From 0beaa999dbd326a2c80a733913a36e64b917add6 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 13 Sep 2008 15:34:44 -0400 Subject: counting problems in monkeysphere-server diagnostics --- debian/changelog | 5 ++++- src/monkeysphere-server | 23 ++++++++++++++++++++++- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 13872bf..32d5a19 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,10 +5,13 @@ monkeysphere (0.16~pre-1) UNRELEASED; urgency=low portability. * fixed busted lockfile arrangement, where empty file was being locked * portability fixes in the way we use date, mktemp, hostname, su - * stop using stat, since the syntax appears to be totally unportable + * stop using /usr/bin/stat, since the syntax appears to be totally + unportable * require GNU getopt, and test for getopt failures (look for getopt in /usr/local/bin first, since that's where FreeBSD's GNU-compatible getopt lives. + * monkeysphere-server diagnostics now counts problems and suggests a + re-run after they have been resolved. -- Daniel Kahn Gillmor Thu, 11 Sep 2008 23:16:31 -0400 diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 6798fab..a0dc33f 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -559,6 +559,7 @@ diagnostics() { local fingerprint local badhostkeys local sshd_config + local problemsfound=0 # FIXME: what's the correct, cross-platform answer? sshd_config=/etc/ssh/sshd_config 
@@ -571,19 +572,23 @@ diagnostics() {
 if ! id monkeysphere >/dev/null ; then
 echo "! No monkeysphere user found! Please create a monkeysphere system user."
+ problemsfound=$(($problemsfound+1))
 fi
 if ! [ -d "$VARLIB" ] ; then
 echo "! no $VARLIB directory found. Please create it."
+ problemsfound=$(($problemsfound+1))
 fi
 echo "Checking host GPG key..."
 if (( "$keysfound" < 1 )); then
 echo "! No host key found."
 echo " - Recommendation: run 'monkeysphere-server gen-key'"
+ problemsfound=$(($problemsfound+1))
 elif (( "$keysfound" > 1 )); then
 echo "! More than one host key found?"
 # FIXME: recommend a way to resolve this
+ problemsfound=$(($problemsfound+1))
 else
 create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
 expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
@@ -593,9 +598,11 @@ diagnostics() {
 if (( "$expire" < "$curdate" )); then
 echo "! Host key is expired."
 echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+ problemsfound=$(($problemsfound+1))
 elif (( "$expire" < "$warndate" )); then
 echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
 echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+ problemsfound=$(($problemsfound+1))
 fi
 fi
@@ -603,6 +610,7 @@ diagnostics() {
 if [ "$create" ] && (( "$create" > "$curdate" )); then
 echo "! Host key was created in the future(?!). Is your clock correct?"
 echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
+ problemsfound=$(($problemsfound+1))
 fi
 # check for UserID expiration:
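Review bot: Every `echo "! …"` in this hunk has to be paired by hand with a `problemsfound=$(($problemsfound+1))` line, and the same pattern repeats in the -593, -603, -614, -641 and -679 hunks; a one-line helper, `problem() { echo "! $*"; problemsfound=$((problemsfound+1)); }`, would keep the message and the count together so a missing increment cannot slip in (bash locals such as `problemsfound` are visible to functions called from diagnostics()), and it drops the redundant `$` inside `$(( ))`. Do not shorten the increment to `(( problemsfound++ ))`: the post-increment evaluates to 0 on the first problem, so that command returns status 1, which would abort the script if it runs under `set -e` (whether it does is not visible here). diagnostics() begins and ends outside this hunk.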
@@ -614,14 +622,17 @@ diagnostics() {
 if [ "$create" ] && (( "$create" > "$curdate" )); then
 echo "! User ID '$uid' was created in the future(?!). Is your clock correct?"
 echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
+ problemsfound=$(($problemsfound+1))
 fi
 if [ "$expire" ] ; then
 if (( "$expire" < "$curdate" )); then
 echo "! User ID '$uid' is expired."
- # FIXME: recommend a way to resolve this
+ # FIXME: recommend a way to resolve this
+ problemsfound=$(($problemsfound+1))
 elif (( "$expire" < "$warndate" )); then
 echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
 # FIXME: recommend a way to resolve this
+ problemsfound=$(($problemsfound+1))
 fi
 fi
 done
@@ -641,20 +652,24 @@ diagnostics() {
 echo "Checking host SSH key..."
 if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then
 echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty."
+ problemsfound=$(($problemsfound+1))
 else
 if [ $(ls -l "${VARLIB}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
 echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600."
+ problemsfound=$(($problemsfound+1))
 fi
 # propose changes needed for sshd_config (if any)
 if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then
 echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
 echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
+ problemsfound=$(($problemsfound+1))
 fi
 if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then
 echo "! $sshd_config refers to some non-monkeysphere host keys:"
 echo "$badhostkeys"
 echo " - Recommendation: remove the above HostKey lines from $sshd_config"
+ problemsfound=$(($problemsfound+1))
 fi
 fi
 fi
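Review bot: In the -641 hunk the increment is added to the `badhostkeys` branch, but that branch cannot show what it found: the assignment pipes through `grep -q -v`, and `-q` discards the output, so `$badhostkeys` is always empty and `echo "$badhostkeys"` prints a blank line where the offending HostKey lines should be listed. Dropping `-q` keeps the branch condition (grep returns 0 only when it selects a line) and restores the listing: `if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then`. The `badauthorizedkeys` branch in the -679 hunk echoes its variable the same way; its assignment is outside these hunks and worth checking for the same `-q`. The permission test in this hunk compares the whole first field of `ls -l` against the literal `-rw-------`, which flags a correct 0600 file on systems where ls appends `+` or `.` for an ACL or security label; comparing only the mode characters, `[ "$(ls -l "${VARLIB}/ssh_host_rsa_key" | cut -c1-10)" != '-rw-------' ]`, avoids that false positive. diagnostics() and the enclosing `if`/`for` blocks begin and end outside this hunk.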
@@ -679,6 +694,12 @@ diagnostics() {
 echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
 echo "$badauthorizedkeys"
 echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
+ problemsfound=$(($problemsfound+1))
+ fi
+
+ if [ "$problemsfound" -gt 0 ]; then
+ echo "When the above $problemsfound problem"$([ "$problemsfound" -eq 1 ] || echo "s")" are resolved, please re-run:"
+ echo " monkeysphere-server diagnostics"
 fi
 }
--
cgit v1.2.3
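Review bot: diagnostics() still returns success after reporting problems: the function ends right after the new summary block with no `return`, and the status of a final `if` whose body is two `echo`s is 0 whether or not the condition held, so a cron job or configuration-management check running `monkeysphere-server diagnostics` cannot tell a clean host from one with an expired host key or a stray HostKey line. A `return 1` after `echo " monkeysphere-server diagnostics"` would let the exit status carry the result, provided the dispatcher that calls diagnostics() (outside this hunk) passes it through. The pluralisation in the summary only adjusts the noun, so a single problem prints `1 problem are resolved`; `echo "When the above $problemsfound problem"$([ "$problemsfound" -eq 1 ] && echo " is" || echo "s are")" resolved, please re-run:"` fixes both words. diagnostics() begins before this hunk.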