From 70674cae8b3d69d0e750125387b26c0d5857c5ba Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@phys.columbia.edu>
Date: Tue, 12 Aug 2008 18:24:18 -0700
Subject: fix another bug when processing ssh key files that do not exist.

---
 src/common | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'src/common')

diff --git a/src/common b/src/common
index b4e786b..cbfa956 100644
--- a/src/common
+++ b/src/common
@@ -64,6 +64,11 @@ check_capability() {
     return 0
 }
 
+# hash of a file
+file_hash() {
+    md5sum "$1" 2> /dev/null
+}
+
 # convert escaped characters from gpg output back into original
 # character
 # FIXME: undo all escape character translation in with-colons gpg output
@@ -573,7 +578,7 @@ update_known_hosts() {
     lockfile-create "$KNOWN_HOSTS"
 
     # note pre update file checksum
-    fileCheck="$(cat "$KNOWN_HOSTS" | md5sum)"
+    fileCheck="$(file_hash "$KNOWN_HOSTS")"
 
     for host ; do
 	# process the host
@@ -596,7 +601,7 @@ update_known_hosts() {
     lockfile-remove "$KNOWN_HOSTS"
 
     # note if the known_hosts file was updated
-    if [ "$(cat "$KNOWN_HOSTS" | md5sum)" != "$fileCheck" ] ; then
+    if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then
 	log "known_hosts file updated."
     fi
 
@@ -711,7 +716,7 @@ update_authorized_keys() {
     lockfile-create "$AUTHORIZED_KEYS"
 
     # note pre update file checksum
-    fileCheck="$(cat "$AUTHORIZED_KEYS" | md5sum)"
+    fileCheck="$(file_hash "$AUTHORIZED_KEYS")"
 
     # remove any monkeysphere lines from authorized_keys file
     remove_monkeysphere_lines "$AUTHORIZED_KEYS"
@@ -739,7 +744,7 @@ update_authorized_keys() {
     lockfile-remove "$AUTHORIZED_KEYS"
 
     # note if the authorized_keys file was updated
-    if [ "$(cat "$AUTHORIZED_KEYS" | md5sum)" != "$fileCheck" ] ; then
+    if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then
 	log "authorized_keys file updated."
     fi
 
-- 
cgit v1.2.3


From 2f89210eb11ccb0a7289f89a545697029b2bb9d7 Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@phys.columbia.edu>
Date: Thu, 14 Aug 2008 21:05:40 -0700
Subject: Add sorting of the processed key lines so that "good" keys are output
 at the end.  This is done so that they take precedence over "bad" when being
 processed in key files.  If bad keys are processed after good keys, there is
 a possibility of malicious bad key causing good keys to be continually
 removed from key files, which would be a big nuisance.

---
 src/common | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'src/common')

diff --git a/src/common b/src/common
index 9c76bd1..17955a7 100644
--- a/src/common
+++ b/src/common
@@ -484,7 +484,10 @@ process_user_id() {
 		fi
 		;;
 	esac
-    done
+    done | sort -t: -k1 -n -r
+    # NOTE: this last sort is important so that the "good" keys (key
+    # flag '0') come last.  This is so that they take precedence when
+    # being processed in the key files over "bad" keys (key flag '1')
 }
 
 # process a single host in the known_host file
@@ -498,16 +501,15 @@ process_host_known_hosts() {
     local tmpfile
 
     host="$1"
+    userID="ssh://${host}"
 
     log "processing: $host"
 
-    userID="ssh://${host}"
-
     nKeys=0
     nKeysOK=0
 
     IFS=$'\n'
-    for line in $(process_user_id "ssh://${host}") ; do
+    for line in $(process_user_id "${userID}") ; do
 	# note that key was found
 	nKeys=$((nKeys+1))
 
-- 
cgit v1.2.3