summaryrefslogtreecommitdiff
path: root/src/share/ma/diagnostics
blob: 7810c562134fc6a2c257044409bb5a0dc0088b47 (plain)
  1. # -*-shell-script-*-
  2. # This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
  3. # Monkeysphere authentication diagnostics subcommand
  4. #
  5. # The monkeysphere scripts are written by:
  6. # Jameson Rollins <jrollins@finestructure.net>
  7. # Jamie McClelland <jm@mayfirst.org>
  8. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  9. #
  10. # They are Copyright 2008-2009, and are all released under the GPL,
  11. # version 3 or later.
  12. # check on the status and validity of the key and public certificates
  13. diagnostics() {
  14. local seckey
  15. local keysfound
  16. local curdate
  17. local warnwindow
  18. local warndate
  19. local create
  20. local expire
  21. local uid
  22. local fingerprint
  23. local badhostkeys
  24. local sshd_config
  25. local problemsfound=0
  26. report_cruft
  27. if ! id monkeysphere >/dev/null ; then
  28. echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell."
  29. problemsfound=$(($problemsfound+1))
  30. fi
  31. if ! [ -d "$SYSDATADIR" ] ; then
  32. echo "! no $SYSDATADIR directory found. Please create it."
  33. problemsfound=$(($problemsfound+1))
  34. fi
  35. echo "Checking for authentication directory..."
  36. if ! [ -d "$MADATADIR" ] ; then
  37. echo "! No authentication data directory found."
  38. echo " - Recommendation: run 'monkeysphere-authentication setup'"
  39. exit
  40. fi
  41. # FIXME: what's the correct, cross-platform answer?
  42. seckey=$(gpg_core --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
  43. keysfound=$(echo "$seckey" | grep -c ^sec:)
  44. curdate=$(date +%s)
  45. # warn when anything is 2 months away from expiration
  46. warnwindow='2 months'
  47. warndate=$(advance_date $warnwindow +%s)
  48. echo "Checking core GPG key..."
  49. if (( "$keysfound" < 1 )); then
  50. echo "! No core key found."
  51. echo " - Recommendation: run 'monkeysphere-authentication setup'"
  52. problemsfound=$(($problemsfound+1))
  53. elif (( "$keysfound" > 1 )); then
  54. echo "! More than one core key found?"
  55. # FIXME: recommend a way to resolve this
  56. problemsfound=$(($problemsfound+1))
  57. else
  58. create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
  59. expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
  60. fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
  61. # check for key expiration:
  62. if [ "$expire" ]; then
  63. if (( "$expire" < "$curdate" )); then
  64. echo "! Core key is expired."
  65. echo " - Recommendation: ???"
  66. problemsfound=$(($problemsfound+1))
  67. elif (( "$expire" < "$warndate" )); then
  68. echo "! Core key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
  69. echo " - Recommendation: ???"
  70. problemsfound=$(($problemsfound+1))
  71. fi
  72. fi
  73. # and weirdnesses:
  74. if [ "$create" ] && (( "$create" > "$curdate" )); then
  75. echo "! Core key was created in the future(?!). Is your clock correct?"
  76. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  77. problemsfound=$(($problemsfound+1))
  78. fi
  79. fi
  80. # FIXME: look at the ownership/privileges of the various keyrings,
  81. # directories housing them, etc (what should those values be? can
  82. # we make them as minimal as possible?)
  83. # FIXME: look to see that the ownertrust rules are set properly on the
  84. # sphere keyring
  85. # FIXME: make sure that at least one identity certifier exists
  86. # FIXME: look at the timestamps on the monkeysphere-generated
  87. # authorized_keys files -- warn if they seem out-of-date.
  88. # FIXME: check for a cronjob that updates monkeysphere-generated
  89. # authorized_keys?
  90. echo
  91. echo "Checking for Monkeysphere-enabled public-key authentication for users ..."
  92. # Ensure that User ID authentication is enabled:
  93. if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then
  94. echo "! $sshd_config does not point to monkeysphere authorized keys."
  95. echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'"
  96. problemsfound=$(($problemsfound+1))
  97. fi
  98. if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then
  99. echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
  100. echo "$badauthorizedkeys"
  101. echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
  102. problemsfound=$(($problemsfound+1))
  103. fi
  104. if [ "$problemsfound" -gt 0 ]; then
  105. echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
  106. echo " monkeysphere-authentication diagnostics"
  107. else
  108. echo "Everything seems to be in order!"
  109. fi
  110. }