projects
/
monkeysphere.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
f95798d
)
Added server config variable to specify user authorized_user_ids file,
author
Jameson Graef Rollins
<jrollins@phys.columbia.edu>
Thu, 19 Jun 2008 19:22:46 +0000
(15:22 -0400)
committer
Jameson Graef Rollins
<jrollins@phys.columbia.edu>
Thu, 19 Jun 2008 19:22:46 +0000
(15:22 -0400)
and changed default.
debian/changelog
patch
|
blob
|
history
etc/monkeysphere-server.conf
patch
|
blob
|
history
src/common
patch
|
blob
|
history
src/monkeysphere
patch
|
blob
|
history
src/monkeysphere-server
patch
|
blob
|
history
src/monkeysphere-ssh-proxycommand
patch
|
blob
|
history
diff --git
a/debian/changelog
b/debian/changelog
index 74c5d8bb5adbe293cc360c4986407a8f10c30975..9bfcc26ede3c992acc8ad4d6cc7232884f1f8271 100644
(file)
--- a/
debian/changelog
+++ b/
debian/changelog
@@
-1,9
+1,14
@@
monkeysphere (0.2-1) UNRELEASED; urgency=low
monkeysphere (0.2-1) UNRELEASED; urgency=low
+ [ Daniel Kahn Gillmor ]
* NOT YET RELEASED (switch to "experimental" when ready to release)
* NOT YET RELEASED (switch to "experimental" when ready to release)
- *
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Thu, 19 Jun 2008 04:03:45 -0400
+ [ Jameson Graef Rollins ]
+ * Add AUTHORIZED_USER_IDS config variable for server, which defaults to
+ %h/.config/monkeysphere/authorized_user_ids, instead of
+ /etc/monkeysphere/authorized_user_ids.
+
+ -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Thu, 19 Jun 2008 15:22:05 -0400
monkeysphere (0.1-1) experimental; urgency=low
monkeysphere (0.1-1) experimental; urgency=low
diff --git
a/etc/monkeysphere-server.conf
b/etc/monkeysphere-server.conf
index 3915bf46f4168d7c1a25e89148920c75566e3f66..847e8795ea4c53f0825a4f64262c761c5f364218 100644
(file)
--- a/
etc/monkeysphere-server.conf
+++ b/
etc/monkeysphere-server.conf
@@
-17,8
+17,15
@@
# a = authentication
#REQUIRED_USER_KEY_CAPABILITY="a"
# a = authentication
#REQUIRED_USER_KEY_CAPABILITY="a"
+# Path to authorized_user_ids file to process to create
+# authorized_keys file. '%h' will be replaced by the home directory
+# of the user, and %u will be replaced by the username of the user.
+# For purely admin-controlled authorized_user_ids, you might put them
+# in /etc/monkeysphere/authorized_user_ids/%u
+#AUTHORIZED_USER_IDS="%h/.config/monkeysphere/authorized_user_ids"
+
# Whether to add user controlled authorized_keys file to
# monkeysphere-generated authorized_keys file. Should be path to file
# where '%h' will be replaced by the home directory of the user.
# To not add any user-controlled file, put "-"
# Whether to add user controlled authorized_keys file to
# monkeysphere-generated authorized_keys file. Should be path to file
# where '%h' will be replaced by the home directory of the user.
# To not add any user-controlled file, put "-"
-#USER_CONTROLLED_AUTHORIZED_KEYS=
%h/.ssh/authorized_keys
+#USER_CONTROLLED_AUTHORIZED_KEYS=
"%h/.ssh/authorized_keys"
diff --git
a/src/common
b/src/common
index c39506d729a14503ebc992adbb92fc3d3e1ae256..89efc46a4014dbcfedaec546018c09d066e3509b 100644
(file)
--- a/
src/common
+++ b/
src/common
@@
-85,6
+85,24
@@
remove_line() {
fi
}
fi
}
+# translate ssh-style path variables %h and %u
+translate_ssh_variables() {
+ local uname
+ local home
+
+ uname="$1"
+ path="$2"
+
+ # get the user's home directory
+ userHome=$(getent passwd "$uname" | cut -d: -f6)
+
+ # translate ssh-style path variables
+ path=${path/\%u/"$uname"}
+ path=${path/\%h/"$userHome"}
+
+ echo "$path"
+}
+
### CONVERTION UTILITIES
# output the ssh key for a given key ID
### CONVERTION UTILITIES
# output the ssh key for a given key ID
@@
-358,6
+376,7
@@
update_userid() {
local userID
userID="$1"
local userID
userID="$1"
+ authorizedUserIDs="$2"
log "processing userid: '$userID'"
log "processing userid: '$userID'"
@@
-365,12
+384,12
@@
update_userid() {
process_user_id "$userID" | grep -q "^0 "
# check if user ID is in the authorized_user_ids file
process_user_id "$userID" | grep -q "^0 "
# check if user ID is in the authorized_user_ids file
- if ! grep -q "^${userID}\$" "$
AUTHORIZED_USER_IDS
" ; then
+ if ! grep -q "^${userID}\$" "$
authorizedUserIDs
" ; then
read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y}
if [ ${OK/y/Y} = 'Y' ] ; then
# add if specified
log -n " adding user ID to authorized_user_ids file... "
read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y}
if [ ${OK/y/Y} = 'Y' ] ; then
# add if specified
log -n " adding user ID to authorized_user_ids file... "
- echo "$userID" >> "$
AUTHORIZED_USER_IDS
"
+ echo "$userID" >> "$
authorizedUserIDs
"
loge "done."
else
# else do nothing
loge "done."
else
# else do nothing
@@
-384,18
+403,19
@@
remove_userid() {
local userID
userID="$1"
local userID
userID="$1"
+ authorizedUserIDs="$2"
log "processing userid: '$userID'"
# check if user ID is in the authorized_user_ids file
log "processing userid: '$userID'"
# check if user ID is in the authorized_user_ids file
- if ! grep -q "^${userID}\$" "$
AUTHORIZED_USER_IDS
" ; then
+ if ! grep -q "^${userID}\$" "$
authorizedUserIDs
" ; then
log " user ID not currently authorized."
return 1
fi
# remove user ID from file
log -n " removing user ID '$userID'... "
log " user ID not currently authorized."
return 1
fi
# remove user ID from file
log -n " removing user ID '$userID'... "
- remove_line "$
AUTHORIZED_USER_IDS
" "^${userID}$"
+ remove_line "$
authorizedUserIDs
" "^${userID}$"
loge "done."
}
loge "done."
}
@@
-480,7
+500,9
@@
process_known_hosts() {
process_authorized_user_ids() {
local userid
process_authorized_user_ids() {
local userid
- cat "$AUTHORIZED_USER_IDS" | meat | \
+ authorizedUserIDs="$1"
+
+ cat "$authorizedUserIDs" | meat | \
while read -r userid ; do
process_uid_authorized_keys "$userid"
done
while read -r userid ; do
process_uid_authorized_keys "$userid"
done
diff --git
a/src/monkeysphere
b/src/monkeysphere
index a6cecfd63de025c3b4195842bf6c431f33ecf5c1..a9c9d5856002acf42e99c4f757e347a7d3967536 100755
(executable)
--- a/
src/monkeysphere
+++ b/
src/monkeysphere
@@
-164,7
+164,7
@@
case $COMMAND in
failure "you must specify at least one userid."
fi
for userID ; do
failure "you must specify at least one userid."
fi
for userID ; do
- update_userid "$userID"
+ update_userid "$userID"
"$AUTHORIZED_USER_IDS"
done
log "Run the following to update your monkeysphere authorized_keys file:"
log "$PGRM update-authorized_keys"
done
log "Run the following to update your monkeysphere authorized_keys file:"
log "$PGRM update-authorized_keys"
@@
-175,7
+175,7
@@
case $COMMAND in
failure "you must specify at least one userid."
fi
for userID ; do
failure "you must specify at least one userid."
fi
for userID ; do
- remove_userid "$userID"
+ remove_userid "$userID"
"$AUTHORIZED_USER_IDS"
done
log "Run the following to update your monkeysphere authorized_keys file:"
log "$PGRM update-authorized_keys"
done
log "Run the following to update your monkeysphere authorized_keys file:"
log "$PGRM update-authorized_keys"
@@
-191,7
+191,7
@@
case $COMMAND in
# process authorized_user_ids file
log "processing authorized_user_ids file..."
# process authorized_user_ids file
log "processing authorized_user_ids file..."
- process_authorized_user_ids
+ process_authorized_user_ids
"$AUTHORIZED_USER_IDS"
log "authorized_keys file updated."
;;
log "authorized_keys file updated."
;;
diff --git
a/src/monkeysphere-server
b/src/monkeysphere-server
index 96a1070ea173f917d098cd711cc6f80b6abddf64..bfd5db84477cc40c5c3c9e044ebbd241cd7a0e98 100755
(executable)
--- a/
src/monkeysphere-server
+++ b/
src/monkeysphere-server
@@
-139,6
+139,7
@@
GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
+AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
export GNUPGHOME
USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
export GNUPGHOME
@@
-153,40
+154,44
@@
mkdir -p "${CACHE}/authorized_keys"
case $COMMAND in
'update-users'|'update-user'|'s')
if [ "$1" ] ; then
case $COMMAND in
'update-users'|'update-user'|'s')
if [ "$1" ] ; then
+ # get users from command line
unames="$@"
else
unames="$@"
else
- unames=$(ls -1 "${MS_HOME}/authorized_user_ids")
+ # or just look at all users if none specified
+ unames=$(getent passwd | cut -d: -f1)
fi
fi
+ # loop over users
for uname in $unames ; do
MODE="authorized_keys"
for uname in $unames ; do
MODE="authorized_keys"
+ # set authorized_user_ids variable,
+ # translate ssh-style path variables
+ authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
+
+ # skip user if authorized_user_ids file does not exist
+ if [ ! -f "$authorizedUserIDs" ] ; then
+ continue
+ fi
+
log "----- user: $uname -----"
log "----- user: $uname -----"
- # set variables for the user
- AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}"
# temporary authorized_keys file
# temporary authorized_keys file
- AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp"
-
- # make sure user's authorized_user_ids file exists
- touch "$AUTHORIZED_USER_IDS"
- # make sure the authorized_keys file exists and is clear
- > "$AUTHORIZED_KEYS"
+ AUTHORIZED_KEYS=$(mktemp)
# skip if the user's authorized_user_ids file is empty
# skip if the user's authorized_user_ids file is empty
- if [ ! -s "$
AUTHORIZED_USER_IDS
" ] ; then
- log "authorized_user_ids file
for '$uname
' is empty."
+ if [ ! -s "$
authorizedUserIDs
" ] ; then
+ log "authorized_user_ids file
'$authorizedUserIDs
' is empty."
continue
fi
# process authorized_user_ids file
log "processing authorized_user_ids file..."
continue
fi
# process authorized_user_ids file
log "processing authorized_user_ids file..."
- process_authorized_user_ids
+ process_authorized_user_ids
"$authorizedUserIDs"
# add user-controlled authorized_keys file path if specified
if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
# add user-controlled authorized_keys file path if specified
if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
- userHome=$(getent passwd "$uname" | cut -d: -f6)
- userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
+ userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
if [ -f "$userAuthorizedKeys" ] ; then
log -n "adding user's authorized_keys file... "
cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
if [ -f "$userAuthorizedKeys" ] ; then
log -n "adding user's authorized_keys file... "
cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
@@
-195,7
+200,7
@@
case $COMMAND in
fi
# move the temp authorized_keys file into place
fi
# move the temp authorized_keys file into place
- mv -f "$
{CACHE}/authorized_keys/${uname}.tmp
" "${CACHE}/authorized_keys/${uname}"
+ mv -f "$
AUTHORIZED_KEYS
" "${CACHE}/authorized_keys/${uname}"
log "authorized_keys file updated."
done
log "authorized_keys file updated."
done
@@
-236,15
+241,16
@@
case $COMMAND in
failure "You must specify at least one user ID."
fi
failure "You must specify at least one user ID."
fi
- # set variables for the user
- AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
+ # set authorized_user_ids variable,
+ # translate ssh-style path variables
+ authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
# make sure user's authorized_user_ids file exists
# make sure user's authorized_user_ids file exists
- touch "$
AUTHORIZED_USER_IDS
"
+ touch "$
authorizedUserIDs
"
# process the user IDs
for userID ; do
# process the user IDs
for userID ; do
- update_userid "$userID"
+ update_userid "$userID"
"$authorizedUserIDs"
done
log "Run the following to update user's authorized_keys file:"
done
log "Run the following to update user's authorized_keys file:"
@@
-261,15
+267,18
@@
case $COMMAND in
failure "You must specify at least one user ID."
fi
failure "You must specify at least one user ID."
fi
- # set variables for the user
- AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
+ # set authorized_user_ids variable,
+ # translate ssh-style path variables
+ authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
# make sure user's authorized_user_ids file exists
# make sure user's authorized_user_ids file exists
- touch "$AUTHORIZED_USER_IDS"
+ if [ ! -f "$authorizedUserIDs" ] ; then
+ failure "authorized_user_ids file '$authorizedUserIDs' does not exist."
+ fi
# process the user IDs
for userID ; do
# process the user IDs
for userID ; do
- remove_userid "$userID"
+ remove_userid "$userID"
"$authorizedUserIDs"
done
log "Run the following to update user's authorized_keys file:"
done
log "Run the following to update user's authorized_keys file:"
diff --git
a/src/monkeysphere-ssh-proxycommand
b/src/monkeysphere-ssh-proxycommand
index 4cbcd5138bda3a5904eb3741c5a64993c67d0484..f4d4b0d9affb8835ae812e22c9fa58f5388c3fbf 100755
(executable)
--- a/
src/monkeysphere-ssh-proxycommand
+++ b/
src/monkeysphere-ssh-proxycommand
@@
-49,7
+49,7
@@
if [ "$PORT" != '22' ] ; then
fi
# if the host is in the gpg keyring...
fi
# if the host is in the gpg keyring...
-if gpg --list-key ="${URI}" >/dev/null ; then
+if gpg --list-key ="${URI}"
2>&1
>/dev/null ; then
# do not check the keyserver
CHECK_KEYSERVER="false"
# if the host is NOT in the keyring...
# do not check the keyserver
CHECK_KEYSERVER="false"
# if the host is NOT in the keyring...