From 34439fbc29dde4d946fa6542cf441655aed06f5e Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 28 Oct 2008 01:58:54 -0400 Subject: tests now avoid prompting for default identity files. --- tests/basic | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/basic b/tests/basic index 46ba63c..3ec4a21 100755 --- a/tests/basic +++ b/tests/basic @@ -23,6 +23,7 @@ launch_sshd() { socat EXEC:"/usr/sbin/sshd -f ${SSHD_CONFIG} -i -D -e" "UNIX-LISTEN:${SOCKET}" 2> "$TEMPDIR"/sshd.log & export SSHD_PID=$! + # wait until the socket is created before continuing while [ ! -S "$SOCKET" ] ; do sleep 1 done @@ -89,6 +90,7 @@ cp -a "$TESTDIR"/home/testuser "$TEMPDIR"/ cat <> "$TEMPDIR"/testuser/.ssh/config UserKnownHostsFile $TEMPDIR/testuser/.ssh/known_hosts +IdentityFile $TEMPDIR/testuser/.ssh/no-such-identity ProxyCommand $TEMPDIR/testuser/.ssh/proxy-command %h %p $SOCKET EOF @@ -187,8 +189,6 @@ launch_sshd # and make sure the user can no longer connect echo "### testuser attempting to connect to sshd socket..." -# FIXME: this prompts for the passphrase for the default identity -# file. how can this be avoided? ssh_test || SSH_RETURN="$?" if [ "$SSH_RETURN" != '255' ] ; then exit -- cgit v1.2.3 From 12be051561696e4f5fc33d927b6b5cb1e431bc13 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 28 Oct 2008 02:05:01 -0400 Subject: update changelog in preparation for 0.17 release. --- debian/changelog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 4db311e..83253a6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,11 +1,12 @@ monkeysphere (0.17-1) experimental; urgency=low + [ Jameson Graef Rollins ] * Fix some bugs in, and cleanup, authorized_keys file creation in monkeysphere-server update-users. * Move to using the empty string for not adding a user-controlled authorized_keys file in the RAW_AUTHORIZED_KEYS variable. - -- Jameson Graef Rollins Mon, 27 Oct 2008 07:39:10 -0400 + -- Daniel Kahn Gillmor Tue, 28 Oct 2008 02:04:22 -0400 monkeysphere (0.16-1) experimental; urgency=low -- cgit v1.2.3 From 56db549e699f139e9ddce7c0e3e34ce587857766 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 28 Oct 2008 09:56:18 -0400 Subject: added release notes for 0.17-1 --- website/download.mdwn | 36 ++++++++++++++++++------------------ website/news/release-0.17-1.mdwn | 17 +++++++++++++++++ 2 files changed, 35 insertions(+), 18 deletions(-) create mode 100644 website/news/release-0.17-1.mdwn diff --git a/website/download.mdwn b/website/download.mdwn index 32ba9b7..a9dda2a 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -33,38 +33,38 @@ look at the source, we recommend [using git](/community). But if you want a tarball of the most recent release, we publish those too. The [latest -tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.16.orig.tar.gz) +tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.17.orig.tar.gz) has these checksums: 
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-checksums for the monkeysphere 0.16 release:
+checksums for the monkeysphere 0.17 release:
 
 MD5:
-4bc223e8004e0e374bd54f0315585c49  monkeysphere_0.16.orig.tar.gz
+2dde3fc8427d1b64a3dd7ee62b6d84fd  monkeysphere_0.17.orig.tar.gz
 
 SHA1:
-82c78ea1aeecb3059a14af9dfab0f471ce315e38  monkeysphere_0.16.orig.tar.gz
+487bdfb3dbbec828f69355f63516f2f365663f1c  monkeysphere_0.17.orig.tar.gz
 
 SHA256:
-f2dbd031315f99c82099a4a902f2240cca97536b035ef75872e72a65f324c9d7  monkeysphere_0.16.orig.tar.gz
+f2a839fc9f7ad23c7dad00bcf40905aac73b8c65e711b87ec54ce5d33f72324c  monkeysphere_0.17.orig.tar.gz
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 
-iQIVAwUBSQQdZRjmZ/HrivMUAQJaIA/6AnZG0yYJJ+0C4S0McnBnLMyiA4zQzVsH
-5J9dAYO771h0TZnlre1NZdgiP37YiPA1et24O/S7da0Ud/CND+V7CGrsxPzsfEbP
-xTPVDST2BgvnDo9LYN4Q9h7QD4lOiGjhoJM6PN/R6Zo2OGiw+yZ8RP+BW5AxW21e
-3AnasZ2XLEmwqI0AMl9OWsLk4NzeS7t+ycWjwJKINOk/5ghzlOR0Use/mRyTHvzy
-GhMjrLoqtgHo85pAfAWT7LkwTt+FDVRzLZl2shzJszewvPFva+z2A8kvuY+vAzUw
-CSvIAC5MSrheFUg1JC+6efVbUTgn3RZj+zn7CxyttVuRzjyrnY2WkiMOT5mKuZCg
-LR42FEXnDCNHjreVLB6PoU1bOseohRbfK2yN+oDSoXmO4GoKetokGEWU/S+pi/gq
-dhjyMZUYv1pgE9Vtz3ps0vVC4e8D/i39qEm7JB2AWPWU4jGX5cLCeEkrfXGsGWyu
-OxGGywarXfNp83R62QTh2cPZlkACj3IwoYgZ2h8r98ikyJlQE0Y7V8uHKsx1DMJX
-JBemkEVW5P7pZiRS7X2zqLGIDNwqBKNRnjZ7bAhqThJXpCBWNuZ+DjGY743BBddr
-RAfQUvdjbSEOD78NMh6pLLg3iYJA902EVXZX8Q8JQnjg5GlUrB2yS5uz82dwjbpx
-dy0gzEhr4DA=
-=DY0y
+iQIVAwUBSQcZ2xjmZ/HrivMUAQKvzxAAlBwQkef39LXpur6Zc4Y/z5RDWvo3uWSY
+p/xNPz1T+pUhbg94+Ozle5ACSZLDoH2XbsJdZQyudBf+AZg+rrruzdSUbmSpQrhU
+tWoXrWKyyqfVDdwvk6NUj1x/8jhkydHo8EM+ka/NyPiXVMmvWmtzIA8HpsbCgsIQ
+4hb4UEFsM2atLdigApH8Bp0MR5Wrshog1GCxsOKi7lWghv1FZfc1NTCNbyU7W89l
+VsO29jxGR9LYyttZpuDdmDserpsCN6ExFyvkxmDWXI+5HPR2z5WQKMscOCFhf4s5
+O2s7xGVofv9aVJX0SRbA8C7PdA/eBT2pw5IYwO4/OYKXU+0JI5+6IKCeoUeokQK/
+/yx01RrGr9r89XsLYC8Xd81Ey6RD5nhgJXyWD+8LlQSs8Xh+1VTwQYBqHs7VSaCm
+EgCG+0rp9ZOSb7h8y+qxHffqQHgKIx+s9qHKi+iEDDamXhlSrSOhMgADx3TtxMRm
+rVHkgUITFb+92ns3xrUnbsh7koNzssyiu7FLSL46X7EASgoJ6QVqWviz7AXkSuHD
+ngIpt6dEy8nKkjMAxEsnxHm5OmNtHxhAIkSpaxCC/HclErPcoEENYsnu5cwFECCF
+OkMxO+0tz8M0Gxo6xCdkHHH5TDfOIUY3+phCLi6ubqxbnoeAIzn6yds5SXlRiJvp
+Ujzwufr3Ymo=
+=rjN6
 -----END PGP SIGNATURE-----
diff --git a/website/news/release-0.17-1.mdwn b/website/news/release-0.17-1.mdwn new file mode 100644 index 0000000..ec847fb --- /dev/null +++ b/website/news/release-0.17-1.mdwn @@ -0,0 +1,17 @@ +[[meta title="Monkeysphere 0.17-1 released!"]] + +# Monkeysphere 0.17-1 released! # + +Monkeysphere 0.17-1 has been released. + +Notes from the changelog: + +
+  [ Jameson Graef Rollins ]  
+  * Fix some bugs in, and cleanup, authorized_keys file creation in
+    monkeysphere-server update-users.
+  * Move to using the empty string for not adding a user-controlled
+    authorized_keys file in the RAW_AUTHORIZED_KEYS variable.
+
+ +[[Download]] it now! -- cgit v1.2.3 From d45c604fec211ec969533771b83c5c94e0a5ed05 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 28 Oct 2008 14:37:04 -0400 Subject: fix bugs in authorized_* file permission checking. --- debian/changelog | 6 ++++++ debian/control | 2 +- src/common | 33 ++++++++++++++++++++------------- src/monkeysphere | 8 ++------ src/monkeysphere-server | 6 +++--- 5 files changed, 32 insertions(+), 23 deletions(-) diff --git a/debian/changelog b/debian/changelog index 83253a6..3131902 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +monkeysphere (0.18-1) UNRELEASED; urgency=low + + * Fix bugs in authorized_{user_ids,keys} file permission checking. + + -- Jameson Graef Rollins Tue, 28 Oct 2008 14:36:16 -0400 + monkeysphere (0.17-1) experimental; urgency=low [ Jameson Graef Rollins ] diff --git a/debian/control b/debian/control index 8f5aeef..efd734b 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: monkeysphere Section: net Priority: extra Maintainer: Daniel Kahn Gillmor -Uploaders: Jameson Rollins +Uploaders: Jameson Graef Rollins Build-Depends: debhelper (>= 7.0), libgnutls-dev (>= 2.4.0) Standards-Version: 3.8.0.1 Homepage: http://web.monkeysphere.info/ diff --git a/src/common b/src/common index 5d92b26..68a69e9 100644 --- a/src/common +++ b/src/common @@ -24,7 +24,7 @@ export SYSCONFIGDIR # failure function. exits with code 255, unless specified otherwise. failure() { - echo "$1" >&2 + [ "$1" ] && echo "$1" >&2 exit ${2:-'255'} } @@ -393,8 +393,9 @@ test_gpg_expire() { # check that a file is properly owned, and that all it's parent # directories are not group/other writable check_key_file_permissions() { - local user + local uname local path + local stat local access local gAccess local oAccess @@ -404,30 +405,36 @@ check_key_file_permissions() { [ "$1" = "w" ] } - user="$1" + uname="$1" path="$2" - # return 0 is path does not exist - [ -e "$path" ] || return 0 + # return 255 if cannot stat file + if ! stat=$(ls -ld "$path" 2>/dev/null) ; then + log error "could not stat path '$path'." + return 255 + fi - owner=$(ls -l "$path" | awk '{ print $3 }') - gAccess=$(ls -l "$path" | cut -c6) - oAccess=$(ls -l "$path" | cut -c9) + owner=$(echo "$stat" | awk '{ print $3 }') + gAccess=$(echo "$stat" | cut -c6) + oAccess=$(echo "$stat" | cut -c9) - # check owner - if [ "$owner" != "$user" -a "$owner" != 'root' ] ; then + # return 1 if path has invalid owner + if [ "$owner" != "$uname" -a "$owner" != 'root' ] ; then + log error "improper ownership on path '$path'." return 1 fi - # check group/other writability + # return 2 if path has group or other writability if is_write "$gAccess" || is_write "$oAccess" ; then + log error "improper group or other writability on path '$path'." return 2 fi + # return zero if all clear, or go to next path if [ "$path" = '/' ] ; then return 0 else - check_key_file_permissions $(dirname "$path") + check_key_file_permissions "$uname" $(dirname "$path") fi } @@ -1018,7 +1025,7 @@ process_authorized_user_ids() { log debug "processing authorized_user_ids file..." if ! meat "$authorizedUserIDs" > /dev/null ; then - log debug "no user IDs to process." + log debug " no user IDs to process." return fi diff --git a/src/monkeysphere b/src/monkeysphere index dd689b5..5703995 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -347,14 +347,10 @@ case $COMMAND in MODE='authorized_keys' # check permissions on the authorized_user_ids file path - if ! check_key_file_permissions "$USER" "$AUTHORIZED_USER_IDS" ; then - failure "Improper permissions on authorized_user_ids file path." - fi + check_key_file_permissions "$USER" "$AUTHORIZED_USER_IDS" || failure # check permissions on the authorized_keys file path - if ! check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" ; then - failure "Improper permissions on authorized_keys file path." - fi + check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" || failure # exit if the authorized_user_ids file is empty if [ ! -e "$AUTHORIZED_USER_IDS" ] ; then diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 6ca6a4f..617c10a 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -213,7 +213,7 @@ update_users() { ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" RETURN="$?" else - log error "Improper permissions on path '$AUTHORIZED_USER_IDS'." + log verbose "not processing authorized_user_ids." fi fi @@ -226,7 +226,7 @@ update_users() { log verbose "adding raw authorized_keys file... " cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" else - log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'. Not added to authorized_keys file." + log verbose "not adding raw authorized_keys file." fi fi @@ -371,7 +371,7 @@ EOF (umask 077 && \ gpg_host --export-secret-key "$fingerprint" | \ openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key") - log info "Private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key" + log info "private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key" } # extend the lifetime of a host key: -- cgit v1.2.3 From 2c6da8e68e326d52e0a472bddfca50649a45602f Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 28 Oct 2008 15:04:04 -0400 Subject: add more debugging output. --- src/monkeysphere-server | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 617c10a..b6bf78b 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -194,6 +194,7 @@ update_users() { chown -R "$MONKEYSPHERE_USER" "$TMPLOC" # process authorized_user_ids file + log debug "checking for authorized_user_ids..." # translating ssh-style path variables authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") if [ -s "$authorizedUserIDs" ] ; then @@ -213,20 +214,27 @@ update_users() { ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" RETURN="$?" else - log verbose "not processing authorized_user_ids." + log debug "not processing authorized_user_ids." fi + else + log debug "empty or absent authorized_user_ids file." fi # add user-controlled authorized_keys file if specified # translate ssh-style path variables rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS") - if [ "$rawAuthorizedKeys" -a -s "$rawAuthorizedKeys" ] ; then - # check permissions on the authorized_keys file path - if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then - log verbose "adding raw authorized_keys file... " - cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" + if [ "$rawAuthorizedKeys" ] ; then + log debug "checking for raw authorized_keys..." + if [ -s "$rawAuthorizedKeys" ] ; then + # check permissions on the authorized_keys file path + if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then + log verbose "adding raw authorized_keys file... " + cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" + else + log debug "not adding raw authorized_keys file." + fi else - log verbose "not adding raw authorized_keys file." + log debug "empty or absent authorized_keys file." fi fi -- cgit v1.2.3 From d080f8c802e0ca929577abe70118fa765d473dc6 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 28 Oct 2008 18:01:21 -0400 Subject: make sure that the /etc/monkeysphere/gpg-*.conf are placed during package installation. --- Makefile | 2 ++ debian/changelog | 7 ++++++- packaging/freebsd/Makefile | 6 ++++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 057707a..dfeb3f1 100644 --- a/Makefile +++ b/Makefile @@ -46,6 +46,8 @@ install: all installman install src/monkeysphere-server $(DESTDIR)$(PREFIX)/sbin install -m 0644 src/common $(DESTDIR)$(PREFIX)/share/monkeysphere install doc/* $(DESTDIR)$(PREFIX)/share/doc/monkeysphere + install -m 0644 etc/gnupg-host.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/gnupg-host.conf$(ETCSUFFIX) + install -m 0644 etc/gnupg-authentication.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/gnupg-authentication.conf$(ETCSUFFIX) install -m 0644 etc/monkeysphere.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/monkeysphere.conf$(ETCSUFFIX) install -m 0644 etc/monkeysphere-server.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/monkeysphere-server.conf$(ETCSUFFIX) diff --git a/debian/changelog b/debian/changelog index 3131902..05383d4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,13 @@ monkeysphere (0.18-1) UNRELEASED; urgency=low + [ Jameson Graef Rollins ] * Fix bugs in authorized_{user_ids,keys} file permission checking. + + [ Daniel Kahn Gillmor ] + * update install to ensure placement of + /etc/monkeysphere/gnupg-{host,authentication}.conf - -- Jameson Graef Rollins Tue, 28 Oct 2008 14:36:16 -0400 + -- Daniel Kahn Gillmor Tue, 28 Oct 2008 17:58:25 -0400 monkeysphere (0.17-1) experimental; urgency=low diff --git a/packaging/freebsd/Makefile b/packaging/freebsd/Makefile index 78ad0d3..f4bf0fe 100644 --- a/packaging/freebsd/Makefile +++ b/packaging/freebsd/Makefile @@ -34,6 +34,12 @@ post-patch: find . -iname '*.orig' -delete post-install: + @if [ ! -f ${PREFIX}/etc/monkeysphere/gnupg-host.conf ]; then \ + ${CP} -p ${PREFIX}/etc/monkeysphere/gnupg-host.conf.sample ${PREFIX}/etc/monkeysphere/gnupg-host.conf ; \ + fi + @if [ ! -f ${PREFIX}/etc/monkeysphere/gnupg-authentication.conf ]; then \ + ${CP} -p ${PREFIX}/etc/monkeysphere/gnupg-authentication.conf.sample ${PREFIX}/etc/monkeysphere/gnupg-authentication.conf ; \ + fi @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \ ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere.conf ; \ fi -- cgit v1.2.3 From 3e5ccfd11d143e113944a8c35831618421d90552 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 28 Oct 2008 18:04:51 -0400 Subject: do not choke at end of test suite if no sshd was ever launched. --- tests/basic | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/basic b/tests/basic index 3ec4a21..393bcc2 100755 --- a/tests/basic +++ b/tests/basic @@ -43,7 +43,7 @@ failed_cleanup() { } cleanup() { - if ( ps "$SSHD_PID" >/dev/null ) ; then + if [ "$SSHD_PID" ] && ( ps "$SSHD_PID" >/dev/null ) ; then echo "### stopping still-running sshd..." kill "$SSHD_PID" fi @@ -82,6 +82,7 @@ export MONKEYSPHERE_CHECK_KEYSERVER=false export SSHD_CONFIG="$TEMPDIR"/sshd_config export SOCKET="$TEMPDIR"/ssh-socket +export SSHD_PID= # copy in admin and testuser home to tmp echo "### copying admin and testuser homes..." -- cgit v1.2.3 From 30ac88c7bd68e38af8b2b06327bc1c6492a337c6 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 28 Oct 2008 18:18:24 -0400 Subject: test suite now auto-detects which flavor of prng support GPG uses. --- debian/changelog | 2 ++ tests/basic | 12 +++++++++++- tests/home/testuser/.gnupg/gpg.conf | 2 -- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index 05383d4..30b33f0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,8 @@ monkeysphere (0.18-1) UNRELEASED; urgency=low [ Daniel Kahn Gillmor ] * update install to ensure placement of /etc/monkeysphere/gnupg-{host,authentication}.conf + * choose either --quick-random or --debug-quick-random depending on + which gpg supports for the test suite. -- Daniel Kahn Gillmor Tue, 28 Oct 2008 17:58:25 -0400 diff --git a/tests/basic b/tests/basic index 393bcc2..9c3796c 100755 --- a/tests/basic +++ b/tests/basic @@ -42,6 +42,14 @@ failed_cleanup() { cleanup } +get_gpg_prng_arg() { + if (gpg --quick-random --version >/dev/null 2>&1) ; then + echo quick-random + elif (gpg --debug-quick-random --version >/dev/null 2>&1) ; then + echo debug-quick-random + fi +} + cleanup() { if [ "$SSHD_PID" ] && ( ps "$SSHD_PID" >/dev/null ) ; then echo "### stopping still-running sshd..." @@ -99,6 +107,8 @@ cat <> "$TEMPDIR"/testuser/.monkeysphere/monkeysphere.conf KNOWN_HOSTS=$TEMPDIR/testuser/.ssh/known_hosts EOF +get_gpg_prng_arg >> "$TEMPDIR"/testuser/.gnupg/gpg.conf + # set up a simple default monkeysphere-server.conf cat <> "$TEMPDIR"/monkeysphere-server.conf AUTHORIZED_USER_IDS="$TEMPDIR/testuser/.monkeysphere/authorized_user_ids" @@ -118,7 +128,7 @@ EOF # create a new host key echo "### generating server key..." # add gpg.conf with quick-random -echo "quick-random" >> "$MONKEYSPHERE_SYSCONFIGDIR"/gnupg-host/gpg.conf +get_gpg_prng_arg >> "$MONKEYSPHERE_SYSCONFIGDIR"/gnupg-host/gpg.conf echo | monkeysphere-server gen-key --length 1024 --expire 0 testhost # remove the gpg.conf rm "$MONKEYSPHERE_SYSCONFIGDIR"/gnupg-host/gpg.conf diff --git a/tests/home/testuser/.gnupg/gpg.conf b/tests/home/testuser/.gnupg/gpg.conf index f65c71b..c8cb60d 100644 --- a/tests/home/testuser/.gnupg/gpg.conf +++ b/tests/home/testuser/.gnupg/gpg.conf @@ -1,5 +1,3 @@ -# command to avoid depleting the system entropy -quick-random # other options verify-options show-uid-validity list-options show-uid-validity -- cgit v1.2.3 From bee6028687945fd7d8d6eab98c26def2ecadf8b1 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 28 Oct 2008 18:26:10 -0400 Subject: testing: tighten up the umask before sshd launch, so that the socket is not exposed during the test. --- tests/basic | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/basic b/tests/basic index 9c3796c..d82719d 100755 --- a/tests/basic +++ b/tests/basic @@ -20,6 +20,7 @@ gpgadmin() { } launch_sshd() { + umask 0077 socat EXEC:"/usr/sbin/sshd -f ${SSHD_CONFIG} -i -D -e" "UNIX-LISTEN:${SOCKET}" 2> "$TEMPDIR"/sshd.log & export SSHD_PID=$! -- cgit v1.2.3 From f7242749c484cac12aacf8bcfe19bdea72c89aaa Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 28 Oct 2008 19:20:14 -0400 Subject: chown authorized_keys files as jrollins, and add monkeysphere tmpdir in SYSDATADIR, for atomic moves of authorized_keys. --- debian/changelog | 6 +++++- debian/dirs | 1 + src/monkeysphere-server | 9 +++++++-- tests/basic | 49 +++++++++++++++++++++---------------------------- 4 files changed, 34 insertions(+), 31 deletions(-) diff --git a/debian/changelog b/debian/changelog index 30b33f0..78266d5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,10 @@ monkeysphere (0.18-1) UNRELEASED; urgency=low [ Jameson Graef Rollins ] * Fix bugs in authorized_{user_ids,keys} file permission checking. + * Add new monkeysphere tmpdir to enable atomic moves of authorized_keys + files. + * chown authorized_keys files to `whoami`, for compatibility with test + suite. [ Daniel Kahn Gillmor ] * update install to ensure placement of @@ -9,7 +13,7 @@ monkeysphere (0.18-1) UNRELEASED; urgency=low * choose either --quick-random or --debug-quick-random depending on which gpg supports for the test suite. - -- Daniel Kahn Gillmor Tue, 28 Oct 2008 17:58:25 -0400 + -- Jameson Graef Rollins Tue, 28 Oct 2008 19:19:20 -0400 monkeysphere (0.17-1) experimental; urgency=low diff --git a/debian/dirs b/debian/dirs index e9390a7..b2bd77c 100644 --- a/debian/dirs +++ b/debian/dirs @@ -1,5 +1,6 @@ var/lib/monkeysphere var/lib/monkeysphere/authorized_keys +var/lib/monkeysphere/tmp usr/bin usr/sbin usr/share diff --git a/src/monkeysphere-server b/src/monkeysphere-server index b6bf78b..846eb81 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -20,6 +20,11 @@ export SYSSHAREDIR SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} export SYSDATADIR +# monkeysphere temp directory, in sysdatadir to enable atomic moves of +# authorized_keys files +MSTMPDIR="${SYSDATADIR}/tmp" +export MSTMPDIR + # UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') @@ -173,7 +178,7 @@ update_users() { log verbose "----- user: $uname -----" # make temporary directory - TMPLOC=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) + TMPLOC=$(mktemp -d ${MSTMPDIR}/tmp.XXXXXXXXXX) # trap to delete temporary directory on exit trap "rm -rf $TMPLOC" EXIT @@ -244,7 +249,7 @@ update_users() { # authorized_keys file as the user in question, so the # file must be readable by that user at least. # FIXME: is there a better way to do this? - chown root "$AUTHORIZED_KEYS" + chown $(whoami) "$AUTHORIZED_KEYS" chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" chmod g+r "$AUTHORIZED_KEYS" diff --git a/tests/basic b/tests/basic index d82719d..067a02c 100755 --- a/tests/basic +++ b/tests/basic @@ -19,20 +19,27 @@ gpgadmin() { GNUPGHOME="$TEMPDIR"/admin/.gnupg gpg "$@" } -launch_sshd() { +ssh_test() { umask 0077 + + # start the ssh daemon on the socket socat EXEC:"/usr/sbin/sshd -f ${SSHD_CONFIG} -i -D -e" "UNIX-LISTEN:${SOCKET}" 2> "$TEMPDIR"/sshd.log & - export SSHD_PID=$! + SSHD_PID="$!" # wait until the socket is created before continuing while [ ! -S "$SOCKET" ] ; do sleep 1 done -} -ssh_test() { + # make a client connection to the socket ssh-agent bash -c \ "monkeysphere subkey-to-ssh-agent && ssh -F $TEMPDIR/testuser/.ssh/config testhost true" + RETURN="$?" + + # kill the previous sshd process if it's still running + kill "$SSHD_PID" + + return "$RETURN" } failed_cleanup() { @@ -52,11 +59,6 @@ get_gpg_prng_arg() { } cleanup() { - if [ "$SSHD_PID" ] && ( ps "$SSHD_PID" >/dev/null ) ; then - echo "### stopping still-running sshd..." - kill "$SSHD_PID" - fi - echo "### removing temp dir..." rm -rf "$TEMPDIR" @@ -88,6 +90,7 @@ export MONKEYSPHERE_SYSCONFIGDIR="$TEMPDIR" export MONKEYSPHERE_SYSSHAREDIR="$TESTDIR"/../src export MONKEYSPHERE_MONKEYSPHERE_USER="$USER" export MONKEYSPHERE_CHECK_KEYSERVER=false +export MONKEYSPHERE_LOG_LEVEL=DEBUG export SSHD_CONFIG="$TEMPDIR"/sshd_config export SOCKET="$TEMPDIR"/ssh-socket @@ -150,6 +153,7 @@ echo "### adding admin as certifier..." echo y | monkeysphere-server add-identity-certifier "$TEMPDIR"/admin/.gnupg/pubkey.gpg # initialize base sshd_config +echo "### configuring sshd..." cp etc/ssh/sshd_config "$SSHD_CONFIG" # write the sshd_config cat <> "$SSHD_CONFIG" @@ -157,10 +161,6 @@ HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_rsa_key AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authorized_keys/%u EOF -# launch test sshd with the new host key. -echo "### starting sshd..." -launch_sshd - ### TESTUSER TESTS # generate an auth subkey for the test user @@ -168,7 +168,6 @@ echo "### generating key for testuser..." export GNUPGHOME="$TEMPDIR"/testuser/.gnupg export SSH_ASKPASS="$TEMPDIR"/testuser/.ssh/askpass export MONKEYSPHERE_HOME="$TEMPDIR"/testuser/.monkeysphere - monkeysphere gen-subkey --expire 0 # add server key to testuser keychain @@ -183,26 +182,20 @@ monkeysphere-server update-users "$USER" # connect to test sshd, using monkeysphere-ssh-proxycommand to verify # the identity before connection. This should work in both directions! -echo "### testuser connecting to sshd socket..." +echo "### ssh connection test for success..." ssh_test -# kill the previous sshd process if it's still running -kill "$SSHD_PID" - -# now remove the testuser's authorized_user_ids file and reupdate -# authorized_keys file... +# remove the testuser's authorized_user_ids file and update +# authorized_keys file, this is to make sure that the ssh +# authentication FAILS... echo "### removing testuser authorized_user_ids and reupdating authorized_keys..." rm -f "$TEMPDIR"/testuser/.monkeysphere/authorized_user_ids monkeysphere-server update-users "$USER" -# restart the sshd -echo "### restarting sshd..." -launch_sshd - -# and make sure the user can no longer connect -echo "### testuser attempting to connect to sshd socket..." -ssh_test || SSH_RETURN="$?" -if [ "$SSH_RETURN" != '255' ] ; then +# make sure the user can NOT connect +echo "### ssh connection test for server authentication denial..." +ssh_test +if [ "$?" != '255' ] ; then exit fi -- cgit v1.2.3 From 4b5be52a9e06b2e2f0dfb1377e0a5d8bdaea1aef Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 28 Oct 2008 19:57:10 -0400 Subject: more work on test suite, and add new tmpdir to monkeysphere.dirs. --- debian/monkeysphere.dirs | 1 + tests/basic | 32 +++++++++++++++++++------------- 2 files changed, 20 insertions(+), 13 deletions(-) diff --git a/debian/monkeysphere.dirs b/debian/monkeysphere.dirs index b0b2d9c..0ff6712 100644 --- a/debian/monkeysphere.dirs +++ b/debian/monkeysphere.dirs @@ -1,4 +1,5 @@ usr/share/monkeysphere var/lib/monkeysphere var/lib/monkeysphere/authorized_keys +var/lib/monkeysphere/tmp etc/monkeysphere diff --git a/tests/basic b/tests/basic index 067a02c..08705eb 100755 --- a/tests/basic +++ b/tests/basic @@ -23,6 +23,7 @@ ssh_test() { umask 0077 # start the ssh daemon on the socket + echo "##### starting ssh server..." socat EXEC:"/usr/sbin/sshd -f ${SSHD_CONFIG} -i -D -e" "UNIX-LISTEN:${SOCKET}" 2> "$TEMPDIR"/sshd.log & SSHD_PID="$!" @@ -32,6 +33,7 @@ ssh_test() { done # make a client connection to the socket + echo "##### starting ssh client..." ssh-agent bash -c \ "monkeysphere subkey-to-ssh-agent && ssh -F $TEMPDIR/testuser/.ssh/config testhost true" RETURN="$?" @@ -101,21 +103,27 @@ echo "### copying admin and testuser homes..." cp -a "$TESTDIR"/home/admin "$TEMPDIR"/ cp -a "$TESTDIR"/home/testuser "$TEMPDIR"/ -cat <> "$TEMPDIR"/testuser/.ssh/config -UserKnownHostsFile $TEMPDIR/testuser/.ssh/known_hosts -IdentityFile $TEMPDIR/testuser/.ssh/no-such-identity -ProxyCommand $TEMPDIR/testuser/.ssh/proxy-command %h %p $SOCKET +# set up environment for testuser +export HOME="$TEMPDIR"/testuser +export GNUPGHOME="$HOME"/.gnupg +export SSH_ASKPASS="$HOME"/.ssh/askpass +export MONKEYSPHERE_HOME="$HOME"/.monkeysphere + +cat <> "$HOME"/.ssh/config +UserKnownHostsFile $HOME/.ssh/known_hosts +IdentityFile $HOME/.ssh/no-such-identity +ProxyCommand $HOME/.ssh/proxy-command %h %p $SOCKET EOF -cat <> "$TEMPDIR"/testuser/.monkeysphere/monkeysphere.conf -KNOWN_HOSTS=$TEMPDIR/testuser/.ssh/known_hosts +cat <> "$MONKEYSPHERE_HOME"/monkeysphere.conf +KNOWN_HOSTS=$HOME/.ssh/known_hosts EOF -get_gpg_prng_arg >> "$TEMPDIR"/testuser/.gnupg/gpg.conf +get_gpg_prng_arg >> "$GNUPGHOME"/gpg.conf # set up a simple default monkeysphere-server.conf cat <> "$TEMPDIR"/monkeysphere-server.conf -AUTHORIZED_USER_IDS="$TEMPDIR/testuser/.monkeysphere/authorized_user_ids" +AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authorized_user_ids" EOF ### SERVER TESTS @@ -124,6 +132,7 @@ EOF mkdir -p -m 750 "$MONKEYSPHERE_SYSDATADIR"/gnupg-host mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authorized_keys +mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/tmp cat < "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication/gpg.conf primary-keyring ${MONKEYSPHERE_SYSDATADIR}/gnupg-authentication/pubring.gpg keyring ${MONKEYSPHERE_SYSDATADIR}/gnupg-host/pubring.gpg @@ -165,9 +174,6 @@ EOF # generate an auth subkey for the test user echo "### generating key for testuser..." -export GNUPGHOME="$TEMPDIR"/testuser/.gnupg -export SSH_ASKPASS="$TEMPDIR"/testuser/.ssh/askpass -export MONKEYSPHERE_HOME="$TEMPDIR"/testuser/.monkeysphere monkeysphere gen-subkey --expire 0 # add server key to testuser keychain @@ -178,7 +184,7 @@ gpgadmin --armor --export "$HOSTKEYID" | gpg --import echo "### export testuser key to server..." gpg --export testuser | monkeysphere-server gpg-authentication-cmd --import echo "### update server authorized_keys file for this testuser..." -monkeysphere-server update-users "$USER" +monkeysphere-server update-users testuser # connect to test sshd, using monkeysphere-ssh-proxycommand to verify # the identity before connection. This should work in both directions! @@ -190,7 +196,7 @@ ssh_test # authentication FAILS... echo "### removing testuser authorized_user_ids and reupdating authorized_keys..." rm -f "$TEMPDIR"/testuser/.monkeysphere/authorized_user_ids -monkeysphere-server update-users "$USER" +monkeysphere-server update-users testuser # make sure the user can NOT connect echo "### ssh connection test for server authentication denial..." -- cgit v1.2.3 From 6be0d74343652c21075101e5bc0ad6579a48d302 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 28 Oct 2008 20:13:19 -0400 Subject: cleaning up debian packaging. --- debian/dirs | 13 ------------- debian/monkeysphere.dirs | 10 +++++++++- 2 files changed, 9 insertions(+), 14 deletions(-) delete mode 100644 debian/dirs diff --git a/debian/dirs b/debian/dirs deleted file mode 100644 index b2bd77c..0000000 --- a/debian/dirs +++ /dev/null @@ -1,13 +0,0 @@ -var/lib/monkeysphere -var/lib/monkeysphere/authorized_keys -var/lib/monkeysphere/tmp -usr/bin -usr/sbin -usr/share -usr/share/monkeysphere -usr/share/man -usr/share/man/man1 -usr/share/man/man5 -usr/share/man/man8 -etc/monkeysphere -etc/monkeysphere/authorized_user_ids diff --git a/debian/monkeysphere.dirs b/debian/monkeysphere.dirs index 0ff6712..b2bd77c 100644 --- a/debian/monkeysphere.dirs +++ b/debian/monkeysphere.dirs @@ -1,5 +1,13 @@ -usr/share/monkeysphere var/lib/monkeysphere var/lib/monkeysphere/authorized_keys var/lib/monkeysphere/tmp +usr/bin +usr/sbin +usr/share +usr/share/monkeysphere +usr/share/man +usr/share/man/man1 +usr/share/man/man5 +usr/share/man/man8 etc/monkeysphere +etc/monkeysphere/authorized_user_ids -- cgit v1.2.3 From f83f5532fb1cec60741ce07cf90df4abdf5b2c1f Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 28 Oct 2008 21:12:35 -0400 Subject: enforce error checking when transferring the authorized keys file. If the transfer fails, remove any existing target file so that we fail closed. --- src/monkeysphere-server | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 846eb81..0b63e5c 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -153,6 +153,8 @@ update_users() { unames=$(getent passwd | cut -d: -f1) fi + RETCODE=0 + # set mode MODE="authorized_keys" @@ -170,7 +172,7 @@ update_users() { # loop over users for uname in $unames ; do # check all specified users exist - if ! getent passwd "$uname" >/dev/null ; then + if ! id "$uname" >/dev/null ; then log error "----- unknown user '$uname' -----" continue fi @@ -248,12 +250,25 @@ update_users() { # openssh appears to check the contents of the # authorized_keys file as the user in question, so the # file must be readable by that user at least. - # FIXME: is there a better way to do this? - chown $(whoami) "$AUTHORIZED_KEYS" - chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" - chmod g+r "$AUTHORIZED_KEYS" - mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}" + # but in general, we don't want the user tampering with + # this file directly, so we'll adopt this approach: Own + # the file by the monkeysphere-server invoker (usually + # root, but should be the same uid that sshd is launched + # as); change the group of the file so that members of the + # user's group can read it. + + # FIXME: is there a better way to do this? + chown $(whoami) "$AUTHORIZED_KEYS" && \ + chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \ + chmod g+r "$AUTHORIZED_KEYS" && \ + mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}" || \ + { + log error "Failed to install authorized_keys for '$uname'!" + rm -f "${SYSDATADIR}/authorized_keys/${uname}" + # indicate that there has been a failure: + RETURN=1 + } else rm -f "${SYSDATADIR}/authorized_keys/${uname}" fi -- cgit v1.2.3 From dbbd331815b6f15f675d2ce651678b8b2ec06d68 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 28 Oct 2008 21:27:47 -0400 Subject: cleaning up basic test. --- tests/basic | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/tests/basic b/tests/basic index 08705eb..1f4930f 100755 --- a/tests/basic +++ b/tests/basic @@ -90,7 +90,7 @@ export PATH="$TESTDIR"/../src:"$TESTDIR"/../src/keytrans:"$PATH" export MONKEYSPHERE_SYSDATADIR="$TEMPDIR" export MONKEYSPHERE_SYSCONFIGDIR="$TEMPDIR" export MONKEYSPHERE_SYSSHAREDIR="$TESTDIR"/../src -export MONKEYSPHERE_MONKEYSPHERE_USER="$USER" +export MONKEYSPHERE_MONKEYSPHERE_USER=$(whoami) export MONKEYSPHERE_CHECK_KEYSERVER=false export MONKEYSPHERE_LOG_LEVEL=DEBUG @@ -172,9 +172,9 @@ EOF ### TESTUSER TESTS -# generate an auth subkey for the test user +# generate an auth subkey for the test user that expires in 2 days echo "### generating key for testuser..." -monkeysphere gen-subkey --expire 0 +monkeysphere gen-subkey --expire 2 # add server key to testuser keychain echo "### export server key to testuser..." @@ -184,7 +184,7 @@ gpgadmin --armor --export "$HOSTKEYID" | gpg --import echo "### export testuser key to server..." gpg --export testuser | monkeysphere-server gpg-authentication-cmd --import echo "### update server authorized_keys file for this testuser..." -monkeysphere-server update-users testuser +monkeysphere-server update-users $(whoami) # connect to test sshd, using monkeysphere-ssh-proxycommand to verify # the identity before connection. This should work in both directions! @@ -196,13 +196,15 @@ ssh_test # authentication FAILS... echo "### removing testuser authorized_user_ids and reupdating authorized_keys..." rm -f "$TEMPDIR"/testuser/.monkeysphere/authorized_user_ids -monkeysphere-server update-users testuser +monkeysphere-server update-users $(whoami) # make sure the user can NOT connect echo "### ssh connection test for server authentication denial..." ssh_test -if [ "$?" != '255' ] ; then - exit +ret="$?" +if [ "$ret" != '255' ] ; then + echo "### connection should have failed!" + exit "$ret" fi trap - EXIT -- cgit v1.2.3 From 4af6e62dee8d977ab52f16b61d38051175655082 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 28 Oct 2008 22:32:56 -0400 Subject: touch known_hosts file in monkeysphere so that permission checking down't fail. remove spurios directory in monkeysphere.dirs. more work on test suite. --- debian/monkeysphere.dirs | 1 - src/monkeysphere | 8 +++++--- tests/basic | 24 +++++++++++----------- .../home/testuser/.monkeysphere/monkeysphere.conf | 2 ++ 4 files changed, 19 insertions(+), 16 deletions(-) diff --git a/debian/monkeysphere.dirs b/debian/monkeysphere.dirs index b2bd77c..cfafe15 100644 --- a/debian/monkeysphere.dirs +++ b/debian/monkeysphere.dirs @@ -10,4 +10,3 @@ usr/share/man/man1 usr/share/man/man5 usr/share/man/man8 etc/monkeysphere -etc/monkeysphere/authorized_user_ids diff --git a/src/monkeysphere b/src/monkeysphere index 5703995..7e800cc 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -318,10 +318,12 @@ case $COMMAND in 'update-known_hosts'|'update-known-hosts'|'k') MODE='known_hosts' + # touch the known_hosts file so that the file permission check + # below won't fail upon not finding the file + (umask 0022 && touch "$KNOWN_HOSTS") + # check permissions on the known_hosts file path - if ! check_key_file_permissions "$USER" "$KNOWN_HOSTS" ; then - failure "Improper permissions on known_hosts file path." - fi + check_key_file_permissions "$USER" "$KNOWN_HOSTS" || failure # if hosts are specified on the command line, process just # those hosts diff --git a/tests/basic b/tests/basic index 1f4930f..ec92e1a 100755 --- a/tests/basic +++ b/tests/basic @@ -104,19 +104,19 @@ cp -a "$TESTDIR"/home/admin "$TEMPDIR"/ cp -a "$TESTDIR"/home/testuser "$TEMPDIR"/ # set up environment for testuser -export HOME="$TEMPDIR"/testuser -export GNUPGHOME="$HOME"/.gnupg -export SSH_ASKPASS="$HOME"/.ssh/askpass -export MONKEYSPHERE_HOME="$HOME"/.monkeysphere - -cat <> "$HOME"/.ssh/config -UserKnownHostsFile $HOME/.ssh/known_hosts -IdentityFile $HOME/.ssh/no-such-identity -ProxyCommand $HOME/.ssh/proxy-command %h %p $SOCKET +TESTHOME="$TEMPDIR"/testuser +export GNUPGHOME="$TESTHOME"/.gnupg +export SSH_ASKPASS="$TESTHOME"/.ssh/askpass +export MONKEYSPHERE_HOME="$TESTHOME"/.monkeysphere + +cat <> "$TESTHOME"/.ssh/config +UserKnownHostsFile $TESTHOME/.ssh/known_hosts +IdentityFile $TESTHOME/.ssh/no-such-identity +ProxyCommand $TESTHOME/.ssh/proxy-command %h %p $SOCKET EOF cat <> "$MONKEYSPHERE_HOME"/monkeysphere.conf -KNOWN_HOSTS=$HOME/.ssh/known_hosts +KNOWN_HOSTS=$TESTHOME/.ssh/known_hosts EOF get_gpg_prng_arg >> "$GNUPGHOME"/gpg.conf @@ -128,7 +128,7 @@ EOF ### SERVER TESTS -# setup monkeysphere temp gnupghome directories +# setup monkeysphere directories mkdir -p -m 750 "$MONKEYSPHERE_SYSDATADIR"/gnupg-host mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authorized_keys @@ -195,7 +195,7 @@ ssh_test # authorized_keys file, this is to make sure that the ssh # authentication FAILS... echo "### removing testuser authorized_user_ids and reupdating authorized_keys..." -rm -f "$TEMPDIR"/testuser/.monkeysphere/authorized_user_ids +rm -f "$TESTHOME"/.monkeysphere/authorized_user_ids monkeysphere-server update-users $(whoami) # make sure the user can NOT connect diff --git a/tests/home/testuser/.monkeysphere/monkeysphere.conf b/tests/home/testuser/.monkeysphere/monkeysphere.conf index 59cc0cf..dbe0233 100644 --- a/tests/home/testuser/.monkeysphere/monkeysphere.conf +++ b/tests/home/testuser/.monkeysphere/monkeysphere.conf @@ -1,3 +1,5 @@ # monkeysphere config for testuser in monkeysphere test suite +LOG_LEVEL=DEBUG + # KNOWN_HOSTS will be dynamically defined after creation. -- cgit v1.2.3 From 11cd8c4839367d87b0dbcb58f46e81391c0dac1c Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 28 Oct 2008 23:27:11 -0400 Subject: move to using 'none' for the RAW_AUTHORIZED_KEY value to use for *not* including a user-controlled authorized_keys file. more fixes on test suite. --- etc/monkeysphere-server.conf | 6 ++-- src/monkeysphere-server | 2 +- tests/basic | 42 ++++++++++++++----------- tests/etc/monkeysphere/monkeysphere-server.conf | 5 +++ 4 files changed, 32 insertions(+), 23 deletions(-) create mode 100644 tests/etc/monkeysphere/monkeysphere-server.conf diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf index b69420a..8b9ffa4 100644 --- a/etc/monkeysphere-server.conf +++ b/etc/monkeysphere-server.conf @@ -23,6 +23,6 @@ # Path to a user controlled authorized_keys file to be added to the # monkeysphere-generated authorized_keys file. '%h' will be replaced # by the home directory of the user, and '%u' will by replaced by the -# username of the user. To not add any user-controlled file set this -# variable to be the empty string, "". -#RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" +# username of the user. Setting this variable to 'none' prevents the +# inclusion of user controlled authorized_keys file. +# RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 0b63e5c..5f0cb73 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -230,7 +230,7 @@ update_users() { # add user-controlled authorized_keys file if specified # translate ssh-style path variables rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS") - if [ "$rawAuthorizedKeys" ] ; then + if [ "$rawAuthorizedKeys" != 'none' ] ; then log debug "checking for raw authorized_keys..." if [ -s "$rawAuthorizedKeys" ] ; then # check permissions on the authorized_keys file path diff --git a/tests/basic b/tests/basic index ec92e1a..d79b64b 100755 --- a/tests/basic +++ b/tests/basic @@ -70,6 +70,8 @@ cleanup() { ## setup trap trap failed_cleanup EXIT + +### SETUP VARIABLES ## set up some variables to ensure that we're operating strictly in ## the tests, not system-wide: @@ -89,6 +91,7 @@ export PATH="$TESTDIR"/../src:"$TESTDIR"/../src/keytrans:"$PATH" export MONKEYSPHERE_SYSDATADIR="$TEMPDIR" export MONKEYSPHERE_SYSCONFIGDIR="$TEMPDIR" +export MONKEYSPHERE_SERVER_CONFIG="$TEMPDIR"/monkeysphere-server.conf export MONKEYSPHERE_SYSSHAREDIR="$TESTDIR"/../src export MONKEYSPHERE_MONKEYSPHERE_USER=$(whoami) export MONKEYSPHERE_CHECK_KEYSERVER=false @@ -98,6 +101,9 @@ export SSHD_CONFIG="$TEMPDIR"/sshd_config export SOCKET="$TEMPDIR"/ssh-socket export SSHD_PID= + +### CONFIGURE ENVIRONMENTS + # copy in admin and testuser home to tmp echo "### copying admin and testuser homes..." cp -a "$TESTDIR"/home/admin "$TEMPDIR"/ @@ -108,36 +114,43 @@ TESTHOME="$TEMPDIR"/testuser export GNUPGHOME="$TESTHOME"/.gnupg export SSH_ASKPASS="$TESTHOME"/.ssh/askpass export MONKEYSPHERE_HOME="$TESTHOME"/.monkeysphere - cat <> "$TESTHOME"/.ssh/config UserKnownHostsFile $TESTHOME/.ssh/known_hosts IdentityFile $TESTHOME/.ssh/no-such-identity ProxyCommand $TESTHOME/.ssh/proxy-command %h %p $SOCKET EOF - cat <> "$MONKEYSPHERE_HOME"/monkeysphere.conf KNOWN_HOSTS=$TESTHOME/.ssh/known_hosts EOF - get_gpg_prng_arg >> "$GNUPGHOME"/gpg.conf -# set up a simple default monkeysphere-server.conf -cat <> "$TEMPDIR"/monkeysphere-server.conf -AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authorized_user_ids" +# set up sshd +echo "### configuring sshd..." +cp etc/ssh/sshd_config "$SSHD_CONFIG" +# write the sshd_config +cat <> "$SSHD_CONFIG" +HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_rsa_key +AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authorized_keys/%u EOF -### SERVER TESTS - -# setup monkeysphere directories +# set up monkeysphere-server +echo "### configuring monkeysphere..." mkdir -p -m 750 "$MONKEYSPHERE_SYSDATADIR"/gnupg-host mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authorized_keys mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/tmp +cp etc/monkeysphere/monkeysphere-server.conf "$MONKEYSPHERE_SERVER_CONFIG" +cat <> "$MONKEYSPHERE_SERVER_CONFIG" +AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authorized_user_ids" +EOF cat < "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication/gpg.conf primary-keyring ${MONKEYSPHERE_SYSDATADIR}/gnupg-authentication/pubring.gpg keyring ${MONKEYSPHERE_SYSDATADIR}/gnupg-host/pubring.gpg EOF + +### SERVER TESTS + # create a new host key echo "### generating server key..." # add gpg.conf with quick-random @@ -161,14 +174,6 @@ echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID" echo "### adding admin as certifier..." echo y | monkeysphere-server add-identity-certifier "$TEMPDIR"/admin/.gnupg/pubkey.gpg -# initialize base sshd_config -echo "### configuring sshd..." -cp etc/ssh/sshd_config "$SSHD_CONFIG" -# write the sshd_config -cat <> "$SSHD_CONFIG" -HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_rsa_key -AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authorized_keys/%u -EOF ### TESTUSER TESTS @@ -200,8 +205,7 @@ monkeysphere-server update-users $(whoami) # make sure the user can NOT connect echo "### ssh connection test for server authentication denial..." -ssh_test -ret="$?" +ssh_test || ret="$?" if [ "$ret" != '255' ] ; then echo "### connection should have failed!" exit "$ret" diff --git a/tests/etc/monkeysphere/monkeysphere-server.conf b/tests/etc/monkeysphere/monkeysphere-server.conf new file mode 100644 index 0000000..5b4d90f --- /dev/null +++ b/tests/etc/monkeysphere/monkeysphere-server.conf @@ -0,0 +1,5 @@ +# Base monkeysphere-server.conf for monkeysphere tests + +# AUTHORIZED_USER_IDS variable will be added dynamically during test. + +RAW_AUTHORIZED_KEYS= -- cgit v1.2.3 From 0d7a9241410a09e8c029a7e4c06ffa79ab7277f6 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 28 Oct 2008 23:29:52 -0400 Subject: tweak to test to not include user authorized_keys file. --- tests/etc/monkeysphere/monkeysphere-server.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/etc/monkeysphere/monkeysphere-server.conf b/tests/etc/monkeysphere/monkeysphere-server.conf index 5b4d90f..9cc396f 100644 --- a/tests/etc/monkeysphere/monkeysphere-server.conf +++ b/tests/etc/monkeysphere/monkeysphere-server.conf @@ -2,4 +2,4 @@ # AUTHORIZED_USER_IDS variable will be added dynamically during test. -RAW_AUTHORIZED_KEYS= +RAW_AUTHORIZED_KEYS=none -- cgit v1.2.3 From c5b6958858173044c74af2b0af6a8d46e5019221 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 28 Oct 2008 23:38:07 -0400 Subject: move away from using MONKEYSPHERE_SERVER_CONFIG in test suite. --- tests/basic | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/basic b/tests/basic index d79b64b..f6fa7fc 100755 --- a/tests/basic +++ b/tests/basic @@ -91,7 +91,6 @@ export PATH="$TESTDIR"/../src:"$TESTDIR"/../src/keytrans:"$PATH" export MONKEYSPHERE_SYSDATADIR="$TEMPDIR" export MONKEYSPHERE_SYSCONFIGDIR="$TEMPDIR" -export MONKEYSPHERE_SERVER_CONFIG="$TEMPDIR"/monkeysphere-server.conf export MONKEYSPHERE_SYSSHAREDIR="$TESTDIR"/../src export MONKEYSPHERE_MONKEYSPHERE_USER=$(whoami) export MONKEYSPHERE_CHECK_KEYSERVER=false @@ -139,8 +138,8 @@ mkdir -p -m 750 "$MONKEYSPHERE_SYSDATADIR"/gnupg-host mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authorized_keys mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/tmp -cp etc/monkeysphere/monkeysphere-server.conf "$MONKEYSPHERE_SERVER_CONFIG" -cat <> "$MONKEYSPHERE_SERVER_CONFIG" +cp etc/monkeysphere/monkeysphere-server.conf "$TEMPDIR"/monkeysphere-server.conf +cat <> "$TEMPDIR"/monkeysphere-server.conf AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authorized_user_ids" EOF cat < "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication/gpg.conf -- cgit v1.2.3 From 8d609df9ec376905dbed377c8b03a49ceca5efc5 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 29 Oct 2008 00:19:12 -0400 Subject: finish consolidating test suite ssh test into single function, and add more tests (for permission checking). --- tests/basic | 51 ++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 38 insertions(+), 13 deletions(-) diff --git a/tests/basic b/tests/basic index f6fa7fc..259a7f0 100755 --- a/tests/basic +++ b/tests/basic @@ -19,9 +19,13 @@ gpgadmin() { GNUPGHOME="$TEMPDIR"/admin/.gnupg gpg "$@" } +# test ssh connection +# first argument is expected return code from ssh connection ssh_test() { umask 0077 + CODE=${1:-0} + # start the ssh daemon on the socket echo "##### starting ssh server..." socat EXEC:"/usr/sbin/sshd -f ${SSHD_CONFIG} -i -D -e" "UNIX-LISTEN:${SOCKET}" 2> "$TEMPDIR"/sshd.log & @@ -32,16 +36,27 @@ ssh_test() { sleep 1 done + set +e + # make a client connection to the socket echo "##### starting ssh client..." ssh-agent bash -c \ "monkeysphere subkey-to-ssh-agent && ssh -F $TEMPDIR/testuser/.ssh/config testhost true" RETURN="$?" - # kill the previous sshd process if it's still running + # kill the sshd process if it's still running kill "$SSHD_PID" - return "$RETURN" + set -e + + echo "##### return $RETURN" + if [ "$RETURN" = "$CODE" ] ; then + echo "##### ssh connection test returned as desired" + return 0 + else + echo "##### ssh connection test failed. expected return code $CODE" + return 1 + fi } failed_cleanup() { @@ -195,20 +210,30 @@ monkeysphere-server update-users $(whoami) echo "### ssh connection test for success..." ssh_test -# remove the testuser's authorized_user_ids file and update -# authorized_keys file, this is to make sure that the ssh -# authentication FAILS... -echo "### removing testuser authorized_user_ids and reupdating authorized_keys..." -rm -f "$TESTHOME"/.monkeysphere/authorized_user_ids +# remove the testuser's authorized_user_ids file, update, and make +# sure that the ssh authentication FAILS +echo "### removing testuser authorized_user_ids and updating..." +mv "$TESTHOME"/.monkeysphere/authorized_user_ids{,.bak} monkeysphere-server update-users $(whoami) +echo "### ssh connection test for server authentication denial..." +ssh_test 255 +mv "$TESTHOME"/.monkeysphere/authorized_user_ids{.bak,} -# make sure the user can NOT connect +# put improper permissions on authorized_user_ids file, update, and +# make sure ssh authentication FAILS +echo "### setting group writability on authorized_user_ids and updating..." +chmod g+w "$TESTHOME"/.monkeysphere/authorized_user_ids +monkeysphere-server update-users $(whoami) echo "### ssh connection test for server authentication denial..." -ssh_test || ret="$?" -if [ "$ret" != '255' ] ; then - echo "### connection should have failed!" - exit "$ret" -fi +ssh_test 255 +chmod g-w "$TESTHOME"/.monkeysphere/authorized_user_ids +echo "### setting other writability on authorized_user_ids and updating..." +chmod o+w "$TESTHOME"/.monkeysphere/authorized_user_ids +monkeysphere-server update-users $(whoami) +echo "### ssh connection test for server authentication denial..." +ssh_test 255 +chmod o-w "$TESTHOME"/.monkeysphere/authorized_user_ids + trap - EXIT -- cgit v1.2.3 From 45662d0c78d3fab91073224a80d28e10423a89ae Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 29 Oct 2008 00:42:02 -0400 Subject: preparing for 0.18-1 release. --- debian/changelog | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index 78266d5..ebde5e4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -monkeysphere (0.18-1) UNRELEASED; urgency=low +monkeysphere (0.18-1) experimental; urgency=low [ Jameson Graef Rollins ] * Fix bugs in authorized_{user_ids,keys} file permission checking. @@ -6,14 +6,15 @@ monkeysphere (0.18-1) UNRELEASED; urgency=low files. * chown authorized_keys files to `whoami`, for compatibility with test suite. + * major improvements to test suite, added more tests. [ Daniel Kahn Gillmor ] - * update install to ensure placement of + * update make install to ensure placement of /etc/monkeysphere/gnupg-{host,authentication}.conf * choose either --quick-random or --debug-quick-random depending on which gpg supports for the test suite. - -- Jameson Graef Rollins Tue, 28 Oct 2008 19:19:20 -0400 + -- Daniel Kahn Gillmor Wed, 29 Oct 2008 00:41:38 -0400 monkeysphere (0.17-1) experimental; urgency=low -- cgit v1.2.3 From e81c98d8f6aeff3722e0190ff6344c969fd1291a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 29 Oct 2008 01:02:10 -0400 Subject: added release notes for 0.18-1. --- website/download.mdwn | 36 ++++++++++++++++++------------------ website/news/release-0.18-1.mdwn | 25 +++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 18 deletions(-) create mode 100644 website/news/release-0.18-1.mdwn diff --git a/website/download.mdwn b/website/download.mdwn index a9dda2a..3e22916 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -33,38 +33,38 @@ look at the source, we recommend [using git](/community). But if you want a tarball of the most recent release, we publish those too. The [latest -tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.17.orig.tar.gz) +tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.18.orig.tar.gz) has these checksums: 
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-checksums for the monkeysphere 0.17 release:
+checksums for the monkeysphere 0.18 release:
 
 MD5:
-2dde3fc8427d1b64a3dd7ee62b6d84fd  monkeysphere_0.17.orig.tar.gz
+4cae9db5bd112a3a2d1077d1816384de  monkeysphere_0.18.orig.tar.gz
 
 SHA1:
-487bdfb3dbbec828f69355f63516f2f365663f1c  monkeysphere_0.17.orig.tar.gz
+6254fbd26d3f6a6c42b0dbd12cfd4476f3746c54  monkeysphere_0.18.orig.tar.gz
 
 SHA256:
-f2a839fc9f7ad23c7dad00bcf40905aac73b8c65e711b87ec54ce5d33f72324c  monkeysphere_0.17.orig.tar.gz
+68cb88676cad5788d2a75d95b1ccf8e884a0f7f47512c5292f402b630f63ace8  monkeysphere_0.18.orig.tar.gz
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 
-iQIVAwUBSQcZ2xjmZ/HrivMUAQKvzxAAlBwQkef39LXpur6Zc4Y/z5RDWvo3uWSY
-p/xNPz1T+pUhbg94+Ozle5ACSZLDoH2XbsJdZQyudBf+AZg+rrruzdSUbmSpQrhU
-tWoXrWKyyqfVDdwvk6NUj1x/8jhkydHo8EM+ka/NyPiXVMmvWmtzIA8HpsbCgsIQ
-4hb4UEFsM2atLdigApH8Bp0MR5Wrshog1GCxsOKi7lWghv1FZfc1NTCNbyU7W89l
-VsO29jxGR9LYyttZpuDdmDserpsCN6ExFyvkxmDWXI+5HPR2z5WQKMscOCFhf4s5
-O2s7xGVofv9aVJX0SRbA8C7PdA/eBT2pw5IYwO4/OYKXU+0JI5+6IKCeoUeokQK/
-/yx01RrGr9r89XsLYC8Xd81Ey6RD5nhgJXyWD+8LlQSs8Xh+1VTwQYBqHs7VSaCm
-EgCG+0rp9ZOSb7h8y+qxHffqQHgKIx+s9qHKi+iEDDamXhlSrSOhMgADx3TtxMRm
-rVHkgUITFb+92ns3xrUnbsh7koNzssyiu7FLSL46X7EASgoJ6QVqWviz7AXkSuHD
-ngIpt6dEy8nKkjMAxEsnxHm5OmNtHxhAIkSpaxCC/HclErPcoEENYsnu5cwFECCF
-OkMxO+0tz8M0Gxo6xCdkHHH5TDfOIUY3+phCLi6ubqxbnoeAIzn6yds5SXlRiJvp
-Ujzwufr3Ymo=
-=rjN6
+iQIVAwUBSQfuQhjmZ/HrivMUAQJhIw/9E2CrzmwqUTLKMCl5HuLYbqDdSP7ModF5
+xZbhfXRASOI849lux8Z6QYP58WxrVFbYsYXLzu4u3QcwltWUabX/7W+1822jntbV
+Ua7CKdHLF8lvY2yah62lPBFNQGwBgFUVzmvgbTouZ81/XVFZgCaxg2yKBaPe+ELR
+rGiv2wzGbQaa+9eSSquXk6VjlWEQ0tcXWStocn5wOJR+K5jNR/2FGoxZCu4hq33o
+GzOXPHT2s+DG06h8OikKuv1812EKGGjqUVic04KiGZHErHozNh5UzCAUhLwvtDHF
+1md+qhveuVb0S8ap56DXaqQJDsgaTghgdV6D9Yc4Ssyj6Zlh6Cmh5ODFgq7EdUfD
+nGn92ZfibcoJkRYZhOuTRqlfxjfsZYBHkZWtKlaO38vmGAM3bMMPsclIAnscjdPK
+sdIg7g7fUZTgl/qWq2hHv+fu/XJ9PMzdI62zNVAZ/mw6gZRSDZ6nlvaJ82L2oVka
+X45bCGoVeJTIzEuO3IYrcmINuNVqQiq3g37M4+46+/aHe/b+urAAjAYx6YURdKLD
+94wzGHk63Z8bIw3PHVRsvqN1toM9RaK7Tz5YM6+Af8/0tQnVDj796XbJcYdLfq1H
+UFi+uVzp5dVZMJ1X4otnTaAFEJOTc8JwR8NaLZTcN0oormJImKwW4XAFUjYOYesH
+i7dYknfGRB0=
+=w2e2
 -----END PGP SIGNATURE-----
diff --git a/website/news/release-0.18-1.mdwn b/website/news/release-0.18-1.mdwn new file mode 100644 index 0000000..b434360 --- /dev/null +++ b/website/news/release-0.18-1.mdwn @@ -0,0 +1,25 @@ +[[meta title="Monkeysphere 0.18-1 released!"]] + +# Monkeysphere 0.18-1 released! # + +Monkeysphere 0.18-1 has been released. + +Notes from the changelog: + +
+  [ Jameson Graef Rollins ]
+  * Fix bugs in authorized_{user_ids,keys} file permission checking.
+  * Add new monkeysphere tmpdir to enable atomic moves of authorized_keys
+    files.
+  * chown authorized_keys files to `whoami`, for compatibility with test
+    suite.
+  * major improvements to test suite, added more tests.
+  
+  [ Daniel Kahn Gillmor ]
+  * update make install to ensure placement of
+    /etc/monkeysphere/gnupg-{host,authentication}.conf 
+  * choose either --quick-random or --debug-quick-random depending on
+    which gpg supports for the test suite.
+
+ +[[Download]] it now! -- cgit v1.2.3 From 753b7c5f74caa99f31254b44fac62c313ecbb1db Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 29 Oct 2008 01:38:39 -0400 Subject: set DISPLAY in test suite so that passphrase prompting falls through. --- src/common | 2 +- tests/basic | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/common b/src/common index 68a69e9..297e7f3 100644 --- a/src/common +++ b/src/common @@ -669,7 +669,7 @@ process_user_id() { else log debug " - unacceptable primary key." if [ -z "$sshKey" ] ; then - log error " ! primary key could not be translated (not RSA or DSA?)." + log error " ! primary key could not be translated (not RSA or DSA?)." else echo "1:${sshKey}" fi diff --git a/tests/basic b/tests/basic index 259a7f0..c85b449 100755 --- a/tests/basic +++ b/tests/basic @@ -115,6 +115,7 @@ export SSHD_CONFIG="$TEMPDIR"/sshd_config export SOCKET="$TEMPDIR"/ssh-socket export SSHD_PID= +export DISPLAY=monkeys ### CONFIGURE ENVIRONMENTS -- cgit v1.2.3 From 37c5b03dbe70f8f3fe24d15318645e1678841879 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 29 Oct 2008 02:17:54 -0400 Subject: added comments and changelog notes about why the test script sets $DISPLAY --- debian/changelog | 6 ++++++ tests/basic | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/debian/changelog b/debian/changelog index ebde5e4..f42b3d8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +monkeysphere (0.19-1) UNRELEASED; urgency=low + + * simulating an X11 session in the test script. + + -- + monkeysphere (0.18-1) experimental; urgency=low [ Jameson Graef Rollins ] diff --git a/tests/basic b/tests/basic index c85b449..d735578 100755 --- a/tests/basic +++ b/tests/basic @@ -115,6 +115,10 @@ export SSHD_CONFIG="$TEMPDIR"/sshd_config export SOCKET="$TEMPDIR"/ssh-socket export SSHD_PID= +# Make sure $DISPLAY is set to convince ssh and monkeysphere to fall +# back on $SSH_ASKPASS. Make sure it's not set to the current actual +# $DISPLAY (if one exists) because this test suite should not be doing +# *anything* with any running X11 session. export DISPLAY=monkeys ### CONFIGURE ENVIRONMENTS -- cgit v1.2.3 From 4885662fcaaad9a065a5ef43e0e243609ee8ac60 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 29 Oct 2008 02:46:44 -0400 Subject: fixing symlinks created in packaging; updated FreeBSD port to handle centrally-linked gpg.conf files too. --- debian/monkeysphere.postinst | 4 ++-- packaging/freebsd/Makefile | 4 ++-- packaging/freebsd/distinfo | 6 +++--- packaging/freebsd/pkg-install | 15 +++++---------- 4 files changed, 12 insertions(+), 17 deletions(-) diff --git a/debian/monkeysphere.postinst b/debian/monkeysphere.postinst index 27a50e0..02d6304 100755 --- a/debian/monkeysphere.postinst +++ b/debian/monkeysphere.postinst @@ -20,9 +20,9 @@ fi # install host gnupg home directory install --owner root --group monkeysphere --mode 750 -d "$VARLIB"/gnupg-host # link in the gpg.conf -ln -sTf "$ETC"/gpg-host.conf "$VARLIB"/gnupg-host/gpg.conf +ln -sTf "$ETC"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf # install authentication gnupg home directory install --owner monkeysphere --group monkeysphere --mode 700 -d "$VARLIB"/gnupg-authentication # link in the gpg.conf -ln -sTf "$ETC"/gpg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf +ln -sTf "$ETC"/gnupg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf diff --git a/packaging/freebsd/Makefile b/packaging/freebsd/Makefile index f4bf0fe..e484997 100644 --- a/packaging/freebsd/Makefile +++ b/packaging/freebsd/Makefile @@ -6,7 +6,7 @@ # PORTNAME= monkeysphere -PORTVERSION= 0.16 +PORTVERSION= 0.18 CATEGORIES= security MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ # hack for debian orig tarballs @@ -17,7 +17,7 @@ COMMENT= use the OpenPGP web of trust to verify ssh connections LIB_DEPENDS= gnutls.26:${PORTSDIR}/security/gnutls RUN_DEPENDS= base64:${PORTSDIR}/converters/base64 \ - gpg:${PORTSDIR}/security/gnupg \ + gpg:${PORTSDIR}/security/gnupg1 \ lockfile:${PORTSDIR}/mail/procmail \ /usr/local/bin/getopt:${PORTSDIR}/misc/getopt \ bash:${PORTSDIR}/shells/bash diff --git a/packaging/freebsd/distinfo b/packaging/freebsd/distinfo index 16e88de..f449c5a 100644 --- a/packaging/freebsd/distinfo +++ b/packaging/freebsd/distinfo @@ -1,3 +1,3 @@ -MD5 (monkeysphere_0.16.orig.tar.gz) = 4bc223e8004e0e374bd54f0315585c49 -SHA256 (monkeysphere_0.16.orig.tar.gz) = f2dbd031315f99c82099a4a902f2240cca97536b035ef75872e72a65f324c9d7 -SIZE (monkeysphere_0.16.orig.tar.gz) = 66062 +MD5 (monkeysphere_0.18.orig.tar.gz) = 4cae9db5bd112a3a2d1077d1816384de +SHA256 (monkeysphere_0.18.orig.tar.gz) = 68cb88676cad5788d2a75d95b1ccf8e884a0f7f47512c5292f402b630f63ace8 +SIZE (monkeysphere_0.18.orig.tar.gz) = 68219 diff --git a/packaging/freebsd/pkg-install b/packaging/freebsd/pkg-install index 5e520cd..d7e4dbe 100755 --- a/packaging/freebsd/pkg-install +++ b/packaging/freebsd/pkg-install @@ -15,6 +15,7 @@ # MySQL puts its data in /var/db/mysql VARLIB="/var/monkeysphere" +ETCDIR="/usr/local/etc/monkeysphere" case $2 in POST-INSTALL) @@ -56,20 +57,14 @@ POST-INSTALL) fi fi - ## set up the cache directories: + ## set up the cache directories, and link them to the config files: install -d -o root -g monkeysphere -m 750 "$VARLIB"/gnupg-host - cat < "$VARLIB"/gnupg-host/gpg.conf -list-options show-uid-validity -EOF + ln -sf "$ETCDIR"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf install -d -o monkeysphere -g monkeysphere -m 700 "$VARLIB"/gnupg-authentication -# install authentication gpg.conf - cat < "$VARLIB"/gnupg-authentication/gpg.conf -list-options show-uid-validity -primary-keyring $VARLIB/gnupg-authentication/pubring.gpg -keyring $VARLIB/gnupg-host/pubring.gpg -EOF + ln -sf "$ETCDIR"/gnupg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf + chown monkeysphere:monkeysphere "$VARLIB"/gnupg-authentication/gpg.conf monkeysphere-server diagnostics -- cgit v1.2.3 From 263aa3199e180236686785d72ff5d2233a971866 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 29 Oct 2008 02:49:44 -0400 Subject: preparing for 0.19-1 release to fix config file goofiness. --- debian/changelog | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index f42b3d8..a7514a3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,10 @@ -monkeysphere (0.19-1) UNRELEASED; urgency=low +monkeysphere (0.19-1) experimental; urgency=low + [ Daniel Kahn Gillmor ] * simulating an X11 session in the test script. + * updated packaging so that symlinks to config files are correct. - -- + -- Daniel Kahn Gillmor Wed, 29 Oct 2008 02:47:49 -0400 monkeysphere (0.18-1) experimental; urgency=low -- cgit v1.2.3 From 3df649ef125c84f81acf986674a75fbaca7f4e83 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 29 Oct 2008 03:09:13 -0400 Subject: added release notes for 0.19-1 --- website/download.mdwn | 36 ++++++++++++++++++------------------ website/news/release-0.19-1.mdwn | 15 +++++++++++++++ 2 files changed, 33 insertions(+), 18 deletions(-) create mode 100644 website/news/release-0.19-1.mdwn diff --git a/website/download.mdwn b/website/download.mdwn index 3e22916..e5ea72c 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -33,38 +33,38 @@ look at the source, we recommend [using git](/community). But if you want a tarball of the most recent release, we publish those too. The [latest -tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.18.orig.tar.gz) +tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.19.orig.tar.gz) has these checksums: 
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-checksums for the monkeysphere 0.18 release:
+checksums for the monkeysphere 0.19 release:
 
 MD5:
-4cae9db5bd112a3a2d1077d1816384de  monkeysphere_0.18.orig.tar.gz
+64c643dd0ab642bbc8814aec1718000e  monkeysphere_0.19.orig.tar.gz
 
 SHA1:
-6254fbd26d3f6a6c42b0dbd12cfd4476f3746c54  monkeysphere_0.18.orig.tar.gz
+ea3c263b084d2c0b7922cd96677be192201700e4  monkeysphere_0.19.orig.tar.gz
 
 SHA256:
-68cb88676cad5788d2a75d95b1ccf8e884a0f7f47512c5292f402b630f63ace8  monkeysphere_0.18.orig.tar.gz
+321b77c1e10fe48ffbef8491893f5dd22842c35c11464efa7893150ce756a522  monkeysphere_0.19.orig.tar.gz
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 
-iQIVAwUBSQfuQhjmZ/HrivMUAQJhIw/9E2CrzmwqUTLKMCl5HuLYbqDdSP7ModF5
-xZbhfXRASOI849lux8Z6QYP58WxrVFbYsYXLzu4u3QcwltWUabX/7W+1822jntbV
-Ua7CKdHLF8lvY2yah62lPBFNQGwBgFUVzmvgbTouZ81/XVFZgCaxg2yKBaPe+ELR
-rGiv2wzGbQaa+9eSSquXk6VjlWEQ0tcXWStocn5wOJR+K5jNR/2FGoxZCu4hq33o
-GzOXPHT2s+DG06h8OikKuv1812EKGGjqUVic04KiGZHErHozNh5UzCAUhLwvtDHF
-1md+qhveuVb0S8ap56DXaqQJDsgaTghgdV6D9Yc4Ssyj6Zlh6Cmh5ODFgq7EdUfD
-nGn92ZfibcoJkRYZhOuTRqlfxjfsZYBHkZWtKlaO38vmGAM3bMMPsclIAnscjdPK
-sdIg7g7fUZTgl/qWq2hHv+fu/XJ9PMzdI62zNVAZ/mw6gZRSDZ6nlvaJ82L2oVka
-X45bCGoVeJTIzEuO3IYrcmINuNVqQiq3g37M4+46+/aHe/b+urAAjAYx6YURdKLD
-94wzGHk63Z8bIw3PHVRsvqN1toM9RaK7Tz5YM6+Af8/0tQnVDj796XbJcYdLfq1H
-UFi+uVzp5dVZMJ1X4otnTaAFEJOTc8JwR8NaLZTcN0oormJImKwW4XAFUjYOYesH
-i7dYknfGRB0=
-=w2e2
+iQIVAwUBSQgMCRjmZ/HrivMUAQI2Jg//bZoSxx0Nor6uBikRGHQny8LzgUT/0kpv
+xg0eRmL9kQwhGis/sdOiJ9cHykJ1ukhRiIZGfxPBdxiQbWGs9nM6147TGIDgqx6D
+yYIW41dvzTRB0TwjNd7g1q6MaSiDNuU/6dD+ooM3/IiR8PDR7X8we0WhSM63KD+v
+HeMsN51UMhBfeaZ06fxrjYoJCvnp0YNYJpLuvtd5tzxqJCJA2Vh5VqJMbMP/MtbY
+zM/zuNXRI1mJnQZeU++IaAnimX7c7SsGjLaloZG8mapYqqY0tKJ5Yod6aeloq+i5
+wI4gZuuPcgAntD6cnPaqB1ni/d71yywme5F75zpezXGzKzDSh1J5oE6akjMi2lJE
+DSOKp7zb7TvDwXxCl+vOVod81F260gPhonlTsD/LpBfPGPBdWlWP+fFchb9N/a2u
+weCMhUYX1u8Jg/bHIycjoQjPEgZwCkJT9RKF1NTLyWvb4P4a3sPe+fauCMZFbTQ/
+3EYPRBY+PfIDO09XswdB5O3gq6B33ChyWJpdwlXEEHMcFt1FuezuP0avVM9/3ZNp
+MkqalDrUEd65X8o+CE3KjFxjMceVdda9mz2netnoHrFMW6X3mFqE2fTldgHi1mCT
+hMCqpPzY04+HOHYZ0GapR3pvedd4dwhkNYrdpckp+nJMTRfexEPH/NXDVNH/mxKg
+jLoIos0SaiY=
+=VUsz
 -----END PGP SIGNATURE-----
diff --git a/website/news/release-0.19-1.mdwn b/website/news/release-0.19-1.mdwn new file mode 100644 index 0000000..f3336da --- /dev/null +++ b/website/news/release-0.19-1.mdwn @@ -0,0 +1,15 @@ +[[meta title="Monkeysphere 0.19-1 released!"]] + +# Monkeysphere 0.19-1 released! # + +Monkeysphere 0.19-1 has been released. + +Notes from the changelog: + +
+  [ Daniel Kahn Gillmor ]
+  * simulating an X11 session in the test script.
+  * updated packaging so that symlinks to config files are correct.
+
+ +[[Download]] it now! -- cgit v1.2.3 From 6ed72efb63d7111acc7fb1f2e4f28757ad485b77 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 29 Oct 2008 03:09:38 -0400 Subject: updated freebsd data for 0.19 --- packaging/freebsd/Makefile | 2 +- packaging/freebsd/distinfo | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packaging/freebsd/Makefile b/packaging/freebsd/Makefile index e484997..984bc87 100644 --- a/packaging/freebsd/Makefile +++ b/packaging/freebsd/Makefile @@ -6,7 +6,7 @@ # PORTNAME= monkeysphere -PORTVERSION= 0.18 +PORTVERSION= 0.19 CATEGORIES= security MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ # hack for debian orig tarballs diff --git a/packaging/freebsd/distinfo b/packaging/freebsd/distinfo index f449c5a..86aecd1 100644 --- a/packaging/freebsd/distinfo +++ b/packaging/freebsd/distinfo @@ -1,3 +1,3 @@ -MD5 (monkeysphere_0.18.orig.tar.gz) = 4cae9db5bd112a3a2d1077d1816384de -SHA256 (monkeysphere_0.18.orig.tar.gz) = 68cb88676cad5788d2a75d95b1ccf8e884a0f7f47512c5292f402b630f63ace8 -SIZE (monkeysphere_0.18.orig.tar.gz) = 68219 +MD5 (monkeysphere_0.19.orig.tar.gz) = 64c643dd0ab642bbc8814aec1718000e +SHA256 (monkeysphere_0.19.orig.tar.gz) = 321b77c1e10fe48ffbef8491893f5dd22842c35c11464efa7893150ce756a522 +SIZE (monkeysphere_0.19.orig.tar.gz) = 68335 -- cgit v1.2.3