X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fcommon;h=8d8e5063258910ebb75f7fe032ff3a438648cc84;hb=07cb14cdb80ef060e63ba2713ef70b67db9f5783;hp=d56028fa6e7b36d1d926b1c9366f50a45e3cc4e8;hpb=ad0a9cc0958b30f5be851453ea22c151097fad0c;p=monkeysphere.git diff --git a/src/common b/src/common index d56028f..8d8e506 100644 --- a/src/common +++ b/src/common @@ -1,13 +1,13 @@ # -*-shell-script-*- -# Shared bash functions for the monkeysphere +# Shared sh functions for the monkeysphere # # Written by # Jameson Rollins # # Copyright 2008, released under the GPL, version 3 or later -# all caps variables are meant to be user supplied (ie. from config +# all-caps variables are meant to be user supplied (ie. from config # file) and are considered global ######################################################################## @@ -123,13 +123,14 @@ gpg2authorized_keys() { # userid and key policy checking # the following checks policy on the returned keys # - checks that full key has appropriate valididy (u|f) -# - checks key has specified capability (REQUIRED_KEY_CAPABILITY) +# - checks key has specified capability (REQUIRED_*_KEY_CAPABILITY) # - checks that particular desired user id has appropriate validity # see /usr/share/doc/gnupg/DETAILS.gz # expects global variable: "MODE" process_user_id() { local userID local cacheDir + local requiredCapability local requiredPubCapability local gpgOut local line @@ -148,7 +149,13 @@ process_user_id() { userID="$1" cacheDir="$2" - requiredPubCapability=$(echo "$REQUIRED_KEY_CAPABILITY" | tr "[:lower:]" "[:upper:]") + # set the required key capability based on the mode + if [ "$MODE" = 'known_hosts' ] ; then + requiredCapability="$REQUIRED_HOST_KEY_CAPABILITY" + elif [ "$MODE" = 'authorized_keys' ] ; then + requiredCapability="$REQUIRED_USER_KEY_CAPABILITY" + fi + requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]") # fetch keys from keyserver, return 1 if none found gpg_fetch_userid "$userID" || return 1 @@ -207,7 +214,7 @@ process_user_id() { keyOK=true # add primary key ID to key list if it has required capability - if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then + if check_capability "$capability" $requiredCapability ; then keyIDs[${#keyIDs[*]}]="$keyid" fi ;; @@ -230,7 +237,7 @@ process_user_id() { ;; 'sub') # sub keys # add sub key ID to key list if it has required capability - if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then + if check_capability "$capability" $requiredCapability ; then keyIDs[${#keyIDs[*]}]="$keyid" fi ;; @@ -240,6 +247,9 @@ process_user_id() { # hash userid for cache file name userIDHash=$(echo "$userID" | sha1sum | awk '{ print $1 }') + # make sure the cache directory exists + mkdir -p "$cacheDir" + # touch/clear key cache file # (will be left empty if there are noacceptable keys) > "$cacheDir"/"$userIDHash"."$pubKeyID" @@ -279,22 +289,22 @@ process_user_id() { update_userid() { local userID local cacheDir - local userIDKeyCache + local keyCache userID="$1" cacheDir="$2" log "processing userid: '$userID'" - userIDKeyCache=$(process_user_id "$userID" "$cacheDir") - if [ -z "$userIDKeyCache" ] ; then + + keyCachePath=$(process_user_id "$userID" "$cacheDir") + + if [ -z "$keyCachePath" ] ; then return 1 fi if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - echo "the following userid is not in the authorized_user_ids file:" - echo " $userID" - read -p "would you like to add it? [Y|n]: " OK; OK=${OK:=Y} + read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} = 'Y' ] ; then - log -n "adding userid to authorized_user_ids file... " + log -n "adding user ID to authorized_user_ids file... " echo "$userID" >> "$AUTHORIZED_USER_IDS" echo "done." else @@ -303,21 +313,39 @@ update_userid() { fi } +# remove a userid from the authorized_user_ids file +remove_userid() { + local userID + + userID="$1" + + log "processing userid: '$userID'" + + if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + log "user ID not currently authorized." + return 1 + fi + + log -n "removing user ID '$userID'... " + grep -v "$userID" "$AUTHORIZED_USER_IDS" | sponge "$AUTHORIZED_USER_IDS" + echo "done." +} + # process a host for addition to a known_host file process_host() { local host local cacheDir - local hostKeyCachePath + local keyCachePath host="$1" cacheDir="$2" log "processing host: '$host'" - hostKeyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") + keyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") if [ $? = 0 ] ; then ssh-keygen -R "$host" -f "$USER_KNOWN_HOSTS" - cat "$hostKeyCachePath" >> "$USER_KNOWN_HOSTS" + cat "$keyCachePath" >> "$USER_KNOWN_HOSTS" fi } @@ -373,7 +401,8 @@ update_authorized_keys() { cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" echo "done." fi - log "monkeysphere authorized_keys file generated: $msAuthorizedKeys" + log "monkeysphere authorized_keys file generated:" + log "$msAuthorizedKeys" } # process an authorized_*_ids file @@ -403,7 +432,7 @@ process_authorized_ids() { # EXPERIMENTAL (unused) process userids found in authorized_keys file # go through line-by-line, extract monkeysphere userids from comment # fields, and process each userid -process_userids_from_authorized_keys() { +process_authorized_keys() { local authorizedKeys local cacheDir local userID @@ -446,6 +475,11 @@ trust_key() { # get key fingerprint fingerprint=$(get_key_fingerprint "$keyID") + # attach a "non-exportable" signature to the key + # this is required for the key to have any validity at all + # the 'y's on stdin indicates "yes, i really want to sign" + echo -e 'y\ny' | gpg --lsign-key --command-fd 0 "$fingerprint" + # import "full" trust for fingerprint into gpg echo ${fingerprint}:5: | gpg --import-ownertrust if [ $? = 0 ] ; then