X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-server;h=ce800593da8fec3cf82722393dc9ca7d05a31d3d;hb=38d9be677ee1928e92b6c914a5467fe9bf8bcd4e;hp=9d0d9b33b80101942491b64a68e86c6803bc00a4;hpb=64a6b0cded9f9b21243ed9395a9e2ca734ac05c5;p=monkeysphere.git diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 9d0d9b3..ce80059 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -47,8 +47,8 @@ subcommands: publish-key (p) publish server's host key to keyserver add-identity-certifier (a) KEYID import and tsign a certification key - -n|--domain DOMAIN domain of certifier () - -t|--trust TRUST trust level of certifier (2) + -n|--domain DOMAIN limit ID certifications to IDs in DOMAIN () + -t|--trust TRUST trust level of certifier (full) -d|--depth DEPTH trust depth for certifier (1) remove-identity-certifier (r) KEYID remove a certification key list-identity-certifiers (l) list certification keys @@ -143,13 +143,15 @@ update_users() { log "----- user: $uname -----" + # exit if the authorized_user_ids file is empty if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then - log "Improper permissions on authorized_user_ids file." + log "Improper permissions on authorized_user_ids file path." continue fi + # check permissions on the authorized_keys file path if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then - log "Improper permissions on authorized_keys file." + log "Improper permissions on authorized_keys file path path." continue fi @@ -206,8 +208,7 @@ update_users() { chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" chmod g+r "$AUTHORIZED_KEYS" - # if the resulting authorized_keys file is not empty, move - # it into place + # move the resulting authorized_keys file into place mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}" # destroy temporary directory @@ -342,6 +343,10 @@ EOF fingerprint=$(gpg_host --list-key --with-colons --with-fingerprint "=${userID}" | \ grep '^fpr:' | head -1 | cut -d: -f10) + # export host ownertrust to authentication keyring + log "setting ultimate owner trust for server key..." + echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust" + # translate the private key to ssh format, and export to a file # for sshs usage. # NOTE: assumes that the primary key is the proper key to use @@ -383,10 +388,11 @@ add_certifier() { local keyID local fingerprint local ltsignCommand + local trustval # set default values for trust depth and domain domain= - trust=2 + trust=full depth=1 # get options @@ -423,11 +429,11 @@ add_certifier() { done keyID="$1" + if [ -z "$keyID" ] ; then + failure "You must specify the key ID of a key to add." + fi export keyID - # export host ownertrust to authentication keyring - gpg_host --export-ownertrust | gpg_authentication "--import-ownertrust" - # get the key from the key server gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'" @@ -438,7 +444,8 @@ add_certifier() { echo "key found:" gpg_authentication "--fingerprint $fingerprint" - read -p "Are you sure you want to add this key as a certifier of users on this system? (y/N) " OK; OK=${OK:-N} + echo "Are you sure you want to add this key as a certifier of" + read -p "users on this system? (y/N) " OK; OK=${OK:-N} if [ "${OK/y/Y}" != 'Y' ] ; then failure "aborting." fi @@ -446,18 +453,26 @@ add_certifier() { # export the key to the host keyring gpg_authentication "--export $keyID" | gpg_host --import + if [ "$trust" == marginal ]; then + trustval=1 + elif [ "$trust" == full ]; then + trustval=2 + else + failure "trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)" + fi + # ltsign command # NOTE: *all* user IDs will be ltsigned ltsignCommand=$(cat <