projects
/
monkeysphere.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Merge commit 'dkg/master'
[monkeysphere.git]
/
src
/
monkeysphere-server
diff --git
a/src/monkeysphere-server
b/src/monkeysphere-server
index db3687bda3b7c185c7bc1e34f63f853afaa1e1eb..0c562799a3355a09207c7023e0d1044a7eea5451 100755
(executable)
--- a/
src/monkeysphere-server
+++ b/
src/monkeysphere-server
@@
-13,12
+13,12
@@
########################################################################
PGRM=$(basename $0)
########################################################################
PGRM=$(basename $0)
-S
HARE=${MONKEYSPHERE_SHARE:=
"/usr/share/monkeysphere"}
-export S
HARE
-. "${S
HARE
}/common" || exit 1
+S
YSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-
"/usr/share/monkeysphere"}
+export S
YSSHAREDIR
+. "${S
YSSHAREDIR
}/common" || exit 1
-VARLIB="/var/lib/monkeysphere"
-export
VARLIB
+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
+export
SYSDATADIR
# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
@@
-36,7
+36,7
@@
RETURN=0
usage() {
cat <<EOF >&2
usage: $PGRM <subcommand> [options] [args]
usage() {
cat <<EOF >&2
usage: $PGRM <subcommand> [options] [args]
-Monkey
S
phere server admin tool.
+Monkey
s
phere server admin tool.
subcommands:
update-users (u) [USER]... update user authorized_keys files
subcommands:
update-users (u) [USER]... update user authorized_keys files
@@
-66,8
+66,17
@@
subcommands:
EOF
}
EOF
}
+# function to run command as monkeysphere user
su_monkeysphere_user() {
su_monkeysphere_user() {
- su "$MONKEYSPHERE_USER" -c "$@"
+ # if the current user is the monkeysphere user, then just eval
+ # command
+ if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then
+ eval "$@"
+
+ # otherwise su command as monkeysphere user
+ else
+ su "$MONKEYSPHERE_USER" -c "$@"
+ fi
}
# function to interact with the host gnupg keyring
}
# function to interact with the host gnupg keyring
@@
-151,7
+160,7
@@
update_users() {
fi
# make sure the authorized_keys directory exists
fi
# make sure the authorized_keys directory exists
- mkdir -p "${
VARLIB
}/authorized_keys"
+ mkdir -p "${
SYSDATADIR
}/authorized_keys"
# loop over users
for uname in $unames ; do
# loop over users
for uname in $unames ; do
@@
-221,7
+230,7
@@
update_users() {
# process authorized_user_ids file, as monkeysphere
# user
su_monkeysphere_user \
# process authorized_user_ids file, as monkeysphere
# user
su_monkeysphere_user \
- ". ${S
HARE
}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
+ ". ${S
YSSHAREDIR
}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
RETURN="$?"
fi
RETURN="$?"
fi
@@
-240,7
+249,7
@@
update_users() {
chmod g+r "$AUTHORIZED_KEYS"
# move the resulting authorized_keys file into place
chmod g+r "$AUTHORIZED_KEYS"
# move the resulting authorized_keys file into place
- mv -f "$AUTHORIZED_KEYS" "${
VARLIB
}/authorized_keys/${uname}"
+ mv -f "$AUTHORIZED_KEYS" "${
SYSDATADIR
}/authorized_keys/${uname}"
# destroy temporary directory
rm -rf "$TMPLOC"
# destroy temporary directory
rm -rf "$TMPLOC"
@@
-364,8
+373,8
@@
EOF
# NOTE: assumes that the primary key is the proper key to use
(umask 077 && \
gpg_host --export-secret-key "$fingerprint" | \
# NOTE: assumes that the primary key is the proper key to use
(umask 077 && \
gpg_host --export-secret-key "$fingerprint" | \
- openpgp2ssh "$fingerprint" > "${
VARLIB
}/ssh_host_rsa_key")
- log info "Private SSH host key output to file: ${
VARLIB
}/ssh_host_rsa_key"
+ openpgp2ssh "$fingerprint" > "${
SYSDATADIR
}/ssh_host_rsa_key")
+ log info "Private SSH host key output to file: ${
SYSDATADIR
}/ssh_host_rsa_key"
}
# extend the lifetime of a host key:
}
# extend the lifetime of a host key:
@@
-575,8
+584,8
@@
diagnostics() {
problemsfound=$(($problemsfound+1))
fi
problemsfound=$(($problemsfound+1))
fi
- if ! [ -d "$
VARLIB
" ] ; then
- echo "! no $
VARLIB
directory found. Please create it."
+ if ! [ -d "$
SYSDATADIR
" ] ; then
+ echo "! no $
SYSDATADIR
directory found. Please create it."
problemsfound=$(($problemsfound+1))
fi
problemsfound=$(($problemsfound+1))
fi
@@
-650,22
+659,22
@@
diagnostics() {
# Ensure that the ssh_host_rsa_key file is present and non-empty:
echo
echo "Checking host SSH key..."
# Ensure that the ssh_host_rsa_key file is present and non-empty:
echo
echo "Checking host SSH key..."
- if [ ! -s "${
VARLIB
}/ssh_host_rsa_key" ] ; then
- echo "! The host key as prepared for SSH (${
VARLIB
}/ssh_host_rsa_key) is missing or empty."
+ if [ ! -s "${
SYSDATADIR
}/ssh_host_rsa_key" ] ; then
+ echo "! The host key as prepared for SSH (${
SYSDATADIR
}/ssh_host_rsa_key) is missing or empty."
problemsfound=$(($problemsfound+1))
else
problemsfound=$(($problemsfound+1))
else
- if [ $(ls -l "${
VARLIB
}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
- echo "! Permissions seem wrong for ${
VARLIB
}/ssh_host_rsa_key -- should be 0600."
+ if [ $(ls -l "${
SYSDATADIR
}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
+ echo "! Permissions seem wrong for ${
SYSDATADIR
}/ssh_host_rsa_key -- should be 0600."
problemsfound=$(($problemsfound+1))
fi
# propose changes needed for sshd_config (if any)
problemsfound=$(($problemsfound+1))
fi
# propose changes needed for sshd_config (if any)
- if ! grep -q "^HostKey[[:space:]]\+${
VARLIB
}/ssh_host_rsa_key$" "$sshd_config"; then
- echo "! $sshd_config does not point to the monkeysphere host key (${
VARLIB
}/ssh_host_rsa_key)."
- echo " - Recommendation: add a line to $sshd_config: 'HostKey ${
VARLIB
}/ssh_host_rsa_key'"
+ if ! grep -q "^HostKey[[:space:]]\+${
SYSDATADIR
}/ssh_host_rsa_key$" "$sshd_config"; then
+ echo "! $sshd_config does not point to the monkeysphere host key (${
SYSDATADIR
}/ssh_host_rsa_key)."
+ echo " - Recommendation: add a line to $sshd_config: 'HostKey ${
SYSDATADIR
}/ssh_host_rsa_key'"
problemsfound=$(($problemsfound+1))
fi
problemsfound=$(($problemsfound+1))
fi
- if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${
VARLIB
}/ssh_host_rsa_key$") ; then
+ if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${
SYSDATADIR
}/ssh_host_rsa_key$") ; then
echo "! $sshd_config refers to some non-monkeysphere host keys:"
echo "$badhostkeys"
echo " - Recommendation: remove the above HostKey lines from $sshd_config"
echo "! $sshd_config refers to some non-monkeysphere host keys:"
echo "$badhostkeys"
echo " - Recommendation: remove the above HostKey lines from $sshd_config"
@@
-681,20
+690,23
@@
diagnostics() {
# FIXME: look to see that the ownertrust rules are set properly on the
# authentication keyring
# FIXME: look to see that the ownertrust rules are set properly on the
# authentication keyring
-# FIXME:
make sure that at least one identity certifier exists
+# FIXME: make sure that at least one identity certifier exists
# FIXME: look at the timestamps on the monkeysphere-generated
# authorized_keys files -- warn if they seem out-of-date.
# FIXME: look at the timestamps on the monkeysphere-generated
# authorized_keys files -- warn if they seem out-of-date.
+# FIXME: check for a cronjob that updates monkeysphere-generated
+# authorized_keys?
+
echo
echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
# Ensure that User ID authentication is enabled:
echo
echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
# Ensure that User ID authentication is enabled:
- if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${
VARLIB
}/authorized_keys/%u$" "$sshd_config"; then
+ if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${
SYSDATADIR
}/authorized_keys/%u$" "$sshd_config"; then
echo "! $sshd_config does not point to monkeysphere authorized keys."
echo "! $sshd_config does not point to monkeysphere authorized keys."
- echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${
VARLIB
}/authorized_keys/%u'"
+ echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${
SYSDATADIR
}/authorized_keys/%u'"
problemsfound=$(($problemsfound+1))
fi
problemsfound=$(($problemsfound+1))
fi
- if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${
VARLIB
}/authorized_keys/%u$") ; then
+ if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${
SYSDATADIR
}/authorized_keys/%u$") ; then
echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
echo "$badauthorizedkeys"
echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
echo "$badauthorizedkeys"
echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
@@
-914,12
+926,12
@@
unset RAW_AUTHORIZED_KEYS
unset MONKEYSPHERE_USER
# load configuration file
unset MONKEYSPHERE_USER
# load configuration file
-[ -e ${MONKEYSPHERE_SERVER_CONFIG:="${
ETC
}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG"
+[ -e ${MONKEYSPHERE_SERVER_CONFIG:="${
SYSCONFIGDIR
}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG"
# set empty config variable with ones from the environment, or with
# defaults
LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
# set empty config variable with ones from the environment, or with
# defaults
LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
-KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="
subkeys.pgp
.net"}}
+KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="
pool.sks-keyservers
.net"}}
AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
@@
-927,8
+939,8
@@
MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkey
# other variables
CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
# other variables
CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
-GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${
VARLIB
}/gnupg-host"}
-GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${
VARLIB
}/gnupg-authentication"}
+GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${
SYSDATADIR
}/gnupg-host"}
+GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${
SYSDATADIR
}/gnupg-authentication"}
# export variables needed in su invocation
export DATE
# export variables needed in su invocation
export DATE