summaryrefslogtreecommitdiff
path: root/src/share/common
blob: ea872ba17abe39ec1a8a721876b6bf74d42ab069 (plain)
  1. # -*-shell-script-*-
  2. # This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
  3. # Shared sh functions for the monkeysphere
  4. #
  5. # Written by
  6. # Jameson Rollins <jrollins@finestructure.net>
  7. # Jamie McClelland <jm@mayfirst.org>
  8. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  9. #
  10. # Copyright 2008-2009, released under the GPL, version 3 or later
  11. # all-caps variables are meant to be user supplied (ie. from config
  12. # file) and are considered global
  13. ########################################################################
  14. ### UTILITY FUNCTIONS
  15. # output version info
  16. version() {
  17. cat "${SYSSHAREDIR}/VERSION"
  18. }
  19. # failure function. exits with code 255, unless specified otherwise.
  20. failure() {
  21. [ "$1" ] && echo "$1" >&2
  22. exit ${2:-'255'}
  23. }
  24. # write output to stderr based on specified LOG_LEVEL the first
  25. # parameter is the priority of the output, and everything else is what
  26. # is echoed to stderr. If there is nothing else, then output comes
  27. # from stdin, and is not prefaced by log prefix.
  28. log() {
  29. local priority
  30. local level
  31. local output
  32. local alllevels
  33. local found=
  34. # don't include SILENT in alllevels: it's handled separately
  35. # list in decreasing verbosity (all caps).
  36. # separate with $IFS explicitly, since we do some fancy footwork
  37. # elsewhere.
  38. alllevels="DEBUG${IFS}VERBOSE${IFS}INFO${IFS}ERROR"
  39. # translate lowers to uppers in global log level
  40. LOG_LEVEL=$(echo "$LOG_LEVEL" | tr "[:lower:]" "[:upper:]")
  41. # just go ahead and return if the log level is silent
  42. if [ "$LOG_LEVEL" = 'SILENT' ] ; then
  43. return
  44. fi
  45. for level in $alllevels ; do
  46. if [ "$LOG_LEVEL" = "$level" ] ; then
  47. found=true
  48. fi
  49. done
  50. if [ -z "$found" ] ; then
  51. # default to INFO:
  52. LOG_LEVEL=INFO
  53. fi
  54. # get priority from first parameter, translating all lower to
  55. # uppers
  56. priority=$(echo "$1" | tr "[:lower:]" "[:upper:]")
  57. shift
  58. # scan over available levels
  59. for level in $alllevels ; do
  60. # output if the log level matches, set output to true
  61. # this will output for all subsequent loops as well.
  62. if [ "$LOG_LEVEL" = "$level" ] ; then
  63. output=true
  64. fi
  65. if [ "$priority" = "$level" -a "$output" = 'true' ] ; then
  66. if [ "$1" ] ; then
  67. echo "$@"
  68. else
  69. cat
  70. fi | sed 's/^/'"${LOG_PREFIX}"'/' >&2
  71. fi
  72. done
  73. }
  74. # run command as monkeysphere user
  75. su_monkeysphere_user() {
  76. # our main goal here is to run the given command as the the
  77. # monkeysphere user, but without prompting for any sort of
  78. # authentication. If this is not possible, we should just fail.
  79. # FIXME: our current implementation is overly restrictive, because
  80. # there may be some su PAM configurations that would allow su
  81. # "$MONKEYSPHERE_USER" -c "$@" to Just Work without prompting,
  82. # allowing specific users to invoke commands which make use of
  83. # this user.
  84. # chpst (from runit) would be nice to use, but we don't want to
  85. # introduce an extra dependency just for this. This may be a
  86. # candidate for re-factoring if we switch implementation languages.
  87. case $(id -un) in
  88. # if monkeysphere user, run the command under bash
  89. "$MONKEYSPHERE_USER")
  90. bash -c "$@"
  91. ;;
  92. # if root, su command as monkeysphere user
  93. 'root')
  94. su "$MONKEYSPHERE_USER" -c "$@"
  95. ;;
  96. # otherwise, fail
  97. *)
  98. log error "non-privileged user."
  99. ;;
  100. esac
  101. }
  102. # cut out all comments(#) and blank lines from standard input
  103. meat() {
  104. grep -v -e "^[[:space:]]*#" -e '^$' "$1"
  105. }
  106. # cut a specified line from standard input
  107. cutline() {
  108. head --line="$1" "$2" | tail -1
  109. }
  110. # make a temporary directory
  111. msmktempdir() {
  112. mktemp -d ${TMPDIR:-/tmp}/monkeysphere.XXXXXXXXXX
  113. }
  114. # make a temporary file
  115. msmktempfile() {
  116. mktemp ${TMPDIR:-/tmp}/monkeysphere.XXXXXXXXXX
  117. }
  118. # this is a wrapper for doing lock functions.
  119. #
  120. # it lets us depend on either lockfile-progs (preferred) or procmail's
  121. # lockfile, and should
  122. lock() {
  123. local use_lockfileprogs=true
  124. local action="$1"
  125. local file="$2"
  126. if ! ( which lockfile-create >/dev/null 2>/dev/null ) ; then
  127. if ! ( which lockfile >/dev/null ); then
  128. failure "Neither lockfile-create nor lockfile are in the path!"
  129. fi
  130. use_lockfileprogs=
  131. fi
  132. case "$action" in
  133. create)
  134. if [ -n "$use_lockfileprogs" ] ; then
  135. lockfile-create "$file" || failure "unable to lock '$file'"
  136. else
  137. lockfile -r 20 "${file}.lock" || failure "unable to lock '$file'"
  138. fi
  139. log debug "lock created on '$file'."
  140. ;;
  141. touch)
  142. if [ -n "$use_lockfileprogs" ] ; then
  143. lockfile-touch --oneshot "$file"
  144. else
  145. : Nothing to do here
  146. fi
  147. log debug "lock touched on '$file'."
  148. ;;
  149. remove)
  150. if [ -n "$use_lockfileprogs" ] ; then
  151. lockfile-remove "$file"
  152. else
  153. rm -f "${file}.lock"
  154. fi
  155. log debug "lock removed on '$file'."
  156. ;;
  157. *)
  158. failure "bad argument for lock subfunction '$action'"
  159. esac
  160. }
  161. # for portability, between gnu date and BSD date.
  162. # arguments should be: number longunits format
  163. # e.g. advance_date 20 seconds +%F
  164. advance_date() {
  165. local gnutry
  166. local number="$1"
  167. local longunits="$2"
  168. local format="$3"
  169. local shortunits
  170. # try things the GNU way first
  171. if date -d "$number $longunits" "$format" >/dev/null 2>&1; then
  172. date -d "$number $longunits" "$format"
  173. else
  174. # otherwise, convert to (a limited version of) BSD date syntax:
  175. case "$longunits" in
  176. years)
  177. shortunits=y
  178. ;;
  179. months)
  180. shortunits=m
  181. ;;
  182. weeks)
  183. shortunits=w
  184. ;;
  185. days)
  186. shortunits=d
  187. ;;
  188. hours)
  189. shortunits=H
  190. ;;
  191. minutes)
  192. shortunits=M
  193. ;;
  194. seconds)
  195. shortunits=S
  196. ;;
  197. *)
  198. # this is a longshot, and will likely fail; oh well.
  199. shortunits="$longunits"
  200. esac
  201. date "-v+${number}${shortunits}" "$format"
  202. fi
  203. }
  204. # check that characters are in a string (in an AND fashion).
  205. # used for checking key capability
  206. # check_capability capability a [b...]
  207. check_capability() {
  208. local usage
  209. local capcheck
  210. usage="$1"
  211. shift 1
  212. for capcheck ; do
  213. if echo "$usage" | grep -q -v "$capcheck" ; then
  214. return 1
  215. fi
  216. done
  217. return 0
  218. }
  219. # hash of a file
  220. file_hash() {
  221. md5sum "$1" 2> /dev/null
  222. }
  223. # convert escaped characters in pipeline from gpg output back into
  224. # original character
  225. # FIXME: undo all escape character translation in with-colons gpg
  226. # output
  227. gpg_unescape() {
  228. sed 's/\\x3a/:/g'
  229. }
  230. # convert nasty chars into gpg-friendly form in pipeline
  231. # FIXME: escape everything, not just colons!
  232. gpg_escape() {
  233. sed 's/:/\\x3a/g'
  234. }
  235. # prompt for GPG-formatted expiration, and emit result on stdout
  236. get_gpg_expiration() {
  237. local keyExpire
  238. keyExpire="$1"
  239. if [ -z "$keyExpire" -a "$PROMPT" = 'true' ]; then
  240. cat >&2 <<EOF
  241. Please specify how long the key should be valid.
  242. 0 = key does not expire
  243. <n> = key expires in n days
  244. <n>w = key expires in n weeks
  245. <n>m = key expires in n months
  246. <n>y = key expires in n years
  247. EOF
  248. while [ -z "$keyExpire" ] ; do
  249. read -p "Key is valid for? (0) " keyExpire
  250. if ! test_gpg_expire ${keyExpire:=0} ; then
  251. echo "invalid value" >&2
  252. unset keyExpire
  253. fi
  254. done
  255. elif ! test_gpg_expire "$keyExpire" ; then
  256. failure "invalid key expiration value '$keyExpire'."
  257. fi
  258. echo "$keyExpire"
  259. }
  260. passphrase_prompt() {
  261. local prompt="$1"
  262. local fifo="$2"
  263. local PASS
  264. if [ "$DISPLAY" ] && which "${SSH_ASKPASS:-ssh-askpass}" >/dev/null; then
  265. "${SSH_ASKPASS:-ssh-askpass}" "$prompt" > "$fifo"
  266. else
  267. read -s -p "$prompt" PASS
  268. # Uses the builtin echo, so should not put the passphrase into
  269. # the process table. I think. --dkg
  270. echo "$PASS" > "$fifo"
  271. fi
  272. }
  273. # remove all lines with specified string from specified file
  274. remove_line() {
  275. local file
  276. local string
  277. local tempfile
  278. file="$1"
  279. string="$2"
  280. if [ -z "$file" -o -z "$string" ] ; then
  281. return 1
  282. fi
  283. if [ ! -e "$file" ] ; then
  284. return 1
  285. fi
  286. # if the string is in the file...
  287. if grep -q -F "$string" "$file" 2> /dev/null ; then
  288. tempfile=$(mktemp "${file}.XXXXXXX") || \
  289. failure "Unable to make temp file '${file}.XXXXXXX'"
  290. # remove the line with the string, and return 0
  291. grep -v -F "$string" "$file" >"$tempfile"
  292. cat "$tempfile" > "$file"
  293. rm "$tempfile"
  294. return 0
  295. # otherwise return 1
  296. else
  297. return 1
  298. fi
  299. }
  300. # remove all lines with MonkeySphere strings in file
  301. remove_monkeysphere_lines() {
  302. local file
  303. local tempfile
  304. file="$1"
  305. # return error if file does not exist
  306. if [ ! -e "$file" ] ; then
  307. return 1
  308. fi
  309. # just return ok if the file is empty, since there aren't any
  310. # lines to remove
  311. if [ ! -s "$file" ] ; then
  312. return 0
  313. fi
  314. tempfile=$(mktemp "${file}.XXXXXXX") || \
  315. failure "Could not make temporary file '${file}.XXXXXXX'."
  316. egrep -v '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' \
  317. "$file" >"$tempfile"
  318. cat "$tempfile" > "$file"
  319. rm "$tempfile"
  320. }
  321. # translate ssh-style path variables %h and %u
  322. translate_ssh_variables() {
  323. local uname
  324. local home
  325. uname="$1"
  326. path="$2"
  327. # get the user's home directory
  328. userHome=$(getent passwd "$uname" | cut -d: -f6)
  329. # translate '%u' to user name
  330. path=${path/\%u/"$uname"}
  331. # translate '%h' to user home directory
  332. path=${path/\%h/"$userHome"}
  333. echo "$path"
  334. }
  335. # test that a string to conforms to GPG's expiration format
  336. test_gpg_expire() {
  337. echo "$1" | egrep -q "^[0-9]+[mwy]?$"
  338. }
  339. # check that a file is properly owned, and that all it's parent
  340. # directories are not group/other writable
  341. check_key_file_permissions() {
  342. local uname
  343. local path
  344. local stat
  345. local access
  346. local gAccess
  347. local oAccess
  348. # function to check that the given permission corresponds to writability
  349. is_write() {
  350. [ "$1" = "w" ]
  351. }
  352. uname="$1"
  353. path="$2"
  354. log debug "checking path permission '$path'..."
  355. # return 255 if cannot stat file
  356. if ! stat=$(ls -ld "$path" 2>/dev/null) ; then
  357. log error "could not stat path '$path'."
  358. return 255
  359. fi
  360. owner=$(echo "$stat" | awk '{ print $3 }')
  361. gAccess=$(echo "$stat" | cut -c6)
  362. oAccess=$(echo "$stat" | cut -c9)
  363. # return 1 if path has invalid owner
  364. if [ "$owner" != "$uname" -a "$owner" != 'root' ] ; then
  365. log error "improper ownership on path '$path':"
  366. log error " $owner != ($uname|root)"
  367. return 1
  368. fi
  369. # return 2 if path has group or other writability
  370. if is_write "$gAccess" || is_write "$oAccess" ; then
  371. log error "improper group or other writability on path '$path':"
  372. log error " group: $gAccess, other: $oAcess"
  373. return 2
  374. fi
  375. # return zero if all clear, or go to next path
  376. if [ "$path" = '/' ] ; then
  377. log debug "path ok."
  378. return 0
  379. else
  380. check_key_file_permissions "$uname" $(dirname "$path")
  381. fi
  382. }
  383. ### CONVERSION UTILITIES
  384. # output the ssh key for a given key ID
  385. gpg2ssh() {
  386. local keyID
  387. keyID="$1"
  388. gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null
  389. }
  390. # output known_hosts line from ssh key
  391. ssh2known_hosts() {
  392. local host
  393. local key
  394. host="$1"
  395. key="$2"
  396. echo -n "$host "
  397. echo -n "$key" | tr -d '\n'
  398. echo " MonkeySphere${DATE}"
  399. }
  400. # output authorized_keys line from ssh key
  401. ssh2authorized_keys() {
  402. local userID
  403. local key
  404. userID="$1"
  405. key="$2"
  406. echo -n "$key" | tr -d '\n'
  407. echo " MonkeySphere${DATE} ${userID}"
  408. }
  409. # convert key from gpg to ssh known_hosts format
  410. gpg2known_hosts() {
  411. local host
  412. local keyID
  413. host="$1"
  414. keyID="$2"
  415. # NOTE: it seems that ssh-keygen -R removes all comment fields from
  416. # all lines in the known_hosts file. why?
  417. # NOTE: just in case, the COMMENT can be matched with the
  418. # following regexp:
  419. # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
  420. echo -n "$host "
  421. gpg2ssh "$keyID" | tr -d '\n'
  422. echo " MonkeySphere${DATE}"
  423. }
  424. # convert key from gpg to ssh authorized_keys format
  425. gpg2authorized_keys() {
  426. local userID
  427. local keyID
  428. userID="$1"
  429. keyID="$2"
  430. # NOTE: just in case, the COMMENT can be matched with the
  431. # following regexp:
  432. # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
  433. gpg2ssh "$keyID" | tr -d '\n'
  434. echo " MonkeySphere${DATE} ${userID}"
  435. }
  436. ### GPG UTILITIES
  437. # retrieve all keys with given user id from keyserver
  438. # FIXME: need to figure out how to retrieve all matching keys
  439. # (not just first N (5 in this case))
  440. gpg_fetch_userid() {
  441. local returnCode=0
  442. local userID
  443. if [ "$CHECK_KEYSERVER" != 'true' ] ; then
  444. return 0
  445. fi
  446. userID="$1"
  447. log verbose " checking keyserver $KEYSERVER... "
  448. echo 1,2,3,4,5 | \
  449. gpg --quiet --batch --with-colons \
  450. --command-fd 0 --keyserver "$KEYSERVER" \
  451. --search ="$userID" > /dev/null 2>&1
  452. returnCode="$?"
  453. return "$returnCode"
  454. }
  455. ########################################################################
  456. ### PROCESSING FUNCTIONS
  457. # userid and key policy checking
  458. # the following checks policy on the returned keys
  459. # - checks that full key has appropriate valididy (u|f)
  460. # - checks key has specified capability (REQUIRED_*_KEY_CAPABILITY)
  461. # - checks that requested user ID has appropriate validity
  462. # (see /usr/share/doc/gnupg/DETAILS.gz)
  463. # output is one line for every found key, in the following format:
  464. #
  465. # flag:sshKey
  466. #
  467. # "flag" is an acceptability flag, 0 = ok, 1 = bad
  468. # "sshKey" is the translated gpg key
  469. #
  470. # all log output must go to stderr, as stdout is used to pass the
  471. # flag:sshKey to the calling function.
  472. #
  473. # expects global variable: "MODE"
  474. process_user_id() {
  475. local returnCode=0
  476. local userID
  477. local requiredCapability
  478. local requiredPubCapability
  479. local gpgOut
  480. local type
  481. local validity
  482. local keyid
  483. local uidfpr
  484. local usage
  485. local keyOK
  486. local uidOK
  487. local lastKey
  488. local lastKeyOK
  489. local fingerprint
  490. userID="$1"
  491. # set the required key capability based on the mode
  492. if [ "$MODE" = 'known_hosts' ] ; then
  493. requiredCapability="$REQUIRED_HOST_KEY_CAPABILITY"
  494. elif [ "$MODE" = 'authorized_keys' ] ; then
  495. requiredCapability="$REQUIRED_USER_KEY_CAPABILITY"
  496. fi
  497. requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]")
  498. # fetch the user ID if necessary/requested
  499. gpg_fetch_userid "$userID"
  500. # output gpg info for (exact) userid and store
  501. gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
  502. --with-fingerprint --with-fingerprint \
  503. ="$userID" 2>/dev/null) || returnCode="$?"
  504. # if the gpg query return code is not 0, return 1
  505. if [ "$returnCode" -ne 0 ] ; then
  506. log verbose " no primary keys found."
  507. return 1
  508. fi
  509. # loop over all lines in the gpg output and process.
  510. echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
  511. while IFS=: read -r type validity keyid uidfpr usage ; do
  512. # process based on record type
  513. case $type in
  514. 'pub') # primary keys
  515. # new key, wipe the slate
  516. keyOK=
  517. uidOK=
  518. lastKey=pub
  519. lastKeyOK=
  520. fingerprint=
  521. log verbose " primary key found: $keyid"
  522. # if overall key is not valid, skip
  523. if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
  524. log debug " - unacceptable primary key validity ($validity)."
  525. continue
  526. fi
  527. # if overall key is disabled, skip
  528. if check_capability "$usage" 'D' ; then
  529. log debug " - key disabled."
  530. continue
  531. fi
  532. # if overall key capability is not ok, skip
  533. if ! check_capability "$usage" $requiredPubCapability ; then
  534. log debug " - unacceptable primary key capability ($usage)."
  535. continue
  536. fi
  537. # mark overall key as ok
  538. keyOK=true
  539. # mark primary key as ok if capability is ok
  540. if check_capability "$usage" $requiredCapability ; then
  541. lastKeyOK=true
  542. fi
  543. ;;
  544. 'uid') # user ids
  545. if [ "$lastKey" != pub ] ; then
  546. log verbose " ! got a user ID after a sub key?! user IDs should only follow primary keys!"
  547. continue
  548. fi
  549. # if an acceptable user ID was already found, skip
  550. if [ "$uidOK" = 'true' ] ; then
  551. continue
  552. fi
  553. # if the user ID does matches...
  554. if [ "$(echo "$uidfpr" | gpg_unescape)" = "$userID" ] ; then
  555. # and the user ID validity is ok
  556. if [ "$validity" = 'u' -o "$validity" = 'f' ] ; then
  557. # mark user ID acceptable
  558. uidOK=true
  559. else
  560. log debug " - unacceptable user ID validity ($validity)."
  561. fi
  562. else
  563. continue
  564. fi
  565. # output a line for the primary key
  566. # 0 = ok, 1 = bad
  567. if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
  568. log verbose " * acceptable primary key."
  569. if [ -z "$sshKey" ] ; then
  570. log error " ! primary key could not be translated (not RSA?)."
  571. else
  572. echo "0:${sshKey}"
  573. fi
  574. else
  575. log debug " - unacceptable primary key."
  576. if [ -z "$sshKey" ] ; then
  577. log debug " ! primary key could not be translated (not RSA?)."
  578. else
  579. echo "1:${sshKey}"
  580. fi
  581. fi
  582. ;;
  583. 'sub') # sub keys
  584. # unset acceptability of last key
  585. lastKey=sub
  586. lastKeyOK=
  587. fingerprint=
  588. # don't bother with sub keys if the primary key is not valid
  589. if [ "$keyOK" != true ] ; then
  590. continue
  591. fi
  592. # don't bother with sub keys if no user ID is acceptable:
  593. if [ "$uidOK" != true ] ; then
  594. continue
  595. fi
  596. # if sub key validity is not ok, skip
  597. if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
  598. log debug " - unacceptable sub key validity ($validity)."
  599. continue
  600. fi
  601. # if sub key capability is not ok, skip
  602. if ! check_capability "$usage" $requiredCapability ; then
  603. log debug " - unacceptable sub key capability ($usage)."
  604. continue
  605. fi
  606. # mark sub key as ok
  607. lastKeyOK=true
  608. ;;
  609. 'fpr') # key fingerprint
  610. fingerprint="$uidfpr"
  611. sshKey=$(gpg2ssh "$fingerprint")
  612. # if the last key was the pub key, skip
  613. if [ "$lastKey" = pub ] ; then
  614. continue
  615. fi
  616. # output a line for the sub key
  617. # 0 = ok, 1 = bad
  618. if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
  619. log verbose " * acceptable sub key."
  620. if [ -z "$sshKey" ] ; then
  621. log error " ! sub key could not be translated (not RSA?)."
  622. else
  623. echo "0:${sshKey}"
  624. fi
  625. else
  626. log debug " - unacceptable sub key."
  627. if [ -z "$sshKey" ] ; then
  628. log debug " ! sub key could not be translated (not RSA?)."
  629. else
  630. echo "1:${sshKey}"
  631. fi
  632. fi
  633. ;;
  634. esac
  635. done | sort -t: -k1 -n -r
  636. # NOTE: this last sort is important so that the "good" keys (key
  637. # flag '0') come last. This is so that they take precedence when
  638. # being processed in the key files over "bad" keys (key flag '1')
  639. }
  640. # process a single host in the known_host file
  641. process_host_known_hosts() {
  642. local host
  643. local userID
  644. local noKey=
  645. local nKeys
  646. local nKeysOK
  647. local ok
  648. local sshKey
  649. local tmpfile
  650. # set the key processing mode
  651. export MODE='known_hosts'
  652. host="$1"
  653. userID="ssh://${host}"
  654. log verbose "processing: $host"
  655. nKeys=0
  656. nKeysOK=0
  657. IFS=$'\n'
  658. for line in $(process_user_id "${userID}") ; do
  659. # note that key was found
  660. nKeys=$((nKeys+1))
  661. ok=$(echo "$line" | cut -d: -f1)
  662. sshKey=$(echo "$line" | cut -d: -f2)
  663. if [ -z "$sshKey" ] ; then
  664. continue
  665. fi
  666. # remove any old host key line, and note if removed nothing is
  667. # removed
  668. remove_line "$KNOWN_HOSTS" "$sshKey" || noKey=true
  669. # if key OK, add new host line
  670. if [ "$ok" -eq '0' ] ; then
  671. # note that key was found ok
  672. nKeysOK=$((nKeysOK+1))
  673. # hash if specified
  674. if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then
  675. # FIXME: this is really hackish cause ssh-keygen won't
  676. # hash from stdin to stdout
  677. tmpfile=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
  678. ssh2known_hosts "$host" "$sshKey" > "$tmpfile"
  679. ssh-keygen -H -f "$tmpfile" 2> /dev/null
  680. cat "$tmpfile" >> "$KNOWN_HOSTS"
  681. rm -f "$tmpfile" "${tmpfile}.old"
  682. else
  683. ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS"
  684. fi
  685. # log if this is a new key to the known_hosts file
  686. if [ "$noKey" ] ; then
  687. log info "* new key for $host added to known_hosts file."
  688. fi
  689. fi
  690. done
  691. # if at least one key was found...
  692. if [ "$nKeys" -gt 0 ] ; then
  693. # if ok keys were found, return 0
  694. if [ "$nKeysOK" -gt 0 ] ; then
  695. return 0
  696. # else return 2
  697. else
  698. return 2
  699. fi
  700. # if no keys were found, return 1
  701. else
  702. return 1
  703. fi
  704. }
  705. # update the known_hosts file for a set of hosts listed on command
  706. # line
  707. update_known_hosts() {
  708. local returnCode=0
  709. local nHosts
  710. local nHostsOK
  711. local nHostsBAD
  712. local fileCheck
  713. local host
  714. # the number of hosts specified on command line
  715. nHosts="$#"
  716. nHostsOK=0
  717. nHostsBAD=0
  718. # touch the known_hosts file so that the file permission check
  719. # below won't fail upon not finding the file
  720. (umask 0022 && touch "$KNOWN_HOSTS")
  721. # check permissions on the known_hosts file path
  722. check_key_file_permissions $(whoami) "$KNOWN_HOSTS" || failure
  723. # create a lockfile on known_hosts:
  724. lock create "$KNOWN_HOSTS"
  725. # FIXME: we're discarding any pre-existing EXIT trap; is this bad?
  726. trap "lock remove $KNOWN_HOSTS" EXIT
  727. # note pre update file checksum
  728. fileCheck="$(file_hash "$KNOWN_HOSTS")"
  729. for host ; do
  730. # process the host
  731. process_host_known_hosts "$host" || returnCode="$?"
  732. # note the result
  733. case "$returnCode" in
  734. 0)
  735. nHostsOK=$((nHostsOK+1))
  736. ;;
  737. 2)
  738. nHostsBAD=$((nHostsBAD+1))
  739. ;;
  740. esac
  741. # touch the lockfile, for good measure.
  742. lock touch "$KNOWN_HOSTS"
  743. done
  744. # remove the lockfile and the trap
  745. lock remove "$KNOWN_HOSTS"
  746. trap - EXIT
  747. # note if the known_hosts file was updated
  748. if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then
  749. log debug "known_hosts file updated."
  750. fi
  751. # if an acceptable host was found, return 0
  752. if [ "$nHostsOK" -gt 0 ] ; then
  753. return 0
  754. # else if no ok hosts were found...
  755. else
  756. # if no bad host were found then no hosts were found at all,
  757. # and return 1
  758. if [ "$nHostsBAD" -eq 0 ] ; then
  759. return 1
  760. # else if at least one bad host was found, return 2
  761. else
  762. return 2
  763. fi
  764. fi
  765. }
  766. # process hosts from a known_hosts file
  767. process_known_hosts() {
  768. local hosts
  769. # exit if the known_hosts file does not exist
  770. if [ ! -e "$KNOWN_HOSTS" ] ; then
  771. failure "known_hosts file '$KNOWN_HOSTS' does not exist."
  772. fi
  773. log debug "processing known_hosts file:"
  774. log debug " $KNOWN_HOSTS"
  775. hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ')
  776. if [ -z "$hosts" ] ; then
  777. log debug "no hosts to process."
  778. return
  779. fi
  780. # take all the hosts from the known_hosts file (first
  781. # field), grep out all the hashed hosts (lines starting
  782. # with '|')...
  783. update_known_hosts $hosts
  784. }
  785. # process uids for the authorized_keys file
  786. process_uid_authorized_keys() {
  787. local userID
  788. local nKeys
  789. local nKeysOK
  790. local ok
  791. local sshKey
  792. # set the key processing mode
  793. export MODE='authorized_keys'
  794. userID="$1"
  795. log verbose "processing: $userID"
  796. nKeys=0
  797. nKeysOK=0
  798. IFS=$'\n'
  799. for line in $(process_user_id "$userID") ; do
  800. # note that key was found
  801. nKeys=$((nKeys+1))
  802. ok=$(echo "$line" | cut -d: -f1)
  803. sshKey=$(echo "$line" | cut -d: -f2)
  804. if [ -z "$sshKey" ] ; then
  805. continue
  806. fi
  807. # remove the old host key line
  808. remove_line "$AUTHORIZED_KEYS" "$sshKey"
  809. # if key OK, add new host line
  810. if [ "$ok" -eq '0' ] ; then
  811. # note that key was found ok
  812. nKeysOK=$((nKeysOK+1))
  813. ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS"
  814. fi
  815. done
  816. # if at least one key was found...
  817. if [ "$nKeys" -gt 0 ] ; then
  818. # if ok keys were found, return 0
  819. if [ "$nKeysOK" -gt 0 ] ; then
  820. return 0
  821. # else return 2
  822. else
  823. return 2
  824. fi
  825. # if no keys were found, return 1
  826. else
  827. return 1
  828. fi
  829. }
  830. # update the authorized_keys files from a list of user IDs on command
  831. # line
  832. update_authorized_keys() {
  833. local returnCode=0
  834. local userID
  835. local nIDs
  836. local nIDsOK
  837. local nIDsBAD
  838. local fileCheck
  839. # the number of ids specified on command line
  840. nIDs="$#"
  841. nIDsOK=0
  842. nIDsBAD=0
  843. log debug "updating authorized_keys file:"
  844. log debug " $AUTHORIZED_KEYS"
  845. # check permissions on the authorized_keys file path
  846. check_key_file_permissions $(whoami) "$AUTHORIZED_KEYS" || failure
  847. # create a lockfile on authorized_keys
  848. lock create "$AUTHORIZED_KEYS"
  849. # FIXME: we're discarding any pre-existing EXIT trap; is this bad?
  850. trap "lock remove $AUTHORIZED_KEYS" EXIT
  851. # note pre update file checksum
  852. fileCheck="$(file_hash "$AUTHORIZED_KEYS")"
  853. # remove any monkeysphere lines from authorized_keys file
  854. remove_monkeysphere_lines "$AUTHORIZED_KEYS"
  855. for userID ; do
  856. # process the user ID, change return code if key not found for
  857. # user ID
  858. process_uid_authorized_keys "$userID" || returnCode="$?"
  859. # note the result
  860. case "$returnCode" in
  861. 0)
  862. nIDsOK=$((nIDsOK+1))
  863. ;;
  864. 2)
  865. nIDsBAD=$((nIDsBAD+1))
  866. ;;
  867. esac
  868. # touch the lockfile, for good measure.
  869. lock touch "$AUTHORIZED_KEYS"
  870. done
  871. # remove the lockfile and the trap
  872. lock remove "$AUTHORIZED_KEYS"
  873. # remove the trap
  874. trap - EXIT
  875. # note if the authorized_keys file was updated
  876. if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then
  877. log debug "authorized_keys file updated."
  878. fi
  879. # if an acceptable id was found, return 0
  880. if [ "$nIDsOK" -gt 0 ] ; then
  881. return 0
  882. # else if no ok ids were found...
  883. else
  884. # if no bad ids were found then no ids were found at all, and
  885. # return 1
  886. if [ "$nIDsBAD" -eq 0 ] ; then
  887. return 1
  888. # else if at least one bad id was found, return 2
  889. else
  890. return 2
  891. fi
  892. fi
  893. }
  894. # process an authorized_user_ids file for authorized_keys
  895. process_authorized_user_ids() {
  896. local line
  897. local nline
  898. local userIDs
  899. authorizedUserIDs="$1"
  900. # exit if the authorized_user_ids file is empty
  901. if [ ! -e "$authorizedUserIDs" ] ; then
  902. failure "authorized_user_ids file '$authorizedUserIDs' does not exist."
  903. fi
  904. log debug "processing authorized_user_ids file:"
  905. log debug " $authorizedUserIDs"
  906. # check permissions on the authorized_user_ids file path
  907. check_key_file_permissions $(whoami) "$authorizedUserIDs" || failure
  908. if ! meat "$authorizedUserIDs" > /dev/null ; then
  909. log debug " no user IDs to process."
  910. return
  911. fi
  912. nline=0
  913. # extract user IDs from authorized_user_ids file
  914. IFS=$'\n'
  915. for line in $(meat "$authorizedUserIDs") ; do
  916. userIDs["$nline"]="$line"
  917. nline=$((nline+1))
  918. done
  919. update_authorized_keys "${userIDs[@]}"
  920. }
  921. # takes a gpg key or keys on stdin, and outputs a list of
  922. # fingerprints, one per line:
  923. list_primary_fingerprints() {
  924. local fake=$(msmktempdir)
  925. GNUPGHOME="$fake" gpg --no-tty --quiet --import
  926. GNUPGHOME="$fake" gpg --with-colons --fingerprint --list-keys | \
  927. awk -F: '/^fpr:/{ print $10 }'
  928. rm -rf "$fake"
  929. }
  930. check_cruft_file() {
  931. local loc="$1"
  932. local version="$2"
  933. if [ -e "$loc" ] ; then
  934. printf "! The file '%s' is no longer used by\n monkeysphere (as of version %s), and can be removed.\n\n" "$loc" "$version" | log info
  935. fi
  936. }
  937. check_upgrade_dir() {
  938. local loc="$1"
  939. local version="$2"
  940. if [ -d "$loc" ] ; then
  941. printf "The presence of directory '%s' indicates that you have\nnot yet completed a monkeysphere upgrade.\nYou should probably run the following script:\n %s/transitions/%s\n\n" "$loc" "$SYSSHAREDIR" "$version" | log info
  942. fi
  943. }
  944. ## look for cruft from old versions of the monkeysphere, and notice if
  945. ## upgrades have not been run:
  946. report_cruft() {
  947. check_upgrade_dir "${SYSCONFIGDIR}/gnupg-host" 0.23
  948. check_upgrade_dir "${SYSCONFIGDIR}/gnupg-authentication" 0.23
  949. check_cruft_file "${SYSCONFIGDIR}/gnupg-authentication.conf" 0.23
  950. check_cruft_file "${SYSCONFIGDIR}/gnupg-host.conf" 0.23
  951. local found=
  952. for foo in "${SYSDATADIR}/backup-from-"*"-transition" ; do
  953. if [ -d "$foo" ] ; then
  954. printf "! %s\n" "$foo" | log info
  955. found=true
  956. fi
  957. done
  958. if [ "$found" ] ; then
  959. printf "The directories above are backups left over from a monkeysphere transition.\nThey may contain copies of sensitive data (host keys, certifier lists), but\nthey are no longer needed by monkeysphere.\nYou may remove them at any time.\n\n" | log info
  960. fi
  961. }