summaryrefslogtreecommitdiff
path: root/src/share/mh/diagnostics
blob: 8e83cc5ab0a62fb9dc249a7ebf452550671fb122 (plain)
  1. # -*-shell-script-*-
  2. # This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
  3. # Monkeysphere host diagnostics subcommand
  4. #
  5. # The monkeysphere scripts are written by:
  6. # Jameson Rollins <jrollins@finestructure.net>
  7. # Jamie McClelland <jm@mayfirst.org>
  8. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  9. #
  10. # They are Copyright 2008-2009, and are all released under the GPL,
  11. # version 3 or later.
  12. # check on the status and validity of the key and public certificates
  13. diagnostics() {
  14. local seckey
  15. local keysfound
  16. local curdate
  17. local warnwindow
  18. local warndate
  19. local create
  20. local expire
  21. local uid
  22. local fingerprint
  23. local badhostkeys
  24. local problemsfound=0
  25. if ! [ -d "$SYSDATADIR" ] ; then
  26. echo "! no $SYSDATADIR directory found. Please create it."
  27. exit
  28. fi
  29. if ! [ -f "$HOST_KEY_FILE" ] ; then
  30. echo "No host key OpenPGP pub file found!"
  31. echo " - Recommendation: run 'monkeysphere-host import-key'"
  32. exit
  33. fi
  34. # load the host key fingerprint
  35. load_fingerprint
  36. seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
  37. keysfound=$(echo "$seckey" | grep -c ^sec:)
  38. curdate=$(date +%s)
  39. # warn when anything is 2 months away from expiration
  40. warnwindow='2 months'
  41. warndate=$(advance_date $warnwindow +%s)
  42. if ! id monkeysphere >/dev/null ; then
  43. echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell."
  44. problemsfound=$(($problemsfound+1))
  45. fi
  46. echo "Checking host GPG key..."
  47. if (( "$keysfound" < 1 )); then
  48. echo "! No host key found. The monkeysphere-host data directory is corrupt?!?!"
  49. echo " - Recommendation: purge the MHDATADIR ($MHDATADIR) and rerun 'monkeysphere-host import-key'"
  50. problemsfound=$(($problemsfound+1))
  51. elif (( "$keysfound" > 1 )); then
  52. echo "! More than one host key found?"
  53. # FIXME: recommend a way to resolve this
  54. problemsfound=$(($problemsfound+1))
  55. else
  56. create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
  57. expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
  58. fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
  59. # check for key expiration:
  60. if [ "$expire" ]; then
  61. if (( "$expire" < "$curdate" )); then
  62. echo "! Host key is expired."
  63. echo " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire'"
  64. problemsfound=$(($problemsfound+1))
  65. elif (( "$expire" < "$warndate" )); then
  66. echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
  67. echo " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire'"
  68. problemsfound=$(($problemsfound+1))
  69. fi
  70. fi
  71. # and weirdnesses:
  72. if [ "$create" ] && (( "$create" > "$curdate" )); then
  73. echo "! Host key was created in the future(?!). Is your clock correct?"
  74. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  75. problemsfound=$(($problemsfound+1))
  76. fi
  77. # check for UserID expiration:
  78. echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
  79. while IFS=: read create expire uid ; do
  80. # FIXME: should we be doing any checking on the form
  81. # of the User ID? Should we be unmangling it somehow?
  82. if [ "$create" ] && (( "$create" > "$curdate" )); then
  83. echo "! User ID '$uid' was created in the future(?!). Is your clock correct?"
  84. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  85. problemsfound=$(($problemsfound+1))
  86. fi
  87. if [ "$expire" ] ; then
  88. if (( "$expire" < "$curdate" )); then
  89. echo "! User ID '$uid' is expired."
  90. # FIXME: recommend a way to resolve this
  91. problemsfound=$(($problemsfound+1))
  92. elif (( "$expire" < "$warndate" )); then
  93. echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
  94. # FIXME: recommend a way to resolve this
  95. problemsfound=$(($problemsfound+1))
  96. fi
  97. fi
  98. done
  99. # FIXME: verify that the host key is properly published to the
  100. # keyservers (do this with the non-privileged user)
  101. # FIXME: check that there are valid, non-expired certifying signatures
  102. # attached to the host key after fetching from the public keyserver
  103. # (do this with the non-privileged user as well)
  104. # FIXME: propose adding a revoker to the host key if none exist (do we
  105. # have a way to do that after key generation?)
  106. # FIXME: test (with ssh-keyscan?) that the running ssh
  107. # daemon is actually offering the monkeysphere host key.
  108. fi
  109. # FIXME: look at the ownership/privileges of the various keyrings,
  110. # directories housing them, etc (what should those values be? can
  111. # we make them as minimal as possible?)
  112. # report on any cruft from old monkeysphere version
  113. report_cruft
  114. if [ "$problemsfound" -gt 0 ]; then
  115. echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
  116. echo " monkeysphere-host diagnostics"
  117. else
  118. echo "Everything seems to be in order!"
  119. fi
  120. }