X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fshare%2Fm%2Fssh_proxycommand;h=33bd8a12c773c28648f9c3251a91e98b43c1c53d;hb=c600e3474acfee2e4eff1f000a1131c0f5905d08;hp=2078445b8069c852612da87faa69e766a0a91d3f;hpb=9624db952c7c151b1fe00f129fe17a9dcbbb1445;p=monkeysphere.git

diff --git a/src/share/m/ssh_proxycommand b/src/share/m/ssh_proxycommand
index 2078445..33bd8a1 100644
--- a/src/share/m/ssh_proxycommand
+++ b/src/share/m/ssh_proxycommand
@@ -15,6 +15,55 @@
 # established.  Can be added to ~/.ssh/config as follows:
 #  ProxyCommand monkeysphere ssh-proxycommand %h %p
 
+# output the key info, including the RSA fingerprint
+show_key_info() {
+    local keyid="$1"
+    local sshKeyGPGFile
+    local sshFingerprint
+    local gpgSigOut
+    local otherUids
+
+    # get the ssh key of the gpg key
+    sshKeyGPGFile=$(msmktempfile)
+    gpg2ssh "$keyid" >"$sshKeyGPGFile"
+    sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \
+        awk '{ print $2 }')
+    rm -f "$sshKeyGPGFile"
+
+    # get the sigs for the matching key
+    gpgSigOut=$(gpg_user --check-sigs \
+        --list-options show-uid-validity \
+        "$keyid")
+
+    echo | log info
+
+    # output the sigs, but only those on the user ID
+    # we are looking for
+    echo "$gpgSigOut" | awk '
+{
+if (match($0,"^pub")) { print; }
+if (match($0,"^uid")) { ok=0; }
+if (match($0,"^uid.*'$userID'$")) { ok=1; print; }
+if (ok) { if (match($0,"^sig")) { print; } }
+}
+'
+
+    # output ssh fingerprint
+    cat <<EOF
+RSA key fingerprint is ${sshFingerprint}.
+EOF
+
+    # output the other user IDs for reference
+    otherUids=$(echo "$gpgSigOut" | grep "^uid" | grep -v "$userID")
+    if [ "$otherUids" ] ; then
+	log info <<EOF
+Other user IDs on this key:
+EOF
+	echo "$otherUids" | log info
+    fi
+
+}
+
 # "marginal case" ouput in the case that there is not a full
 # validation path to the host
 output_no_valid_key() {
@@ -28,8 +77,6 @@ output_no_valid_key() {
     local usage
     local sshKeyGPG
     local tmpkey
-    local sshFingerprint
-    local gpgSigOut
     local returnCode=0
 
     userID="ssh://${HOSTP}"
@@ -46,69 +93,42 @@ output_no_valid_key() {
 	="$userID" 2>/dev/null)
 
     # output header
-    cat <<EOF | log info
+    log info <<EOF
 -------------------- Monkeysphere warning -------------------
 Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
 EOF
 
-    # if the host key is retrieved from the host, check against known
-    # OpenPGP keys
-    if [ "$sshKeyOffered" ] ; then
-	# find all 'pub' and 'sub' lines in the gpg output, which each
-	# represent a retrieved key for the user ID
-	echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
-	while IFS=: read -r type validity keyid uidfpr usage ; do
-	    case $type in
-		'pub'|'sub')
-		    # get the ssh key of the gpg key
-		    sshKeyGPG=$(gpg2ssh "$keyid")
-
-		    # if one of keys found matches the one offered by the
-		    # host, then output info
-		    if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
-			cat <<EOF | log info
-An OpenPGP key matching the ssh key offered by the host was found:
-
+    # output message if host key could not be retrieved from the host
+    if [ -z "$sshKeyOffered" ] ; then
+	log info <<EOF
+Could not retrieve RSA host key from $HOST.
 EOF
-
-			sshKeyGPGFile=$(msmktempfile)
-			printf "%s" "$sshKeyGPG" >"$sshKeyGPGFile"
-			sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \
-			    awk '{ print $2 }')
-			rm -f "$sshKeyGPGFile"
-
-			# get the sigs for the matching key
-			gpgSigOut=$(gpg_user --check-sigs \
-			    --list-options show-uid-validity \
-			    "$keyid")
-
-			# output the sigs, but only those on the user ID
-			# we are looking for
-			echo "$gpgSigOut" | awk '
-{
-if (match($0,"^pub")) {	print; }
-if (match($0,"^uid")) { ok=0; }
-if (match($0,"^uid.*'$userID'$")) { ok=1; print; }
-if (ok) { if (match($0,"^sig")) { print; } }
-}
-' | log info
-			echo | log info
-
-			# output the other user IDs for reference
-			if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
-			    cat <<EOF | log info
-Other user IDs on this key:
-
+	# check that there are any marginally valid keys
+	if echo "$gpgOut" | egrep -q '^(pub|sub):(m|f|u):' ; then
+	    log info <<EOF
+The following keys were found with marginal validity:
 EOF
-			    echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" | log info
-			    echo | log info
-			fi
+	fi
+    fi
 
-			# output ssh fingerprint
-			cat <<EOF | log info
-RSA key fingerprint is ${sshFingerprint}.
+    # find all keys in the gpg output ('pub' and 'sub' lines) and
+    # output the ones that match the host key or that have marginal
+    # validity
+    echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
+    while IFS=: read -r type validity keyid uidfpr usage ; do
+	case $type in
+	    'pub'|'sub')
+		# get the ssh key of the gpg key
+		sshKeyGPG=$(gpg2ssh "$keyid")
+		# if a key was retrieved from the host...
+		if [ "$sshKeyOffered" ] ; then
+		    # if one of the keys matches the one offered by
+		    # the host, then output info and return
+		    if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
+			log info <<EOF
+An OpenPGP key matching the ssh key offered by the host was found:
 EOF
-
+			show_key_info "$keyid" | log info
 			# this whole process is in a "while read"
 			# subshell.  the only way to get information
 			# out of the subshell is to change the return
@@ -117,34 +137,52 @@ EOF
 			# for the ssh key offered by the host
 			return 1
 		    fi
-		    ;;
-	    esac
-	done || returnCode="$?"
-
-	# if no key match was made (and the "while read" subshell
-	# returned 1) output how many keys were found
-	if (( returnCode != 1 )) ; then
-	    cat <<EOF | log info
+		# else if a key was not retrieved from the host...
+		else
+		    # and the current key is marginal, show info
+		    if [ "$validity" = 'm' ] \
+			|| [ "$validity" = 'f' ] \
+			|| [ "$validity" = 'u' ] ; then
+			show_key_info "$keyid" | log info
+		    fi
+		fi
+		;;
+	esac
+    done || returnCode="$?"
+
+    # if no key match was made (and the "while read" subshell
+    # returned 1) output how many keys were found
+    if (( returnCode == 1 )) ; then
+	echo | log info
+    else
+	# if a key was retrieved, but didn't match, note this
+	if [ "$sshKeyOffered" ] ; then
+	    log info <<EOF
 None of the found keys matched the key offered by the host.
-Run the following command for more info about the found keys:
-gpg --check-sigs --list-options show-uid-validity =${userID}
 EOF
+	fi
 
-	    # FIXME: should we do anything extra here if the retrieved
-	    # host key is actually in the known_hosts file and the ssh
-	    # connection will succeed?  Should the user be warned?
-	    # prompted?
+	# note how many invalid keys were found
+	nInvalidKeys=$(echo "$gpgOut" | egrep '^(pub|sub):[^(m|f|u)]:' | wc -l)
+	if ((nInvalidKeys > 0)) ; then
+	    log info <<EOF
+Keys found with less than marginal validity: $nInvalidKeys
+EOF
 	fi
 
-    # if host key could not be retrieved from the host, output message
-    else
-	cat <<EOF | log info
-Could not retrieve RSA host key from $HOST.
+	log info <<EOF
+Run the following command for more info about the found keys:
+gpg --check-sigs --list-options show-uid-validity =${userID}
 EOF
+
+	# FIXME: should we do anything extra here if the retrieved
+	# host key is actually in the known_hosts file and the ssh
+	# connection will succeed?  Should the user be warned?
+	# prompted?
     fi
 
     # output footer
-    cat <<EOF | log info
+    log info <<EOF
 -------------------- ssh continues below --------------------
 EOF
 }
@@ -186,7 +224,7 @@ URI="ssh://${HOSTP}"
 # CHECK_KEYSERVER variable in the monkeysphere.conf file.
 
 # if the host is in the gpg keyring...
-if gpg_user --list-key ="${URI}" 2>&1 >/dev/null ; then
+if gpg_user --list-key ="${URI}" &>/dev/null ; then
     # do not check the keyserver
     CHECK_KEYSERVER=${CHECK_KEYSERVER:="false"}
 
@@ -253,9 +291,9 @@ esac
 
 # exec a netcat passthrough to host for the ssh connection
 if [ -z "$NO_CONNECT" ] ; then
-    if (which nc 2>/dev/null >/dev/null); then
+    if (type nc &>/dev/null); then
 	exec nc "$HOST" "$PORT"
-    elif (which socat 2>/dev/null >/dev/null); then
+    elif (type socat &>/dev/null); then
 	exec socat STDIO "TCP:$HOST:$PORT"
     else
 	echo "Neither netcat nor socat found -- could not complete monkeysphere-ssh-proxycommand connection to $HOST:$PORT" >&2