summaryrefslogtreecommitdiff
path: root/src/share/mh/diagnostics
blob: 37460203b9056e490089a357d300882d03fdf339 (plain)
  1. # -*-shell-script-*-
  2. # This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
  3. # Monkeysphere host diagnostics subcommand
  4. #
  5. # The monkeysphere scripts are written by:
  6. # Jameson Rollins <jrollins@finestructure.net>
  7. # Jamie McClelland <jm@mayfirst.org>
  8. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  9. #
  10. # They are Copyright 2008-2009, and are all released under the GPL,
  11. # version 3 or later.
  12. # check on the status and validity of the key and public certificates
  13. diagnostics() {
  14. local seckey
  15. local keysfound
  16. local curdate
  17. local warnwindow
  18. local warndate
  19. local create
  20. local expire
  21. local uid
  22. local fingerprint
  23. local badhostkeys
  24. local problemsfound=0
  25. report_cruft
  26. seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
  27. keysfound=$(echo "$seckey" | grep -c ^sec:)
  28. curdate=$(date +%s)
  29. # warn when anything is 2 months away from expiration
  30. warnwindow='2 months'
  31. warndate=$(advance_date $warnwindow +%s)
  32. if ! id monkeysphere >/dev/null ; then
  33. echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell."
  34. problemsfound=$(($problemsfound+1))
  35. fi
  36. if ! [ -d "$SYSDATADIR" ] ; then
  37. echo "! no $SYSDATADIR directory found. Please create it."
  38. problemsfound=$(($problemsfound+1))
  39. fi
  40. echo "Checking host GPG key..."
  41. if (( "$keysfound" < 1 )); then
  42. echo "! No host key found."
  43. echo " - Recommendation: run 'monkeysphere-host import-key'"
  44. problemsfound=$(($problemsfound+1))
  45. elif (( "$keysfound" > 1 )); then
  46. echo "! More than one host key found?"
  47. # FIXME: recommend a way to resolve this
  48. problemsfound=$(($problemsfound+1))
  49. else
  50. create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
  51. expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
  52. fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
  53. # check for key expiration:
  54. if [ "$expire" ]; then
  55. if (( "$expire" < "$curdate" )); then
  56. echo "! Host key is expired."
  57. echo " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire'"
  58. problemsfound=$(($problemsfound+1))
  59. elif (( "$expire" < "$warndate" )); then
  60. echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
  61. echo " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire'"
  62. problemsfound=$(($problemsfound+1))
  63. fi
  64. fi
  65. # and weirdnesses:
  66. if [ "$create" ] && (( "$create" > "$curdate" )); then
  67. echo "! Host key was created in the future(?!). Is your clock correct?"
  68. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  69. problemsfound=$(($problemsfound+1))
  70. fi
  71. # check for UserID expiration:
  72. echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
  73. while IFS=: read create expire uid ; do
  74. # FIXME: should we be doing any checking on the form
  75. # of the User ID? Should we be unmangling it somehow?
  76. if [ "$create" ] && (( "$create" > "$curdate" )); then
  77. echo "! User ID '$uid' was created in the future(?!). Is your clock correct?"
  78. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  79. problemsfound=$(($problemsfound+1))
  80. fi
  81. if [ "$expire" ] ; then
  82. if (( "$expire" < "$curdate" )); then
  83. echo "! User ID '$uid' is expired."
  84. # FIXME: recommend a way to resolve this
  85. problemsfound=$(($problemsfound+1))
  86. elif (( "$expire" < "$warndate" )); then
  87. echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
  88. # FIXME: recommend a way to resolve this
  89. problemsfound=$(($problemsfound+1))
  90. fi
  91. fi
  92. done
  93. # FIXME: verify that the host key is properly published to the
  94. # keyservers (do this with the non-privileged user)
  95. # FIXME: check that there are valid, non-expired certifying signatures
  96. # attached to the host key after fetching from the public keyserver
  97. # (do this with the non-privileged user as well)
  98. # FIXME: propose adding a revoker to the host key if none exist (do we
  99. # have a way to do that after key generation?)
  100. # FIXME: test (with ssh-keyscan?) that the running ssh
  101. # daemon is actually offering the monkeysphere host key.
  102. fi
  103. # FIXME: look at the ownership/privileges of the various keyrings,
  104. # directories housing them, etc (what should those values be? can
  105. # we make them as minimal as possible?)
  106. if [ "$problemsfound" -gt 0 ]; then
  107. echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
  108. echo " monkeysphere-host diagnostics"
  109. else
  110. echo "Everything seems to be in order!"
  111. fi
  112. }