From 20fa2bf388d33f42446c191b1c9a18a828cdca23 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Sat, 15 Nov 2008 18:01:49 -0500
Subject: add a directory and a changlog for the zimmerman keyserver (including
 some changes)

---
 doc/zimmerman/changelog | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 doc/zimmerman/changelog

diff --git a/doc/zimmerman/changelog b/doc/zimmerman/changelog
new file mode 100644
index 0000000..2033cd5
--- /dev/null
+++ b/doc/zimmerman/changelog
@@ -0,0 +1,15 @@
+******************************************************************************
+*                                                                            *
+*                       zimmerman system log                                 *
+*                                                                            *
+******************************************************************************
+*  Please add new entries in reverse chronological order whenever you make   *
+*  changes to this system (first command at top, last at bottom)             *
+******************************************************************************
+
+2008-11-15 - micah
+	* aptitude update && aptitude full-upgrade
+	* aptitude install sks
+	* cd /var/lib/sks/dump ; wget -q -r -np -nd -A bz2,SHA256,asc \
+	  http://nynex.net/keydump/ -e robots=off
+
-- 
cgit v1.2.3


From a889bad4f15b45b0b98fa7335129c66519eeb336 Mon Sep 17 00:00:00 2001
From: Jamie McClelland <jm@mayfirst.org>
Date: Sat, 15 Nov 2008 18:06:31 -0500
Subject: reporting changes around mail configuration of zimmermann.

---
 doc/zimmerman/changelog | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/doc/zimmerman/changelog b/doc/zimmerman/changelog
index 2033cd5..e119e23 100644
--- a/doc/zimmerman/changelog
+++ b/doc/zimmerman/changelog
@@ -13,3 +13,6 @@
 	* cd /var/lib/sks/dump ; wget -q -r -np -nd -A bz2,SHA256,asc \
 	  http://nynex.net/keydump/ -e robots=off
 
+2008-11-15 - jamie
+  * aptitude install esmtp-run mailx
+	* edited /etc/esmtp-run, configured to relay to bulk.mayfirst.org
-- 
cgit v1.2.3


From cdfb653480aa9b14deffd54ea7f497c27d5abdb4 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Sat, 15 Nov 2008 18:13:07 -0500
Subject: add the new monkeysphere package to zimmerman

---
 doc/zimmerman/changelog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/zimmerman/changelog b/doc/zimmerman/changelog
index 2033cd5..a92198c 100644
--- a/doc/zimmerman/changelog
+++ b/doc/zimmerman/changelog
@@ -12,4 +12,5 @@
 	* aptitude install sks
 	* cd /var/lib/sks/dump ; wget -q -r -np -nd -A bz2,SHA256,asc \
 	  http://nynex.net/keydump/ -e robots=off
+	* install monkeysphere 0.21-2 package
 
-- 
cgit v1.2.3


From f5d87b83453aa7888f64b72a74fb16b9d3b65c4a Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sat, 15 Nov 2008 18:45:25 -0500
Subject: remove pruning of the ssh fingerprint output in monkeysphere-server
 show-key function.  the extra info (key length and type) are useful to have.

---
 src/monkeysphere-server | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index e78903b..0815b32 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -137,7 +137,7 @@ show_server_key() {
     tmpkey=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
     gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ "
     echo -n "ssh fingerprint: "
-    (cd "$tmpkey" && ssh-keygen -l -f ' ' | awk '{ print $2 }')
+    (cd "$tmpkey" && ssh-keygen -l -f ' '
     rm -rf "$tmpkey"
     echo -n "OpenPGP fingerprint: "
     echo "$fingerprint"
-- 
cgit v1.2.3


From a4983d24c8e79729deaa02602b742eace6d09f86 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Sat, 15 Nov 2008 18:55:42 -0500
Subject: change from using a filename that is a just a space to an actual
 temporary file

---
 src/monkeysphere-server | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index e78903b..5edaa4f 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -134,10 +134,10 @@ show_server_key() {
 
     # dumping to a file named ' ' so that the ssh-keygen output
     # doesn't claim any potentially bogus hostname(s):
-    tmpkey=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
-    gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ "
+    tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
+    gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey"
     echo -n "ssh fingerprint: "
-    (cd "$tmpkey" && ssh-keygen -l -f ' ' | awk '{ print $2 }')
+    ssh-keygen -l -f $tmpkey | awk '{ print $1, $2, $4 }'
     rm -rf "$tmpkey"
     echo -n "OpenPGP fingerprint: "
     echo "$fingerprint"
-- 
cgit v1.2.3


From 2459fa3ea277d7b9289945748619eab1e3441e5c Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sat, 15 Nov 2008 20:49:27 -0500
Subject: Added info log output when a new key is added to known_hosts file.

---
 packaging/debian/changelog |  7 +++++++
 src/common                 | 11 +++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/packaging/debian/changelog b/packaging/debian/changelog
index 62f021e..f1db037 100644
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -1,3 +1,10 @@
+monkeysphere (0.22-1) UNRELEASED; urgency=low
+
+  * New upstream release:
+    - Added info log output when a new key is added to known_hosts file.
+
+ -- Jameson Graef Rollins <jrollins@finestructure.net>  Sat, 15 Nov 2008 20:49:13 -0500
+
 monkeysphere (0.21-2) unstable; urgency=low
 
   * actually rmdir /var/lib/monkeysphere-* during prerm if possible.
diff --git a/src/common b/src/common
index 297e7f3..efee9bd 100644
--- a/src/common
+++ b/src/common
@@ -742,6 +742,7 @@ process_user_id() {
 process_host_known_hosts() {
     local host
     local userID
+    local noKey=
     local nKeys
     local nKeysOK
     local ok
@@ -768,8 +769,9 @@ process_host_known_hosts() {
             continue
         fi
 
-	# remove the old host key line, and note if removed
-	remove_line "$KNOWN_HOSTS" "$sshKey"
+	# remove any old host key line, and note if removed nothing is
+	# removed
+	remove_line "$KNOWN_HOSTS" "$sshKey" || noKey=true
 
 	# if key OK, add new host line
 	if [ "$ok" -eq '0' ] ; then
@@ -788,6 +790,11 @@ process_host_known_hosts() {
 	    else
 		ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS"
 	    fi
+
+	    # log if this is a new key to the known_hosts file
+	    if [ "$noKey" ] ; then
+		log info "* new key for $host added to known_hosts file."
+	    fi
 	fi
     done
 
-- 
cgit v1.2.3


From 5c769e797dc0b867db7d6e19eaf9ca493dc87091 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Sun, 16 Nov 2008 00:14:15 -0500
Subject: fix tarball download link

---
 website/download.mdwn | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/website/download.mdwn b/website/download.mdwn
index e67d0dc..6d5a73f 100644
--- a/website/download.mdwn
+++ b/website/download.mdwn
@@ -75,7 +75,7 @@ For those that would like to download the source directly, [the source
 is available](/community) via [git](http://git.or.cz/).
 
 The [latest
-tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_.orig.tar.gz)
+tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.21.orig.tar.gz)
 is also available, and has these checksums:
 
 <pre>
-- 
cgit v1.2.3


From d068b7c722211adf7d830b1c1b4ce9693eafbe4f Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 16 Nov 2008 00:57:27 -0500
Subject: m-s s: avoid failures when $TMPDIR has a space in it. (output might
 still be a bit garbled)

---
 src/monkeysphere-server | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 5edaa4f..665d916 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -137,7 +137,7 @@ show_server_key() {
     tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
     gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey"
     echo -n "ssh fingerprint: "
-    ssh-keygen -l -f $tmpkey | awk '{ print $1, $2, $4 }'
+    ssh-keygen -l -f "$tmpkey" | awk '{ print $1, $2, $4 }'
     rm -rf "$tmpkey"
     echo -n "OpenPGP fingerprint: "
     echo "$fingerprint"
-- 
cgit v1.2.3


From 9eed0790573d3f1f21707151ede87f8339dbecc0 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 16 Nov 2008 01:28:19 -0500
Subject: exporting SSH host public key (two variants: one traditional ssh, the
 other OpenPGP) during m-s gen-key

---
 src/monkeysphere-server | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 665d916..bb26c04 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -399,7 +399,11 @@ EOF
     (umask 077 && \
 	gpg_host --export-secret-key "$fingerprint" | \
 	openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
-    log info "private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
+    log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
+    ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub"
+    log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub"
+    gpg_authentication --export-options export-minimal --export "0x${fingerprint}!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+    log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
 }
 
 # extend the lifetime of a host key:
-- 
cgit v1.2.3


From c9efd3d44010262946d518dc712edba733697b34 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 16 Nov 2008 02:04:56 -0500
Subject: update debian/changelog.

---
 packaging/debian/changelog | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/packaging/debian/changelog b/packaging/debian/changelog
index f1db037..c2c4241 100644
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -1,8 +1,16 @@
 monkeysphere (0.22-1) UNRELEASED; urgency=low
 
   * New upstream release:
+  [ Jameson Rollins ]
+
     - Added info log output when a new key is added to known_hosts file.
 
+  [ Daniel Kahn Gillmor ]
+
+    - automatically output two copies of the host's public key: one
+    standard ssh public key file, and the other a minimal OpenPGP key with
+    just the latest valid self-sig.
+
  -- Jameson Graef Rollins <jrollins@finestructure.net>  Sat, 15 Nov 2008 20:49:13 -0500
 
 monkeysphere (0.21-2) unstable; urgency=low
-- 
cgit v1.2.3


From 11e3f75a105d37cc113abe8f19e29ed1d9d90155 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 16 Nov 2008 02:33:42 -0500
Subject: making the "upstream version" end in ~pre so that test packages
 created before the release will upgrade properly when the official 0.22 gets
 released.

---
 packaging/debian/changelog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packaging/debian/changelog b/packaging/debian/changelog
index c2c4241..1aee7d1 100644
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -1,4 +1,4 @@
-monkeysphere (0.22-1) UNRELEASED; urgency=low
+monkeysphere (0.22~pre-1) UNRELEASED; urgency=low
 
   * New upstream release:
   [ Jameson Rollins ]
-- 
cgit v1.2.3


From d056cc64effacd7936fddb6e696957868fff7eed Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 16 Nov 2008 02:39:51 -0500
Subject: feedback on useful-information bug.

---
 website/bugs/useful-information.mdwn | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/website/bugs/useful-information.mdwn b/website/bugs/useful-information.mdwn
index 0750354..62094bb 100644
--- a/website/bugs/useful-information.mdwn
+++ b/website/bugs/useful-information.mdwn
@@ -8,3 +8,17 @@ time seems to the monkeysphere very similar to a key re-added ten
 seconds after last login.
 
 Still, from a UI perspective, I want to know what monkeysphere is doing.
+
+------
+
+It looks like jrollins committed a change for reporting at INFO level
+when a host key gets added by the monkeysphere:
+2459fa3ea277d7b9289945748619eab1e3441e5c
+
+When i connect to a host whose key is not already present in my
+known_hosts file, i get the following to stderr:
+
+    ms: * new key for squeak.fifthhorseman.net added to known_hosts file.
+
+This doesn't fully close this bug, because we aren't notifying on key
+deletion, afaict.
-- 
cgit v1.2.3


From dd002c89fc4dccabc16d488a15a40cc88383605f Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sun, 16 Nov 2008 03:17:36 -0500
Subject: added some useful output to the ssh-proxycommand for "marginal" cases
 where keys are found for host but do not have full validity.  this uses
 ssh-keyscan to pull the key for the host in question, check this key against
 the keys against those found via gpg, and output some useful information
 about the one that matches.

---
 changelog                         |  2 +-
 packaging/debian/changelog        |  6 ++-
 src/monkeysphere-server           |  2 +-
 src/monkeysphere-ssh-proxycommand | 98 ++++++++++++++++++++++++++++++++++++++-
 4 files changed, 102 insertions(+), 6 deletions(-)

diff --git a/changelog b/changelog
index b9a9e21..4264fa4 120000
--- a/changelog
+++ b/changelog
@@ -1 +1 @@
-website/changelog
\ No newline at end of file
+packaging/debian/changelog
\ No newline at end of file
diff --git a/packaging/debian/changelog b/packaging/debian/changelog
index f1db037..e8ea1a9 100644
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -1,9 +1,11 @@
 monkeysphere (0.22-1) UNRELEASED; urgency=low
 
   * New upstream release:
-    - Added info log output when a new key is added to known_hosts file.
+    - added info log output when a new key is added to known_hosts file.
+    - added some useful output to the ssh-proxycommand for "marginal"
+      cases where keys are found for host but do not have full validity.
 
- -- Jameson Graef Rollins <jrollins@finestructure.net>  Sat, 15 Nov 2008 20:49:13 -0500
+ -- Jameson Graef Rollins <jrollins@finestructure.net>  Sun, 16 Nov 2008 03:17:16 -0500
 
 monkeysphere (0.21-2) unstable; urgency=low
 
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 5edaa4f..665d916 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -137,7 +137,7 @@ show_server_key() {
     tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
     gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey"
     echo -n "ssh fingerprint: "
-    ssh-keygen -l -f $tmpkey | awk '{ print $1, $2, $4 }'
+    ssh-keygen -l -f "$tmpkey" | awk '{ print $1, $2, $4 }'
     rm -rf "$tmpkey"
     echo -n "OpenPGP fingerprint: "
     echo "$fingerprint"
diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand
index 6276092..b039844 100755
--- a/src/monkeysphere-ssh-proxycommand
+++ b/src/monkeysphere-ssh-proxycommand
@@ -13,14 +13,84 @@
 # established.  Can be added to ~/.ssh/config as follows:
 #  ProxyCommand monkeysphere-ssh-proxycommand %h %p
 
+########################################################################
+PGRM=$(basename $0)
+
+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
+export SYSSHAREDIR
+. "${SYSSHAREDIR}/common" || exit 1
+
+########################################################################
+# FUNCTIONS
 ########################################################################
 
 usage() {
-cat <<EOF >&2
+    cat <<EOF >&2
 usage: ssh -o ProxyCommand="$(basename $0) %h %p" ...
 EOF
 }
 
+log() {
+    echo "$@" >&2
+}
+
+output_no_valid_key() {
+    local sshKeyOffered
+    local userID
+    local type
+    local validity
+    local keyid
+    local uidfpr
+    local usage
+    local sshKeyGPG
+    local sshFingerprint
+
+    log "OpenPGP keys with*out* full validity found for this host:"
+    log
+
+    # retrieve the actual ssh key
+    sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
+
+    userID="ssh://${HOSTP}"
+
+    # output gpg info for (exact) userid and store
+    gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
+	--with-fingerprint --with-fingerprint \
+	="$userID" 2>/dev/null)
+
+    # loop over all lines in the gpg output and process.
+    echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
+    while IFS=: read -r type validity keyid uidfpr usage ; do
+	case $type in
+	    'pub'|'sub')
+		# get the ssh key of the gpg key
+		sshKeyGPG=$(gpg2ssh "$keyid")
+
+		# if one of keys found matches the one offered by the
+		# host, then output info
+		if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
+
+		    # get the fingerprint of the ssh key
+		    tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
+		    echo "$sshKeyGPG" > "$tmpkey"
+		    sshFingerprint=$(ssh-keygen -l -f "$tmpkey" | awk '{ print $2 }')
+		    rm -rf "$tmpkey"
+
+		    # output gpg info
+		    gpg --check-sigs \
+			--list-options show-uid-validity \
+			"$keyid" >&2
+
+		    # output ssh fingerprint
+		    log "RSA key fingerprint is ${sshFingerprint}."
+		    log "Falling through to standard ssh host checking."
+		    log
+		fi
+		;;
+	esac
+    done
+}
+
 ########################################################################
 
 # export the monkeysphere log level
@@ -35,7 +105,7 @@ HOST="$1"
 PORT="$2"
 
 if [ -z "$HOST" ] ; then
-    echo "Host not specified." >&2
+    log "Host not specified."
     usage
     exit 255
 fi
@@ -88,6 +158,30 @@ export MONKEYSPHERE_CHECK_KEYSERVER
 # update the known_hosts file for the host
 monkeysphere update-known_hosts "$HOSTP"
 
+# output on depending on the return of the update-known_hosts
+# subcommand, which is (ultimately) the return code of the
+# update_known_hosts function in common
+case $? in
+    0)
+	# acceptable host key found so continue to ssh
+	true
+	;;
+    1)
+	# no hosts at all found so also continue (drop through to
+	# regular ssh host verification)
+	true
+	;;
+    2)
+	# at least one *bad* host key (and no good host keys) was
+	# found, so output some usefull information
+	output_no_valid_key
+	;;
+    *)
+	# anything else drop through
+	true
+	;;
+esac
+
 # exec a netcat passthrough to host for the ssh connection
 if [ -z "$NO_CONNECT" ] ; then
     if (which nc 2>/dev/null >/dev/null); then
-- 
cgit v1.2.3


From d91a9e05ef6c351f40d931d2f7d19e3a3979279c Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sun, 16 Nov 2008 17:26:14 -0500
Subject: add some more informative debug output to key processing.

---
 src/common                        |  6 +++++-
 src/monkeysphere-ssh-proxycommand | 14 +++++++++-----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/common b/src/common
index efee9bd..51b0470 100644
--- a/src/common
+++ b/src/common
@@ -639,7 +639,7 @@ process_user_id() {
 		;;
 	    'uid') # user ids
 		if [ "$lastKey" != pub ] ; then
-		    log verbose " - got a user ID after a sub key?!  user IDs should only follow primary keys!"
+		    log verbose " ! got a user ID after a sub key?!  user IDs should only follow primary keys!"
 		    continue
 		fi
 		# if an acceptable user ID was already found, skip
@@ -652,6 +652,8 @@ process_user_id() {
 		    if [ "$validity" = 'u' -o "$validity" = 'f' ] ; then
 			# mark user ID acceptable
 			uidOK=true
+		    else
+			log debug "  - unacceptable user ID validity ($validity)."
 		    fi
 		else
 		    continue
@@ -693,10 +695,12 @@ process_user_id() {
 		
 		# if sub key validity is not ok, skip
 		if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
+		    log debug "  - unacceptable sub key validity ($validity)."
 		    continue
 		fi
 		# if sub key capability is not ok, skip
 		if ! check_capability "$usage" $requiredCapability ; then
+		    log debug "  - unacceptable sub key capability ($usage)."
 		    continue
 		fi
 
diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand
index b039844..aeea30d 100755
--- a/src/monkeysphere-ssh-proxycommand
+++ b/src/monkeysphere-ssh-proxycommand
@@ -45,20 +45,24 @@ output_no_valid_key() {
     local sshKeyGPG
     local sshFingerprint
 
-    log "OpenPGP keys with*out* full validity found for this host:"
+    userID="ssh://${HOSTP}"
+
+    log "Monkeysphere found only OpenPGP keys for this host with*out* full validity."
+    log "host:                $userID"
     log
 
     # retrieve the actual ssh key
     sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
+    # FIXME: should we do any checks for failed keyscans, eg host not
+    # found?
 
-    userID="ssh://${HOSTP}"
-
-    # output gpg info for (exact) userid and store
+    # output gpg info for userid and store
     gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
 	--with-fingerprint --with-fingerprint \
 	="$userID" 2>/dev/null)
 
-    # loop over all lines in the gpg output and process.
+    # find all 'pub' and 'sub' lines in the gpg output, which each
+    # represent a retrieved key for the user ID
     echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
     while IFS=: read -r type validity keyid uidfpr usage ; do
 	case $type in
-- 
cgit v1.2.3


From 864a89f60b05f0f32cf8ef2bb5677c2d50062749 Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sun, 16 Nov 2008 19:10:03 -0500
Subject: fix quoting in output of ssh_host_rsa_key.pub.gpg.  remember, at the
 moment the gpg_authentication function can only accept a single argument, so
 the entire gpg command string needs to be in a single quoted string.

---
 src/monkeysphere-server | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index bb26c04..018a1ec 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -402,7 +402,7 @@ EOF
     log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
     ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub"
     log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub"
-    gpg_authentication --export-options export-minimal --export "0x${fingerprint}!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+    gpg_authentication "--export-options export-minimal --export 0x${fingerprint}!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
     log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
 }
 
-- 
cgit v1.2.3


From 11a42a66941cc1bb4c1268895ac4522ecb5fb6e6 Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sun, 16 Nov 2008 19:32:58 -0500
Subject: really fix the ssh_host_rsa_key.pub.gpg output.

---
 src/monkeysphere-server | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 018a1ec..34b06b7 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -402,7 +402,7 @@ EOF
     log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
     ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub"
     log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub"
-    gpg_authentication "--export-options export-minimal --export 0x${fingerprint}!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+    gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
     log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
 }
 
-- 
cgit v1.2.3


From f7dfcead0281c9f6dd26908f76282efc843a7e52 Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Mon, 17 Nov 2008 01:14:20 -0500
Subject: More work on the marginal case output for the ssh-proxycommand.  For
 a key matching that offered by the host, now outputs just the information
 (including sigs) of the relevant user ID.  There is some other useful output
 for other cases as well. I also added a couple of FIXMEs for some other cases
 that I think we should think about and maybe tweak behavior for.

---
 src/monkeysphere-ssh-proxycommand | 74 +++++++++++++++++++++++++++++++++------
 1 file changed, 63 insertions(+), 11 deletions(-)

diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand
index aeea30d..b3dc562 100755
--- a/src/monkeysphere-ssh-proxycommand
+++ b/src/monkeysphere-ssh-proxycommand
@@ -43,20 +43,21 @@ output_no_valid_key() {
     local uidfpr
     local usage
     local sshKeyGPG
+    local tmpkey
     local sshFingerprint
+    local gpgSigOut
 
     userID="ssh://${HOSTP}"
 
-    log "Monkeysphere found only OpenPGP keys for this host with*out* full validity."
-    log "host:                $userID"
-    log
+    log "-------------------- Monkeysphere warning -------------------"
+    log "Monkeysphere found OpenPGP keys for this hostname, but none had full validity."
 
     # retrieve the actual ssh key
     sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
-    # FIXME: should we do any checks for failed keyscans, eg host not
+    # FIXME: should we do any checks for failed keyscans, eg. host not
     # found?
 
-    # output gpg info for userid and store
+    # get the gpg info for userid
     gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
 	--with-fingerprint --with-fingerprint \
 	="$userID" 2>/dev/null)
@@ -73,26 +74,68 @@ output_no_valid_key() {
 		# if one of keys found matches the one offered by the
 		# host, then output info
 		if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
+		    log "An OpenPGP key matching the ssh key offered by the host was found:"
+		    log
 
 		    # get the fingerprint of the ssh key
 		    tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
 		    echo "$sshKeyGPG" > "$tmpkey"
-		    sshFingerprint=$(ssh-keygen -l -f "$tmpkey" | awk '{ print $2 }')
+		    sshFingerprint=$(ssh-keygen -l -f "$tmpkey" | \
+			awk '{ print $2 }')
 		    rm -rf "$tmpkey"
 
-		    # output gpg info
-		    gpg --check-sigs \
+		    # get the sigs for the matching key
+		    gpgSigOut=$(gpg --check-sigs \
 			--list-options show-uid-validity \
-			"$keyid" >&2
+			"$keyid")
+
+		    # output the sigs, but only those on the user ID
+		    # we are looking for
+		    echo "$gpgSigOut" | awk '
+{
+if (match($0,"^pub")) {	print; }
+if (match($0,"^uid")) { ok=0; }
+if (match($0,"^uid.*'$userID'$")) { ok=1; print; }
+if (ok) { if (match($0,"^sig")) { print; } }
+}
+' >&2
+		    log
+
+		    # output the other user IDs for reference
+		    if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
+			log "Other user IDs on this key:"
+			echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" >&2
+			log
+		    fi
 
 		    # output ssh fingerprint
 		    log "RSA key fingerprint is ${sshFingerprint}."
-		    log "Falling through to standard ssh host checking."
-		    log
+
+		    # this whole process is in a "while read"
+		    # subshell.  the only way to get information out
+		    # of the subshell is to change the return code.
+		    # therefore we return 1 here to indicate that a
+		    # matching gpg key was found for the ssh key
+		    # offered by the host
+		    return 1
 		fi
 		;;
 	esac
     done
+
+    # if no key match was made (and the "while read" subshell returned
+    # 1) output how many keys were found
+    if (($? != 1)) ; then
+	log "None of the found keys matched the key offered by the host."
+	log "Run the following command for more info about the found keys:"
+	log "gpg --check-sigs --list-options show-uid-validity =${userID}"
+	# FIXME: should we do anything extra here if the retrieved
+	# host key is actually in the known_hosts file and the ssh
+	# connection will succeed?  Should the user be warned?
+	# prompted?
+    fi
+
+    log "-------------------- ssh continues below --------------------"
 }
 
 ########################################################################
@@ -186,6 +229,15 @@ case $? in
 	;;
 esac
 
+# FIXME: what about the case where monkeysphere successfully finds a
+# valid key for the host and adds it to the known_hosts file, but a
+# different non-monkeysphere key for the host already exists in the
+# known_hosts, and it is this non-ms key that is offered by the host?
+# monkeysphere will succeed, and the ssh connection will succeed, and
+# the user will be left with the impression that they are dealing with
+# a OpenPGP/PKI host key when in fact they are not.  should we use
+# ssh-keyscan to compare the keys first?
+
 # exec a netcat passthrough to host for the ssh connection
 if [ -z "$NO_CONNECT" ] ; then
     if (which nc 2>/dev/null >/dev/null); then
-- 
cgit v1.2.3