local nHostsBAD
local fileCheck
local host
+ local newUmask
# the number of hosts specified on command line
nHosts="$#"
# touch the known_hosts file so that the file permission check
# below won't fail upon not finding the file
if [ ! -f "$KNOWN_HOSTS" ]; then
- [ -d $(dirname "$KNOWN_HOSTS") ] || mkdir -m 0700 $(dirname "$KNOWN_HOSTS")
- touch "$KNOWN_HOSTS"
+ # make sure to create any files or directories with the appropriate write bits turned off:
+ newUmask=$(printf "%04o" $(( 0$(umask) | 0022 ))
+ [ -d $(dirname "$KNOWN_HOSTS") ] || (umask "$newUmask" && mkdir -p -m 0700 $(dirname "$KNOWN_HOSTS") ) || failure "Could not create path to known_hosts file '$KNOWN_HOSTS'"
+ # make sure to create this file with the appropriate bits turned off:
+ (umask "$newUmask" && touch "$KNOWN_HOSTS") || failure "Unable to create known_hosts file '$KNOWN_HOSTS'"
fi
# check permissions on the known_hosts file path
- check_key_file_permissions $(whoami) "$KNOWN_HOSTS" || failure
+ check_key_file_permissions $(whoami) "$KNOWN_HOSTS" || failure "Bad permissions governing known_hosts file '$KNOWN_HOSTS'"
# create a lockfile on known_hosts:
lock create "$KNOWN_HOSTS"
# if the host is NOT in the keyring...
else
# if the host key is found in the known_hosts file...
- # FIXME: this only works for default known_hosts location
- hostKey=$(ssh-keygen -F "$HOST" 2>/dev/null)
+ hostKey=$( [ ! -r "$KNOWN_HOSTS" ] || ssh-keygen -F "$HOST" -f "$KNOWN_HOSTS" 2>/dev/null)
if [ "$hostKey" ] ; then
# do not check the keyserver