Major rework to remove all caching. Everything processed straight
authorJameson Graef Rollins <jrollins@phys.columbia.edu>
Tue, 17 Jun 2008 15:11:27 +0000 (11:11 -0400)
committerJameson Graef Rollins <jrollins@phys.columbia.edu>
Tue, 17 Jun 2008 17:57:30 +0000 (13:57 -0400)
from gpg keyring.  Major code simplification and cleanup.

etc/monkeysphere.conf
src/common
src/monkeysphere
src/monkeysphere-server

index 003ecf689591c2b61440158564afac854a900e88..17c1a14f64927efde45d7b157416523a523d2f63 100644 (file)
@@ -3,9 +3,6 @@
 # This is an sh-style shell configuration file.  Variable names should
 # be separated from their assignements by a single '=' and no spaces.
 
-# authorized_user_ids file
-#AUTHORIZED_USER_IDS=~/.config/monkeysphere/authorized_user_ids
-
 # GPG home directory
 #GNUPGHOME=~/.gnupg
 
 #REQUIRED_HOST_KEY_CAPABILITY="e a"
 #REQUIRED_USER_KEY_CAPABILITY="a"
 
-# Path to user-controlled authorized_keys file to add to
-# Monkeysphere-generated authorized_keys file.
-# To not add any user-controlled file, put "-"
-#USER_CONTROLLED_AUTHORIZED_KEYS=~/.ssh/authorized_keys
-
-# User known_hosts file
-#USER_KNOWN_HOSTS=~/.ssh/known_hosts
+# ssh known_hosts file
+#KNOWN_HOSTS=~/.ssh/known_hosts
 
 # Whether or not to hash the generated known_hosts lines.
 # Should be "true" or "false"
 #HASH_KNOWN_HOSTS=true
+
+# ssh authorized_keys file
+#AUTHORIZED_KEYS=~/.ssh/known_hosts
index 64d28cb221871c351d798c31d74f908bcb3b8265..7a904534d4f9b3fb1302dd7b30b1612923d69916 100644 (file)
 # file) and are considered global
 
 ########################################################################
+### COMMON VARIABLES
+
 # managed directories
 ETC="/etc/monkeysphere"
 export ETC
 CACHE="/var/cache/monkeysphere"
 export CACHE
+
 ########################################################################
+### UTILITY FUNCTIONS
 
 failure() {
     echo "$1" >&2
@@ -29,6 +33,10 @@ log() {
     echo "$@" 1>&2
 }
 
+loge() {
+    echo "$@" 1>&2
+}
+
 # cut out all comments(#) and blank lines from standard input
 meat() {
     grep -v -e "^[[:space:]]*#" -e '^$'
@@ -39,72 +47,89 @@ cutline() {
     head --line="$1" | tail -1
 }
 
-# retrieve all keys with given user id from keyserver
-# FIXME: need to figure out how to retrieve all matching keys
-# (not just first 5)
-gpg_fetch_userid() {
-    local userID
-
-    userID="$1"
-
-    log "checking keyserver $KEYSERVER..."
-    echo 1,2,3,4,5 | \
-       gpg --quiet --batch --command-fd 0 --with-colons \
-       --keyserver "$KEYSERVER" \
-       --search ="$userID" >/dev/null 2>&1
-    if [ "$?" = 0 ] ; then
-       log "  user ID found on keyserver."
-       return 0
-    else
-       log "  user ID not found on keyserver."
-       return 1
-    fi
-}
-
 # check that characters are in a string (in an AND fashion).
 # used for checking key capability
 # check_capability capability a [b...]
 check_capability() {
-    local capability
+    local usage
     local capcheck
 
-    capability="$1"
+    usage="$1"
     shift 1
 
     for capcheck ; do
-       if echo "$capability" | grep -q -v "$capcheck" ; then
+       if echo "$usage" | grep -q -v "$capcheck" ; then
            return 1
        fi
     done
     return 0
 }
 
-# get the full fingerprint of a key ID
-get_key_fingerprint() {
+# convert escaped characters from gpg output back into original
+# character
+# FIXME: undo all escape character translation in with-colons gpg output
+unescape() {
+    echo "$1" | sed 's/\\x3a/:/'
+}
+
+# remove all lines with specified string from specified file
+remove_file_line() {
+    local file
+    local string
+
+    file="$1"
+    string="$2"
+
+    if [ "$file" -a "$string" ] ; then
+       grep -v "$string" "$file" | sponge "$file"
+    fi
+}
+
+### CONVERTION UTILITIES
+
+# output the ssh key for a given key ID
+gpg2ssh() {
     local keyID
+    
+    #keyID="$1" #TMP
+    # only use last 16 characters until openpgp2ssh can take all 40 #TMP
+    keyID=$(echo "$1" | cut -c 25-) #TMP
 
-    keyID="$1"
+    gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null
+}
 
-    gpg --list-key --with-colons --fixed-list-mode \
-       --with-fingerprint "$keyID" | grep "$keyID" | \
-       grep '^fpr:' | cut -d: -f10
+# output known_hosts line from ssh key
+ssh2known_hosts() {
+    local host
+    local key
+
+    host="$1"
+    key="$2"
+
+    echo -n "$host "
+    echo -n "$key" | tr -d '\n'
+    echo " MonkeySphere${DATE}"
 }
 
+# output authorized_keys line from ssh key
+ssh2authorized_keys() {
+    local userID
+    local key
+    
+    userID="$1"
+    key="$2"
 
-# convert escaped characters from gpg output back into original
-# character
-# FIXME: undo all escape character translation in with-colons gpg output
-unescape() {
-    echo "$1" | sed 's/\\x3a/:/'
+    echo -n "$key" | tr -d '\n'
+    echo " MonkeySphere${DATE}: ${userID}"
 }
 
 # convert key from gpg to ssh known_hosts format
 gpg2known_hosts() {
-    local keyID
     local host
+    local keyID
 
-    keyID="$1"
-    host=$(echo "$2" | sed -e "s|ssh://||")
+    host="$1"
+    keyID="$2"
 
     # NOTE: it seems that ssh-keygen -R removes all comment fields from
     # all lines in the known_hosts file.  why?
@@ -112,53 +137,88 @@ gpg2known_hosts() {
     # following regexp:
     # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
     echo -n "$host "
-    gpg --export "$keyID" | \
-       openpgp2ssh "$keyID" | tr -d '\n'
+    gpg2ssh "$keyID" | tr -d '\n'
     echo " MonkeySphere${DATE}"
 }
 
 # convert key from gpg to ssh authorized_keys format
 gpg2authorized_keys() {
+    local userID
     local keyID
+
+    userID="$1"
+    keyID="$2"
+
+    # NOTE: just in case, the COMMENT can be matched with the
+    # following regexp:
+    # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
+    gpg2ssh "$keyID" | tr -d '\n'
+    echo " MonkeySphere${DATE}: ${userID}"
+}
+
+### GPG UTILITIES
+
+# retrieve all keys with given user id from keyserver
+# FIXME: need to figure out how to retrieve all matching keys
+# (not just first N (5 in this case))
+gpg_fetch_userid() {
     local userID
 
+    userID="$1"
+
+    log -n " checking keyserver $KEYSERVER... "
+    echo 1,2,3,4,5 | \
+       gpg --quiet --batch --with-colons \
+       --command-fd 0 --keyserver "$KEYSERVER" \
+       --search ="$userID" > /dev/null 2>&1
+    loge "done."
+}
+
+# get the full fingerprint of a key ID
+get_key_fingerprint() {
+    local keyID
+
     keyID="$1"
-    userID="$2"
 
-    gpg --export "$keyID" | \
-       openpgp2ssh "$keyID" | tr -d '\n'
-    echo " MonkeySphere${DATE}: ${userID}"
+    gpg --list-key --with-colons --fixed-list-mode \
+       --with-fingerprint "$keyID" | grep "$keyID" | \
+       grep '^fpr:' | cut -d: -f10
 }
 
+########################################################################
+### PROCESSING FUNCTIONS
+
 # userid and key policy checking
 # the following checks policy on the returned keys
 # - checks that full key has appropriate valididy (u|f)
 # - checks key has specified capability (REQUIRED_*_KEY_CAPABILITY)
-# - checks that particular desired user id has appropriate validity
-# see /usr/share/doc/gnupg/DETAILS.gz
+# - checks that requested user ID has appropriate validity
+# (see /usr/share/doc/gnupg/DETAILS.gz)
+# output is one line for every found key, in the following format:
+#
+# flag fingerprint
+#
+# "flag" is an acceptability flag, 0 = ok, 1 = bad
+# "fingerprint" is the fingerprint of the key
+#
 # expects global variable: "MODE"
 process_user_id() {
     local userID
-    local cacheDir
     local requiredCapability
     local requiredPubCapability
     local gpgOut
-    local userIDHash
-    local keyCacheDir
-    local line
     local type
     local validity
     local keyid
     local uidfpr
     local usage
     local keyOK
-    local pubKeyID
     local uidOK
-    local keyIDs
-    local keyID
+    local lastKey
+    local lastKeyOK
+    local fingerprint
 
     userID="$1"
-    cacheDir="$2"
 
     # set the required key capability based on the mode
     if [ "$MODE" = 'known_hosts' ] ; then
@@ -181,12 +241,10 @@ process_user_id() {
 
     # if the gpg query return code is not 0, return 1
     if [ "$?" -ne 0 ] ; then
-        log "  key not found."
+        log "  key not found."
         return 1
     fi
 
-    echo "$gpgOut"
-
     # loop over all lines in the gpg output and process.
     # need to do it this way (as opposed to "while read...") so that
     # variables set in loop will be visible outside of loop
@@ -198,22 +256,25 @@ process_user_id() {
                # new key, wipe the slate
                keyOK=
                uidOK=
-               pubKeyOK=
+               lastKey=pub
+               lastKeyOK=
                fingerprint=
 
+               log " primary key found: $keyid"
+
                # if overall key is not valid, skip
                if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
-                   log "  unacceptable primary key validity ($validity)."
+                   log "  unacceptable primary key validity ($validity)."
                    continue
                fi
                # if overall key is disabled, skip
                if check_capability "$usage" 'D' ; then
-                   log "  key disabled."
+                   log "  key disabled."
                    continue
                fi
                # if overall key capability is not ok, skip
                if ! check_capability "$usage" $requiredPubCapability ; then
-                   log "  unacceptable primary key capability ($usage)."
+                   log "  unacceptable primary key capability ($usage)."
                    continue
                fi
 
@@ -222,14 +283,10 @@ process_user_id() {
 
                # mark primary key as ok if capability is ok
                if check_capability "$usage" $requiredCapability ; then
-                   pubKeyOK=true
+                   lastKeyOK=true
                fi
                ;;
            'uid') # user ids
-               # if the overall key is not ok, skip
-               if [ -z "$keyOK" ] ; then
-                   continue
-               fi
                # if an acceptable user ID was already found, skip
                if [ "$uidOK" ] ; then
                    continue
@@ -248,8 +305,8 @@ process_user_id() {
 
                # output a line for the primary key
                # 0 = ok, 1 = bad
-               if [ "$keyOK" -a "$uidOK" -a "$pubKeyOK" ] ; then
-                   log "  acceptable key found"
+               if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
+                   log "  * acceptable key found."
                    echo 0 "$fingerprint"
                else
                    echo 1 "$fingerprint"
@@ -257,13 +314,10 @@ process_user_id() {
                ;;
            'sub') # sub keys
                # unset acceptability of last key
-               subKeyOK=
+               lastKey=sub
+               lastKeyOK=
                fingerprint=
 
-               # if the overall key is not ok, skip
-               if [ -z "$keyOK" ] ; then
-                   continue
-               fi
                # if sub key validity is not ok, skip
                if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
                    continue
@@ -274,15 +328,20 @@ process_user_id() {
                fi
 
                # mark sub key as ok
-               subKeyOK=true
+               lastKeyOK=true
                ;;
            'fpr') # key fingerprint
                fingerprint="$uidfpr"
 
+               # if the last key was the pub key, skip
+               if [ "$lastKey" = pub ] ; then
+                   continue
+               fi
+               
                # output a line for the last subkey
                # 0 = ok, 1 = bad
-               if [ "$keyOK" -a "$uidOK" -a "$subKeyOK" ] ; then
-                   log "  acceptable key found"
+               if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
+                   log "  * acceptable key found."
                    echo 0 "$fingerprint"
                else
                    echo 1 "$fingerprint"
@@ -297,32 +356,25 @@ process_user_id() {
 # and not already in file.
 update_userid() {
     local userID
-    local cacheDir
-    local keyCache
 
     userID="$1"
-    cacheDir="$2"
 
     log "processing userid: '$userID'"
 
-    # return 1 if there is no output of the user ID processing
-    # ie. no key was found
-    keyCachePath=$(process_user_id "$userID" "$cacheDir")
-    if [ -z "$keyCachePath" ] ; then
-       return 1
-    fi
+    # process the user ID to pull it from keyserver
+    process_user_id "$userID" | grep -q "^0 "
 
     # check if user ID is in the authorized_user_ids file
     if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
        read -p "user ID not currently authorized.  authorize? [Y|n]: " OK; OK=${OK:=Y}
        if [ ${OK/y/Y} = 'Y' ] ; then
            # add if specified
-           log -n "adding user ID to authorized_user_ids file... "
+           log -n " adding user ID to authorized_user_ids file... "
            echo "$userID" >> "$AUTHORIZED_USER_IDS"
-           echo "done."
+           loge "done."
        else
            # else do nothing
-           log "authorized_user_ids file untouched."
+           log " authorized_user_ids file untouched."
        fi
     fi
 }
@@ -337,53 +389,70 @@ remove_userid() {
 
     # check if user ID is in the authorized_user_ids file
     if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
-       log "user ID not currently authorized."
+       log " user ID not currently authorized."
        return 1
     fi
 
     # remove user ID from file
-    log -n "removing user ID '$userID'... "
-    grep -v "$userID" "$AUTHORIZED_USER_IDS" | sponge "$AUTHORIZED_USER_IDS"
-    echo "done."
+    log -n " removing user ID '$userID'... "
+    remove_file_line "$AUTHORIZED_USER_IDS" "^${userID}$"
+    loge "done."
 }
 
-# remove all keys from specified key cache from known_hosts file
-remove_known_hosts_host_keys() {
-    local keyCachePath
-    local hosts
-    local type
-    local key
-    local comment
+# process a host in known_host file
+process_host_known_hosts() {
+    local host
+    local userID
+    local ok
+    local keyid
+    local tmpfile
 
-    keyCachePath="$1"
+    host="$1"
+    userID="ssh://${host}"
+
+    log "processing host: $host"
 
-    meat "${keyCachePath}/keys" | \
-    while read -r hosts type key comment ; do
-       grep -v "$key" "$USER_KNOWN_HOSTS" | sponge "$USER_KNOWN_HOSTS"
+    process_user_id "ssh://${host}" | \
+    while read -r ok keyid ; do
+       sshKey=$(gpg2ssh "$keyid")
+       # remove the old host key line
+       remove_file_line "$KNOWN_HOSTS" "$sshKey"
+       # if key OK, add new host line
+       if [ "$ok" -eq '0' ] ; then
+           # hash if specified
+           if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then
+               # FIXME: this is really hackish cause ssh-keygen won't
+               # hash from stdin to stdout
+               tmpfile=$(mktemp)
+               ssh2known_hosts "$host" "$sshKey" > "$tmpfile"
+               ssh-keygen -H -f "$tmpfile" 2> /dev/null
+               cat "$tmpfile" >> "$KNOWN_HOSTS"
+               rm -f "$tmpfile" "${tmpfile}.old"
+           else
+               ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS"
+           fi
+       fi
     done
 }
 
-# process a host for addition to a known_host file
-process_host() {
-    local host
-    local cacheDir
-    local keyCachePath
+# process a uid in an authorized_keys file
+process_uid_authorized_keys() {
+    local userID
+    local ok
+    local keyid
 
-    host="$1"
-    cacheDir="$2"
+    userID="$1"
 
-    log "processing host: $host"
+    log "processing user ID: $userID"
 
-    userID="ssh://${host}"
-    process_user_id "ssh://${host}"
-    exit
-    process_user_id "ssh://${host}" | \
-    while read -r ok key ; do
+    process_user_id "$userID" | \
+    while read -r ok keyid ; do
+       sshKey=$(gpg2ssh "$keyid")
        # remove the old host key line
-       remove_known_hosts_host_keys "$key"
+       remove_file_line "$AUTHORIZED_KEYS" "$sshKey"
        # if key OK, add new host line
        if [ "$ok" -eq '0' ] ; then
-           known_hosts_line "$host" "$key" >> "$USER_KNOWN_HOSTS"
+           ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS"
        fi
     done
 }
@@ -392,110 +461,69 @@ process_host() {
 # go through line-by-line, extract each host, and process with the
 # host processing function
 process_known_hosts() {
-    local cacheDir
     local hosts
     local host
 
-    cacheDir="$1"
-
     # take all the hosts from the known_hosts file (first field),
     # grep out all the hashed hosts (lines starting with '|')...
-    meat "$USER_KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | \
+    cat "$KNOWN_HOSTS" | meat | \
+       cut -d ' ' -f 1 | grep -v '^|.*$' | \
     while IFS=, read -r -a hosts ; do
-       # ...and process each host
+       # and process each host
        for host in ${hosts[*]} ; do
-           process_host "$host" "$cacheDir"
+           process_host_known_hosts "$host"
        done
     done
 }
 
-# update an authorized_keys file after first processing the 
-# authorized_user_ids file
-update_authorized_keys() {
-    local msAuthorizedKeys
-    local userAuthorizedKeys
-    local cacheDir
-
-    msAuthorizedKeys="$1"
-    userAuthorizedKeys="$2"
-    cacheDir="$3"
-
-    process_authorized_ids "$AUTHORIZED_USER_IDS" "$cacheDir"
-
-    # write output key file
-    log "writing monkeysphere authorized_keys file... "
-    touch "$msAuthorizedKeys"
-    if [ "$(ls "$cacheDir")" ] ; then
-       log -n "adding gpg keys... "
-       cat "$cacheDir"/* > "$msAuthorizedKeys"
-       echo "done."
-    else
-       log "no gpg keys to add."
-    fi
-    if [ "$userAuthorizedKeys" != "-" -a -s "$userAuthorizedKeys" ] ; then
-       log -n "adding user authorized_keys file... "
-       cat "$userAuthorizedKeys" >> "$msAuthorizedKeys"
-       echo "done."
-    fi
-    log "monkeysphere authorized_keys file generated:"
-    log "$msAuthorizedKeys"
-}
-
-# process an authorized_*_ids file
-# go through line-by-line, extract each userid, and process
-process_authorized_ids() {
-    local authorizedIDs
-    local cacheDir
-    local userID
-
-    authorizedIDs="$1"
-    cacheDir="$2"
+# process an authorized_user_ids file for authorized_keys
+process_authorized_user_ids() {
+    local userid
 
-    process_user_id "$userID" | \
-    while read -r ok key ; do
-       # remove the old host key line
-       remove_authorized_keys_user_keys "$key"
-       # if key OK, add new host line
-       if [ "$ok" -eq '0' ] ; then
-           authorized_keys_line "$userID" "$key" >> "$USER_AUTHORIZED_KEYS"
-       fi
+    cat "$AUTHORIZED_USER_IDS" | meat | \
+    while read -r userid ; do
+       process_uid_authorized_keys "$userid"
     done
 }
 
 # EXPERIMENTAL (unused) process userids found in authorized_keys file
 # go through line-by-line, extract monkeysphere userids from comment
 # fields, and process each userid
+# NOT WORKING
 process_authorized_keys() {
     local authorizedKeys
-    local cacheDir
     local userID
 
     authorizedKeys="$1"
-    cacheDir="$2"
 
     # take all the monkeysphere userids from the authorized_keys file
     # comment field (third field) that starts with "MonkeySphere uid:"
     # FIXME: needs to handle authorized_keys options (field 0)
-    cat "$authorizedKeys" | \
+    cat "$authorizedKeys" | meat | \
     while read -r options keytype key comment ; do
        # if the comment field is empty, assume the third field was
        # the comment
        if [ -z "$comment" ] ; then
            comment="$key"
        fi
-       if ! echo "$comment" | grep '^MonkeySphere userID:.*$' ; then
+
+       if echo "$comment" | egrep -v -q '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}:' ; then
            continue
        fi
-       userID=$(echo "$comment" | sed -e "/^MonkeySphere userID://")
+       userID=$(echo "$comment" | awk "{ print $2 }")
        if [ -z "$userID" ] ; then
            continue
        fi
+
        # process the userid
        log "processing userid: '$userID'"
-       process_user_id "$userID" "$cacheDir" > /dev/null
+       process_user_id "$userID" > /dev/null
     done
 }
 
+##################################################
+### GPG HELPER FUNCTIONS
+
 # retrieve key from web of trust, and set owner trust to "full"
 # if key is found.
 trust_key() {
index 8e4c4eb7823ad57b7fdb20bbf03d48af4131a8b3..6853f581ff2ff1b81083ed385ba3566326be7f32 100755 (executable)
@@ -53,7 +53,7 @@ gen_subkey(){
 
     keyID="$1"
 
-    gpgOut=$(gpg --fixed-list-mode --list-keys --with-colons \
+    gpgOut=$(gpg --quiet --fixed-list-mode --list-keys --with-colons \
        "$keyID" 2> /dev/null)
 
     # return 1 if there only "tru" lines are output from gpg
@@ -90,8 +90,9 @@ save
 EOF
 )
 
-    echo "generating subkey..."
+    log "generating subkey..."
     echo "$editCommands" | gpg --expert --command-fd 0 --edit-key "$keyID"
+    log "done."
 }
 
 ########################################################################
@@ -116,25 +117,19 @@ KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
 REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"}
 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
-USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"}
-USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"}
+KNOWN_HOSTS=${KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"}
+AUTHORIZED_KEYS=${AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"}
 HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"}
 
 export GNUPGHOME
 
-# stagging locations
-hostKeysCacheDir="${MS_HOME}/host_keys"
-userKeysCacheDir="${MS_HOME}/user_keys"
-msAuthorizedKeys="${MS_HOME}/authorized_keys"
-
 # make sure gpg home exists with proper permissions
 mkdir -p -m 0700 "$GNUPGHOME"
 
 # make sure the user monkeysphere home directory exists
 mkdir -p -m 0700 "$MS_HOME"
-mkdir -p "$hostKeysCacheDir"
-mkdir -p "$userKeysCacheDir"
 touch "$AUTHORIZED_USER_IDS"
+touch "$AUTHORIZED_KEYS"
 
 case $COMMAND in
     'update-known_hosts'|'update-known-hosts'|'k')
@@ -142,23 +137,25 @@ case $COMMAND in
 
         # touch the known_hosts file to make sure it exists
        # ssh-keygen complains if it doesn't exist
-       touch "$USER_KNOWN_HOSTS"
+       touch "$KNOWN_HOSTS"
 
         # if hosts are specified on the command line, process just
         # those hosts
        if [ "$1" ] ; then
             for host ; do
-               process_host "$host"
+               process_host_known_hosts "$host"
            done
+           log "known_hosts file updated."
 
         # otherwise, if no hosts are specified, process every user
         # in the user's known_hosts file
        else
-           if [ ! -s "$USER_KNOWN_HOSTS" ] ; then
-               failure "known_hosts file '$USER_KNOWN_HOSTS' is empty."
+           if [ ! -s "$KNOWN_HOSTS" ] ; then
+               failure "known_hosts file '$KNOWN_HOSTS' is empty."
            fi
            log "processing known_hosts file..."
            process_known_hosts
+           log "known_hosts file updated."
        fi
        ;;
 
@@ -192,8 +189,10 @@ case $COMMAND in
            failure "$AUTHORIZED_USER_IDS is empty."
        fi
 
-       # update authorized_keys
-       update_authorized_keys "$msAuthorizedKeys" "$USER_CONTROLLED_AUTHORIZED_KEYS" "$userKeysCacheDir"
+       # process authorized_user_ids file
+       log "processing authorized_user_ids file..."
+       process_authorized_user_ids
+       log "authorized_keys file updated."
        ;;
 
     'gen-subkey'|'g')
index 6279c4561a324fc40dc7a358df409ef9bb06056c..560d249867d780183f9b070ed341c099bf948963 100755 (executable)
@@ -106,7 +106,7 @@ EOF
 
     log -n "generating server key... "
     echo "$keyParameters" | gpg --batch --gen-key
-    echo "done."
+    loge "done."
 }
 
 ########################################################################
@@ -127,20 +127,25 @@ MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
 # set empty config variable with defaults
 GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
+CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
 
 export GNUPGHOME
 
+# make sure the monkeysphere home directory exists
+mkdir -p "${MS_HOME}/authorized_user_ids"
 # make sure gpg home exists with proper permissions
 mkdir -p -m 0700 "$GNUPGHOME"
+# make sure the authorized_keys directory exists
+mkdir -p "${CACHE}/authorized_keys"
 
 case $COMMAND in
     'update-users'|'update-user'|'s')
        if [ "$1" ] ; then
            unames="$@"
        else
-           unames=$(ls -1 "$MS_HOME"/authorized_user_ids)
+           unames=$(ls -1 "${MS_HOME}/authorized_user_ids")
        fi
 
        for uname in $unames ; do
@@ -149,12 +154,14 @@ case $COMMAND in
            log "----- user: $uname -----"
 
            # set variables for the user
-           AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
-           msAuthorizedKeys="$CACHE"/"$uname"/authorized_keys
-           cacheDir="$CACHE"/"$uname"/user_keys
+           AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}"
+           # temporary authorized_keys file
+           AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp"
 
             # make sure user's authorized_user_ids file exists
            touch "$AUTHORIZED_USER_IDS"
+           # make sure the authorized_keys file exists and is clear
+           > "$AUTHORIZED_KEYS"
 
            # skip if the user's authorized_user_ids file is empty
            if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
@@ -162,14 +169,23 @@ case $COMMAND in
                continue
            fi
 
-           # set user-controlled authorized_keys file path
-           if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then
+           # process authorized_user_ids file
+           log "processing authorized_user_ids file..."
+           process_authorized_user_ids
+
+           # add user-controlled authorized_keys file path if specified
+           if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
                userHome=$(getent passwd "$uname" | cut -d: -f6)
                userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
+               log -n "adding user's authorized_keys file... "
+               cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
+               loge "done."
            fi
 
-           # update authorized_keys
-           update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$cacheDir"
+           # move the temp authorized_keys file into place
+           mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}"
+
+           log "authorized_keys file updated."
        done
 
        log "----- done. -----"
@@ -206,14 +222,13 @@ case $COMMAND in
 
        # set variables for the user
        AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
-       cacheDir="$CACHE"/"$uname"/user_keys
 
         # make sure user's authorized_user_ids file exists
        touch "$AUTHORIZED_USER_IDS"
 
        # process the user IDs
        for userID ; do
-           update_userid "$userID" "$cacheDir"
+           update_userid "$userID"
        done
 
        log "Run the following to update user's authorized_keys file:"