tests/basic now tests for adding and revoking hostnames.
1 # -*-shell-script-*-
2 # This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
3
4 # Monkeysphere authentication diagnostics subcommand
5 #
6 # The monkeysphere scripts are written by:
7 # Jameson Rollins <jrollins@finestructure.net>
8 # Jamie McClelland <jm@mayfirst.org>
9 # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
10 #
11 # They are Copyright 2008-2009, and are all released under the GPL,
12 # version 3 or later.
13
14 # check on the status and validity of the key and public certificates
15
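#######################################
# Run the monkeysphere-authentication self-checks and print a report.
#
# Checks, in order: the 'monkeysphere' system user, $SYSDATADIR,
# $MADATADIR, the core GPG secret key (count, expiry, creation date),
# the presence of at least one identity certifier, and the
# AuthorizedKeysFile setting in sshd_config.
#
# Globals:   SYSDATADIR (read), MADATADIR (read)
# Calls:     report_cruft, gpg_core, advance_date (not defined in this
#            file) and the monkeysphere-authentication command
# Outputs:   report on stdout; every problem line starts with "!"
# Returns:   status of the final echo.  If $MADATADIR is missing the
#            function calls a bare 'exit', ending the calling shell with
#            the status of the preceding echo.
#######################################
diagnostics() {

    local seckey
    local keysfound
    local curdate
    local warnwindow
    local warndate
    local create
    local expire
    # uid and badhostkeys are not referenced below; the declarations are
    # kept so nothing called from here can leak them into the caller.
    local uid
    local fingerprint
    local badhostkeys
    # Previously assigned without 'local', which leaked it into the
    # sourcing shell's global scope.
    local badauthorizedkeys
    local authkeys_re
    local expiry_day
    local plural
    local sshd_config
    local problemsfound=0

    report_cruft

    if ! id monkeysphere >/dev/null ; then
        echo "! No monkeysphere user found!  Please create a monkeysphere system user with bash as its shell."
        problemsfound=$((problemsfound + 1))
    fi

    if ! [ -d "$SYSDATADIR" ] ; then
        echo "! no $SYSDATADIR directory found.  Please create it."
        problemsfound=$((problemsfound + 1))
    fi

    echo "Checking for authentication directory..."
    if ! [ -d "$MADATADIR" ] ; then
        echo "! No authentication data directory found."
        echo " - Recommendation: run 'monkeysphere-authentication setup'"
        # NOTE(review): bare 'exit' reuses the status of the echo above
        # (normally 0), so a caller cannot detect this failure from the
        # exit code alone.
        exit
    fi

    # FIXME: what's the correct, cross-platform way to determine where
    # sshd_config lives?
    sshd_config=/etc/ssh/sshd_config

    seckey=$(gpg_core --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
    keysfound=$(printf '%s\n' "$seckey" | grep -c '^sec:')
    curdate=$(date +%s)
    # warn when anything is 2 months away from expiration
    warnwindow='2 months'
    # $warnwindow is deliberately unquoted: advance_date receives the
    # number and the unit as separate arguments.
    # shellcheck disable=SC2086
    warndate=$(advance_date $warnwindow +%s)

    echo "Checking core GPG key..."
    if (( keysfound < 1 )); then
        echo "! No core key found."
        echo " - Recommendation: run 'monkeysphere-authentication setup'"
        problemsfound=$((problemsfound + 1))
    elif (( keysfound > 1 )); then
        echo "! More than one core key found?"
        # FIXME: recommend a way to resolve this
        problemsfound=$((problemsfound + 1))
    else
        # Colon-format fields of the single sec: record: 6 = creation
        # time, 7 = expiration time (empty when the key never expires).
        create=$(printf '%s\n' "$seckey" | grep '^sec:' | cut -f6 -d:)
        expire=$(printf '%s\n' "$seckey" | grep '^sec:' | cut -f7 -d:)
        fingerprint=$(printf '%s\n' "$seckey" | grep '^fpr:' | head -n1 | cut -f10 -d:)
        # check for key expiration:
        if [ "$expire" ]; then
            if (( expire < curdate )); then
                echo "! Core key is expired."
                echo " - Recommendation: ???"
                problemsfound=$((problemsfound + 1))
            elif (( expire < warndate )); then
                expiry_day=$(advance_date $(( expire - curdate )) seconds +%F)
                echo "! Core key expires in less than $warnwindow:" "$expiry_day"
                echo " - Recommendation: ???"
                problemsfound=$((problemsfound + 1))
            fi
        fi

        # and weirdnesses:
        if [ "$create" ] && (( create > curdate )); then
            echo "! Core key was created in the future(?!). Is your clock correct?"
            echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
            problemsfound=$((problemsfound + 1))
        fi
    fi

    # FIXME: look at the ownership/privileges of the various keyrings,
    #    directories housing them, etc (what should those values be?  can
    #    we make them as minimal as possible?)

    # FIXME: look to see that the ownertrust rules are set properly on the
    #    sphere keyring

    # make sure that at least one identity certifier exists
    echo
    echo "Checking for Identity Certifiers..."
    # A certifier line is recognised by a 40-hex-digit fingerprint
    # followed by a colon ('grep -E' replaces the deprecated 'egrep').
    if ! ( monkeysphere-authentication list-identity-certifiers | grep -E '^[A-F0-9]{40}:' >/dev/null ) ; then
        echo "! No Identity Certifiers found!"
        echo " - Recommendation: once you know who should be able to certify the identities of 
     connecting users, you should add their key, with: 
      monkeysphere-authentication add-identity-certifier"
        problemsfound=$((problemsfound + 1))
    fi

    # FIXME: look at the timestamps on the monkeysphere-generated
    # authorized_keys files -- warn if they seem out-of-date.

    # FIXME: check for a cronjob that updates monkeysphere-generated
    # authorized_keys?

    echo
    echo "Checking for Monkeysphere-enabled public-key authentication for users ..."
    # NOTE(review): this is a line-based match against the main config
    # file only.  sshd keywords are case-insensitive, AuthorizedKeysFile
    # may list several paths on one line, and the setting can also come
    # from Match blocks or Include'd files, so a clean result here does
    # not prove sshd consults only monkeysphere-managed keys; comparing
    # against the effective configuration (e.g. 'sshd -T') is the stronger
    # check.  $SYSDATADIR is also interpolated into the regex, so regex
    # metacharacters in the path (such as '.') match more loosely than a
    # literal comparison would.
    authkeys_re="^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$"
    if ! [ -r "$sshd_config" ]; then
        # Without this guard an unreadable or missing file was reported as
        # "does not point to monkeysphere authorized keys", which hides the
        # real cause.
        echo "! Cannot read $sshd_config; unable to check its AuthorizedKeysFile setting."
        echo " - Recommendation: re-run as a user that can read $sshd_config"
        problemsfound=$((problemsfound + 1))
    else
        # Ensure that User ID authentication is enabled:
        if ! grep -q -- "$authkeys_re" "$sshd_config"; then
            echo "! $sshd_config does not point to monkeysphere authorized keys."
            echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'"
            problemsfound=$((problemsfound + 1))
        fi
        # Any other AuthorizedKeysFile line would let sshd accept keys that
        # monkeysphere did not validate; the condition is true only when
        # such a line survives the grep -v filter.
        if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v -- "$authkeys_re") ; then
            echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
            echo "$badauthorizedkeys"
            echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
            problemsfound=$((problemsfound + 1))
        fi
    fi

    if [ "$problemsfound" -gt 0 ]; then
        # Pick "issue is" or "issues are" to match the count.
        if [ "$problemsfound" -eq 1 ] ; then
            plural=" is"
        else
            plural="s are"
        fi
        echo "When the above $problemsfound issue${plural} resolved, please re-run:"
        echo "  monkeysphere-authentication diagnostics"
    else
        echo "Everything seems to be in order!"
    fi

}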