From b7e17887ac20bc5916d830f5282b07f4c0360c2a Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sat, 31 Jan 2009 17:30:11 -0500
Subject: break out monkeysphere-{host,authentication} subcommands into
 seperate scripts.  MUCH MORE WORK NEEDED to get these working.

---
 src/subcommands/mh/diagnostics | 179 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 179 insertions(+)
 create mode 100755 src/subcommands/mh/diagnostics

(limited to 'src/subcommands/mh/diagnostics')

diff --git a/src/subcommands/mh/diagnostics b/src/subcommands/mh/diagnostics
new file mode 100755
index 0000000..f411e06
--- /dev/null
+++ b/src/subcommands/mh/diagnostics
@@ -0,0 +1,179 @@
+#!/usr/bin/env bash
+
+# Monkeysphere host diagnostics subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@fifthhorseman.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2008, and are all released under the GPL, version 3
+# or later.
+
+#  * check on the status and validity of the key and public certificates
+local seckey
+local keysfound
+local curdate
+local warnwindow
+local warndate
+local create
+local expire
+local uid
+local fingerprint
+local badhostkeys
+local sshd_config
+local problemsfound=0
+
+# FIXME: what's the correct, cross-platform answer?
+sshd_config=/etc/ssh/sshd_config
+seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
+keysfound=$(echo "$seckey" | grep -c ^sec:)
+curdate=$(date +%s)
+# warn when anything is 2 months away from expiration
+warnwindow='2 months'
+warndate=$(advance_date $warnwindow +%s)
+
+if ! id monkeysphere >/dev/null ; then
+    echo "! No monkeysphere user found!  Please create a monkeysphere system user with bash as its shell."
+    problemsfound=$(($problemsfound+1))
+fi
+
+if ! [ -d "$SYSDATADIR" ] ; then
+    echo "! no $SYSDATADIR directory found.  Please create it."
+    problemsfound=$(($problemsfound+1))
+fi
+
+echo "Checking host GPG key..."
+if (( "$keysfound" < 1 )); then
+    echo "! No host key found."
+    echo " - Recommendation: run 'monkeysphere-server gen-key'"
+    problemsfound=$(($problemsfound+1))
+elif (( "$keysfound" > 1 )); then
+    echo "! More than one host key found?"
+    # FIXME: recommend a way to resolve this
+    problemsfound=$(($problemsfound+1))
+else
+    create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
+    expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
+    fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
+    # check for key expiration:
+    if [ "$expire" ]; then
+	if (( "$expire"  < "$curdate" )); then
+	    echo "! Host key is expired."
+	    echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+	    problemsfound=$(($problemsfound+1))
+	elif (( "$expire" < "$warndate" )); then
+	    echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
+	    echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+	    problemsfound=$(($problemsfound+1))
+	fi
+    fi
+
+    # and weirdnesses:
+    if [ "$create" ] && (( "$create" > "$curdate" )); then
+	echo "! Host key was created in the future(?!). Is your clock correct?"
+	echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
+	problemsfound=$(($problemsfound+1))
+    fi
+    
+    # check for UserID expiration:
+    echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
+    while IFS=: read create expire uid ; do
+	# FIXME: should we be doing any checking on the form
+	# of the User ID?  Should we be unmangling it somehow?
+
+	if [ "$create" ] && (( "$create" > "$curdate" )); then
+	    echo "! User ID '$uid' was created in the future(?!).  Is your clock correct?"
+	    echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
+	    problemsfound=$(($problemsfound+1))
+	fi
+	if [ "$expire" ] ; then
+	    if (( "$expire" < "$curdate" )); then
+		echo "! User ID '$uid' is expired."
+		# FIXME: recommend a way to resolve this
+		problemsfound=$(($problemsfound+1))
+	    elif (( "$expire" < "$warndate" )); then
+		echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)		
+		# FIXME: recommend a way to resolve this
+		problemsfound=$(($problemsfound+1))
+	    fi
+	fi
+    done
+	    
+# FIXME: verify that the host key is properly published to the
+#   keyservers (do this with the non-privileged user)
+
+# FIXME: check that there are valid, non-expired certifying signatures
+#   attached to the host key after fetching from the public keyserver
+#   (do this with the non-privileged user as well)
+
+# FIXME: propose adding a revoker to the host key if none exist (do we
+#   have a way to do that after key generation?)
+
+    # Ensure that the ssh_host_rsa_key file is present and non-empty:
+    echo
+    echo "Checking host SSH key..."
+    if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then
+	echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty."
+	problemsfound=$(($problemsfound+1))
+    else
+	if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
+	    echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600."
+	    problemsfound=$(($problemsfound+1))
+	fi
+
+	# propose changes needed for sshd_config (if any)
+	if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then
+	    echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)."
+	    echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'"
+	    problemsfound=$(($problemsfound+1))
+	fi
+	if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then
+	    echo "! $sshd_config refers to some non-monkeysphere host keys:"
+	    echo "$badhostkeys"
+	    echo " - Recommendation: remove the above HostKey lines from $sshd_config"
+	    problemsfound=$(($problemsfound+1))
+	fi
+
+        # FIXME: test (with ssh-keyscan?) that the running ssh
+        # daemon is actually offering the monkeysphere host key.
+
+    fi
+fi
+
+# FIXME: look at the ownership/privileges of the various keyrings,
+#    directories housing them, etc (what should those values be?  can
+#    we make them as minimal as possible?)
+
+# FIXME: look to see that the ownertrust rules are set properly on the
+#    authentication keyring
+
+# FIXME: make sure that at least one identity certifier exists
+
+# FIXME: look at the timestamps on the monkeysphere-generated
+# authorized_keys files -- warn if they seem out-of-date.
+
+# FIXME: check for a cronjob that updates monkeysphere-generated
+# authorized_keys?
+
+echo
+echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
+# Ensure that User ID authentication is enabled:
+if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then
+    echo "! $sshd_config does not point to monkeysphere authorized keys."
+    echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'"
+    problemsfound=$(($problemsfound+1))
+fi
+if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then
+    echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
+    echo "$badauthorizedkeys"
+    echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
+    problemsfound=$(($problemsfound+1))
+fi
+
+if [ "$problemsfound" -gt 0 ]; then
+    echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
+    echo "  monkeysphere-server diagnostics"
+else
+    echo "Everything seems to be in order!"
+fi
-- 
cgit v1.2.3


From a0747749cbc7445e0cadaf0fbf1c92a2e86d1369 Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sat, 31 Jan 2009 18:04:21 -0500
Subject: turn subcommands into subfunctions, that will need to be sourced and
 executed.

---
 src/monkeysphere-host              | 29 +++++++++++++++++++++++++++++
 src/subcommands/mh/add-hostname    |  6 +++++-
 src/subcommands/mh/add-revoker     |  4 ++++
 src/subcommands/mh/diagnostics     |  7 ++++++-
 src/subcommands/mh/extend-key      |  4 ++++
 src/subcommands/mh/gen-key         |  2 +-
 src/subcommands/mh/import-key      |  2 +-
 src/subcommands/mh/publish-key     |  4 ++++
 src/subcommands/mh/revoke-hostname |  6 +++++-
 src/subcommands/mh/revoke-key      |  4 ++++
 src/subcommands/mh/show-key        | 37 -------------------------------------
 11 files changed, 63 insertions(+), 42 deletions(-)
 delete mode 100755 src/subcommands/mh/show-key

(limited to 'src/subcommands/mh/diagnostics')

diff --git a/src/monkeysphere-host b/src/monkeysphere-host
index 5c97aa6..7ba0700 100755
--- a/src/monkeysphere-host
+++ b/src/monkeysphere-host
@@ -131,6 +131,35 @@ check_host_keyring() {
 	|| failure "You don't appear to have a Monkeysphere host key on this server.  Please run 'monkeysphere-server gen-key' first."
 }
 
+# show info about the host key
+show_key() {
+    local fingerprintPGP
+    local fingerprintSSH
+    local ret=0
+
+    # FIXME: you shouldn't have to be root to see the host key fingerprint
+    if is_root ; then
+	check_host_keyring
+	fingerprintPGP=$(fingerprint_server_key)
+	gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprintPGP" 2>/dev/null
+	echo "OpenPGP fingerprint: $fingerprintPGP"
+    else
+	log info "You must be root to see host OpenPGP fingerprint."
+	ret='1'
+    fi
+
+    if [ -f "${SYSDATADIR}/ssh_host_rsa_key.pub" ] ; then
+	fingerprintSSH=$(ssh-keygen -l -f "${SYSDATADIR}/ssh_host_rsa_key.pub" | \
+	    awk '{ print $1, $2, $4 }')
+	echo "ssh fingerprint: $fingerprintSSH"
+    else
+	log info "SSH host key not found."
+	ret='1'
+    fi
+
+return $ret
+}
+
 ########################################################################
 # MAIN
 ########################################################################
diff --git a/src/subcommands/mh/add-hostname b/src/subcommands/mh/add-hostname
index fc1ae96..7726a29 100755
--- a/src/subcommands/mh/add-hostname
+++ b/src/subcommands/mh/add-hostname
@@ -12,6 +12,8 @@
 
 # add hostname user ID to server key
 
+add_hostname() {
+
 local userID
 local fingerprint
 local tmpuidMatch
@@ -61,7 +63,7 @@ if echo "$adduidCommand" | \
     # update the trustdb for the authentication keyring
     gpg_authentication "--check-trustdb"
 
-    show_server_key
+    show_key
 
     echo
     echo "NOTE: User ID added to key, but key not published."
@@ -69,3 +71,5 @@ if echo "$adduidCommand" | \
 else
     failure "Problem adding user ID."
 fi
+
+}
diff --git a/src/subcommands/mh/add-revoker b/src/subcommands/mh/add-revoker
index 8783cd1..8c4651e 100755
--- a/src/subcommands/mh/add-revoker
+++ b/src/subcommands/mh/add-revoker
@@ -12,5 +12,9 @@
 
 # add a revoker to the host key
 
+add_revoker() {
+
 # FIXME: implement!
 failure "not implemented yet!"
+
+}
diff --git a/src/subcommands/mh/diagnostics b/src/subcommands/mh/diagnostics
index f411e06..5b04b14 100755
--- a/src/subcommands/mh/diagnostics
+++ b/src/subcommands/mh/diagnostics
@@ -10,7 +10,10 @@
 # They are Copyright 2008, and are all released under the GPL, version 3
 # or later.
 
-#  * check on the status and validity of the key and public certificates
+# check on the status and validity of the key and public certificates
+
+diagnostics() {
+
 local seckey
 local keysfound
 local curdate
@@ -177,3 +180,5 @@ if [ "$problemsfound" -gt 0 ]; then
 else
     echo "Everything seems to be in order!"
 fi
+
+}
diff --git a/src/subcommands/mh/extend-key b/src/subcommands/mh/extend-key
index 755fe13..8f1ecc2 100755
--- a/src/subcommands/mh/extend-key
+++ b/src/subcommands/mh/extend-key
@@ -12,6 +12,8 @@
 
 # extend the lifetime of a host key:
 
+extend_key() {
+
 local fpr=$(fingerprint_server_key)
 local extendTo="$1"
 
@@ -27,3 +29,5 @@ EOF
 echo
 echo "NOTE: Host key expiration date adjusted, but not yet published."
 echo "Run '$PGRM publish-key' to publish the new expiration date."
+
+}
diff --git a/src/subcommands/mh/gen-key b/src/subcommands/mh/gen-key
index 37469c7..da2e40d 100755
--- a/src/subcommands/mh/gen-key
+++ b/src/subcommands/mh/gen-key
@@ -115,4 +115,4 @@ gpg_authentication "--export-options export-minimal --armor --export 0x${fingerp
 log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
 
 # show info about new key
-show_server_key
+show_key
diff --git a/src/subcommands/mh/import-key b/src/subcommands/mh/import-key
index c33550b..d60e982 100755
--- a/src/subcommands/mh/import-key
+++ b/src/subcommands/mh/import-key
@@ -82,4 +82,4 @@ gpg_authentication "--export-options export-minimal --armor --export 0x${fingerp
 log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
 
 # show info about new key
-show_server_key
+show_key
diff --git a/src/subcommands/mh/publish-key b/src/subcommands/mh/publish-key
index 792d858..8b36a18 100755
--- a/src/subcommands/mh/publish-key
+++ b/src/subcommands/mh/publish-key
@@ -12,6 +12,8 @@
 
 # publish server key to keyserver
 
+publish_key() {
+
 read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
 if [ ${OK/y/Y} != 'Y' ] ; then
     failure "key not published."
@@ -22,3 +24,5 @@ fingerprint=$(fingerprint_server_key)
 
 # publish host key
 gpg_authentication "--keyserver $KEYSERVER --send-keys '0x${fingerprint}!'"
+
+}
diff --git a/src/subcommands/mh/revoke-hostname b/src/subcommands/mh/revoke-hostname
index decac86..0a773a3 100755
--- a/src/subcommands/mh/revoke-hostname
+++ b/src/subcommands/mh/revoke-hostname
@@ -12,6 +12,8 @@
 
 # revoke hostname user ID from host key
 
+revoke_hostname() {
+
 local userID
 local fingerprint
 local tmpuidMatch
@@ -79,7 +81,7 @@ if echo "$revuidCommand" | \
     # update the trustdb for the authentication keyring
     gpg_authentication "--check-trustdb"
 
-    show_server_key
+    show_key
 
     echo
     echo "NOTE: User ID revoked, but revocation not published."
@@ -87,3 +89,5 @@ if echo "$revuidCommand" | \
 else
     failure "Problem revoking user ID."
 fi
+
+}
diff --git a/src/subcommands/mh/revoke-key b/src/subcommands/mh/revoke-key
index b4ce401..3810a0b 100755
--- a/src/subcommands/mh/revoke-key
+++ b/src/subcommands/mh/revoke-key
@@ -12,5 +12,9 @@
 
 # revoke host key
 
+revoke_key() {
+
 # FIXME: implement!
 failure "not implemented yet!"
+
+}
diff --git a/src/subcommands/mh/show-key b/src/subcommands/mh/show-key
deleted file mode 100755
index c62ec16..0000000
--- a/src/subcommands/mh/show-key
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/usr/bin/env bash
-
-# Monkeysphere host show-key subcommand
-#
-# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@fifthhorseman.net>
-# Jamie McClelland <jm@mayfirst.org>
-# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-#
-# They are Copyright 2008, and are all released under the GPL, version 3
-# or later.
-
-local fingerprintPGP
-local fingerprintSSH
-local ret=0
-
-# FIXME: you shouldn't have to be root to see the host key fingerprint
-if is_root ; then
-    check_host_keyring
-    fingerprintPGP=$(fingerprint_server_key)
-    gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprintPGP" 2>/dev/null
-    echo "OpenPGP fingerprint: $fingerprintPGP"
-else
-    log info "You must be root to see host OpenPGP fingerprint."
-    ret='1'
-fi
-
-if [ -f "${SYSDATADIR}/ssh_host_rsa_key.pub" ] ; then
-    fingerprintSSH=$(ssh-keygen -l -f "${SYSDATADIR}/ssh_host_rsa_key.pub" | \
-	awk '{ print $1, $2, $4 }')
-    echo "ssh fingerprint: $fingerprintSSH"
-else
-    log info "SSH host key not found."
-    ret='1'
-fi
-
-return $ret
-- 
cgit v1.2.3