X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-server;h=db2f428e5a9377caa2628ee7966ec2bb03b8a7ab;hb=0f1c6ac9c3c18a46720a8b96854a6624f3a1b8df;hp=b9898163802f3c1a3da1b300ff24a8ff3316af8a;hpb=677afe2dcae7ea83adfadc42eac93f5301aa0476;p=monkeysphere.git diff --git a/src/monkeysphere-server b/src/monkeysphere-server index b989816..db2f428 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -21,7 +21,7 @@ DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up GREP_OPTIONS= -# assuming other problems don't crop up, we'll return 0 as success +# default return code ERR=0 ######################################################################## @@ -34,7 +34,7 @@ usage: $PGRM [args] MonkeySphere server admin tool. subcommands: - update-users (s) [USER]... update users authorized_keys files + update-users (u) [USER]... update users authorized_keys files gen-key (g) [HOSTNAME] generate gpg key for the server show-fingerprint (f) show server's host key fingerprint publish-key (p) publish server's host key to keyserver @@ -171,7 +171,7 @@ mkdir -p -m 0700 "$GNUPGHOME" mkdir -p "${CACHE}/authorized_keys" case $COMMAND in - 'update-users'|'update-user'|'s') + 'update-users'|'update-user'|'u') if [ "$1" ] ; then # get users from command line unames="$@" @@ -190,44 +190,49 @@ case $COMMAND in continue fi - # set authorized_user_ids variable, - # translate ssh-style path variables - authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") - - # skip user if authorized_user_ids file does not exist - if [ ! -f "$authorizedUserIDs" ] ; then - continue - fi - log "----- user: $uname -----" + # set authorized_user_ids variable, translating ssh-style + # path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") + # temporary authorized_keys file AUTHORIZED_KEYS=$(mktemp) - # skip if the user's authorized_user_ids file is empty - if [ ! -s "$authorizedUserIDs" ] ; then - log "authorized_user_ids file '$authorizedUserIDs' is empty." - continue - fi - # process authorized_user_ids file - log "processing authorized_user_ids file..." - process_authorized_user_ids "$authorizedUserIDs" + if [ -s "$authorizedUserIDs" ] ; then + log "processing authorized_user_ids file..." + process_authorized_user_ids "$authorizedUserIDs" + fi # add user-controlled authorized_keys file path if specified if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS") - if [ -f "$userAuthorizedKeys" ] ; then + if [ -s "$userAuthorizedKeys" ] ; then log -n "adding user's authorized_keys file... " cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS" loge "done." fi fi - # move the temp authorized_keys file into place - mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}" + # if the resulting authorized_keys file is not empty + if [ -s "$AUTHORIZED_KEYS" ] ; then + # openssh appears to check the contents of the + # authorized_keys file as the user in question, so the + # file must be readable by that user at least. + # FIXME: is there a better way to do this? + chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" + chmod g+r "$AUTHORIZED_KEYS" - log "authorized_keys file updated." + # move the temp authorized_keys file into place + mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}" + + log "authorized_keys file updated." + + # else destroy it + else + rm -f "$AUTHORIZED_KEYS" + fi done ;;