From 0655d5cbf24a29da4aff7e272e82bfa258b2ceed Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 1 Feb 2009 21:14:22 -0500 Subject: new function to export signatures from core to sphere keyrings. this is so that the sphere does not have to read the core pubring to get the certifier ltsigs, and we can therefore keep tighter permissions on the core keyring files. updated some comments/documentation as well. --- src/monkeysphere-authentication | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) (limited to 'src/monkeysphere-authentication') diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 7c43aa8..2316183 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -85,8 +85,6 @@ su_monkeysphere_user() { # function to interact with the gpg core keyring gpg_core() { - local returnCode - GNUPGHOME="$GNUPGHOME_CORE" export GNUPGHOME @@ -94,15 +92,7 @@ gpg_core() { # user to be able to read the host pubring. we realize this might # be problematic, but it's the simplest solution, without too much # loss of security. - gpg --no-permission-warning "$@" - returnCode="$?" - - # always reset the permissions on the host pubring so that the - # monkeysphere user can read the trust signatures - chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_CORE}/pubring.gpg" - chmod g+r "${GNUPGHOME_CORE}/pubring.gpg" - - return "$returnCode" + gpg "$@" } # function to interact with the gpg sphere keyring @@ -116,6 +106,12 @@ gpg_sphere() { su_monkeysphere_user "gpg $@" } +# export signatures from core to sphere +gpg_core_sphere_sig_transfer() { + gpg_core --export-options export-local-sigs --export | \ + gpg_sphere --import-options import-local-sigs --import +} + ######################################################################## # MAIN ######################################################################## -- cgit v1.2.3 From 10c741dac082844fbf9a2fbbfc4322f718c2abea Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 2 Feb 2009 11:34:26 -0500 Subject: add ability to specify key length of core secret key, so the test scripts can specify something smaller than the default. --- src/monkeysphere-authentication | 2 ++ src/share/ma/setup | 6 +++--- tests/basic | 1 + 3 files changed, 6 insertions(+), 3 deletions(-) (limited to 'src/monkeysphere-authentication') diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 2316183..4485bd4 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -138,6 +138,7 @@ CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${MADATADIR}/core"} GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"} +CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"} # export variables needed in su invocation export DATE @@ -150,6 +151,7 @@ export REQUIRED_USER_KEY_CAPABILITY export GNUPGHOME_CORE export GNUPGHOME_SPHERE export GNUPGHOME +export CORE_KEYLENGTH # get subcommand COMMAND="$1" diff --git a/src/share/ma/setup b/src/share/ma/setup index 90f748e..422cfd3 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -56,13 +56,13 @@ EOF local TMPLOC=$(mktemp -d "${MATMPDIR}"/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" # generate the key with ssh-keygen... - log debug "generating ssh key..." - ssh-keygen -q -b 1024 -t rsa -N '' -f "${TMPLOC}/authkey" || failure "Could not generate new key for Monkeysphere authentication trust core" + log debug "generating ssh key ($CORE_KEYLENGTH bits)..." + ssh-keygen -q -b "$CORE_KEYLENGTH" -t rsa -N '' -f "${TMPLOC}/authkey" || failure "Could not generate new key for Monkeysphere authentication trust core" # and then translate to openpgp encoding and import # FIXME: pem2openpgp currently sets the A flag and a short # expiration date. We should set the C flag and no expiration # date. - log debug "converting ssh key to pgp key and importing into core..." + log debug "converting ssh key to openpgp key and importing into core..." < "${TMPLOC}/authkey" pem2openpgp "$CORE_UID" | gpg_core --import || failure "Could not import new key for Monkeysphere authentication trust core" # get fingerprint of core key. should definitely not be empty at this point diff --git a/tests/basic b/tests/basic index 4d2266e..5e233aa 100755 --- a/tests/basic +++ b/tests/basic @@ -132,6 +132,7 @@ export MONKEYSPHERE_SYSSHAREDIR="$TESTDIR"/../src/share export MONKEYSPHERE_MONKEYSPHERE_USER=$(whoami) export MONKEYSPHERE_CHECK_KEYSERVER=false export MONKEYSPHERE_LOG_LEVEL=DEBUG +export MONKEYSPHERE_CORE_KEYLENGTH=1024 export SSHD_CONFIG="$TEMPDIR"/sshd_config export SOCKET="$TEMPDIR"/ssh-socket -- cgit v1.2.3