3 files changed, 176 insertions, 12 deletions

diff --git a/src/common b/src/common
index 297e7f3..51b0470 100644
--- a/src/common
+++ b/src/common
@@ -639,7 +639,7 @@ process_user_id() {
 		;;
 	    'uid') # user ids
 		if [ "$lastKey" != pub ] ; then
-		    log verbose " - got a user ID after a sub key?!  user IDs should only follow primary keys!"
+		    log verbose " ! got a user ID after a sub key?!  user IDs should only follow primary keys!"
 		    continue
 		fi
 		# if an acceptable user ID was already found, skip
@@ -652,6 +652,8 @@ process_user_id() {
 		    if [ "$validity" = 'u' -o "$validity" = 'f' ] ; then
 			# mark user ID acceptable
 			uidOK=true
+		    else
+			log debug "  - unacceptable user ID validity ($validity)."
 		    fi
 		else
 		    continue
@@ -693,10 +695,12 @@ process_user_id() {
 		
 		# if sub key validity is not ok, skip
 		if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
+		    log debug "  - unacceptable sub key validity ($validity)."
 		    continue
 		fi
 		# if sub key capability is not ok, skip
 		if ! check_capability "$usage" $requiredCapability ; then
+		    log debug "  - unacceptable sub key capability ($usage)."
 		    continue
 		fi
 
@@ -742,6 +746,7 @@ process_user_id() {
 process_host_known_hosts() {
     local host
     local userID
+    local noKey=
     local nKeys
     local nKeysOK
     local ok
@@ -768,8 +773,9 @@ process_host_known_hosts() {
             continue
         fi
 
-	# remove the old host key line, and note if removed
-	remove_line "$KNOWN_HOSTS" "$sshKey"
+	# remove any old host key line, and note if removed nothing is
+	# removed
+	remove_line "$KNOWN_HOSTS" "$sshKey" || noKey=true
 
 	# if key OK, add new host line
 	if [ "$ok" -eq '0' ] ; then
@@ -788,6 +794,11 @@ process_host_known_hosts() {
 	    else
 		ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS"
 	    fi
+
+	    # log if this is a new key to the known_hosts file
+	    if [ "$noKey" ] ; then
+		log info "* new key for $host added to known_hosts file."
+	    fi
 	fi
     done
 
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index e78903b..a1844ee 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -132,13 +132,13 @@ show_server_key() {
     fingerprint=$(fingerprint_server_key)
     gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprint"
 
-    # dumping to a file named ' ' so that the ssh-keygen output
-    # doesn't claim any potentially bogus hostname(s):
-    tmpkey=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
-    gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ "
+    # do some crazy "Here Strings" redirection to get the key to
+    # ssh-keygen, since it doesn't read from stdin cleanly
     echo -n "ssh fingerprint: "
-    (cd "$tmpkey" && ssh-keygen -l -f ' ' | awk '{ print $2 }')
-    rm -rf "$tmpkey"
+    ssh-keygen -l -f /dev/stdin \
+	<<<$(gpg_authentication "--export $fingerprint" | \
+	openpgp2ssh "$fingerprint" 2>/dev/null) | \
+	awk '{ print $1, $2, $4 }'
     echo -n "OpenPGP fingerprint: "
     echo "$fingerprint"
 }
@@ -399,7 +399,11 @@ EOF
     (umask 077 && \
 	gpg_host --export-secret-key "$fingerprint" | \
 	openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
-    log info "private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
+    log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
+    ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub"
+    log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub"
+    gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+    log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
 }
 
 # extend the lifetime of a host key:
diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand
index 6276092..a609199 100755
--- a/src/monkeysphere-ssh-proxycommand
+++ b/src/monkeysphere-ssh-proxycommand
@@ -14,13 +14,129 @@
 #  ProxyCommand monkeysphere-ssh-proxycommand %h %p
 
 ########################################################################
+PGRM=$(basename $0)
+
+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
+export SYSSHAREDIR
+. "${SYSSHAREDIR}/common" || exit 1
+
+########################################################################
+# FUNCTIONS
+########################################################################
 
 usage() {
-cat <<EOF >&2
+    cat <<EOF >&2
 usage: ssh -o ProxyCommand="$(basename $0) %h %p" ...
 EOF
 }
 
+log() {
+    echo "$@" >&2
+}
+
+output_no_valid_key() {
+    local sshKeyOffered
+    local userID
+    local type
+    local validity
+    local keyid
+    local uidfpr
+    local usage
+    local sshKeyGPG
+    local tmpkey
+    local sshFingerprint
+    local gpgSigOut
+
+    userID="ssh://${HOSTP}"
+
+    log "-------------------- Monkeysphere warning -------------------"
+    log "Monkeysphere found OpenPGP keys for this hostname, but none had full validity."
+
+    # retrieve the actual ssh key
+    sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
+    # FIXME: should we do any checks for failed keyscans, eg. host not
+    # found?
+
+    # get the gpg info for userid
+    gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
+	--with-fingerprint --with-fingerprint \
+	="$userID" 2>/dev/null)
+
+    # find all 'pub' and 'sub' lines in the gpg output, which each
+    # represent a retrieved key for the user ID
+    echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
+    while IFS=: read -r type validity keyid uidfpr usage ; do
+	case $type in
+	    'pub'|'sub')
+		# get the ssh key of the gpg key
+		sshKeyGPG=$(gpg2ssh "$keyid")
+
+		# if one of keys found matches the one offered by the
+		# host, then output info
+		if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
+		    log "An OpenPGP key matching the ssh key offered by the host was found:"
+		    log
+
+		    # do some crazy "Here Strings" redirection to get the key to
+		    # ssh-keygen, since it doesn't read from stdin cleanly
+		    sshFingerprint=$(ssh-keygen -l -f /dev/stdin \
+			<<<$(echo "$sshKeyGPG") | \
+			awk '{ print $2 }')
+
+		    # get the sigs for the matching key
+		    gpgSigOut=$(gpg --check-sigs \
+			--list-options show-uid-validity \
+			"$keyid")
+
+		    # output the sigs, but only those on the user ID
+		    # we are looking for
+		    echo "$gpgSigOut" | awk '
+{
+if (match($0,"^pub")) {	print; }
+if (match($0,"^uid")) { ok=0; }
+if (match($0,"^uid.*'$userID'$")) { ok=1; print; }
+if (ok) { if (match($0,"^sig")) { print; } }
+}
+' >&2
+		    log
+
+		    # output the other user IDs for reference
+		    if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
+			log "Other user IDs on this key:"
+			echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" >&2
+			log
+		    fi
+
+		    # output ssh fingerprint
+		    log "RSA key fingerprint is ${sshFingerprint}."
+
+		    # this whole process is in a "while read"
+		    # subshell.  the only way to get information out
+		    # of the subshell is to change the return code.
+		    # therefore we return 1 here to indicate that a
+		    # matching gpg key was found for the ssh key
+		    # offered by the host
+		    return 1
+		fi
+		;;
+	esac
+    done
+
+    # if no key match was made (and the "while read" subshell returned
+    # 1) output how many keys were found
+    if (($? != 1)) ; then
+	log "None of the found keys matched the key offered by the host."
+	log "Run the following command for more info about the found keys:"
+	log "gpg --check-sigs --list-options show-uid-validity =${userID}"
+	# FIXME: should we do anything extra here if the retrieved
+	# host key is actually in the known_hosts file and the ssh
+	# connection will succeed?  Should the user be warned?
+	# prompted?
+    fi
+
+    log "-------------------- ssh continues below --------------------"
+}
+
 ########################################################################
 
 # export the monkeysphere log level
@@ -35,7 +151,7 @@ HOST="$1"
 PORT="$2"
 
 if [ -z "$HOST" ] ; then
-    echo "Host not specified." >&2
+    log "Host not specified."
     usage
     exit 255
 fi
@@ -88,6 +204,39 @@ export MONKEYSPHERE_CHECK_KEYSERVER
 # update the known_hosts file for the host
 monkeysphere update-known_hosts "$HOSTP"
 
+# output on depending on the return of the update-known_hosts
+# subcommand, which is (ultimately) the return code of the
+# update_known_hosts function in common
+case $? in
+    0)
+	# acceptable host key found so continue to ssh
+	true
+	;;
+    1)
+	# no hosts at all found so also continue (drop through to
+	# regular ssh host verification)
+	true
+	;;
+    2)
+	# at least one *bad* host key (and no good host keys) was
+	# found, so output some usefull information
+	output_no_valid_key
+	;;
+    *)
+	# anything else drop through
+	true
+	;;
+esac
+
+# FIXME: what about the case where monkeysphere successfully finds a
+# valid key for the host and adds it to the known_hosts file, but a
+# different non-monkeysphere key for the host already exists in the
+# known_hosts, and it is this non-ms key that is offered by the host?
+# monkeysphere will succeed, and the ssh connection will succeed, and
+# the user will be left with the impression that they are dealing with
+# a OpenPGP/PKI host key when in fact they are not.  should we use
+# ssh-keyscan to compare the keys first?
+
 # exec a netcat passthrough to host for the ssh connection
 if [ -z "$NO_CONNECT" ] ; then
     if (which nc 2>/dev/null >/dev/null); then