From 267c6fcda592494466beed500ef78ad955edea8c Mon Sep 17 00:00:00 2001 From: Jameson Rollins Date: Sun, 17 Oct 2010 19:14:31 -0400 Subject: fix keys-for-user This function now properly outputs to stdout exactly what would have been written to the monkeysphere-controlled authorized_keys file, but without actually touching it. --- Changelog | 7 +++++ man/man8/monkeysphere-authentication.8 | 15 +++++----- src/monkeysphere-authentication | 16 +++++----- src/share/ma/keys_for_user | 53 ---------------------------------- src/share/ma/update_users | 28 +++++++++++------- 5 files changed, 41 insertions(+), 78 deletions(-) delete mode 100644 src/share/ma/keys_for_user diff --git a/Changelog b/Changelog index d300602..1e5508e 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,10 @@ +monkeysphere (0.34) unstable; urgency=low + + * fix keys-for-user so that it outputs proper authorized_keys lines + (close MS #2550) + + -- Jameson Rollins Sun, 17 Oct 2010 19:18:29 -0400 + monkeysphere (0.33) unstable; urgency=low [ Daniel Kahn Gillmor ] diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index e2886d6..1592c99 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -23,7 +23,7 @@ the WoT. \fBmonkeysphere\-authentication\fP takes various subcommands: .TP -.B update\-users [ACCOUNT]... +.B update\-users [USER]... Rebuild the monkeysphere-controlled authorized_keys files. For each specified account, the user ID's listed in the account's authorized_user_ids file are processed. For each user ID, gpg will be @@ -37,16 +37,17 @@ monkeysphere-controlled authorized_keys file. If no accounts are specified, then all accounts on the system are processed. `u' may be used in place of `update\-users'. .TP +.B keys\-for\-user USER +Output to stdout authorized_keys lines for USER. This command behaves +exactly like update\-users (above), except that the resulting +authorized_keys lines are output to stdout, instead of being written +to the monkeysphere-controlled authorized_keys file. +.TP .B refresh\-keys Refresh all keys in the monkeysphere-authentication keyring. If no accounts are specified, then all accounts on the system are processed. `r' may be used in place of `refresh\-keys'. .TP -.B keys\-for\-user USER -Output to stdout all acceptable keys for a given user. User IDs are -read from the user's authorized_user_ids file (see -MONKEYSPHERE_AUTHORIZED_USER_IDS below). -.TP .B add\-id\-certifier KEYID|FILE Instruct system to trust user identity certifications made by KEYID. The key ID will be loaded from the keyserver. A file may be loaded @@ -191,7 +192,7 @@ If the monkeysphere-authentication-x509 file is present, the monkeysphere-x509 file will be ignored. .TP __SYSDATADIR_PREFIX__/monkeysphere/authorized_keys/USER -Monkeysphere-generated user authorized_keys files. +Monkeysphere-controlled user authorized_keys files. .TP ~/.monkeysphere/authorized_user_ids A list of OpenPGP user IDs, one per line. OpenPGP keys with an diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index c9f6634..4249d21 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -51,8 +51,8 @@ Monkeysphere authentication admin tool. subcommands: update-users (u) [USER]... update user authorized_keys files + keys-for-user (k) USER output user authorized_keys lines to stdout refresh-keys (r) refresh keys in keyring - keys-for-user (k) USER output valid keys for user add-id-certifier (c+) KEYID|FILE import and tsign a certification key [--domain (-n) DOMAIN] limit ID certifications to DOMAIN @@ -164,18 +164,20 @@ case $COMMAND in source "${MASHAREDIR}/setup" setup source "${MASHAREDIR}/update_users" - update_users "$@" + OUTPUT_STDOUT= update_users "$@" ;; - 'refresh-keys'|'refresh'|'r') + 'keys-for-user'|'k') source "${MASHAREDIR}/setup" setup - gpg_sphere --keyserver "$KEYSERVER" --refresh-keys + source "${MASHAREDIR}/update_users" + OUTPUT_STDOUT=true update_users "$1" ;; - 'keys-for-user'|'k') - source "${MASHAREDIR}/keys_for_user" - keys_for_user "$@" + 'refresh-keys'|'refresh'|'r') + source "${MASHAREDIR}/setup" + setup + gpg_sphere --keyserver "$KEYSERVER" --refresh-keys ;; 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+') diff --git a/src/share/ma/keys_for_user b/src/share/ma/keys_for_user deleted file mode 100644 index 6f61828..0000000 --- a/src/share/ma/keys_for_user +++ /dev/null @@ -1,53 +0,0 @@ -# -*-shell-script-*- -# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) - -# Monkeysphere authentication keys-for-user subcommand -# -# The monkeysphere scripts are written by: -# Jameson Rollins -# Daniel Kahn Gillmor -# -# They are Copyright 2008-2010, and are all released under the GPL, -# version 3 or later. - -# This command could be run as an sshd AuthorizedKeysCommand to -# provide the authorized keys for a user, based on OpenPGP user id's -# listed in the user's authorized_user_ids file. - -keys_for_user() { - -local uname -local authorizedUserIDs -local line - -# get users from command line -uname="$1" - -# path to authorized_user_ids file, translating ssh-style path -# variables -authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") - -# exit if the authorized_user_ids file is empty -if [ ! -s "$authorizedUserIDs" ] ; then - failure "authorized_user_ids file '$authorizedUserIDs' is empty or does not exist." -fi - -log debug "authorized_user_ids file: $authorizedUserIDs" - -# check permissions on the authorized_user_ids file path -check_key_file_permissions "$uname" "$authorizedUserIDs" || failure - -GNUPGHOME="$GNUPGHOME_SPHERE" -export GNUPGHOME - -# extract user IDs from authorized_user_ids file -IFS=$'\n' -for line in $(meat "$authorizedUserIDs") ; do - if [[ "$line" =~ ^[[:space:]] ]] ; then - continue - fi - printf '%s' "$line" | \ - su_monkeysphere_user ". ${SYSSHAREDIR}/common; read X; keys_for_userid \"\$X\"" || true -done - -} diff --git a/src/share/ma/update_users b/src/share/ma/update_users index 0086cd3..91acd66 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users @@ -129,17 +129,23 @@ for uname in $unames ; do # the same uid that sshd is launched as); change the group of # the file so that members of the user's group can read it. - # FIXME: is there a better way to do this? - chown $(whoami) "$AUTHORIZED_KEYS" && \ - chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \ - chmod g+r "$AUTHORIZED_KEYS" && \ - mv -f "$AUTHORIZED_KEYS" "${authorizedKeysDir}/${uname}" || \ - { - log error "Failed to install authorized_keys for '$uname'!" - rm -f "${authorizedKeysDir}/${uname}" - # indicate that there has been a failure: - returnCode=1 - } + if [ "$OUTPUT_STDOUT" ] ; then + log debug "outputting keys to stdout..." + cat "$AUTHORIZED_KEYS" + else + log debug "moving new file to ${authorizedKeysDir}/${uname}..." + # FIXME: is there a better way to do this? + chown $(whoami) "$AUTHORIZED_KEYS" && \ + chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \ + chmod g+r "$AUTHORIZED_KEYS" && \ + mv -f "$AUTHORIZED_KEYS" "${authorizedKeysDir}/${uname}" || \ + { + log error "Failed to install authorized_keys for '$uname'!" + rm -f "${authorizedKeysDir}/${uname}" + # indicate that there has been a failure: + returnCode=1 + } + fi else rm -f "${authorizedKeysDir}/${uname}" fi -- cgit v1.2.3