Diffstat (limited to 'src/share/mh')
-rw-r--r--src/share/mh/add_hostname2
-rw-r--r--src/share/mh/diagnostics35
-rw-r--r--src/share/mh/extend_key2
-rw-r--r--src/share/mh/gen_key16
-rw-r--r--src/share/mh/import_key8
-rw-r--r--src/share/mh/publish_key2
-rw-r--r--src/share/mh/revoke_hostname2
7 files changed, 21 insertions, 46 deletions
diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname
index 10d5f58..267f109 100644
--- a/src/share/mh/add_hostname
+++ b/src/share/mh/add_hostname
@@ -27,7 +27,7 @@ fi
userID="ssh://${1}"
-fingerprint=$(fingerprint_server_key)
+fingerprint=$(fingerprint_host_key)
# match to only ultimately trusted user IDs
tmpuidMatch="u:$(echo $userID | gpg_escape)"
diff --git a/src/share/mh/diagnostics b/src/share/mh/diagnostics
index 7e76da6..96065e6 100644
--- a/src/share/mh/diagnostics
+++ b/src/share/mh/diagnostics
@@ -50,7 +50,7 @@ fi
echo "Checking host GPG key..."
if (( "$keysfound" < 1 )); then
echo "! No host key found."
- echo " - Recommendation: run 'monkeysphere-server gen-key'"
+ echo " - Recommendation: run 'monkeysphere-host gen-key' or 'monkeysphere-host import-key'"
problemsfound=$(($problemsfound+1))
elif (( "$keysfound" > 1 )); then
echo "! More than one host key found?"
@@ -64,11 +64,11 @@ else
if [ "$expire" ]; then
if (( "$expire" < "$curdate" )); then
echo "! Host key is expired."
- echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+ echo " - Recommendation: extend lifetime of key with 'monkeysphere-host extend-key'"
problemsfound=$(($problemsfound+1))
elif (( "$expire" < "$warndate" )); then
echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
- echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+ echo " - Recommendation: extend lifetime of key with 'monkeysphere-host extend-key'"
problemsfound=$(($problemsfound+1))
fi
fi
@@ -97,7 +97,7 @@ else
# FIXME: recommend a way to resolve this
problemsfound=$(($problemsfound+1))
elif (( "$expire" < "$warndate" )); then
- echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
+ echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
# FIXME: recommend a way to resolve this
problemsfound=$(($problemsfound+1))
fi
@@ -149,35 +149,10 @@ fi
# directories housing them, etc (what should those values be? can
# we make them as minimal as possible?)
-# FIXME: look to see that the ownertrust rules are set properly on the
-# authentication keyring
-
-# FIXME: make sure that at least one identity certifier exists
-
-# FIXME: look at the timestamps on the monkeysphere-generated
-# authorized_keys files -- warn if they seem out-of-date.
-
-# FIXME: check for a cronjob that updates monkeysphere-generated
-# authorized_keys?
-
-echo
-echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
-# Ensure that User ID authentication is enabled:
-if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then
- echo "! $sshd_config does not point to monkeysphere authorized keys."
- echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'"
- problemsfound=$(($problemsfound+1))
-fi
-if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then
- echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
- echo "$badauthorizedkeys"
- echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
- problemsfound=$(($problemsfound+1))
-fi
if [ "$problemsfound" -gt 0 ]; then
echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
- echo " monkeysphere-server diagnostics"
+ echo " monkeysphere-host expert diagnostics"
else
echo "Everything seems to be in order!"
fi
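Review bot: With the two AuthorizedKeysFile checks deleted, this diagnostics run no longer reports an sshd_config that points at authorized_keys files other than `${SYSDATADIR}/authorized_keys/%u`, or that does not reference the monkeysphere path at all, and nothing in this hunk replaces them. If the intent is that these checks move to an authentication-side diagnostics command (the recommendation text now names `monkeysphere-host`, which suggests a host/authentication split), a comment at the deletion point would stop the next reader from treating this as a lost check, e.g. `# sshd AuthorizedKeysFile checks are not a host-key concern; see the authentication diagnostics`. Otherwise the warning about extra AuthorizedKeysFile entries should be kept, since those files sit outside the trust path this tool manages and the tool would now stay silent about them. The script's top and the variables it reads (`sshd_config`, `problemsfound`) are outside this hunk.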
diff --git a/src/share/mh/extend_key b/src/share/mh/extend_key
index ccbaf0e..d03b89a 100644
--- a/src/share/mh/extend_key
+++ b/src/share/mh/extend_key
@@ -15,7 +15,7 @@
extend_key() {
-local fpr=$(fingerprint_server_key)
+local fpr=$(fingerprint_host_key)
local extendTo="$1"
# get the new expiration date
diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key
index 162a64e..a73d85e 100644
--- a/src/share/mh/gen_key
+++ b/src/share/mh/gen_key
@@ -24,7 +24,7 @@ local fingerprint
# check for presense of secret key
# FIXME: is this the proper test to be doing here?
-fingerprint_server_key >/dev/null \
+fingerprint_host_key >/dev/null \
&& failure "An OpenPGP host key already exists."
# get options
@@ -83,19 +83,19 @@ log verbose "generating host key..."
echo "$keyParameters" | gpg_host --batch --gen-key
# find the key fingerprint of the newly generated key
-fingerprint=$(fingerprint_server_key)
+fingerprint=$(fingerprint_host_key)
# translate the private key to ssh format, and export to a file
# for sshs usage.
# NOTE: assumes that the primary key is the proper key to use
(umask 077 && \
gpg_host --export-secret-key "$fingerprint" | \
- openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
-log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
-ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub"
-log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub"
-gpg_host "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
-log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+ openpgp2ssh "$fingerprint" > "${MHDATADIR}/ssh_host_rsa_key")
+log info "SSH host private key output to file: ${MHDATADIR}/ssh_host_rsa_key"
+ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "${MHDATADIR}/ssh_host_rsa_key.pub"
+log info "SSH host public key output to file: ${MHDATADIR}/ssh_host_rsa_key.pub"
+gpg_host "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
+log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
# show info about new key
show_key
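Review bot: The export of the SSH host private key inside the `umask 077` subshell has no status check, so if `gpg_host --export-secret-key` or `openpgp2ssh` fails a truncated or empty `${MHDATADIR}/ssh_host_rsa_key` is left in place and the following `ssh-keygen -y` and `log info` lines proceed as if it had succeeded; unless `pipefail` is set somewhere outside this view, a failing gpg export is not even visible in the pipeline's status. The same applies to the `.pub` and `.pub.gpg` redirections. The function already uses `failure` for fatal conditions, so the minimal fix is `openpgp2ssh "$fingerprint" > "${MHDATADIR}/ssh_host_rsa_key") || failure "failed to export SSH host private key"` and `ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "${MHDATADIR}/ssh_host_rsa_key.pub" || failure "failed to derive SSH host public key"`. `umask 077` protects the new file's mode, but nothing here checks the mode of `MHDATADIR` itself — presumably the caller guarantees that; worth confirming. gen_key starts before this hunk and continues past it.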
diff --git a/src/share/mh/import_key b/src/share/mh/import_key
index c0d5956..e7b713f 100644
--- a/src/share/mh/import_key
+++ b/src/share/mh/import_key
@@ -20,7 +20,7 @@ local userID
# check for presense of secret key
# FIXME: is this the proper test to be doing here?
-fingerprint_server_key >/dev/null \
+fingerprint_host_key >/dev/null \
&& failure "An OpenPGP host key already exists."
# get options
@@ -72,15 +72,15 @@ log verbose "importing ssh key..."
pem2openpgp "$userID" "$keyExpire" < "$sshKey" | gpg_host --import)
# find the key fingerprint of the newly converted key
-fingerprint=$(fingerprint_server_key)
+fingerprint=$(fingerprint_host_key)
# export host ownertrust to authentication keyring
log verbose "setting ultimate owner trust for host key..."
echo "${fingerprint}:6:" | gpg_host "--import-ownertrust"
# export public key to file
-gpg_host "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
-log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+gpg_host "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
+log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
# show info about new key
show_key
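Review bot: `fingerprint=$(fingerprint_host_key)` is used without checking that it produced anything: the `pem2openpgp | gpg_host --import` pipeline's status is not examined, and if the import failed `fingerprint` is empty, so the next line feeds `:6:` into `gpg_host --import-ownertrust` and the export runs with an empty key specifier — ultimate ownertrust is being assigned on the strength of an import that was never verified. A guard right after the assignment, `[ -n "$fingerprint" ] || failure "host key import failed: no host key fingerprint found"`, keeps the ownertrust step from running on an empty or unexpected value. The `.pub.gpg` redirection has the same unchecked-status issue as the export in gen_key. import_key starts before this hunk (the subshell containing the import opens above it) and continues past it.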
diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key
index b7ab01d..988b450 100644
--- a/src/share/mh/publish_key
+++ b/src/share/mh/publish_key
@@ -21,7 +21,7 @@ if [ ${OK/y/Y} != 'Y' ] ; then
fi
# find the key fingerprint
-fingerprint=$(fingerprint_server_key)
+fingerprint=$(fingerprint_host_key)
# publish host key
# FIXME: need to define how to do this
diff --git a/src/share/mh/revoke_hostname b/src/share/mh/revoke_hostname
index b519cf6..06b5810 100644
--- a/src/share/mh/revoke_hostname
+++ b/src/share/mh/revoke_hostname
@@ -38,7 +38,7 @@ fi
userID="ssh://${1}"
-fingerprint=$(fingerprint_server_key)
+fingerprint=$(fingerprint_host_key)
# match to only ultimately trusted user IDs
tmpuidMatch="u:$(echo $userID | gpg_escape)"