summaryrefslogtreecommitdiff
path: root/src/share/mh/diagnostics
blob: 2f65f899f4cfdd7f0e4aad9fe1304ee50bf46ec2 (plain) 
    

  1. # -*-shell-script-*-
    2. 

  2. # This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
    3. 

  3. 

  4. # Monkeysphere host diagnostics subcommand
    5. 

  5. #
    6. 

  6. # The monkeysphere scripts are written by:
    7. 

  7. # Jameson Rollins <jrollins@finestructure.net>
    8. 

  8. # Jamie McClelland <jm@mayfirst.org>
    9. 

  9. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
    10. 

  10. #
    11. 

  11. # They are Copyright 2008-2009, and are all released under the GPL,
    12. 

  12. # version 3 or later.
    13. 

  13. 

  14. # check on the status and validity of the key and public certificates
    15. 

  15. 

  16. diagnostics() {
    17. 

  17. 

  18. local seckey
    19. 

  19. local keysfound
    20. 

  20. local curdate
    21. 

  21. local warnwindow
    22. 

  22. local warndate
    23. 

  23. local create
    24. 

  24. local expire
    25. 

  25. local uid
    26. 

  26. local fingerprint
    27. 

  27. local badhostkeys
    28. 

  28. local problemsfound=0
    29. 

  29. 

  30. report_cruft
    31. 

  31. 

  32. seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
    33. 

  33. keysfound=$(echo "$seckey" | grep -c ^sec:)
    34. 

  34. curdate=$(date +%s)
    35. 

  35. # warn when anything is 2 months away from expiration
    36. 

  36. warnwindow='2 months'
    37. 

  37. warndate=$(advance_date $warnwindow +%s)
    38. 

  38. 

  39. if ! id monkeysphere >/dev/null ; then
    40. 

  40.     echo "! No monkeysphere user found!  Please create a monkeysphere system user with bash as its shell."
    41. 

  41.     problemsfound=$(($problemsfound+1))
    42. 

  42. fi
    43. 

  43. 

  44. if ! [ -d "$SYSDATADIR" ] ; then
    45. 

  45.     echo "! no $SYSDATADIR directory found.  Please create it."
    46. 

  46.     problemsfound=$(($problemsfound+1))
    47. 

  47. fi
    48. 

  48. 

  49. echo "Checking host GPG key..."
    50. 

  50. if (( "$keysfound" < 1 )); then
    51. 

  51.     echo "! No host key found."
    52. 

  52.     echo " - Recommendation: run 'monkeysphere-host import-key'"
    53. 

  53.     problemsfound=$(($problemsfound+1))
    54. 

  54. elif (( "$keysfound" > 1 )); then
    55. 

  55.     echo "! More than one host key found?"
    56. 

  56.     # FIXME: recommend a way to resolve this
    57. 

  57.     problemsfound=$(($problemsfound+1))
    58. 

  58. else
    59. 

  59.     create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
    60. 

  60.     expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
    61. 

  61.     fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
    62. 

  62.     # check for key expiration:
    63. 

  63.     if [ "$expire" ]; then
    64. 

  64.     if (( "$expire"  < "$curdate" )); then
    65. 

  65.         echo "! Host key is expired."
    66. 

  66.         echo " - Recommendation: extend lifetime of key with 'monkeysphere-host extend-key'"
    67. 

  67.         problemsfound=$(($problemsfound+1))
    68. 

  68.     elif (( "$expire" < "$warndate" )); then
    69. 

  69.         echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
    70. 

  70.         echo " - Recommendation: extend lifetime of key with 'monkeysphere-host extend-key'"
    71. 

  71.         problemsfound=$(($problemsfound+1))
    72. 

  72.     fi
    73. 

  73.     fi
    74. 

  74. 

  75.     # and weirdnesses:
    76. 

  76.     if [ "$create" ] && (( "$create" > "$curdate" )); then
    77. 

  77.     echo "! Host key was created in the future(?!). Is your clock correct?"
    78. 

  78.     echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
    79. 

  79.     problemsfound=$(($problemsfound+1))
    80. 

  80.     fi
    81. 

  81.     
    82. 

  82.     # check for UserID expiration:
    83. 

  83.     echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
    84. 

  84.     while IFS=: read create expire uid ; do
    85. 

  85.     # FIXME: should we be doing any checking on the form
    86. 

  86.     # of the User ID?  Should we be unmangling it somehow?
    87. 

  87. 

  88.     if [ "$create" ] && (( "$create" > "$curdate" )); then
    89. 

  89.         echo "! User ID '$uid' was created in the future(?!).  Is your clock correct?"
    90. 

  90.         echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
    91. 

  91.         problemsfound=$(($problemsfound+1))
    92. 

  92.     fi
    93. 

  93.     if [ "$expire" ] ; then
    94. 

  94.         if (( "$expire" < "$curdate" )); then
    95. 

  95.         echo "! User ID '$uid' is expired."
    96. 

  96.         # FIXME: recommend a way to resolve this
    97. 

  97.         problemsfound=$(($problemsfound+1))
    98. 

  98.         elif (( "$expire" < "$warndate" )); then
    99. 

  99.         echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
    100. 

  100.         # FIXME: recommend a way to resolve this
    101. 

  101.         problemsfound=$(($problemsfound+1))
    102. 

  102.         fi
    103. 

  103.     fi
    104. 

  104.     done
    105. 

  105.         
    106. 

  106. # FIXME: verify that the host key is properly published to the
    107. 

  107. #   keyservers (do this with the non-privileged user)
    108. 

  108. 

  109. # FIXME: check that there are valid, non-expired certifying signatures
    110. 

  110. #   attached to the host key after fetching from the public keyserver
    111. 

  111. #   (do this with the non-privileged user as well)
    112. 

  112. 

  113. # FIXME: propose adding a revoker to the host key if none exist (do we
    114. 

  114. #   have a way to do that after key generation?)
    115. 

  115. 

  116. # FIXME: test (with ssh-keyscan?) that the running ssh
    117. 

  117. # daemon is actually offering the monkeysphere host key.
    118. 

  118. 

  119. fi
    120. 

  120. 

  121. # FIXME: look at the ownership/privileges of the various keyrings,
    122. 

  122. #    directories housing them, etc (what should those values be?  can
    123. 

  123. #    we make them as minimal as possible?)
    124. 

  124. 

  125. 

  126. if [ "$problemsfound" -gt 0 ]; then
    127. 

  127.     echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
    128. 

  128.     echo "  monkeysphere-host diagnostics"
    129. 

  129. else
    130. 

  130.     echo "Everything seems to be in order!"
    131. 

  131. fi
    132. 

  132. 

  133. }
    134.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-28 10:49:36 +0000