added ability to specify subkeys to add to agent with MONKEYSPHERE_SUBKEYS_FOR_AGENT...
authorJameson Graef Rollins <jrollins@finestructure.net>
Mon, 2 Mar 2009 20:35:06 +0000 (15:35 -0500)
committerJameson Graef Rollins <jrollins@finestructure.net>
Mon, 2 Mar 2009 20:35:06 +0000 (15:35 -0500)
packaging/debian/changelog
src/share/m/subkey_to_ssh_agent

index 8b3b92206ed4f2f15061c49bbe4dcfdbecb3500c..786d41063dd5dcbdbd3afc636849175001da4af2 100644 (file)
@@ -8,13 +8,15 @@ monkeysphere (0.24~pre-1) UNRELEASED; urgency=low
     - improved transitions/0.23 script so it no longer fails in common
       circumstances (Closes: #517779)
     - RSA only: no longer handles DSA keys
+    - added ability to specify subkeys to add to ssh agent with
+      new MONKEYSPHERE_SUBKEYS_FOR_AGENT environment variable
   * update/cleanup maintainer scripts
   * remove GnuTLS dependency.
   * remove versioned coreutils | base64 dependency.
   * added Build-Deps for dh_autotest.
   * switch to Architecture: all
 
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sun, 01 Mar 2009 11:47:41 -0500
+ -- Jameson Graef Rollins <jrollins@finestructure.net>  Mon, 02 Mar 2009 15:33:44 -0500
 
 monkeysphere (0.23.1-1) unstable; urgency=low
 
index ec596bd76e148eadf4380dda3793dd79a8a62df0..aa647a628ae9f0e96e04948056f9279cbf5789d2 100644 (file)
@@ -37,26 +37,34 @@ subkey_to_ssh_agent() {
     if [ "$sshaddresponse" = "2" ]; then
        failure "Could not connect to ssh-agent"
     fi
-    
-    # get list of secret keys (to work around bug
-    # https://bugs.g10code.com/gnupg/issue945):
-    secretkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
-       --fingerprint | \
-       grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }')
-
-    if [ -z "$secretkeys" ]; then
-       failure "You have no secret keys in your keyring!
+
+    # if the MONKEYSPHERE_SUBKEYS_FOR_AGENT variable is set, use the
+    # keys specified there
+    if [ "$MONKEYSPHERE_SUBKEYS_FOR_AGENT" ] ; then
+       authsubkeys="$MONKEYSPHERE_SUBKEYS_FOR_AGENT"
+
+    # otherwise find all authentication-capable subkeys and use those
+    else
+       # get list of secret keys
+       # (to work around bug https://bugs.g10code.com/gnupg/issue945):
+       secretkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
+           --fingerprint | \
+           grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }')
+
+       if [ -z "$secretkeys" ]; then
+           failure "You have no secret keys in your keyring!
 You might want to run 'gpg --gen-key'."
-    fi
+       fi
     
-    authsubkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
-       --fingerprint --fingerprint $secretkeys | \
-       cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \
-       grep '^fpr::' | cut -f3 -d: | sort -u)
-
-    if [ -z "$authsubkeys" ]; then
-       failure "no authentication-capable subkeys available.
-You might want to 'monkeysphere gen-subkey'"
+       authsubkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
+           --fingerprint --fingerprint $secretkeys | \
+           cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \
+           grep '^fpr::' | cut -f3 -d: | sort -u)
+
+       if [ -z "$authsubkeys" ]; then
+           failure "no authentication-capable subkeys available.
+You might want to run 'monkeysphere gen-subkey'."
+       fi
     fi
 
     workingdir=$(msmktempdir)
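Review bot: The value taken from MONKEYSPHERE_SUBKEYS_FOR_AGENT at L44-L45 is used verbatim, whereas the `else` branch produces full subkey fingerprints (field 10 of the `fpr:` records, L69-L72), so the two branches are only interchangeable if the user also supplies full fingerprints, and nothing in the comment at L42-L43 says so; suggested wording: `# MONKEYSPHERE_SUBKEYS_FOR_AGENT is a whitespace-separated list of full subkey fingerprints (hex, no 0x prefix)`. Each entry is later interpolated unescaped into a gpg key selector and an egrep pattern (L89-L90), so a cheap syntax check here would turn a malformed entry into a clear error instead of a silent non-match, e.g. `case "$authsubkeys" in *[![:space:]0-9A-Fa-f]*) failure "MONKEYSPHERE_SUBKEYS_FOR_AGENT may only contain hex key fingerprints" ;; esac`. subkey_to_ssh_agent continues past the end of this hunk.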
@@ -68,7 +76,16 @@ You might want to 'monkeysphere gen-subkey'"
     # through to ssh-add.  should we limit it to known ones?  For
     # example: -d or -c and/or -t <lifetime> 
 
-    for subkey in $authsubkeys; do 
+    for subkey in $authsubkeys; do
+       # test that the subkey has proper capability
+       capability=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
+           --fingerprint --fingerprint "0x${subkey}!" \
+           | egrep -B 1 "^fpr:::::::::${subkey}:$" | grep "^ssb:" | cut -d: -f12)
+       if ! check_capability "$capability" 'a' ; then
+           log error "Did not find authentication-capable subkey with key ID '$subkey'."
+           continue
+       fi
+
        # choose a label by which this key will be known in the agent:
        # we are labelling the key by User ID instead of by
        # fingerprint, but filtering out all / characters to make sure
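Review bot: The pattern `"^fpr:::::::::${subkey}:$"` on L90 only matches when `$subkey` is the complete fingerprint, because gpg's `fpr:` record carries the full fingerprint in field 10; a short key ID given through MONKEYSPHERE_SUBKEYS_FOR_AGENT is presumably still accepted by the `"0x${subkey}!"` selector on L89, but then fails the egrep, leaves `$capability` empty and yields the misleading "Did not find authentication-capable subkey" message on L92. Either that message should state that a full fingerprint is required, or the match could tolerate a prefix: `| egrep -B 1 "^fpr:::::::::[0-9A-F]*${subkey}:$" | grep "^ssb:" | cut -d: -f12)`. `$subkey` is also spliced into the ERE unescaped, so an entry containing regex metacharacters can select unintended records, and since a rejected entry only hits `continue`, a run in which every entry is skipped adds nothing to the agent without a summary error; counting skipped keys and calling `failure` when none were added would close that gap. check_capability is defined outside this hunk, so I have assumed it returns non-zero when the capability field lacks 'a'.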