From c8ab71b24b566967fdb39818d071f6548dc056c8 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 26 Oct 2008 21:50:15 -0400 Subject: Changes to fix bug in authorized_keys file generation in monkeysphere-server update-users. --- debian/changelog | 7 ++++ src/monkeysphere-server | 97 ++++++++++++++++++++++++------------------------- 2 files changed, 54 insertions(+), 50 deletions(-) diff --git a/debian/changelog b/debian/changelog index ad795e7..9aa2b0a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +monkeysphere (0.17-1) experimental; urgency=low + + * Fix some bugs in, and cleanup, authorized_keys file creation in + monkeysphere-server update-users. + + -- Jameson Graef Rollins Sun, 26 Oct 2008 21:49:17 -0400 + monkeysphere (0.16-1) experimental; urgency=low [ Daniel Kahn Gillmor ] diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 0c56279..fb71081 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -170,32 +170,8 @@ update_users() { continue fi - # set authorized_user_ids and raw authorized_keys variables, - # translating ssh-style path variables - authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") - rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS") - - # if neither is found, skip user - if [ ! -s "$authorizedUserIDs" ] ; then - if [ "$rawAuthorizedKeys" = '-' -o ! -s "$rawAuthorizedKeys" ] ; then - continue - fi - fi - log verbose "----- user: $uname -----" - # exit if the authorized_user_ids file is empty - if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then - log error "Improper permissions on path '$AUTHORIZED_USER_IDS'." - continue - fi - - # check permissions on the authorized_keys file path - if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then - log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'." - continue - fi - # make temporary directory TMPLOC=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) @@ -217,39 +193,60 @@ update_users() { chmod 0600 "$TMP_AUTHORIZED_USER_IDS" chown -R "$MONKEYSPHERE_USER" "$TMPLOC" - # if the authorized_user_ids file exists... + # process authorized_user_ids file + # translating ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") if [ -s "$authorizedUserIDs" ] ; then - # copy user authorized_user_ids file to temporary - # location - cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS" - - # export needed variables - export AUTHORIZED_KEYS - export TMP_AUTHORIZED_USER_IDS - - # process authorized_user_ids file, as monkeysphere - # user - su_monkeysphere_user \ - ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" - RETURN="$?" + # check permissions on the authorized_user_ids file path + if check_key_file_permissions "$uname" "$authorizedUserIDs" ; then + # copy user authorized_user_ids file to temporary + # location + cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS" + + # export needed variables + export AUTHORIZED_KEYS + export TMP_AUTHORIZED_USER_IDS + + # process authorized_user_ids file, as monkeysphere + # user + su_monkeysphere_user \ + ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" + RETURN="$?" + else + log error "Improper permissions on path '$AUTHORIZED_USER_IDS'." + fi fi - # add user-controlled authorized_keys file path if specified + # add user-controlled authorized_keys file if specified + # translate ssh-style path variables + rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS") if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then - log verbose "adding raw authorized_keys file... " - cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" + # check permissions on the authorized_keys file path + if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then + log verbose "adding raw authorized_keys file... " + cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" + else + log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'. Not added to authorized_keys file." + fi fi - # openssh appears to check the contents of the - # authorized_keys file as the user in question, so the - # file must be readable by that user at least. - # FIXME: is there a better way to do this? - chown root "$AUTHORIZED_KEYS" - chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" - chmod g+r "$AUTHORIZED_KEYS" + # move the new authorized_keys file into place + if [ -s "$AUTHORIZED_KEYS" ] ; then + # openssh appears to check the contents of the + # authorized_keys file as the user in question, so the + # file must be readable by that user at least. + # FIXME: is there a better way to do this? + chown root "$AUTHORIZED_KEYS" + chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" + chmod g+r "$AUTHORIZED_KEYS" + + mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}" + else + rm -f "${SYSDATADIR}/authorized_keys/${uname}" + fi - # move the resulting authorized_keys file into place - mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}" + # unset the trap + trap - EXIT # destroy temporary directory rm -rf "$TMPLOC" -- cgit v1.2.3 From 3b0d5361bcaa53770ae4130dc08a1b9ea6d36cfd Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 26 Oct 2008 21:54:03 -0400 Subject: close bug about problem in authorized_keys generation in monkeysphere-server. --- website/bugs/authorized_keys_not_cleared.mdwn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/website/bugs/authorized_keys_not_cleared.mdwn b/website/bugs/authorized_keys_not_cleared.mdwn index 7246997..4ba347b 100644 --- a/website/bugs/authorized_keys_not_cleared.mdwn +++ b/website/bugs/authorized_keys_not_cleared.mdwn @@ -18,3 +18,7 @@ bytes. However, it just remained untouched, and the old keys persisted. This seems like a potential security problem. + +--- + +[[bugs/done]] on 2008-10-26 in c8ab71b24b566967fdb39818d071f6548dc056c8 -- cgit v1.2.3 From 21fd6545dee4948cad0e726d47f092c9c86f2fba Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 26 Oct 2008 22:07:07 -0400 Subject: comment to bug about existing invalid authentication keys. --- website/bugs/authorized_keys-options.mdwn | 2 -- ...e-gen-subkey-treats-revoked-auth-subkey-as-valid.mdwn | 16 ++++++++++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/website/bugs/authorized_keys-options.mdwn b/website/bugs/authorized_keys-options.mdwn index a066318..4e7a838 100644 --- a/website/bugs/authorized_keys-options.mdwn +++ b/website/bugs/authorized_keys-options.mdwn @@ -1,7 +1,5 @@ [[meta title="Monkeysphere support for options in authorized_keys"]] -# Monkeysphere support for options within `authorized_keys` # - OpenSSH [allows users to control the capabilities granted to remote key-based logins](http://www.hackinglinuxexposed.com/articles/20030109.html) by diff --git a/website/bugs/monkeysphere-gen-subkey-treats-revoked-auth-subkey-as-valid.mdwn b/website/bugs/monkeysphere-gen-subkey-treats-revoked-auth-subkey-as-valid.mdwn index 8181437..3c7e804 100644 --- a/website/bugs/monkeysphere-gen-subkey-treats-revoked-auth-subkey-as-valid.mdwn +++ b/website/bugs/monkeysphere-gen-subkey-treats-revoked-auth-subkey-as-valid.mdwn @@ -19,3 +19,19 @@ revoked, so probably monkeysphere needs to be looking at gpg's computed validity from the public keyring instead of the secret keyring to be able to get the "r" flag from field 2, in addition to the "e" flag from field 12. + +--- + +So the problem is that there is no field 2 for secret keys. From +/usr/share/doc/gnupg/DETAILS.gz: + + 2. Field: A letter describing the calculated trust. This is a single + letter, but be prepared that additional information may follow + in some future versions. (not used for secret keys) + +Why would secret keys not have this field? They have validity too, +right? This doesn't make any sense. I verify that indeed there is no +output in field 2 for secret keys. I would say this is a bug in gpg, +but it's clearly done on purpose. Any ideas? + +-- jrollins -- cgit v1.2.3 From 88b92e7c69e2c59ece19ff015d150e179c797655 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 26 Oct 2008 22:16:32 -0400 Subject: comment to bug about parsing ssh config files. --- ...keysphere-ignores-HashKnownHosts-directive.mdwn | 33 --------------- website/bugs/ssh_config_files_not_parsed.mdwn | 47 ++++++++++++++++++++++ 2 files changed, 47 insertions(+), 33 deletions(-) delete mode 100644 website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn create mode 100644 website/bugs/ssh_config_files_not_parsed.mdwn diff --git a/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn b/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn deleted file mode 100644 index 2dac579..0000000 --- a/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn +++ /dev/null @@ -1,33 +0,0 @@ -In `~/.ssh/config`, i have: - - HashKnownHosts No - -But when `monkeysphere-ssh-proxycommand` adds new hosts to -`~/.ssh/known_hosts`, they appear to be added in a hashed form, -instead of in the clear. - -fwiw: i'm using OpenSSH 5.1p1 on a debian lenny system (backported -from sid) - ---- - -I can confirm this too (I'm running openssh-client 1:4.7p1-12) - --- Jamie (Jam Jam) - ---- - -There is absolutely no attempt by any monkeysphere utility to parse -any ssh or sshd config file. This will probably need to be delt with -down the line, but it's not a particular easy task at the moment. - --- Big Jimmy. - ---- - -I've [posted to the `openssh-unix-dev` list to see if there is a -possibility of openssh making our lives easier -here](http://marc.info/?l=openssh-unix-dev&m=121804767122918&w=2), but -i haven't had much of a response yet. - ---dkg diff --git a/website/bugs/ssh_config_files_not_parsed.mdwn b/website/bugs/ssh_config_files_not_parsed.mdwn new file mode 100644 index 0000000..ca851a8 --- /dev/null +++ b/website/bugs/ssh_config_files_not_parsed.mdwn @@ -0,0 +1,47 @@ +In `~/.ssh/config`, i have: + + HashKnownHosts No + +But when `monkeysphere-ssh-proxycommand` adds new hosts to +`~/.ssh/known_hosts`, they appear to be added in a hashed form, +instead of in the clear. + +fwiw: i'm using OpenSSH 5.1p1 on a debian lenny system (backported +from sid) + +--- + +I can confirm this too (I'm running openssh-client 1:4.7p1-12) + +-- Jamie (Jam Jam) + +--- + +There is absolutely no attempt by any monkeysphere utility to parse +any ssh or sshd config file. This will probably need to be delt with +down the line, but it's not a particular easy task at the moment. + +-- Big Jimmy. + +--- + +I've [posted to the `openssh-unix-dev` list to see if there is a +possibility of openssh making our lives easier +here](http://marc.info/?l=openssh-unix-dev&m=121804767122918&w=2), but +i haven't had much of a response yet. + +--dkg + +--- + +For some reason this didn't get mentioned in this bug earlier, but +there is a monkeysphere config variable about hashing known_hosts +lines, which is set to true by default (to be in sync with the Debian +openssh-client package). + +I think this bug is really more about the fact that monkeysphere does +not parse the ssh config files for any directives relavent to what the +monkeysphere is doing. I'm changing the name of this bug to reflect +what the real issue is. + +-- Big Jimmy. -- cgit v1.2.3