# revoke hostname user ID to server key
revoke_hostname() {
+ local msg
+ local uidNum
+ local tmpuidMatch
+ local fpr
+ local linenum
+
if [ -z "$1" ] ; then
failure "You must specify a hostname to revoke."
fi
- failure "Sorry, not yet implemented."
+ fpr=$(fingerprint_server_key)
+ tmpuidMatch="u:$(escape "ssh://$1")"
+
+ if linenum=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x$fpr"\! | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then
+ uidNum=${linenum%%:*}
+ else
+ failure "no non-revoked hostname '$1' is listed."
+ fi
+
+ msg="hostname removed by monkeysphere-server on $(date +%F)"
+
+
+ revuidCommand=$(cat <<EOF
+$uidNum
+revuid
+y
+4
+$msg
+
+y
+save
+EOF
+)
+
+ echo "$revuidCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x$fpr"\!
echo "NOTE: host userID revokation has not been published."
echo "Use '$PGRM publish-key' to publish these changes."
fingerprint=$(fingerprint_server_key)
# publish host key
- # FIXME: need to figure out better way to identify host key
- # dummy command so as not to publish fakes keys during testing
- # eventually:
gpg_authentication "--keyserver $KEYSERVER --send-keys $fingerprint"
}
local uid
local fingerprint
local badhostkeys
+ local sshd_config
+ # FIXME: what's the correct, cross-platform answer?
+ sshd_config=/etc/ssh/sshd_config
seckey=$(fingerprint_server_key)
keysfound=$(echo "$seckey" | grep -c ^sec:)
curdate=$(date +%s)
fi
# propose changes needed for sshd_config (if any)
- if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then
- echo "! /etc/ssh/sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
- echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
+ if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then
+ echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
+ echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
fi
- if badhostkeys=$(grep -i '^HostKey' | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then
+ if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then
echo "! /etc/sshd_config refers to some non-monkeysphere host keys:"
echo "$badhostkeys"
- echo " - Recommendation: remove the above HostKey lines from /etc/ssh/sshd_config"
+ echo " - Recommendation: remove the above HostKey lines from $sshd_config"
fi
fi
fi
echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
# Ensure that User ID authentication is enabled:
- if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" /etc/ssh/sshd_config; then
- echo "! /etc/ssh/sshd_config does not point to monkeysphere authorized keys."
- echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'"
+ if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" "$sshd_config"; then
+ echo "! $sshd_config does not point to monkeysphere authorized keys."
+ echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'"
fi
- if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then
+ if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then
echo "! /etc/sshd_config refers to non-monkeysphere authorized_keys files:"
echo "$badauthorizedkeys"
- echo " - Recommendation: remove the above AuthorizedKeysFile lines from /etc/ssh/sshd_config"
+ echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
fi
}
projects / monkeysphere.git / blobdiff