clean up the diagnostics functions, check for ID-Certifiers in m-a d
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Fri, 20 Feb 2009 03:06:43 +0000 (22:06 -0500)
committerDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Fri, 20 Feb 2009 03:06:43 +0000 (22:06 -0500)
src/share/ma/diagnostics
src/share/mh/diagnostics

index 7810c562134fc6a2c257044409bb5a0dc0088b47..ce463b211c1a811d7db8c28e2f2026532e046918 100644 (file)
@@ -47,7 +47,10 @@ if ! [ -d "$MADATADIR" ] ; then
     exit
 fi    
 
-# FIXME: what's the correct, cross-platform answer?
+# FIXME: what's the correct, cross-platform way to determine where
+# sshd_config lives?
+sshd_config=/etc/ssh/sshd_config
+
 seckey=$(gpg_core --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
 keysfound=$(echo "$seckey" | grep -c ^sec:)
 curdate=$(date +%s)
@@ -97,7 +100,16 @@ fi
 # FIXME: look to see that the ownertrust rules are set properly on the
 #    sphere keyring
 
-# FIXME: make sure that at least one identity certifier exists
+# make sure that at least one identity certifier exists
+echo
+echo "Checking for Identity Certifiers..."
+if ! monkeysphere-authentication list-identity-certifiers | egrep -q '^[A-F0-9]{40}:' then
+    echo "! No Identity Certifiers found!"
+    echo " - Recommendation: once you know who should be able to certify identities for 
+     connecting users, you should add their key, with: 
+      monkeysphere-authentication add-identity-certifier"
+    problemsfound=$(($problemsfound+1))
+fi
 
 # FIXME: look at the timestamps on the monkeysphere-generated
 # authorized_keys files -- warn if they seem out-of-date.
index 51530e3a67d5efb224b418f2608a122777872cc0..2f65f899f4cfdd7f0e4aad9fe1304ee50bf46ec2 100644 (file)
@@ -25,13 +25,10 @@ local expire
 local uid
 local fingerprint
 local badhostkeys
-local sshd_config
 local problemsfound=0
 
 report_cruft
 
-# FIXME: what's the correct, cross-platform answer?
-sshd_config=/etc/ssh/sshd_config
 seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
 keysfound=$(echo "$seckey" | grep -c ^sec:)
 curdate=$(date +%s)
@@ -52,7 +49,7 @@ fi
 echo "Checking host GPG key..."
 if (( "$keysfound" < 1 )); then
     echo "! No host key found."
-    echo " - Recommendation: run 'monkeysphere-host gen-key' or 'monkeysphere-host import-key'"
+    echo " - Recommendation: run 'monkeysphere-host import-key'"
     problemsfound=$(($problemsfound+1))
 elif (( "$keysfound" > 1 )); then
     echo "! More than one host key found?"
@@ -116,35 +113,9 @@ else
 # FIXME: propose adding a revoker to the host key if none exist (do we
 #   have a way to do that after key generation?)
 
-    # Ensure that the ssh_host_rsa_key file is present and non-empty:
-    echo
-    echo "Checking host SSH key..."
-    if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then
-       echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty."
-       problemsfound=$(($problemsfound+1))
-    else
-       if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
-           echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600."
-           problemsfound=$(($problemsfound+1))
-       fi
-
-       # propose changes needed for sshd_config (if any)
-       if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then
-           echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)."
-           echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'"
-           problemsfound=$(($problemsfound+1))
-       fi
-       if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then
-           echo "! $sshd_config refers to some non-monkeysphere host keys:"
-           echo "$badhostkeys"
-           echo " - Recommendation: remove the above HostKey lines from $sshd_config"
-           problemsfound=$(($problemsfound+1))
-       fi
+# FIXME: test (with ssh-keyscan?) that the running ssh
+# daemon is actually offering the monkeysphere host key.
 
-        # FIXME: test (with ssh-keyscan?) that the running ssh
-        # daemon is actually offering the monkeysphere host key.
-
-    fi
 fi
 
 # FIXME: look at the ownership/privileges of the various keyrings,