From d2874b94fedbe6d043d44ca3562879251e6ea10f Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 17 Feb 2009 19:09:44 -0500 Subject: [PATCH] add ability to bypass prompting with a MONKEYSPHERE_PROMPT variable, for functions that prompt for confirmation. Also fix publish_key function (NOT TESTED). --- src/monkeysphere-authentication | 9 +++++++-- src/monkeysphere-host | 13 +++++++++---- src/share/ma/add_certifier | 8 +------- src/share/ma/remove_certifier | 7 +++++-- src/share/mh/add_hostname | 14 +++++++++----- src/share/mh/add_revoker | 12 ++++++++---- src/share/mh/publish_key | 29 +++++++++++++++++++++++++---- src/share/mh/revoke_hostname | 14 +++++++++----- src/share/mh/set_expire | 9 +++++++++ tests/basic | 2 +- 10 files changed, 83 insertions(+), 34 deletions(-) diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 60cb5f2..c349e6f 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -114,11 +114,14 @@ gpg_core_sphere_sig_transfer() { # MAIN ######################################################################## -# unset variables that should be defined only in config file +# unset variables that should be defined only in config file of in +# MONKEYSPHERE_ variables +unset LOG_LEVEL unset KEYSERVER unset AUTHORIZED_USER_IDS unset RAW_AUTHORIZED_KEYS unset MONKEYSPHERE_USER +unset PROMPT # load configuration file [ -e ${MONKEYSPHERE_AUTHENTICATION_CONFIG:="${SYSCONFIGDIR}/monkeysphere-authentication.conf"} ] && . "$MONKEYSPHERE_AUTHENTICATION_CONFIG" @@ -130,6 +133,7 @@ KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}} AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}} RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}} +PROMPT=${MONKEYSPHERE_PROMPT:=${PROMPT:="true"}} # other variables CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} @@ -142,8 +146,9 @@ CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"} export DATE export MODE export LOG_LEVEL -export MONKEYSPHERE_USER export KEYSERVER +export MONKEYSPHERE_USER +export PROMPT export CHECK_KEYSERVER export REQUIRED_USER_KEY_CAPABILITY export GNUPGHOME_CORE diff --git a/src/monkeysphere-host b/src/monkeysphere-host index a7b9697..2dc6003 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -177,6 +177,7 @@ show_key() { # trap to remove tmp dir if break trap "rm -rf $GNUPGHOME" EXIT + # import the host key into the tmp dir gpg --quiet --import <"$HOST_KEY_FILE" HOST_FINGERPRINT=$(gpg --quiet --list-keys --with-colons --with-fingerprint \ @@ -208,9 +209,12 @@ show_key() { # MAIN ######################################################################## -# unset variables that should be defined only in config file +# unset variables that should be defined only in config file of in +# MONKEYSPHERE_ variables +unset LOG_LEVEL unset KEYSERVER unset MONKEYSPHERE_USER +unset PROMPT # load configuration file [ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] && . "$MONKEYSPHERE_HOST_CONFIG" @@ -219,9 +223,8 @@ unset MONKEYSPHERE_USER # defaults LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}} KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}} -AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}} -RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}} +PROMPT=${MONKEYSPHERE_PROMPT:=${PROMPT:="true"}} # other variables CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} @@ -231,8 +234,10 @@ GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} export DATE export MODE export LOG_LEVEL -export MONKEYSPHERE_USER export KEYSERVER +export MONKEYSPHERE_USER +export PROMPT +export CHECK_KEYSERVER export GNUPGHOME_HOST export GNUPGHOME export HOST_FINGERPRINT= diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index 28c229a..54ea673 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier @@ -36,8 +36,6 @@ local fingerprint local ltsignCommand local trustval -PROMPT=true - # get options while true ; do case "$1" in @@ -53,10 +51,6 @@ while true ; do depth="$2" shift 2 ;; - -y) - PROMPT=false - shift 1 - ;; *) if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then failure "Unknown option '$1'. @@ -114,7 +108,7 @@ fi log info "key found:" gpg_sphere "--fingerprint 0x${fingerprint}!" -if [ "$PROMPT" = true ] ; then +if [ "$PROMPT" = "true" ] ; then echo "Are you sure you want to add the above key as a" read -p "certifier of users on this system? (y/N) " OK; OK=${OK:-N} if [ "${OK/y/Y}" != 'Y' ] ; then diff --git a/src/share/ma/remove_certifier b/src/share/ma/remove_certifier index 4e56264..8271ae0 100644 --- a/src/share/ma/remove_certifier +++ b/src/share/ma/remove_certifier @@ -23,13 +23,16 @@ if [ -z "$keyID" ] ; then failure "You must specify the key ID of a key to remove." fi -if gpg_sphere "--list-key --fingerprint 0x${keyID}!" ; then +# FIXME: should we be doing a fancier list_certifier output here? +gpg_core --list-key --fingerprint "0x${keyID}!" || failure + +if [ "$PROMPT" = "true" ] ; then read -p "Really remove above listed identity certifier? (y/N) " OK; OK=${OK:-N} if [ "${OK/y/Y}" != 'Y' ] ; then failure "Identity certifier not removed." fi else - failure + log debug "certifier removed without prompting." fi # delete the requested key from the sphere keyring diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname index 910faf6..70bbec3 100644 --- a/src/share/mh/add_hostname +++ b/src/share/mh/add_hostname @@ -31,11 +31,15 @@ userID="ssh://${1}" find_host_userid > /dev/null && \ failure "Host userID '$userID' already exists." -echo "The following user ID will be added to the host key:" -echo " $userID" -read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N} -if [ ${OK/y/Y} != 'Y' ] ; then - failure "User ID not added." +if [ "$PROMPT" = "true" ] ; then + echo "The following user ID will be added to the host key:" + echo " $userID" + read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "User ID not added." + fi +else + log debug "adding user ID without prompting." fi # edit-key script command to add user ID diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker index 1464ae8..b4113df 100644 --- a/src/share/mh/add_revoker +++ b/src/share/mh/add_revoker @@ -77,10 +77,14 @@ fi log info "key found:" gpg_host --fingerprint "0x${fingerprint}!" -echo "Are you sure you want to add the above key as a" -read -p "revoker of the host key? (y/N) " OK; OK=${OK:-N} -if [ "${OK/y/Y}" != 'Y' ] ; then - failure "Revoker not added." +if [ "$PROMPT" = "true" ] ; then + echo "Are you sure you want to add the above key as a" + read -p "revoker of the host key? (y/N) " OK; OK=${OK:-N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "revoker not added." + fi +else + log debug "adding revoker without prompting." fi # edit-key script to add revoker diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key index 600dfcf..b433ad7 100644 --- a/src/share/mh/publish_key +++ b/src/share/mh/publish_key @@ -15,12 +15,33 @@ publish_key() { -read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N} -if [ ${OK/y/Y} != 'Y' ] ; then - failure "key not published." +local GNUPGHOME + +if [ "$PROMPT" = "true" ] ; then + read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "key not published." + fi +else + log debug "publishing key without prompting." fi +# create a temporary gnupg directory from which to publish the key +export GNUPGHOME=$(mktemp -d) + +# trap to remove tmp dir if break +trap "rm -rf $GNUPGHOME" EXIT + +# import the host key into the tmp dir +su_monkeysphere_user \ + "gpg --quiet --import" <"$HOST_KEY_FILE" + # publish host key -gpg_sphere "--keyserver $KEYSERVER --send-keys '0x${HOST_FINGERPRINT}!'" +su_monkeysphere_user \ + "gpg --keyserver $KEYSERVER --send-keys '0x${HOST_FINGERPRINT}!'" + +# remove the tmp file +trap - EXIT +rm -rf "$GNUPGHOME" } diff --git a/src/share/mh/revoke_hostname b/src/share/mh/revoke_hostname index 99ba603..77f1f0d 100644 --- a/src/share/mh/revoke_hostname +++ b/src/share/mh/revoke_hostname @@ -42,11 +42,15 @@ userID="ssh://${1}" uidIndex=$(find_host_userid) || \ failure "No non-revoked user ID found matching '$userID'." -echo "The following host key user ID will be revoked:" -echo " $userID" -read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N} -if [ ${OK/y/Y} != 'Y' ] ; then - failure "User ID not revoked." +if [ "$PROMPT" = "true" ] ; then + echo "The following host key user ID will be revoked:" + echo " $userID" + read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "User ID not revoked." + fi +else + log debug "revoking user ID without prompting." fi # edit-key script command to revoke user ID diff --git a/src/share/mh/set_expire b/src/share/mh/set_expire index 0b581d9..14d2501 100644 --- a/src/share/mh/set_expire +++ b/src/share/mh/set_expire @@ -21,6 +21,15 @@ local extendTo # get the new expiration date extendTo=$(get_gpg_expiration "$1") +if [ "$PROMPT" = "true" ] ; then + read -p "Are you sure you want to change the expiration on the host key to '$extendTo'? (y/N) " OK; OK=${OK:-N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "expiration not set." + fi +else + log debug "extending without prompting." +fi + log info "setting host key expiration to ${extendTo}:" log debug "executing host expire script..." diff --git a/tests/basic b/tests/basic index d78a594..9114f32 100755 --- a/tests/basic +++ b/tests/basic @@ -242,7 +242,7 @@ gpg --export testuser | monkeysphere-authentication gpg-cmd --import echo "##################################################" echo "### update server authorized_keys file for this testuser..." monkeysphere-authentication update-users $(whoami) -# FIXME: NOT FAILING PROPERLY FOR: +# FIXME: this is maybe not failing properly for: # ms: improper group or other writability on path '/tmp'. -- 2.25.1