From e8ac612c4bad88172c5e80fa7e813664e536a6f8 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 23 Jun 2008 17:02:15 -0400 Subject: openpgp2ssh can now accept arbitrary-length key IDs (from the trivial 8 hex digit key IDs to 40 hex digits of a full fingerprint). This moves our build dependency on gnutls to 2.4.0, which includes subkey fingerprint calculations. --- man/man1/openpgp2ssh.1 | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'man') diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1 index bea1da5..6141ec5 100644 --- a/man/man1/openpgp2ssh.1 +++ b/man/man1/openpgp2ssh.1 @@ -19,11 +19,14 @@ SSH-style key on standard output. .Pp If the data on standard input contains no subkeys, you can invoke .Nm -without arguments. If the data on standard input contains -multiple keys (e.g. a primary key and associated subkeys), you must -specify a specific OpenPGP keyid (e.g. CCD2ED94D21739E9) or -fingerprint as the first argument to indicate which key to export. -The keyid must be exactly 16 hex characters. +without arguments. If the data on standard input contains multiple +keys (e.g. a primary key and associated subkeys), you must specify a +specific OpenPGP key identifier as the first argument to indicate +which key to export. The key ID is normally the 40 hex digit OpenPGP +fingerprint of the key or subkey desired, but +.Nm +will accept as few as the last 8 digits of the fingerprint as a key +ID. .Pp If the input contains an OpenPGP RSA or DSA public key, it will be converted to the OpenSSH-style single-line keystring, prefixed with 
@@ -78,8 +81,9 @@ Secret key output is currently not passphrase-protected. .Nm currently cannot handle passphrase-protected secret keys on input. .Pp -It would be nice to be able to use keyids shorter or longer than 16 -hex characters. +Key identifiers consisting of an odd number of hex digits are not +accepted. Users who use a key ID with a standard length of 8, 16, or +40 hex digits should not be affected by this. .Pp .Nm only acts on keys associated with the first primary key -- cgit v1.2.3 From 438d1fa8881a1f8359b5e91932bf42addefbffca Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 23 Jun 2008 19:02:58 -0400 Subject: switched shortcut for monkeysphere-server update-users to "u", added some FIXMEs to monkeysphere-server. --- man/man8/monkeysphere-server.8 | 4 ++-- src/common | 4 ++-- src/monkeysphere-server | 9 ++++++++- 3 files changed, 12 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index e821e63..f808eff 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -28,8 +28,8 @@ file are processed, and the user's authorized_keys file in /var/cache/monkeysphere/authorized_keys/USER. See `man monkeysphere' for more info. If the USER_CONTROLLED_AUTHORIZED_KEYS variable is set, then a user-controlled authorized_keys file (usually -~USER/.ssh/authorized_keys) is added to the authorized_keys file. `k' -may be used in place of `update-known_hosts'. +~USER/.ssh/authorized_keys) is added to the authorized_keys file. `u' +may be used in place of `update-users. .TP .B gen-key Generate a gpg key for the host. `g' may be used in place of diff --git a/src/common b/src/common index 9dcc5e8..9fd156b 100644 --- a/src/common +++ b/src/common @@ -109,7 +109,7 @@ translate_ssh_variables() { echo "$path" } -### CONVERTION UTILITIES +### CONVERSION UTILITIES # output the ssh key for a given key ID gpg2ssh() { 
@@ -263,7 +263,7 @@ process_user_id() { fi requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]") - # if CHECK_KEYSERVER variable set, check the keyserver + # if CHECK_KEYSERVER variable set to true, check the keyserver # for the user ID if [ "$CHECK_KEYSERVER" = "true" ] ; then gpg_fetch_userid "$userID" diff --git a/src/monkeysphere-server b/src/monkeysphere-server index b989816..11e593b 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -171,7 +171,7 @@ mkdir -p -m 0700 "$GNUPGHOME" mkdir -p "${CACHE}/authorized_keys" case $COMMAND in - 'update-users'|'update-user'|'s') + 'update-users'|'update-user'|'u') if [ "$1" ] ; then # get users from command line unames="$@" @@ -196,6 +196,9 @@ case $COMMAND in # skip user if authorized_user_ids file does not exist if [ ! -f "$authorizedUserIDs" ] ; then + #FIXME: what about a user with no authorized_user_ids + # file, but with an authorized_keys file when + # USER_CONTROLLED_AUTHORIZED_KEYS is set? continue fi @@ -207,6 +210,10 @@ case $COMMAND in # skip if the user's authorized_user_ids file is empty if [ ! -s "$authorizedUserIDs" ] ; then log "authorized_user_ids file '$authorizedUserIDs' is empty." + #FIXME: what about a user with an empty + # authorized_user_ids file, but with an + # authorized_keys file when + # USER_CONTROLLED_AUTHORIZED_KEYS is set? continue fi -- cgit v1.2.3 From 2a8ee05beeb4d81e58cf6e9af9e1b1abfa5c1709 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 24 Jun 2008 00:56:19 -0400 Subject: Fix man pages to reflect recent path changes. --- man/man8/monkeysphere-server.8 | 21 +++++++++++---------- src/monkeysphere-server | 4 ++-- 2 files changed, 13 insertions(+), 12 deletions(-) (limited to 'man') diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index f808eff..9bb7b2d 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 
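Review bot: The case label in the `@@ -171` hunk drops the old `'s'` alias outright instead of keeping it next to the new `'u'`, so an existing cron job or script that runs `monkeysphere-server s` will stop matching this branch. If that invocation is what regenerates the per-user authorized_keys files, key and user-ID revocations would silently stop propagating on hosts that still use it. Unless `s` is being reassigned elsewhere in the case statement (not visible in this hunk), consider a transition period with `'update-users'|'update-user'|'u'|'s')` and a comment marking `s` as deprecated.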
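Review bot: Both skip paths, the missing-file `continue` in the `@@ -196` hunk and the empty-file `continue` in the `@@ -207` hunk, leave untouched whatever was previously generated for that user under `${CACHE}/authorized_keys`, and the new FIXMEs do not mention this. The code that writes the generated file is outside these hunks, so this is inferred. If sshd reads that directory via AuthorizedKeysFile, deleting or emptying a user's authorized_user_ids would then not revoke access, because the stale file keeps its old keys. I would extend each FIXME with `# FIXME: a previously generated authorized_keys file for this user is left in place here; remove it so revocation takes effect`, or remove the file before each `continue`. The missing-file path also skips silently, so a `log` line like the one in the empty-file branch would help an admin see why a user was not processed.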
@@ -63,12 +63,12 @@ that is done, publish the key to a keyserver with "publish-key" subcommand. Finally, you need to modify the sshd_config to tell sshd where the new server host key: -HostKey /etc/monkeysphere/ssh_host_rsa_key +HostKey /var/lib/monkeysphere/ssh_host_rsa_key If the server will also handle user authentication through monkeysphere-generated authorized_keys files, set the following: -AuthorizedKeysFile /var/cache/monkeysphere/authorized_keys/%u +AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u Once those changes are made, restart the ssh server. @@ -81,17 +81,18 @@ System monkeysphere-server config file. /etc/monkeysphere/monkeysphere.conf System-wide monkeysphere config file. .TP -/etc/monkeysphere/gnupg -Monkeysphere GNUPG home directory. +/var/lib/monkeysphere/authorized_keys/USER +Monkeysphere-generated user authorized_keys files. .TP -/etc/monkeysphere/ssh_host_rsa_key -Copy of the host's private key in ssh format, suitable for use by sshd. +/var/lib/monkeysphere/ssh_host_rsa_key +Copy of the host's private key in ssh format, suitable for use by +sshd. .TP -/etc/monkeysphere/authorized_user_ids/USER -Server maintained authorized_user_ids files for users. +/var/lib/monkeysphere/gnupg-host +Monkeysphere host GNUPG home directory. .TP -/var/cache/monkeysphere/authorized_keys/USER -User authorized_keys file. +/var/lib/monkeysphere/gnupg-authentication +Monkeysphere authentication GNUPG home directory. .SH AUTHOR diff --git a/src/monkeysphere-server b/src/monkeysphere-server index b711fc5..ac7c1cb 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server 
@@ -125,8 +125,8 @@ EOF # write the key to the file # NOTE: assumes that the primary key is the proper key to use - (umask 077 && gpgsecret2ssh "$keyID" > "${MS_HOME}/ssh_host_rsa_key") - log "Private SSH host key output to file: ${MS_HOME}/ssh_host_rsa_key" + (umask 077 && gpgsecret2ssh "$keyID" > "${VARLIB}/ssh_host_rsa_key") + log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" } # gpg output key fingerprint -- cgit v1.2.3
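Review bot: The redirect `> "${VARLIB}/ssh_host_rsa_key"` relies on `umask 077` alone to protect the private host key, but a umask only applies when the file is created. If a file already exists at the new path with looser permissions, the secret key is written into it with those permissions. Adding `chmod 600 "${VARLIB}/ssh_host_rsa_key"` after the subshell (or removing the file first) would close that gap, and it is worth confirming that `${VARLIB}` itself is created with a restrictive mode, which happens outside this hunk. The `log` line also runs whether or not `gpgsecret2ssh` succeeded, so a failed export leaves an empty or truncated key file and a success message; chaining it with `&&` after the subshell would avoid that. The enclosing function starts before the hunk.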