From c09ac0eb561a67c152c63c7de635040713e13b09 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 2 Sep 2008 15:39:34 -0700 Subject: created new VERBOSE log level, and moved most INFO stuff to that level. --- src/common | 24 ++++++++++++------------ src/monkeysphere | 4 ++-- src/monkeysphere-server | 14 +++++++------- 3 files changed, 21 insertions(+), 21 deletions(-) (limited to 'src') diff --git a/src/common b/src/common index 3b3b7a5..c70ba64 100644 --- a/src/common +++ b/src/common @@ -42,7 +42,7 @@ log() { # list in decreasing verbosity (all caps). # separate with $IFS explicitly, since we do some fancy footwork # elsewhere. - alllevels="DEBUG${IFS}INFO${IFS}ERROR" + alllevels="DEBUG${IFS}VERBOSE${IFS}INFO${IFS}ERROR" # translate lowers to uppers in global log level LOG_LEVEL=$(echo "$LOG_LEVEL" | tr "[:lower:]" "[:upper:]") @@ -413,7 +413,7 @@ gpg_fetch_userid() { userID="$1" - log info " checking keyserver $KEYSERVER... " + log verbose " checking keyserver $KEYSERVER... " echo 1,2,3,4,5 | \ gpg --quiet --batch --with-colons \ --command-fd 0 --keyserver "$KEYSERVER" \ @@ -485,7 +485,7 @@ process_user_id() { # if the gpg query return code is not 0, return 1 if [ "$?" -ne 0 ] ; then - log info " no primary keys found." + log verbose " no primary keys found." return 1 fi @@ -502,7 +502,7 @@ process_user_id() { lastKeyOK= fingerprint= - log info " primary key found: $keyid" + log verbose " primary key found: $keyid" # if overall key is not valid, skip if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then @@ -551,7 +551,7 @@ process_user_id() { # output a line for the primary key # 0 = ok, 1 = bad if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then - log info " * acceptable primary key." + log verbose " * acceptable primary key." if [ -z "$sshKey" ] ; then log error " ! primary key could not be translated (not RSA or DSA?)." else @@ -607,7 +607,7 @@ process_user_id() { # output a line for the sub key # 0 = ok, 1 = bad if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then - log info " * acceptable sub key." + log verbose " * acceptable sub key." if [ -z "$sshKey" ] ; then log error " ! sub key could not be translated (not RSA or DSA?)." else @@ -642,7 +642,7 @@ process_host_known_hosts() { host="$1" userID="ssh://${host}" - log info "processing: $host" + log verbose "processing: $host" nKeys=0 nKeysOK=0 @@ -743,7 +743,7 @@ update_known_hosts() { # note if the known_hosts file was updated if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then - log info "known_hosts file updated." + log verbose "known_hosts file updated." fi # if an acceptable host was found, return 0 @@ -766,7 +766,7 @@ update_known_hosts() { process_known_hosts() { local hosts - log info "processing known_hosts file..." + log verbose "processing known_hosts file..." hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ') @@ -791,7 +791,7 @@ process_uid_authorized_keys() { userID="$1" - log info "processing: $userID" + log verbose "processing: $userID" nKeys=0 nKeysOK=0 @@ -886,7 +886,7 @@ update_authorized_keys() { # note if the authorized_keys file was updated if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then - log info "authorized_keys file updated." + log verbose "authorized_keys file updated." fi # if an acceptable id was found, return 0 @@ -913,7 +913,7 @@ process_authorized_user_ids() { authorizedUserIDs="$1" - log info "processing authorized_user_ids file..." + log verbose "processing authorized_user_ids file..." if ! meat "$authorizedUserIDs" > /dev/null ; then log error "no user IDs to process." diff --git a/src/monkeysphere b/src/monkeysphere index b0003fc..92beafd 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -146,7 +146,7 @@ save EOF ) - log info "generating subkey..." + log verbose "generating subkey..." fifoDir=$(mktemp -d) (umask 077 && mkfifo "$fifoDir/pass") echo "$editCommands" | gpg --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --edit-key "$keyID" & @@ -155,7 +155,7 @@ EOF rm -rf "$fifoDir" wait - log info "done." + log verbose "done." } function subkey_to_ssh_agent() { diff --git a/src/monkeysphere-server b/src/monkeysphere-server index ad94786..084e0d5 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -157,7 +157,7 @@ update_users() { for uname in $unames ; do # check all specified users exist if ! getent passwd "$uname" >/dev/null ; then - log info "----- unknown user '$uname' -----" + log verbose "----- unknown user '$uname' -----" continue fi @@ -173,17 +173,17 @@ update_users() { fi fi - log info "----- user: $uname -----" + log verbose "----- user: $uname -----" # exit if the authorized_user_ids file is empty if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then - log error "Improper permissions on authorized_user_ids file path." + log error "Improper permissions on path '$AUTHORIZED_USER_IDS'." continue fi # check permissions on the authorized_keys file path if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then - log error "Improper permissions on authorized_keys file path path." + log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'." continue fi @@ -227,7 +227,7 @@ update_users() { # add user-controlled authorized_keys file path if specified if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then - log info "adding raw authorized_keys file... " + log verbose "adding raw authorized_keys file... " cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" fi @@ -346,7 +346,7 @@ EOF EOF ) - log info "generating server key..." + log verbose "generating server key..." echo "$keyParameters" | gpg_host --batch --gen-key # output the server fingerprint @@ -356,7 +356,7 @@ EOF fingerprint=$(fingerprint_server_key) # export host ownertrust to authentication keyring - log info "setting ultimate owner trust for server key..." + log verbose "setting ultimate owner trust for server key..." echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust" # translate the private key to ssh format, and export to a file -- cgit v1.2.3 From 451f5499c39a406fbd12871bc46d692d528d3e5f Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 2 Sep 2008 18:49:53 -0400 Subject: monkeysphere-server update-users on a bad name should warrant an error. --- src/monkeysphere-server | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 084e0d5..4c7df19 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -157,7 +157,7 @@ update_users() { for uname in $unames ; do # check all specified users exist if ! getent passwd "$uname" >/dev/null ; then - log verbose "----- unknown user '$uname' -----" + log error "----- unknown user '$uname' -----" continue fi -- cgit v1.2.3 From e883a0593667b94cabdbb12773f5c52b46c3aeba Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 2 Sep 2008 19:02:55 -0400 Subject: checking a keyserver should warn at level INFO, since it is a potential information leak. --- debian/changelog | 4 ++++ src/common | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/debian/changelog b/debian/changelog index 92c56ea..efb4a9c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,12 @@ monkeysphere (0.12-1) UNRELEASED; urgency=low + [ Jameson Graef Rollins ] * Improved output handling. New LOG_LEVEL variable. + + [ Daniel Kahn Gillmor ] * debian/control: switched Homepage: and Vcs-Git: to canonicalized upstream hostnames. + * updated documentation for new release. -- Daniel Kahn Gillmor Tue, 02 Sep 2008 18:54:29 -0400 diff --git a/src/common b/src/common index c70ba64..7768335 100644 --- a/src/common +++ b/src/common @@ -413,7 +413,7 @@ gpg_fetch_userid() { userID="$1" - log verbose " checking keyserver $KEYSERVER... " + log info " checking keyserver $KEYSERVER... " echo 1,2,3,4,5 | \ gpg --quiet --batch --with-colons \ --command-fd 0 --keyserver "$KEYSERVER" \ -- cgit v1.2.3 From aefec8e2f77cf0bba2ea971607c1882925a197e2 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 2 Sep 2008 16:10:39 -0700 Subject: some cleanup to the proxycommand. --- src/monkeysphere-ssh-proxycommand | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index cc81020..c37d754 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -13,10 +13,6 @@ # established. Can be added to ~/.ssh/config as follows: # ProxyCommand monkeysphere-ssh-proxycommand %h %p -######################################################################## -SHARE=${MONKEYSPHERE_SHARE:-"/usr/share/monkeysphere"} -. "${SHARE}/common" || exit 1 - ######################################################################## usage() { @@ -38,8 +34,6 @@ fi HOST="$1" PORT="$2" -MS_HOME=${MS_HOME:-"${HOME}/.config/monkeysphere"} - if [ -z "$HOST" ] ; then echo "Host not specified." >&2 usage @@ -57,6 +51,12 @@ else fi URI="ssh://${HOSTP}" +# specify keyserver checking. the behavior of this proxy command is +# intentially different than that of running monkeyesphere normally, +# and keychecking is intentially done unders certain circumstances. +# This can be overridden by setting the MONKEYSPHERE_CHECK_KEYSERVER +# variable on the command line. + # if the host is in the gpg keyring... if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then # do not check the keyserver @@ -81,7 +81,7 @@ else CHECK_KEYSERVER="true" fi fi - +# set and export the variable for use by monkeysphere MONKEYSPHERE_CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="$CHECK_KEYSERVER"} export MONKEYSPHERE_CHECK_KEYSERVER -- cgit v1.2.3 From fcfb94ec8b3195a107627fecb3765a4b825db5d3 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 2 Sep 2008 19:45:14 -0400 Subject: editing comments in monkeysphere-ssh-proxycommand. --- src/monkeysphere-ssh-proxycommand | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index c37d754..a7b87ca 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -52,10 +52,10 @@ fi URI="ssh://${HOSTP}" # specify keyserver checking. the behavior of this proxy command is -# intentially different than that of running monkeyesphere normally, -# and keychecking is intentially done unders certain circumstances. -# This can be overridden by setting the MONKEYSPHERE_CHECK_KEYSERVER -# variable on the command line. +# intentionally different than that of running monkeyesphere normally, +# and keyserver checking is intentionally done under certain +# circumstances. This can be overridden by setting the +# MONKEYSPHERE_CHECK_KEYSERVER environment variable. # if the host is in the gpg keyring... if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then -- cgit v1.2.3 From 0352609ba566585484da022b6512520629b9981f Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 2 Sep 2008 21:24:33 -0400 Subject: tuning how monkeysphere looks for secret keys. --- src/monkeysphere | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/monkeysphere b/src/monkeysphere index 92beafd..471da20 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -93,7 +93,7 @@ gen_subkey(){ if [ -z "$1" ] ; then # find all secret keys - keyID=$(gpg --with-colons --list-secret-keys | grep ^sec | cut -f5 -d:) + keyID=$(gpg --with-colons --list-secret-keys | grep ^sec | cut -f5 -d: | sort -u) # if multiple sec keys exist, fail if (( $(echo "$keyID" | wc -l) > 1 )) ; then echo "Multiple secret keys found:" @@ -115,7 +115,7 @@ key before joining the monkeysphere. You can do this with: # fail if multiple sec lines are returned, which means the id # given is not unique - if [ $(echo "$gpgOut" | grep '^sec:' | wc -l) -gt '1' ] ; then + if [ $(echo "$gpgOut" | grep -c '^sec:') -gt '1' ] ; then failure "Key ID '$keyID' is not unique." fi -- cgit v1.2.3