X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;ds=inline;f=src%2Fmonkeysphere-server;h=21973dd2993c0819618d452499ad12c6de6f1d5a;hb=0181b6fc50824941e4f7ac3f535a216b8189568e;hp=7fac3ee2c084b91e4f016a0a358dee6ae37f49e5;hpb=26515a1311d364501d562b706660337fbb906011;p=monkeysphere.git

diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 7fac3ee..21973dd 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -43,20 +43,20 @@ subcommands:
    -l|--length BITS                    key length in bits (2048)
    -e|--expire EXPIRE                  date to expire
    -r|--revoker FINGERPRINT            add a revoker
- show-fingerprint (f)                show server's host key fingerprint
- publish-key (p)                     publish server's host key to keyserver
- diagnostics (d)                     report on the server's monkeysphere status
+ show-fingerprint (f)                show server host key fingerprint
+ publish-key (p)                     publish server host key to keyserver
+ diagnostics (d)                     report on server monkeysphere status
 
- add-identity-certifier (a) KEYID    import and tsign a certification key
-   -n|--domain DOMAIN                  limit ID certifications to IDs in DOMAIN
+ add-id-certifier (c+) KEYID         import and tsign a certification key
+   -n|--domain DOMAIN                  limit ID certifications to DOMAIN
    -t|--trust TRUST                    trust level of certifier (full)
    -d|--depth DEPTH                    trust depth for certifier (1)
- remove-identity-certifier (r) KEYID remove a certification key
- list-identity-certifiers (l)        list certification keys
+ remove-id-certifier (c-) KEYID      remove a certification key
+ list-id-certifiers (c)              list certification keys
 
  gpg-authentication-cmd CMD          gnupg-authentication command
 
- help (h,?)                          this help
+ -h|--help|help (h,?)                this help
 EOF
 }
 
@@ -236,7 +236,7 @@ gen_key() {
     revoker=
 
     # get options
-    TEMP=$(getopt -o l:e:r: -l length:,expire:,revoker: -n "$PGRM" -- "$@")
+    TEMP=$(getopt -o e:l:r -l expire:,length:,revoker: -n "$PGRM" -- "$@")
 
     if [ $? != 0 ] ; then
 	exit 1
@@ -372,10 +372,10 @@ publish_server_key() {
     # FIXME: need to figure out better way to identify host key
     # dummy command so as not to publish fakes keys during testing
     # eventually:
-    #gpg_authentication "--keyserver $KEYSERVER --send-keys $(hostname -f)"
+    #gpg_authentication "--keyserver $KEYSERVER --send-keys =ssh://$(hostname -f)"
     echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)."
     echo "The following command should publish the key:"
-    echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys $(hostname -f)'"
+    echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys =ssh://$(hostname -f)'"
     exit 255
 }
 
@@ -468,11 +468,11 @@ diagnostics() {
 	    fi
 
 	    # propose changes needed for sshd_config (if any)
-	    if ! grep -q "^HostKey ${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then
+	    if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then
 		echo "! /etc/ssh/sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
 		echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
 	    fi
-	    if badhostkeys=$(grep '^HostKey' | grep -q -v "^HostKey ${VARLIB}/ssh_host_rsa_key$") ; then
+	    if badhostkeys=$(grep -i '^HostKey' | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then
 		echo "! /etc/sshd_config refers to some non-monkeysphere host keys:"
 		echo "$badhostkeys"
 		echo " - Recommendation: remove the above HostKey lines from /etc/ssh/sshd_config"
@@ -489,6 +489,19 @@ diagnostics() {
 
 # FIXME:  make sure that at least one identity certifier exists
 
+    echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
+    # Ensure that User ID authentication is enabled:
+    if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" /etc/ssh/sshd_config; then
+	echo "! /etc/ssh/sshd_config does not point to monkeysphere authorized keys."
+	echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'"
+    fi
+    if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then
+	echo "! /etc/sshd_config refers to non-monkeysphere authorized_keys files:"
+	echo "$badauthorizedkeys"
+	echo " - Recommendation: remove the above AuthorizedKeysFile lines from /etc/ssh/sshd_config"
+    fi
+
+
 }
 
 # retrieve key from web of trust, import it into the host keyring, and
@@ -683,15 +696,15 @@ case $COMMAND in
 	diagnostics
 	;;
 
-    'add-identity-certifier'|'add-certifier'|'a')
+    'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
 	add_certifier "$1"
 	;;
 
-    'remove-identity-certifier'|'remove-certifier'|'r')
+    'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-')
 	remove_certifier "$1"
 	;;
 
-    'list-identity-certifiers'|'list-certifiers'|'list-certifier'|'l')
+    'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c')
 	list_certifiers "$@"
 	;;
 
@@ -699,7 +712,7 @@ case $COMMAND in
 	gpg_authentication_cmd "$@"
 	;;
 
-    'help'|'h'|'?')
+    '--help'|'help'|'-h'|'h'|'?')
         usage
         ;;