From e93a298ec6f9abd80e30a933b0dd84c764d11bff Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Feb 2009 21:28:32 -0500 Subject: REMOVE GEN_KEY. The gen_key function is entirely removed. Decided this was OK now that import_key works, and we can't really see a reason to keep it around. We can resurect it down the line if need be. Also, removed "expert" subcommand, after promting import_key, since it may be need semi-regularly. The other "expert" commands are now just not listed in the usage. --- man/man8/monkeysphere-authentication.8 | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) (limited to 'man/man8/monkeysphere-authentication.8') diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index 2b0091e..4187c70 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -60,6 +60,17 @@ Instruct system to ignore user identity certifications made by KEYID. List key IDs trusted by the system to certify user identities. `c' may be used in place of `list-id-certifiers'. .TP +.B diagnostics +Review the state of the server with respect to authentication. `d' +may be used in place of `diagnostics'. +.TP +.B gpg-cmd +Execute a gpg command, as the monkeysphere user, on the monkeysphere +authentication "sphere" keyring. This takes a single argument +(multiple gpg arguments need to be quoted). Use this command with +caution, as modifying the authentication sphere keyring can affect ssh +user authentication. +.TP .B help Output a brief usage summary. `h' or `?' may be used in place of `help'. @@ -67,22 +78,6 @@ Output a brief usage summary. `h' or `?' may be used in place of .B version show version number -.SH "EXPERT" SUBCOMMANDS - -Some commands are very unlikely to be needed by most administrators. -These commands must prefaced by the word `expert'. -.TP -.B diagnostics -Review the state of the server with respect to authentication. `d' -may be used in place of `diagnostics'. -.TP -.B gpg-cmd -Execute a gpg command on the gnupg-authentication keyring as the -monkeysphere user. This takes a single command (multiple gpg -arguments need to be quoted). Use this command with caution, as -modifying the gnupg-authentication keyring can affect ssh user -authentication. - .SH SETUP USER AUTHENTICATION If the server will handle user authentication through -- cgit v1.2.3 From a2a3d02d1aaf2d3dae3afea90c85cd6ca9f7ce4d Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 17 Feb 2009 15:19:40 -0500 Subject: add some checks about setup to authentication --- man/man8/monkeysphere-authentication.8 | 6 ++++-- src/monkeysphere-authentication | 13 +++++++++++++ src/share/ma/setup | 4 +++- 3 files changed, 20 insertions(+), 3 deletions(-) (limited to 'man/man8/monkeysphere-authentication.8') diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index 4187c70..9b8baa9 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -24,8 +24,10 @@ authentication. \fBmonkeysphere-authentication\fP takes various subcommands. .TP .B setup -Setup the server for Monkeysphere user authentication. `s' may be -used in place of `setup'. +Setup the server for Monkeysphere user authentication. This command +is idempotent, which means it can be run multiple times to make sure +the setup is correct, without adversely affecting existing setups. +`s' may be used in place of `setup'. .TP .B update-users [ACCOUNT]... Rebuild the monkeysphere-controlled authorized_keys files. For each diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 465777d..60cb5f2 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -95,6 +95,14 @@ core_fingerprint() { | grep ^fpr: | cut -d: -f10 } +# fail if authentication has not been setup +check_no_setup() { + # FIXME: what is the right test to do here? + [ -d "$MADATADIR" ] \ + || failure "This host appears to have not yet been set up for Monkeysphere authentication. +Please run 'monkeysphere-authentication setup' first." +} + # export signatures from core to sphere gpg_core_sphere_sig_transfer() { log debug "exporting core local sigs to sphere..." @@ -155,21 +163,25 @@ case $COMMAND in ;; 'update-users'|'update-user'|'u') + check_no_setup source "${MASHAREDIR}/update_users" update_users "$@" ;; 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+') + check_no_setup source "${MASHAREDIR}/add_certifier" add_certifier "$@" ;; 'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-') + check_no_setup source "${MASHAREDIR}/remove_certifier" remove_certifier "$@" ;; 'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c') + check_no_setup source "${MASHAREDIR}/list_certifiers" list_certifiers "$@" ;; @@ -180,6 +192,7 @@ case $COMMAND in ;; 'gpg-cmd') + check_no_setup gpg_sphere "$@" ;; diff --git a/src/share/ma/setup b/src/share/ma/setup index 02fc069..f59187b 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -70,7 +70,7 @@ EOF fi else - log verbose "This system has already set up the Monkeysphere authentication trust core." + log verbose "Monkeysphere authentication trust core already exists." fi # export the core key to the sphere keyring @@ -91,6 +91,7 @@ EOF fi else failure "Could not get monkeysphere-authentication trust guidelines." + # FIXME: what does this mean? should we suggest how to fix? fi # ensure that we're using the extended trust model (1), and that @@ -102,5 +103,6 @@ EOF log debug "sphere trust model: $TRUST_MODEL" if [ "$TRUST_MODEL" != '1:3:1' ] ; then failure "monkeysphere-authentication does not have the expected trust model settings." + # FIXME: what does this mean? should we suggest how to fix? fi } -- cgit v1.2.3