Added server config variable to specify user authorized_user_ids file,
authorJameson Graef Rollins <jrollins@phys.columbia.edu>
Thu, 19 Jun 2008 19:22:46 +0000 (15:22 -0400)
committerJameson Graef Rollins <jrollins@phys.columbia.edu>
Thu, 19 Jun 2008 19:22:46 +0000 (15:22 -0400)
and changed default.

debian/changelog
etc/monkeysphere-server.conf
src/common
src/monkeysphere
src/monkeysphere-server
src/monkeysphere-ssh-proxycommand

index 74c5d8bb5adbe293cc360c4986407a8f10c30975..9bfcc26ede3c992acc8ad4d6cc7232884f1f8271 100644 (file)
@@ -1,9 +1,14 @@
 monkeysphere (0.2-1) UNRELEASED; urgency=low
 
+  [ Daniel Kahn Gillmor ]
   * NOT YET RELEASED (switch to "experimental" when ready to release)
-  * 
 
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>  Thu, 19 Jun 2008 04:03:45 -0400
+  [ Jameson Graef Rollins ]
+  * Add AUTHORIZED_USER_IDS config variable for server, which defaults to
+    %h/.config/monkeysphere/authorized_user_ids, instead of
+    /etc/monkeysphere/authorized_user_ids.
+
+ -- Jameson Graef Rollins <jrollins@phys.columbia.edu>  Thu, 19 Jun 2008 15:22:05 -0400
 
 monkeysphere (0.1-1) experimental; urgency=low
 
index 3915bf46f4168d7c1a25e89148920c75566e3f66..847e8795ea4c53f0825a4f64262c761c5f364218 100644 (file)
 #   a = authentication
 #REQUIRED_USER_KEY_CAPABILITY="a"
 
+# Path to authorized_user_ids file to process to create
+# authorized_keys file.  '%h' will be replaced by the home directory
+# of the user, and %u will be replaced by the username of the user.
+# For purely admin-controlled authorized_user_ids, you might put them
+# in /etc/monkeysphere/authorized_user_ids/%u
+#AUTHORIZED_USER_IDS="%h/.config/monkeysphere/authorized_user_ids"
+
 # Whether to add user controlled authorized_keys file to
 # monkeysphere-generated authorized_keys file.  Should be path to file
 # where '%h' will be replaced by the home directory of the user.
 # To not add any user-controlled file, put "-"
-#USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys
+#USER_CONTROLLED_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
index c39506d729a14503ebc992adbb92fc3d3e1ae256..89efc46a4014dbcfedaec546018c09d066e3509b 100644 (file)
@@ -85,6 +85,24 @@ remove_line() {
     fi
 }
 
+# translate ssh-style path variables %h and %u
+translate_ssh_variables() {
+    local uname
+    local home
+
+    uname="$1"
+    path="$2"
+
+    # get the user's home directory
+    userHome=$(getent passwd "$uname" | cut -d: -f6)
+
+    # translate ssh-style path variables
+    path=${path/\%u/"$uname"}
+    path=${path/\%h/"$userHome"}
+
+    echo "$path"
+}
+
 ### CONVERTION UTILITIES
 
 # output the ssh key for a given key ID
@@ -358,6 +376,7 @@ update_userid() {
     local userID
 
     userID="$1"
+    authorizedUserIDs="$2"
 
     log "processing userid: '$userID'"
 
@@ -365,12 +384,12 @@ update_userid() {
     process_user_id "$userID" | grep -q "^0 "
 
     # check if user ID is in the authorized_user_ids file
-    if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
+    if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then
        read -p "user ID not currently authorized.  authorize? [Y|n]: " OK; OK=${OK:=Y}
        if [ ${OK/y/Y} = 'Y' ] ; then
            # add if specified
            log -n " adding user ID to authorized_user_ids file... "
-           echo "$userID" >> "$AUTHORIZED_USER_IDS"
+           echo "$userID" >> "$authorizedUserIDs"
            loge "done."
        else
            # else do nothing
@@ -384,18 +403,19 @@ remove_userid() {
     local userID
 
     userID="$1"
+    authorizedUserIDs="$2"
 
     log "processing userid: '$userID'"
 
     # check if user ID is in the authorized_user_ids file
-    if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
+    if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then
        log " user ID not currently authorized."
        return 1
     fi
 
     # remove user ID from file
     log -n " removing user ID '$userID'... "
-    remove_line "$AUTHORIZED_USER_IDS" "^${userID}$"
+    remove_line "$authorizedUserIDs" "^${userID}$"
     loge "done."
 }
 
@@ -480,7 +500,9 @@ process_known_hosts() {
 process_authorized_user_ids() {
     local userid
 
-    cat "$AUTHORIZED_USER_IDS" | meat | \
+    authorizedUserIDs="$1"
+
+    cat "$authorizedUserIDs" | meat | \
     while read -r userid ; do
        process_uid_authorized_keys "$userid"
     done
index a6cecfd63de025c3b4195842bf6c431f33ecf5c1..a9c9d5856002acf42e99c4f757e347a7d3967536 100755 (executable)
@@ -164,7 +164,7 @@ case $COMMAND in
            failure "you must specify at least one userid."
        fi
        for userID ; do
-           update_userid "$userID"
+           update_userid "$userID" "$AUTHORIZED_USER_IDS"
        done
        log "Run the following to update your monkeysphere authorized_keys file:"
        log "$PGRM update-authorized_keys"
@@ -175,7 +175,7 @@ case $COMMAND in
            failure "you must specify at least one userid."
        fi
        for userID ; do
-           remove_userid "$userID"
+           remove_userid "$userID" "$AUTHORIZED_USER_IDS"
        done
        log "Run the following to update your monkeysphere authorized_keys file:"
        log "$PGRM update-authorized_keys"
@@ -191,7 +191,7 @@ case $COMMAND in
 
        # process authorized_user_ids file
        log "processing authorized_user_ids file..."
-       process_authorized_user_ids
+       process_authorized_user_ids "$AUTHORIZED_USER_IDS"
        log "authorized_keys file updated."
        ;;
 
index 96a1070ea173f917d098cd711cc6f80b6abddf64..bfd5db84477cc40c5c3c9e044ebbd241cd7a0e98 100755 (executable)
@@ -139,6 +139,7 @@ GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
+AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
 
 export GNUPGHOME
@@ -153,40 +154,44 @@ mkdir -p "${CACHE}/authorized_keys"
 case $COMMAND in
     'update-users'|'update-user'|'s')
        if [ "$1" ] ; then
+           # get users from command line
            unames="$@"
        else
-           unames=$(ls -1 "${MS_HOME}/authorized_user_ids")
+           # or just look at all users if none specified
+           unames=$(getent passwd | cut -d: -f1)
        fi
 
+       # loop over users
        for uname in $unames ; do
            MODE="authorized_keys"
 
+           # set authorized_user_ids variable,
+           # translate ssh-style path variables
+           authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
+
+           # skip user if authorized_user_ids file does not exist
+           if [ ! -f "$authorizedUserIDs" ] ; then
+               continue
+           fi
+
            log "----- user: $uname -----"
 
-           # set variables for the user
-           AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}"
            # temporary authorized_keys file
-           AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp"
-
-            # make sure user's authorized_user_ids file exists
-           touch "$AUTHORIZED_USER_IDS"
-           # make sure the authorized_keys file exists and is clear
-           > "$AUTHORIZED_KEYS"
+           AUTHORIZED_KEYS=$(mktemp)
 
            # skip if the user's authorized_user_ids file is empty
-           if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
-               log "authorized_user_ids file for '$uname' is empty."
+           if [ ! -s "$authorizedUserIDs" ] ; then
+               log "authorized_user_ids file '$authorizedUserIDs' is empty."
                continue
            fi
 
            # process authorized_user_ids file
            log "processing authorized_user_ids file..."
-           process_authorized_user_ids
+           process_authorized_user_ids "$authorizedUserIDs"
 
            # add user-controlled authorized_keys file path if specified
            if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
-               userHome=$(getent passwd "$uname" | cut -d: -f6)
-               userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
+               userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
                if [ -f "$userAuthorizedKeys" ] ; then
                    log -n "adding user's authorized_keys file... "
                    cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
@@ -195,7 +200,7 @@ case $COMMAND in
            fi
 
            # move the temp authorized_keys file into place
-           mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}"
+           mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
 
            log "authorized_keys file updated."
        done
@@ -236,15 +241,16 @@ case $COMMAND in
            failure "You must specify at least one user ID."
        fi
 
-       # set variables for the user
-       AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
+       # set authorized_user_ids variable,
+       # translate ssh-style path variables
+       authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
 
         # make sure user's authorized_user_ids file exists
-       touch "$AUTHORIZED_USER_IDS"
+       touch "$authorizedUserIDs"
 
        # process the user IDs
        for userID ; do
-           update_userid "$userID"
+           update_userid "$userID" "$authorizedUserIDs"
        done
 
        log "Run the following to update user's authorized_keys file:"
@@ -261,15 +267,18 @@ case $COMMAND in
            failure "You must specify at least one user ID."
        fi
 
-       # set variables for the user
-       AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
+       # set authorized_user_ids variable,
+       # translate ssh-style path variables
+       authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
 
         # make sure user's authorized_user_ids file exists
-       touch "$AUTHORIZED_USER_IDS"
+       if [ ! -f "$authorizedUserIDs" ] ; then
+           failure "authorized_user_ids file '$authorizedUserIDs' does not exist."
+       fi
 
        # process the user IDs
        for userID ; do
-           remove_userid "$userID"
+           remove_userid "$userID" "$authorizedUserIDs"
        done
 
        log "Run the following to update user's authorized_keys file:"
index 4cbcd5138bda3a5904eb3741c5a64993c67d0484..f4d4b0d9affb8835ae812e22c9fa58f5388c3fbf 100755 (executable)
@@ -49,7 +49,7 @@ if [ "$PORT" != '22' ] ; then
 fi
 
 # if the host is in the gpg keyring...
-if gpg --list-key ="${URI}" >/dev/null ; then
+if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then
     # do not check the keyserver
     CHECK_KEYSERVER="false"
 # if the host is NOT in the keyring...