From dd26d5acdc42dac6e39ed2f94eb0b5b795e58874 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 14:18:24 -0400 Subject: switched jrollins repo to use the git protocol --- website/download.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/download.mdwn b/website/download.mdwn index 982f88f..3c2f3c5 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -28,7 +28,7 @@ The git repo from this web site: [Jameson Graef Rollins](http://cmrg.fifthhorseman.net/wiki/jrollins): - git clone http://lair.fifthhorseman.net/~jrollins/git/monkeysphere.git monkeysphere + git clone git://lair.fifthhorseman.net/~jrollins/monkeysphere monkeysphere [Daniel Kahn Gillmor](http://cmrg.fifthhorseman.net/wiki/dkg): -- cgit v1.2.3 From 617f03c948b66774e6765206bed2c56d30157187 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 14:44:18 -0400 Subject: first pass at revoking hostnames. --- debian/changelog | 1 + src/common | 7 +++++++ src/monkeysphere-server | 32 +++++++++++++++++++++++++++++++- 3 files changed, 39 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index e80e48a..59aea1e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,7 @@ monkeysphere (0.8-1) UNRELEASED; urgency=low of my own. * More monkeysphere-server diagnostics * monkeysphere --gen-subkey now guesses what KeyID you meant. + * set up host-key revocation [ Jameson Graef Rollins ] * fix another bug for when ssh key files are missing. diff --git a/src/common b/src/common index 17955a7..24decae 100644 --- a/src/common +++ b/src/common @@ -76,6 +76,13 @@ unescape() { echo "$1" | sed 's/\\x3a/:/g' } +# convert nasty chars into gpg-friendly form +# FIXME: escape everything, not just colons! +escape() { + echo "$1" | sed 's/:/\\x3a/g' +} + + # remove all lines with specified string from specified file remove_line() { local file diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 023ce9b..6ffd41f 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -402,11 +402,41 @@ EOF # revoke hostname user ID to server key revoke_hostname() { + local msg + local uidNum + local tmpuidMatch + local fpr + local linenum + if [ -z "$1" ] ; then failure "You must specify a hostname to revoke." fi - failure "Sorry, not yet implemented." + fpr=$(fingerprint_server_key) + tmpuidMatch="u:$(escape "$1")" + + if linenum=$(gpg_host --list-keys --with-colons --fixed-list-mode "$fpr" | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F 'r:Foo T. Bar (DO NOT USE!) ') ; then + uidNum=${linenum%%:*} + else + failure "no non-revoked hostname '$1' is listed." + fi + + msg="hostname removed by monkeysphere-server on $(date +%F)" + + + revuidCommand=$(cat < Date: Fri, 15 Aug 2008 14:58:34 -0400 Subject: sigh. fixing some dumb typos in hostname revocation. --- src/monkeysphere-server | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 6ffd41f..dd85dcc 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -413,9 +413,9 @@ revoke_hostname() { fi fpr=$(fingerprint_server_key) - tmpuidMatch="u:$(escape "$1")" + tmpuidMatch="u:$(escape "ssh://$1")" - if linenum=$(gpg_host --list-keys --with-colons --fixed-list-mode "$fpr" | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F 'r:Foo T. Bar (DO NOT USE!) ') ; then + if linenum=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x$fpr"\! | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then uidNum=${linenum%%:*} else failure "no non-revoked hostname '$1' is listed." @@ -436,7 +436,7 @@ save EOF ) - echo "$revuidCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x$fingerprint"\! + echo "$revuidCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x$fpr"\! echo "NOTE: host userID revokation has not been published." echo "Use '$PGRM publish-key' to publish these changes." -- cgit v1.2.3 From d686f4a38a283db78c7922db5c16b9de98d640b9 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 15:01:08 -0400 Subject: closing multiple-hostnames bug now that we have an implementation. --- website/bugs/multiple-hostnames.mdwn | 2 ++ 1 file changed, 2 insertions(+) diff --git a/website/bugs/multiple-hostnames.mdwn b/website/bugs/multiple-hostnames.mdwn index 7597af5..f4920fd 100644 --- a/website/bugs/multiple-hostnames.mdwn +++ b/website/bugs/multiple-hostnames.mdwn @@ -35,3 +35,5 @@ probably prompt the administrator to re-publish the host key as well, to ensure that the new User IDs are published. --dkg + +[[bugs/done]] on 2008-08-15 15:00:02-0400 in 84b775ff0b36ec4b86e6708844ad2d678eced403 -- cgit v1.2.3 From 74a7b27673d1b7a19c6877a89c8651886c9abfe6 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 15:17:47 -0400 Subject: fixing proposed script to push authentication subkeys into the ssh-agent. --- website/bugs/handle-passphrase-locked-secret-keys.mdwn | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/website/bugs/handle-passphrase-locked-secret-keys.mdwn b/website/bugs/handle-passphrase-locked-secret-keys.mdwn index b66e4c7..ae5bf72 100644 --- a/website/bugs/handle-passphrase-locked-secret-keys.mdwn +++ b/website/bugs/handle-passphrase-locked-secret-keys.mdwn @@ -36,8 +36,10 @@ work for reasonable values of `$KEYID`: mkfifo "$TMPDIR/passphrase" kname="MonkeySphere Key $KEYID" mkfifo "$TMPDIR/$kname" - ssh-agent "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" & - gpg --passphrase-fd 3 3<"$TMPDIR/passphrase" --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes --export-secret-subkeys "$KEYID"\! | openpgp2ssh "$KEYID" > "$TMPDIR/$kname" + ssh-askpass "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" & + gpg --passphrase-fd 3 3<"$TMPDIR/passphrase" \ + --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \ + --export-secret-subkeys "$KEYID"\! | openpgp2ssh "$KEYID" > "$TMPDIR/$kname" & (cd "$TMPDIR" && ssh-add -c "$kname") rm -rf "$TMPDIR" -- cgit v1.2.3 From b0ea15c8e359a908583e08da0663d69e353c77dc Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 15:24:34 -0400 Subject: fixing bugs in monkeysphere-server diagnostics. --- src/monkeysphere-server | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index dd85dcc..2b9b744 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -468,7 +468,10 @@ diagnostics() { local uid local fingerprint local badhostkeys + local sshd_config + # FIXME: what's the correct, cross-platform answer? + sshd_config=/etc/ssh/sshd_config seckey=$(fingerprint_server_key) keysfound=$(echo "$seckey" | grep -c ^sec:) curdate=$(date +%s) @@ -545,14 +548,14 @@ diagnostics() { fi # propose changes needed for sshd_config (if any) - if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then - echo "! /etc/ssh/sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)." - echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'" + if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then + echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)." + echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'" fi - if badhostkeys=$(grep -i '^HostKey' | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then + if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then echo "! /etc/sshd_config refers to some non-monkeysphere host keys:" echo "$badhostkeys" - echo " - Recommendation: remove the above HostKey lines from /etc/ssh/sshd_config" + echo " - Recommendation: remove the above HostKey lines from $sshd_config" fi fi fi @@ -568,14 +571,14 @@ diagnostics() { echo "Checking for MonkeySphere-enabled public-key authentication for users ..." # Ensure that User ID authentication is enabled: - if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" /etc/ssh/sshd_config; then - echo "! /etc/ssh/sshd_config does not point to monkeysphere authorized keys." - echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'" + if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" "$sshd_config"; then + echo "! $sshd_config does not point to monkeysphere authorized keys." + echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'" fi - if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then + if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then echo "! /etc/sshd_config refers to non-monkeysphere authorized_keys files:" echo "$badauthorizedkeys" - echo " - Recommendation: remove the above AuthorizedKeysFile lines from /etc/ssh/sshd_config" + echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" fi } -- cgit v1.2.3