From b3f0bbedbf242d2640d3bc56cce62ae726081400 Mon Sep 17 00:00:00 2001 From: Clint Adams Date: Sat, 2 Oct 2010 14:10:59 -0400 Subject: Assume that space- or tab-prefixed lines contain ssh authorized_keys options applicable to the preceding user ID. --- src/share/common | 71 +++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 52 insertions(+), 19 deletions(-) diff --git a/src/share/common b/src/share/common index af346a8..a741efb 100644 --- a/src/share/common +++ b/src/share/common @@ -505,13 +505,15 @@ ssh2known_hosts() { # output authorized_keys line from ssh key ssh2authorized_keys() { - local userID - local key - - userID="$1" - key="$2" + local koptions="$1" + local userID="$2" + local key="$3" - printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID" + if [[ -z $koptions ]]; then + printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID" + else + printf "%s %s MonkeySphere%s %s\n" "$koptions" "$key" "$DATE" "$userID" + fi } # convert key from gpg to ssh known_hosts format @@ -608,7 +610,7 @@ gpg_fetch_userid() { # flag:sshKey to the calling function. process_user_id() { local returnCode=0 - local userID + local userID="$1" local requiredCapability local requiredPubCapability local gpgOut @@ -623,8 +625,6 @@ process_user_id() { local lastKeyOK local fingerprint - userID="$1" - # set the required key capability based on the mode requiredCapability=${REQUIRED_KEY_CAPABILITY:="a"} requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]") @@ -1042,6 +1042,7 @@ process_known_hosts() { # process uids for the authorized_keys file process_uid_authorized_keys() { local userID + local koptions local nKeys local nKeysOK local ok @@ -1050,7 +1051,8 @@ process_uid_authorized_keys() { # set the key processing mode export REQUIRED_KEY_CAPABILITY="$REQUIRED_USER_KEY_CAPABILITY" - userID="$1" + koptions="$1" + userID="$2" log verbose "processing: $userID" @@ -1077,7 +1079,7 @@ process_uid_authorized_keys() { # note that key was found ok nKeysOK=$((nKeysOK+1)) - ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS" + ssh2authorized_keys "$koptions" "$userID" "$sshKey" >> "$AUTHORIZED_KEYS" fi done @@ -1105,9 +1107,14 @@ update_authorized_keys() { local nIDsOK local nIDsBAD local fileCheck + local x koptions + declare -i argtype + + if (( $# % 2 )); then log error "Bad number of arguments; this should never happen."; return 1; fi # the number of ids specified on command line - nIDs="$#" + (( nIDs=$#/2 )) + (( argtype=0 )) nIDsOK=0 nIDsBAD=0 @@ -1129,10 +1136,15 @@ update_authorized_keys() { # remove any monkeysphere lines from authorized_keys file remove_monkeysphere_lines "$AUTHORIZED_KEYS" - for userID ; do + for x; do + (( argtype++ )) + if (( $argtype % 2 )); then + koptions="$x" + else + userID="$x" # process the user ID, change return code if key not found for # user ID - process_uid_authorized_keys "$userID" || returnCode="$?" + process_uid_authorized_keys "$koptions" "$userID" || returnCode="$?" # note the result case "$returnCode" in @@ -1146,6 +1158,7 @@ update_authorized_keys() { # touch the lockfile, for good measure. lock touch "$AUTHORIZED_KEYS" + fi done # remove the lockfile and the trap @@ -1178,11 +1191,15 @@ update_authorized_keys() { # process an authorized_user_ids file for authorized_keys process_authorized_user_ids() { local line - local nline - local userIDs + declare -i nline + declare -a userIDs + declare -a koptions + declare -a export_array authorizedUserIDs="$1" + (( nline=0 )) + # exit if the authorized_user_ids file is empty if [ ! -e "$authorizedUserIDs" ] ; then failure "authorized_user_ids file '$authorizedUserIDs' does not exist." @@ -1204,11 +1221,27 @@ process_authorized_user_ids() { # extract user IDs from authorized_user_ids file IFS=$'\n' for line in $(meat "$authorizedUserIDs") ; do - userIDs["$nline"]="$line" - nline=$((nline+1)) + case "$line" in + (" "*|$'\t'*) + if [[ -z ${koptions[${nline}]} ]]; then + koptions[${nline}]=$(echo $line | sed 's/^[ ]*//;s/[ ]$//;') + else + koptions[${nline}]="${koptions[${nline}]},$(echo $line | sed 's/^[ ]*//;s/[ ]$//;')" + fi + ;; + (*) + ((nline++)) + userIDs[${nline}]="$line" + unset koptions[${nline}] || true + ;; + esac + done + + for i in $(seq 1 $nline); do + export_array+=("${koptions[$i]}" "${userIDs[$i]}") done - update_authorized_keys "${userIDs[@]}" + update_authorized_keys "${export_array[@]}" } # takes a gpg key or keys on stdin, and outputs a list of -- cgit v1.2.3 From 73f3d3118652d1efebdf5992f454c90d9d6ae280 Mon Sep 17 00:00:00 2001 From: Clint Adams Date: Sat, 2 Oct 2010 14:39:01 -0400 Subject: Minimal documentation of ssh authorized_keys options specification. --- man/man8/monkeysphere-authentication.8 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index 5dfa92a..e2886d6 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -197,7 +197,9 @@ Monkeysphere-generated user authorized_keys files. A list of OpenPGP user IDs, one per line. OpenPGP keys with an exactly-matching User ID (calculated valid by the designated identity certifiers), will have any valid authorization-capable keys or subkeys -added to the given user's authorized_keys file. +added to the given user's authorized_keys file. Any line with initial +whitespace will be interpreted as ssh authorized_keys options +applicable to the preceding User ID. .SH AUTHOR -- cgit v1.2.3 From 447c9de61a15d4ef115e2b337161da2569b5aeb2 Mon Sep 17 00:00:00 2001 From: Clint Adams Date: Sat, 2 Oct 2010 14:53:29 -0400 Subject: Make remote execution command a parameter to ssh_test --- tests/basic | 47 ++++++++++++++++++++++++----------------------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/tests/basic b/tests/basic index 9b9eb05..30cff06 100755 --- a/tests/basic +++ b/tests/basic @@ -55,10 +55,11 @@ gpgadmin() { # first argument is expected return code from ssh connection ssh_test() { local RETURN=0 + local remote_command=${1:-true} umask 0077 - CODE=${1:-0} + CODE=${2:-0} # start the ssh daemon on the socket echo "##### starting ssh server..." @@ -73,7 +74,7 @@ ssh_test() { # make a client connection to the socket echo "##### starting ssh client..." ssh-agent bash -c \ - "monkeysphere subkey-to-ssh-agent && ssh -F $TEMPDIR/testuser/.ssh/config ${target_hostname:-testhost.example} true" \ + "monkeysphere subkey-to-ssh-agent && ssh -F $TEMPDIR/testuser/.ssh/config ${target_hostname:-testhost.example} $remote_command" \ || RETURN="$?" # kill the sshd process if it's still running @@ -353,7 +354,7 @@ diff -q <( monkeysphere keys-for-userid ssh://testhost.example ) <( cut -f1,2 -d echo echo "##################################################" echo "### ssh connection test for success..." -ssh_test +ssh_test true # Make sure it works if there is "armor" written in gpg.conf # add other weirdnesses here as they come up. @@ -361,7 +362,7 @@ echo echo "##################################################" echo "### testing functionality in the face of unusual gpg.conf settings..." echo 'armor' >> "$GNUPGHOME"/gpg.conf -ssh_test +ssh_test true # remove the testuser's authorized_user_ids file, update, and make # sure that the ssh authentication FAILS @@ -373,7 +374,7 @@ monkeysphere-authentication update-users $(whoami) echo echo "##################################################" echo "### ssh connection test for failure..." -ssh_test 255 +ssh_test true 255 mv "$TESTHOME"/.monkeysphere/authorized_user_ids{.bak,} # put improper permissions on authorized_user_ids file, update, and @@ -386,7 +387,7 @@ monkeysphere-authentication update-users $(whoami) echo echo "##################################################" echo "### ssh connection test for failure..." -ssh_good_perm_test 255 +ssh_good_perm_test true 255 chmod g-w "$TESTHOME"/.monkeysphere/authorized_user_ids echo echo "##################################################" @@ -396,7 +397,7 @@ monkeysphere-authentication update-users $(whoami) echo echo "##################################################" echo "### ssh connection test for failure..." -ssh_good_perm_test 255 +ssh_good_perm_test true 255 chmod o-w "$TESTHOME"/.monkeysphere/authorized_user_ids monkeysphere-authentication update-users $(whoami) @@ -415,7 +416,7 @@ monkeysphere-authentication update-users $(whoami) echo echo "##################################################" echo "### ssh connection test for success..." -ssh_test +ssh_test true echo echo "##################################################" echo "### create bad permissions on link dir and updating..." @@ -424,7 +425,7 @@ monkeysphere-authentication update-users $(whoami) echo echo "##################################################" echo "### ssh connection test for failure..." -ssh_good_perm_test 255 +ssh_good_perm_test true 255 chmod o-w "$TESTHOME"/.monkeysphere.linktest echo echo "##################################################" @@ -434,7 +435,7 @@ monkeysphere-authentication update-users $(whoami) echo echo "##################################################" echo "### ssh connection test for success..." -ssh_test +ssh_test true echo echo "##################################################" echo "### create bad permissions on link dir updating..." @@ -443,7 +444,7 @@ monkeysphere-authentication update-users $(whoami) echo echo "##################################################" echo "### ssh connection test for failure..." -ssh_good_perm_test 255 +ssh_good_perm_test true 255 chmod o-w "$TESTHOME"/.monkeysphere.linktest # FIXME: implement check of link path, and uncomment this test # echo @@ -454,7 +455,7 @@ chmod o-w "$TESTHOME"/.monkeysphere.linktest # echo # echo "##################################################" # echo "### ssh connection test for failure..." -# ssh_good_perm_test 255 +# ssh_good_perm_test true 255 # chmod o-w "$TESTHOME"/.monkeysphere rm "$TESTHOME"/.monkeysphere/authorized_user_ids mv "$TESTHOME"/.monkeysphere/authorized_user_ids{.bak,} @@ -468,7 +469,7 @@ monkeysphere-authentication update-users $(whoami) echo echo "##################################################" echo "### ssh connection test for success..." -ssh_test +ssh_test true echo echo "##################################################" echo "### create bad permissions on link dir and updating..." @@ -477,7 +478,7 @@ monkeysphere-authentication update-users $(whoami) echo echo "##################################################" echo "### ssh connection test for failure..." -ssh_good_perm_test 255 +ssh_good_perm_test true 255 chmod o-w "$TESTHOME"/.monkeysphere.linktest echo echo "##################################################" @@ -487,7 +488,7 @@ monkeysphere-authentication update-users $(whoami) echo echo "##################################################" echo "### ssh connection test for success..." -ssh_test +ssh_test true echo echo "##################################################" echo "### create bad permissions on link dir updating..." @@ -496,7 +497,7 @@ monkeysphere-authentication update-users $(whoami) echo echo "##################################################" echo "### ssh connection test for failure..." -ssh_good_perm_test 255 +ssh_good_perm_test true 255 chmod o-w "$TESTHOME"/.monkeysphere.linktest rm "$TESTHOME"/.monkeysphere mv "$TESTHOME"/.monkeysphere{.bak,} @@ -506,13 +507,13 @@ echo echo "##################################################" echo "### making sure we are back to normal..." monkeysphere-authentication update-users $(whoami) -ssh_test +ssh_test true echo echo "##################################################" echo "### ssh connection test directly to 'testhost2.example' without new name..." -target_hostname=testhost2.example ssh_test 255 +target_hostname=testhost2.example ssh_test true 255 echo echo "##################################################" echo "### add servicename, certify by admin, import by user..." @@ -525,14 +526,14 @@ echo "##################################################" echo "### ssh connection test with hostname 'testhost2.example' added..." gpgadmin --export "$SSHHOSTKEYID" | gpg --import gpg --check-trustdb -ssh_test +ssh_test true echo echo "##################################################" echo "### ssh connection test directly to 'testhost2.example' ..." gpg --import <"$HOST_KEY_FILE" gpg --check-trustdb -target_hostname=testhost2.example ssh_test +target_hostname=testhost2.example ssh_test true echo echo "##################################################" @@ -540,7 +541,7 @@ echo "### ssh connection test for failure with 'testhost2.example' revoked..." monkeysphere-host revoke-servicename ssh://testhost2.example gpg --import <"$HOST_KEY_FILE" gpg --check-trustdb -target_hostname=testhost2.example ssh_test 255 +target_hostname=testhost2.example ssh_test true 255 # FIXME: addtest: remove admin as id-certifier and check ssh failure @@ -555,7 +556,7 @@ monkeysphere-authentication update-users $(whoami) echo echo "##################################################" echo "### ssh connection test for success..." -ssh_test +ssh_test true echo echo "##################################################" @@ -579,7 +580,7 @@ monkeysphere-host revoke-key "$SSHHOSTKEYID" | gpg --import echo echo "##################################################" echo "### ssh connection test for failure..." -ssh_test 255 +ssh_test true 255 ###################################################################### -- cgit v1.2.3 From bd9c23125a2c27721ddfc74a4c21e17f641bb6bd Mon Sep 17 00:00:00 2001 From: Clint Adams Date: Sat, 2 Oct 2010 15:06:54 -0400 Subject: ssh authorized_keys options test --- tests/basic | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/tests/basic b/tests/basic index 30cff06..9ae04b4 100755 --- a/tests/basic +++ b/tests/basic @@ -509,6 +509,25 @@ echo "### making sure we are back to normal..." monkeysphere-authentication update-users $(whoami) ssh_test true +# check ssh authorized_key options +echo +echo "##################################################" +echo "### checking ssh authorized_key option support..." +cp "$TESTHOME"/.monkeysphere/authorized_user_ids{,.bak} +echo ' no-X11-forwarding' >>"$TESTHOME"/.monkeysphere/authorized_user_ids +echo ' no-port-forwarding' >>"$TESTHOME"/.monkeysphere/authorized_user_ids +echo ' command="/bin/false"' >>"$TESTHOME"/.monkeysphere/authorized_user_ids +monkeysphere-authentication update-users $(whoami) +ssh_test /bin/true 1 +ssh_test /bin/false 1 +mv "$TESTHOME"/.monkeysphere/authorized_user_ids{.bak,} + +# ensure we're back to normal: +echo +echo "##################################################" +echo "### making sure we are back to normal..." +monkeysphere-authentication update-users $(whoami) +ssh_test true echo echo "##################################################" -- cgit v1.2.3 From 2557eca7a3de0f3fef33260187cba824d5dd04b7 Mon Sep 17 00:00:00 2001 From: Jameson Rollins Date: Sat, 2 Oct 2010 16:13:12 -0400 Subject: fix formatting of b3f0bbedbf242d2640d3bc56cce62ae726081400 to conform to standard --- src/share/common | 59 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 30 insertions(+), 29 deletions(-) diff --git a/src/share/common b/src/share/common index a741efb..50c9f61 100644 --- a/src/share/common +++ b/src/share/common @@ -509,7 +509,7 @@ ssh2authorized_keys() { local userID="$2" local key="$3" - if [[ -z $koptions ]]; then + if [[ -z "$koptions" ]]; then printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID" else printf "%s %s MonkeySphere%s %s\n" "$koptions" "$key" "$DATE" "$userID" @@ -1142,22 +1142,23 @@ update_authorized_keys() { koptions="$x" else userID="$x" - # process the user ID, change return code if key not found for - # user ID - process_uid_authorized_keys "$koptions" "$userID" || returnCode="$?" - # note the result - case "$returnCode" in - 0) - nIDsOK=$((nIDsOK+1)) - ;; - 2) - nIDsBAD=$((nIDsBAD+1)) - ;; - esac - - # touch the lockfile, for good measure. - lock touch "$AUTHORIZED_KEYS" + # process the user ID, change return code if key not found + # for user ID + process_uid_authorized_keys "$koptions" "$userID" || returnCode="$?" + + # note the result + case "$returnCode" in + 0) + nIDsOK=$((nIDsOK+1)) + ;; + 2) + nIDsBAD=$((nIDsBAD+1)) + ;; + esac + + # touch the lockfile, for good measure. + lock touch "$AUTHORIZED_KEYS" fi done @@ -1222,19 +1223,19 @@ process_authorized_user_ids() { IFS=$'\n' for line in $(meat "$authorizedUserIDs") ; do case "$line" in - (" "*|$'\t'*) - if [[ -z ${koptions[${nline}]} ]]; then - koptions[${nline}]=$(echo $line | sed 's/^[ ]*//;s/[ ]$//;') - else - koptions[${nline}]="${koptions[${nline}]},$(echo $line | sed 's/^[ ]*//;s/[ ]$//;')" - fi - ;; - (*) - ((nline++)) - userIDs[${nline}]="$line" - unset koptions[${nline}] || true - ;; - esac + (" "*|$'\t'*) + if [[ -z ${koptions[${nline}]} ]]; then + koptions[${nline}]=$(echo $line | sed 's/^[ ]*//;s/[ ]$//;') + else + koptions[${nline}]="${koptions[${nline}]},$(echo $line | sed 's/^[ ]*//;s/[ ]$//;')" + fi + ;; + (*) + ((nline++)) + userIDs[${nline}]="$line" + unset koptions[${nline}] || true + ;; + esac done for i in $(seq 1 $nline); do -- cgit v1.2.3