and changed default.
monkeysphere (0.2-1) UNRELEASED; urgency=low
+ [ Daniel Kahn Gillmor ]
* NOT YET RELEASED (switch to "experimental" when ready to release)
- *
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Thu, 19 Jun 2008 04:03:45 -0400
+ [ Jameson Graef Rollins ]
+ * Add AUTHORIZED_USER_IDS config variable for server, which defaults to
+ %h/.config/monkeysphere/authorized_user_ids, instead of
+ /etc/monkeysphere/authorized_user_ids.
+
+ -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Thu, 19 Jun 2008 15:22:05 -0400
monkeysphere (0.1-1) experimental; urgency=low
# a = authentication
#REQUIRED_USER_KEY_CAPABILITY="a"
+# Path to authorized_user_ids file to process to create
+# authorized_keys file. '%h' will be replaced by the home directory
+# of the user, and %u will be replaced by the username of the user.
+# For purely admin-controlled authorized_user_ids, you might put them
+# in /etc/monkeysphere/authorized_user_ids/%u
+#AUTHORIZED_USER_IDS="%h/.config/monkeysphere/authorized_user_ids"
+
# Whether to add user controlled authorized_keys file to
# monkeysphere-generated authorized_keys file. Should be path to file
# where '%h' will be replaced by the home directory of the user.
# To not add any user-controlled file, put "-"
-#USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys
+#USER_CONTROLLED_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
fi
}
+# translate ssh-style path variables %h and %u
+translate_ssh_variables() {
+ local uname
+ local home
+
+ uname="$1"
+ path="$2"
+
+ # get the user's home directory
+ userHome=$(getent passwd "$uname" | cut -d: -f6)
+
+ # translate ssh-style path variables
+ path=${path/\%u/"$uname"}
+ path=${path/\%h/"$userHome"}
+
+ echo "$path"
+}
+
### CONVERTION UTILITIES
# output the ssh key for a given key ID
local userID
userID="$1"
+ authorizedUserIDs="$2"
log "processing userid: '$userID'"
process_user_id "$userID" | grep -q "^0 "
# check if user ID is in the authorized_user_ids file
- if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
+ if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then
read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y}
if [ ${OK/y/Y} = 'Y' ] ; then
# add if specified
log -n " adding user ID to authorized_user_ids file... "
- echo "$userID" >> "$AUTHORIZED_USER_IDS"
+ echo "$userID" >> "$authorizedUserIDs"
loge "done."
else
# else do nothing
local userID
userID="$1"
+ authorizedUserIDs="$2"
log "processing userid: '$userID'"
# check if user ID is in the authorized_user_ids file
- if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
+ if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then
log " user ID not currently authorized."
return 1
fi
# remove user ID from file
log -n " removing user ID '$userID'... "
- remove_line "$AUTHORIZED_USER_IDS" "^${userID}$"
+ remove_line "$authorizedUserIDs" "^${userID}$"
loge "done."
}
process_authorized_user_ids() {
local userid
- cat "$AUTHORIZED_USER_IDS" | meat | \
+ authorizedUserIDs="$1"
+
+ cat "$authorizedUserIDs" | meat | \
while read -r userid ; do
process_uid_authorized_keys "$userid"
done
failure "you must specify at least one userid."
fi
for userID ; do
- update_userid "$userID"
+ update_userid "$userID" "$AUTHORIZED_USER_IDS"
done
log "Run the following to update your monkeysphere authorized_keys file:"
log "$PGRM update-authorized_keys"
failure "you must specify at least one userid."
fi
for userID ; do
- remove_userid "$userID"
+ remove_userid "$userID" "$AUTHORIZED_USER_IDS"
done
log "Run the following to update your monkeysphere authorized_keys file:"
log "$PGRM update-authorized_keys"
# process authorized_user_ids file
log "processing authorized_user_ids file..."
- process_authorized_user_ids
+ process_authorized_user_ids "$AUTHORIZED_USER_IDS"
log "authorized_keys file updated."
;;
KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
+AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
export GNUPGHOME
case $COMMAND in
'update-users'|'update-user'|'s')
if [ "$1" ] ; then
+ # get users from command line
unames="$@"
else
- unames=$(ls -1 "${MS_HOME}/authorized_user_ids")
+ # or just look at all users if none specified
+ unames=$(getent passwd | cut -d: -f1)
fi
+ # loop over users
for uname in $unames ; do
MODE="authorized_keys"
+ # set authorized_user_ids variable,
+ # translate ssh-style path variables
+ authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
+
+ # skip user if authorized_user_ids file does not exist
+ if [ ! -f "$authorizedUserIDs" ] ; then
+ continue
+ fi
+
log "----- user: $uname -----"
- # set variables for the user
- AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}"
# temporary authorized_keys file
- AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp"
-
- # make sure user's authorized_user_ids file exists
- touch "$AUTHORIZED_USER_IDS"
- # make sure the authorized_keys file exists and is clear
- > "$AUTHORIZED_KEYS"
+ AUTHORIZED_KEYS=$(mktemp)
# skip if the user's authorized_user_ids file is empty
- if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
- log "authorized_user_ids file for '$uname' is empty."
+ if [ ! -s "$authorizedUserIDs" ] ; then
+ log "authorized_user_ids file '$authorizedUserIDs' is empty."
continue
fi
# process authorized_user_ids file
log "processing authorized_user_ids file..."
- process_authorized_user_ids
+ process_authorized_user_ids "$authorizedUserIDs"
# add user-controlled authorized_keys file path if specified
if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
- userHome=$(getent passwd "$uname" | cut -d: -f6)
- userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
+ userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
if [ -f "$userAuthorizedKeys" ] ; then
log -n "adding user's authorized_keys file... "
cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
fi
# move the temp authorized_keys file into place
- mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}"
+ mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
log "authorized_keys file updated."
done
failure "You must specify at least one user ID."
fi
- # set variables for the user
- AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
+ # set authorized_user_ids variable,
+ # translate ssh-style path variables
+ authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
# make sure user's authorized_user_ids file exists
- touch "$AUTHORIZED_USER_IDS"
+ touch "$authorizedUserIDs"
# process the user IDs
for userID ; do
- update_userid "$userID"
+ update_userid "$userID" "$authorizedUserIDs"
done
log "Run the following to update user's authorized_keys file:"
failure "You must specify at least one user ID."
fi
- # set variables for the user
- AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
+ # set authorized_user_ids variable,
+ # translate ssh-style path variables
+ authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
# make sure user's authorized_user_ids file exists
- touch "$AUTHORIZED_USER_IDS"
+ if [ ! -f "$authorizedUserIDs" ] ; then
+ failure "authorized_user_ids file '$authorizedUserIDs' does not exist."
+ fi
# process the user IDs
for userID ; do
- remove_userid "$userID"
+ remove_userid "$userID" "$authorizedUserIDs"
done
log "Run the following to update user's authorized_keys file:"
fi
# if the host is in the gpg keyring...
-if gpg --list-key ="${URI}" >/dev/null ; then
+if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then
# do not check the keyserver
CHECK_KEYSERVER="false"
# if the host is NOT in the keyring...