From 48cd196efb86f8661fbf77552ef6c26b11fe20c6 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 10 Jun 2008 17:34:08 -0400 Subject: Add some skeletal debian packaging stuff and man pages, and moved conf files to etc directory. --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 debian/changelog (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..2b68de6 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,6 @@ +monkeysphere (0.1-1) unstable; urgency=low + + * to be first release... + + -- Jameson Graef Rollins Tue, 10 Jun 2008 17:20:16 -0400 + -- cgit v1.2.3 From 03cc847e6fc901ab4c1920324910126158655e37 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 13 Jun 2008 11:18:00 -0400 Subject: monkeysphere debianization. Package can now be cleanly built with minimal lintian warnings. --- COPYING | 6 +++--- Makefile | 5 ++++- debian/changelog | 5 +++-- debian/control | 6 +++--- debian/copyright | 9 +++++++-- man/man1/openpgp2ssh.1 | 54 ++++++++++++++++++++++++++++++-------------------- src/keytrans/Makefile | 2 +- test.key | 27 ------------------------- 8 files changed, 53 insertions(+), 61 deletions(-) delete mode 100644 test.key (limited to 'debian/changelog') diff --git a/COPYING b/COPYING index ab8788d..c920a0e 100644 --- a/COPYING +++ b/COPYING @@ -1,13 +1,13 @@ MonkeySphere is a system to use the OpenPGP web-of-trust to authenticate and encrypt ssh connections. -It is free software, written by: +It is free software, developed by: Jameson Rollins - Daniel Kahn Gillmor -with much help from: + Daniel Kahn Gillmor Jamie McClelland Micah Anderson Matthew Goins + Mike Castleman MonkeySphere is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of diff --git a/Makefile b/Makefile index b28e54e..64e6cbe 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,10 @@ all: keytrans keytrans: $(MAKE) -C src/keytrans +release: clean + tar c COPYING doc etc Makefile man src | gzip -n > ../monkeysphere_`head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`.orig.tar.gz + clean: $(MAKE) -C src/keytrans clean -.PHONY: all clean +.PHONY: all clean release diff --git a/debian/changelog b/debian/changelog index 2b68de6..ec744e1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ monkeysphere (0.1-1) unstable; urgency=low - * to be first release... + * First release of debian package for monkeysphere. + * This is experimental -- please report bugs! - -- Jameson Graef Rollins Tue, 10 Jun 2008 17:20:16 -0400 + -- Daniel Kahn Gillmor Fri, 13 Jun 2008 10:53:43 -0400 diff --git a/debian/control b/debian/control index e190ae0..afd5bfa 100644 --- a/debian/control +++ b/debian/control @@ -1,18 +1,18 @@ Source: monkeysphere Section: net Priority: extra -Maintainer: Daniel Kahn Gillmor +Maintainer: Daniel Kahn Gillmor Uploaders: Jameson Rollins Build-Depends: debhelper (>= 7.0), libgnutls-dev (>= 2.3.14) Standards-Version: 3.8.0.1 Homepage: http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH -Enhances: openssh-client, openssh-server Dm-Upload-Allowed: yes Package: monkeysphere Architecture: any -Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6) +Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), ${shlibs:Depends} Recommends: netcat +Enhances: openssh-client, openssh-server Description: use the OpenPGP web of trust to verify ssh connections SSH key-based authentication is tried-and-true, but it lacks a true Public Key Infrastructure for key certification, revocation and diff --git a/debian/copyright b/debian/copyright index 413f60f..11abe8b 100644 --- a/debian/copyright +++ b/debian/copyright @@ -4,8 +4,13 @@ Debianized-Date: Fri Jun 13 10:19:16 EDT 2008 Original-Source: http://lair.fifthhorseman.net/~dkg/git/monkeysphere.git/ Files: * -Copyright: Jameson Rollins , - Daniel Kahn Gillmor +Copyright: 2008 Jameson Rollins , + Daniel Kahn Gillmor , + Jamie McClelland , + Micah Anderson , + Matthew Goins , + Mike Castleman + License: GPL-3+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1 index 1a02b38..83b6154 100644 --- a/man/man1/openpgp2ssh.1 +++ b/man/man1/openpgp2ssh.1 @@ -7,31 +7,34 @@ openpgp2ssh .Nd translate OpenPGP keys to SSH keys .Sh SYNOPSIS .Nm openpgp2ssh < mykey.gpg - +.Pp .Nm gpg --export $KEYID | openpgp2ssh $KEYID - +.Pp .Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID .Sh DESCRIPTION -openpgp2ssh takes an OpenPGP-formatted primary key and associated +.Nm +takes an OpenPGP-formatted primary key and associated subkeys on standard input, and spits out the requested equivalent SSH-style key on standard output. - +.Pp If the data on standard input contains no subkeys, you can invoke -openpgp2ssh without arguments. If the data on standard input contains +.Nm +without arguments. If the data on standard input contains multiple keys (e.g. a primary key and associated subkeys), you must specify a specific OpenPGP keyid (e.g. CCD2ED94D21739E9) or fingerprint as the first argument to indicate which key to export. The keyid must be exactly 16 hex characters. - +.Pp If the input contains an OpenPGP RSA or DSA public key, it will be converted to the OpenSSH-style single-line keystring, prefixed with the key type. This format is suitable (with minor alterations) for insertion into known_hosts files and authorized_keys files. - +.Pp If the input contains an OpenPGP RSA or DSA secret key, it will be converted to the equivalent PEM-encoded private key. - -openpgp2ssh is part of the +.Pp +.Nm +is part of the .Xr monkeysphere 1 framework for providing a PKI for SSH. .Sh CAVEATS @@ -39,17 +42,20 @@ The keys produced by this process are stripped of all identifying information, including certifications, self-signatures, etc. This is intentional, since ssh attaches no inherent significance to these features. - -openpgp2ssh only works with RSA or DSA keys, because those are the +.Pp +.Nm +only works with RSA or DSA keys, because those are the only ones which work with ssh. - -Assuming a valid key type, though, openpgp2ssh will produce output for +.Pp +Assuming a valid key type, though, +.Nm +will produce output for any requested key. This means, among other things, that it will happily export revoked keys, unverifiable keys, expired keys, etc. Make sure you do your own key validation before using this tool! .Sh EXAMPLES .Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin - +.Pp This pushes the secret key into the active .Xr ssh-agent 1 . Tools such as @@ -58,21 +64,25 @@ which know how to talk to the .Xr ssh-agent 1 can now rely on the key. .Sh AUTHOR -openpgp2ssh and this man page were written by Daniel Kahn Gillmor +.Nm +and this man page were written by Daniel Kahn Gillmor . .Sh BUGS -openpgp2ssh currently only exports into formats used by the OpenSSH. +.Nm +currently only exports into formats used by the OpenSSH. It should support other key output formats, such as those used by lsh(1) and putty(1). - +.Pp Secret key output is currently not passphrase-protected. - -openpgp2ssh currently cannot handle passphrase-protected secret keys on input. - +.Pp +.Nm +currently cannot handle passphrase-protected secret keys on input. +.Pp It would be nice to be able to use keyids shorter or longer than 16 hex characters. - -openpgp2ssh only acts on keys associated with the first primary key +.Pp +.Nm +only acts on keys associated with the first primary key passed in. If you send it more than one primary key, it will silently ignore later ones. .Sh SEE ALSO diff --git a/src/keytrans/Makefile b/src/keytrans/Makefile index 53fa5dc..79602ef 100644 --- a/src/keytrans/Makefile +++ b/src/keytrans/Makefile @@ -1,7 +1,7 @@ all: openpgp2ssh openpgp2ssh: openpgp2ssh.c gnutls-helpers.o - gcc -g -Wall --pedantic -o openpgp2ssh openpgp2ssh.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o + gcc -g -Wall --pedantic -o openpgp2ssh openpgp2ssh.c `libgnutls-config --libs --cflags` gnutls-helpers.o %.o: %.c gcc -g -Wall --pedantic -o $@ -c $< diff --git a/test.key b/test.key deleted file mode 100644 index 4e05880..0000000 --- a/test.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAxMv33LvWBZnKtahorHGYdBZqVxrNUQcVNrgxp4bf/FvgvSLG -kBrw6wHFdVYvWWViD5efrJugqA4+pKp16LEWlc7JZICrou4vEJGkvoqBIJC/4cVN -xcwV1a8jo9ZOYjt0JIyuHrEDGW/edQYWI41XO/H+QdMDsdI+oOmfPV/V4eMyjGKH -vRJ+xDae5izhUb3Lb00YnxpP2n/zhvHpn7weu+bzvwb3pMMo9336Ft7m5ulGPJzN -+3l595LW+lUSDUlUJbACp4Nyn+i9ODPV6xzghzirsh7rnD8jD2kaqIVkcvEhusoB -JN3daPXt9t6m5cfsCWu31BXdbpTWiLIZRUxDzQIBIwKCAQEAl9CMAg0+s90KFxuD -8r4H5IZSCK5GnZe/6GI07vMEj3oTxRrTsP7XG7DoyDsr1z+UyjMjZ+XFE+27S9P0 -ju8Cy1Zg2ICEZ78OXT0nUSkEhtYQXbV2gqTAYwNzQ9/WEUPOn9o9LZ5+u9n0wKzs -gdNvLj5WbUsC2aIwUD8xswDJkP5cA4RfKo8Mz40aXbK6b+S/bOKEkXRFvOor46pl -A8GHxUVcUPUG7LAXCm1FWrDob6FTlv3yW8DeVTCYwt6HdrTmc9b+yOinwMR6ZvUz -R6AESGG7czCvA6rpkCcprfCPx0gfntuzLiGRtl54GvbYWWtPDlxnPwcw1zcSALvM -pJNpawKBgQD/zze04kYZBNDTxolBrZltpPXtPpOrG2Otp8CHreOKn0TifCFPDnCb -ewUhxuDRA+L9KPLT311DtHfIzXJ8/RD6K/QE72ny39h2X2Pn2hWSgb9+iysHBDNc -jb136QFoKQcpqUpLEfTvA71Yqvuk6gsYiuWnIN5KJwy/AhwFQnK/WQKBgQDE8X87 -C+0JSg2ybUopOQVSrvildJEa8CWbM1SAL1j3E24U2fPh+zVmIxqa2m4X/PxFBBTv -WVGayzFkmJK2Dgt7F7hBqi5HelP0B38dXtkPlK6idTALNHoS/7HCDXISgHmDOhcQ -LHGQUuQMkTq6H4cOMwTNO5aM2zc5E9uF/hptlQKBgEHHkftQIKdZAn+Zc8Bud+j+ -iGGTv5JmIPIj0mwIJJFcJ6f0CJCr8RIJsNzMvXeTSP9FCz3LuOWGLW4mM2H37mw3 -MB6GtNgNrLC5cXYiIs3m2XhPq/p9bEr/4ENnzSlposGR7ohVExjjtFig/uFDfzIy -WE+MG+cunOCoxWBwLCKTAoGBALQP/0vtpYTV/eT2NS0A7uyCt3Kzt94dZDYgTUH/ -Z0hMR2OFcUOj2Qzs5R/dpnxVA+dUMGXOAXeVNHk7CcsFhtbxHX3dbCQYEj4yvVyu -fVAS6M8MDqsoqh//uHbnuMB1dmlZrq+zmwecPjdgNbF76TGNuz9MbGOGmOO6Yk6f -LhsLAoGAJoK+yRDaEFDwrjdvGazEy/d1CtknkGY2r4vb8giEodFJcQQhtVtjnYPl -gDIpbcpeT0GDiZd0pxAxpibbKM63pYz8PKtlq0B/qXgArRgJnbku01Jc4iLVWPqK -qitRgsz1HdN2tIqa8oQE0iuvyoq+r6+pqcQJd7sc6lKlk0gO0Mo= ------END RSA PRIVATE KEY----- -- cgit v1.2.3 From 418db67eab25d035e585e2237b57b5d9ebf261c6 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 00:35:41 -0400 Subject: preparing for first tagged release (planned for george.riseup.net). --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index ec744e1..ce425b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,5 +3,5 @@ monkeysphere (0.1-1) unstable; urgency=low * First release of debian package for monkeysphere. * This is experimental -- please report bugs! - -- Daniel Kahn Gillmor Fri, 13 Jun 2008 10:53:43 -0400 + -- Daniel Kahn Gillmor Thu, 19 Jun 2008 00:34:53 -0400 -- cgit v1.2.3 From f126697f731f311fb9561217be751b36ec49db4a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 04:04:32 -0400 Subject: bumping revision number for next version. --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index ce425b0..d326473 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +monkeysphere (0.2-1) UNRELEASED; urgency=low + + * NOT YET RELEASED + * + + -- Daniel Kahn Gillmor Thu, 19 Jun 2008 04:03:45 -0400 + monkeysphere (0.1-1) unstable; urgency=low * First release of debian package for monkeysphere. -- cgit v1.2.3 From bb383503ddd5df97801afe10fb104705ca41f66c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 19 Jun 2008 11:40:25 -0400 Subject: switching suite to experimental to properly reflect status. --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index d326473..74c5d8b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,11 +1,11 @@ monkeysphere (0.2-1) UNRELEASED; urgency=low - * NOT YET RELEASED + * NOT YET RELEASED (switch to "experimental" when ready to release) * -- Daniel Kahn Gillmor Thu, 19 Jun 2008 04:03:45 -0400 -monkeysphere (0.1-1) unstable; urgency=low +monkeysphere (0.1-1) experimental; urgency=low * First release of debian package for monkeysphere. * This is experimental -- please report bugs! -- cgit v1.2.3 From 15637a9ab9b4fe7ea537988f5cc145d35948d783 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 19 Jun 2008 15:22:46 -0400 Subject: Added server config variable to specify user authorized_user_ids file, and changed default. --- debian/changelog | 9 +++++-- etc/monkeysphere-server.conf | 9 ++++++- src/common | 32 +++++++++++++++++++---- src/monkeysphere | 6 ++--- src/monkeysphere-server | 55 +++++++++++++++++++++++---------------- src/monkeysphere-ssh-proxycommand | 2 +- 6 files changed, 78 insertions(+), 35 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 74c5d8b..9bfcc26 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,14 @@ monkeysphere (0.2-1) UNRELEASED; urgency=low + [ Daniel Kahn Gillmor ] * NOT YET RELEASED (switch to "experimental" when ready to release) - * - -- Daniel Kahn Gillmor Thu, 19 Jun 2008 04:03:45 -0400 + [ Jameson Graef Rollins ] + * Add AUTHORIZED_USER_IDS config variable for server, which defaults to + %h/.config/monkeysphere/authorized_user_ids, instead of + /etc/monkeysphere/authorized_user_ids. + + -- Jameson Graef Rollins Thu, 19 Jun 2008 15:22:05 -0400 monkeysphere (0.1-1) experimental; urgency=low diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf index 3915bf4..847e879 100644 --- a/etc/monkeysphere-server.conf +++ b/etc/monkeysphere-server.conf @@ -17,8 +17,15 @@ # a = authentication #REQUIRED_USER_KEY_CAPABILITY="a" +# Path to authorized_user_ids file to process to create +# authorized_keys file. '%h' will be replaced by the home directory +# of the user, and %u will be replaced by the username of the user. +# For purely admin-controlled authorized_user_ids, you might put them +# in /etc/monkeysphere/authorized_user_ids/%u +#AUTHORIZED_USER_IDS="%h/.config/monkeysphere/authorized_user_ids" + # Whether to add user controlled authorized_keys file to # monkeysphere-generated authorized_keys file. Should be path to file # where '%h' will be replaced by the home directory of the user. # To not add any user-controlled file, put "-" -#USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys +#USER_CONTROLLED_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" diff --git a/src/common b/src/common index c39506d..89efc46 100644 --- a/src/common +++ b/src/common @@ -85,6 +85,24 @@ remove_line() { fi } +# translate ssh-style path variables %h and %u +translate_ssh_variables() { + local uname + local home + + uname="$1" + path="$2" + + # get the user's home directory + userHome=$(getent passwd "$uname" | cut -d: -f6) + + # translate ssh-style path variables + path=${path/\%u/"$uname"} + path=${path/\%h/"$userHome"} + + echo "$path" +} + ### CONVERTION UTILITIES # output the ssh key for a given key ID @@ -358,6 +376,7 @@ update_userid() { local userID userID="$1" + authorizedUserIDs="$2" log "processing userid: '$userID'" @@ -365,12 +384,12 @@ update_userid() { process_user_id "$userID" | grep -q "^0 " # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} = 'Y' ] ; then # add if specified log -n " adding user ID to authorized_user_ids file... " - echo "$userID" >> "$AUTHORIZED_USER_IDS" + echo "$userID" >> "$authorizedUserIDs" loge "done." else # else do nothing @@ -384,18 +403,19 @@ remove_userid() { local userID userID="$1" + authorizedUserIDs="$2" log "processing userid: '$userID'" # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then log " user ID not currently authorized." return 1 fi # remove user ID from file log -n " removing user ID '$userID'... " - remove_line "$AUTHORIZED_USER_IDS" "^${userID}$" + remove_line "$authorizedUserIDs" "^${userID}$" loge "done." } @@ -480,7 +500,9 @@ process_known_hosts() { process_authorized_user_ids() { local userid - cat "$AUTHORIZED_USER_IDS" | meat | \ + authorizedUserIDs="$1" + + cat "$authorizedUserIDs" | meat | \ while read -r userid ; do process_uid_authorized_keys "$userid" done diff --git a/src/monkeysphere b/src/monkeysphere index a6cecfd..a9c9d58 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -164,7 +164,7 @@ case $COMMAND in failure "you must specify at least one userid." fi for userID ; do - update_userid "$userID" + update_userid "$userID" "$AUTHORIZED_USER_IDS" done log "Run the following to update your monkeysphere authorized_keys file:" log "$PGRM update-authorized_keys" @@ -175,7 +175,7 @@ case $COMMAND in failure "you must specify at least one userid." fi for userID ; do - remove_userid "$userID" + remove_userid "$userID" "$AUTHORIZED_USER_IDS" done log "Run the following to update your monkeysphere authorized_keys file:" log "$PGRM update-authorized_keys" @@ -191,7 +191,7 @@ case $COMMAND in # process authorized_user_ids file log "processing authorized_user_ids file..." - process_authorized_user_ids + process_authorized_user_ids "$AUTHORIZED_USER_IDS" log "authorized_keys file updated." ;; diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 96a1070..bfd5db8 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -139,6 +139,7 @@ GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} +AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} export GNUPGHOME @@ -153,40 +154,44 @@ mkdir -p "${CACHE}/authorized_keys" case $COMMAND in 'update-users'|'update-user'|'s') if [ "$1" ] ; then + # get users from command line unames="$@" else - unames=$(ls -1 "${MS_HOME}/authorized_user_ids") + # or just look at all users if none specified + unames=$(getent passwd | cut -d: -f1) fi + # loop over users for uname in $unames ; do MODE="authorized_keys" + # set authorized_user_ids variable, + # translate ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") + + # skip user if authorized_user_ids file does not exist + if [ ! -f "$authorizedUserIDs" ] ; then + continue + fi + log "----- user: $uname -----" - # set variables for the user - AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}" # temporary authorized_keys file - AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp" - - # make sure user's authorized_user_ids file exists - touch "$AUTHORIZED_USER_IDS" - # make sure the authorized_keys file exists and is clear - > "$AUTHORIZED_KEYS" + AUTHORIZED_KEYS=$(mktemp) # skip if the user's authorized_user_ids file is empty - if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then - log "authorized_user_ids file for '$uname' is empty." + if [ ! -s "$authorizedUserIDs" ] ; then + log "authorized_user_ids file '$authorizedUserIDs' is empty." continue fi # process authorized_user_ids file log "processing authorized_user_ids file..." - process_authorized_user_ids + process_authorized_user_ids "$authorizedUserIDs" # add user-controlled authorized_keys file path if specified if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then - userHome=$(getent passwd "$uname" | cut -d: -f6) - userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"} + userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS") if [ -f "$userAuthorizedKeys" ] ; then log -n "adding user's authorized_keys file... " cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS" @@ -195,7 +200,7 @@ case $COMMAND in fi # move the temp authorized_keys file into place - mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}" + mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}" log "authorized_keys file updated." done @@ -236,15 +241,16 @@ case $COMMAND in failure "You must specify at least one user ID." fi - # set variables for the user - AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + # set authorized_user_ids variable, + # translate ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") # make sure user's authorized_user_ids file exists - touch "$AUTHORIZED_USER_IDS" + touch "$authorizedUserIDs" # process the user IDs for userID ; do - update_userid "$userID" + update_userid "$userID" "$authorizedUserIDs" done log "Run the following to update user's authorized_keys file:" @@ -261,15 +267,18 @@ case $COMMAND in failure "You must specify at least one user ID." fi - # set variables for the user - AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + # set authorized_user_ids variable, + # translate ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") # make sure user's authorized_user_ids file exists - touch "$AUTHORIZED_USER_IDS" + if [ ! -f "$authorizedUserIDs" ] ; then + failure "authorized_user_ids file '$authorizedUserIDs' does not exist." + fi # process the user IDs for userID ; do - remove_userid "$userID" + remove_userid "$userID" "$authorizedUserIDs" done log "Run the following to update user's authorized_keys file:" diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 4cbcd51..f4d4b0d 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -49,7 +49,7 @@ if [ "$PORT" != '22' ] ; then fi # if the host is in the gpg keyring... -if gpg --list-key ="${URI}" >/dev/null ; then +if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then # do not check the keyserver CHECK_KEYSERVER="false" # if the host is NOT in the keyring... -- cgit v1.2.3 From f511119f57f076147acb2b5dccae597b34df6c8d Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 19 Jun 2008 16:57:09 -0400 Subject: Remove {update,remove}-userids functions, since we decided they weren't worth it. Updated man pages as well. --- debian/changelog | 4 ++- man/man1/monkeysphere-ssh-proxycommand.1 | 30 +++++++++++----- man/man1/monkeysphere.1 | 21 +----------- man/man8/monkeysphere-server.8 | 11 ++---- src/common | 50 --------------------------- src/monkeysphere | 24 ------------- src/monkeysphere-server | 59 +------------------------------- 7 files changed, 28 insertions(+), 171 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 9bfcc26..726f262 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,8 +7,10 @@ monkeysphere (0.2-1) UNRELEASED; urgency=low * Add AUTHORIZED_USER_IDS config variable for server, which defaults to %h/.config/monkeysphere/authorized_user_ids, instead of /etc/monkeysphere/authorized_user_ids. + * Remove {update,remove}-userids functions, since we decided they + weren't useful enough to be worth maintaining. - -- Jameson Graef Rollins Thu, 19 Jun 2008 15:22:05 -0400 + -- Jameson Graef Rollins Thu, 19 Jun 2008 16:56:32 -0400 monkeysphere (0.1-1) experimental; urgency=low diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 index 5fabb91..c4196f2 100644 --- a/man/man1/monkeysphere-ssh-proxycommand.1 +++ b/man/man1/monkeysphere-ssh-proxycommand.1 @@ -18,17 +18,29 @@ or by adding the following line to your ~/.ssh/config script: .B ProxyCommand monkeysphere-ssh-proxycommand %h %p -The script is very simple, and can easily be incorporated into other -ProxyCommand scripts. It first tests to see if the host is in the -known_hosts file. If it's not, the CHECK_KEYSERVER variable is set to -true and "update-known_hosts" is run for the host to check for a host -key for that host. If the host is found in the known_hosts file, -CHECK_KEYSERVER is set to false and "update-known_hosts" is run to -update from the local keychain. +The script can easily be incorporated into other ProxyCommand scripts +by calling it with the "--no-connect" option, ie: -Run the following command for more info: +.B monkeysphere-ssh-proxycommand --no-connect "$HOST" "$PORT" -.B less $(which monkeysphere-ssh-proxycommand) +This will run everything but will not exec netcat to make the tcp +connection to the host. + +.SH KEYSERVER CHECKING + +The proxy command has a fairly nuanced policy for when keyservers are +queried when processing host. If the host userID is not found in +either the user's keyring or in the known_hosts file, then the +keyserver is queried for the host userID. If the host userID is found +in the user's keyring, then the keyserver is not checked. This is +because... If the host userID is not found in the user's keyring, but +the host is listed in the known_hosts file, then defered check is +scheduled. + +.SH ENVIRONMENT VARIABLES + +.TP +KEYSERVER The keyserver to query. .SH AUTHOR diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index f36d69e..30e35bb 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -33,20 +33,6 @@ is done. If no hosts are specified, all hosts listed in the known_hosts file will be processed. `k' may be used in place of `update-known_hosts'. .TP -.B update-userids [USERID]... -Add/update a user ID to the authorized_user_ids file. The user IDs -specified should be exact matches to OpenPGP user IDs. For each -specified user ID, gpg will be queried for a key associated with that -user ID, querying a keyserver if specified. If a key is found, the -user ID will be added to the user's authorized_user_ids file (if it -wasn't already present). `u' may be used in place of -`update-userids'. -.TP -.B remove-userids [USERID]... -Remove a user ID from the authorized_user_ids file. The user IDs -specified should be exact matches to OpenPGP user IDs. `r' may be -used in place of `remove-userids'. -.TP .B update-authorized_keys Update the monkeysphere authorized_keys file. For each user ID in the user's authorized_user_ids file, gpg will be queried for keys @@ -78,9 +64,7 @@ specification for the host, ie. "ssh://host.full.domain". GPG keys are considered acceptable if the following criteria are met: .TP .B capability -For host keys, the key must have both the "authentication" ("a") and -"encrypt" ("e") capability flags. For user keys, the key must have -the "authentication" ("a") capability flag. +The key must have the "authentication" ("a") usage flag set. .TP .B validity The key must be "fully" valid, and must not be expired or revoked. @@ -97,9 +81,6 @@ System-wide monkeysphere config file. ~/.config/monkeysphere/authorized_user_ids OpenPGP user IDs associated with keys that will be checked for addition to the authorized_keys file. -.TP -~/.config/monkeysphere/authorized_keys -Monkeysphere generated authorized_keys file. .SH AUTHOR diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 28149fb..3073adc 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -23,7 +23,8 @@ be used for authentication of ssh connections. .TP .B update-users [USER]... Update the admin-controlled authorized_keys files for user. For each -user specified, update the user's authorized_keys file in +user specified, user ID's listed in the user's authorized_user_ids +file are processed, and the user's authorized_keys file in /var/cache/monkeysphere/authorized_keys/USER. See `man monkeysphere' for more info. If the USER_CONTROLLED_AUTHORIZED_KEYS variable is set, then a user-controlled authorized_keys file (usually @@ -46,14 +47,6 @@ of `publish-key'. Mark key specified with key IDs with full owner trust. `t' may be used in place of `trust-keys'. .TP -.B update-user-userids USER USERID... -Add/update a user ID to the authorized_user_ids file for USER. `u' may -be used in place of `update-user-userids'. -.TP -.B remove-user-userids USER USERID... -Remove a user ID from the authorized_user_ids file for USER. `r' may -be used in place of `remove-user-userids'. -.TP .B help Output a brief usage summary. `h' or `?' may be used in place of `help'. diff --git a/src/common b/src/common index 89efc46..00ee7b0 100644 --- a/src/common +++ b/src/common @@ -369,56 +369,6 @@ process_user_id() { done } -# update the cache for userid, and prompt to add file to -# authorized_user_ids file if the userid is found in gpg -# and not already in file. -update_userid() { - local userID - - userID="$1" - authorizedUserIDs="$2" - - log "processing userid: '$userID'" - - # process the user ID to pull it from keyserver - process_user_id "$userID" | grep -q "^0 " - - # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then - read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} - if [ ${OK/y/Y} = 'Y' ] ; then - # add if specified - log -n " adding user ID to authorized_user_ids file... " - echo "$userID" >> "$authorizedUserIDs" - loge "done." - else - # else do nothing - log " authorized_user_ids file untouched." - fi - fi -} - -# remove a userid from the authorized_user_ids file -remove_userid() { - local userID - - userID="$1" - authorizedUserIDs="$2" - - log "processing userid: '$userID'" - - # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then - log " user ID not currently authorized." - return 1 - fi - - # remove user ID from file - log -n " removing user ID '$userID'... " - remove_line "$authorizedUserIDs" "^${userID}$" - loge "done." -} - # process a host in known_host file process_host_known_hosts() { local host diff --git a/src/monkeysphere b/src/monkeysphere index a9c9d58..a433701 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -35,8 +35,6 @@ MonkeySphere client tool. subcommands: update-known_hosts (k) [HOST]... update known_hosts file - update-userids (u) [USERID]... add/update user IDs - remove-userids (r) [USERID]... remove user IDs update-authorized_keys (a) update authorized_keys file gen-subkey (g) KEYID generate an 'a' capable subkey help (h,?) this help @@ -159,28 +157,6 @@ case $COMMAND in fi ;; - 'update-userids'|'update-userid'|'u') - if [ -z "$1" ] ; then - failure "you must specify at least one userid." - fi - for userID ; do - update_userid "$userID" "$AUTHORIZED_USER_IDS" - done - log "Run the following to update your monkeysphere authorized_keys file:" - log "$PGRM update-authorized_keys" - ;; - - 'remove-userids'|'remove-userid'|'r') - if [ -z "$1" ] ; then - failure "you must specify at least one userid." - fi - for userID ; do - remove_userid "$userID" "$AUTHORIZED_USER_IDS" - done - log "Run the following to update your monkeysphere authorized_keys file:" - log "$PGRM update-authorized_keys" - ;; - 'update-authorized_keys'|'update-authorized-keys'|'a') MODE='authorized_keys' diff --git a/src/monkeysphere-server b/src/monkeysphere-server index bfd5db8..154c146 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -31,14 +31,11 @@ usage: $PGRM [args] MonkeySphere server admin tool. subcommands: + update-users (s) [USER]... update users authorized_keys files gen-key (g) [HOSTNAME] generate gpg key for the server show-fingerprint (f) show server's host key fingerprint publish-key (p) publish server key to keyserver trust-keys (t) KEYID... mark keyids as trusted - - update-users (s) [USER]... update users authorized_keys files - update-user-userids (u) USER UID... add/update user IDs for a user - remove-user-userids (r) USER UID... remove user IDs for a user help (h,?) this help EOF @@ -231,60 +228,6 @@ case $COMMAND in done ;; - 'update-user-userids'|'update-user-userid'|'u') - uname="$1" - shift - if [ -z "$uname" ] ; then - failure "You must specify user." - fi - if [ -z "$1" ] ; then - failure "You must specify at least one user ID." - fi - - # set authorized_user_ids variable, - # translate ssh-style path variables - authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") - - # make sure user's authorized_user_ids file exists - touch "$authorizedUserIDs" - - # process the user IDs - for userID ; do - update_userid "$userID" "$authorizedUserIDs" - done - - log "Run the following to update user's authorized_keys file:" - log "$PGRM update-users $uname" - ;; - - 'remove-user-userids'|'remove-user-userid'|'r') - uname="$1" - shift - if [ -z "$uname" ] ; then - failure "You must specify user." - fi - if [ -z "$1" ] ; then - failure "You must specify at least one user ID." - fi - - # set authorized_user_ids variable, - # translate ssh-style path variables - authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") - - # make sure user's authorized_user_ids file exists - if [ ! -f "$authorizedUserIDs" ] ; then - failure "authorized_user_ids file '$authorizedUserIDs' does not exist." - fi - - # process the user IDs - for userID ; do - remove_userid "$userID" "$authorizedUserIDs" - done - - log "Run the following to update user's authorized_keys file:" - log "$PGRM update-users $uname" - ;; - 'help'|'h'|'?') usage ;; -- cgit v1.2.3 From 7019354a75ca19ffd2e10f2e2b3dc89b480156bd Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 19 Jun 2008 18:09:41 -0400 Subject: Better handling of unknown users in server update-users. Updated TODO file. --- debian/changelog | 3 ++- doc/TODO | 21 +++------------------ doc/george/user-id-configuration | 7 ------- src/common | 13 ++++++++++--- src/monkeysphere-server | 10 ++++++++-- 5 files changed, 23 insertions(+), 31 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 726f262..bd12e1a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,8 +9,9 @@ monkeysphere (0.2-1) UNRELEASED; urgency=low /etc/monkeysphere/authorized_user_ids. * Remove {update,remove}-userids functions, since we decided they weren't useful enough to be worth maintaining. + * Better handling of unknown users in server update-users - -- Jameson Graef Rollins Thu, 19 Jun 2008 16:56:32 -0400 + -- Jameson Graef Rollins Thu, 19 Jun 2008 18:08:57 -0400 monkeysphere (0.1-1) experimental; urgency=low diff --git a/doc/TODO b/doc/TODO index 5cd9be9..a82f031 100644 --- a/doc/TODO +++ b/doc/TODO @@ -26,37 +26,22 @@ Streamline host key generation, publication, verification. See doc/george/host-key-publication for what dkg went through on 2008-06-19 -Streamline authorized_user_ids setup (including question of where - authorized_user_ids files should go). See - doc/george/user-id-configuration for what dkg went through on - 2008-06-19 - Ensure that authorized_user_ids are under as tight control as ssh expects from authorized_keys: we don't want monkeysphere to be a weak link in the filesystem. -What happens when there are no entries in the authorized_user_ids file - for a user? /var/cache/monkeysphere/authorized_keys/$USER.tmp - seems like it gets created and then left there. - What happens when a user account has no corresponding /etc/monkeysphere/authorized_user_ids/$USER file? What gets placed in /var/cache/monkeysphere/authorized_keys/$USER? It looks currently untouched, which could mean bad things for such a user. + - if authorized_user_ids is empty, then the user's authorized_keys + file will be also, unless the user-controlled authorized_keys file + is added. I believe this is expected, correct behavior. Consider the default permissions for /var/cache/monkeysphere/authorized_keys/* (and indeed the whole directory path leading up to that) -What should happen when an admin does - "monkeysphere-server update-users not_an_existent_user"? - currently, it adds - /etc/monkeysphere/authorized_user_ids/not_an_existent_user, which - seems rather wrong. - -is /var/cache/monkeysphere/authorized_keys/$USER.tmp guaranteed to - avoid collisions? Why not use a real mktemp file? - As an administrator, how do i reverse the effect of a "monkeysphere-server trust-keys" that i later decide i should not have run? diff --git a/doc/george/user-id-configuration b/doc/george/user-id-configuration index d42bfbd..9a7f4d2 100644 --- a/doc/george/user-id-configuration +++ b/doc/george/user-id-configuration @@ -33,13 +33,6 @@ and then modified /etc/ssh/sshd_config with: Some outstanding questions: - * why are the authorized_user_ids stored in /etc/ and not in people's - home directories? - - * why are authorized_user_ids managed with a special sub-command of - monkeysphere-server, instead of just being hand-managed files, the - way that authorized_keys are in stock openssh? - * Should we ship a scheduled monkeysphere-server update-users cron job automatically? diff --git a/src/common b/src/common index 00ee7b0..e98f1bc 100644 --- a/src/common +++ b/src/common @@ -18,10 +18,17 @@ ETC="/etc/monkeysphere" export ETC CACHE="/var/cache/monkeysphere" export CACHE +ERR=0 +export ERR ######################################################################## ### UTILITY FUNCTIONS +error() { + log "$1" + ERR=${2:-'1'} +} + failure() { echo "$1" >&2 exit ${2:-'1'} @@ -29,12 +36,12 @@ failure() { # write output to stderr log() { - echo -n "ms: " 1>&2 - echo "$@" 1>&2 + echo -n "ms: " >&2 + echo "$@" >&2 } loge() { - echo "$@" 1>&2 + echo "$@" >&2 } # cut out all comments(#) and blank lines from standard input diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 154c146..a9a9aed 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -162,6 +162,12 @@ case $COMMAND in for uname in $unames ; do MODE="authorized_keys" + # check all specified users exist + if ! getent passwd | cut -d: -f1 | grep -q "^${uname}$" ; then + error "----- unknown user '$uname' -----" + continue + fi + # set authorized_user_ids variable, # translate ssh-style path variables authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") @@ -201,8 +207,6 @@ case $COMMAND in log "authorized_keys file updated." done - - log "----- done. -----" ;; 'gen-key'|'g') @@ -237,3 +241,5 @@ case $COMMAND in Type '$PGRM help' for usage." ;; esac + +exit "$ERR" -- cgit v1.2.3 From 736054b1c1d8e3433d709ea8bbeb1b8ac7257927 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 20 Jun 2008 00:44:36 -0400 Subject: add file locking to known_hosts and authorized_keys --- debian/changelog | 3 +- src/common | 102 +++++++++++++++++++++++++++++++------------------------ src/monkeysphere | 10 +++--- 3 files changed, 64 insertions(+), 51 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index bd12e1a..2133d2d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,8 +10,9 @@ monkeysphere (0.2-1) UNRELEASED; urgency=low * Remove {update,remove}-userids functions, since we decided they weren't useful enough to be worth maintaining. * Better handling of unknown users in server update-users + * Add file locking when modifying known_hosts or authorized_keys - -- Jameson Graef Rollins Thu, 19 Jun 2008 18:08:57 -0400 + -- Jameson Graef Rollins Fri, 20 Jun 2008 00:43:44 -0400 monkeysphere (0.1-1) experimental; urgency=low diff --git a/src/common b/src/common index e98f1bc..7df6908 100644 --- a/src/common +++ b/src/common @@ -376,62 +376,79 @@ process_user_id() { done } -# process a host in known_host file -process_host_known_hosts() { +# process hosts in the known_host file +process_hosts_known_hosts() { local host local userID local ok local keyid local tmpfile - host="$1" - userID="ssh://${host}" - - log "processing host: $host" - - process_user_id "ssh://${host}" | \ - while read -r ok keyid ; do - sshKey=$(gpg2ssh "$keyid") - # remove the old host key line - remove_line "$KNOWN_HOSTS" "$sshKey" - # if key OK, add new host line - if [ "$ok" -eq '0' ] ; then - # hash if specified - if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then - # FIXME: this is really hackish cause ssh-keygen won't - # hash from stdin to stdout - tmpfile=$(mktemp) - ssh2known_hosts "$host" "$sshKey" > "$tmpfile" - ssh-keygen -H -f "$tmpfile" 2> /dev/null - cat "$tmpfile" >> "$KNOWN_HOSTS" - rm -f "$tmpfile" "${tmpfile}.old" - else - ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS" + # create a lockfile on known_hosts + lockfile-create "$KNOWN_HOSTS" + + for host ; do + log "processing host: $host" + + userID="ssh://${host}" + + process_user_id "ssh://${host}" | \ + while read -r ok keyid ; do + sshKey=$(gpg2ssh "$keyid") + # remove the old host key line + remove_line "$KNOWN_HOSTS" "$sshKey" + # if key OK, add new host line + if [ "$ok" -eq '0' ] ; then + # hash if specified + if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then + # FIXME: this is really hackish cause ssh-keygen won't + # hash from stdin to stdout + tmpfile=$(mktemp) + ssh2known_hosts "$host" "$sshKey" > "$tmpfile" + ssh-keygen -H -f "$tmpfile" 2> /dev/null + cat "$tmpfile" >> "$KNOWN_HOSTS" + rm -f "$tmpfile" "${tmpfile}.old" + else + ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS" + fi fi - fi + done + # touch the lockfile, for good measure. + lockfile-touch --oneshot "$KNOWN_HOSTS" done + + # remove the lockfile + lockfile-remove "$KNOWN_HOSTS" } -# process a uid in an authorized_keys file -process_uid_authorized_keys() { +# process uids for the authorized_keys file +process_uids_authorized_keys() { local userID local ok local keyid - userID="$1" + # create a lockfile on authorized_keys + lockfile-create "$AUTHORIZED_KEYS" - log "processing user ID: $userID" + for userID ; do + log "processing user ID: $userID" - process_user_id "$userID" | \ - while read -r ok keyid ; do - sshKey=$(gpg2ssh "$keyid") - # remove the old host key line - remove_line "$AUTHORIZED_KEYS" "$sshKey" - # if key OK, add new host line - if [ "$ok" -eq '0' ] ; then - ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS" - fi + process_user_id "$userID" | \ + while read -r ok keyid ; do + sshKey=$(gpg2ssh "$keyid") + # remove the old host key line + remove_line "$AUTHORIZED_KEYS" "$sshKey" + # if key OK, add new host line + if [ "$ok" -eq '0' ] ; then + ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS" + fi + done + # touch the lockfile, for good measure. + lockfile-touch --oneshot "$AUTHORIZED_KEYS" done + + # remove the lockfile + lockfile-remove "$AUTHORIZED_KEYS" } # process known_hosts file @@ -446,10 +463,7 @@ process_known_hosts() { cat "$KNOWN_HOSTS" | meat | \ cut -d ' ' -f 1 | grep -v '^|.*$' | \ while IFS=, read -r -a hosts ; do - # and process each host - for host in ${hosts[*]} ; do - process_host_known_hosts "$host" - done + process_hosts_known_hosts ${hosts[@]} done } @@ -461,7 +475,7 @@ process_authorized_user_ids() { cat "$authorizedUserIDs" | meat | \ while read -r userid ; do - process_uid_authorized_keys "$userid" + process_uids_authorized_keys "$userid" done } diff --git a/src/monkeysphere b/src/monkeysphere index a433701..58f0fdc 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -140,12 +140,9 @@ case $COMMAND in # if hosts are specified on the command line, process just # those hosts if [ "$1" ] ; then - for host ; do - process_host_known_hosts "$host" - done - log "known_hosts file updated." + process_hosts_known_hosts "$@" - # otherwise, if no hosts are specified, process every user + # otherwise, if no hosts are specified, process every host # in the user's known_hosts file else if [ ! -s "$KNOWN_HOSTS" ] ; then @@ -153,8 +150,9 @@ case $COMMAND in fi log "processing known_hosts file..." process_known_hosts - log "known_hosts file updated." fi + + log "known_hosts file updated." ;; 'update-authorized_keys'|'update-authorized-keys'|'a') -- cgit v1.2.3