From a4983d24c8e79729deaa02602b742eace6d09f86 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 15 Nov 2008 18:55:42 -0500 Subject: change from using a filename that is a just a space to an actual temporary file --- src/monkeysphere-server | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index e78903b..5edaa4f 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -134,10 +134,10 @@ show_server_key() { # dumping to a file named ' ' so that the ssh-keygen output # doesn't claim any potentially bogus hostname(s): - tmpkey=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" - gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ " + tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" + gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey" echo -n "ssh fingerprint: " - (cd "$tmpkey" && ssh-keygen -l -f ' ' | awk '{ print $2 }') + ssh-keygen -l -f $tmpkey | awk '{ print $1, $2, $4 }' rm -rf "$tmpkey" echo -n "OpenPGP fingerprint: " echo "$fingerprint" -- cgit v1.2.3 From 2459fa3ea277d7b9289945748619eab1e3441e5c Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 15 Nov 2008 20:49:27 -0500 Subject: Added info log output when a new key is added to known_hosts file. --- packaging/debian/changelog | 7 +++++++ src/common | 11 +++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/packaging/debian/changelog b/packaging/debian/changelog index 62f021e..f1db037 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -1,3 +1,10 @@ +monkeysphere (0.22-1) UNRELEASED; urgency=low + + * New upstream release: + - Added info log output when a new key is added to known_hosts file. + + -- Jameson Graef Rollins Sat, 15 Nov 2008 20:49:13 -0500 + monkeysphere (0.21-2) unstable; urgency=low * actually rmdir /var/lib/monkeysphere-* during prerm if possible. diff --git a/src/common b/src/common index 297e7f3..efee9bd 100644 --- a/src/common +++ b/src/common @@ -742,6 +742,7 @@ process_user_id() { process_host_known_hosts() { local host local userID + local noKey= local nKeys local nKeysOK local ok @@ -768,8 +769,9 @@ process_host_known_hosts() { continue fi - # remove the old host key line, and note if removed - remove_line "$KNOWN_HOSTS" "$sshKey" + # remove any old host key line, and note if removed nothing is + # removed + remove_line "$KNOWN_HOSTS" "$sshKey" || noKey=true # if key OK, add new host line if [ "$ok" -eq '0' ] ; then @@ -788,6 +790,11 @@ process_host_known_hosts() { else ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS" fi + + # log if this is a new key to the known_hosts file + if [ "$noKey" ] ; then + log info "* new key for $host added to known_hosts file." + fi fi done -- cgit v1.2.3 From d068b7c722211adf7d830b1c1b4ce9693eafbe4f Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 16 Nov 2008 00:57:27 -0500 Subject: m-s s: avoid failures when $TMPDIR has a space in it. (output might still be a bit garbled) --- src/monkeysphere-server | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 5edaa4f..665d916 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -137,7 +137,7 @@ show_server_key() { tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey" echo -n "ssh fingerprint: " - ssh-keygen -l -f $tmpkey | awk '{ print $1, $2, $4 }' + ssh-keygen -l -f "$tmpkey" | awk '{ print $1, $2, $4 }' rm -rf "$tmpkey" echo -n "OpenPGP fingerprint: " echo "$fingerprint" -- cgit v1.2.3 From 9eed0790573d3f1f21707151ede87f8339dbecc0 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 16 Nov 2008 01:28:19 -0500 Subject: exporting SSH host public key (two variants: one traditional ssh, the other OpenPGP) during m-s gen-key --- src/monkeysphere-server | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 665d916..bb26c04 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -399,7 +399,11 @@ EOF (umask 077 && \ gpg_host --export-secret-key "$fingerprint" | \ openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key") - log info "private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key" + log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key" + ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub" + log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub" + gpg_authentication --export-options export-minimal --export "0x${fingerprint}!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" } # extend the lifetime of a host key: -- cgit v1.2.3 From dd002c89fc4dccabc16d488a15a40cc88383605f Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 16 Nov 2008 03:17:36 -0500 Subject: added some useful output to the ssh-proxycommand for "marginal" cases where keys are found for host but do not have full validity. this uses ssh-keyscan to pull the key for the host in question, check this key against the keys against those found via gpg, and output some useful information about the one that matches. --- changelog | 2 +- packaging/debian/changelog | 6 ++- src/monkeysphere-server | 2 +- src/monkeysphere-ssh-proxycommand | 98 ++++++++++++++++++++++++++++++++++++++- 4 files changed, 102 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/changelog b/changelog index b9a9e21..4264fa4 120000 --- a/changelog +++ b/changelog @@ -1 +1 @@ -website/changelog \ No newline at end of file +packaging/debian/changelog \ No newline at end of file diff --git a/packaging/debian/changelog b/packaging/debian/changelog index f1db037..e8ea1a9 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -1,9 +1,11 @@ monkeysphere (0.22-1) UNRELEASED; urgency=low * New upstream release: - - Added info log output when a new key is added to known_hosts file. + - added info log output when a new key is added to known_hosts file. + - added some useful output to the ssh-proxycommand for "marginal" + cases where keys are found for host but do not have full validity. - -- Jameson Graef Rollins Sat, 15 Nov 2008 20:49:13 -0500 + -- Jameson Graef Rollins Sun, 16 Nov 2008 03:17:16 -0500 monkeysphere (0.21-2) unstable; urgency=low diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 5edaa4f..665d916 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -137,7 +137,7 @@ show_server_key() { tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey" echo -n "ssh fingerprint: " - ssh-keygen -l -f $tmpkey | awk '{ print $1, $2, $4 }' + ssh-keygen -l -f "$tmpkey" | awk '{ print $1, $2, $4 }' rm -rf "$tmpkey" echo -n "OpenPGP fingerprint: " echo "$fingerprint" diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 6276092..b039844 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -13,14 +13,84 @@ # established. Can be added to ~/.ssh/config as follows: # ProxyCommand monkeysphere-ssh-proxycommand %h %p +######################################################################## +PGRM=$(basename $0) + +SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} +export SYSSHAREDIR +. "${SYSSHAREDIR}/common" || exit 1 + +######################################################################## +# FUNCTIONS ######################################################################## usage() { -cat <&2 + cat <&2 usage: ssh -o ProxyCommand="$(basename $0) %h %p" ... EOF } +log() { + echo "$@" >&2 +} + +output_no_valid_key() { + local sshKeyOffered + local userID + local type + local validity + local keyid + local uidfpr + local usage + local sshKeyGPG + local sshFingerprint + + log "OpenPGP keys with*out* full validity found for this host:" + log + + # retrieve the actual ssh key + sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }') + + userID="ssh://${HOSTP}" + + # output gpg info for (exact) userid and store + gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \ + --with-fingerprint --with-fingerprint \ + ="$userID" 2>/dev/null) + + # loop over all lines in the gpg output and process. + echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \ + while IFS=: read -r type validity keyid uidfpr usage ; do + case $type in + 'pub'|'sub') + # get the ssh key of the gpg key + sshKeyGPG=$(gpg2ssh "$keyid") + + # if one of keys found matches the one offered by the + # host, then output info + if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then + + # get the fingerprint of the ssh key + tmpkey=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) + echo "$sshKeyGPG" > "$tmpkey" + sshFingerprint=$(ssh-keygen -l -f "$tmpkey" | awk '{ print $2 }') + rm -rf "$tmpkey" + + # output gpg info + gpg --check-sigs \ + --list-options show-uid-validity \ + "$keyid" >&2 + + # output ssh fingerprint + log "RSA key fingerprint is ${sshFingerprint}." + log "Falling through to standard ssh host checking." + log + fi + ;; + esac + done +} + ######################################################################## # export the monkeysphere log level @@ -35,7 +105,7 @@ HOST="$1" PORT="$2" if [ -z "$HOST" ] ; then - echo "Host not specified." >&2 + log "Host not specified." usage exit 255 fi @@ -88,6 +158,30 @@ export MONKEYSPHERE_CHECK_KEYSERVER # update the known_hosts file for the host monkeysphere update-known_hosts "$HOSTP" +# output on depending on the return of the update-known_hosts +# subcommand, which is (ultimately) the return code of the +# update_known_hosts function in common +case $? in + 0) + # acceptable host key found so continue to ssh + true + ;; + 1) + # no hosts at all found so also continue (drop through to + # regular ssh host verification) + true + ;; + 2) + # at least one *bad* host key (and no good host keys) was + # found, so output some usefull information + output_no_valid_key + ;; + *) + # anything else drop through + true + ;; +esac + # exec a netcat passthrough to host for the ssh connection if [ -z "$NO_CONNECT" ] ; then if (which nc 2>/dev/null >/dev/null); then -- cgit v1.2.3