diff options
Diffstat (limited to 'src/common')
| -rw-r--r-- | src/common | 185 |
1 files changed, 89 insertions, 96 deletions
@@ -18,10 +18,17 @@ ETC="/etc/monkeysphere" export ETC CACHE="/var/cache/monkeysphere" export CACHE +ERR=0 +export ERR ######################################################################## ### UTILITY FUNCTIONS +error() { + log "$1" + ERR=${2:-'1'} +} + failure() { echo "$1" >&2 exit ${2:-'1'} @@ -29,12 +36,12 @@ failure() { # write output to stderr log() { - echo -n "ms: " 1>&2 - echo "$@" 1>&2 + echo -n "ms: " >&2 + echo "$@" >&2 } loge() { - echo "$@" 1>&2 + echo "$@" >&2 } # cut out all comments(#) and blank lines from standard input @@ -85,6 +92,24 @@ remove_line() { fi } +# translate ssh-style path variables %h and %u +translate_ssh_variables() { + local uname + local home + + uname="$1" + path="$2" + + # get the user's home directory + userHome=$(getent passwd "$uname" | cut -d: -f6) + + # translate ssh-style path variables + path=${path/\%u/"$uname"} + path=${path/\%h/"$userHome"} + + echo "$path" +} + ### CONVERTION UTILITIES # output the ssh key for a given key ID @@ -351,110 +376,79 @@ process_user_id() { done } -# update the cache for userid, and prompt to add file to -# authorized_user_ids file if the userid is found in gpg -# and not already in file. -update_userid() { - local userID - - userID="$1" - - log "processing userid: '$userID'" - - # process the user ID to pull it from keyserver - process_user_id "$userID" | grep -q "^0 " - - # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} - if [ ${OK/y/Y} = 'Y' ] ; then - # add if specified - log -n " adding user ID to authorized_user_ids file... " - echo "$userID" >> "$AUTHORIZED_USER_IDS" - loge "done." - else - # else do nothing - log " authorized_user_ids file untouched." - fi - fi -} - -# remove a userid from the authorized_user_ids file -remove_userid() { - local userID - - userID="$1" - - log "processing userid: '$userID'" - - # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - log " user ID not currently authorized." - return 1 - fi - - # remove user ID from file - log -n " removing user ID '$userID'... " - remove_line "$AUTHORIZED_USER_IDS" "^${userID}$" - loge "done." -} - -# process a host in known_host file -process_host_known_hosts() { +# process hosts in the known_host file +process_hosts_known_hosts() { local host local userID local ok local keyid local tmpfile - host="$1" - userID="ssh://${host}" - - log "processing host: $host" - - process_user_id "ssh://${host}" | \ - while read -r ok keyid ; do - sshKey=$(gpg2ssh "$keyid") - # remove the old host key line - remove_line "$KNOWN_HOSTS" "$sshKey" - # if key OK, add new host line - if [ "$ok" -eq '0' ] ; then - # hash if specified - if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then - # FIXME: this is really hackish cause ssh-keygen won't - # hash from stdin to stdout - tmpfile=$(mktemp) - ssh2known_hosts "$host" "$sshKey" > "$tmpfile" - ssh-keygen -H -f "$tmpfile" 2> /dev/null - cat "$tmpfile" >> "$KNOWN_HOSTS" - rm -f "$tmpfile" "${tmpfile}.old" - else - ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS" + # create a lockfile on known_hosts + lockfile-create "$KNOWN_HOSTS" + + for host ; do + log "processing host: $host" + + userID="ssh://${host}" + + process_user_id "ssh://${host}" | \ + while read -r ok keyid ; do + sshKey=$(gpg2ssh "$keyid") + # remove the old host key line + remove_line "$KNOWN_HOSTS" "$sshKey" + # if key OK, add new host line + if [ "$ok" -eq '0' ] ; then + # hash if specified + if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then + # FIXME: this is really hackish cause ssh-keygen won't + # hash from stdin to stdout + tmpfile=$(mktemp) + ssh2known_hosts "$host" "$sshKey" > "$tmpfile" + ssh-keygen -H -f "$tmpfile" 2> /dev/null + cat "$tmpfile" >> "$KNOWN_HOSTS" + rm -f "$tmpfile" "${tmpfile}.old" + else + ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS" + fi fi - fi + done + # touch the lockfile, for good measure. + lockfile-touch --oneshot "$KNOWN_HOSTS" done + + # remove the lockfile + lockfile-remove "$KNOWN_HOSTS" } -# process a uid in an authorized_keys file -process_uid_authorized_keys() { +# process uids for the authorized_keys file +process_uids_authorized_keys() { local userID local ok local keyid - userID="$1" + # create a lockfile on authorized_keys + lockfile-create "$AUTHORIZED_KEYS" - log "processing user ID: $userID" + for userID ; do + log "processing user ID: $userID" - process_user_id "$userID" | \ - while read -r ok keyid ; do - sshKey=$(gpg2ssh "$keyid") - # remove the old host key line - remove_line "$AUTHORIZED_KEYS" "$sshKey" - # if key OK, add new host line - if [ "$ok" -eq '0' ] ; then - ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS" - fi + process_user_id "$userID" | \ + while read -r ok keyid ; do + sshKey=$(gpg2ssh "$keyid") + # remove the old host key line + remove_line "$AUTHORIZED_KEYS" "$sshKey" + # if key OK, add new host line + if [ "$ok" -eq '0' ] ; then + ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS" + fi + done + # touch the lockfile, for good measure. + lockfile-touch --oneshot "$AUTHORIZED_KEYS" done + + # remove the lockfile + lockfile-remove "$AUTHORIZED_KEYS" } # process known_hosts file @@ -469,10 +463,7 @@ process_known_hosts() { cat "$KNOWN_HOSTS" | meat | \ cut -d ' ' -f 1 | grep -v '^|.*$' | \ while IFS=, read -r -a hosts ; do - # and process each host - for host in ${hosts[*]} ; do - process_host_known_hosts "$host" - done + process_hosts_known_hosts ${hosts[@]} done } @@ -480,9 +471,11 @@ process_known_hosts() { process_authorized_user_ids() { local userid - cat "$AUTHORIZED_USER_IDS" | meat | \ + authorizedUserIDs="$1" + + cat "$authorizedUserIDs" | meat | \ while read -r userid ; do - process_uid_authorized_keys "$userid" + process_uids_authorized_keys "$userid" done } |