From 2459fa3ea277d7b9289945748619eab1e3441e5c Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins
Date: Sat, 15 Nov 2008 20:49:27 -0500
Subject: Added info log output when a new key is added to known_hosts file.
---
 packaging/debian/changelog | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'packaging/debian')
diff --git a/packaging/debian/changelog b/packaging/debian/changelog
index 62f021e..f1db037 100644
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -1,3 +1,10 @@
+monkeysphere (0.22-1) UNRELEASED; urgency=low
+
+ * New upstream release:
+ - Added info log output when a new key is added to known_hosts file.
+
+ -- Jameson Graef Rollins Sat, 15 Nov 2008 20:49:13 -0500
+
 monkeysphere (0.21-2) unstable; urgency=low
 * actually rmdir /var/lib/monkeysphere-* during prerm if possible.
--
cgit v1.2.3
From c9efd3d44010262946d518dc712edba733697b34 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Sun, 16 Nov 2008 02:04:56 -0500
Subject: update debian/changelog.
---
 packaging/debian/changelog | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'packaging/debian')
diff --git a/packaging/debian/changelog b/packaging/debian/changelog
index f1db037..c2c4241 100644
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -1,8 +1,16 @@
 monkeysphere (0.22-1) UNRELEASED; urgency=low
 * New upstream release:
+ [ Jameson Rollins ]
+
 - Added info log output when a new key is added to known_hosts file.
+ [ Daniel Kahn Gillmor ]
+
+ - automatically output two copies of the host's public key: one
+ standard ssh public key file, and the other a minimal OpenPGP key with
+ just the latest valid self-sig.
+
 -- Jameson Graef Rollins Sat, 15 Nov 2008 20:49:13 -0500
 monkeysphere (0.21-2) unstable; urgency=low
--
cgit v1.2.3
From 11e3f75a105d37cc113abe8f19e29ed1d9d90155 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Sun, 16 Nov 2008 02:33:42 -0500
Subject: making the "upstream version" end in ~pre so that test packages created before the release will upgrade properly when the official 0.22 gets released.
---
 packaging/debian/changelog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'packaging/debian')
diff --git a/packaging/debian/changelog b/packaging/debian/changelog
index c2c4241..1aee7d1 100644
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -1,4 +1,4 @@
-monkeysphere (0.22-1) UNRELEASED; urgency=low
+monkeysphere (0.22~pre-1) UNRELEASED; urgency=low
 * New upstream release:
 [ Jameson Rollins ]
--
cgit v1.2.3
From dd002c89fc4dccabc16d488a15a40cc88383605f Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins
Date: Sun, 16 Nov 2008 03:17:36 -0500
Subject: added some useful output to the ssh-proxycommand for "marginal" cases where keys are found for host but do not have full validity. this uses ssh-keyscan to pull the key for the host in question, check this key against the keys against those found via gpg, and output some useful information about the one that matches.
---
 changelog | 2 +-
 packaging/debian/changelog | 6 ++-
 src/monkeysphere-server | 2 +-
 src/monkeysphere-ssh-proxycommand | 98 ++++++++++++++++++++++++++++++++++++++-
 4 files changed, 102 insertions(+), 6 deletions(-)
(limited to 'packaging/debian')
diff --git a/changelog b/changelog
index b9a9e21..4264fa4 120000
--- a/changelog
+++ b/changelog
@@ -1 +1 @@
-website/changelog
\ No newline at end of file
+packaging/debian/changelog
\ No newline at end of file
diff --git a/packaging/debian/changelog b/packaging/debian/changelog
index f1db037..e8ea1a9 100644
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -1,9 +1,11 @@
 monkeysphere (0.22-1) UNRELEASED; urgency=low
 * New upstream release:
- - Added info log output when a new key is added to known_hosts file.
+ - added info log output when a new key is added to known_hosts file.
+ - added some useful output to the ssh-proxycommand for "marginal"
+ cases where keys are found for host but do not have full validity.
- -- Jameson Graef Rollins Sat, 15 Nov 2008 20:49:13 -0500
+ -- Jameson Graef Rollins Sun, 16 Nov 2008 03:17:16 -0500
 monkeysphere (0.21-2) unstable; urgency=low
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 5edaa4f..665d916 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -137,7 +137,7 @@ show_server_key() {
 tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
 gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey"
 echo -n "ssh fingerprint: "
- ssh-keygen -l -f $tmpkey | awk '{ print $1, $2, $4 }'
+ ssh-keygen -l -f "$tmpkey" | awk '{ print $1, $2, $4 }'
 rm -rf "$tmpkey"
 echo -n "OpenPGP fingerprint: "
 echo "$fingerprint"
diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand
index 6276092..b039844 100755
--- a/src/monkeysphere-ssh-proxycommand
+++ b/src/monkeysphere-ssh-proxycommand
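Review bot: The quoting fix on the new `ssh-keygen -l -f "$tmpkey"` line leaves the matching expansion two lines above it unquoted: `tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)` still word-splits and globs if TMPDIR contains whitespace or glob characters, so the function is only half-fixed. Quoting it the same way, `tmpkey=$(mktemp "${TMPDIR:-/tmp}/tmp.XXXXXXXXXX") || failure "Could not create temporary file!"`, keeps show_server_key consistent and also corrects the message, since mktemp creates a file here, not a directory. The later `rm -rf "$tmpkey"` removes that single file and could be `rm -f -- "$tmpkey"`; recursive removal of a TMPDIR-derived path is not needed. show_server_key begins before this hunk and continues after it.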
@@ -13,14 +13,84 @@
 # established. Can be added to ~/.ssh/config as follows:
 # ProxyCommand monkeysphere-ssh-proxycommand %h %p
+########################################################################
+PGRM=$(basename $0)
+
+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
+export SYSSHAREDIR
+. "${SYSSHAREDIR}/common" || exit 1
+
+########################################################################
+# FUNCTIONS
 ########################################################################
 usage() {
-cat <&2
+ cat <&2
 usage: ssh -o ProxyCommand="$(basename $0) %h %p" ...
 EOF
 }
+log() {
+ echo "$@" >&2
+}
+
+output_no_valid_key() {
+ local sshKeyOffered
+ local userID
+ local type
+ local validity
+ local keyid
+ local uidfpr
+ local usage
+ local sshKeyGPG
+ local sshFingerprint
+
+ log "OpenPGP keys with*out* full validity found for this host:"
+ log
+
+ # retrieve the actual ssh key
+ sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
+
+ userID="ssh://${HOSTP}"
+
+ # output gpg info for (exact) userid and store
+ gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
+ --with-fingerprint --with-fingerprint \
+ ="$userID" 2>/dev/null)
+
+ # loop over all lines in the gpg output and process.
+ echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
+ while IFS=: read -r type validity keyid uidfpr usage ; do
+ case $type in
+ 'pub'|'sub')
+ # get the ssh key of the gpg key
+ sshKeyGPG=$(gpg2ssh "$keyid")
+
+ # if one of keys found matches the one offered by the
+ # host, then output info
+ if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
+
+ # get the fingerprint of the ssh key
+ tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
+ echo "$sshKeyGPG" > "$tmpkey"
+ sshFingerprint=$(ssh-keygen -l -f "$tmpkey" | awk '{ print $2 }')
+ rm -rf "$tmpkey"
+
+ # output gpg info
+ gpg --check-sigs \
+ --list-options show-uid-validity \
+ "$keyid" >&2
+
+ # output ssh fingerprint
+ log "RSA key fingerprint is ${sshFingerprint}."
+ log "Falling through to standard ssh host checking."
+ log
+ fi
+ ;;
+ esac
+ done
+}
+
 ########################################################################
 # export the monkeysphere log level
@@ -35,7 +105,7 @@ HOST="$1"
 PORT="$2"
 if [ -z "$HOST" ] ; then
- echo "Host not specified." >&2
+ log "Host not specified."
 usage
 exit 255
 fi
@@ -88,6 +158,30 @@ export MONKEYSPHERE_CHECK_KEYSERVER
 # update the known_hosts file for the host
 monkeysphere update-known_hosts "$HOSTP"
+# output on depending on the return of the update-known_hosts
+# subcommand, which is (ultimately) the return code of the
+# update_known_hosts function in common
+case $? in
+ 0)
+ # acceptable host key found so continue to ssh
+ true
+ ;;
+ 1)
+ # no hosts at all found so also continue (drop through to
+ # regular ssh host verification)
+ true
+ ;;
+ 2)
+ # at least one *bad* host key (and no good host keys) was
+ # found, so output some usefull information
+ output_no_valid_key
+ ;;
+ *)
+ # anything else drop through
+ true
+ ;;
+esac
+
 # exec a netcat passthrough to host for the ssh connection
 if [ -z "$NO_CONNECT" ] ; then
 if (which nc 2>/dev/null >/dev/null); then
--
cgit v1.2.3
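Review bot: In output_no_valid_key the temporary file is created without checking the result: `tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)` has no guard, so if mktemp fails `tmpkey` is empty, the `echo "$sshKeyGPG" > "$tmpkey"` redirection fails and the fingerprint line is printed with nothing in it, whereas the corresponding line in monkeysphere-server in this same commit carries `|| failure "..."`; the two should match, with the template quoted, `tmpkey=$(mktemp "${TMPDIR:-/tmp}/tmp.XXXXXXXXXX") || failure "Could not create temporary file!"` (failure presumably comes from the sourced `common`, as monkeysphere-server's use suggests; confirm). `gpgOut` and `tmpkey` are also the only variables in the function not declared `local`, unlike the nine above them. Separately, when ssh-keyscan returns nothing (host unreachable or scan timed out) `sshKeyOffered` is empty, no `pub`/`sub` entry can match, and the user sees the "with*out* full validity" header followed by nothing; a `[ -n "$sshKeyOffered" ] || { log "Could not retrieve the ssh key offered by the host."; return; }` right after the keyscan line would make that case explicit. The scanned key is used only to choose which OpenPGP key to display, and trust is still left to ssh's own host checking, which is the right division.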
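Review bot: The new `case $? in` reads the status of `monkeysphere update-known_hosts "$HOSTP"` correctly only because nothing sits between the two lines; any command inserted there later, or running the script under `set -e` (not visible in this hunk, so unknown), would silently change which arm runs. Capturing the status first, `rc=0`, `monkeysphere update-known_hosts "$HOSTP" || rc=$?`, `case $rc in`, removes that fragility and survives `set -e`, and the three `true` arms can then collapse into one `0|1) ;;` arm. The `*)` arm also discards every status other than 0, 1 and 2 (a missing `monkeysphere` executable gives 127, and an internal error in update_known_hosts gives whatever it died with), so the connection proceeds with no host-key information and no message; a `log "update-known_hosts returned $rc; falling through to standard ssh host checking."` in that arm would at least make the failure visible. The comment in the `2)` arm has a typo, "usefull".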