From ebb12157ce060b27c2740e9bef241ce4a74aff70 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 1 Feb 2009 01:58:02 -0500
Subject: add m-a setup implementation

---
 src/share/ma/setup | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 src/share/ma/setup

(limited to 'src/share/ma/setup')

diff --git a/src/share/ma/setup b/src/share/ma/setup
new file mode 100644
index 0000000..a829a98
--- /dev/null
+++ b/src/share/ma/setup
@@ -0,0 +1,88 @@
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere authentication setup subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2009, and are all released under the GPL,
+# version 3 or later.
+
+setup() {
+    # make the core and the sphere:
+    mkdir -p ${SYSDATADIR}/authentication
+    mkdir -p ${GNUPGHOME_SPHERE}
+    mkdir -p ${GNUPGHOME_CORE}
+
+    # deliberately replace the config files via truncation
+    # FIXME: should we be dumping to tmp files and then moving atomically?
+    cat >${GNUPGHOME_CORE}/gpg.conf <<EOF
+# Monkeysphere trust core GnuPG configuration
+# This file is maintained by the Monkeysphere software.
+# Edits will be overwritten.
+no-greeting
+list-options show-uid-validity
+EOF
+    
+    cat >${GNUPGHOME_SPHERE}/gpg.conf <<EOF
+# Monkeysphere trust sphere GnuPG configuration
+# This file is maintained by the Monkeysphere software.
+# Edits will be overwritten.
+no-greeting
+primary-keyring ${GNUPGHOME_SPHERE}/pubring.gpg
+keyring ${GNUPGHOME_CORE}/pubring.gpg
+
+list-options show-uid-validity
+EOF
+
+    local CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
+
+    if [ -z "$CORE_FPR" ] ; then
+	log info "Setting up Monkeysphere authentication trust core"
+
+	local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 | base64))
+    
+	if gpg_core --gen-key --batch <<EOF
+Key-Type: RSA
+Key-Length: 4096
+Key-Usage: certify
+Name-Real: $CORE_UID
+
+%commit
+%echo done
+EOF
+	then
+	    CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
+	    if [ -z "$CORE_FPR" ] ; then
+		failure "Failed to find fingerprint of Monkeysphere authentication trust core!"
+	    fi
+	else
+	    failure "Failed to create Monkeysphere authentication trust core!"
+	fi
+	
+    else 
+	log verbose "This system has already set up the Monkeysphere authentication trust core"
+    fi
+
+
+    # ensure that the authentication sphere checker has absolute ownertrust on the expected key.
+    printf "%s:6:\n" "$CORE_FPR" | gpg_sphere --import-ownertrust
+    local ORIG_TRUST
+    if ORIG_TRUST=$(gpg_sphere --export-ownertrust | grep '^[^#]') ; then
+	if [ "$CORE_FPR:6:" != "$ORIG_TRUST" ] ; then
+	    failure "Monkeysphere authentication trust sphere should explicitly trust the core.  It does not have proper ownertrust settings."
+	fi
+    else
+	failure "Could not get monkeysphere-authentication trust guidleines."
+    fi
+
+    # ensure that we're using the extended trust model (1), and that
+    # our preferences are reasonable (i.e. 3 marginal OR 1 fully
+    # trusted certifications are sufficient to grant full validity.
+    if [ "1:3:1" != $(gpg_sphere --with-colons --fixed-list-mode --list-keys | head -n1 | grep ^tru: cut -f3,6,7 -d:) ] ; then
+	failure "monkeysphere-preference does not have the expected trust model settings"
+    fi
+}
-- 
cgit v1.2.3


From 6b09adf78d79ea76849a43f4af4335a7a89b10c7 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 1 Feb 2009 02:27:58 -0500
Subject: removed some unnecessary setup from the basic test, pulling the
 random string from /dev/urandom; generating the authentication trust core key
 at 2048 bits

---
 src/share/ma/setup | 4 ++--
 tests/basic        | 5 +----
 2 files changed, 3 insertions(+), 6 deletions(-)

(limited to 'src/share/ma/setup')

diff --git a/src/share/ma/setup b/src/share/ma/setup
index a829a98..944bb4d 100644
--- a/src/share/ma/setup
+++ b/src/share/ma/setup
@@ -43,11 +43,11 @@ EOF
     if [ -z "$CORE_FPR" ] ; then
 	log info "Setting up Monkeysphere authentication trust core"
 
-	local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 | base64))
+	local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 </dev/urandom | base64))
     
 	if gpg_core --gen-key --batch <<EOF
 Key-Type: RSA
-Key-Length: 4096
+Key-Length: 2048
 Key-Usage: certify
 Name-Real: $CORE_UID
 
diff --git a/tests/basic b/tests/basic
index bf6a364..c3d3208 100755
--- a/tests/basic
+++ b/tests/basic
@@ -204,14 +204,11 @@ cp "$TESTDIR"/etc/monkeysphere/monkeysphere-authentication.conf "$TEMPDIR"/
 cat <<EOF >> "$TEMPDIR"/monkeysphere-authentication.conf
 AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authentication/authorized_user_ids"
 EOF
-cat <<EOF > "$MONKEYSPHERE_SYSDATADIR"/authentication/sphere/gpg.conf
-primary-keyring ${MONKEYSPHERE_SYSDATADIR}/authentication/sphere/pubring.gpg
-keyring ${MONKEYSPHERE_SYSDATADIR}/authentication/core/pubring.gpg
-EOF
 
 # setup server authentication
 echo "### setting up server authentication..."
 monkeysphere-authentication setup
+get_gpg_prng_arg >> "$MONKEYSPHERE_SYSDATADIR"/authentication/sphere/gpg.conf
 
 # add admin as identity certifier for testhost
 echo "### adding admin as certifier..."
-- 
cgit v1.2.3


From 047780def321f18898c58dcc0e94e09a4b40f465 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 1 Feb 2009 02:52:26 -0500
Subject: trying to improve m-a setup; still not successfully tested.

---
 src/share/ma/setup | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

(limited to 'src/share/ma/setup')

diff --git a/src/share/ma/setup b/src/share/ma/setup
index 944bb4d..764fdb8 100644
--- a/src/share/ma/setup
+++ b/src/share/ma/setup
@@ -45,15 +45,14 @@ EOF
 
 	local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 </dev/urandom | base64))
     
-	if gpg_core --gen-key --batch <<EOF
-Key-Type: RSA
-Key-Length: 2048
-Key-Usage: certify
-Name-Real: $CORE_UID
+	local TMPLOC=$(mktemp -d ${MATMPDIR}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
+	ssh-keygen -q -b 2048 -t rsa -N'' "${TMPLOC}/authkey" || failure "Could not generate new key for Monkeysphere authentication trust core"
+
+	# FIXME: pem2openpgp currently sets the A flag and a short
+	# expiration date.  We should set the C flag and no expiration
+	# date.
+	< "${TMPLOC}/authkey" pem2openpgp "$CORE_UID" | gpg --import || failure "Could not import new key for Monkeysphere authentication trust core"
 
-%commit
-%echo done
-EOF
 	then
 	    CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
 	    if [ -z "$CORE_FPR" ] ; then
-- 
cgit v1.2.3


From 98ee387a0ba4b15fe80cfcd7828127ff8ae9518d Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sun, 1 Feb 2009 12:16:33 -0500
Subject: some small tweaks, and one tiny syntax bug fix, to ma/setup, and some
 small formating and comment changes to test/basic

---
 src/share/ma/setup | 23 ++++++++++-------------
 tests/basic        | 46 +++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 51 insertions(+), 18 deletions(-)

(limited to 'src/share/ma/setup')

diff --git a/src/share/ma/setup b/src/share/ma/setup
index 764fdb8..abce3af 100644
--- a/src/share/ma/setup
+++ b/src/share/ma/setup
@@ -13,13 +13,13 @@
 
 setup() {
     # make the core and the sphere:
-    mkdir -p ${SYSDATADIR}/authentication
-    mkdir -p ${GNUPGHOME_SPHERE}
-    mkdir -p ${GNUPGHOME_CORE}
+    mkdir -p "${SYSDATADIR}"/authentication
+    mkdir -p "${GNUPGHOME_SPHERE}"
+    mkdir -p "${GNUPGHOME_CORE}"
 
     # deliberately replace the config files via truncation
     # FIXME: should we be dumping to tmp files and then moving atomically?
-    cat >${GNUPGHOME_CORE}/gpg.conf <<EOF
+    cat >"${GNUPGHOME_CORE}"/gpg.conf <<EOF
 # Monkeysphere trust core GnuPG configuration
 # This file is maintained by the Monkeysphere software.
 # Edits will be overwritten.
@@ -27,7 +27,7 @@ no-greeting
 list-options show-uid-validity
 EOF
     
-    cat >${GNUPGHOME_SPHERE}/gpg.conf <<EOF
+    cat >"${GNUPGHOME_SPHERE}"/gpg.conf <<EOF
 # Monkeysphere trust sphere GnuPG configuration
 # This file is maintained by the Monkeysphere software.
 # Edits will be overwritten.
@@ -38,6 +38,7 @@ keyring ${GNUPGHOME_CORE}/pubring.gpg
 list-options show-uid-validity
 EOF
 
+    # fingerprint of core key.  this should be empty on unconfigured systems.
     local CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
 
     if [ -z "$CORE_FPR" ] ; then
@@ -53,12 +54,8 @@ EOF
 	# date.
 	< "${TMPLOC}/authkey" pem2openpgp "$CORE_UID" | gpg --import || failure "Could not import new key for Monkeysphere authentication trust core"
 
-	then
-	    CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
-	    if [ -z "$CORE_FPR" ] ; then
-		failure "Failed to find fingerprint of Monkeysphere authentication trust core!"
-	    fi
-	else
+	CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
+	if [ -z "$CORE_FPR" ] ; then
 	    failure "Failed to create Monkeysphere authentication trust core!"
 	fi
 	
@@ -71,11 +68,11 @@ EOF
     printf "%s:6:\n" "$CORE_FPR" | gpg_sphere --import-ownertrust
     local ORIG_TRUST
     if ORIG_TRUST=$(gpg_sphere --export-ownertrust | grep '^[^#]') ; then
-	if [ "$CORE_FPR:6:" != "$ORIG_TRUST" ] ; then
+	if [ "${CORE_FPR}:6:" != "$ORIG_TRUST" ] ; then
 	    failure "Monkeysphere authentication trust sphere should explicitly trust the core.  It does not have proper ownertrust settings."
 	fi
     else
-	failure "Could not get monkeysphere-authentication trust guidleines."
+	failure "Could not get monkeysphere-authentication trust guidelines."
     fi
 
     # ensure that we're using the extended trust model (1), and that
diff --git a/tests/basic b/tests/basic
index c3d3208..e30f31b 100755
--- a/tests/basic
+++ b/tests/basic
@@ -137,9 +137,11 @@ export SOCKET="$TEMPDIR"/ssh-socket
 # *anything* with any running X11 session.
 export DISPLAY=monkeys
 
+
 ### CONFIGURE ENVIRONMENTS
 
 # copy in admin and testuser home to tmp
+echo "##################################################"
 echo "### copying admin and testuser homes..."
 cp -a "$TESTDIR"/home/admin "$TEMPDIR"/
 cp -a "$TESTDIR"/home/testuser "$TEMPDIR"/
@@ -160,6 +162,7 @@ EOF
 get_gpg_prng_arg >> "$GNUPGHOME"/gpg.conf
 
 # set up sshd
+echo "##################################################"
 echo "### configuring sshd..."
 cp "$TESTDIR"/etc/ssh/sshd_config "$SSHD_CONFIG"
 # write the sshd_config
@@ -172,10 +175,12 @@ EOF
 ### SERVER HOST SETUP
 
 # set up monkeysphere host
+echo "##################################################"
 echo "### configuring monkeysphere host..."
 mkdir -p -m 750 "$MONKEYSPHERE_SYSDATADIR"/host
 
 # create a new host key
+echo "##################################################"
 echo "### generating server host key..."
 # add gpg.conf with quick-random
 get_gpg_prng_arg >> "$MONKEYSPHERE_SYSCONFIGDIR"/host/gpg.conf
@@ -183,10 +188,13 @@ echo | monkeysphere-host expert gen-key --length 1024 --expire 0 testhost
 # remove the gpg.conf
 rm "$MONKEYSPHERE_SYSCONFIGDIR"/host/gpg.conf
 
+# FIXME: need to test import-key as well
+
 HOSTKEYID=$( monkeysphere-host show-key | grep '^OpenPGP fingerprint: ' | cut -f3 -d\  )
 
 # certify it with the "Admin's Key".
 # (this would normally be done via keyservers)
+echo "##################################################"
 echo "### certifying server host key..."
 GNUPGHOME="$MONKEYSPHERE_SYSCONFIGDIR"/host gpg --armor --export "$HOSTKEYID" | gpgadmin --import
 echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID"
@@ -194,10 +202,13 @@ echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID"
 # FIXME: how can we test publish-key without flooding junk into the
 # keyservers?
 
+# FIXME: should we run "diagnostics" here to test setup?
+
 
-### SERVER AUTHENTICATION TESTS
+### SERVER AUTHENTICATION SETUP
 
 # set up monkeysphere authentication
+echo "##################################################"
 echo "### configuring monkeysphere authentication..."
 mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authentication/{authorized_keys,core,sphere,tmp}
 cp "$TESTDIR"/etc/monkeysphere/monkeysphere-authentication.conf "$TEMPDIR"/
@@ -206,65 +217,90 @@ AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authentication/authorized_user_ids"
 EOF
 
 # setup server authentication
+echo "##################################################"
 echo "### setting up server authentication..."
 monkeysphere-authentication setup
 get_gpg_prng_arg >> "$MONKEYSPHERE_SYSDATADIR"/authentication/sphere/gpg.conf
 
 # add admin as identity certifier for testhost
+echo "##################################################"
 echo "### adding admin as certifier..."
 echo y | monkeysphere-authentication add-id-certifier "$TEMPDIR"/admin/.gnupg/pubkey.gpg
 
+# FIXME: should we run "diagnostics" here to test setup?
 
-### TESTUSER TESTS
+
+### TESTUSER SETUP
 
 # generate an auth subkey for the test user that expires in 2 days
+echo "##################################################"
 echo "### generating key for testuser..."
 monkeysphere gen-subkey --expire 2
 
 # add server key to testuser keychain
+echo "##################################################"
 echo "### export server key to testuser..."
 gpgadmin --armor --export "$HOSTKEYID" | gpg --import
 
 # teach the "server" about the testuser's key
+echo "##################################################"
 echo "### export testuser key to server..."
 gpg --export testuser | monkeysphere-authentication gpg-cmd --import
+
+# update authorized_keys for user
+echo "##################################################"
 echo "### update server authorized_keys file for this testuser..."
 monkeysphere-authentication update-users $(whoami)
 
+
+### TESTS
+
 # connect to test sshd, using monkeysphere-ssh-proxycommand to verify
 # the identity before connection.  This should work in both directions!
+echo "##################################################"
 echo "### ssh connection test for success..."
 ssh_test
 
 # remove the testuser's authorized_user_ids file, update, and make
 # sure that the ssh authentication FAILS
+echo "##################################################"
 echo "### removing testuser authorized_user_ids and updating..."
 mv "$TESTHOME"/.monkeysphere/authorized_user_ids{,.bak}
 monkeysphere-authentication update-users $(whoami)
+echo "##################################################"
 echo "### ssh connection test for server authentication denial..."
 ssh_test 255
 mv "$TESTHOME"/.monkeysphere/authorized_user_ids{.bak,}
 
 # put improper permissions on authorized_user_ids file, update, and
 # make sure ssh authentication FAILS
+echo "##################################################"
 echo "### setting group writability on authorized_user_ids and updating..."
 chmod g+w "$TESTHOME"/.monkeysphere/authorized_user_ids
 monkeysphere-authentication update-users $(whoami)
+echo "##################################################"
 echo "### ssh connection test for server authentication denial..."
 ssh_test 255
 chmod g-w "$TESTHOME"/.monkeysphere/authorized_user_ids
+echo "##################################################"
 echo "### setting other writability on authorized_user_ids and updating..."
 chmod o+w "$TESTHOME"/.monkeysphere/authorized_user_ids
 monkeysphere-authentication update-users $(whoami)
+echo "##################################################"
 echo "### ssh connection test for server authentication denial..."
 ssh_test 255
 chmod o-w "$TESTHOME"/.monkeysphere/authorized_user_ids
 
+# FIXME: addtest: remove admin as id-certifier and check ssh failure
+
+# FIXME: addtest: revoke hostname on host key and check ssh failure
+
+# FIXME: addtest: revoke the host key and check ssh failure
 
 trap - EXIT
 
-echo
-echo "Monkeysphere basic tests completed successfully!"
-echo
+echo "##################################################"
+echo " Monkeysphere basic tests completed successfully!"
+echo "##################################################"
 
 cleanup
-- 
cgit v1.2.3


From 89e447e2001c0406fab6d2e6ca300a19d492435b Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sun, 1 Feb 2009 12:52:10 -0500
Subject: fix a bunch of directory references to the new data/share dirs

---
 src/monkeysphere-authentication | 15 ++++++++++-----
 src/monkeysphere-host           | 13 ++++++++-----
 src/share/ma/setup              | 12 ++++++++----
 src/share/ma/update_users       |  2 +-
 src/share/mh/gen_key            | 12 ++++++------
 src/share/mh/import_key         |  4 ++--
 tests/basic                     |  6 +-----
 7 files changed, 36 insertions(+), 28 deletions(-)

(limited to 'src/share/ma/setup')

diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication
index 4aaf02d..7c43aa8 100755
--- a/src/monkeysphere-authentication
+++ b/src/monkeysphere-authentication
@@ -12,20 +12,25 @@
 # version 3 or later.
 
 ########################################################################
+set -e
+
 PGRM=$(basename $0)
 
 SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
 export SYSSHAREDIR
 . "${SYSSHAREDIR}/common" || exit 1
 
+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
+export SYSDATADIR
+
 # sharedir for authentication functions
 MASHAREDIR="${SYSSHAREDIR}/ma"
 
-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
-export SYSDATADIR
+# datadir for authentication functions
+MADATADIR="${SYSDATADIR}/authentication"
 
 # temp directory to enable atomic moves of authorized_keys files
-MATMPDIR="${SYSDATADIR}/tmp"
+MATMPDIR="${MADATADIR}/tmp"
 export MSTMPDIR
 
 # UTC date in ISO 8601 format if needed
@@ -135,8 +140,8 @@ MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkey
 # other variables
 CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
 REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
-GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${SYSDATADIR}/authentication/core"}
-GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${SYSDATADIR}/authentication/sphere"}
+GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${MADATADIR}/core"}
+GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"}
 
 # export variables needed in su invocation
 export DATE
diff --git a/src/monkeysphere-host b/src/monkeysphere-host
index 0b37ba9..3f4a434 100755
--- a/src/monkeysphere-host
+++ b/src/monkeysphere-host
@@ -18,11 +18,14 @@ SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
 export SYSSHAREDIR
 . "${SYSSHAREDIR}/common" || exit 1
 
+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
+export SYSDATADIR
+
 # sharedir for host functions
 MHSHAREDIR="${SYSSHAREDIR}/mh"
 
-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
-export SYSDATADIR
+# datadir for host functions
+MHDATADIR="${SYSDATADIR}/host"
 
 # UTC date in ISO 8601 format if needed
 DATE=$(date -u '+%FT%T')
@@ -114,8 +117,8 @@ show_key() {
     gpg_host "--fingerprint --list-key --list-options show-unusable-uids $fingerprintPGP" 2>/dev/null
     echo "OpenPGP fingerprint: $fingerprintPGP"
 
-    if [ -f "${SYSDATADIR}/ssh_host_rsa_key.pub" ] ; then
-	fingerprintSSH=$(ssh-keygen -l -f "${SYSDATADIR}/ssh_host_rsa_key.pub" | \
+    if [ -f "${MHDATADIR}/ssh_host_rsa_key.pub" ] ; then
+	fingerprintSSH=$(ssh-keygen -l -f "${MHDATADIR}/ssh_host_rsa_key.pub" | \
 	    awk '{ print $1, $2, $4 }')
 	echo "ssh fingerprint: $fingerprintSSH"
     else
@@ -144,7 +147,7 @@ MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkey
 
 # other variables
 CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
-GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/host"}
+GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
 
 # export variables needed in su invocation
 export DATE
diff --git a/src/share/ma/setup b/src/share/ma/setup
index abce3af..672a960 100644
--- a/src/share/ma/setup
+++ b/src/share/ma/setup
@@ -12,8 +12,9 @@
 # version 3 or later.
 
 setup() {
-    # make the core and the sphere:
-    mkdir -p "${SYSDATADIR}"/authentication
+    # make all needed directories
+    mkdir -p "${MADATADIR}"
+    mkdir -p "${MATMPDIR}"
     mkdir -p "${GNUPGHOME_SPHERE}"
     mkdir -p "${GNUPGHOME_CORE}"
 
@@ -46,14 +47,17 @@ EOF
 
 	local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 </dev/urandom | base64))
     
-	local TMPLOC=$(mktemp -d ${MATMPDIR}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
-	ssh-keygen -q -b 2048 -t rsa -N'' "${TMPLOC}/authkey" || failure "Could not generate new key for Monkeysphere authentication trust core"
+	local TMPLOC=$(mktemp -d "${MATMPDIR}"/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
 
+	# generate the key with ssh-keygen...
+	ssh-keygen -q -b 1024 -t rsa -N '' -f "${TMPLOC}/authkey" || failure "Could not generate new key for Monkeysphere authentication trust core"
+	# and then translate to openpgp encoding and import
 	# FIXME: pem2openpgp currently sets the A flag and a short
 	# expiration date.  We should set the C flag and no expiration
 	# date.
 	< "${TMPLOC}/authkey" pem2openpgp "$CORE_UID" | gpg --import || failure "Could not import new key for Monkeysphere authentication trust core"
 
+	gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key
 	CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
 	if [ -z "$CORE_FPR" ] ; then
 	    failure "Failed to create Monkeysphere authentication trust core!"
diff --git a/src/share/ma/update_users b/src/share/ma/update_users
index 73685f6..e9e3cc6 100644
--- a/src/share/ma/update_users
+++ b/src/share/ma/update_users
@@ -35,7 +35,7 @@ MODE="authorized_keys"
 GNUPGHOME="$GNUPGHOME_SPHERE"
 
 # the authorized_keys directory
-authorizedKeysDir="${SYSDATADIR}/authentication/authorized_keys"
+authorizedKeysDir="${MADATADIR}/authorized_keys"
 
 # check to see if the gpg trust database has been initialized
 if [ ! -s "${GNUPGHOME}/trustdb.gpg" ] ; then
diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key
index 162a64e..c0445db 100644
--- a/src/share/mh/gen_key
+++ b/src/share/mh/gen_key
@@ -90,12 +90,12 @@ fingerprint=$(fingerprint_server_key)
 # NOTE: assumes that the primary key is the proper key to use
 (umask 077 && \
 	gpg_host --export-secret-key "$fingerprint" | \
-	openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
-log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
-ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub"
-log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub"
-gpg_host "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
-log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+	openpgp2ssh "$fingerprint" > "${MHDATADIR}/ssh_host_rsa_key")
+log info "SSH host private key output to file: ${MHDATADIR}/ssh_host_rsa_key"
+ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "${MHDATADIR}/ssh_host_rsa_key.pub"
+log info "SSH host public key output to file: ${MHDATADIR}/ssh_host_rsa_key.pub"
+gpg_host "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
+log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
 
 # show info about new key
 show_key
diff --git a/src/share/mh/import_key b/src/share/mh/import_key
index c0d5956..0f16d27 100644
--- a/src/share/mh/import_key
+++ b/src/share/mh/import_key
@@ -79,8 +79,8 @@ log verbose "setting ultimate owner trust for host key..."
 echo "${fingerprint}:6:" | gpg_host "--import-ownertrust"
 
 # export public key to file
-gpg_host "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
-log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+gpg_host "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
+log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
 
 # show info about new key
 show_key
diff --git a/tests/basic b/tests/basic
index e30f31b..b5afb23 100755
--- a/tests/basic
+++ b/tests/basic
@@ -209,16 +209,12 @@ echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID"
 
 # set up monkeysphere authentication
 echo "##################################################"
-echo "### configuring monkeysphere authentication..."
+echo "### setup monkeysphere authentication..."
 mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authentication/{authorized_keys,core,sphere,tmp}
 cp "$TESTDIR"/etc/monkeysphere/monkeysphere-authentication.conf "$TEMPDIR"/
 cat <<EOF >> "$TEMPDIR"/monkeysphere-authentication.conf
 AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authentication/authorized_user_ids"
 EOF
-
-# setup server authentication
-echo "##################################################"
-echo "### setting up server authentication..."
 monkeysphere-authentication setup
 get_gpg_prng_arg >> "$MONKEYSPHERE_SYSDATADIR"/authentication/sphere/gpg.conf
 
-- 
cgit v1.2.3