redirect sample refresh keys cron tab to /dev/null.

[monkeysphere.git] / src / monkeysphere-server

diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 6534fa17fb8565506c12a5c41a5f4efb92a949dd..ce800593da8fec3cf82722393dc9ca7d05a31d3d 100755 (executable)
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -47,8 +47,8 @@ subcommands:
   publish-key (p)                       publish server's host key to keyserver
 
   add-identity-certifier (a) KEYID      import and tsign a certification key
-    -n|--domain DOMAIN                    domain of certifier ()
-    -t|--trust TRUST                      trust level of certifier (2)
+    -n|--domain DOMAIN                    limit ID certifications to IDs in DOMAIN ()
+    -t|--trust TRUST                      trust level of certifier (full)
     -d|--depth DEPTH                      trust depth for certifier (1)
   remove-identity-certifier (r) KEYID   remove a certification key
   list-identity-certifiers (l)          list certification keys
@@ -143,13 +143,15 @@ update_users() {
 
        log "----- user: $uname -----"
 
+        # exit if the authorized_user_ids file is empty
        if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then
-           log "Improper permissions on authorized_user_ids file."
+           log "Improper permissions on authorized_user_ids file path."
            continue
        fi
 
+       # check permissions on the authorized_keys file path
        if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then
-           log "Improper permissions on authorized_keys file."
+           log "Improper permissions on authorized_keys file path path."
            continue
        fi
 
@@ -206,8 +208,7 @@ update_users() {
        chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
        chmod g+r "$AUTHORIZED_KEYS"
 
-       # if the resulting authorized_keys file is not empty, move
-       # it into place
+       # move the resulting authorized_keys file into place
        mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
 
        # destroy temporary directory
@@ -342,6 +343,10 @@ EOF
     fingerprint=$(gpg_host --list-key --with-colons --with-fingerprint "=${userID}" | \
        grep '^fpr:' | head -1 | cut -d: -f10)
 
+    # export host ownertrust to authentication keyring
+    log "setting ultimate owner trust for server key..."
+    echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"
+
     # translate the private key to ssh format, and export to a file
     # for sshs usage.
     # NOTE: assumes that the primary key is the proper key to use
@@ -383,10 +388,11 @@ add_certifier() {
     local keyID
     local fingerprint
     local ltsignCommand
+    local trustval
 
     # set default values for trust depth and domain
     domain=
-    trust=2
+    trust=full
     depth=1
 
     # get options
@@ -428,9 +434,6 @@ add_certifier() {
     fi
     export keyID
 
-    # export host ownertrust to authentication keyring
-    gpg_host --export-ownertrust | gpg_authentication "--import-ownertrust"
-
     # get the key from the key server
     gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'"
 
@@ -450,18 +453,26 @@ add_certifier() {
     # export the key to the host keyring
     gpg_authentication "--export $keyID" | gpg_host --import
 
+    if [ "$trust" == marginal ]; then
+       trustval=1
+    elif [ "$trust" == full ]; then
+       trustval=2
+    else
+       failure "trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)"
+    fi
+
     # ltsign command
     # NOTE: *all* user IDs will be ltsigned
     ltsignCommand=$(cat <<EOF
 ltsign
 y
-$trust
+$trustval
 $depth
 $domain
 y
 save
 EOF
-)
+       )
 
     # ltsign the key
     echo "$ltsignCommand" | gpg_host --quiet --command-fd 0 --edit-key "$fingerprint"