return 0
}
-# convert escaped characters from gpg output back into original
-# character
-# FIXME: undo all escape character translation in with-colons gpg output
-unescape() {
- echo "$1" | sed 's/\\x3a/:/'
+# hash of a file
+file_hash() {
+ md5sum "$1" 2> /dev/null
+}
+
+# convert escaped characters in pipeline from gpg output back into
+# original character
+# FIXME: undo all escape character translation in with-colons gpg
+# output
+gpg_unescape() {
+ sed 's/\\x3a/:/g'
+}
+
+# convert nasty chars into gpg-friendly form in pipeline
+# FIXME: escape everything, not just colons!
+gpg_escape() {
+ sed 's/:/\\x3a/g'
+}
+
+# prompt for GPG-formatted expiration, and emit result on stdout
+get_gpg_expiration() {
+ local keyExpire=
+
+ cat >&2 <<EOF
+Please specify how long the key should be valid.
+ 0 = key does not expire
+ <n> = key expires in n days
+ <n>w = key expires in n weeks
+ <n>m = key expires in n months
+ <n>y = key expires in n years
+EOF
+ while [ -z "$keyExpire" ] ; do
+ read -p "Key is valid for? (0) " keyExpire
+ if ! test_gpg_expire ${keyExpire:=0} ; then
+ echo "invalid value" >&2
+ unset keyExpire
+ fi
+ done
+ echo "$keyExpire"
}
# remove all lines with specified string from specified file
# (see /usr/share/doc/gnupg/DETAILS.gz)
# output is one line for every found key, in the following format:
#
-# flag fingerprint
+# flag:fingerprint
#
# "flag" is an acceptability flag, 0 = ok, 1 = bad
# "fingerprint" is the fingerprint of the key
fi
;;
'uid') # user ids
- # if an acceptable user ID was already found, skip
- if [ "$uidOK" ] ; then
+ if [ "$lastKey" != pub ] ; then
+ log " - got a user ID after a sub key?! user IDs should only follow primary keys!"
continue
fi
- # if the user ID does not match, skip
- if [ "$(unescape "$uidfpr")" != "$userID" ] ; then
+ # if an acceptable user ID was already found, skip
+ if [ "$uidOK" = 'true' ] ; then
continue
fi
- # if the user ID validity is not ok, skip
- if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
+ # if the user ID does matches...
+ if [ "$(echo "$uidfpr" | gpg_unescape)" = "$userID" ] ; then
+ # and the user ID validity is ok
+ if [ "$validity" = 'u' -o "$validity" = 'f' ] ; then
+ # mark user ID acceptable
+ uidOK=true
+ fi
+ else
continue
fi
- # mark user ID acceptable
- uidOK=true
-
# output a line for the primary key
# 0 = ok, 1 = bad
if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
log " * acceptable primary key."
if [ -z "$sshKey" ] ; then
- log " ! primary key could not be translated."
+ log " ! primary key could not be translated (not RSA or DSA?)."
else
echo "0:${sshKey}"
fi
else
log " - unacceptable primary key."
if [ -z "$sshKey" ] ; then
- log " ! primary key could not be translated."
+ log " ! primary key could not be translated (not RSA or DSA?)."
else
echo "1:${sshKey}"
fi
lastKey=sub
lastKeyOK=
fingerprint=
+
+ # don't bother with sub keys if the primary key is not valid
+ if [ "$keyOK" != true ] ; then
+ continue
+ fi
+ # don't bother with sub keys if no user ID is acceptable:
+ if [ "$uidOK" != true ] ; then
+ continue
+ fi
+
# if sub key validity is not ok, skip
if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
continue
continue
fi
- # output a line for the primary key
+ # output a line for the sub key
# 0 = ok, 1 = bad
if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
log " * acceptable sub key."
if [ -z "$sshKey" ] ; then
- log " ! sub key could not be translated."
+ log " ! sub key could not be translated (not RSA or DSA?)."
else
echo "0:${sshKey}"
fi
else
log " - unacceptable sub key."
if [ -z "$sshKey" ] ; then
- log " ! sub key could not be translated."
+ log " ! sub key could not be translated (not RSA or DSA?)."
else
echo "1:${sshKey}"
fi
fi
;;
esac
- done
+ done | sort -t: -k1 -n -r
+ # NOTE: this last sort is important so that the "good" keys (key
+ # flag '0') come last. This is so that they take precedence when
+ # being processed in the key files over "bad" keys (key flag '1')
}
# process a single host in the known_host file
local tmpfile
host="$1"
+ userID="ssh://${host}"
log "processing: $host"
- userID="ssh://${host}"
-
nKeys=0
nKeysOK=0
IFS=$'\n'
- for line in $(process_user_id "ssh://${host}") ; do
+ for line in $(process_user_id "${userID}") ; do
# note that key was found
nKeys=$((nKeys+1))
lockfile-create "$KNOWN_HOSTS"
# note pre update file checksum
- fileCheck="$(cat "$KNOWN_HOSTS" | md5sum)"
+ fileCheck="$(file_hash "$KNOWN_HOSTS")"
for host ; do
# process the host
lockfile-remove "$KNOWN_HOSTS"
# note if the known_hosts file was updated
- if [ "$(cat "$KNOWN_HOSTS" | md5sum)" != "$fileCheck" ] ; then
+ if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then
log "known_hosts file updated."
fi
lockfile-create "$AUTHORIZED_KEYS"
# note pre update file checksum
- fileCheck="$(cat "$AUTHORIZED_KEYS" | md5sum)"
+ fileCheck="$(file_hash "$AUTHORIZED_KEYS")"
# remove any monkeysphere lines from authorized_keys file
remove_monkeysphere_lines "$AUTHORIZED_KEYS"
lockfile-remove "$AUTHORIZED_KEYS"
# note if the authorized_keys file was updated
- if [ "$(cat "$AUTHORIZED_KEYS" | md5sum)" != "$fileCheck" ] ; then
+ if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then
log "authorized_keys file updated."
fi
projects / monkeysphere.git / blobdiff