From b6983d7cb86f450ebd7fafcb254011fd7099c246 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Jun 2008 14:07:33 -0400 Subject: Allow for specification of whether to check keyserver. Update proxy command to check keyserver if host not found in known_hosts. --- src/common | 40 +++++++++++++++++++++++++-------------- src/monkeysphere | 2 +- src/monkeysphere-ssh-proxycommand | 30 +++++++++++++++++++++++++++++ 3 files changed, 57 insertions(+), 15 deletions(-) diff --git a/src/common b/src/common index 8d8e506..471e75a 100644 --- a/src/common +++ b/src/common @@ -43,12 +43,22 @@ cutline() { # FIXME: need to figure out how to retrieve all matching keys # (not just first 5) gpg_fetch_userid() { - local id - id="$1" - echo 1,2,3,4,5 | \ - gpg --quiet --batch --command-fd 0 --with-colons \ - --keyserver "$KEYSERVER" \ - --search ="$id" >/dev/null 2>&1 + local userID + + userID="$1" + + # if CHECK_KEYSERVER variable set, check the keyserver + # for the user ID + if [ "CHECK_KEYSERVER" ] ; then + echo 1,2,3,4,5 | \ + gpg --quiet --batch --command-fd 0 --with-colons \ + --keyserver "$KEYSERVER" \ + --search ="$userID" >/dev/null 2>&1 + + # otherwise just return true + else + return + fi } # check that characters are in a string (in an AND fashion). @@ -117,7 +127,7 @@ gpg2authorized_keys() { gpg --export "$keyID" | \ openpgp2ssh "$keyID" | tr -d '\n' - echo " MonkeySphere${DATE}:${userID}" + echo " MonkeySphere${DATE}: ${userID}" } # userid and key policy checking 
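Review bot: In gpg_fetch_userid the new test `[ "CHECK_KEYSERVER" ]` checks a literal, non-empty string, so it is always true and the `else` branch that skips the keyserver is never taken. As written the keyserver is contacted for every lookup regardless of the setting, which also discloses each looked-up user ID or host name to the keyserver. The test should read `if [ "$CHECK_KEYSERVER" = "true" ] ; then`. The later patch 62ff87e in this series moves the test into process_user_id in that form.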
@@ -296,18 +306,23 @@ update_userid() { log "processing userid: '$userID'" + # return 1 if there is no output of the user ID processing + # ie. no key was found keyCachePath=$(process_user_id "$userID" "$cacheDir") - if [ -z "$keyCachePath" ] ; then return 1 fi + + # check if user ID is in the authorized_user_ids file if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} = 'Y' ] ; then + # add if specified log -n "adding user ID to authorized_user_ids file... " echo "$userID" >> "$AUTHORIZED_USER_IDS" echo "done." else + # else do nothing log "authorized_user_ids file untouched." fi fi @@ -340,7 +355,7 @@ process_host() { host="$1" cacheDir="$2" - log "processing host: '$host'" + log "processing host: $host" keyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") if [ $? = 0 ] ; then @@ -353,18 +368,15 @@ process_host() { # go through line-by-line, extract each host, and process with the # host processing function process_known_hosts() { - local knownHosts local cacheDir local hosts local host - knownHosts="$1" - cacheDir="$2" + cacheDir="$1" # take all the hosts from the known_hosts file (first field), # grep out all the hashed hosts (lines starting with '|')... - cut -d ' ' -f 1 "$knownHosts" | \ - grep -v '^|.*$' | \ + meat "$USER_KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | \ while IFS=, read -r -a hosts ; do # ...and process each host for host in ${hosts[*]} ; do diff --git a/src/monkeysphere b/src/monkeysphere index 23ebd63..79bc352 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -157,7 +157,7 @@ case $COMMAND in failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." fi log "processing known_hosts file..." - process_known_hosts "$USER_KNOWN_HOSTS" "$hostKeysCacheDir" + process_known_hosts "$hostKeysCacheDir" fi ;; diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 417d013..ec162ab 100755 
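Review bot: The authorization check under the new comment, `grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS"`, interpolates the user ID into a regular expression, so characters such as `.`, `[` or `*` in an ID are treated as pattern syntax and a different line in the file can count as a match. For a file that decides who may log in, a fixed-string whole-line comparison is safer: `grep -qxF -- "$userID" "$AUTHORIZED_USER_IDS"`. The same block compares `${OK/y/Y}` unquoted, which breaks the test when the answer contains spaces; `[ "${OK/y/Y}" = 'Y' ]` avoids that. update_userid begins and ends outside this hunk.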
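Review bot: The loop `for host in ${hosts[*]}` at the end of the process_known_hosts hunk expands the array unquoted, so a known_hosts pattern containing `*` or `?` (both valid there) is glob-expanded against the current directory and the resulting file names are processed as hosts. Quoting keeps each entry literal: `for host in "${hosts[@]}" ; do`. The function now reads the global `$USER_KNOWN_HOSTS` instead of its first argument, so the header comment should say so, e.g. `# reads the file named by $USER_KNOWN_HOSTS; $1 is the cache directory`. The loop body continues outside the hunk.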
--- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -16,6 +16,36 @@ HOST="$1" PORT="$2" +usage() { +cat <&2 +usage: ssh -o ProxyCommand="$(basename $0) %h %p" ... +EOF +} + +log() { + echo "$@" >&2 +} + +if [ -z "$HOST" ] ; then + log "host must be specified." + usage + exit 1 +fi +if [ -z "$PORT" ] ; then + log "port must be specified." + usage + exit 1 +fi + +# check for the host key in the known_hosts file +hostKey=$(ssh-keygen -F "$HOST") + +# if the host key is not found in the known_hosts file, +# check the keyserver +if [ -z "$hostKey" ] ; then + CHECK_KEYSERVER="true" +fi + # update the known_hosts file for the host monkeysphere update-known-hosts "$HOST" -- cgit v1.2.3 From c32302172e3533b2170329206ff011d6e3a26a49 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Jun 2008 14:43:40 -0400 Subject: Fix bug in configuration handling for HASH_KNOWN_HOSTS and USER_CONTROLLED_AUTHORIZED_KEYS --- etc/monkeysphere-server.conf | 1 + etc/monkeysphere.conf | 11 +++++------ src/common | 4 ++-- src/monkeysphere | 7 ++----- src/monkeysphere-server | 6 +++--- 5 files changed, 13 insertions(+), 16 deletions(-) diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf index 82da497..3915bf4 100644 --- a/etc/monkeysphere-server.conf +++ b/etc/monkeysphere-server.conf @@ -20,4 +20,5 @@ # Whether to add user controlled authorized_keys file to # monkeysphere-generated authorized_keys file. Should be path to file # where '%h' will be replaced by the home directory of the user. +# To not add any user-controlled file, put "-" #USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index d478b93..003ecf6 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf 
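Review bot: The added checks only reject an empty `$HOST` or `$PORT`; a host value that begins with `-` still reaches `monkeysphere update-known-hosts "$HOST"` and, depending on how that script parses its arguments (not visible here), could be read as an option rather than a host name. Since `%h` comes from the ssh command line, reject it up front: `case "$HOST" in -*) log "invalid host: $HOST" ; exit 1 ;; esac`. `CHECK_KEYSERVER` is assigned but not exported in this version, so the child `monkeysphere` process does not see it; patch 62ff87e adds the `export`. In `usage`, `$(basename $0)` should be `$(basename "$0")`.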
@@ -22,14 +22,13 @@ #REQUIRED_USER_KEY_CAPABILITY="a" # Path to user-controlled authorized_keys file to add to -# Monkeysphere-generated authorized_keys file. If empty, then no -# user-controlled file will be added. +# Monkeysphere-generated authorized_keys file. +# To not add any user-controlled file, put "-" #USER_CONTROLLED_AUTHORIZED_KEYS=~/.ssh/authorized_keys # User known_hosts file #USER_KNOWN_HOSTS=~/.ssh/known_hosts -# Whether or not to hash the generated known_hosts lines -# (empty mean "no"). -#HASH_KNOWN_HOSTS= - +# Whether or not to hash the generated known_hosts lines. +# Should be "true" or "false" +#HASH_KNOWN_HOSTS=true diff --git a/src/common b/src/common index 471e75a..c0a9030 100644 --- a/src/common +++ b/src/common @@ -275,7 +275,7 @@ process_user_id() { gpg2known_hosts "$keyID" "$userID" >> \ "$cacheDir"/"$userIDHash"."$pubKeyID" # hash the cache file if specified - if [ "$HASH_KNOWN_HOSTS" ] ; then + if [ "$HASH_KNOWN_HOSTS" = "true" ] ; then ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1 rm "$cacheDir"/"$userIDHash"."$pubKeyID".old fi @@ -408,7 +408,7 @@ update_authorized_keys() { else log "no gpg keys to add." fi - if [ "$userAuthorizedKeys" -a -s "$userAuthorizedKeys" ] ; then + if [ "$userAuthorizedKeys" != "-" -a -s "$userAuthorizedKeys" ] ; then log -n "adding user authorized_keys file... " cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" echo "done." diff --git a/src/monkeysphere b/src/monkeysphere index 79bc352..a6ca62d 100755 --- a/src/monkeysphere +++ b/src/monkeysphere 
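Review bot: With the comparison `[ "$HASH_KNOWN_HOSTS" = "true" ]` in process_user_id, any other non-empty value (`yes`, `1`, `True`) that enabled hashing before this change now silently turns it off, leaving host names in clear text in the cache file. Since hashing is the privacy-preserving setting, treat only an explicit `false` as off, `if [ "$HASH_KNOWN_HOSTS" != "false" ] ; then`, or reject unknown values when the configuration is loaded. The `ssh-keygen -H` call that follows discards its output and its exit status is not checked, so a failed hash also goes unnoticed. process_user_id extends beyond this hunk.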
@@ -115,7 +115,7 @@ GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"} @@ -191,11 +191,8 @@ case $COMMAND in failure "$AUTHORIZED_USER_IDS is empty." fi - # set user-controlled authorized_keys file path - userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$HOME"} - # update authorized_keys - update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$userKeysCacheDir" + update_authorized_keys "$msAuthorizedKeys" "$USER_CONTROLLED_AUTHORIZED_KEYS" "$userKeysCacheDir" ;; 'gen-subkey'|'g') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 3cc7454..cdb76ee 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -111,10 +111,10 @@ MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf} [ -e "$MS_CONF" ] && . "$MS_CONF" # set empty config variable with defaults -GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} -KEYSERVER=${KEYSERVER:-subkeys.pgp.net} +GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"} +KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} export GNUPGHOME -- cgit v1.2.3 From 62ff87e0328bc1406979656029a5e313839cac35 Mon Sep 17 00:00:00 2001 
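Review bot: Removing the `${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$HOME"}` substitution in the second src/monkeysphere hunk means a value containing `%h`, the form etc/monkeysphere-server.conf still documents, is now passed to update_authorized_keys literally. The `-s` test there then fails and the user's own keys are left out of the generated file without any message, which may lock the user out. Either keep the substitution or log the skipped path in update_authorized_keys, e.g. `log "user authorized_keys file '$userAuthorizedKeys' not found, skipping."`. The `case` block containing this call starts and ends outside the hunk.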
From: Jameson Graef Rollins Date: Mon, 16 Jun 2008 14:52:20 -0400 Subject: Add log output for keyserver checking. Fix bug in proxy command to export CHECK_KEYSERVER variable. --- src/common | 31 +++++++++++++++++-------------- src/monkeysphere | 1 + src/monkeysphere-ssh-proxycommand | 9 +++++---- 3 files changed, 23 insertions(+), 18 deletions(-) diff --git a/src/common b/src/common index c0a9030..d1554a6 100644 --- a/src/common +++ b/src/common @@ -47,17 +47,17 @@ gpg_fetch_userid() { userID="$1" - # if CHECK_KEYSERVER variable set, check the keyserver - # for the user ID - if [ "CHECK_KEYSERVER" ] ; then - echo 1,2,3,4,5 | \ - gpg --quiet --batch --command-fd 0 --with-colons \ - --keyserver "$KEYSERVER" \ - --search ="$userID" >/dev/null 2>&1 - - # otherwise just return true + log "checking keyserver $KEYSERVER..." + echo 1,2,3,4,5 | \ + gpg --quiet --batch --command-fd 0 --with-colons \ + --keyserver "$KEYSERVER" \ + --search ="$userID" >/dev/null 2>&1 + if [ "$?" = 0 ] ; then + log " user ID found on keyserver." + return 0 else - return + log " user ID not found on keyserver." + return 1 fi } @@ -167,8 +167,11 @@ process_user_id() { fi requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]") - # fetch keys from keyserver, return 1 if none found - gpg_fetch_userid "$userID" || return 1 + # if CHECK_KEYSERVER variable set, check the keyserver + # for the user ID + if [ "$CHECK_KEYSERVER" = "true" ] ; then + gpg_fetch_userid "$userID" + fi # output gpg info for (exact) userid and store gpgOut=$(gpg --fixed-list-mode --list-key --with-colons \ @@ -176,7 +179,7 @@ process_user_id() { # return 1 if there only "tru" lines are output from gpg if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then - log " key not found." + log " key not found in keychain." return 1 fi 
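Review bot: In process_user_id the return value of `gpg_fetch_userid "$userID"` is now dropped, where the old line was `gpg_fetch_userid "$userID" || return 1`, so a failed or blocked keyserver lookup no longer stops processing and the function goes on to accept whatever the local keyring holds. If that fallback is intended, say so in the comment, e.g. `# keyserver failure is non-fatal: fall back to keys already in the keyring (revocations may be missed)`. gpg_fetch_userid sends gpg's stderr to /dev/null and logs every non-zero exit as "user ID not found on keyserver", so a network error cannot be told apart from a missing key; logging the exit status would help. process_user_id continues outside the hunk.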
@@ -268,7 +271,7 @@ process_user_id() { # key cache file if [ "$keyOK" -a "$uidOK" -a "${keyIDs[*]}" ] ; then for keyID in ${keyIDs[@]} ; do - log " acceptable key/uid found." + log " acceptable key/userID found." if [ "$MODE" = 'known_hosts' ] ; then # export the key diff --git a/src/monkeysphere b/src/monkeysphere index a6ca62d..230de06 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -113,6 +113,7 @@ MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"} AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} +CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index ec162ab..3887e48 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -40,11 +40,12 @@ fi # check for the host key in the known_hosts file hostKey=$(ssh-keygen -F "$HOST") -# if the host key is not found in the known_hosts file, -# check the keyserver -if [ -z "$hostKey" ] ; then - CHECK_KEYSERVER="true" +# if the host key is found in the known_hosts file, +# don't check the keyserver +if [ "$hostKey" ] ; then + CHECK_KEYSERVER="false" fi +export CHECK_KEYSERVER # update the known_hosts file for the host monkeysphere update-known-hosts "$HOST" -- cgit v1.2.3 From deb41134ca527508253244cfa8860a2031034825 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Jun 2008 15:26:21 -0400 Subject: Add extra variables to gen-key. --- src/monkeysphere-server | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index cdb76ee..6279c45 100755 
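Review bot: In the proxycommand hunk, once `ssh-keygen -F "$HOST"` returns any entry, `CHECK_KEYSERVER` is forced to "false", so a host that is already known never has its key refreshed from the keyserver on this path and a revocation or expiry change published there is not picked up. The assignment also overrides a `CHECK_KEYSERVER=true` the user set in the environment. `ssh-keygen -F` without `-f` searches only the default known_hosts file, which may differ from the `USER_KNOWN_HOSTS` that monkeysphere maintains. At minimum document the trade-off above the test, e.g. `# hosts already in known_hosts are not re-checked against the keyserver; revocations are only seen on an explicit update`.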
--- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -32,7 +32,7 @@ MonkeySphere server admin tool. subcommands: update-users (s) [USER]... update users authorized_keys files - gen-key (g) generate gpg key for the server + gen-key (g) [HOSTNAME] generate gpg key for the server publish-key (p) publish server key to keyserver trust-keys (t) KEYID... mark keyids as trusted update-user-userids (u) USER UID... add/update user IDs for a user @@ -44,14 +44,26 @@ EOF # generate server gpg key gen_key() { + local hostName + + hostName=${1:-$(hostname --fqdn)} + # set key defaults KEY_TYPE=${KEY_TYPE:-"RSA"} KEY_LENGTH=${KEY_LENGTH:-"2048"} KEY_USAGE=${KEY_USAGE:-"auth,encrypt"} - SERVICE=${SERVICE:-"ssh"} - HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} + cat < = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +EOF + read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"} - USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} + SERVICE=${SERVICE:-"ssh"} + USERID=${USERID:-"$SERVICE"://"$hostName"} # set key parameters keyParameters=$(cat <