X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-server;h=1e5f2096677cb8dfa9522babeeec5877817b28e0;hb=0e27af63f34c5bb75cef059fc9d76887251c1517;hp=03a4ccba8484686eef7b1086d948db97f33fc5ed;hpb=0b5404f0488d5ea642aec2e92988740af23d820d;p=monkeysphere.git

diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 03a4ccb..1e5f209 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -56,7 +56,7 @@ subcommands:
 
  gpg-authentication-cmd CMD          gnupg-authentication command
 
- help (h,?)                          this help
+ -h|--help|help (h,?)                this help
 EOF
 }
 
@@ -236,7 +236,7 @@ gen_key() {
     revoker=
 
     # get options
-    TEMP=$(getopt -o l:e:r: -l length:,expire:,revoker: -n "$PGRM" -- "$@")
+    TEMP=$(getopt -o e:l:r -l expire:,length:,revoker: -n "$PGRM" -- "$@")
 
     if [ $? != 0 ] ; then
 	exit 1
@@ -383,82 +383,99 @@ diagnostics() {
 #  * check on the status and validity of the key and public certificates
     local seckey
     local keysfound
-    local keyexp
     local curdate
     local warnwindow
     local warndate
+    local create
+    local expire
+    local uid
+    local fingerprint
+    local badhostkeys
 
-    seckey=$(gpg_host --list-secret-keys --with-colons --fixed-list-mode)
+    seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
     keysfound=$(echo "$seckey" | grep -c ^sec:)
     curdate=$(date +%s)
     # warn when anything is 2 months away from expiration
     warnwindow='2 months'
     warndate=$(date +%s -d "$warnwindow")
 
+    echo "Checking host GPG key..."
     if (( "$keysfound" < 1 )); then
-	echo "No host key found!"
-	echo "Recommendation: run 'monkeysphere-server gen-key'"
+	echo "! No host key found."
+	echo " - Recommendation: run 'monkeysphere-server gen-key'"
+    elif (( "$keysfound" > 1 )); then
+	echo "! More than one host key found?"
+	# FIXME: recommend a way to resolve this
     else
-	if (( "$keysfound" > 1 )); then
-	    echo "more than one host key found?"
-	else
+	create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
+	expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
+	fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
 	# check for key expiration:
-	    keyexp=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
-	    if (( "$keyexp"  < "$curdate" )); then
-		echo "Host key is expired!"
+	if [ "$expire" ]; then
+	    if (( "$expire"  < "$curdate" )); then
+		echo "! Host key is expired."
 		# FIXME: recommend a way to resolve this other than re-keying?
-	    elif (( "$keyexp" < "$warndate" )); then
-		echo "Host key expires in less than $warnwindow"
+	    elif (( "$expire" < "$warndate" )); then
+		echo "! Host key expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F)
 		# FIXME: recommend a way to resolve this?
 	    fi
+	fi
+
         # and weirdnesses:
-	    if (( $(echo "$seckey" | grep ^sec: | cut -f6 -d:) > "$curdate" )); then
-		echo "Host key was created in the future(?!). Is your clock correct?"
-		echo "Recommendation: Check clock ($(date +%F_%T)); use NTP?"
-	    fi
+	if [ "$create" ] && (( "$create" > "$curdate" )); then
+	    echo "! Host key was created in the future(?!). Is your clock correct?"
+	    echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
+	fi
 
         # check for UserID expiration:
-	    echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
-	    while IFS=: read create expire uid ; do
-		# FIXME: should we be doing any checking on the form
-		# of the User ID?  Should we be unmangling it somehow?
-		if [ "$create" ] && (( "$create" > "$curdate" )); then
-		    echo "User ID '$uid' was created in the future(?!).  Is your clock correct?"
-		    echo "Recommendation: Check clock ($(date +%F_%T)); use NTP?"
-		fi
-		if [ "$expire" ] ; then
-		    if (( "$expire" < "$curdate" )); then
-			echo "User ID '$uid' is expired!"
-			# FIXME: recommend a way to resolve this
-		    elif (( "$expire" < "$warndate" )); then
-			echo "User ID '$uid' expires in less than $warnwindow"
+	echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
+	while IFS=: read create expire uid ; do
+	    # FIXME: should we be doing any checking on the form
+	    # of the User ID?  Should we be unmangling it somehow?
+
+	    if [ "$create" ] && (( "$create" > "$curdate" )); then
+		echo "! User ID '$uid' was created in the future(?!).  Is your clock correct?"
+		echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
+	    fi
+	    if [ "$expire" ] ; then
+		if (( "$expire" < "$curdate" )); then
+		    echo "! User ID '$uid' is expired."
 			# FIXME: recommend a way to resolve this
-		    fi
+		elif (( "$expire" < "$warndate" )); then
+		    echo "! User ID '$uid' expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F)		
+		    # FIXME: recommend a way to resolve this
 		fi
-	    done
+	    fi
+	done
 	    
 # FIXME: verify that the host key is properly published to the
-#   keyservers
+#   keyservers (do this with the non-privileged user)
 
 # FIXME: check that there are valid, non-expired certifying signatures
-#   attached to the host key
+#   attached to the host key after fetching from the public keyserver
+#   (do this with the non-privileged user as well)
 
 # FIXME: propose adding a revoker to the host key if none exist (do we
 #   have a way to do that after key generation?)
 
-# Ensure that the ssh_host_rsa_key file is present and non-empty:
-	    if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then
-		echo "The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty!"
-	    else
-		if [ $(stat -c '%a' "${VARLIB}/ssh_host_rsa_key") != 600 ] ; then
-		    echo "Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600 !"
-		fi
+	# Ensure that the ssh_host_rsa_key file is present and non-empty:
+	echo "Checking host SSH key..."
+	if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then
+	    echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty."
+	else
+	    if [ $(stat -c '%a' "${VARLIB}/ssh_host_rsa_key") != 600 ] ; then
+		echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600."
+	    fi
 
-		# propose changes needed for sshd_config (if any)
-		if ! grep -q "^HostKey ${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then
-		    echo "/etc/ssh/sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
-		    echo "Recommendation: add a line to /etc/ssh/sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
-		fi
+	    # propose changes needed for sshd_config (if any)
+	    if ! grep -q "^HostKey ${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then
+		echo "! /etc/ssh/sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
+		echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
+	    fi
+	    if badhostkeys=$(grep '^HostKey' | grep -q -v "^HostKey ${VARLIB}/ssh_host_rsa_key$") ; then
+		echo "! /etc/sshd_config refers to some non-monkeysphere host keys:"
+		echo "$badhostkeys"
+		echo "- Recommendation: remove the above HostKey lines from /etc/ssh/sshd_config"
 	    fi
 	fi
     fi
@@ -682,7 +699,7 @@ case $COMMAND in
 	gpg_authentication_cmd "$@"
 	;;
 
-    'help'|'h'|'?')
+    '--help'|'help'|'-h'|'h'|'?')
         usage
         ;;