X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fcommon;h=17955a7a1723e0d861563fcbc79dba73885a981d;hb=0181b6fc50824941e4f7ac3f535a216b8189568e;hp=f5bb3bbbf4f0d40b5ebce3229658d9fbce4ec339;hpb=8e1439bc18f8203d71c1237a25c21374ca17c38c;p=monkeysphere.git

diff --git a/src/common b/src/common
index f5bb3bb..17955a7 100644
--- a/src/common
+++ b/src/common
@@ -64,11 +64,16 @@ check_capability() {
     return 0
 }
 
+# hash of a file
+file_hash() {
+    md5sum "$1" 2> /dev/null
+}
+
 # convert escaped characters from gpg output back into original
 # character
 # FIXME: undo all escape character translation in with-colons gpg output
 unescape() {
-    echo "$1" | sed 's/\\x3a/:/'
+    echo "$1" | sed 's/\\x3a/:/g'
 }
 
 # remove all lines with specified string from specified file
@@ -83,6 +88,10 @@ remove_line() {
 	return 1
     fi
 
+    if [ ! -e "$file" ] ; then
+	return 1
+    fi
+
     # if the string is in the file...
     if grep -q -F "$string" "$file" 2> /dev/null ; then
 	# remove the line with the string, and return 0
@@ -94,6 +103,24 @@ remove_line() {
     fi
 }
 
+# remove all lines with MonkeySphere strings in file
+remove_monkeysphere_lines() {
+    local file
+
+    file="$1"
+
+    if [ -z "$file" ] ; then
+	return 1
+    fi
+
+    if [ ! -e "$file" ] ; then
+	return 1
+    fi
+
+    egrep -v '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' \
+	"$file" | sponge "$file"
+}
+
 # translate ssh-style path variables %h and %u
 translate_ssh_variables() {
     local uname
@@ -272,7 +299,7 @@ gpg_fetch_userid() {
 # (see /usr/share/doc/gnupg/DETAILS.gz)
 # output is one line for every found key, in the following format:
 #
-# flag fingerprint
+# flag:fingerprint
 #
 # "flag" is an acceptability flag, 0 = ok, 1 = bad
 # "fingerprint" is the fingerprint of the key
@@ -358,6 +385,14 @@ process_user_id() {
 		fi
 		;;
 	    'uid') # user ids
+		if [ "$lastKey" != pub ] ; then
+		    log " - got a user ID after a sub key!  user IDs should only follow primary keys!"
+		    continue
+		fi
+		# don't bother with a uid if there is no valid or reasonable primary key.
+		if [ "$keyOK" != true ] ; then
+		    continue
+		fi
 		# if an acceptable user ID was already found, skip
 		if [ "$uidOK" ] ; then
 		    continue
@@ -379,14 +414,14 @@ process_user_id() {
 		if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
 		    log "  * acceptable primary key."
 		    if [ -z "$sshKey" ] ; then
-			log "    ! primary key could not be translated."
+			log "    ! primary key could not be translated (not RSA or DSA?)."
 		    else
 			echo "0:${sshKey}"
 		    fi
 		else
 		    log "  - unacceptable primary key."
 		    if [ -z "$sshKey" ] ; then
-			log "   ! primary key could not be translated."
+			log "   ! primary key could not be translated (not RSA or DSA?)."
 		    else
 			echo "1:${sshKey}"
 		    fi
@@ -397,7 +432,17 @@ process_user_id() {
 		lastKey=sub
 		lastKeyOK=
 		fingerprint=
+		
+		# don't bother with sub keys if the primary key is not valid
+		if [ "$keyOK" != true ] ; then
+		    continue
+		fi
 
+		# don't bother with sub keys if no user ID is acceptable:
+		if [ "$uidOK" != true ] ; then
+		    continue
+		fi
+		
 		# if sub key validity is not ok, skip
 		if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
 		    continue
@@ -420,26 +465,29 @@ process_user_id() {
 		    continue
 		fi
 
-		# output a line for the primary key
+		# output a line for the sub key
 		# 0 = ok, 1 = bad
 		if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
 		    log "  * acceptable sub key."
 		    if [ -z "$sshKey" ] ; then
-			log "    ! sub key could not be translated."
+			log "    ! sub key could not be translated (not RSA or DSA?)."
 		    else
 			echo "0:${sshKey}"
 		    fi
 		else
 		    log "  - unacceptable sub key."
 		    if [ -z "$sshKey" ] ; then
-			log "    ! sub key could not be translated."
+			log "    ! sub key could not be translated (not RSA or DSA?)."
 		    else
 			echo "1:${sshKey}"
 		    fi
 		fi
 		;;
 	esac
-    done
+    done | sort -t: -k1 -n -r
+    # NOTE: this last sort is important so that the "good" keys (key
+    # flag '0') come last.  This is so that they take precedence when
+    # being processed in the key files over "bad" keys (key flag '1')
 }
 
 # process a single host in the known_host file
@@ -453,16 +501,15 @@ process_host_known_hosts() {
     local tmpfile
 
     host="$1"
+    userID="ssh://${host}"
 
     log "processing: $host"
 
-    userID="ssh://${host}"
-
     nKeys=0
     nKeysOK=0
 
     IFS=$'\n'
-    for line in $(process_user_id "ssh://${host}") ; do
+    for line in $(process_user_id "${userID}") ; do
 	# note that key was found
 	nKeys=$((nKeys+1))
 
@@ -533,7 +580,7 @@ update_known_hosts() {
     lockfile-create "$KNOWN_HOSTS"
 
     # note pre update file checksum
-    fileCheck=$(md5sum "$KNOWN_HOSTS")
+    fileCheck="$(file_hash "$KNOWN_HOSTS")"
 
     for host ; do
 	# process the host
@@ -556,7 +603,7 @@ update_known_hosts() {
     lockfile-remove "$KNOWN_HOSTS"
 
     # note if the known_hosts file was updated
-    if [ "$(md5sum "$KNOWN_HOSTS")" != "$fileCheck" ] ; then
+    if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then
 	log "known_hosts file updated."
     fi
 
@@ -671,7 +718,10 @@ update_authorized_keys() {
     lockfile-create "$AUTHORIZED_KEYS"
 
     # note pre update file checksum
-    fileCheck=$(md5sum "$AUTHORIZED_KEYS")
+    fileCheck="$(file_hash "$AUTHORIZED_KEYS")"
+
+    # remove any monkeysphere lines from authorized_keys file
+    remove_monkeysphere_lines "$AUTHORIZED_KEYS"
 
     for userID ; do
 	# process the user ID, change return code if key not found for
@@ -696,7 +746,7 @@ update_authorized_keys() {
     lockfile-remove "$AUTHORIZED_KEYS"
 
     # note if the authorized_keys file was updated
-    if [ "$(md5sum "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then
+    if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then
 	log "authorized_keys file updated."
     fi
 
@@ -742,45 +792,3 @@ process_authorized_user_ids() {
 
     update_authorized_keys "${userIDs[@]}"
 }
-
-# EXPERIMENTAL (unused) process userids found in authorized_keys file
-# go through line-by-line, extract monkeysphere userids from comment
-# fields, and process each userid
-# NOT WORKING
-process_authorized_keys() {
-    local authorizedKeys
-    local userID
-    local returnCode
-
-    # default return code is 0, and is set to 1 if a key for a user
-    # is not found
-    returnCode=0
-
-    authorizedKeys="$1"
-
-    # take all the monkeysphere userids from the authorized_keys file
-    # comment field (third field) that starts with "MonkeySphere uid:"
-    # FIXME: needs to handle authorized_keys options (field 0)
-    meat "$authorizedKeys" | \
-    while read -r options keytype key comment ; do
-	# if the comment field is empty, assume the third field was
-	# the comment
-	if [ -z "$comment" ] ; then
-	    comment="$key"
-	fi
-
-	if echo "$comment" | egrep -v -q '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}' ; then
-	    continue
-	fi
-	userID=$(echo "$comment" | awk "{ print $2 }")
-	if [ -z "$userID" ] ; then
-	    continue
-	fi
-
-	# process the userid
-	log "processing userid: '$userID'"
-	process_user_id "$userID" > /dev/null || returnCode=1
-    done
-
-    return "$returnCode"
-}