Merge commit 'dkg/master'

[monkeysphere.git] / src / monkeysphere-server

diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 63c3668c82019c3676c031c105d0424dfd4f54ec..3ca0656e4ad5168b48a6282c4174a25f301168ce 100755 (executable)
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -32,7 +32,7 @@ RETURN=0
 ########################################################################
 
 usage() {
-cat <<EOF
+    cat <<EOF
 usage: $PGRM <subcommand> [options] [args]
 MonkeySphere server admin tool.
 
@@ -56,7 +56,7 @@ subcommands:
 
  gpg-authentication-cmd CMD          gnupg-authentication command
 
- help (h,?)                          this help
+ -h|--help|help (h,?)                this help
 EOF
 }
 
@@ -236,7 +236,7 @@ gen_key() {
     revoker=
 
     # get options
-    TEMP=$(getopt -o l:e:r: -l length:,expire:,revoker: -n "$PGRM" -- "$@")
+    TEMP=$(getopt -o e:l:r -l expire:,length:,revoker: -n "$PGRM" -- "$@")
 
     if [ $? != 0 ] ; then
        exit 1
@@ -390,6 +390,7 @@ diagnostics() {
     local expire
     local uid
     local fingerprint
+    local badhostkeys
 
     seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
     keysfound=$(echo "$seckey" | grep -c ^sec:)
@@ -467,10 +468,15 @@ diagnostics() {
            fi
 
            # propose changes needed for sshd_config (if any)
-           if ! grep -q "^HostKey ${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then
+           if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then
                echo "! /etc/ssh/sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
                echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
            fi
+           if badhostkeys=$(grep -i '^HostKey' | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then
+               echo "! /etc/sshd_config refers to some non-monkeysphere host keys:"
+               echo "$badhostkeys"
+               echo " - Recommendation: remove the above HostKey lines from /etc/ssh/sshd_config"
+           fi
        fi
     fi
 
@@ -483,6 +489,19 @@ diagnostics() {
 
 # FIXME:  make sure that at least one identity certifier exists
 
+    echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
+    # Ensure that User ID authentication is enabled:
+    if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" /etc/ssh/sshd_config; then
+       echo "! /etc/ssh/sshd_config does not point to monkeysphere authorized keys."
+       echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'"
+    fi
+    if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then
+       echo "! /etc/sshd_config refers to non-monkeysphere authorized_keys files:"
+       echo "$badauthorizedkeys"
+       echo " - Recommendation: remove the above AuthorizedKeysFile lines from /etc/ssh/sshd_config"
+    fi
+
+
 }
 
 # retrieve key from web of trust, import it into the host keyring, and
@@ -693,7 +712,7 @@ case $COMMAND in
        gpg_authentication_cmd "$@"
        ;;
 
-    'help'|'h'|'?')
+    '--help'|'help'|'-h'|'h'|'?')
         usage
         ;;