From 267c6fcda592494466beed500ef78ad955edea8c Mon Sep 17 00:00:00 2001 From: Jameson Rollins Date: Sun, 17 Oct 2010 19:14:31 -0400 Subject: fix keys-for-user This function now properly outputs to stdout exactly what would have been written to the monkeysphere-controlled authorized_keys file, but without actually touching it. --- src/share/ma/keys_for_user | 53 ---------------------------------------------- src/share/ma/update_users | 28 ++++++++++++++---------- 2 files changed, 17 insertions(+), 64 deletions(-) delete mode 100644 src/share/ma/keys_for_user (limited to 'src/share') diff --git a/src/share/ma/keys_for_user b/src/share/ma/keys_for_user deleted file mode 100644 index 6f61828..0000000 --- a/src/share/ma/keys_for_user +++ /dev/null @@ -1,53 +0,0 @@ -# -*-shell-script-*- -# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) - -# Monkeysphere authentication keys-for-user subcommand -# -# The monkeysphere scripts are written by: -# Jameson Rollins -# Daniel Kahn Gillmor -# -# They are Copyright 2008-2010, and are all released under the GPL, -# version 3 or later. - -# This command could be run as an sshd AuthorizedKeysCommand to -# provide the authorized keys for a user, based on OpenPGP user id's -# listed in the user's authorized_user_ids file. - -keys_for_user() { - -local uname -local authorizedUserIDs -local line - -# get users from command line -uname="$1" - -# path to authorized_user_ids file, translating ssh-style path -# variables -authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") - -# exit if the authorized_user_ids file is empty -if [ ! -s "$authorizedUserIDs" ] ; then - failure "authorized_user_ids file '$authorizedUserIDs' is empty or does not exist." -fi - -log debug "authorized_user_ids file: $authorizedUserIDs" - -# check permissions on the authorized_user_ids file path -check_key_file_permissions "$uname" "$authorizedUserIDs" || failure - -GNUPGHOME="$GNUPGHOME_SPHERE" -export GNUPGHOME - -# extract user IDs from authorized_user_ids file -IFS=$'\n' -for line in $(meat "$authorizedUserIDs") ; do - if [[ "$line" =~ ^[[:space:]] ]] ; then - continue - fi - printf '%s' "$line" | \ - su_monkeysphere_user ". ${SYSSHAREDIR}/common; read X; keys_for_userid \"\$X\"" || true -done - -} diff --git a/src/share/ma/update_users b/src/share/ma/update_users index 0086cd3..91acd66 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users @@ -129,17 +129,23 @@ for uname in $unames ; do # the same uid that sshd is launched as); change the group of # the file so that members of the user's group can read it. - # FIXME: is there a better way to do this? - chown $(whoami) "$AUTHORIZED_KEYS" && \ - chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \ - chmod g+r "$AUTHORIZED_KEYS" && \ - mv -f "$AUTHORIZED_KEYS" "${authorizedKeysDir}/${uname}" || \ - { - log error "Failed to install authorized_keys for '$uname'!" - rm -f "${authorizedKeysDir}/${uname}" - # indicate that there has been a failure: - returnCode=1 - } + if [ "$OUTPUT_STDOUT" ] ; then + log debug "outputting keys to stdout..." + cat "$AUTHORIZED_KEYS" + else + log debug "moving new file to ${authorizedKeysDir}/${uname}..." + # FIXME: is there a better way to do this? + chown $(whoami) "$AUTHORIZED_KEYS" && \ + chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \ + chmod g+r "$AUTHORIZED_KEYS" && \ + mv -f "$AUTHORIZED_KEYS" "${authorizedKeysDir}/${uname}" || \ + { + log error "Failed to install authorized_keys for '$uname'!" + rm -f "${authorizedKeysDir}/${uname}" + # indicate that there has been a failure: + returnCode=1 + } + fi else rm -f "${authorizedKeysDir}/${uname}" fi -- cgit v1.2.3