Diffstat (limited to 'src')
-rwxr-xr-x | src/monkeysphere | 2 | ||||
-rw-r--r-- | src/share/common | 33 | ||||
-rw-r--r-- | src/share/m/gen_subkey | 7 | ||||
-rw-r--r-- | src/share/m/ssh_proxycommand | 139 | ||||
-rw-r--r-- | src/share/ma/add_certifier | 8 | ||||
-rw-r--r-- | src/share/mh/add_hostname | 8 | ||||
-rw-r--r-- | src/share/mh/add_revoker | 8 | ||||
-rw-r--r-- | src/share/mh/revoke_hostname | 8 | ||||
-rw-r--r-- | src/share/mh/set_expire | 2 |
9 files changed, 113 insertions, 102 deletions
diff --git a/src/monkeysphere b/src/monkeysphere index 2e3bc16..fbc05b4 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -47,7 +47,7 @@ subcommands: update-authorized_keys (a) update authorized_keys file gen-subkey (g) [KEYID] generate an authentication subkey --length (-l) BITS key length in bits (2048) - ssh-proxycommand monkeysphere ssh ProxyCommand + ssh-proxycommand HOST [PORT] monkeysphere ssh ProxyCommand subkey-to-ssh-agent (s) store authentication subkey in ssh-agent version (v) show version number help (h,?) this help diff --git a/src/share/common b/src/share/common index ea872ba..d6e4949 100644 --- a/src/share/common +++ b/src/share/common @@ -464,14 +464,23 @@ gpg2ssh() { # output known_hosts line from ssh key ssh2known_hosts() { local host + local port local key - host="$1" + # FIXME this does not properly deal with IPv6 hosts using the + # standard port (because it's unclear whether their final + # colon-delimited address section is a port number or an address + # string) + host=${1%:*} + port=${1##*:} key="$2" - echo -n "$host " - echo -n "$key" | tr -d '\n' - echo " MonkeySphere${DATE}" + # specify the host and port properly for new ssh known_hosts + # format + if [ "$port" != "$host" ] ; then + host="[${host}]:${port}" + fi + printf "%s %s MonkeySphere%s\n" "$host" "$key" "$DATE" } # output authorized_keys line from ssh key 
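Review bot: In ssh2known_hosts the new `if [ "$port" != "$host" ]` brackets the host whenever any `:PORT` suffix is present, including `:22`, and to my recollection OpenSSH records and looks up default-port hosts as a bare hostname, so a `[host]:22` line may never be matched; what the caller passes in is outside this hunk, so this needs confirming. The failure mode is silent: a known_hosts line that never matches leaves the host unpinned and ssh falls back to its ordinary unknown-host handling. Consider `if [ "$port" != "$host" ] && [ "$port" != 22 ] ; then`, and since an input like `host:` or a non-numeric suffix currently yields `[host]:` as well, a numeric check on `$port` (for example `case $port in ''|*[!0-9]*) ... ;; esac`) before bracketing would keep malformed entries out of the file. The IPv6 limitation is already acknowledged in the FIXME.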
@@ -482,41 +491,43 @@ ssh2authorized_keys() { userID="$1" key="$2" - echo -n "$key" | tr -d '\n' - echo " MonkeySphere${DATE} ${userID}" + printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID" } # convert key from gpg to ssh known_hosts format gpg2known_hosts() { local host local keyID + local key host="$1" keyID="$2" + key=$(gpg2ssh "$keyID") + # NOTE: it seems that ssh-keygen -R removes all comment fields from # all lines in the known_hosts file. why? # NOTE: just in case, the COMMENT can be matched with the # following regexp: # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' - echo -n "$host " - gpg2ssh "$keyID" | tr -d '\n' - echo " MonkeySphere${DATE}" + printf "%s %s MonkeySphere%s\n" "$host" "$key" "$DATE" } # convert key from gpg to ssh authorized_keys format gpg2authorized_keys() { local userID local keyID + local key userID="$1" keyID="$2" + key=$(gpg2ssh "$keyID") + # NOTE: just in case, the COMMENT can be matched with the # following regexp: # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' - gpg2ssh "$keyID" | tr -d '\n' - echo " MonkeySphere${DATE} ${userID}" + printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID" } ### GPG UTILITIES diff --git a/src/share/m/gen_subkey b/src/share/m/gen_subkey index dbd9dd6..a0fa3ce 100644 --- a/src/share/m/gen_subkey +++ b/src/share/m/gen_subkey @@ -44,8 +44,7 @@ Type '$PGRM help' for usage." check_gpg_authentication_subkey "$keyID" # generate the list of commands that will be passed to edit-key - editCommands=$(cat <<EOF -addkey + editCommands="addkey 7 S E @@ -53,9 +52,7 @@ A Q $keyLength 0 -save -EOF -) +save" # setup the temp fifo dir for retrieving the key password log debug "creating password fifo..." diff --git a/src/share/m/ssh_proxycommand b/src/share/m/ssh_proxycommand index 7ab4bec..77f9d24 100644 --- a/src/share/m/ssh_proxycommand +++ b/src/share/m/ssh_proxycommand 
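Review bot: `key=$(gpg2ssh "$keyID")` in gpg2known_hosts, and again in gpg2authorized_keys, is never checked, so a failing or unknown key ID leaves `$key` empty and the printf still emits a line of the form `host  MonkeySphere<DATE>` into known_hosts or authorized_keys. Adding `key=$(gpg2ssh "$keyID") || return 1` and `[ -n "$key" ] || return 1` after the assignment keeps malformed entries out of both files and lets the caller notice the failure. The rewrite also drops the former `tr -d '\n'`: `$(…)` strips only trailing newlines, so if gpg2ssh can emit a newline inside the key material (which the old pipe suggests was a concern) it would now land in the middle of the entry; worth confirming against gpg2ssh, which is outside this hunk.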
@@ -36,52 +36,55 @@ output_no_valid_key() { LOG_PREFIX= - cat <<EOF | log info --------------------- Monkeysphere warning ------------------- -Monkeysphere found OpenPGP keys for this hostname, but none had full validity. -EOF - - # retrieve the actual ssh key - sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }') - # FIXME: should we do any checks for failed keyscans, eg. host not - # found? + # retrieve the ssh key being offered by the host + sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null \ + | awk '{ print $2, $3 }') # get the gpg info for userid gpgOut=$(gpg_user --list-key --fixed-list-mode --with-colon \ --with-fingerprint --with-fingerprint \ ="$userID" 2>/dev/null) - # find all 'pub' and 'sub' lines in the gpg output, which each - # represent a retrieved key for the user ID - echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \ - while IFS=: read -r type validity keyid uidfpr usage ; do - case $type in - 'pub'|'sub') - # get the ssh key of the gpg key - sshKeyGPG=$(gpg2ssh "$keyid") - - # if one of keys found matches the one offered by the - # host, then output info - if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then - cat <<EOF | log info + # output header + log info <<EOF +-------------------- Monkeysphere warning ------------------- +Monkeysphere found OpenPGP keys for this hostname, but none had full validity. 
+EOF + + # if the host key is retrieved from the host, check against known + # OpenPGP keys + if [ "$sshKeyOffered" ] ; then + # find all 'pub' and 'sub' lines in the gpg output, which each + # represent a retrieved key for the user ID + echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \ + while IFS=: read -r type validity keyid uidfpr usage ; do + case $type in + 'pub'|'sub') + # get the ssh key of the gpg key + sshKeyGPG=$(gpg2ssh "$keyid") + + # if one of keys found matches the one offered by the + # host, then output info + if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then + log info <<EOF An OpenPGP key matching the ssh key offered by the host was found: EOF - sshKeyGPGFile=$(msmktempfile) - printf "%s" "$sshKeyGPG" >"$sshKeyGPGFile" - sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \ - awk '{ print $2 }') - rm -f "$sshKeyGPGFile" + sshKeyGPGFile=$(msmktempfile) + printf "%s" "$sshKeyGPG" >"$sshKeyGPGFile" + sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \ + awk '{ print $2 }') + rm -f "$sshKeyGPGFile" - # get the sigs for the matching key - gpgSigOut=$(gpg_user --check-sigs \ - --list-options show-uid-validity \ - "$keyid") + # get the sigs for the matching key + gpgSigOut=$(gpg_user --check-sigs \ + --list-options show-uid-validity \ + "$keyid") - # output the sigs, but only those on the user ID - # we are looking for - echo "$gpgSigOut" | awk ' + # output the sigs, but only those on the user ID + # we are looking for + echo "$gpgSigOut" | awk ' { if (match($0,"^pub")) { print; } if (match($0,"^uid")) { ok=0; } 
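Review bot: `returnCode` is read by `(( returnCode != 1 ))` but is only assigned on the `done || returnCode="$?"` failure path, so when the while loop exits 0 the test relies on an unset variable arithmetic-defaulting to 0; under `set -u` (whether the sourcing script enables it is not visible here) that would abort output_no_valid_key, and a stale value from an earlier call would be misread. Setting `returnCode=0` immediately before the `echo "$gpgOut" | cut …` pipeline makes the intent explicit. `sshKeyOffered`, `gpgOut` and `returnCode` are also not declared `local`, which matches the rest of the function and is a pre-existing style point rather than a regression. output_no_valid_key begins before this hunk.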
@@ -89,51 +92,59 @@ if (match($0,"^uid.*'$userID'$")) { ok=1; print; } if (ok) { if (match($0,"^sig")) { print; } } } ' | log info - echo | log info + echo | log info - # output the other user IDs for reference - if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then - cat <<EOF | log info + # output the other user IDs for reference + if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then + log info <<EOF Other user IDs on this key: EOF - echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" | log info - echo | log info - fi + echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" | log info + echo | log info + fi - # output ssh fingerprint - cat <<EOF | log info + # output ssh fingerprint + log info <<EOF RSA key fingerprint is ${sshFingerprint}. EOF - # this whole process is in a "while read" - # subshell. the only way to get information out - # of the subshell is to change the return code. - # therefore we return 1 here to indicate that a - # matching gpg key was found for the ssh key - # offered by the host - return 1 - fi - ;; - esac - done || returnCode="$?" - - # if no key match was made (and the "while read" subshell returned - # 1) output how many keys were found - if (( returnCode != 1 )) ; then - cat <<EOF | log info + # this whole process is in a "while read" + # subshell. the only way to get information + # out of the subshell is to change the return + # code. therefore we return 1 here to + # indicate that a matching gpg key was found + # for the ssh key offered by the host + return 1 + fi + ;; + esac + done || returnCode="$?" + + # if no key match was made (and the "while read" subshell + # returned 1) output how many keys were found + if (( returnCode != 1 )) ; then + log info <<EOF None of the found keys matched the key offered by the host. 
Run the following command for more info about the found keys: gpg --check-sigs --list-options show-uid-validity =${userID} EOF - # FIXME: should we do anything extra here if the retrieved - # host key is actually in the known_hosts file and the ssh - # connection will succeed? Should the user be warned? - # prompted? + # FIXME: should we do anything extra here if the retrieved + # host key is actually in the known_hosts file and the ssh + # connection will succeed? Should the user be warned? + # prompted? + fi + + # if host key could not be retrieved from the host, output message + else + log info <<EOF +Could not retrieve RSA host key from $HOST. +EOF fi - cat <<EOF | log info + # output footer + log info <<EOF -------------------- ssh continues below -------------------- EOF } diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index 544a3f0..402da08 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier @@ -153,16 +153,14 @@ gpg_sphere "--export 0x${fingerprint}!" | gpg_core --import # edit-key script to ltsign key # NOTE: *all* user IDs will be ltsigned -ltsignCommand=$(cat <<EOF -ltsign +ltsignCommand="ltsign y $trustval $depth $domain y -save -EOF - ) +save" +# end script # core ltsigns the newly imported certifier key log debug "executing core ltsign script..." diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname index b08d688..36f174d 100644 --- a/src/share/mh/add_hostname +++ b/src/share/mh/add_hostname @@ -43,14 +43,12 @@ else fi # edit-key script command to add user ID -adduidCommand=$(cat <<EOF -adduid +adduidCommand="adduid $userID -save -EOF -) +save" +# end script # execute edit-key script if echo "$adduidCommand" | gpg_host_edit ; then diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker index 03ae56f..077b0d0 100644 --- a/src/share/mh/add_revoker +++ b/src/share/mh/add_revoker 
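Review bot: The new else branch reports `Could not retrieve RSA host key from $HOST.` both for an unreachable host and for a reachable host that simply offers no RSA key, because the keyscan earlier in the function is restricted to `-t rsa`; wording such as `Could not retrieve an RSA host key from $HOST (only RSA host keys are checked).` would avoid a misleading diagnosis. Separately, `$userID` is spliced into the awk program text as `'$userID'` and used as the pattern in `grep -v -q "$userID"` and `grep -v "$userID"`, so it is interpreted as a regular expression (each `.` in a hostname is a wildcard) and a quote character would break the awk script; `grep -v -q -F -- "$userID"` for the grep calls, and passing the value via `awk -v uid="$userID"` and comparing with `index()` or string equality instead of interpolating it, would keep this a plain string match. These interpolations predate the commit but are re-indented here as new-side lines. output_no_valid_key starts before the previous hunk; its closing brace is in this one.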
@@ -106,14 +106,12 @@ of the host key? (Y/n) " OK; OK=${OK:-Y} fi # edit-key script to add revoker -addrevokerCommand=$(cat <<EOF -addrevoker +addrevokerCommand="addrevoker $fingerprint y save - -EOF - ) +" +# end script # core ltsigns the newly imported revoker key log debug "executing add revoker script..." diff --git a/src/share/mh/revoke_hostname b/src/share/mh/revoke_hostname index 2142af7..5dc327f 100644 --- a/src/share/mh/revoke_hostname +++ b/src/share/mh/revoke_hostname @@ -54,17 +54,15 @@ else fi # edit-key script command to revoke user ID -revuidCommand=$(cat <<EOF -$uidIndex +revuidCommand="$uidIndex revuid y 4 Hostname removed by monkeysphere-host: $DATE y -save -EOF - ) +save" +# end script # execute edit-key script if echo "$revuidCommand" | gpg_host_edit ; then diff --git a/src/share/mh/set_expire b/src/share/mh/set_expire index 63e5c55..a6bf1f1 100644 --- a/src/share/mh/set_expire +++ b/src/share/mh/set_expire @@ -40,7 +40,7 @@ EOF update_gpg_pub_file -cat <<EOF | log info +log info <<EOF NOTE: Host key expiration date adjusted, but not yet published. Run '$PGRM publish-key' to publish the new expiration date. EOF |
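Review bot: The add_revoker literal ends with `save` followed by a newline before the closing quote (`save` then `"` on its own line), unlike add_certifier, add_hostname and revoke_hostname in this commit, which end at `save"`. The old `$(cat <<EOF … EOF)` form stripped every trailing newline, so the value previously ended at `save`; with `echo "$addrevokerCommand"` the edit-key session now receives an extra empty line after `save`. It is probably harmless, but for consistency and to keep the piped script identical to before, end the literal at `save"` as the sibling files do.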