyid" | log info

;;

esac

done || returnCode="$?"

# if no key match was made (and the "while read" subshell

# returned 1) output how many keys were found

if (( returnCode != 1 )) ; then

echo | log info

# output different footer messages depending on if a key had

# been retrieved from the host

if [ "$sshKeyOffered" ] ; then

log info <<EOF

None of the found keys matched the key offered by the host.

EOF

else

log info <<EOF

There may be keys for this hostname with less than marginal validity.

EOF

log info <<EOF

Run the following command for more info about the found keys:

gpg --check-sigs --list-options show-uid-validity =${userID}

EOF

# FIXME: should we do anything extra here if the retrieved

# host key is actually in the known_hosts file and the ssh

# connection will succeed? Should the user be warned?

# prompted?

# output footer

log info <<EOF

-------------------- ssh continues below --------------------

EOF

}

# the ssh proxycommand function itself

ssh_proxycommand() {

if [ "$1" = '--no-connect' ] ; then

NO_CONNECT='true'

shift 1

HOST="$1"

PORT="$2"

if [ -z "$HOST" ] ; then

log error "Host not specified."

usage

exit 255

if [ -z "$PORT" ] ; then

PORT=22

# set the host URI

if [ "$PORT" != '22' ] ; then

HOSTP="${HOST}:${PORT}"

else

HOSTP="${HOST}"

URI="ssh://${HOSTP}"

# specify keyserver checking. the behavior of this proxy command is

# intentionally different than that of running monkeyesphere normally,

# and keyserver checking is intentionally done under certain

# circumstances. This can be overridden by setting the

# MONKEYSPHERE_CHECK_KEYSERVER environment variable, or by setting the

# CHECK_KEYSERVER variable in the monkeysphere.conf file.

# if the host is in the gpg keyring...

if gpg_user --list-key ="${URI}" &>/dev/null ; then

# do not check the keyserver

CHECK_KEYSERVER=${CHECK_KEYSERVER:="false"}

# if the host is NOT in the keyring...

else

# if the host key is found in the known_hosts file...

# FIXME: this only works for default known_hosts location

hostKey=$(ssh-keygen -F "$HOST" 2>/dev/null)

if [ "$hostKey" ] ; then

# do not check the keyserver

# FIXME: more nuanced checking should be done here to properly


context:
space:
mode: