* monkeysphere-server diagnostics now counts problems and suggests a
re-run after they have been resolved.
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 11 Sep 2008 23:16:31 -0400
+ [ Jameson Graef Rollins ]
+ * Genericize fs location variables.
+ * break out gpg.conf files into SYSCONFIGDIR, and not auto-generated at
+ install.
+
+ -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Sat, 11 Oct 2008 14:27:17 -0400
monkeysphere (0.15-1) experimental; urgency=low
# install host gnupg home directory
install --owner root --group monkeysphere --mode 750 -d "$VARLIB"/gnupg-host
# link in the gpg.conf
-ln -s "$ETC"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf
+ln -sTf "$ETC"/gpg-host.conf "$VARLIB"/gnupg-host/gpg.conf
# install authentication gnupg home directory
install --owner monkeysphere --group monkeysphere --mode 700 -d "$VARLIB"/gnupg-authentication
# link in the gpg.conf
-ln -s "$ETC"/gnupg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf
+ln -sTf "$ETC"/gpg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf
--- /dev/null
+#!/bin/sh -e
+
+# preinst script for monkeysphere
+
+# Author: Jameson Rollins <jrollins@fifthhorseman.net>
+# Copyright 2008
+
+ETC="/etc/monkeysphere"
+VARLIB="/var/lib/monkeysphere"
+
+# move the gpg.conf files from the GNUPGHOMEs if they're there to
+# /etc, where they will be linked back into the GNUPGHOMEs later
+if [ -f "$VARLIB"/gnupg-host/gpg.conf -a ! -L "$VARLIB"/gnupg-host/gpg.conf ] ; then
+ mv "$VARLIB"/gnupg-host/gpg.conf "$ETC"/gpg-host.conf
+ chown root:root "$ETC"/gpg-host.conf
+ ln -s "$ETC"/gpg-host.conf "$VARLIB"/gnupg-host/gpg.conf
+fi
+if [ -f "$VARLIB"/gnupg-authentication/gpg.conf -a ! -L "$VARLIB"/gnupg-authentication/gpg.conf ] ; then
+ mv "$VARLIB"/gnupg-authentication/gpg.conf "$ETC"/gpg-authentication.conf
+ chown root:root "$ETC"/gpg-authentication.conf
+ ln -s "$ETC"/gpg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf
+fi
# Monkeysphere authentication GNUPG home gpg.conf
+# Location of the various Monkeysphere keyrings.
+# It is highly recommended that you
+# DO NOT MODIFY
+# these variables.
primary-keyring /var/lib/monkeysphere/gnupg-authentication/pubring.gpg
keyring /var/lib/monkeysphere/gnupg-host/pubring.gpg
+# PGP keyserver to use for PGP queries.
keyserver hkp://pgp.mit.edu
+# GPG list options. It is recommended that you have at least
+# "show-uid-validity".
list-options show-uid-validity
# Monkeysphere host GNUPG home gpg.conf
+# GPG list options. It is recommended that you have at least
+# "show-uid-validity".
list-options show-uid-validity
userID="$1"
- log info " checking keyserver $KEYSERVER... "
+ log verbose " checking keyserver $KEYSERVER... "
echo 1,2,3,4,5 | \
gpg --quiet --batch --with-colons \
--command-fd 0 --keyserver "$KEYSERVER" \
# if overall key is not valid, skip
if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
- log error " - unacceptable primary key validity ($validity)."
+ log debug " - unacceptable primary key validity ($validity)."
continue
fi
# if overall key is disabled, skip
if check_capability "$usage" 'D' ; then
- log error " - key disabled."
+ log debug " - key disabled."
continue
fi
# if overall key capability is not ok, skip
if ! check_capability "$usage" $requiredPubCapability ; then
- log error " - unacceptable primary key capability ($usage)."
+ log debug " - unacceptable primary key capability ($usage)."
continue
fi
;;
'uid') # user ids
if [ "$lastKey" != pub ] ; then
- log error " - got a user ID after a sub key?! user IDs should only follow primary keys!"
+ log verbose " - got a user ID after a sub key?! user IDs should only follow primary keys!"
continue
fi
# if an acceptable user ID was already found, skip
echo "0:${sshKey}"
fi
else
- log error " - unacceptable primary key."
+ log debug " - unacceptable primary key."
if [ -z "$sshKey" ] ; then
log error " ! primary key could not be translated (not RSA or DSA?)."
else
echo "0:${sshKey}"
fi
else
- log error " - unacceptable sub key."
+ log debug " - unacceptable sub key."
if [ -z "$sshKey" ] ; then
log error " ! sub key could not be translated (not RSA or DSA?)."
else
# note if the known_hosts file was updated
if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then
- log verbose "known_hosts file updated."
+ log debug "known_hosts file updated."
fi
# if an acceptable host was found, return 0
process_known_hosts() {
local hosts
- log verbose "processing known_hosts file..."
+ log debug "processing known_hosts file..."
hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ')
if [ -z "$hosts" ] ; then
- log error "no hosts to process."
+ log debug "no hosts to process."
return
fi
# note if the authorized_keys file was updated
if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then
- log verbose "authorized_keys file updated."
+ log debug "authorized_keys file updated."
fi
# if an acceptable id was found, return 0
authorizedUserIDs="$1"
- log verbose "processing authorized_user_ids file..."
+ log debug "processing authorized_user_ids file..."
if ! meat "$authorizedUserIDs" > /dev/null ; then
- log error "no user IDs to process."
+ log debug "no user IDs to process."
return
fi
########################################################################
PGRM=$(basename $0)
-SHARE=${MONKEYSPHERE_SHARE:-"/usr/share/monkeysphere"}
-export SHARE
-. "${SHARE}/common" || exit 1
+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
+export SYSSHAREDIR
+. "${SYSSHAREDIR}/common" || exit 1
# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
usage() {
cat <<EOF >&2
usage: $PGRM <subcommand> [options] [args]
-MonkeySphere client tool.
+Monkeysphere client tool.
subcommands:
update-known_hosts (k) [HOST]... update known_hosts file
########################################################################
PGRM=$(basename $0)
-SHARE=${MONKEYSPHERE_SHARE:-"/usr/share/monkeysphere"}
-export SHARE
-. "${SHARE}/common" || exit 1
+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
+export SYSSHAREDIR
+. "${SYSSHAREDIR}/common" || exit 1
-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"
+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
export SYSDATADIR
# UTC date in ISO 8601 format if needed
usage() {
cat <<EOF >&2
usage: $PGRM <subcommand> [options] [args]
-MonkeySphere server admin tool.
+Monkeysphere server admin tool.
subcommands:
update-users (u) [USER]... update user authorized_keys files
fi
# make sure the authorized_keys directory exists
- mkdir -p "${VARLIB}/authorized_keys"
+ mkdir -p "${SYSDATADIR}/authorized_keys"
# loop over users
for uname in $unames ; do
# process authorized_user_ids file, as monkeysphere
# user
su_monkeysphere_user \
- ". ${SHARE}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
+ ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
RETURN="$?"
fi
chmod g+r "$AUTHORIZED_KEYS"
# move the resulting authorized_keys file into place
- mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
+ mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}"
# destroy temporary directory
rm -rf "$TMPLOC"
# NOTE: assumes that the primary key is the proper key to use
(umask 077 && \
gpg_host --export-secret-key "$fingerprint" | \
- openpgp2ssh "$fingerprint" > "${VARLIB}/ssh_host_rsa_key")
- log info "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key"
+ openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
+ log info "Private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
}
# extend the lifetime of a host key:
problemsfound=$(($problemsfound+1))
fi
- if ! [ -d "$VARLIB" ] ; then
- echo "! no $VARLIB directory found. Please create it."
+ if ! [ -d "$SYSDATADIR" ] ; then
+ echo "! no $SYSDATADIR directory found. Please create it."
problemsfound=$(($problemsfound+1))
fi
# Ensure that the ssh_host_rsa_key file is present and non-empty:
echo
echo "Checking host SSH key..."
- if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then
- echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty."
+ if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then
+ echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty."
problemsfound=$(($problemsfound+1))
else
- if [ $(ls -l "${VARLIB}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
- echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600."
+ if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
+ echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600."
problemsfound=$(($problemsfound+1))
fi
# propose changes needed for sshd_config (if any)
- if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then
- echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
- echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
+ if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then
+ echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)."
+ echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'"
problemsfound=$(($problemsfound+1))
fi
- if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then
+ if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then
echo "! $sshd_config refers to some non-monkeysphere host keys:"
echo "$badhostkeys"
echo " - Recommendation: remove the above HostKey lines from $sshd_config"
echo
echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
# Ensure that User ID authentication is enabled:
- if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" "$sshd_config"; then
+ if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then
echo "! $sshd_config does not point to monkeysphere authorized keys."
- echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'"
+ echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'"
problemsfound=$(($problemsfound+1))
fi
- if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then
+ if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then
echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
echo "$badauthorizedkeys"
echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
# other variables
CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
-GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${VARLIB}/gnupg-host"}
-GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${VARLIB}/gnupg-authentication"}
+GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"}
+GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"}
# export variables needed in su invocation
export DATE
Thoughts?
--dkg
+
+---
+
+[[bugs/done]] on 2008-10-11
symlink to them from the monkeysphere-specific `$GNUPGHOME`s in
`/var/lib/monkeysphere`, since `gpg` does not seem to allow for
overriding the location of the `gpg.conf` independent of `$GNUPGHOME`.
+
+---
+
+All the gpg.conf files now reside in /etc/monkeysphere, and are linked
+in into the GNUPGHOMEs in /var/lib/monkeysphere.
+
+[[bugs/done]] on 2008-10-11