From 617f03c948b66774e6765206bed2c56d30157187 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 14:44:18 -0400 Subject: first pass at revoking hostnames. --- src/common | 7 +++++++ src/monkeysphere-server | 32 +++++++++++++++++++++++++++++++- 2 files changed, 38 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/common b/src/common index 17955a7..24decae 100644 --- a/src/common +++ b/src/common @@ -76,6 +76,13 @@ unescape() { echo "$1" | sed 's/\\x3a/:/g' } +# convert nasty chars into gpg-friendly form +# FIXME: escape everything, not just colons! +escape() { + echo "$1" | sed 's/:/\\x3a/g' +} + + # remove all lines with specified string from specified file remove_line() { local file diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 023ce9b..6ffd41f 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -402,11 +402,41 @@ EOF # revoke hostname user ID to server key revoke_hostname() { + local msg + local uidNum + local tmpuidMatch + local fpr + local linenum + if [ -z "$1" ] ; then failure "You must specify a hostname to revoke." fi - failure "Sorry, not yet implemented." + fpr=$(fingerprint_server_key) + tmpuidMatch="u:$(escape "$1")" + + if linenum=$(gpg_host --list-keys --with-colons --fixed-list-mode "$fpr" | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F 'r:Foo T. Bar (DO NOT USE!) ') ; then + uidNum=${linenum%%:*} + else + failure "no non-revoked hostname '$1' is listed." + fi + + msg="hostname removed by monkeysphere-server on $(date +%F)" + + + revuidCommand=$(cat < Date: Fri, 15 Aug 2008 14:58:34 -0400 Subject: sigh. fixing some dumb typos in hostname revocation. --- src/monkeysphere-server | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 6ffd41f..dd85dcc 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -413,9 +413,9 @@ revoke_hostname() { fi fpr=$(fingerprint_server_key) - tmpuidMatch="u:$(escape "$1")" + tmpuidMatch="u:$(escape "ssh://$1")" - if linenum=$(gpg_host --list-keys --with-colons --fixed-list-mode "$fpr" | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F 'r:Foo T. Bar (DO NOT USE!) ') ; then + if linenum=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x$fpr"\! | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then uidNum=${linenum%%:*} else failure "no non-revoked hostname '$1' is listed." @@ -436,7 +436,7 @@ save EOF ) - echo "$revuidCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x$fingerprint"\! + echo "$revuidCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x$fpr"\! echo "NOTE: host userID revokation has not been published." echo "Use '$PGRM publish-key' to publish these changes." -- cgit v1.2.3 From b0ea15c8e359a908583e08da0663d69e353c77dc Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 15:24:34 -0400 Subject: fixing bugs in monkeysphere-server diagnostics. --- src/monkeysphere-server | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index dd85dcc..2b9b744 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -468,7 +468,10 @@ diagnostics() { local uid local fingerprint local badhostkeys + local sshd_config + # FIXME: what's the correct, cross-platform answer? + sshd_config=/etc/ssh/sshd_config seckey=$(fingerprint_server_key) keysfound=$(echo "$seckey" | grep -c ^sec:) curdate=$(date +%s) @@ -545,14 +548,14 @@ diagnostics() { fi # propose changes needed for sshd_config (if any) - if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then - echo "! /etc/ssh/sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)." - echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'" + if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then + echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)." + echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'" fi - if badhostkeys=$(grep -i '^HostKey' | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then + if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then echo "! /etc/sshd_config refers to some non-monkeysphere host keys:" echo "$badhostkeys" - echo " - Recommendation: remove the above HostKey lines from /etc/ssh/sshd_config" + echo " - Recommendation: remove the above HostKey lines from $sshd_config" fi fi fi @@ -568,14 +571,14 @@ diagnostics() { echo "Checking for MonkeySphere-enabled public-key authentication for users ..." # Ensure that User ID authentication is enabled: - if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" /etc/ssh/sshd_config; then - echo "! /etc/ssh/sshd_config does not point to monkeysphere authorized keys." - echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'" + if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" "$sshd_config"; then + echo "! $sshd_config does not point to monkeysphere authorized keys." + echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'" fi - if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then + if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then echo "! /etc/sshd_config refers to non-monkeysphere authorized_keys files:" echo "$badauthorizedkeys" - echo " - Recommendation: remove the above AuthorizedKeysFile lines from /etc/ssh/sshd_config" + echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" fi } -- cgit v1.2.3