From 4d9da8f75a38327d4a9fc1506739221f9fea9c2a Mon Sep 17 00:00:00 2001 From: mike castleman Date: Sat, 11 Jul 2009 15:45:32 -0400 Subject: don't use read -p; it is sucky (closes: #446) --- src/monkeysphere | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/monkeysphere b/src/monkeysphere index 6f43632..c45a36f 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -144,7 +144,8 @@ check_gpg_authentication_subkey() { if [ "$validity" = 'u' ] ; then echo "A valid authentication key already exists for primary key '$keyID'." 1>&2 if [ "$PROMPT" = "true" ] ; then - read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:N} + printf "Are you sure you would like to generate another one? (y/N) " + read OK; OK=${OK:N} if [ "${OK/y/Y}" != 'Y' ] ; then failure "aborting." fi -- cgit v1.2.3 From 134b8c66bec679556bec90c4eef937d464a7950e Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 11 Jul 2009 16:00:22 -0400 Subject: explicitly set MONKEYSPHERE_GROUP The monkeysphere group is now determined from the system "groups" command, and then MONKEYSPHERE_GROUP is explicitly set from this, and then used when setting group ownership. --- src/monkeysphere-authentication | 2 ++ src/monkeysphere-host | 2 ++ src/share/ma/setup | 6 +++--- src/share/mh/add_revoker | 2 +- src/share/mh/publish_key | 2 +- 5 files changed, 9 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 5b98153..0e6f986 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication 
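Review bot: `OK=${OK:N}` on the new `read OK` line in check_gpg_authentication_subkey is a substring expansion, not a default; in bash `N` is evaluated as an arithmetic offset (0 when unset), so the statement leaves `OK` unchanged. The prompt still fails closed because an empty answer is not `Y`, but the intent is presumably `OK=${OK:-N}`, matching the `:-`/`:=` forms the other prompts on this page use. I would also write `read -r OK` so a backslash in the answer is not interpreted. The function body starts and ends outside the hunk.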
@@ -120,6 +120,7 @@ LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL} KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER} CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=$CHECK_KEYSERVER} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=$MONKEYSPHERE_USER} +MONKEYSPHERE_GROUP=$(groups "$MONKEYSPHERE_USER" | cut -d: -f2 | awk '{ print $1 }') PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT} AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=$AUTHORIZED_USER_IDS} RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=$RAW_AUTHORIZED_KEYS} @@ -137,6 +138,7 @@ export MODE export LOG_LEVEL export KEYSERVER export MONKEYSPHERE_USER +export MONKEYSPHERE_GROUP export PROMPT export CHECK_KEYSERVER export REQUIRED_USER_KEY_CAPABILITY diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 507b47f..60b627a 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -226,6 +226,7 @@ LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL} KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER} CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=$CHECK_KEYSERVER} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=$MONKEYSPHERE_USER} +MONKEYSPHERE_GROUP=$(groups "$MONKEYSPHERE_USER" | cut -d: -f2 | awk '{ print $1 }') PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT} # other variables @@ -238,6 +239,7 @@ export LOG_LEVEL export KEYSERVER export CHECK_KEYSERVER export MONKEYSPHERE_USER +export MONKEYSPHERE_GROUP export PROMPT export GNUPGHOME_HOST export GNUPGHOME diff --git a/src/share/ma/setup b/src/share/ma/setup index 4c87009..0ed0406 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup 
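Review bot: Nothing checks that the new `MONKEYSPHERE_GROUP=$(groups "$MONKEYSPHERE_USER" | ...)` assignment in src/monkeysphere-authentication produced a value; if `groups` fails (for example because the user does not exist), the variable is exported empty. The same line is added to src/monkeysphere-host, and the setup, add_revoker and publish_key hunks of this commit then pass the value to `chgrp`/`chown` on the GnuPG home and temporary directories, where a failure would leave ownership other than intended. I would add a guard right after the assignment, something like `[ -n "$MONKEYSPHERE_GROUP" ] || failure "could not determine group for user '$MONKEYSPHERE_USER'."`, assuming `failure` is already defined at that point in the script.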
@@ -16,10 +16,10 @@ setup() { log debug "checking authentication directory structure..." mkdir -p "${MADATADIR}" chmod 0750 "${MADATADIR}" - chgrp "$MONKEYSPHERE_USER" "${MADATADIR}" + chgrp "$MONKEYSPHERE_GROUP" "${MADATADIR}" mkdir -p "${MATMPDIR}" chmod 0750 "${MATMPDIR}" - chgrp "$MONKEYSPHERE_USER" "${MATMPDIR}" + chgrp "$MONKEYSPHERE_GROUP" "${MATMPDIR}" mkdir -p "${GNUPGHOME_CORE}" chmod 0700 "${GNUPGHOME_CORE}" mkdir -p "${GNUPGHOME_SPHERE}" @@ -48,7 +48,7 @@ EOF # make sure the monkeysphere user owns everything in the sphere # gnupghome log debug "fixing sphere gnupg home ownership..." - chown "$MONKEYSPHERE_USER:$MONKEYSPHERE_USER" "${GNUPGHOME_SPHERE}" "${GNUPGHOME_SPHERE}"/gpg.conf + chown "$MONKEYSPHERE_USER:$MONKEYSPHERE_GROUP" "${GNUPGHOME_SPHERE}" "${GNUPGHOME_SPHERE}"/gpg.conf # get fingerprint of core key. this should be empty on unconfigured systems. local CORE_FPR=$(core_fingerprint) diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker index 077b0d0..c83cb24 100644 --- a/src/share/mh/add_revoker +++ b/src/share/mh/add_revoker @@ -64,7 +64,7 @@ else # fix permissions and ownership on temporary directory which will # be used by monkeysphere user for storing the downloaded key chmod 0700 "$tmpDir" - chown "$MONKEYSPHERE_USER":"$MONKEYSPHERE_USER" "$tmpDir" + chown "$MONKEYSPHERE_USER":"$MONKEYSPHERE_GROUP" "$tmpDir" # download the key from the keyserver as the monkeysphere user log verbose "searching keyserver $KEYSERVER for keyID $keyID..." diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key index b0ffd93..ab1b2dc 100644 --- a/src/share/mh/publish_key +++ b/src/share/mh/publish_key @@ -29,7 +29,7 @@ fi # create a temporary gnupg directory from which to publish the key export GNUPGHOME=$(msmktempdir) chmod 0700 "$GNUPGHOME" -chown "$MONKEYSPHERE_USER":"$MONKEYSPHERE_USER" "$GNUPGHOME" +chown "$MONKEYSPHERE_USER":"$MONKEYSPHERE_GROUP" "$GNUPGHOME" # trap to remove tmp dir if break trap "rm -rf $GNUPGHOME" EXIT -- cgit v1.2.3 
From a2704823c7770bc8df9377116877fcca78c3ea12 Mon Sep 17 00:00:00 2001 From: mike castleman Date: Sat, 11 Jul 2009 16:19:31 -0400 Subject: more replacement of read -p with printf; read (re #446) --- src/monkeysphere | 2 +- src/share/common | 3 ++- src/share/ma/add_certifier | 4 ++-- src/share/ma/remove_certifier | 3 ++- src/share/mh/add_hostname | 5 ++--- src/share/mh/add_revoker | 4 ++-- src/share/mh/publish_key | 3 ++- src/share/mh/revoke_hostname | 16 ++++++++-------- src/share/mh/revoke_key | 6 ++++-- src/share/mh/set_expire | 3 ++- tests/common | 3 ++- 11 files changed, 29 insertions(+), 23 deletions(-) (limited to 'src') diff --git a/src/monkeysphere b/src/monkeysphere index c45a36f..341b9fd 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -144,7 +144,7 @@ check_gpg_authentication_subkey() { if [ "$validity" = 'u' ] ; then echo "A valid authentication key already exists for primary key '$keyID'." 1>&2 if [ "$PROMPT" = "true" ] ; then - printf "Are you sure you would like to generate another one? (y/N) " + printf "Are you sure you would like to generate another one? (y/N) " >&2 read OK; OK=${OK:N} if [ "${OK/y/Y}" != 'Y' ] ; then failure "aborting." diff --git a/src/share/common b/src/share/common index bd887d3..c88857e 100644 --- a/src/share/common +++ b/src/share/common @@ -291,7 +291,8 @@ Please specify how long the key should be valid. y = key expires in n years EOF while [ -z "$keyExpire" ] ; do - read -p "Key is valid for? (0) " keyExpire + printf "Key is valid for? (0) " >&2 + read keyExpire if ! test_gpg_expire ${keyExpire:=0} ; then echo "invalid value" >&2 unset keyExpire diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index 402da08..1601997 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier 
@@ -136,8 +136,8 @@ EOF gpg_sphere "--fingerprint 0x${fingerprint}!" if [ "$PROMPT" = "true" ] ; then - echo "Are you sure you want to add the above key as a certifier" - read -p "of users on this system? (Y/n) " OK; OK=${OK:-Y} + printf "Are you sure you want to add the above key as a certifier\nof users on this system? (Y/n) " >&2 + read OK; OK=${OK:-Y} if [ "${OK/y/Y}" != 'Y' ] ; then failure "Identity certifier not added." fi diff --git a/src/share/ma/remove_certifier b/src/share/ma/remove_certifier index 6c90358..79f1cda 100644 --- a/src/share/ma/remove_certifier +++ b/src/share/ma/remove_certifier @@ -27,7 +27,8 @@ fi gpg_core --list-key --fingerprint "0x${keyID}!" || failure if [ "$PROMPT" = "true" ] ; then - read -p "Really remove the above listed identity certifier? (Y/n) " OK; OK=${OK:-Y} + printf "Really remove the above listed identity certifier? (Y/n) " >&2 + read OK; OK=${OK:-Y} if [ "${OK/y/Y}" != 'Y' ] ; then failure "Identity certifier not removed." fi diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname index 36f174d..9465d96 100644 --- a/src/share/mh/add_hostname +++ b/src/share/mh/add_hostname @@ -32,9 +32,8 @@ find_host_userid > /dev/null && \ failure "Host userID '$userID' already exists." if [ "$PROMPT" = "true" ] ; then - read -p "The following user ID will be added to the host key: - $userID -Are you sure you would like to add this user ID? (Y/n) " OK; OK=${OK:=Y} + printf "The following user ID will be added to the host key:\n %s\nAre you sure you would like to add this user ID? (Y/n) " "$userID" >&2 + read OK; OK=${OK:=Y} if [ "${OK/y/Y}" != 'Y' ] ; then failure "User ID not added." fi diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker index 077b0d0..e58995b 100644 --- a/src/share/mh/add_revoker +++ b/src/share/mh/add_revoker 
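Review bot: In the add_certifier prompt, `read OK; OK=${OK:-Y}` ignores the exit status of `read`, so when stdin is closed or at end-of-file the answer is empty, defaults to `Y`, and the key is added as a certifier without anyone confirming. The same default-yes pattern is on the new lines in remove_certifier and add_hostname here, and in add_revoker, publish_key, the second revoke_hostname hunk and set_expire later in this commit. For operations that change trust I would fail closed on a read error, e.g. `read -r OK || failure "could not read confirmation."` followed by `OK=${OK:-Y}`. This assumes errexit is not set by the caller, which is not visible in the hunk.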
@@ -90,8 +90,8 @@ EOF su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --fingerprint 0x${fingerprint}!" if [ "$PROMPT" = "true" ] ; then - read -p "Are you sure you want to add the above key as a revoker -of the host key? (Y/n) " OK; OK=${OK:-Y} + printf "Are you sure you want to add the above key as a revoker\nof the host key? (Y/n) " >&2 + read OK; OK=${OK:-Y} if [ "${OK/y/Y}" != 'Y' ] ; then failure "revoker not added." fi diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key index b0ffd93..f6e1c0f 100644 --- a/src/share/mh/publish_key +++ b/src/share/mh/publish_key @@ -18,7 +18,8 @@ publish_key() { local GNUPGHOME if [ "$PROMPT" = "true" ] ; then - read -p "Really publish host key to $KEYSERVER? (Y/n) " OK; OK=${OK:=Y} + printf "Really publish host key to $KEYSERVER? (Y/n) " >&2 + read OK; OK=${OK:=Y} if [ "${OK/y/Y}" != 'Y' ] ; then failure "key not published." fi diff --git a/src/share/mh/revoke_hostname b/src/share/mh/revoke_hostname index 5dc327f..44ba312 100644 --- a/src/share/mh/revoke_hostname +++ b/src/share/mh/revoke_hostname @@ -27,11 +27,12 @@ if [ -z "$1" ] ; then failure "You must specify a hostname to revoke." fi -echo "WARNING: There is a known bug in this function." -echo "This function has been known to occasionally revoke the wrong hostname." -echo "Please see the following bug report for more information:" -echo "https://labs.riseup.net/code/issues/show/422" -read -p "Are you sure you would like to proceed? (y/N) " OK; OK=${OK:=N} +echo "WARNING: There is a known bug in this function. +This function has been known to occasionally revoke the wrong hostname. +Please see the following bug report for more information: +https://labs.riseup.net/code/issues/show/422" >&2 +printf "Are you sure you would like to proceed? (y/N) " >&2 +read OK; OK=${OK:=N} if [ ${OK/y/Y} != 'Y' ] ; then failure "aborting." fi 
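Review bot: The new prompt in publish_key puts `$KEYSERVER` inside the printf format string, so a `%` or backslash in the configured keyserver value is interpreted as a format directive instead of being printed. The add_hostname and set_expire hunks of this same commit already pass their variable as a `%s` argument; for consistency this should be `printf "Really publish host key to %s? (Y/n) " "$KEYSERVER" >&2`. The second revoke_key hunk (`Really publish this cert to $KEYSERVER ?`) has the same form.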
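Review bot: The test after the new `read OK` in the first revoke_hostname hunk, `if [ ${OK/y/Y} != 'Y' ]`, is unquoted, so an answer containing a space (a constructed example: `no thanks`) makes `[` fail with a "too many arguments" error; the `if` then treats the condition as false and the script continues past the abort. Every other prompt in this commit quotes the expansion; this one should read `if [ "${OK/y/Y}" != 'Y' ] ; then`. Since this prompt guards a function that its own warning describes as occasionally revoking the wrong hostname, it should fail closed on unexpected input.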
@@ -43,9 +44,8 @@ uidIndex=$(find_host_userid) || \ failure "No non-revoked user ID found matching '$userID'." if [ "$PROMPT" = "true" ] ; then - read -p "The following host key user ID will be revoked: - $userID -Are you sure you would like to revoke this user ID? (Y/n) " OK; OK=${OK:=Y} + printf "The following host key user ID will be revoked:\n %s\nAre you sure you would like to revoke this user ID? (Y/n) " "$userID" >&2 + read OK; OK=${OK:=Y} if [ "${OK/y/Y}" != 'Y' ] ; then failure "User ID not revoked." fi diff --git a/src/share/mh/revoke_key b/src/share/mh/revoke_key index ad68d5f..5460e51 100644 --- a/src/share/mh/revoke_key +++ b/src/share/mh/revoke_key @@ -33,7 +33,8 @@ Publishing this certificate will IMMEDIATELY and PERMANENTLY revoke your host key! EOF - read -p "Publish the certificate after generation? (y/n/Q) " publish + printf "Publish the certificate after generation? (y/n/Q) " >&2 + read publish if ! [ "${publish/y/Y}" = 'Y' -o "${publish/n/N}" = 'N' ] ; then failure "aborting at user request" @@ -87,7 +88,8 @@ y if [ "${publish/y/Y}" = 'Y' ] ; then printf "\n" >&2 - read -p "Really publish this cert to $KEYSERVER ? (Y/n) " really + printf "Really publish this cert to $KEYSERVER ? (Y/n) " >&2 + read really if [ "${really/n/N}" = 'N' ] ; then printf "Not publishing.\n" >&2 else diff --git a/src/share/mh/set_expire b/src/share/mh/set_expire index a6bf1f1..9889e76 100644 --- a/src/share/mh/set_expire +++ b/src/share/mh/set_expire @@ -22,7 +22,8 @@ local extendTo extendTo=$(get_gpg_expiration "$1") if [ "$PROMPT" = "true" ] ; then - read -p "Are you sure you want to change the expiration on the host key to '$extendTo'? (Y/n) " OK; OK=${OK:-Y} + printf "Are you sure you want to change the expiration on the host key to '%s'? (Y/n) " "$extendTo" >&2 + read OK; OK=${OK:-Y} if [ "${OK/y/Y}" != 'Y' ] ; then failure "expiration not set." fi diff --git a/tests/common b/tests/common index 6d732c8..727ad0f 100644 --- a/tests/common +++ b/tests/common 
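Review bot: The confirmation after the new `read really` in the second revoke_key hunk only declines when the answer is exactly `n` or `N`: `[ "${really/n/N}" = 'N' ]` turns `no` into `No`, which does not match, so control falls to the else branch. For a step the script's own text calls immediate and permanent, I would test for an affirmative answer instead, e.g. `if [ -n "$really" ] && [ "${really/y/Y}" != 'Y' ] ; then`, which keeps the empty-input default of yes but declines on anything else. The `if`/`else` continues outside the hunk, so the publishing branch itself is not visible here.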
@@ -4,7 +4,8 @@ failed_cleanup() { # FIXME: can we be more verbose here? echo 'FAILED!' if [ -z "$MONKEYSPHERE_TEST_NO_EXAMINE" ] ; then - read -p "press enter to cleanup and remove tmp (or type 'bash' for a subshell to examine): " XX + printf "press enter to cleanup and remove tmp (or type 'bash' for a subshell to examine): " >&2 + read XX if [ "$XX" = bash ] ; then echo "Entering subshell..." cd "$TEMPDIR" -- cgit v1.2.3 From ba3ca3e10f4975510dfeedcb6dfe8e2374ca3097 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 11 Jul 2009 16:25:52 -0400 Subject: improve function to get primary group to make it more portable --- src/monkeysphere-authentication | 2 +- src/monkeysphere-host | 2 +- src/share/common | 6 ++++++ 3 files changed, 8 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 0e6f986..5b30628 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -120,7 +120,7 @@ LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL} KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER} CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=$CHECK_KEYSERVER} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=$MONKEYSPHERE_USER} -MONKEYSPHERE_GROUP=$(groups "$MONKEYSPHERE_USER" | cut -d: -f2 | awk '{ print $1 }') +MONKEYSPHERE_GROUP=$(get_primary_group "$MONKEYSPHERE_USER") PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT} AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=$AUTHORIZED_USER_IDS} RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=$RAW_AUTHORIZED_KEYS} diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 60b627a..ebd29c8 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host 
@@ -226,7 +226,7 @@ LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL} KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER} CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=$CHECK_KEYSERVER} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=$MONKEYSPHERE_USER} -MONKEYSPHERE_GROUP=$(groups "$MONKEYSPHERE_USER" | cut -d: -f2 | awk '{ print $1 }') +MONKEYSPHERE_GROUP=$(get_primary_group "$MONKEYSPHERE_USER") PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT} # other variables diff --git a/src/share/common b/src/share/common index bd887d3..76b539f 100644 --- a/src/share/common +++ b/src/share/common @@ -483,6 +483,12 @@ get_homedir() { eval "echo ~${uname}" } +# return the primary group of a user +get_primary_group() { + local uname=${1:-`whoami`} + groups "$uname" | sed 's/^..* : //' | awk '{ print $1 }' +} + ### CONVERSION UTILITIES # output the ssh key for a given key ID -- cgit v1.2.3 From 0ac8f36de9a29b5feb4f834e9dd15aaf834b4991 Mon Sep 17 00:00:00 2001 From: Greg Lyle Date: Sat, 11 Jul 2009 17:38:53 -0400 Subject: Check for a host key before running monkeysphere-host diagnostics Closes #624 --- src/monkeysphere-host | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/monkeysphere-host b/src/monkeysphere-host index ebd29c8..d498065 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -306,6 +306,7 @@ case $COMMAND in ;; 'diagnostics'|'d') + check_host_no_key load_fingerprint source "${MHSHAREDIR}/diagnostics" diagnostics -- cgit v1.2.3 From 0755ca307728b516cb1727d5f7a5d7547676d573 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 11 Jul 2009 18:42:00 -0400 Subject: improve marginal UI for cases when host key can't be retrieved if ssh-keyscan can't retrieve the host key, then output all keys with matching user ID and validity marginal or better. --- src/share/m/ssh_proxycommand | 169 ++++++++++++++++++++++++++----------------- 1 file changed, 102 insertions(+), 67 deletions(-) (limited to 'src') 
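Review bot: `get_primary_group` parses the output of `groups` and takes the first name, which relies both on the output layout and on the primary group being listed first; `id -gn "$uname"` returns the primary group name directly and is specified by POSIX. With the pipeline, the function's exit status is awk's, so a failed lookup for a nonexistent user returns success with empty output, and the callers in monkeysphere-authentication and monkeysphere-host assign that to MONKEYSPHERE_GROUP. I would write the body as `local uname=${1:-$(whoami)}` followed by `id -gn "$uname"`, which also replaces the backticks.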
diff --git a/src/share/m/ssh_proxycommand b/src/share/m/ssh_proxycommand index 74b0f85..322937b 100644 --- a/src/share/m/ssh_proxycommand +++ b/src/share/m/ssh_proxycommand @@ -15,6 +15,55 @@ # established. Can be added to ~/.ssh/config as follows: # ProxyCommand monkeysphere ssh-proxycommand %h %p +# output the key info, including the RSA fingerprint +show_key_info() { + local keyid="$1" + local sshKeyGPGFile + local sshFingerprint + local gpgSigOut + local otherUids + + # get the ssh key of the gpg key + sshKeyGPGFile=$(msmktempfile) + gpg2ssh "$keyid" >"$sshKeyGPGFile" + sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \ + awk '{ print $2 }') + rm -f "$sshKeyGPGFile" + + # get the sigs for the matching key + gpgSigOut=$(gpg_user --check-sigs \ + --list-options show-uid-validity \ + "$keyid") + + echo | log info + + # output the sigs, but only those on the user ID + # we are looking for + echo "$gpgSigOut" | awk ' +{ +if (match($0,"^pub")) { print; } +if (match($0,"^uid")) { ok=0; } +if (match($0,"^uid.*'$userID'$")) { ok=1; print; } +if (ok) { if (match($0,"^sig")) { print; } } +} +' + + # output ssh fingerprint + cat <"$sshKeyGPGFile" - sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \ - awk '{ print $2 }') - rm -f "$sshKeyGPGFile" - - # get the sigs for the matching key - gpgSigOut=$(gpg_user --check-sigs \ - --list-options show-uid-validity \ - "$keyid") - - # output the sigs, but only those on the user ID - # we are looking for - echo "$gpgSigOut" | awk ' -{ -if (match($0,"^pub")) { print; } -if (match($0,"^uid")) { ok=0; } -if (match($0,"^uid.*'$userID'$")) { ok=1; print; } -if (ok) { if (match($0,"^sig")) { print; } } -} -' | log info - echo | log info - - # output the other user IDs for reference - if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then - log info <