X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-server;h=b1cacf9e5c8843b2cdc49d8970dbf906da82a1b7;hb=f81f2c89fac457574ce9a427af6c91ba85461d34;hp=3c4eed406774db0e9bcdb7795c91e43989520cf4;hpb=89cf6f46622a48e3ca1dd8df5037e4b02595631d;p=monkeysphere.git diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 3c4eed4..b1cacf9 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -1,9 +1,10 @@ -#!/bin/bash +#!/usr/bin/env bash # monkeysphere-server: MonkeySphere server admin tool # # The monkeysphere scripts are written by: # Jameson Rollins +# Jamie McClelland # Daniel Kahn Gillmor # # They are Copyright 2008, and are all released under the GPL, version 3 @@ -19,7 +20,7 @@ export SHARE VARLIB="/var/lib/monkeysphere" export VARLIB -# date in UTF format if needed +# UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up @@ -33,7 +34,7 @@ RETURN=0 ######################################################################## usage() { - cat <&2 usage: $PGRM [options] [args] MonkeySphere server admin tool. @@ -66,7 +67,7 @@ EOF } su_monkeysphere_user() { - su --preserve-environment "$MONKEYSPHERE_USER" -- -c "$@" + su -m "$MONKEYSPHERE_USER" -c "$@" } # function to interact with the host gnupg keyring @@ -119,7 +120,7 @@ show_server_key() { # dumping to a file named ' ' so that the ssh-keygen output # doesn't claim any potentially bogus hostname(s): - tmpkey=$(mktemp -d) + tmpkey=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ " echo -n "ssh fingerprint: " (cd "$tmpkey" && ssh-keygen -l -f ' ' | awk '{ print $2 }') @@ -156,7 +157,7 @@ update_users() { for uname in $unames ; do # check all specified users exist if ! getent passwd "$uname" >/dev/null ; then - log "----- unknown user '$uname' -----" + log error "----- unknown user '$uname' -----" continue fi @@ -172,40 +173,40 @@ update_users() { fi fi - log "----- user: $uname -----" + log verbose "----- user: $uname -----" # exit if the authorized_user_ids file is empty if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then - log "Improper permissions on authorized_user_ids file path." + log error "Improper permissions on path '$AUTHORIZED_USER_IDS'." continue fi # check permissions on the authorized_keys file path if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then - log "Improper permissions on authorized_keys file path path." + log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'." continue fi # make temporary directory - TMPDIR=$(mktemp -d) + TMPLOC=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) # trap to delete temporary directory on exit - trap "rm -rf $TMPDIR" EXIT + trap "rm -rf $TMPLOC" EXIT # create temporary authorized_user_ids file - TMP_AUTHORIZED_USER_IDS="${TMPDIR}/authorized_user_ids" + TMP_AUTHORIZED_USER_IDS="${TMPLOC}/authorized_user_ids" touch "$TMP_AUTHORIZED_USER_IDS" # create temporary authorized_keys file - AUTHORIZED_KEYS="${TMPDIR}/authorized_keys" + AUTHORIZED_KEYS="${TMPLOC}/authorized_keys" touch "$AUTHORIZED_KEYS" # set restrictive permissions on the temporary files # FIXME: is there a better way to do this? - chmod 0700 "$TMPDIR" + chmod 0700 "$TMPLOC" chmod 0600 "$AUTHORIZED_KEYS" chmod 0600 "$TMP_AUTHORIZED_USER_IDS" - chown -R "$MONKEYSPHERE_USER" "$TMPDIR" + chown -R "$MONKEYSPHERE_USER" "$TMPLOC" # if the authorized_user_ids file exists... if [ -s "$authorizedUserIDs" ] ; then @@ -226,9 +227,8 @@ update_users() { # add user-controlled authorized_keys file path if specified if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then - log -n "adding raw authorized_keys file... " + log verbose "adding raw authorized_keys file... " cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" - loge "done." fi # openssh appears to check the contents of the @@ -243,7 +243,7 @@ update_users() { mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}" # destroy temporary directory - rm -rf "$TMPDIR" + rm -rf "$TMPLOC" done } @@ -267,7 +267,7 @@ gen_key() { revoker= # get options - TEMP=$(getopt -o e:l:r -l expire:,length:,revoker: -n "$PGRM" -- "$@") + TEMP=$(PATH="/usr/local/bin:$PATH" getopt -o e:l:r -l expire:,length:,revoker: -n "$PGRM" -- "$@") || failure "getopt failed! Does your getopt support GNU-style long options?" if [ $? != 0 ] ; then exit 1 @@ -299,7 +299,7 @@ gen_key() { esac done - hostName=${1:-$(hostname --fqdn)} + hostName=${1:-$(hostname -f)} userID="ssh://${hostName}" # check for presense of key with user ID @@ -308,12 +308,7 @@ gen_key() { fi # prompt about key expiration if not specified - if [ -z "$keyExpire" ] ; then - keyExpire=$(get_gpg_expiration) - fi - if ! test_gpg_expire "$keyExpire" ; then - failure "invalid key expiration value '$keyExpire'." - fi + keyExpire=$(get_gpg_expiration "$keyExpire") # set key parameters keyParameters=$(cat < "${VARLIB}/ssh_host_rsa_key") - log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" + log info "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" } # extend the lifetime of a host key: @@ -382,12 +377,8 @@ extend_key() { failure "You don't appear to have a MonkeySphere host key on this server. Try 'monkeysphere-server gen-key' first." fi - if [ -z "$extendTo" ]; then - extendTo=$(get_gpg_expiration) - fi - if ! test_gpg_expire "$extendTo" ; then - failure "invalid expiration value '$extendTo'." - fi + # get the new expiration date + extendTo=$(get_gpg_expiration "$extendTo") gpg_host --quiet --command-fd 0 --edit-key "$fpr" </dev/null ; then + echo "! No monkeysphere user found! Please create a monkeysphere system user." + problemsfound=$(($problemsfound+1)) + fi + + if ! [ -d "$VARLIB" ] ; then + echo "! no $VARLIB directory found. Please create it." + problemsfound=$(($problemsfound+1)) + fi echo "Checking host GPG key..." if (( "$keysfound" < 1 )); then echo "! No host key found." echo " - Recommendation: run 'monkeysphere-server gen-key'" + problemsfound=$(($problemsfound+1)) elif (( "$keysfound" > 1 )); then echo "! More than one host key found?" # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) else create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:) expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:) @@ -593,9 +598,11 @@ diagnostics() { if (( "$expire" < "$curdate" )); then echo "! Host key is expired." echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + problemsfound=$(($problemsfound+1)) elif (( "$expire" < "$warndate" )); then - echo "! Host key expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F) + echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + problemsfound=$(($problemsfound+1)) fi fi @@ -603,6 +610,7 @@ diagnostics() { if [ "$create" ] && (( "$create" > "$curdate" )); then echo "! Host key was created in the future(?!). Is your clock correct?" echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" + problemsfound=$(($problemsfound+1)) fi # check for UserID expiration: @@ -614,14 +622,17 @@ diagnostics() { if [ "$create" ] && (( "$create" > "$curdate" )); then echo "! User ID '$uid' was created in the future(?!). Is your clock correct?" echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" + problemsfound=$(($problemsfound+1)) fi if [ "$expire" ] ; then if (( "$expire" < "$curdate" )); then echo "! User ID '$uid' is expired." - # FIXME: recommend a way to resolve this + # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) elif (( "$expire" < "$warndate" )); then - echo "! User ID '$uid' expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F) + echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) fi fi done @@ -641,20 +652,24 @@ diagnostics() { echo "Checking host SSH key..." if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty." + problemsfound=$(($problemsfound+1)) else - if [ $(stat -c '%a' "${VARLIB}/ssh_host_rsa_key") != 600 ] ; then + if [ $(ls -l "${VARLIB}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600." + problemsfound=$(($problemsfound+1)) fi # propose changes needed for sshd_config (if any) if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)." echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'" + problemsfound=$(($problemsfound+1)) fi - if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then + if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then echo "! $sshd_config refers to some non-monkeysphere host keys:" echo "$badhostkeys" echo " - Recommendation: remove the above HostKey lines from $sshd_config" + problemsfound=$(($problemsfound+1)) fi fi fi @@ -668,17 +683,29 @@ diagnostics() { # FIXME: make sure that at least one identity certifier exists +# FIXME: look at the timestamps on the monkeysphere-generated +# authorized_keys files -- warn if they seem out-of-date. + echo echo "Checking for MonkeySphere-enabled public-key authentication for users ..." # Ensure that User ID authentication is enabled: if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" "$sshd_config"; then echo "! $sshd_config does not point to monkeysphere authorized keys." echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'" + problemsfound=$(($problemsfound+1)) fi - if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then + if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then echo "! $sshd_config refers to non-monkeysphere authorized_keys files:" echo "$badauthorizedkeys" echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" + problemsfound=$(($problemsfound+1)) + fi + + if [ "$problemsfound" -gt 0 ]; then + echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:" + echo " monkeysphere-server diagnostics" + else + echo "Everything seems to be in order!" fi } @@ -699,7 +726,7 @@ add_certifier() { depth=1 # get options - TEMP=$(getopt -o n:t:d: -l domain:,trust:,depth: -n "$PGRM" -- "$@") + TEMP=$(PATH="/usr/local/bin:$PATH" getopt -o n:t:d: -l domain:,trust:,depth: -n "$PGRM" -- "$@") || failure "getopt failed! Does your getopt support GNU-style long options?" if [ $? != 0 ] ; then exit 1 @@ -733,12 +760,38 @@ add_certifier() { keyID="$1" if [ -z "$keyID" ] ; then - failure "You must specify the key ID of a key to add." + failure "You must specify the key ID of a key to add, or specify a file to read the key from." + fi + if [ -f "$keyID" ] ; then + echo "Reading key from file '$keyID':" + importinfo=$(gpg_authentication "--import" < "$keyID" 2>&1) || failure "could not read key from '$keyID'" + # FIXME: if this is tried when the key database is not + # up-to-date, i got these errors (using set -x): + +# ++ su -m monkeysphere -c '\''gpg --import'\'' +# Warning: using insecure memory! +# gpg: key D21739E9: public key "Daniel Kahn Gillmor " imported +# gpg: Total number processed: 1 +# gpg: imported: 1 (RSA: 1) +# gpg: can'\''t create `/var/monkeysphere/gnupg-host/pubring.gpg.tmp'\'': Permission denied +# gpg: failed to rebuild keyring cache: Permission denied +# gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model +# gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u +# gpg: next trustdb check due at 2009-01-10' +# + failure 'could not read key from '\''/root/dkg.gpg'\''' +# + echo 'could not read key from '\''/root/dkg.gpg'\''' + + keyID=$(echo "$importinfo" | grep '^gpg: key ' | cut -f2 -d: | cut -f3 -d\ ) + if [ -z "$keyID" ] || [ $(echo "$keyID" | wc -l) -ne 1 ] ; then + failure "Expected there to be a single gpg key in the file." + fi + else + # get the key from the key server + gpg_authentication "--keyserver $KEYSERVER --recv-key '0x${keyID}!'" || failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver." fi + export keyID - # get the key from the key server - gpg_authentication "--keyserver $KEYSERVER --recv-key '0x${keyID}!'" # get the full fingerprint of a key ID fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint 0x${keyID}!" | \ @@ -865,8 +918,9 @@ unset MONKEYSPHERE_USER # set empty config variable with ones from the environment, or with # defaults +LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}} KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="subkeys.pgp.net"}} -AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.config/monkeysphere/authorized_user_ids"}} +AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}} RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}} @@ -880,6 +934,7 @@ GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${VARLIB}/gnu export DATE export MODE export MONKEYSPHERE_USER +export LOG_LEVEL export KEYSERVER export CHECK_KEYSERVER export REQUIRED_USER_KEY_CAPABILITY