Separate required key capability variables for users and hosts.
authorJameson Graef Rollins <jrollins@phys.columbia.edu>
Sun, 15 Jun 2008 15:46:07 +0000 (11:46 -0400)
committerJameson Graef Rollins <jrollins@phys.columbia.edu>
Sun, 15 Jun 2008 15:46:07 +0000 (11:46 -0400)
Change default for user to be "a", and host to be "e a".

etc/monkeysphere-server.conf
etc/monkeysphere.conf
src/common
src/monkeysphere
src/monkeysphere-server

index 3c16c5fe112690a3ec1f9d467d92ad300bf3a9c0..82da49783f91fc3faff6c1fd240af84596efa2b1 100644 (file)
@@ -1,20 +1,23 @@
 # MonkeySphere server configuration file.
 
+# This is an sh-style shell configuration file.  Variable names should
+# be separated from their assignements by a single '=' and no spaces.
+
 # GPG home directory for server
 #GNUPGHOME=/etc/monkeysphere/gnupg
 
 # GPG keyserver to search for keys
 #KEYSERVER=subkeys.pgp.net
 
-# Required key capabilities
+# Required user key capabilities
 # Must be quoted, lowercase, space-seperated list of the following:
 #   e = encrypt
 #   s = sign
 #   c = certify
 #   a = authentication
-#REQUIRED_KEY_CAPABILITY="e a"
+#REQUIRED_USER_KEY_CAPABILITY="a"
 
 # Whether to add user controlled authorized_keys file to
 # monkeysphere-generated authorized_keys file.  Should be path to file
-# where '%h' will be substituted for the user's home directory.
+# where '%h' will be replaced by the home directory of the user.
 #USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys
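Review bot: The added comment line `# be separated from their assignements by a single '=' and no spaces.` misspells "assignments"; the identical line is added to etc/monkeysphere.conf in the next file section, so both copies need the fix. Since the new text describes the file as sh-style (presumably it is sourced by the scripts rather than parsed), it would also help readers to state the consequence, e.g. `# This file is read as shell code, so keep it writable by its owner only.`.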
index 385165a28a83e99e1d224999a747e9cc7029a76e..d478b9315843ddb0cd93437494e322dff038d642 100644 (file)
@@ -1,5 +1,8 @@
 # MonkeySphere system-wide client configuration file.
 
+# This is an sh-style shell configuration file.  Variable names should
+# be separated from their assignements by a single '=' and no spaces.
+
 # authorized_user_ids file
 #AUTHORIZED_USER_IDS=~/.config/monkeysphere/authorized_user_ids
 
@@ -15,7 +18,8 @@
 #   s = sign
 #   c = certify
 #   a = authentication
-#REQUIRED_KEY_CAPABILITY="e a"
+#REQUIRED_HOST_KEY_CAPABILITY="e a"
+#REQUIRED_USER_KEY_CAPABILITY="a"
 
 # Path to user-controlled authorized_keys file to add to
 # Monkeysphere-generated authorized_keys file. If empty, then no
index 19b5485a37feb2118edb350ae0e34da67e36613a..8d8e5063258910ebb75f7fe032ff3a438648cc84 100644 (file)
@@ -1,13 +1,13 @@
 # -*-shell-script-*-
 
-# Shared bash functions for the monkeysphere
+# Shared sh functions for the monkeysphere
 #
 # Written by
 # Jameson Rollins <jrollins@fifthhorseman.net>
 #
 # Copyright 2008, released under the GPL, version 3 or later
 
-# all caps variables are meant to be user supplied (ie. from config
+# all-caps variables are meant to be user supplied (ie. from config
 # file) and are considered global
 
 ########################################################################
@@ -123,13 +123,14 @@ gpg2authorized_keys() {
 # userid and key policy checking
 # the following checks policy on the returned keys
 # - checks that full key has appropriate valididy (u|f)
-# - checks key has specified capability (REQUIRED_KEY_CAPABILITY)
+# - checks key has specified capability (REQUIRED_*_KEY_CAPABILITY)
 # - checks that particular desired user id has appropriate validity
 # see /usr/share/doc/gnupg/DETAILS.gz
 # expects global variable: "MODE"
 process_user_id() {
     local userID
     local cacheDir
+    local requiredCapability
     local requiredPubCapability
     local gpgOut
     local line
@@ -148,7 +149,13 @@ process_user_id() {
     userID="$1"
     cacheDir="$2"
 
-    requiredPubCapability=$(echo "$REQUIRED_KEY_CAPABILITY" | tr "[:lower:]" "[:upper:]")
+    # set the required key capability based on the mode
+    if [ "$MODE" = 'known_hosts' ] ; then
+       requiredCapability="$REQUIRED_HOST_KEY_CAPABILITY"
+    elif [ "$MODE" = 'authorized_keys' ] ; then
+       requiredCapability="$REQUIRED_USER_KEY_CAPABILITY"      
+    fi
+    requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]")
 
     # fetch keys from keyserver, return 1 if none found
     gpg_fetch_userid "$userID" || return 1
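Review bot: If MODE holds anything other than 'known_hosts' or 'authorized_keys', the new if/elif leaves requiredCapability empty, and the unquoted `$requiredCapability` at the two check_capability calls in the following hunks then expands to no arguments, so whether a key is accepted depends entirely on how check_capability (not on this page) treats an empty list — if it reads as "nothing required", every key passes. Prefer failing closed with an else arm before the `fi`: `else` / `log "unknown MODE '$MODE'"` / `return 1`. The same empty-list path is reached when the selected variable is itself empty; src/monkeysphere-server in the last section only sets a default for REQUIRED_USER_KEY_CAPABILITY, so a known_hosts run under that script would presumably get an empty value. The line `requiredCapability="$REQUIRED_USER_KEY_CAPABILITY"` also carries trailing whitespace. process_user_id starts before and ends after this hunk.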
@@ -207,7 +214,7 @@ process_user_id() {
                keyOK=true
 
                # add primary key ID to key list if it has required capability
-               if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then
+               if check_capability "$capability" $requiredCapability ; then
                    keyIDs[${#keyIDs[*]}]="$keyid"
                fi
                ;;
@@ -230,7 +237,7 @@ process_user_id() {
                ;;
            'sub') # sub keys
                # add sub key ID to key list if it has required capability
-               if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then
+               if check_capability "$capability" $requiredCapability ; then
                    keyIDs[${#keyIDs[*]}]="$keyid"
                fi
                ;;
@@ -282,16 +289,16 @@ process_user_id() {
 update_userid() {
     local userID
     local cacheDir
-    local userIDKeyCache
+    local keyCache
 
     userID="$1"
     cacheDir="$2"
 
     log "processing userid: '$userID'"
 
-    userIDKeyCache=$(process_user_id "$userID" "$cacheDir")
+    keyCachePath=$(process_user_id "$userID" "$cacheDir")
 
-    if [ -z "$userIDKeyCache" ] ; then
+    if [ -z "$keyCachePath" ] ; then
        return 1
     fi
     if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
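Review bot: The renamed declaration `local keyCache` no longer matches the name the function actually uses: `keyCachePath=$(process_user_id "$userID" "$cacheDir")` and the `-z "$keyCachePath"` test both refer to keyCachePath, so the assignment now writes a shell-global variable instead of a local, and keyCache itself is never used. Change the declaration to `local keyCachePath`, matching what process_host in the next hunk already does. update_userid's body continues past the end of this hunk.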
@@ -328,17 +335,17 @@ remove_userid() {
 process_host() {
     local host
     local cacheDir
-    local hostKeyCachePath
+    local keyCachePath
 
     host="$1"
     cacheDir="$2"
 
     log "processing host: '$host'"
 
-    hostKeyCachePath=$(process_user_id "ssh://${host}" "$cacheDir")
+    keyCachePath=$(process_user_id "ssh://${host}" "$cacheDir")
     if [ $? = 0 ] ; then
        ssh-keygen -R "$host" -f "$USER_KNOWN_HOSTS"
-       cat "$hostKeyCachePath" >> "$USER_KNOWN_HOSTS"
+       cat "$keyCachePath" >> "$USER_KNOWN_HOSTS"
     fi
 }
 
@@ -425,7 +432,7 @@ process_authorized_ids() {
 # EXPERIMENTAL (unused) process userids found in authorized_keys file
 # go through line-by-line, extract monkeysphere userids from comment
 # fields, and process each userid
-process_userids_from_authorized_keys() {
+process_authorized_keys() {
     local authorizedKeys
     local cacheDir
     local userID
index 1ba51d79619de218f1c50bf205e752ec50232145..ff4423ba11107365afb2343f46232baf35bf1b22 100755 (executable)
@@ -118,7 +118,8 @@ MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"}
 AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"}
 GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"}
 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
-REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"}
+REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"}
+REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
 USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"}
 HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"}
index e05b4b71c8253ac7d8c335705253f8a52c8433d2..7d1113899c897c605c668a1d3c118a3265099f22 100755 (executable)
@@ -113,7 +113,7 @@ MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
 # set empty config variable with defaults
 GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg}
 KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
-REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"}
+REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys}
 
 export GNUPGHOME