X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fshare%2Fm%2Fssh_proxycommand;h=33bd8a12c773c28648f9c3251a91e98b43c1c53d;hb=c600e3474acfee2e4eff1f000a1131c0f5905d08;hp=abe068ddc9467aa1aae7c4679ce724a84278e3ec;hpb=9847f362471d81b3f13af72f5a28740c94698c20;p=monkeysphere.git

diff --git a/src/share/m/ssh_proxycommand b/src/share/m/ssh_proxycommand
index abe068d..33bd8a1 100644
--- a/src/share/m/ssh_proxycommand
+++ b/src/share/m/ssh_proxycommand
@@ -15,12 +15,61 @@
 # established.  Can be added to ~/.ssh/config as follows:
 #  ProxyCommand monkeysphere ssh-proxycommand %h %p
 
+# output the key info, including the RSA fingerprint
+show_key_info() {
+    local keyid="$1"
+    local sshKeyGPGFile
+    local sshFingerprint
+    local gpgSigOut
+    local otherUids
+
+    # get the ssh key of the gpg key
+    sshKeyGPGFile=$(msmktempfile)
+    gpg2ssh "$keyid" >"$sshKeyGPGFile"
+    sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \
+        awk '{ print $2 }')
+    rm -f "$sshKeyGPGFile"
+
+    # get the sigs for the matching key
+    gpgSigOut=$(gpg_user --check-sigs \
+        --list-options show-uid-validity \
+        "$keyid")
+
+    echo | log info
+
+    # output the sigs, but only those on the user ID
+    # we are looking for
+    echo "$gpgSigOut" | awk '
+{
+if (match($0,"^pub")) { print; }
+if (match($0,"^uid")) { ok=0; }
+if (match($0,"^uid.*'$userID'$")) { ok=1; print; }
+if (ok) { if (match($0,"^sig")) { print; } }
+}
+'
+
+    # output ssh fingerprint
+    cat <<EOF
+RSA key fingerprint is ${sshFingerprint}.
+EOF
+
+    # output the other user IDs for reference
+    otherUids=$(echo "$gpgSigOut" | grep "^uid" | grep -v "$userID")
+    if [ "$otherUids" ] ; then
+	log info <<EOF
+Other user IDs on this key:
+EOF
+	echo "$otherUids" | log info
+    fi
+
+}
+
 # "marginal case" ouput in the case that there is not a full
 # validation path to the host
 output_no_valid_key() {
-    local returnCode=0
-    local sshKeyOffered
     local userID
+    local sshKeyOffered
+    local gpgOut
     local type
     local validity
     local keyid
@@ -28,98 +77,100 @@ output_no_valid_key() {
     local usage
     local sshKeyGPG
     local tmpkey
-    local sshFingerprint
-    local gpgSigOut
+    local returnCode=0
 
     userID="ssh://${HOSTP}"
 
-    cat <<EOF | log info
--------------------- Monkeysphere warning -------------------
-Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
-EOF
+    LOG_PREFIX=
 
-    # retrieve the actual ssh key
-    sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null | awk '{ print $2, $3 }')
-    # FIXME: should we do any checks for failed keyscans, eg. host not
-    # found?
+    # retrieve the ssh key being offered by the host
+    sshKeyOffered=$(ssh-keyscan -t rsa -p "$PORT" "$HOST" 2>/dev/null \
+	| awk '{ print $2, $3 }')
 
     # get the gpg info for userid
     gpgOut=$(gpg_user --list-key --fixed-list-mode --with-colon \
 	--with-fingerprint --with-fingerprint \
 	="$userID" 2>/dev/null)
 
-    # find all 'pub' and 'sub' lines in the gpg output, which each
-    # represent a retrieved key for the user ID
+    # output header
+    log info <<EOF
+-------------------- Monkeysphere warning -------------------
+Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
+EOF
+
+    # output message if host key could not be retrieved from the host
+    if [ -z "$sshKeyOffered" ] ; then
+	log info <<EOF
+Could not retrieve RSA host key from $HOST.
+EOF
+	# check that there are any marginally valid keys
+	if echo "$gpgOut" | egrep -q '^(pub|sub):(m|f|u):' ; then
+	    log info <<EOF
+The following keys were found with marginal validity:
+EOF
+	fi
+    fi
+
+    # find all keys in the gpg output ('pub' and 'sub' lines) and
+    # output the ones that match the host key or that have marginal
+    # validity
     echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
     while IFS=: read -r type validity keyid uidfpr usage ; do
 	case $type in
 	    'pub'|'sub')
 		# get the ssh key of the gpg key
 		sshKeyGPG=$(gpg2ssh "$keyid")
-
-		# if one of keys found matches the one offered by the
-		# host, then output info
-		if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
-		    cat <<EOF | log info
+		# if a key was retrieved from the host...
+		if [ "$sshKeyOffered" ] ; then
+		    # if one of the keys matches the one offered by
+		    # the host, then output info and return
+		    if [ "$sshKeyGPG" = "$sshKeyOffered" ] ; then
+			log info <<EOF
 An OpenPGP key matching the ssh key offered by the host was found:
-
 EOF
-
-		    sshKeyGPGFile=$(msmktempfile)
-		    printf "%s" "$sshKeyGPG" >"$sshKeyGPGFile"
-		    sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \
-			awk '{ print $2 }')
-		    rm -f "$sshKeyGPGFile"
-
-		    # get the sigs for the matching key
-		    gpgSigOut=$(gpg_user --check-sigs \
-			--list-options show-uid-validity \
-			"$keyid")
-
-		    # output the sigs, but only those on the user ID
-		    # we are looking for
-		    echo "$gpgSigOut" | awk '
-{
-if (match($0,"^pub")) {	print; }
-if (match($0,"^uid")) { ok=0; }
-if (match($0,"^uid.*'$userID'$")) { ok=1; print; }
-if (ok) { if (match($0,"^sig")) { print; } }
-}
-' | log info
-		    echo | log info
-
-		    # output the other user IDs for reference
-		    if (echo "$gpgSigOut" | grep "^uid" | grep -v -q "$userID") ; then
-			cat <<EOF | log info
-Other user IDs on this key:
-
-EOF
-			echo "$gpgSigOut" | grep "^uid" | grep -v "$userID" | log info
-			echo | log info
+			show_key_info "$keyid" | log info
+			# this whole process is in a "while read"
+			# subshell.  the only way to get information
+			# out of the subshell is to change the return
+			# code.  therefore we return 1 here to
+			# indicate that a matching gpg key was found
+			# for the ssh key offered by the host
+			return 1
+		    fi
+		# else if a key was not retrieved from the host...
+		else
+		    # and the current key is marginal, show info
+		    if [ "$validity" = 'm' ] \
+			|| [ "$validity" = 'f' ] \
+			|| [ "$validity" = 'u' ] ; then
+			show_key_info "$keyid" | log info
 		    fi
-
-		    # output ssh fingerprint
-		    cat <<EOF | log info
-RSA key fingerprint is ${sshFingerprint}.
-EOF
-
-		    # this whole process is in a "while read"
-		    # subshell.  the only way to get information out
-		    # of the subshell is to change the return code.
-		    # therefore we return 1 here to indicate that a
-		    # matching gpg key was found for the ssh key
-		    # offered by the host
-		    return 1
 		fi
 		;;
 	esac
     done || returnCode="$?"
 
-    # if no key match was made (and the "while read" subshell returned
-    # 1) output how many keys were found
-    if (( returnCode != 1 )) ; then
-	cat <<EOF | log info
+    # if no key match was made (and the "while read" subshell
+    # returned 1) output how many keys were found
+    if (( returnCode == 1 )) ; then
+	echo | log info
+    else
+	# if a key was retrieved, but didn't match, note this
+	if [ "$sshKeyOffered" ] ; then
+	    log info <<EOF
 None of the found keys matched the key offered by the host.
+EOF
+	fi
+
+	# note how many invalid keys were found
+	nInvalidKeys=$(echo "$gpgOut" | egrep '^(pub|sub):[^(m|f|u)]:' | wc -l)
+	if ((nInvalidKeys > 0)) ; then
+	    log info <<EOF
+Keys found with less than marginal validity: $nInvalidKeys
+EOF
+	fi
+
+	log info <<EOF
 Run the following command for more info about the found keys:
 gpg --check-sigs --list-options show-uid-validity =${userID}
 EOF
@@ -130,7 +181,8 @@ EOF
 	# prompted?
     fi
 
-    cat <<EOF | log info
+    # output footer
+    log info <<EOF
 -------------------- ssh continues below --------------------
 EOF
 }
@@ -172,7 +224,7 @@ URI="ssh://${HOSTP}"
 # CHECK_KEYSERVER variable in the monkeysphere.conf file.
 
 # if the host is in the gpg keyring...
-if gpg_user --list-key ="${URI}" 2>&1 >/dev/null ; then
+if gpg_user --list-key ="${URI}" &>/dev/null ; then
     # do not check the keyserver
     CHECK_KEYSERVER=${CHECK_KEYSERVER:="false"}
 
@@ -239,9 +291,9 @@ esac
 
 # exec a netcat passthrough to host for the ssh connection
 if [ -z "$NO_CONNECT" ] ; then
-    if (which nc 2>/dev/null >/dev/null); then
+    if (type nc &>/dev/null); then
 	exec nc "$HOST" "$PORT"
-    elif (which socat 2>/dev/null >/dev/null); then
+    elif (type socat &>/dev/null); then
 	exec socat STDIO "TCP:$HOST:$PORT"
     else
 	echo "Neither netcat nor socat found -- could not complete monkeysphere-ssh-proxycommand connection to $HOST:$PORT" >&2