X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fcommon;h=b220150de4000e991296c78be0dda82a13ad8596;hb=e20132d271b8e4bde15cbdb9e56fae53d0ca9fa9;hp=c39506d729a14503ebc992adbb92fc3d3e1ae256;hpb=208f6c2cd469cf46a51b11c0ea58723f4a18f9ab;p=monkeysphere.git diff --git a/src/common b/src/common index c39506d..b220150 100644 --- a/src/common +++ b/src/common @@ -18,10 +18,17 @@ ETC="/etc/monkeysphere" export ETC CACHE="/var/cache/monkeysphere" export CACHE +ERR=0 +export ERR ######################################################################## ### UTILITY FUNCTIONS +error() { + log "$1" + ERR=${2:-'1'} +} + failure() { echo "$1" >&2 exit ${2:-'1'} @@ -29,12 +36,12 @@ failure() { # write output to stderr log() { - echo -n "ms: " 1>&2 - echo "$@" 1>&2 + echo -n "ms: " >&2 + echo "$@" >&2 } loge() { - echo "$@" 1>&2 + echo "$@" >&2 } # cut out all comments(#) and blank lines from standard input @@ -85,6 +92,25 @@ remove_line() { fi } +# translate ssh-style path variables %h and %u +translate_ssh_variables() { + local uname + local home + + uname="$1" + path="$2" + + # get the user's home directory + userHome=$(getent passwd "$uname" | cut -d: -f6) + + # translate '%u' to user name + path=${path/\%u/"$uname"} + # translate '%h' to user home directory + path=${path/\%h/"$userHome"} + + echo "$path" +} + ### CONVERTION UTILITIES # output the ssh key for a given key ID @@ -98,6 +124,17 @@ gpg2ssh() { gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null } +# output the ssh key for a given secret key ID +gpgsecret2ssh() { + local keyID + + #keyID="$1" #TMP + # only use last 16 characters until openpgp2ssh can take all 40 #TMP + keyID=$(echo "$1" | cut -c 25-) #TMP + + gpg --export-secret-key "$keyID" | openpgp2ssh "$keyID" 2> /dev/null +} + # output known_hosts line from ssh key ssh2known_hosts() { local host @@ -181,8 +218,8 @@ get_key_fingerprint() { keyID="$1" gpg --list-key --with-colons --fixed-list-mode \ - --with-fingerprint "$keyID" | grep "$keyID" | \ - grep '^fpr:' | cut -d: -f10 + --with-fingerprint --with-fingerprint "$keyID" | \ + grep '^fpr:' | grep "$keyID" | cut -d: -f10 } ######################################################################## @@ -351,110 +388,79 @@ process_user_id() { done } -# update the cache for userid, and prompt to add file to -# authorized_user_ids file if the userid is found in gpg -# and not already in file. -update_userid() { - local userID - - userID="$1" - - log "processing userid: '$userID'" - - # process the user ID to pull it from keyserver - process_user_id "$userID" | grep -q "^0 " - - # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} - if [ ${OK/y/Y} = 'Y' ] ; then - # add if specified - log -n " adding user ID to authorized_user_ids file... " - echo "$userID" >> "$AUTHORIZED_USER_IDS" - loge "done." - else - # else do nothing - log " authorized_user_ids file untouched." - fi - fi -} - -# remove a userid from the authorized_user_ids file -remove_userid() { - local userID - - userID="$1" - - log "processing userid: '$userID'" - - # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - log " user ID not currently authorized." - return 1 - fi - - # remove user ID from file - log -n " removing user ID '$userID'... " - remove_line "$AUTHORIZED_USER_IDS" "^${userID}$" - loge "done." -} - -# process a host in known_host file -process_host_known_hosts() { +# process hosts in the known_host file +process_hosts_known_hosts() { local host local userID local ok local keyid local tmpfile - host="$1" - userID="ssh://${host}" - - log "processing host: $host" - - process_user_id "ssh://${host}" | \ - while read -r ok keyid ; do - sshKey=$(gpg2ssh "$keyid") - # remove the old host key line - remove_line "$KNOWN_HOSTS" "$sshKey" - # if key OK, add new host line - if [ "$ok" -eq '0' ] ; then - # hash if specified - if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then - # FIXME: this is really hackish cause ssh-keygen won't - # hash from stdin to stdout - tmpfile=$(mktemp) - ssh2known_hosts "$host" "$sshKey" > "$tmpfile" - ssh-keygen -H -f "$tmpfile" 2> /dev/null - cat "$tmpfile" >> "$KNOWN_HOSTS" - rm -f "$tmpfile" "${tmpfile}.old" - else - ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS" + # create a lockfile on known_hosts + lockfile-create "$KNOWN_HOSTS" + + for host ; do + log "processing host: $host" + + userID="ssh://${host}" + + process_user_id "ssh://${host}" | \ + while read -r ok keyid ; do + sshKey=$(gpg2ssh "$keyid") + # remove the old host key line + remove_line "$KNOWN_HOSTS" "$sshKey" + # if key OK, add new host line + if [ "$ok" -eq '0' ] ; then + # hash if specified + if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then + # FIXME: this is really hackish cause ssh-keygen won't + # hash from stdin to stdout + tmpfile=$(mktemp) + ssh2known_hosts "$host" "$sshKey" > "$tmpfile" + ssh-keygen -H -f "$tmpfile" 2> /dev/null + cat "$tmpfile" >> "$KNOWN_HOSTS" + rm -f "$tmpfile" "${tmpfile}.old" + else + ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS" + fi fi - fi + done + # touch the lockfile, for good measure. + lockfile-touch --oneshot "$KNOWN_HOSTS" done + + # remove the lockfile + lockfile-remove "$KNOWN_HOSTS" } -# process a uid in an authorized_keys file -process_uid_authorized_keys() { +# process uids for the authorized_keys file +process_uids_authorized_keys() { local userID local ok local keyid - userID="$1" + # create a lockfile on authorized_keys + lockfile-create "$AUTHORIZED_KEYS" - log "processing user ID: $userID" + for userID ; do + log "processing user ID: $userID" - process_user_id "$userID" | \ - while read -r ok keyid ; do - sshKey=$(gpg2ssh "$keyid") - # remove the old host key line - remove_line "$AUTHORIZED_KEYS" "$sshKey" - # if key OK, add new host line - if [ "$ok" -eq '0' ] ; then - ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS" - fi + process_user_id "$userID" | \ + while read -r ok keyid ; do + sshKey=$(gpg2ssh "$keyid") + # remove the old host key line + remove_line "$AUTHORIZED_KEYS" "$sshKey" + # if key OK, add new host line + if [ "$ok" -eq '0' ] ; then + ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS" + fi + done + # touch the lockfile, for good measure. + lockfile-touch --oneshot "$AUTHORIZED_KEYS" done + + # remove the lockfile + lockfile-remove "$AUTHORIZED_KEYS" } # process known_hosts file @@ -469,10 +475,7 @@ process_known_hosts() { cat "$KNOWN_HOSTS" | meat | \ cut -d ' ' -f 1 | grep -v '^|.*$' | \ while IFS=, read -r -a hosts ; do - # and process each host - for host in ${hosts[*]} ; do - process_host_known_hosts "$host" - done + process_hosts_known_hosts ${hosts[@]} done } @@ -480,9 +483,11 @@ process_known_hosts() { process_authorized_user_ids() { local userid - cat "$AUTHORIZED_USER_IDS" | meat | \ + authorizedUserIDs="$1" + + cat "$authorizedUserIDs" | meat | \ while read -r userid ; do - process_uid_authorized_keys "$userid" + process_uids_authorized_keys "$userid" done } @@ -529,8 +534,7 @@ process_authorized_keys() { trust_key() { # get the key from the key server if ! gpg --keyserver "$KEYSERVER" --recv-key "$keyID" ; then - log "could not retrieve key '$keyID'" - return 1 + failure "Could not retrieve key '$keyID'." fi # get key fingerprint @@ -544,9 +548,9 @@ trust_key() { # import "full" trust for fingerprint into gpg echo ${fingerprint}:5: | gpg --import-ownertrust if [ $? = 0 ] ; then - log "owner trust updated." + log "Owner trust updated." else - failure "there was a problem changing owner trust." + failure "There was a problem changing owner trust." fi } @@ -562,7 +566,6 @@ publish_server_key() { # dummy command so as not to publish fakes keys during testing # eventually: #gpg --keyserver "$KEYSERVER" --send-keys $(hostname -f) - echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development). + failure "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development). To publish manually, do: gpg --keyserver $KEYSERVER --send-keys $(hostname -f)" - return 1 }