From 0f1c6ac9c3c18a46720a8b96854a6624f3a1b8df Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@phys.columbia.edu>
Date: Mon, 23 Jun 2008 20:17:22 -0400
Subject: fix some authorized_keys updating bugs in ms-server, and update to
use new ability of openpgp to handle 40 char fingerprints.
---
src/common | 4 +---
src/monkeysphere-server | 59 +++++++++++++++++++++----------------------------
2 files changed, 26 insertions(+), 37 deletions(-)
(limited to 'src')
diff --git a/src/common b/src/common
index 5bb0b79..986cc33 100644
--- a/src/common
+++ b/src/common
@@ -115,9 +115,7 @@ translate_ssh_variables() {
gpg2ssh() {
local keyID
- #keyID="$1" #TMP
- # only use last 16 characters until openpgp2ssh can take all 40 #TMP
- keyID=$(echo "$1" | cut -c 25-) #TMP
+ keyID="$1"
gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null
}
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 369555c..db2f428 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -190,58 +190,49 @@ case $COMMAND in
continue
fi
- # set authorized_user_ids variable,
- # translate ssh-style path variables
- authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
-
- # skip user if authorized_user_ids file does not exist
- if [ ! -f "$authorizedUserIDs" ] ; then
- #FIXME: what about a user with no authorized_user_ids
- # file, but with an authorized_keys file when
- # USER_CONTROLLED_AUTHORIZED_KEYS is set?
- continue
- fi
-
log "----- user: $uname -----"
+ # set authorized_user_ids variable, translating ssh-style
+ # path variables
+ authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
+
# temporary authorized_keys file
AUTHORIZED_KEYS=$(mktemp)
- # skip if the user's authorized_user_ids file is empty
- if [ ! -s "$authorizedUserIDs" ] ; then
- log "authorized_user_ids file '$authorizedUserIDs' is empty."
- #FIXME: what about a user with an empty
- # authorized_user_ids file, but with an
- # authorized_keys file when
- # USER_CONTROLLED_AUTHORIZED_KEYS is set?
- continue
- fi
-
# process authorized_user_ids file
- log "processing authorized_user_ids file..."
- process_authorized_user_ids "$authorizedUserIDs"
+ if [ -s "$authorizedUserIDs" ] ; then
+ log "processing authorized_user_ids file..."
+ process_authorized_user_ids "$authorizedUserIDs"
+ fi
# add user-controlled authorized_keys file path if specified
if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
- if [ -f "$userAuthorizedKeys" ] ; then
+ if [ -s "$userAuthorizedKeys" ] ; then
log -n "adding user's authorized_keys file... "
cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
loge "done."
fi
fi
- # openssh appears to check the contents of the
- # authorized_keys file as the user in question, so the file
- # must be readable by that user at least.
- # FIXME: is there a better way to do this?
- chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
- chmod g+r "$AUTHORIZED_KEYS"
+ # if the resulting authorized_keys file is not empty
+ if [ -s "$AUTHORIZED_KEYS" ] ; then
+ # openssh appears to check the contents of the
+ # authorized_keys file as the user in question, so the
+ # file must be readable by that user at least.
+ # FIXME: is there a better way to do this?
+ chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
+ chmod g+r "$AUTHORIZED_KEYS"
+
+ # move the temp authorized_keys file into place
+ mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
- # move the temp authorized_keys file into place
- mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
+ log "authorized_keys file updated."
- log "authorized_keys file updated."
+ # else destroy it
+ else
+ rm -f "$AUTHORIZED_KEYS"
+ fi
done
;;
--
cgit v1.2.3