From 0beaa999dbd326a2c80a733913a36e64b917add6 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 13 Sep 2008 15:34:44 -0400 Subject: counting problems in monkeysphere-server diagnostics --- src/monkeysphere-server | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) (limited to 'src/monkeysphere-server') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 6798fab..a0dc33f 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -559,6 +559,7 @@ diagnostics() { local fingerprint local badhostkeys local sshd_config + local problemsfound=0 # FIXME: what's the correct, cross-platform answer? sshd_config=/etc/ssh/sshd_config @@ -571,19 +572,23 @@ diagnostics() { if ! id monkeysphere >/dev/null ; then echo "! No monkeysphere user found! Please create a monkeysphere system user." + problemsfound=$(($problemsfound+1)) fi if ! [ -d "$VARLIB" ] ; then echo "! no $VARLIB directory found. Please create it." + problemsfound=$(($problemsfound+1)) fi echo "Checking host GPG key..." if (( "$keysfound" < 1 )); then echo "! No host key found." echo " - Recommendation: run 'monkeysphere-server gen-key'" + problemsfound=$(($problemsfound+1)) elif (( "$keysfound" > 1 )); then echo "! More than one host key found?" # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) else create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:) expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:) @@ -593,9 +598,11 @@ diagnostics() { if (( "$expire" < "$curdate" )); then echo "! Host key is expired." echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + problemsfound=$(($problemsfound+1)) elif (( "$expire" < "$warndate" )); then echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + problemsfound=$(($problemsfound+1)) fi fi 
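Review bot: The first check in the `@@ -571,19 +572,23 @@` hunk tests the literal account name with `id monkeysphere`, while other parts of this script refer to the account as `$MONKEYSPHERE_USER`. If that variable is ever set to a different account, the new counter records a problem that does not exist or misses one that does. Consider `if ! id "$MONKEYSPHERE_USER" >/dev/null 2>&1 ; then`, which also keeps id's own error text out of the report. diagnostics() begins and ends outside the hunks shown.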
@@ -603,6 +610,7 @@ diagnostics() { if [ "$create" ] && (( "$create" > "$curdate" )); then echo "! Host key was created in the future(?!). Is your clock correct?" echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" + problemsfound=$(($problemsfound+1)) fi # check for UserID expiration: @@ -614,14 +622,17 @@ diagnostics() { if [ "$create" ] && (( "$create" > "$curdate" )); then echo "! User ID '$uid' was created in the future(?!). Is your clock correct?" echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" + problemsfound=$(($problemsfound+1)) fi if [ "$expire" ] ; then if (( "$expire" < "$curdate" )); then echo "! User ID '$uid' is expired." - # FIXME: recommend a way to resolve this + # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) elif (( "$expire" < "$warndate" )); then echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) fi fi done 
@@ -641,20 +652,24 @@ diagnostics() { echo "Checking host SSH key..." if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty." + problemsfound=$(($problemsfound+1)) else if [ $(ls -l "${VARLIB}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600." + problemsfound=$(($problemsfound+1)) fi # propose changes needed for sshd_config (if any) if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)." echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'" + problemsfound=$(($problemsfound+1)) fi if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then echo "! $sshd_config refers to some non-monkeysphere host keys:" echo "$badhostkeys" echo " - Recommendation: remove the above HostKey lines from $sshd_config" + problemsfound=$(($problemsfound+1)) fi fi fi @@ -679,6 +694,12 @@ diagnostics() { echo "! $sshd_config refers to non-monkeysphere authorized_keys files:" echo "$badauthorizedkeys" echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" + problemsfound=$(($problemsfound+1)) + fi + + if [ "$problemsfound" -gt 0 ]; then + echo "When the above $problemsfound problem"$([ "$problemsfound" -eq 1 ] || echo "s")" are resolved, please re-run:" + echo " monkeysphere-server diagnostics" fi } -- cgit v1.2.3 From 988ed72a69dde1e5e0a028823fed0536cd926520 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 13 Sep 2008 16:12:25 -0400 Subject: fixing bugs in monkeysphere-server diagnostics. --- packaging/freebsd/distinfo | 6 +++--- src/monkeysphere-server | 7 ++++--- 2 files changed, 7 insertions(+), 6 deletions(-) (limited to 'src/monkeysphere-server') 
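Review bot: The permission test on `${VARLIB}/ssh_host_rsa_key` in the `@@ -641,20 +652,24 @@` hunk compares only the mode string printed by `ls -l`. A private host key that is mode 0600 but owned by an unexpected account is therefore not counted, while a mode string with an ACL or security-context suffix is counted as wrong. A check such as `[ -n "$(find "${VARLIB}/ssh_host_rsa_key" -prune -perm 600 -user root)" ]` would cover mode and owner together, assuming root is the intended owner. The outermost `if` closed at the end of this hunk starts outside it.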
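Review bot: The summary added at the end of diagnostics() in the `@@ -679,6 +694,12 @@` hunk prints the problem count, but the function still returns the status of its last command, which is 0 in both cases. A cron job or packaging script cannot tell a clean run from a failing one without parsing the text. If scripted use is intended, add `return 1` after the two `echo` lines inside the `-gt 0` branch. The same applies to the later commit on this page that adds the "Everything seems to be in order!" branch.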
diff --git a/packaging/freebsd/distinfo b/packaging/freebsd/distinfo index 1a3b6c5..63bc25e 100644 --- a/packaging/freebsd/distinfo +++ b/packaging/freebsd/distinfo @@ -1,3 +1,3 @@ -MD5 (monkeysphere_0.16~pre.orig.tar.gz) = 7ec79824cf814c618b39e9bf33ff65b1 -SHA256 (monkeysphere_0.16~pre.orig.tar.gz) = bce97a2b2f90bc85b81af374cc0d32dfb23c6b2c1f1b2145f8a4d4a5bb00645b -SIZE (monkeysphere_0.16~pre.orig.tar.gz) = 58595 +MD5 (monkeysphere_0.16~pre.orig.tar.gz) = 23be1e51f2046652985ff102018549db +SHA256 (monkeysphere_0.16~pre.orig.tar.gz) = 2caeb5ce39572400f09b66cf5df8d9f6fb7b84b3d0371c532337a29632018340 +SIZE (monkeysphere_0.16~pre.orig.tar.gz) = 58689 diff --git a/src/monkeysphere-server b/src/monkeysphere-server index a0dc33f..7401bf5 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -665,7 +665,7 @@ diagnostics() { echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'" problemsfound=$(($problemsfound+1)) fi - if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then + if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then echo "! $sshd_config refers to some non-monkeysphere host keys:" echo "$badhostkeys" echo " - Recommendation: remove the above HostKey lines from $sshd_config" 
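Review bot: The two stages of the `badhostkeys` pipeline disagree on case and anchoring: the first selects with `grep -i '^HostKey'`, the second filters with a case-sensitive `^HostKey[[:space:]]\+…` pattern. sshd matches keywords case-insensitively and, as far as I know, ignores leading whitespace. So a correct `hostkey ${VARLIB}/ssh_host_rsa_key` line is reported as foreign, an indented HostKey line naming another key is never reported, and the bare `^HostKey` prefix also matches other keywords that start with HostKey. Using `grep -i '^[[:space:]]*HostKey[[:space:]]'` for the first stage and `grep -i -v "^[[:space:]]*HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$"` for the second would close these gaps. The `AuthorizedKeysFile` pipeline in the `@@ -689,8 +689,9 @@` hunk has the same shape.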
@@ -689,8 +689,9 @@ diagnostics() { if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" "$sshd_config"; then echo "! $sshd_config does not point to monkeysphere authorized keys." echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'" + problemsfound=$(($problemsfound+1)) fi - if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then + if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then echo "! $sshd_config refers to non-monkeysphere authorized_keys files:" echo "$badauthorizedkeys" echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" @@ -698,7 +699,7 @@ diagnostics() { fi if [ "$problemsfound" -gt 0 ]; then - echo "When the above $problemsfound problem"$([ "$problemsfound" -eq 1 ] || echo "s")" are resolved, please re-run:" + echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:" echo " monkeysphere-server diagnostics" fi } -- cgit v1.2.3 From 12664ba44bd38efbfd9e6571b937035a5695cdaa Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 14 Sep 2008 17:24:47 -0400 Subject: allow monkeysphere-server c+ to read from the filesystem. Fix mistaken use of $TMPDIR, which was causing weird recursion problems with portable invocations of mktemp. --- src/monkeysphere-server | 48 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 38 insertions(+), 10 deletions(-) (limited to 'src/monkeysphere-server') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 7401bf5..a8cc211 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server 
@@ -188,25 +188,25 @@ update_users() { fi # make temporary directory - TMPDIR=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) + TMPLOC=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) # trap to delete temporary directory on exit - trap "rm -rf $TMPDIR" EXIT + trap "rm -rf $TMPLOC" EXIT # create temporary authorized_user_ids file - TMP_AUTHORIZED_USER_IDS="${TMPDIR}/authorized_user_ids" + TMP_AUTHORIZED_USER_IDS="${TMPLOC}/authorized_user_ids" touch "$TMP_AUTHORIZED_USER_IDS" # create temporary authorized_keys file - AUTHORIZED_KEYS="${TMPDIR}/authorized_keys" + AUTHORIZED_KEYS="${TMPLOC}/authorized_keys" touch "$AUTHORIZED_KEYS" # set restrictive permissions on the temporary files # FIXME: is there a better way to do this? - chmod 0700 "$TMPDIR" + chmod 0700 "$TMPLOC" chmod 0600 "$AUTHORIZED_KEYS" chmod 0600 "$TMP_AUTHORIZED_USER_IDS" - chown -R "$MONKEYSPHERE_USER" "$TMPDIR" + chown -R "$MONKEYSPHERE_USER" "$TMPLOC" # if the authorized_user_ids file exists... if [ -s "$authorizedUserIDs" ] ; then @@ -243,7 +243,7 @@ update_users() { mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}" # destroy temporary directory - rm -rf "$TMPDIR" + rm -rf "$TMPLOC" done } @@ -701,6 +701,8 @@ diagnostics() { if [ "$problemsfound" -gt 0 ]; then echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:" echo " monkeysphere-server diagnostics" + else + echo "Everything seems to be in order!" fi } 
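Review bot: The result of `mktemp -d` is still unchecked after the rename to TMPLOC in the `@@ -188,25 +188,25 @@` hunk, and the following lines run `touch`, `chmod`, `chown -R` and `rm -rf` on paths built from it. If mktemp fails, TMPLOC is empty and the temporary files resolve to `/authorized_user_ids` and `/authorized_keys`. The trap string is expanded when the trap is set and leaves the path unquoted, so a TMPDIR containing whitespace splits into several `rm -rf` arguments. Suggested: `TMPLOC=$(mktemp -d "${TMPDIR:-/tmp}/tmp.XXXXXXXXXX") || failure "could not create temporary directory"` and `trap 'rm -rf -- "$TMPLOC"' EXIT`. update_users() starts and ends outside this hunk.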
@@ -755,12 +757,38 @@ add_certifier() { keyID="$1" if [ -z "$keyID" ] ; then - failure "You must specify the key ID of a key to add." + failure "You must specify the key ID of a key to add, or specify a file to read the key from." + fi + if [ -f "$keyID" ] ; then + echo "Reading key from file '$keyID':" + importinfo=$(gpg_authentication "--import" < "$keyID" 2>&1) || failure "could not read key from '$keyID'" + # FIXME: if this is tried when the key database is not + # up-to-date, i got these errors (using set -x): + +# ++ su -m monkeysphere -c '\''gpg --import'\'' +# Warning: using insecure memory! +# gpg: key D21739E9: public key "Daniel Kahn Gillmor " imported +# gpg: Total number processed: 1 +# gpg: imported: 1 (RSA: 1) +# gpg: can'\''t create `/var/monkeysphere/gnupg-host/pubring.gpg.tmp'\'': Permission denied +# gpg: failed to rebuild keyring cache: Permission denied +# gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model +# gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u +# gpg: next trustdb check due at 2009-01-10' +# + failure 'could not read key from '\''/root/dkg.gpg'\''' +# + echo 'could not read key from '\''/root/dkg.gpg'\''' + + keyID=$(echo "$importinfo" | grep '^gpg: key ' | cut -f2 -d: | cut -f3 -d\ ) + if [ -z "$keyID" ] || [ $(echo "$keyID" | wc -l) -ne 1 ] ; then + failure "Expected there to be a single gpg key in the file." + fi + else + # get the key from the key server + gpg_authentication "--keyserver $KEYSERVER --recv-key '0x${keyID}!'" || failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver." fi + export keyID - # get the key from the key server - gpg_authentication "--keyserver $KEYSERVER --recv-key '0x${keyID}!'" # get the full fingerprint of a key ID fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint 0x${keyID}!" | \ -- cgit v1.2.3 From f81f2c89fac457574ce9a427af6c91ba85461d34 Mon Sep 17 00:00:00 2001 
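Review bot: In the new file branch, keyID is recovered by scraping gpg's human-readable `gpg: key …` line, which yields a short key ID and depends on message wording and locale. The value is then spliced into `'0x${keyID}!'`, a command string that gpg_authentication appears to pass to a shell through `su -c` (see the trace in the FIXME). The file content is not yet trusted at this point, so validate the value before use in both branches, e.g. `case "$keyID" in *[!0-9A-Fa-f]*) failure "unexpected key ID" ;; esac`. Taking the full fingerprint from gpg's machine-readable status output (`--status-fd`) would be better still, because a short-ID collision in the keyring could then not select a different key. The import has also already happened when the "single gpg key" check fails, so a multi-key file leaves all of its keys in the keyring. add_certifier() continues outside the hunk.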
From: Daniel Kahn Gillmor Date: Sun, 14 Sep 2008 17:51:13 -0400 Subject: adding another FIXME of things worth adding to monkeysphere-server diagnostics. --- packaging/freebsd/distinfo | 6 +++--- src/monkeysphere-server | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'src/monkeysphere-server') diff --git a/packaging/freebsd/distinfo b/packaging/freebsd/distinfo index 63bc25e..d590579 100644 --- a/packaging/freebsd/distinfo +++ b/packaging/freebsd/distinfo @@ -1,3 +1,3 @@ -MD5 (monkeysphere_0.16~pre.orig.tar.gz) = 23be1e51f2046652985ff102018549db -SHA256 (monkeysphere_0.16~pre.orig.tar.gz) = 2caeb5ce39572400f09b66cf5df8d9f6fb7b84b3d0371c532337a29632018340 -SIZE (monkeysphere_0.16~pre.orig.tar.gz) = 58689 +MD5 (monkeysphere_0.16~pre.orig.tar.gz) = bda65df4e378e72f3edf02936b2b5f34 +SHA256 (monkeysphere_0.16~pre.orig.tar.gz) = d0c85ad5cdd9b7a61333adf56714e3b25f1bd619bbc40279db759347b17980fe +SIZE (monkeysphere_0.16~pre.orig.tar.gz) = 59241 diff --git a/src/monkeysphere-server b/src/monkeysphere-server index a8cc211..b1cacf9 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -683,6 +683,9 @@ diagnostics() { # FIXME: make sure that at least one identity certifier exists +# FIXME: look at the timestamps on the monkeysphere-generated +# authorized_keys files -- warn if they seem out-of-date. + echo echo "Checking for MonkeySphere-enabled public-key authentication for users ..." # Ensure that User ID authentication is enabled: -- cgit v1.2.3 From d454019309fb9887f40b2330866f26741b4e8078 Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Sun, 14 Sep 2008 19:43:57 -0400 Subject: The monkeysphere system user must have bash as its shell for the simple su invocation to work. Do not try to explicitly preserve the environment across an su, as this is the default, and -m implies using the login shell of the superuser under FreeBSD. --- debian/monkeysphere.postinst | 2 +- packaging/freebsd/distinfo | 6 +++--- packaging/freebsd/pkg-install | 2 +- src/monkeysphere-server | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) (limited to 'src/monkeysphere-server') diff --git a/debian/monkeysphere.postinst b/debian/monkeysphere.postinst index d3c3b96..981c9df 100755 --- a/debian/monkeysphere.postinst +++ b/debian/monkeysphere.postinst @@ -11,7 +11,7 @@ if ! getent passwd monkeysphere >/dev/null ; then echo "adding monkeysphere user..." adduser --quiet --system --no-create-home --group \ --home "$VARLIB" \ - --shell '/bin/sh' \ + --shell '/bin/bash' \ --gecos 'monkeysphere authentication user,,,' \ monkeysphere fi diff --git a/packaging/freebsd/distinfo b/packaging/freebsd/distinfo index d590579..26aa939 100644 --- a/packaging/freebsd/distinfo +++ b/packaging/freebsd/distinfo @@ -1,3 +1,3 @@ -MD5 (monkeysphere_0.16~pre.orig.tar.gz) = bda65df4e378e72f3edf02936b2b5f34 -SHA256 (monkeysphere_0.16~pre.orig.tar.gz) = d0c85ad5cdd9b7a61333adf56714e3b25f1bd619bbc40279db759347b17980fe -SIZE (monkeysphere_0.16~pre.orig.tar.gz) = 59241 +MD5 (monkeysphere_0.16~pre.orig.tar.gz) = e94bc8371adf8ce30c58ec040e436417 +SHA256 (monkeysphere_0.16~pre.orig.tar.gz) = f8543778c6ae5a7a87dcb03e34980436f6d967edeb87ccfac2cc19c750f4e588 +SIZE (monkeysphere_0.16~pre.orig.tar.gz) = 59253 diff --git a/packaging/freebsd/pkg-install b/packaging/freebsd/pkg-install index 92a4bbc..6783ee8 100755 --- a/packaging/freebsd/pkg-install +++ b/packaging/freebsd/pkg-install 
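Review bot: The shell change in debian/monkeysphere.postinst sits inside the `if ! getent passwd monkeysphere` branch, so it applies to fresh installs only. On an upgrade the existing monkeysphere account keeps `/bin/sh`, although the commit message says the `su` invocation needs bash. The FreeBSD pkg-install hunk has the same gap in its "You already have a user" branch, and its `/usr/local/bin/bash` path exists only when the bash port is installed. Consider an upgrade step for existing accounts, such as `chsh -s /bin/bash monkeysphere` on Debian, or make the wrapper independent of the account's login shell.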
@@ -38,7 +38,7 @@ POST-INSTALL) echo "You already have a user \"${USER}\", so I will use it." else if pw useradd ${USER} -u ${UID} -g ${GROUP} -h - \ - -d "$VARLIB" -s /bin/sh -c "monkeysphere authentication user,,," + -d "$VARLIB" -s /usr/local/bin/bash -c "monkeysphere authentication user,,," then echo "Added user \"${USER}\"." else diff --git a/src/monkeysphere-server b/src/monkeysphere-server index b1cacf9..db3687b 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -67,7 +67,7 @@ EOF } su_monkeysphere_user() { - su -m "$MONKEYSPHERE_USER" -c "$@" + su "$MONKEYSPHERE_USER" -c "$@" } # function to interact with the host gnupg keyring @@ -571,7 +571,7 @@ diagnostics() { warndate=$(advance_date $warnwindow +%s) if ! id monkeysphere >/dev/null ; then - echo "! No monkeysphere user found! Please create a monkeysphere system user." + echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell." problemsfound=$(($problemsfound+1)) fi -- cgit v1.2.3
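Review bot: su_monkeysphere_user in the `@@ -67,7 +67,7 @@` hunk passes `-c "$@"`, so only the first argument is the command string and any further arguments become extra words for su or the target shell. Nothing on the function says callers must pass exactly one string. That string is evaluated by the account's shell, so any value a caller interpolates into it needs quoting at the call site. I would add above the function: `# Run one command string as $MONKEYSPHERE_USER via that user's shell; takes exactly one argument, and callers must shell-quote any value they splice into it.`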
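Review bot: The message in the `@@ -571,7 +571,7 @@` hunk now says the account needs bash as its shell, but the test is still only `id monkeysphere`. An existing account with a different shell passes this check, while the `su … -c` wrapper changed in the same commit may not work for it. A follow-up check could read the shell field with `shell=$(getent passwd "$MONKEYSPHERE_USER" | cut -d: -f7)` and count a problem when it does not end in `/bash`. diagnostics() begins and ends outside the hunk.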