Added server config variable to specify user authorized_user_ids file,
authorJameson Graef Rollins <jrollins@phys.columbia.edu>
Thu, 19 Jun 2008 19:22:46 +0000 (15:22 -0400)
committerJameson Graef Rollins <jrollins@phys.columbia.edu>
Thu, 19 Jun 2008 19:22:46 +0000 (15:22 -0400)
and changed default.

debian/changelog
etc/monkeysphere-server.conf
src/common
src/monkeysphere
src/monkeysphere-server
src/monkeysphere-ssh-proxycommand

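--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,14 @@
 monkeysphere (0.2-1) UNRELEASED; urgency=low
 
+  [ Daniel Kahn Gillmor ]
   * NOT YET RELEASED (switch to "experimental" when ready to release)
-  * 
 
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>  Thu, 19 Jun 2008 04:03:45 -0400
+  [ Jameson Graef Rollins ]
+  * Add AUTHORIZED_USER_IDS config variable for server, which defaults to
+    %h/.config/monkeysphere/authorized_user_ids, instead of
+    /etc/monkeysphere/authorized_user_ids.
+
+ -- Jameson Graef Rollins <jrollins@phys.columbia.edu>  Thu, 19 Jun 2008 15:22:05 -0400
 
 monkeysphere (0.1-1) experimental; urgency=low
 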
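--- a/etc/monkeysphere-server.conf
+++ b/etc/monkeysphere-server.conf
 #   a = authentication
 #REQUIRED_USER_KEY_CAPABILITY="a"
 
+# Path to authorized_user_ids file to process to create
+# authorized_keys file.  '%h' will be replaced by the home directory
+# of the user, and %u will be replaced by the username of the user.
+# For purely admin-controlled authorized_user_ids, you might put them
+# in /etc/monkeysphere/authorized_user_ids/%u
+#AUTHORIZED_USER_IDS="%h/.config/monkeysphere/authorized_user_ids"
+
 # Whether to add user controlled authorized_keys file to
 # monkeysphere-generated authorized_keys file.  Should be path to file
 # where '%h' will be replaced by the home directory of the user.
 # To not add any user-controlled file, put "-"
-#USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys
+#USER_CONTROLLED_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"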
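Review bot: The comment block for AUTHORIZED_USER_IDS does not say who is trusted under each setting. With the default `%h/.config/monkeysphere/authorized_user_ids` the file sits in the user's own home directory, so each user decides which OpenPGP user IDs may log in to that account. The `/etc/monkeysphere/authorized_user_ids/%u` alternative only stays admin-controlled if that location is not writable by the users. I would add a line such as `# The default location is user-writable; an admin-controlled path must not be writable by the user.` The USER_CONTROLLED_AUTHORIZED_KEYS comment could also mention `%u`, since both values appear to go through the same translation in this commit.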
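--- a/src/common
+++ b/src/common
@@ -85,6 +85,24 @@ remove_line() {
     fi
 }
 
+# translate ssh-style path variables %h and %u
+translate_ssh_variables() {
+    local uname
+    local home
+
+    uname="$1"
+    path="$2"
+
+    # get the user's home directory
+    userHome=$(getent passwd "$uname" | cut -d: -f6)
+
+    # translate ssh-style path variables
+    path=${path/\%u/"$uname"}
+    path=${path/\%h/"$userHome"}
+
+    echo "$path"
+}
+
 ### CONVERTION UTILITIES
 
 # output the ssh key for a given key ID
@@ -358,6 +376,7 @@ update_userid() {
     local userID
 
     userID="$1"
+    authorizedUserIDs="$2"
 
     log "processing userid: '$userID'"
 
@@ -365,12 +384,12 @@ update_userid() {
     process_user_id "$userID" | grep -q "^0 "
 
     # check if user ID is in the authorized_user_ids file
-    if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
+    if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then
        read -p "user ID not currently authorized.  authorize? [Y|n]: " OK; OK=${OK:=Y}
        if [ ${OK/y/Y} = 'Y' ] ; then
            # add if specified
            log -n " adding user ID to authorized_user_ids file... "
-           echo "$userID" >> "$AUTHORIZED_USER_IDS"
+           echo "$userID" >> "$authorizedUserIDs"
            loge "done."
        else
            # else do nothing
@@ -384,18 +403,19 @@ remove_userid() {
     local userID
 
     userID="$1"
+    authorizedUserIDs="$2"
 
     log "processing userid: '$userID'"
 
     # check if user ID is in the authorized_user_ids file
-    if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
+    if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then
        log " user ID not currently authorized."
        return 1
     fi
 
     # remove user ID from file
     log -n " removing user ID '$userID'... "
-    remove_line "$AUTHORIZED_USER_IDS" "^${userID}$"
+    remove_line "$authorizedUserIDs" "^${userID}$"
     loge "done."
 }
 
@@ -480,7 +500,9 @@ process_known_hosts() {
 process_authorized_user_ids() {
     local userid
 
-    cat "$AUTHORIZED_USER_IDS" | meat | \
+    authorizedUserIDs="$1"
+
+    cat "$authorizedUserIDs" | meat | \
     while read -r userid ; do
        process_uid_authorized_keys "$userid"
     done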
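Review bot: translate_ssh_variables does not check that the home-directory lookup succeeded, so for an account getent does not know, `%h/.config/monkeysphere/authorized_user_ids` expands to `/.config/monkeysphere/authorized_user_ids` and the caller carries on with a path under the filesystem root. A guard right after the lookup, `[ "$userHome" ] || return 1`, would let callers stop; they would then have to test the result, which the call sites visible in this commit do not. The function also declares `local home`, which is never used, while `path` and `userHome` are assigned without `local` and leak into the caller's scope, as does `authorizedUserIDs` in update_userid, remove_userid and process_authorized_user_ids; `local uname path userHome` fixes it here. Note too that `${path/\%h/...}` replaces only the first occurrence of each variable.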
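--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -164,7 +164,7 @@ case $COMMAND in
            failure "you must specify at least one userid."
        fi
        for userID ; do
-           update_userid "$userID"
+           update_userid "$userID" "$AUTHORIZED_USER_IDS"
        done
        log "Run the following to update your monkeysphere authorized_keys file:"
        log "$PGRM update-authorized_keys"
@@ -175,7 +175,7 @@ case $COMMAND in
            failure "you must specify at least one userid."
        fi
        for userID ; do
-           remove_userid "$userID"
+           remove_userid "$userID" "$AUTHORIZED_USER_IDS"
        done
        log "Run the following to update your monkeysphere authorized_keys file:"
        log "$PGRM update-authorized_keys"
@@ -191,7 +191,7 @@ case $COMMAND in
 
        # process authorized_user_ids file
        log "processing authorized_user_ids file..."
-       process_authorized_user_ids
+       process_authorized_user_ids "$AUTHORIZED_USER_IDS"
        log "authorized_keys file updated."
        ;;
 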
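--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -139,6 +139,7 @@ GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
+AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
 
 export GNUPGHOME
@@ -153,40 +154,44 @@ mkdir -p "${CACHE}/authorized_keys"
 case $COMMAND in
     'update-users'|'update-user'|'s')
        if [ "$1" ] ; then
+           # get users from command line
            unames="$@"
        else
-           unames=$(ls -1 "${MS_HOME}/authorized_user_ids")
+           # or just look at all users if none specified
+           unames=$(getent passwd | cut -d: -f1)
        fi
 
+       # loop over users
        for uname in $unames ; do
            MODE="authorized_keys"
 
+           # set authorized_user_ids variable,
+           # translate ssh-style path variables
+           authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
+
+           # skip user if authorized_user_ids file does not exist
+           if [ ! -f "$authorizedUserIDs" ] ; then
+               continue
+           fi
+
            log "----- user: $uname -----"
 
-           # set variables for the user
-           AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}"
            # temporary authorized_keys file
-           AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp"
-
-            # make sure user's authorized_user_ids file exists
-           touch "$AUTHORIZED_USER_IDS"
-           # make sure the authorized_keys file exists and is clear
-           > "$AUTHORIZED_KEYS"
+           AUTHORIZED_KEYS=$(mktemp)
 
            # skip if the user's authorized_user_ids file is empty
-           if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
-               log "authorized_user_ids file for '$uname' is empty."
+           if [ ! -s "$authorizedUserIDs" ] ; then
+               log "authorized_user_ids file '$authorizedUserIDs' is empty."
                continue
            fi
 
            # process authorized_user_ids file
            log "processing authorized_user_ids file..."
-           process_authorized_user_ids
+           process_authorized_user_ids "$authorizedUserIDs"
 
            # add user-controlled authorized_keys file path if specified
            if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
-               userHome=$(getent passwd "$uname" | cut -d: -f6)
-               userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
+               userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
                if [ -f "$userAuthorizedKeys" ] ; then
                    log -n "adding user's authorized_keys file... "
                    cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
@@ -195,7 +200,7 @@ case $COMMAND in
            fi
 
            # move the temp authorized_keys file into place
-           mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}"
+           mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
 
            log "authorized_keys file updated."
        done
@@ -236,15 +241,16 @@ case $COMMAND in
            failure "You must specify at least one user ID."
        fi
 
-       # set variables for the user
-       AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
+       # set authorized_user_ids variable,
+       # translate ssh-style path variables
+       authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
 
         # make sure user's authorized_user_ids file exists
-       touch "$AUTHORIZED_USER_IDS"
+       touch "$authorizedUserIDs"
 
        # process the user IDs
        for userID ; do
-           update_userid "$userID"
+           update_userid "$userID" "$authorizedUserIDs"
        done
 
        log "Run the following to update user's authorized_keys file:"
@@ -261,15 +267,18 @@ case $COMMAND in
            failure "You must specify at least one user ID."
        fi
 
-       # set variables for the user
-       AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
+       # set authorized_user_ids variable,
+       # translate ssh-style path variables
+       authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
 
         # make sure user's authorized_user_ids file exists
-       touch "$AUTHORIZED_USER_IDS"
+       if [ ! -f "$authorizedUserIDs" ] ; then
+           failure "authorized_user_ids file '$authorizedUserIDs' does not exist."
+       fi
 
        # process the user IDs
        for userID ; do
-           remove_userid "$userID"
+           remove_userid "$userID" "$authorizedUserIDs"
        done
 
        log "Run the following to update user's authorized_keys file:"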
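Review bot: With the new default, the hunk at -236 runs `touch "$authorizedUserIDs"` and then lets update_userid append to that file, which now lives in a directory the target user controls. If monkeysphere-server runs as root (not shown here, but it loops over every account from `getent passwd` and writes a shared cache), a symbolic link at that path would make the privileged process create or append to whatever the link points to, and a newly created file would be owned by root rather than by the user. Doing the touch and the append under the target user's identity closes this; a narrower stop-gap that still leaves a check-then-use race is to refuse links before writing, `[ -L "$authorizedUserIDs" ] && failure "authorized_user_ids file '$authorizedUserIDs' is a symbolic link."`. The update-users hunk has a smaller problem of the same kind: `AUTHORIZED_KEYS=$(mktemp)` runs before the empty-file `continue`, so each skipped user leaves a temporary file behind.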
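--- a/src/monkeysphere-ssh-proxycommand
+++ b/src/monkeysphere-ssh-proxycommand
@@ -49,7 +49,7 @@ if [ "$PORT" != '22' ] ; then
 fi
 
 # if the host is in the gpg keyring...
-if gpg --list-key ="${URI}" >/dev/null ; then
+if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then
     # do not check the keyserver
     CHECK_KEYSERVER="false"
 # if the host is NOT in the keyring...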
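Review bot: The new redirection `2>&1 >/dev/null` does not silence gpg: redirections are applied left to right, so stderr is pointed at the script's original stdout and only stdout goes to /dev/null. For a script used as an ssh ProxyCommand, stdout is presumably the channel back to the ssh client, so gpg's diagnostics (for example when the key is not in the keyring) would be written into the connection stream. If the intent was to discard both streams, swap the order: `if gpg --list-key ="${URI}" >/dev/null 2>&1 ; then`.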