From 4793624c65673268128fb0146cd9bd1b3cfeb6c4 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 10 Jun 2008 17:17:51 -0400 Subject: New client/server components: - broke out all common functions to "common" file - put all client commands into "monkeysphere" script - put all server commands into "monkeysphere-server" script - moved all code into src directory to clean things up a bit - this effectively makes obsolete rhesus and howler - added proposed monkeysphere-ssh-proxycommand script that can be called to update known_hosts from ssh ProxyCommand - updated monkeysphere.conf to work as global client config - added monkeysphere-server.conf for server config --- src/monkeysphere-ssh-proxycommand | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100755 src/monkeysphere-ssh-proxycommand (limited to 'src/monkeysphere-ssh-proxycommand') diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand new file mode 100755 index 0000000..1724966 --- /dev/null +++ b/src/monkeysphere-ssh-proxycommand @@ -0,0 +1,16 @@ +#!/bin/sh -e + +# MonkeySphere ssh ProxyCommand hook +# Proxy command script to initiate a monkeysphere known_hosts update +# before an ssh connection to host is established. +# Can be added to ~/.ssh/config as follows: +# ProxyCommand monkeysphere-ssh-proxycommand %h %p + +HOST="$1" +PORT="$2" + +# update the known_hosts file for the host +monkeysphere update-known-hosts "$HOST" + +# make a netcat connection to host for the ssh connection +exec nc "$HOST" "$PORT" -- cgit v1.2.3 From be186e427ac34812e2b2a55489ae55fe2341f6a0 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 10 Jun 2008 18:38:46 -0400 Subject: Cleaned/fix up update-userid function. also some general cleanup. --- src/common | 40 ++++++++++++++++++++++++++++++++ src/monkeysphere | 31 +++++++++++++++---------- src/monkeysphere-server | 49 +++++++++++++++++---------------------- src/monkeysphere-ssh-proxycommand | 19 ++++++++++----- 4 files changed, 93 insertions(+), 46 deletions(-) (limited to 'src/monkeysphere-ssh-proxycommand') diff --git a/src/common b/src/common index 8643080..073b8af 100755 --- a/src/common +++ b/src/common @@ -351,3 +351,43 @@ process_authorized_ids() { process_user_id "$userID" "$cacheDir" > /dev/null done } + +# update the cache for userid, and prompt to add file to +# authorized_user_ids file if the userid is found in gpg +# and not already in file. +update_userid() { + local userID + local cacheDir + local userIDKeyCache + + userID="$1" + cacheDir="$2" + + log "processing userid: '$userID'" + userIDKeyCache=$(process_user_id "$userID" "$cacheDir") + if [ -z "$userIDKeyCache" ] ; then + return 1 + fi + if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + echo "the following userid is not in the authorized_user_ids file:" + echo " $userID" + read -p "would you like to add? [Y|n]: " OK; OK=${OK:=Y} + if [ ${OK/y/Y} = 'Y' ] ; then + log -n " adding userid to authorized_user_ids file... " + echo "$userID" >> "$AUTHORIZED_USER_IDS" + echo "done." + fi + fi +} + +# retrieve key from web of trust, and set owner trust to "full" +# if key is found. +trust_key() { + # get the key from the key server + gpg --keyserver "$KEYSERVER" --recv-key "$keyID" || failure "could not retrieve key '$keyID'" + + # edit the key to change trust + # FIXME: need to figure out how to automate this, + # in a batch mode or something. + gpg --edit-key "$keyID" +} diff --git a/src/monkeysphere b/src/monkeysphere index f279d86..d652ab3 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -1,5 +1,13 @@ #!/bin/sh +# monkeysphere: MonkeySphere client tool +# +# The monkeysphere scripts are written by: +# Jameson Rollins +# +# They are Copyright 2008, and are all released under the GPL, version 3 +# or later. + ######################################################################## PGRM=$(basename $0) @@ -26,11 +34,11 @@ usage: $PGRM [args] Monkeysphere client tool. subcommands: - update-known-hosts (k) [HOST]... update known_hosts file - update-authorized-keys (a) update authorized_keys file - update-userid (u) [USERID]... add/update userid to - authorized_user_ids - help (h,?) this help + update-known-hosts (k) [HOST]... update known_hosts file + update-authorized-keys (a) update authorized_keys file + update-userids (u) [USERID]... add/update userid + gen-ae-subkey (g) generate an 'ae' capable subkey + help (h,?) this help EOF } @@ -129,20 +137,19 @@ case $COMMAND in log "$msAuthorizedKeys" ;; - 'update-userid'|'u') + 'update-userids'|'u') if [ -z "$1" ] ; then failure "you must specify at least one userid." fi for userID ; do - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - log "userid '$userID' not in authorized_user_ids file." - continue - fi - log "processing user id: '$userID'" - process_user_id "$userID" "$userKeysCacheDir" > /dev/null + update_userid "$userID" "$userKeysCacheDir" done ;; + 'gen-ae-subkey'|) + failure "function not implemented yet." + ;; + 'help'|'h'|'?') usage ;; diff --git a/src/monkeysphere-server b/src/monkeysphere-server index f1b4892..fd7b583 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -1,5 +1,13 @@ #!/bin/sh +# monkeysphere-server: MonkeySphere server admin tool +# +# The monkeysphere scripts are written by: +# Jameson Rollins +# +# They are Copyright 2008, and are all released under the GPL, version 3 +# or later. + ######################################################################## PGRM=$(basename $0) @@ -23,12 +31,12 @@ usage: $PGRM [args] Monkeysphere server admin tool. subcommands: - update-users (s) [USER]... update authorized_keys file - gen-key (g) generate gpg key for the host - publish-key (p) publish host gpg to keyserver - trust-key (t) KEYID [KEYID]... mark keyid as trusted - update-user-userid (u) USER UID [UID]... add/update userid for user - help (h,?) this help + update-users (s) [USER]... update user authorized_keys file + gen-key (g) generate gpg key for the server + publish-key (p) publish server gpg to keyserver + trust-key (t) KEYID [KEYID]... mark keyid as trusted + update-user-userids (u) USER UID [UID]... add/update userid for user + help (h,?) this help EOF } @@ -85,19 +93,6 @@ publish_key() { echo "gpg --send-keys --keyserver $KEYSERVER $keyID" } -# trust key -trust_key() { - for keyID ; do - # get the key from the key server - gpg --keyserver "$KEYSERVER" --recv-key "$keyID" || failure "could not retrieve key '$keyID'" - - # edit the key to change trust - # FIXME: need to figure out how to automate this, - # in a batch mode or something. - gpg --edit-key "$keyID" - done -} - ######################################################################## # MAIN ######################################################################## @@ -185,10 +180,12 @@ case $COMMAND in if [ -z "$1" ] ; then failure "you must specify at least one key to trust." fi - trust_key "$@" + for keyID ; do + trust_key "$keyID" + done ;; - 'update-user-userid'|'u') + 'update-user-userids'|'u') uname="$1" shift if [ -z "$uname" ] ; then @@ -197,14 +194,10 @@ case $COMMAND in if [ -z "$1" ] ; then failure "you must specify at least one userid." fi + AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + userKeysCacheDir="$STAGING_AREA"/"$uname"/user_keys for userID ; do - AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - log "userid '$userID' not in authorized_user_ids file." - continue - fi - log "processing user id: '$userID'" - process_user_id "$userID" "$userKeysCacheDir" > /dev/null + update_userid "$userID" "$userKeysCacheDir" done ;; diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 1724966..417d013 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -1,10 +1,17 @@ #!/bin/sh -e -# MonkeySphere ssh ProxyCommand hook -# Proxy command script to initiate a monkeysphere known_hosts update -# before an ssh connection to host is established. -# Can be added to ~/.ssh/config as follows: -# ProxyCommand monkeysphere-ssh-proxycommand %h %p +# monkeysphere-ssh-proxycommand: MonkeySphere ssh ProxyCommand hook +# +# The monkeysphere scripts are written by: +# Jameson Rollins +# +# They are Copyright 2008, and are all released under the GPL, version 3 +# or later. + +# This is meant to be run as an ssh ProxyCommand to initiate a +# monkeysphere known_hosts update before an ssh connection to host is +# established. Can be added to ~/.ssh/config as follows: +# ProxyCommand monkeysphere-ssh-proxycommand %h %p HOST="$1" PORT="$2" @@ -12,5 +19,5 @@ PORT="$2" # update the known_hosts file for the host monkeysphere update-known-hosts "$HOST" -# make a netcat connection to host for the ssh connection +# exec a netcat passthrough to host for the ssh connection exec nc "$HOST" "$PORT" -- cgit v1.2.3 From bb17921883afe6edfeaa029d2113baebf10b7b92 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Jun 2008 14:07:33 -0400 Subject: Allow for specification of whether to check keyserver. Update proxy command to check keyserver if host not found in known_hosts. --- src/monkeysphere-ssh-proxycommand | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'src/monkeysphere-ssh-proxycommand') diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 417d013..ec162ab 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -16,6 +16,36 @@ HOST="$1" PORT="$2" +usage() { +cat <&2 +usage: ssh -o ProxyCommand="$(basename $0) %h %p" ... +EOF +} + +log() { + echo "$@" >&2 +} + +if [ -z "$HOST" ] ; then + log "host must be specified." + usage + exit 1 +fi +if [ -z "$PORT" ] ; then + log "port must be specified." + usage + exit 1 +fi + +# check for the host key in the known_hosts file +hostKey=$(ssh-keygen -F "$HOST") + +# if the host key is not found in the known_hosts file, +# check the keyserver +if [ -z "$hostKey" ] ; then + CHECK_KEYSERVER="true" +fi + # update the known_hosts file for the host monkeysphere update-known-hosts "$HOST" -- cgit v1.2.3 From b6983d7cb86f450ebd7fafcb254011fd7099c246 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Jun 2008 14:07:33 -0400 Subject: Allow for specification of whether to check keyserver. Update proxy command to check keyserver if host not found in known_hosts. --- src/common | 40 +++++++++++++++++++++++++-------------- src/monkeysphere | 2 +- src/monkeysphere-ssh-proxycommand | 30 +++++++++++++++++++++++++++++ 3 files changed, 57 insertions(+), 15 deletions(-) (limited to 'src/monkeysphere-ssh-proxycommand') diff --git a/src/common b/src/common index 8d8e506..471e75a 100644 --- a/src/common +++ b/src/common @@ -43,12 +43,22 @@ cutline() { # FIXME: need to figure out how to retrieve all matching keys # (not just first 5) gpg_fetch_userid() { - local id - id="$1" - echo 1,2,3,4,5 | \ - gpg --quiet --batch --command-fd 0 --with-colons \ - --keyserver "$KEYSERVER" \ - --search ="$id" >/dev/null 2>&1 + local userID + + userID="$1" + + # if CHECK_KEYSERVER variable set, check the keyserver + # for the user ID + if [ "CHECK_KEYSERVER" ] ; then + echo 1,2,3,4,5 | \ + gpg --quiet --batch --command-fd 0 --with-colons \ + --keyserver "$KEYSERVER" \ + --search ="$userID" >/dev/null 2>&1 + + # otherwise just return true + else + return + fi } # check that characters are in a string (in an AND fashion). @@ -117,7 +127,7 @@ gpg2authorized_keys() { gpg --export "$keyID" | \ openpgp2ssh "$keyID" | tr -d '\n' - echo " MonkeySphere${DATE}:${userID}" + echo " MonkeySphere${DATE}: ${userID}" } # userid and key policy checking @@ -296,18 +306,23 @@ update_userid() { log "processing userid: '$userID'" + # return 1 if there is no output of the user ID processing + # ie. no key was found keyCachePath=$(process_user_id "$userID" "$cacheDir") - if [ -z "$keyCachePath" ] ; then return 1 fi + + # check if user ID is in the authorized_user_ids file if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} = 'Y' ] ; then + # add if specified log -n "adding user ID to authorized_user_ids file... " echo "$userID" >> "$AUTHORIZED_USER_IDS" echo "done." else + # else do nothing log "authorized_user_ids file untouched." fi fi @@ -340,7 +355,7 @@ process_host() { host="$1" cacheDir="$2" - log "processing host: '$host'" + log "processing host: $host" keyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") if [ $? = 0 ] ; then @@ -353,18 +368,15 @@ process_host() { # go through line-by-line, extract each host, and process with the # host processing function process_known_hosts() { - local knownHosts local cacheDir local hosts local host - knownHosts="$1" - cacheDir="$2" + cacheDir="$1" # take all the hosts from the known_hosts file (first field), # grep out all the hashed hosts (lines starting with '|')... - cut -d ' ' -f 1 "$knownHosts" | \ - grep -v '^|.*$' | \ + meat "$USER_KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | \ while IFS=, read -r -a hosts ; do # ...and process each host for host in ${hosts[*]} ; do diff --git a/src/monkeysphere b/src/monkeysphere index 23ebd63..79bc352 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -157,7 +157,7 @@ case $COMMAND in failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." fi log "processing known_hosts file..." - process_known_hosts "$USER_KNOWN_HOSTS" "$hostKeysCacheDir" + process_known_hosts "$hostKeysCacheDir" fi ;; diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 417d013..ec162ab 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -16,6 +16,36 @@ HOST="$1" PORT="$2" +usage() { +cat <&2 +usage: ssh -o ProxyCommand="$(basename $0) %h %p" ... +EOF +} + +log() { + echo "$@" >&2 +} + +if [ -z "$HOST" ] ; then + log "host must be specified." + usage + exit 1 +fi +if [ -z "$PORT" ] ; then + log "port must be specified." + usage + exit 1 +fi + +# check for the host key in the known_hosts file +hostKey=$(ssh-keygen -F "$HOST") + +# if the host key is not found in the known_hosts file, +# check the keyserver +if [ -z "$hostKey" ] ; then + CHECK_KEYSERVER="true" +fi + # update the known_hosts file for the host monkeysphere update-known-hosts "$HOST" -- cgit v1.2.3 From 62ff87e0328bc1406979656029a5e313839cac35 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Jun 2008 14:52:20 -0400 Subject: Add log output for keyserver checking. Fix bug in proxy command to export CHECK_KEYSERVER variable. --- src/common | 31 +++++++++++++++++-------------- src/monkeysphere | 1 + src/monkeysphere-ssh-proxycommand | 9 +++++---- 3 files changed, 23 insertions(+), 18 deletions(-) (limited to 'src/monkeysphere-ssh-proxycommand') diff --git a/src/common b/src/common index c0a9030..d1554a6 100644 --- a/src/common +++ b/src/common @@ -47,17 +47,17 @@ gpg_fetch_userid() { userID="$1" - # if CHECK_KEYSERVER variable set, check the keyserver - # for the user ID - if [ "CHECK_KEYSERVER" ] ; then - echo 1,2,3,4,5 | \ - gpg --quiet --batch --command-fd 0 --with-colons \ - --keyserver "$KEYSERVER" \ - --search ="$userID" >/dev/null 2>&1 - - # otherwise just return true + log "checking keyserver $KEYSERVER..." + echo 1,2,3,4,5 | \ + gpg --quiet --batch --command-fd 0 --with-colons \ + --keyserver "$KEYSERVER" \ + --search ="$userID" >/dev/null 2>&1 + if [ "$?" = 0 ] ; then + log " user ID found on keyserver." + return 0 else - return + log " user ID not found on keyserver." + return 1 fi } @@ -167,8 +167,11 @@ process_user_id() { fi requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]") - # fetch keys from keyserver, return 1 if none found - gpg_fetch_userid "$userID" || return 1 + # if CHECK_KEYSERVER variable set, check the keyserver + # for the user ID + if [ "$CHECK_KEYSERVER" = "true" ] ; then + gpg_fetch_userid "$userID" + fi # output gpg info for (exact) userid and store gpgOut=$(gpg --fixed-list-mode --list-key --with-colons \ @@ -176,7 +179,7 @@ process_user_id() { # return 1 if there only "tru" lines are output from gpg if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then - log " key not found." + log " key not found in keychain." return 1 fi @@ -268,7 +271,7 @@ process_user_id() { # key cache file if [ "$keyOK" -a "$uidOK" -a "${keyIDs[*]}" ] ; then for keyID in ${keyIDs[@]} ; do - log " acceptable key/uid found." + log " acceptable key/userID found." if [ "$MODE" = 'known_hosts' ] ; then # export the key diff --git a/src/monkeysphere b/src/monkeysphere index a6ca62d..230de06 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -113,6 +113,7 @@ MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"} AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} +CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index ec162ab..3887e48 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -40,11 +40,12 @@ fi # check for the host key in the known_hosts file hostKey=$(ssh-keygen -F "$HOST") -# if the host key is not found in the known_hosts file, -# check the keyserver -if [ -z "$hostKey" ] ; then - CHECK_KEYSERVER="true" +# if the host key is found in the known_hosts file, +# don't check the keyserver +if [ "$hostKey" ] ; then + CHECK_KEYSERVER="false" fi +export CHECK_KEYSERVER # update the known_hosts file for the host monkeysphere update-known-hosts "$HOST" -- cgit v1.2.3 From 1a19643197dafa975de9cae717cef3f4608879d8 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 18 Jun 2008 23:31:35 -0400 Subject: Add more nuanced keyserver checking policy, including a defered check if key is not in keyring, but is in known_hosts. --- src/monkeysphere-ssh-proxycommand | 46 +++++++++++++++++++++++++++++---------- 1 file changed, 35 insertions(+), 11 deletions(-) (limited to 'src/monkeysphere-ssh-proxycommand') diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 4b90a0d..4cbcd51 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -13,9 +13,6 @@ # established. Can be added to ~/.ssh/config as follows: # ProxyCommand monkeysphere-ssh-proxycommand %h %p -HOST="$1" -PORT="$2" - usage() { cat <&2 usage: ssh -o ProxyCommand="$(basename $0) %h %p" ... @@ -26,6 +23,14 @@ log() { echo "$@" >&2 } +if [ "$1" = '--no-connect' ] ; then + NO_CONNECT='true' + shift 1 +fi + +HOST="$1" +PORT="$2" + if [ -z "$HOST" ] ; then log "host must be specified." usage @@ -37,20 +42,39 @@ if [ -z "$PORT" ] ; then exit 1 fi -# check for the host key in the known_hosts file -hostKey=$(ssh-keygen -F "$HOST") +# set the host URI +URI="ssh://${HOST}" +if [ "$PORT" != '22' ] ; then + URI="${URI}:$PORT" +fi -# if the host key is found in the known_hosts file, -# don't check the keyserver -if [ "$hostKey" ] ; then +# if the host is in the gpg keyring... +if gpg --list-key ="${URI}" >/dev/null ; then + # do not check the keyserver CHECK_KEYSERVER="false" +# if the host is NOT in the keyring... else - CHECK_KEYSERVER="true" + # if the host key is found in the known_hosts file... + # FIXME: this only works for default known_hosts location + hostKey=$(ssh-keygen -F "$HOST") + if [ "$hostKey" ] ; then + # if the check keyserver variable is NOT set to true... + if [ "$CHECK_KEYSERVER" != 'true' ] ; then + # schedule a keyserver check for host at a later time + echo "monkeysphere update-known_hosts $HOST" | at noon + fi + # if the host key is not found in the known_hosts file... + else + # check the keyserver + CHECK_KEYSERVER="true" + fi fi export CHECK_KEYSERVER # update the known_hosts file for the host -monkeysphere update-known-hosts "$HOST" +monkeysphere update-known_hosts "$HOST" # exec a netcat passthrough to host for the ssh connection -exec nc "$HOST" "$PORT" +if [ -z "$NO_CONNECT" ] ; then + exec nc "$HOST" "$PORT" +fi -- cgit v1.2.3 From 15637a9ab9b4fe7ea537988f5cc145d35948d783 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 19 Jun 2008 15:22:46 -0400 Subject: Added server config variable to specify user authorized_user_ids file, and changed default. --- debian/changelog | 9 +++++-- etc/monkeysphere-server.conf | 9 ++++++- src/common | 32 +++++++++++++++++++---- src/monkeysphere | 6 ++--- src/monkeysphere-server | 55 +++++++++++++++++++++++---------------- src/monkeysphere-ssh-proxycommand | 2 +- 6 files changed, 78 insertions(+), 35 deletions(-) (limited to 'src/monkeysphere-ssh-proxycommand') diff --git a/debian/changelog b/debian/changelog index 74c5d8b..9bfcc26 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,14 @@ monkeysphere (0.2-1) UNRELEASED; urgency=low + [ Daniel Kahn Gillmor ] * NOT YET RELEASED (switch to "experimental" when ready to release) - * - -- Daniel Kahn Gillmor Thu, 19 Jun 2008 04:03:45 -0400 + [ Jameson Graef Rollins ] + * Add AUTHORIZED_USER_IDS config variable for server, which defaults to + %h/.config/monkeysphere/authorized_user_ids, instead of + /etc/monkeysphere/authorized_user_ids. + + -- Jameson Graef Rollins Thu, 19 Jun 2008 15:22:05 -0400 monkeysphere (0.1-1) experimental; urgency=low diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf index 3915bf4..847e879 100644 --- a/etc/monkeysphere-server.conf +++ b/etc/monkeysphere-server.conf @@ -17,8 +17,15 @@ # a = authentication #REQUIRED_USER_KEY_CAPABILITY="a" +# Path to authorized_user_ids file to process to create +# authorized_keys file. '%h' will be replaced by the home directory +# of the user, and %u will be replaced by the username of the user. +# For purely admin-controlled authorized_user_ids, you might put them +# in /etc/monkeysphere/authorized_user_ids/%u +#AUTHORIZED_USER_IDS="%h/.config/monkeysphere/authorized_user_ids" + # Whether to add user controlled authorized_keys file to # monkeysphere-generated authorized_keys file. Should be path to file # where '%h' will be replaced by the home directory of the user. # To not add any user-controlled file, put "-" -#USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys +#USER_CONTROLLED_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" diff --git a/src/common b/src/common index c39506d..89efc46 100644 --- a/src/common +++ b/src/common @@ -85,6 +85,24 @@ remove_line() { fi } +# translate ssh-style path variables %h and %u +translate_ssh_variables() { + local uname + local home + + uname="$1" + path="$2" + + # get the user's home directory + userHome=$(getent passwd "$uname" | cut -d: -f6) + + # translate ssh-style path variables + path=${path/\%u/"$uname"} + path=${path/\%h/"$userHome"} + + echo "$path" +} + ### CONVERTION UTILITIES # output the ssh key for a given key ID @@ -358,6 +376,7 @@ update_userid() { local userID userID="$1" + authorizedUserIDs="$2" log "processing userid: '$userID'" @@ -365,12 +384,12 @@ update_userid() { process_user_id "$userID" | grep -q "^0 " # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} = 'Y' ] ; then # add if specified log -n " adding user ID to authorized_user_ids file... " - echo "$userID" >> "$AUTHORIZED_USER_IDS" + echo "$userID" >> "$authorizedUserIDs" loge "done." else # else do nothing @@ -384,18 +403,19 @@ remove_userid() { local userID userID="$1" + authorizedUserIDs="$2" log "processing userid: '$userID'" # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then log " user ID not currently authorized." return 1 fi # remove user ID from file log -n " removing user ID '$userID'... " - remove_line "$AUTHORIZED_USER_IDS" "^${userID}$" + remove_line "$authorizedUserIDs" "^${userID}$" loge "done." } @@ -480,7 +500,9 @@ process_known_hosts() { process_authorized_user_ids() { local userid - cat "$AUTHORIZED_USER_IDS" | meat | \ + authorizedUserIDs="$1" + + cat "$authorizedUserIDs" | meat | \ while read -r userid ; do process_uid_authorized_keys "$userid" done diff --git a/src/monkeysphere b/src/monkeysphere index a6cecfd..a9c9d58 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -164,7 +164,7 @@ case $COMMAND in failure "you must specify at least one userid." fi for userID ; do - update_userid "$userID" + update_userid "$userID" "$AUTHORIZED_USER_IDS" done log "Run the following to update your monkeysphere authorized_keys file:" log "$PGRM update-authorized_keys" @@ -175,7 +175,7 @@ case $COMMAND in failure "you must specify at least one userid." fi for userID ; do - remove_userid "$userID" + remove_userid "$userID" "$AUTHORIZED_USER_IDS" done log "Run the following to update your monkeysphere authorized_keys file:" log "$PGRM update-authorized_keys" @@ -191,7 +191,7 @@ case $COMMAND in # process authorized_user_ids file log "processing authorized_user_ids file..." - process_authorized_user_ids + process_authorized_user_ids "$AUTHORIZED_USER_IDS" log "authorized_keys file updated." ;; diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 96a1070..bfd5db8 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -139,6 +139,7 @@ GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} +AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} export GNUPGHOME @@ -153,40 +154,44 @@ mkdir -p "${CACHE}/authorized_keys" case $COMMAND in 'update-users'|'update-user'|'s') if [ "$1" ] ; then + # get users from command line unames="$@" else - unames=$(ls -1 "${MS_HOME}/authorized_user_ids") + # or just look at all users if none specified + unames=$(getent passwd | cut -d: -f1) fi + # loop over users for uname in $unames ; do MODE="authorized_keys" + # set authorized_user_ids variable, + # translate ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") + + # skip user if authorized_user_ids file does not exist + if [ ! -f "$authorizedUserIDs" ] ; then + continue + fi + log "----- user: $uname -----" - # set variables for the user - AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}" # temporary authorized_keys file - AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp" - - # make sure user's authorized_user_ids file exists - touch "$AUTHORIZED_USER_IDS" - # make sure the authorized_keys file exists and is clear - > "$AUTHORIZED_KEYS" + AUTHORIZED_KEYS=$(mktemp) # skip if the user's authorized_user_ids file is empty - if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then - log "authorized_user_ids file for '$uname' is empty." + if [ ! -s "$authorizedUserIDs" ] ; then + log "authorized_user_ids file '$authorizedUserIDs' is empty." continue fi # process authorized_user_ids file log "processing authorized_user_ids file..." - process_authorized_user_ids + process_authorized_user_ids "$authorizedUserIDs" # add user-controlled authorized_keys file path if specified if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then - userHome=$(getent passwd "$uname" | cut -d: -f6) - userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"} + userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS") if [ -f "$userAuthorizedKeys" ] ; then log -n "adding user's authorized_keys file... " cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS" @@ -195,7 +200,7 @@ case $COMMAND in fi # move the temp authorized_keys file into place - mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}" + mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}" log "authorized_keys file updated." done @@ -236,15 +241,16 @@ case $COMMAND in failure "You must specify at least one user ID." fi - # set variables for the user - AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + # set authorized_user_ids variable, + # translate ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") # make sure user's authorized_user_ids file exists - touch "$AUTHORIZED_USER_IDS" + touch "$authorizedUserIDs" # process the user IDs for userID ; do - update_userid "$userID" + update_userid "$userID" "$authorizedUserIDs" done log "Run the following to update user's authorized_keys file:" @@ -261,15 +267,18 @@ case $COMMAND in failure "You must specify at least one user ID." fi - # set variables for the user - AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + # set authorized_user_ids variable, + # translate ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") # make sure user's authorized_user_ids file exists - touch "$AUTHORIZED_USER_IDS" + if [ ! -f "$authorizedUserIDs" ] ; then + failure "authorized_user_ids file '$authorizedUserIDs' does not exist." + fi # process the user IDs for userID ; do - remove_userid "$userID" + remove_userid "$userID" "$authorizedUserIDs" done log "Run the following to update user's authorized_keys file:" diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 4cbcd51..f4d4b0d 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -49,7 +49,7 @@ if [ "$PORT" != '22' ] ; then fi # if the host is in the gpg keyring... -if gpg --list-key ="${URI}" >/dev/null ; then +if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then # do not check the keyserver CHECK_KEYSERVER="false" # if the host is NOT in the keyring... -- cgit v1.2.3