From 0ae461de6b7bf10d3b085dfd9a5d6d29ffd29116 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 1 Feb 2009 13:08:46 -0500 Subject: [PATCH] some general fixes: - fix some references to old function names - move fingerprint_server_key to be fingerprint_host_key - update diagnostic scripts --- src/monkeysphere-host | 10 ++-- src/share/ma/diagnostics | 111 +++++++++-------------------------- src/share/mh/add_hostname | 2 +- src/share/mh/diagnostics | 35 ++--------- src/share/mh/extend_key | 2 +- src/share/mh/gen_key | 4 +- src/share/mh/import_key | 4 +- src/share/mh/publish_key | 2 +- src/share/mh/revoke_hostname | 2 +- 9 files changed, 45 insertions(+), 127 deletions(-) diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 3f4a434..f172209 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -52,7 +52,7 @@ subcommands: revoke-hostname (n-) NAME[:PORT] revoke hostname user ID add-revoker (o) FINGERPRINT add a revoker to the host key revoke-key (r) revoke host key - publish-key (p) publish server host key to keyserver + publish-key (p) publish host key to keyserver expert run expert command expert help expert command help @@ -91,7 +91,7 @@ gpg_host() { } # output just key fingerprint -fingerprint_server_key() { +fingerprint_host_key() { # set the pipefail option so functions fails if can't read sec key set -o pipefail @@ -102,8 +102,8 @@ fingerprint_server_key() { # function to check for host secret key check_host_keyring() { - fingerprint_server_key >/dev/null \ - || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-server gen-key' first." + fingerprint_host_key >/dev/null \ + || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host import-key' first." } # show info about the host key @@ -113,7 +113,7 @@ show_key() { # FIXME: you shouldn't have to be root to see the host key fingerprint check_host_keyring - fingerprintPGP=$(fingerprint_server_key) + fingerprintPGP=$(fingerprint_host_key) gpg_host "--fingerprint --list-key --list-options show-unusable-uids $fingerprintPGP" 2>/dev/null echo "OpenPGP fingerprint: $fingerprintPGP" diff --git a/src/share/ma/diagnostics b/src/share/ma/diagnostics index 73e93a0..45a8ce2 100644 --- a/src/share/ma/diagnostics +++ b/src/share/ma/diagnostics @@ -28,15 +28,6 @@ local badhostkeys local sshd_config local problemsfound=0 -# FIXME: what's the correct, cross-platform answer? -sshd_config=/etc/ssh/sshd_config -seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode) -keysfound=$(echo "$seckey" | grep -c ^sec:) -curdate=$(date +%s) -# warn when anything is 2 months away from expiration -warnwindow='2 months' -warndate=$(advance_date $warnwindow +%s) - if ! id monkeysphere >/dev/null ; then echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell." problemsfound=$(($problemsfound+1)) @@ -47,13 +38,28 @@ if ! [ -d "$SYSDATADIR" ] ; then problemsfound=$(($problemsfound+1)) fi -echo "Checking host GPG key..." +echo "Checking for authentication directory..." +if ! [ -d "$MADATADIR" ] ; then + echo "! No authentication data directory found." + echo " - Recommendation: run 'monkeysphere-authentication setup'" + exit +fi + +# FIXME: what's the correct, cross-platform answer? +seckey=$(gpg_core --list-secret-keys --fingerprint --with-colons --fixed-list-mode) +keysfound=$(echo "$seckey" | grep -c ^sec:) +curdate=$(date +%s) +# warn when anything is 2 months away from expiration +warnwindow='2 months' +warndate=$(advance_date $warnwindow +%s) + +echo "Checking core GPG key..." if (( "$keysfound" < 1 )); then - echo "! No host key found." - echo " - Recommendation: run 'monkeysphere-server gen-key'" + echo "! No core key found." + echo " - Recommendation: run 'monkeysphere-authentication setup'" problemsfound=$(($problemsfound+1)) elif (( "$keysfound" > 1 )); then - echo "! More than one host key found?" + echo "! More than one core key found?" # FIXME: recommend a way to resolve this problemsfound=$(($problemsfound+1)) else @@ -63,86 +69,23 @@ else # check for key expiration: if [ "$expire" ]; then if (( "$expire" < "$curdate" )); then - echo "! Host key is expired." - echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + echo "! Core key is expired." + echo " - Recommendation: ???" problemsfound=$(($problemsfound+1)) elif (( "$expire" < "$warndate" )); then - echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) - echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + echo "! Core key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) + echo " - Recommendation: ???" problemsfound=$(($problemsfound+1)) fi fi # and weirdnesses: if [ "$create" ] && (( "$create" > "$curdate" )); then - echo "! Host key was created in the future(?!). Is your clock correct?" + echo "! Core key was created in the future(?!). Is your clock correct?" echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" problemsfound=$(($problemsfound+1)) fi - - # check for UserID expiration: - echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \ - while IFS=: read create expire uid ; do - # FIXME: should we be doing any checking on the form - # of the User ID? Should we be unmangling it somehow? - - if [ "$create" ] && (( "$create" > "$curdate" )); then - echo "! User ID '$uid' was created in the future(?!). Is your clock correct?" - echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" - problemsfound=$(($problemsfound+1)) - fi - if [ "$expire" ] ; then - if (( "$expire" < "$curdate" )); then - echo "! User ID '$uid' is expired." - # FIXME: recommend a way to resolve this - problemsfound=$(($problemsfound+1)) - elif (( "$expire" < "$warndate" )); then - echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) - # FIXME: recommend a way to resolve this - problemsfound=$(($problemsfound+1)) - fi - fi - done -# FIXME: verify that the host key is properly published to the -# keyservers (do this with the non-privileged user) - -# FIXME: check that there are valid, non-expired certifying signatures -# attached to the host key after fetching from the public keyserver -# (do this with the non-privileged user as well) - -# FIXME: propose adding a revoker to the host key if none exist (do we -# have a way to do that after key generation?) - - # Ensure that the ssh_host_rsa_key file is present and non-empty: - echo - echo "Checking host SSH key..." - if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then - echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty." - problemsfound=$(($problemsfound+1)) - else - if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then - echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600." - problemsfound=$(($problemsfound+1)) - fi - - # propose changes needed for sshd_config (if any) - if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then - echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)." - echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'" - problemsfound=$(($problemsfound+1)) - fi - if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then - echo "! $sshd_config refers to some non-monkeysphere host keys:" - echo "$badhostkeys" - echo " - Recommendation: remove the above HostKey lines from $sshd_config" - problemsfound=$(($problemsfound+1)) - fi - - # FIXME: test (with ssh-keyscan?) that the running ssh - # daemon is actually offering the monkeysphere host key. - - fi fi # FIXME: look at the ownership/privileges of the various keyrings, @@ -150,7 +93,7 @@ fi # we make them as minimal as possible?) # FIXME: look to see that the ownertrust rules are set properly on the -# authentication keyring +# sphere keyring # FIXME: make sure that at least one identity certifier exists @@ -161,7 +104,7 @@ fi # authorized_keys? echo -echo "Checking for MonkeySphere-enabled public-key authentication for users ..." +echo "Checking for Monkeysphere-enabled public-key authentication for users ..." # Ensure that User ID authentication is enabled: if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then echo "! $sshd_config does not point to monkeysphere authorized keys." @@ -177,7 +120,7 @@ fi if [ "$problemsfound" -gt 0 ]; then echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:" - echo " monkeysphere-server diagnostics" + echo " monkeysphere-authentication expert diagnostics" else echo "Everything seems to be in order!" fi diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname index 10d5f58..267f109 100644 --- a/src/share/mh/add_hostname +++ b/src/share/mh/add_hostname @@ -27,7 +27,7 @@ fi userID="ssh://${1}" -fingerprint=$(fingerprint_server_key) +fingerprint=$(fingerprint_host_key) # match to only ultimately trusted user IDs tmpuidMatch="u:$(echo $userID | gpg_escape)" diff --git a/src/share/mh/diagnostics b/src/share/mh/diagnostics index 7e76da6..96065e6 100644 --- a/src/share/mh/diagnostics +++ b/src/share/mh/diagnostics @@ -50,7 +50,7 @@ fi echo "Checking host GPG key..." if (( "$keysfound" < 1 )); then echo "! No host key found." - echo " - Recommendation: run 'monkeysphere-server gen-key'" + echo " - Recommendation: run 'monkeysphere-host gen-key' or 'monkeysphere-host import-key'" problemsfound=$(($problemsfound+1)) elif (( "$keysfound" > 1 )); then echo "! More than one host key found?" @@ -64,11 +64,11 @@ else if [ "$expire" ]; then if (( "$expire" < "$curdate" )); then echo "! Host key is expired." - echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + echo " - Recommendation: extend lifetime of key with 'monkeysphere-host extend-key'" problemsfound=$(($problemsfound+1)) elif (( "$expire" < "$warndate" )); then echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) - echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + echo " - Recommendation: extend lifetime of key with 'monkeysphere-host extend-key'" problemsfound=$(($problemsfound+1)) fi fi @@ -97,7 +97,7 @@ else # FIXME: recommend a way to resolve this problemsfound=$(($problemsfound+1)) elif (( "$expire" < "$warndate" )); then - echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) + echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) # FIXME: recommend a way to resolve this problemsfound=$(($problemsfound+1)) fi @@ -149,35 +149,10 @@ fi # directories housing them, etc (what should those values be? can # we make them as minimal as possible?) -# FIXME: look to see that the ownertrust rules are set properly on the -# authentication keyring - -# FIXME: make sure that at least one identity certifier exists - -# FIXME: look at the timestamps on the monkeysphere-generated -# authorized_keys files -- warn if they seem out-of-date. - -# FIXME: check for a cronjob that updates monkeysphere-generated -# authorized_keys? - -echo -echo "Checking for MonkeySphere-enabled public-key authentication for users ..." -# Ensure that User ID authentication is enabled: -if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then - echo "! $sshd_config does not point to monkeysphere authorized keys." - echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'" - problemsfound=$(($problemsfound+1)) -fi -if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then - echo "! $sshd_config refers to non-monkeysphere authorized_keys files:" - echo "$badauthorizedkeys" - echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" - problemsfound=$(($problemsfound+1)) -fi if [ "$problemsfound" -gt 0 ]; then echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:" - echo " monkeysphere-server diagnostics" + echo " monkeysphere-host expert diagnostics" else echo "Everything seems to be in order!" fi diff --git a/src/share/mh/extend_key b/src/share/mh/extend_key index ccbaf0e..d03b89a 100644 --- a/src/share/mh/extend_key +++ b/src/share/mh/extend_key @@ -15,7 +15,7 @@ extend_key() { -local fpr=$(fingerprint_server_key) +local fpr=$(fingerprint_host_key) local extendTo="$1" # get the new expiration date diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index c0445db..a73d85e 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -24,7 +24,7 @@ local fingerprint # check for presense of secret key # FIXME: is this the proper test to be doing here? -fingerprint_server_key >/dev/null \ +fingerprint_host_key >/dev/null \ && failure "An OpenPGP host key already exists." # get options @@ -83,7 +83,7 @@ log verbose "generating host key..." echo "$keyParameters" | gpg_host --batch --gen-key # find the key fingerprint of the newly generated key -fingerprint=$(fingerprint_server_key) +fingerprint=$(fingerprint_host_key) # translate the private key to ssh format, and export to a file # for sshs usage. diff --git a/src/share/mh/import_key b/src/share/mh/import_key index 0f16d27..e7b713f 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key @@ -20,7 +20,7 @@ local userID # check for presense of secret key # FIXME: is this the proper test to be doing here? -fingerprint_server_key >/dev/null \ +fingerprint_host_key >/dev/null \ && failure "An OpenPGP host key already exists." # get options @@ -72,7 +72,7 @@ log verbose "importing ssh key..." pem2openpgp "$userID" "$keyExpire" < "$sshKey" | gpg_host --import) # find the key fingerprint of the newly converted key -fingerprint=$(fingerprint_server_key) +fingerprint=$(fingerprint_host_key) # export host ownertrust to authentication keyring log verbose "setting ultimate owner trust for host key..." diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key index b7ab01d..988b450 100644 --- a/src/share/mh/publish_key +++ b/src/share/mh/publish_key @@ -21,7 +21,7 @@ if [ ${OK/y/Y} != 'Y' ] ; then fi # find the key fingerprint -fingerprint=$(fingerprint_server_key) +fingerprint=$(fingerprint_host_key) # publish host key # FIXME: need to define how to do this diff --git a/src/share/mh/revoke_hostname b/src/share/mh/revoke_hostname index b519cf6..06b5810 100644 --- a/src/share/mh/revoke_hostname +++ b/src/share/mh/revoke_hostname @@ -38,7 +38,7 @@ fi userID="ssh://${1}" -fingerprint=$(fingerprint_server_key) +fingerprint=$(fingerprint_host_key) # match to only ultimately trusted user IDs tmpuidMatch="u:$(echo $userID | gpg_escape)" -- 2.25.1