Merge commit 'dkg/master'
authorMatt Goins <mjgoins@openflows.com>
Wed, 29 Oct 2008 16:20:42 +0000 (12:20 -0400)
committerMatt Goins <mjgoins@openflows.com>
Wed, 29 Oct 2008 16:20:42 +0000 (12:20 -0400)
21 files changed:
Makefile
debian/changelog
debian/control
debian/dirs [deleted file]
debian/monkeysphere.dirs
debian/monkeysphere.postinst
etc/monkeysphere-server.conf
packaging/freebsd/Makefile
packaging/freebsd/distinfo
packaging/freebsd/pkg-install
src/common
src/monkeysphere
src/monkeysphere-server
tests/basic
tests/etc/monkeysphere/monkeysphere-server.conf [new file with mode: 0644]
tests/home/testuser/.gnupg/gpg.conf
tests/home/testuser/.monkeysphere/monkeysphere.conf
website/download.mdwn
website/news/release-0.17-1.mdwn [new file with mode: 0644]
website/news/release-0.18-1.mdwn [new file with mode: 0644]
website/news/release-0.19-1.mdwn [new file with mode: 0644]

index 057707aad99a409865a56d3aa7a1c8f70b39ee48..dfeb3f10a266d46bfe2d9c74230dfb1c53fa3259 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -46,6 +46,8 @@ install: all installman
        install src/monkeysphere-server $(DESTDIR)$(PREFIX)/sbin
        install -m 0644 src/common $(DESTDIR)$(PREFIX)/share/monkeysphere
        install doc/* $(DESTDIR)$(PREFIX)/share/doc/monkeysphere
+       install -m 0644 etc/gnupg-host.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/gnupg-host.conf$(ETCSUFFIX)
+       install -m 0644 etc/gnupg-authentication.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/gnupg-authentication.conf$(ETCSUFFIX)
        install -m 0644 etc/monkeysphere.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/monkeysphere.conf$(ETCSUFFIX)
        install -m 0644 etc/monkeysphere-server.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/monkeysphere-server.conf$(ETCSUFFIX)
 
index 4db311e6b1fcdf3148d901290dbb88a3f03e5522..a7514a35f71e13db5bdf9922af5b18e8a3aa43fe 100644 (file)
@@ -1,11 +1,38 @@
+monkeysphere (0.19-1) experimental; urgency=low
+
+  [ Daniel Kahn Gillmor ]
+  * simulating an X11 session in the test script.
+  * updated packaging so that symlinks to config files are correct.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 29 Oct 2008 02:47:49 -0400
+
+monkeysphere (0.18-1) experimental; urgency=low
+
+  [ Jameson Graef Rollins ]
+  * Fix bugs in authorized_{user_ids,keys} file permission checking.
+  * Add new monkeysphere tmpdir to enable atomic moves of authorized_keys
+    files.
+  * chown authorized_keys files to `whoami`, for compatibility with test
+    suite.
+  * major improvements to test suite, added more tests.
+  
+  [ Daniel Kahn Gillmor ]
+  * update make install to ensure placement of
+    /etc/monkeysphere/gnupg-{host,authentication}.conf 
+  * choose either --quick-random or --debug-quick-random depending on
+    which gpg supports for the test suite.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 29 Oct 2008 00:41:38 -0400
+
 monkeysphere (0.17-1) experimental; urgency=low
 
+  [ Jameson Graef Rollins ]  
   * Fix some bugs in, and cleanup, authorized_keys file creation in
     monkeysphere-server update-users.
   * Move to using the empty string for not adding a user-controlled
     authorized_keys file in the RAW_AUTHORIZED_KEYS variable.
 
- -- Jameson Graef Rollins <jrollins@phys.columbia.edu>  Mon, 27 Oct 2008 07:39:10 -0400
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 28 Oct 2008 02:04:22 -0400
 
 monkeysphere (0.16-1) experimental; urgency=low
 
index 8f5aeef99690523860cb415d0aea1464586a72af..efd734bc63fac199fc97996f9bb7254c50d4d7f1 100644 (file)
@@ -2,7 +2,7 @@ Source: monkeysphere
 Section: net
 Priority: extra
 Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-Uploaders: Jameson Rollins <jrollins@fifthhorseman.net>
+Uploaders: Jameson Graef Rollins <jrollins@phys.columbia.edu>
 Build-Depends: debhelper (>= 7.0), libgnutls-dev (>= 2.4.0)
 Standards-Version: 3.8.0.1
 Homepage: http://web.monkeysphere.info/
diff --git a/debian/dirs b/debian/dirs
deleted file mode 100644 (file)
index e9390a7..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-var/lib/monkeysphere
-var/lib/monkeysphere/authorized_keys
-usr/bin
-usr/sbin
-usr/share
-usr/share/monkeysphere
-usr/share/man
-usr/share/man/man1
-usr/share/man/man5
-usr/share/man/man8
-etc/monkeysphere
-etc/monkeysphere/authorized_user_ids
index b0b2d9c195b1670e544f669625ed86e0fee76e70..cfafe15d3b31c2c2bbeb6025289b44a119be2ab6 100644 (file)
@@ -1,4 +1,12 @@
-usr/share/monkeysphere
 var/lib/monkeysphere
 var/lib/monkeysphere/authorized_keys
+var/lib/monkeysphere/tmp
+usr/bin
+usr/sbin
+usr/share
+usr/share/monkeysphere
+usr/share/man
+usr/share/man/man1
+usr/share/man/man5
+usr/share/man/man8
 etc/monkeysphere
index 27a50e00017f70bb94407f78f6b54b8ae4686d56..02d63046ff66db0cfc2ffbd457f30cfba4b8131c 100755 (executable)
@@ -20,9 +20,9 @@ fi
 # install host gnupg home directory
 install --owner root --group monkeysphere --mode 750 -d "$VARLIB"/gnupg-host
 # link in the gpg.conf
-ln -sTf "$ETC"/gpg-host.conf "$VARLIB"/gnupg-host/gpg.conf
+ln -sTf "$ETC"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf
 
 # install authentication gnupg home directory
 install --owner monkeysphere --group monkeysphere --mode 700 -d "$VARLIB"/gnupg-authentication
 # link in the gpg.conf
-ln -sTf "$ETC"/gpg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf
+ln -sTf "$ETC"/gnupg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf
index b69420a75febd113eef511c8302f1c8fabb56591..8b9ffa4568b97acd778ef4ec37904167f3747c11 100644 (file)
@@ -23,6 +23,6 @@
 # Path to a user controlled authorized_keys file to be added to the
 # monkeysphere-generated authorized_keys file.  '%h' will be replaced
 # by the home directory of the user, and '%u' will by replaced by the
-# username of the user.  To not add any user-controlled file set this
-# variable to be the empty string, "".
-#RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
+# username of the user.  Setting this variable to 'none' prevents the
+# inclusion of user controlled authorized_keys file.
+# RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
index 78ad0d3a3a6f22e5bef4accd600eb83071562fcb..984bc8757ca30eef2458ed639b3b1ca8e954e0e7 100644 (file)
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=      monkeysphere
-PORTVERSION=   0.16
+PORTVERSION=   0.19
 CATEGORIES=    security
 MASTER_SITES=  http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/
 # hack for debian orig tarballs
@@ -17,7 +17,7 @@ COMMENT=       use the OpenPGP web of trust to verify ssh connections
 
 LIB_DEPENDS=   gnutls.26:${PORTSDIR}/security/gnutls
 RUN_DEPENDS=    base64:${PORTSDIR}/converters/base64 \
-               gpg:${PORTSDIR}/security/gnupg \
+               gpg:${PORTSDIR}/security/gnupg1 \
                lockfile:${PORTSDIR}/mail/procmail \
                /usr/local/bin/getopt:${PORTSDIR}/misc/getopt \
                bash:${PORTSDIR}/shells/bash
@@ -34,6 +34,12 @@ post-patch:
        find . -iname '*.orig' -delete
 
 post-install:
+       @if [ ! -f ${PREFIX}/etc/monkeysphere/gnupg-host.conf ]; then \
+               ${CP} -p ${PREFIX}/etc/monkeysphere/gnupg-host.conf.sample ${PREFIX}/etc/monkeysphere/gnupg-host.conf ; \
+       fi
+       @if [ ! -f ${PREFIX}/etc/monkeysphere/gnupg-authentication.conf ]; then \
+               ${CP} -p ${PREFIX}/etc/monkeysphere/gnupg-authentication.conf.sample ${PREFIX}/etc/monkeysphere/gnupg-authentication.conf ; \
+       fi
        @if [ ! -f ${PREFIX}/etc/monkeysphere/monkeysphere.conf ]; then \
                ${CP} -p ${PREFIX}/etc/monkeysphere/monkeysphere.conf.sample ${PREFIX}/etc/monkeysphere/monkeysphere.conf ; \
        fi
index 16e88de4fb5044524ccbbd677203f9e13ab96c9c..86aecd1c3507d2064572891cfa330284397f0e47 100644 (file)
@@ -1,3 +1,3 @@
-MD5 (monkeysphere_0.16.orig.tar.gz) = 4bc223e8004e0e374bd54f0315585c49
-SHA256 (monkeysphere_0.16.orig.tar.gz) = f2dbd031315f99c82099a4a902f2240cca97536b035ef75872e72a65f324c9d7
-SIZE (monkeysphere_0.16.orig.tar.gz) = 66062
+MD5 (monkeysphere_0.19.orig.tar.gz) = 64c643dd0ab642bbc8814aec1718000e
+SHA256 (monkeysphere_0.19.orig.tar.gz) = 321b77c1e10fe48ffbef8491893f5dd22842c35c11464efa7893150ce756a522
+SIZE (monkeysphere_0.19.orig.tar.gz) = 68335
index 5e520cdfd20ad8a19f5b8f7c8e0dd1df39b0fb80..d7e4dbec95acffd9ab5c7387975f29906f1b4760 100755 (executable)
@@ -15,6 +15,7 @@
 # MySQL puts its data in /var/db/mysql
 
 VARLIB="/var/monkeysphere"
+ETCDIR="/usr/local/etc/monkeysphere"
 
 case $2 in
 POST-INSTALL)
@@ -56,20 +57,14 @@ POST-INSTALL)
                 fi
         fi
 
-       ## set up the cache directories:
+       ## set up the cache directories, and link them to the config files:
 
        install -d -o root -g monkeysphere -m 750 "$VARLIB"/gnupg-host
-       cat <<EOF > "$VARLIB"/gnupg-host/gpg.conf
-list-options show-uid-validity
-EOF
+       ln -sf "$ETCDIR"/gnupg-host.conf  "$VARLIB"/gnupg-host/gpg.conf
 
        install -d -o monkeysphere -g monkeysphere -m 700 "$VARLIB"/gnupg-authentication
-# install authentication gpg.conf
-       cat <<EOF > "$VARLIB"/gnupg-authentication/gpg.conf
-list-options show-uid-validity
-primary-keyring $VARLIB/gnupg-authentication/pubring.gpg
-keyring $VARLIB/gnupg-host/pubring.gpg
-EOF
+       ln -sf "$ETCDIR"/gnupg-authentication.conf  "$VARLIB"/gnupg-authentication/gpg.conf
+
        chown monkeysphere:monkeysphere "$VARLIB"/gnupg-authentication/gpg.conf
 
        monkeysphere-server diagnostics
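Review bot: The context line `chown monkeysphere:monkeysphere "$VARLIB"/gnupg-authentication/gpg.conf` now runs against the symlink created by the added `ln -sf`, and chown dereferences symlinks by default, so ownership of `"$ETCDIR"/gnupg-authentication.conf` would pass to the unprivileged monkeysphere account. That leaves a system configuration file writable by the account it is meant to constrain. Drop the chown, or keep it on the link only with `chown -h monkeysphere:monkeysphere "$VARLIB"/gnupg-authentication/gpg.conf`. The POST-INSTALL branch begins and ends outside this hunk.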
index 5d92b26f0a283d6cc1ea4d113eb54f9a3fd5696b..297e7f344c9d39686c94c1097ee587a142e51455 100644 (file)
@@ -24,7 +24,7 @@ export SYSCONFIGDIR
 
 # failure function.  exits with code 255, unless specified otherwise.
 failure() {
-    echo "$1" >&2
+    [ "$1" ] && echo "$1" >&2
     exit ${2:-'255'}
 }
 
@@ -393,8 +393,9 @@ test_gpg_expire() {
 # check that a file is properly owned, and that all it's parent
 # directories are not group/other writable
 check_key_file_permissions() {
-    local user
+    local uname
     local path
+    local stat
     local access
     local gAccess
     local oAccess
@@ -404,30 +405,36 @@ check_key_file_permissions() {
        [ "$1" = "w" ]
     }
 
-    user="$1"
+    uname="$1"
     path="$2"
 
-    # return 0 is path does not exist
-    [ -e "$path" ] || return 0
+    # return 255 if cannot stat file
+    if ! stat=$(ls -ld "$path" 2>/dev/null) ; then
+        log error "could not stat path '$path'."
+       return 255
+    fi
 
-    owner=$(ls -l "$path" | awk '{ print $3 }')
-    gAccess=$(ls -l "$path" | cut -c6)
-    oAccess=$(ls -l "$path" | cut -c9)
+    owner=$(echo "$stat" | awk '{ print $3 }')
+    gAccess=$(echo "$stat" | cut -c6)
+    oAccess=$(echo "$stat" | cut -c9)
 
-    # check owner
-    if [ "$owner" != "$user" -a "$owner" != 'root' ] ; then
+    # return 1 if path has invalid owner
+    if [ "$owner" != "$uname" -a "$owner" != 'root' ] ; then
+       log error "improper ownership on path '$path'."
        return 1
     fi
 
-    # check group/other writability
+    # return 2 if path has group or other writability
     if is_write "$gAccess" || is_write "$oAccess" ; then
+       log error "improper group or other writability on path '$path'."
        return 2
     fi
 
+    # return zero if all clear, or go to next path
     if [ "$path" = '/' ] ; then
        return 0
     else
-       check_key_file_permissions $(dirname "$path")
+       check_key_file_permissions "$uname" $(dirname "$path")
     fi
 }
 
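Review bot: The recursive call at the end of check_key_file_permissions leaves `$(dirname "$path")` unquoted, so a path containing whitespace is word-split and the directory that gets checked is not the real parent; write it as `check_key_file_permissions "$uname" "$(dirname "$path")"`. The recursion also stops only when the path equals '/', and dirname of a relative path settles on '.', so a relative path would recurse without end. Rejecting non-absolute paths up front closes that, e.g. `case "$path" in /*) ;; *) log error "path '$path' is not absolute." ; return 255 ;; esac`. The function's opening lines are in the previous hunk.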
@@ -662,7 +669,7 @@ process_user_id() {
                else
                    log debug "  - unacceptable primary key."
                    if [ -z "$sshKey" ] ; then
-                       log error "   ! primary key could not be translated (not RSA or DSA?)."
+                       log error "    ! primary key could not be translated (not RSA or DSA?)."
                    else
                        echo "1:${sshKey}"
                    fi
@@ -1018,7 +1025,7 @@ process_authorized_user_ids() {
     log debug "processing authorized_user_ids file..."
 
     if ! meat "$authorizedUserIDs" > /dev/null ; then
-       log debug "no user IDs to process."
+       log debug " no user IDs to process."
        return
     fi
 
index dd689b5bfd45ca4b5dc6abbe97fe59b6096b7ac5..7e800cc4d61942f53deff20817f08633da6a8a74 100755 (executable)
@@ -318,10 +318,12 @@ case $COMMAND in
     'update-known_hosts'|'update-known-hosts'|'k')
        MODE='known_hosts'
 
+       # touch the known_hosts file so that the file permission check
+       # below won't fail upon not finding the file
+       (umask 0022 && touch "$KNOWN_HOSTS")
+
        # check permissions on the known_hosts file path
-       if ! check_key_file_permissions "$USER" "$KNOWN_HOSTS" ; then
-           failure "Improper permissions on known_hosts file path."
-       fi
+       check_key_file_permissions "$USER" "$KNOWN_HOSTS" || failure
 
         # if hosts are specified on the command line, process just
         # those hosts
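Review bot: The added `(umask 0022 && touch "$KNOWN_HOSTS")` runs before check_key_file_permissions, so the file is created, or its timestamp changed, through a directory chain that has not yet been verified as owned by the user and free of group/other write access. Checking the parent first with `check_key_file_permissions "$USER" "$(dirname "$KNOWN_HOSTS")" || failure`, and only then touching the file, keeps the write behind the check. The bare `|| failure` relies on the log lines emitted inside check_key_file_permissions, which deserves a one-line comment here. The enclosing case branch continues outside the hunk.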
@@ -347,14 +349,10 @@ case $COMMAND in
        MODE='authorized_keys'
 
        # check permissions on the authorized_user_ids file path
-       if ! check_key_file_permissions "$USER" "$AUTHORIZED_USER_IDS" ; then
-           failure "Improper permissions on authorized_user_ids file path."
-       fi
+       check_key_file_permissions "$USER" "$AUTHORIZED_USER_IDS" || failure
 
        # check permissions on the authorized_keys file path
-       if ! check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" ; then
-           failure "Improper permissions on authorized_keys file path."
-       fi
+       check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" || failure
 
         # exit if the authorized_user_ids file is empty
        if [ ! -e "$AUTHORIZED_USER_IDS" ] ; then
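Review bot: Unlike the known_hosts branch, this branch calls check_key_file_permissions on "$AUTHORIZED_USER_IDS" and "$AUTHORIZED_KEYS" without first making sure they exist, and in this same commit that function (src/common) changed from returning 0 to returning 255 when the path cannot be stat'ed. A user with no authorized_keys file yet would therefore stop at `|| failure` with only the "could not stat path" log line, and the `[ ! -e "$AUTHORIZED_USER_IDS" ]` test that follows can no longer be reached for a missing file. Move that existence test above the permission check, and for an absent authorized_keys file check its directory instead, `check_key_file_permissions "$USER" "$(dirname "$AUTHORIZED_KEYS")" || failure`. The branch continues beyond the hunk, so later handling is not visible here.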
index 6ca6a4f7a3b4d6023cc39014a78c65e2c1f13322..5f0cb733be2c550c77b84a58889dc6a9b33e7f3c 100755 (executable)
@@ -20,6 +20,11 @@ export SYSSHAREDIR
 SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
 export SYSDATADIR
 
+# monkeysphere temp directory, in sysdatadir to enable atomic moves of
+# authorized_keys files
+MSTMPDIR="${SYSDATADIR}/tmp"
+export MSTMPDIR
+
 # UTC date in ISO 8601 format if needed
 DATE=$(date -u '+%FT%T')
 
@@ -148,6 +153,8 @@ update_users() {
        unames=$(getent passwd | cut -d: -f1)
     fi
 
+    RETCODE=0
+
     # set mode
     MODE="authorized_keys"
 
@@ -165,7 +172,7 @@ update_users() {
     # loop over users
     for uname in $unames ; do
        # check all specified users exist
-       if ! getent passwd "$uname" >/dev/null ; then
+       if ! id "$uname" >/dev/null ; then
            log error "----- unknown user '$uname' -----"
            continue
        fi
@@ -173,7 +180,7 @@ update_users() {
        log verbose "----- user: $uname -----"
 
         # make temporary directory
-        TMPLOC=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
+        TMPLOC=$(mktemp -d ${MSTMPDIR}/tmp.XXXXXXXXXX)
 
        # trap to delete temporary directory on exit
        trap "rm -rf $TMPLOC" EXIT
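Review bot: The result of `mktemp -d ${MSTMPDIR}/tmp.XXXXXXXXXX` is not checked, and MSTMPDIR exists only where packaging created it; this commit adds it to debian/monkeysphere.dirs, but none of the visible FreeBSD pkg-install lines create it. If mktemp fails, the loop carries on as root with an empty TMPLOC, and the `chown -R "$MONKEYSPHERE_USER" "$TMPLOC"` in the next hunk and, presumably, the files built under TMPLOC no longer refer to the intended directory. Quote the argument and skip the user on failure: `TMPLOC=$(mktemp -d "${MSTMPDIR}"/tmp.XXXXXXXXXX) || { log error "could not create temporary directory." ; continue ; }`. The loop body continues outside the hunk.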
@@ -194,6 +201,7 @@ update_users() {
         chown -R "$MONKEYSPHERE_USER" "$TMPLOC"
 
        # process authorized_user_ids file
+       log debug "checking for authorized_user_ids..."
        # translating ssh-style path variables
        authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
        if [ -s "$authorizedUserIDs" ] ; then
@@ -213,20 +221,27 @@ update_users() {
                    ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
                RETURN="$?"
            else
-               log error "Improper permissions on path '$AUTHORIZED_USER_IDS'."
+               log debug "not processing authorized_user_ids."
            fi
+       else
+           log debug "empty or absent authorized_user_ids file."
        fi
 
        # add user-controlled authorized_keys file if specified
        # translate ssh-style path variables
        rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
-       if [ "$rawAuthorizedKeys" -a -s "$rawAuthorizedKeys" ] ; then
-           # check permissions on the authorized_keys file path
-           if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then
-               log verbose "adding raw authorized_keys file... "
-               cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
+       if [ "$rawAuthorizedKeys" != 'none' ] ; then
+           log debug "checking for raw authorized_keys..."
+           if [ -s "$rawAuthorizedKeys" ] ; then
+               # check permissions on the authorized_keys file path
+               if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then
+                   log verbose "adding raw authorized_keys file... "
+                   cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
+               else
+                   log debug "not adding raw authorized_keys file."            
+               fi
            else
-               log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'.  Not added to authorized_keys file."
+               log debug "empty or absent authorized_keys file."
            fi
        fi
 
@@ -235,12 +250,25 @@ update_users() {
            # openssh appears to check the contents of the
            # authorized_keys file as the user in question, so the
            # file must be readable by that user at least.
-           # FIXME: is there a better way to do this?
-           chown root "$AUTHORIZED_KEYS"
-           chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
-           chmod g+r "$AUTHORIZED_KEYS"
 
-           mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}"
+           # but in general, we don't want the user tampering with
+           # this file directly, so we'll adopt this approach: Own
+           # the file by the monkeysphere-server invoker (usually
+           # root, but should be the same uid that sshd is launched
+           # as); change the group of the file so that members of the
+           # user's group can read it.
+
+           # FIXME: is there a better way to do this?
+           chown $(whoami) "$AUTHORIZED_KEYS" && \
+               chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \
+               chmod g+r "$AUTHORIZED_KEYS" && \
+               mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}" || \
+               { 
+               log error "Failed to install authorized_keys for '$uname'!"
+               rm -f "${SYSDATADIR}/authorized_keys/${uname}"
+               # indicate that there has been a failure:
+               RETURN=1
+               }
        else
            rm -f "${SYSDATADIR}/authorized_keys/${uname}"
        fi
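Review bot: The failure branch sets `RETURN=1`, but RETURN is reassigned from `$?` for each user whose authorized_user_ids file is processed (`RETURN="$?"` earlier in the loop), while the `RETCODE=0` this commit initialises at the top of update_users is never updated in the visible lines. An install failure for one user therefore looks likely to be forgotten once the next user is processed; if RETCODE is the value the function returns, the branch should set `RETCODE=1` instead. The command substitutions would also be safer quoted, `chown "$(whoami)" "$AUTHORIZED_KEYS"` and `chgrp "$(id -g "$uname")" "$AUTHORIZED_KEYS"`. The end of update_users is outside this hunk, so which variable is returned cannot be confirmed here.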
@@ -371,7 +399,7 @@ EOF
     (umask 077 && \
        gpg_host --export-secret-key "$fingerprint" | \
        openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
-    log info "Private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
+    log info "private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
 }
 
 # extend the lifetime of a host key:
index 46ba63c1cda77e439f8dfaf9e741cc9d48c53976..d7355786457af1e996010733699e28a59e98bcaa 100755 (executable)
@@ -19,18 +19,44 @@ gpgadmin() {
     GNUPGHOME="$TEMPDIR"/admin/.gnupg gpg "$@"
 }
 
-launch_sshd() {
+# test ssh connection
+# first argument is expected return code from ssh connection
+ssh_test() {
+    umask 0077
+
+    CODE=${1:-0}
+
+    # start the ssh daemon on the socket
+    echo "##### starting ssh server..."
     socat EXEC:"/usr/sbin/sshd -f ${SSHD_CONFIG} -i -D -e" "UNIX-LISTEN:${SOCKET}" 2> "$TEMPDIR"/sshd.log &
-    export SSHD_PID=$!
+    SSHD_PID="$!"
 
+    # wait until the socket is created before continuing
     while [ ! -S "$SOCKET" ] ; do
        sleep 1
     done
-}
 
-ssh_test() {
+    set +e
+
+    # make a client connection to the socket
+    echo "##### starting ssh client..."
     ssh-agent bash -c \
        "monkeysphere subkey-to-ssh-agent && ssh -F $TEMPDIR/testuser/.ssh/config testhost true"
+    RETURN="$?"
+
+    # kill the sshd process if it's still running
+    kill "$SSHD_PID"
+
+    set -e
+
+    echo "##### return $RETURN"
+    if [ "$RETURN" = "$CODE" ] ; then
+       echo "##### ssh connection test returned as desired"
+       return 0
+    else
+       echo "##### ssh connection test failed.  expected return code $CODE"
+       return 1
+    fi
 }
 
 failed_cleanup() {
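Review bot: The `while [ ! -S "$SOCKET" ]` wait in ssh_test has no upper bound, so if socat or sshd fails to start the test run hangs instead of failing; a counter that gives up after a few seconds and returns non-zero would make that visible. ssh_test is now called several times against the same "$SOCKET" path and `kill "$SSHD_PID"` is not followed by a wait, so a socket file left from the previous round could satisfy the loop before the new listener is ready; `kill "$SSHD_PID" ; wait "$SSHD_PID" ; rm -f "$SOCKET"` inside the `set +e` section removes that race. The `umask 0077` at the top of the function changes the umask for the rest of the script, which deserves a comment if intended.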
@@ -41,12 +67,15 @@ failed_cleanup() {
     cleanup
 }
 
-cleanup() {
-    if ( ps "$SSHD_PID" >/dev/null ) ; then 
-       echo "### stopping still-running sshd..."
-       kill "$SSHD_PID"
+get_gpg_prng_arg() {
+    if (gpg --quick-random --version >/dev/null 2>&1) ; then
+       echo quick-random
+    elif (gpg --debug-quick-random --version >/dev/null 2>&1) ; then
+       echo debug-quick-random
     fi
+}
 
+cleanup() {
     echo "### removing temp dir..."
     rm -rf "$TEMPDIR"
 
@@ -56,6 +85,8 @@ cleanup() {
 ## setup trap
 trap failed_cleanup EXIT
 
+
+### SETUP VARIABLES
 ## set up some variables to ensure that we're operating strictly in
 ## the tests, not system-wide:
 
@@ -76,46 +107,73 @@ export PATH="$TESTDIR"/../src:"$TESTDIR"/../src/keytrans:"$PATH"
 export MONKEYSPHERE_SYSDATADIR="$TEMPDIR"
 export MONKEYSPHERE_SYSCONFIGDIR="$TEMPDIR"
 export MONKEYSPHERE_SYSSHAREDIR="$TESTDIR"/../src
-export MONKEYSPHERE_MONKEYSPHERE_USER="$USER"
+export MONKEYSPHERE_MONKEYSPHERE_USER=$(whoami)
 export MONKEYSPHERE_CHECK_KEYSERVER=false
+export MONKEYSPHERE_LOG_LEVEL=DEBUG
 
 export SSHD_CONFIG="$TEMPDIR"/sshd_config
 export SOCKET="$TEMPDIR"/ssh-socket
+export SSHD_PID=
+
+# Make sure $DISPLAY is set to convince ssh and monkeysphere to fall
+# back on $SSH_ASKPASS.  Make sure it's not set to the current actual
+# $DISPLAY (if one exists) because this test suite should not be doing
+# *anything* with any running X11 session.
+export DISPLAY=monkeys
+
+### CONFIGURE ENVIRONMENTS
 
 # copy in admin and testuser home to tmp
 echo "### copying admin and testuser homes..."
 cp -a "$TESTDIR"/home/admin "$TEMPDIR"/
 cp -a "$TESTDIR"/home/testuser "$TEMPDIR"/
 
-cat <<EOF >> "$TEMPDIR"/testuser/.ssh/config
-UserKnownHostsFile $TEMPDIR/testuser/.ssh/known_hosts
-ProxyCommand $TEMPDIR/testuser/.ssh/proxy-command %h %p $SOCKET
+# set up environment for testuser
+TESTHOME="$TEMPDIR"/testuser
+export GNUPGHOME="$TESTHOME"/.gnupg
+export SSH_ASKPASS="$TESTHOME"/.ssh/askpass
+export MONKEYSPHERE_HOME="$TESTHOME"/.monkeysphere
+cat <<EOF >> "$TESTHOME"/.ssh/config
+UserKnownHostsFile $TESTHOME/.ssh/known_hosts
+IdentityFile $TESTHOME/.ssh/no-such-identity
+ProxyCommand $TESTHOME/.ssh/proxy-command %h %p $SOCKET
 EOF
-
-cat <<EOF >> "$TEMPDIR"/testuser/.monkeysphere/monkeysphere.conf
-KNOWN_HOSTS=$TEMPDIR/testuser/.ssh/known_hosts
+cat <<EOF >> "$MONKEYSPHERE_HOME"/monkeysphere.conf
+KNOWN_HOSTS=$TESTHOME/.ssh/known_hosts
 EOF
+get_gpg_prng_arg >> "$GNUPGHOME"/gpg.conf
 
-# set up a simple default monkeysphere-server.conf
-cat <<EOF >> "$TEMPDIR"/monkeysphere-server.conf
-AUTHORIZED_USER_IDS="$TEMPDIR/testuser/.monkeysphere/authorized_user_ids"
+# set up sshd
+echo "### configuring sshd..."
+cp etc/ssh/sshd_config "$SSHD_CONFIG"
+# write the sshd_config
+cat <<EOF >> "$SSHD_CONFIG"
+HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_rsa_key
+AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authorized_keys/%u
 EOF
 
-### SERVER TESTS
-
-# setup monkeysphere temp gnupghome directories
+# set up monkeysphere-server
+echo "### configuring monkeysphere..."
 mkdir -p -m 750 "$MONKEYSPHERE_SYSDATADIR"/gnupg-host
 mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication
 mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authorized_keys
+mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/tmp
+cp etc/monkeysphere/monkeysphere-server.conf "$TEMPDIR"/monkeysphere-server.conf
+cat <<EOF >> "$TEMPDIR"/monkeysphere-server.conf
+AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authorized_user_ids"
+EOF
 cat <<EOF > "$MONKEYSPHERE_SYSDATADIR"/gnupg-authentication/gpg.conf
 primary-keyring ${MONKEYSPHERE_SYSDATADIR}/gnupg-authentication/pubring.gpg
 keyring ${MONKEYSPHERE_SYSDATADIR}/gnupg-host/pubring.gpg
 EOF
 
+
+### SERVER TESTS
+
 # create a new host key
 echo "### generating server key..."
 # add gpg.conf with quick-random
-echo "quick-random" >> "$MONKEYSPHERE_SYSCONFIGDIR"/gnupg-host/gpg.conf
+get_gpg_prng_arg >> "$MONKEYSPHERE_SYSCONFIGDIR"/gnupg-host/gpg.conf
 echo | monkeysphere-server gen-key --length 1024 --expire 0 testhost
 # remove the gpg.conf
 rm "$MONKEYSPHERE_SYSCONFIGDIR"/gnupg-host/gpg.conf
@@ -135,27 +193,12 @@ echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID"
 echo "### adding admin as certifier..."
 echo y | monkeysphere-server add-identity-certifier "$TEMPDIR"/admin/.gnupg/pubkey.gpg
 
-# initialize base sshd_config
-cp etc/ssh/sshd_config "$SSHD_CONFIG"
-# write the sshd_config
-cat <<EOF >> "$SSHD_CONFIG"
-HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_rsa_key
-AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authorized_keys/%u
-EOF
-
-# launch test sshd with the new host key.
-echo "### starting sshd..."
-launch_sshd
 
 ### TESTUSER TESTS
 
-# generate an auth subkey for the test user
+# generate an auth subkey for the test user that expires in 2 days
 echo "### generating key for testuser..."
-export GNUPGHOME="$TEMPDIR"/testuser/.gnupg
-export SSH_ASKPASS="$TEMPDIR"/testuser/.ssh/askpass
-export MONKEYSPHERE_HOME="$TEMPDIR"/testuser/.monkeysphere
-
-monkeysphere gen-subkey --expire 0
+monkeysphere gen-subkey --expire 2
 
 # add server key to testuser keychain
 echo "### export server key to testuser..."
@@ -165,34 +208,37 @@ gpgadmin --armor --export "$HOSTKEYID" | gpg --import
 echo "### export testuser key to server..."
 gpg --export testuser | monkeysphere-server gpg-authentication-cmd --import
 echo "### update server authorized_keys file for this testuser..."
-monkeysphere-server update-users "$USER"
+monkeysphere-server update-users $(whoami)
 
 # connect to test sshd, using monkeysphere-ssh-proxycommand to verify
 # the identity before connection.  This should work in both directions!
-echo "### testuser connecting to sshd socket..."
+echo "### ssh connection test for success..."
 ssh_test
 
-# kill the previous sshd process if it's still running
-kill "$SSHD_PID"
-
-# now remove the testuser's authorized_user_ids file and reupdate
-# authorized_keys file...
-echo "### removing testuser authorized_user_ids and reupdating authorized_keys..."
-rm -f "$TEMPDIR"/testuser/.monkeysphere/authorized_user_ids
-monkeysphere-server update-users "$USER"
-
-# restart the sshd
-echo "### restarting sshd..."
-launch_sshd
-
-# and make sure the user can no longer connect
-echo "### testuser attempting to connect to sshd socket..."
-# FIXME: this prompts for the passphrase for the default identity
-# file.  how can this be avoided?
-ssh_test || SSH_RETURN="$?"
-if [ "$SSH_RETURN" != '255' ] ; then
-    exit
-fi
+# remove the testuser's authorized_user_ids file, update, and make
+# sure that the ssh authentication FAILS
+echo "### removing testuser authorized_user_ids and updating..."
+mv "$TESTHOME"/.monkeysphere/authorized_user_ids{,.bak}
+monkeysphere-server update-users $(whoami)
+echo "### ssh connection test for server authentication denial..."
+ssh_test 255
+mv "$TESTHOME"/.monkeysphere/authorized_user_ids{.bak,}
+
+# put improper permissions on authorized_user_ids file, update, and
+# make sure ssh authentication FAILS
+echo "### setting group writability on authorized_user_ids and updating..."
+chmod g+w "$TESTHOME"/.monkeysphere/authorized_user_ids
+monkeysphere-server update-users $(whoami)
+echo "### ssh connection test for server authentication denial..."
+ssh_test 255
+chmod g-w "$TESTHOME"/.monkeysphere/authorized_user_ids
+echo "### setting other writability on authorized_user_ids and updating..."
+chmod o+w "$TESTHOME"/.monkeysphere/authorized_user_ids
+monkeysphere-server update-users $(whoami)
+echo "### ssh connection test for server authentication denial..."
+ssh_test 255
+chmod o-w "$TESTHOME"/.monkeysphere/authorized_user_ids
+
 
 trap - EXIT
 
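Review bot: The three negative cases assert only that ssh exits with 255, which ssh returns for any connection-level error, so they would also pass if sshd never started or the ProxyCommand failed, not just when authentication is refused. Each case should additionally assert the server-side state after update-users, for example `[ ! -s "$MONKEYSPHERE_SYSDATADIR/authorized_keys/$(whoami)" ]`, so that the denial is tied to the missing or rejected authorized_user_ids file; this presumes update-users removes or empties that file when no keys are accepted. The `mv ... authorized_user_ids{,.bak}` lines depend on bash brace expansion, which is worth a comment if the script's interpreter line is not bash.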
diff --git a/tests/etc/monkeysphere/monkeysphere-server.conf b/tests/etc/monkeysphere/monkeysphere-server.conf
new file mode 100644 (file)
index 0000000..9cc396f
--- /dev/null
@@ -0,0 +1,5 @@
+# Base monkeysphere-server.conf for monkeysphere tests
+
+# AUTHORIZED_USER_IDS variable will be added dynamically during test.
+
+RAW_AUTHORIZED_KEYS=none
index f65c71b97aaf0784a9730e83ea8bac60cd48bd6a..c8cb60d15396258cf62f864be3c26b74fea7206f 100644 (file)
@@ -1,5 +1,3 @@
-# command to avoid depleting the system entropy
-quick-random
 # other options
 verify-options show-uid-validity
 list-options show-uid-validity
index 59cc0cfb093585adce1ffb6be6215e91ed0a08da..dbe0233eb0c1243d90868ecf6123c9ad572527cb 100644 (file)
@@ -1,3 +1,5 @@
 # monkeysphere config for testuser in monkeysphere test suite
 
+LOG_LEVEL=DEBUG
+
 # KNOWN_HOSTS will be dynamically defined after creation.
index 32ba9b7097371941a3f5f2ea0f3d27b0c25de286..e5ea72c91c790ef0469bf74b93f92c199caeb60f 100644 (file)
@@ -33,38 +33,38 @@ look at the source, we recommend [using git](/community).
 
 But if you want a tarball of the most recent release, we publish those
 too.  The [latest
-tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.16.orig.tar.gz)
+tarball](http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.19.orig.tar.gz)
 has these checksums:
 
 <pre>
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-checksums for the monkeysphere 0.16 release:
+checksums for the monkeysphere 0.19 release:
 
 MD5:
-4bc223e8004e0e374bd54f0315585c49  monkeysphere_0.16.orig.tar.gz
+64c643dd0ab642bbc8814aec1718000e  monkeysphere_0.19.orig.tar.gz
 
 SHA1:
-82c78ea1aeecb3059a14af9dfab0f471ce315e38  monkeysphere_0.16.orig.tar.gz
+ea3c263b084d2c0b7922cd96677be192201700e4  monkeysphere_0.19.orig.tar.gz
 
 SHA256:
-f2dbd031315f99c82099a4a902f2240cca97536b035ef75872e72a65f324c9d7  monkeysphere_0.16.orig.tar.gz
+321b77c1e10fe48ffbef8491893f5dd22842c35c11464efa7893150ce756a522  monkeysphere_0.19.orig.tar.gz
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 
-iQIVAwUBSQQdZRjmZ/HrivMUAQJaIA/6AnZG0yYJJ+0C4S0McnBnLMyiA4zQzVsH
-5J9dAYO771h0TZnlre1NZdgiP37YiPA1et24O/S7da0Ud/CND+V7CGrsxPzsfEbP
-xTPVDST2BgvnDo9LYN4Q9h7QD4lOiGjhoJM6PN/R6Zo2OGiw+yZ8RP+BW5AxW21e
-3AnasZ2XLEmwqI0AMl9OWsLk4NzeS7t+ycWjwJKINOk/5ghzlOR0Use/mRyTHvzy
-GhMjrLoqtgHo85pAfAWT7LkwTt+FDVRzLZl2shzJszewvPFva+z2A8kvuY+vAzUw
-CSvIAC5MSrheFUg1JC+6efVbUTgn3RZj+zn7CxyttVuRzjyrnY2WkiMOT5mKuZCg
-LR42FEXnDCNHjreVLB6PoU1bOseohRbfK2yN+oDSoXmO4GoKetokGEWU/S+pi/gq
-dhjyMZUYv1pgE9Vtz3ps0vVC4e8D/i39qEm7JB2AWPWU4jGX5cLCeEkrfXGsGWyu
-OxGGywarXfNp83R62QTh2cPZlkACj3IwoYgZ2h8r98ikyJlQE0Y7V8uHKsx1DMJX
-JBemkEVW5P7pZiRS7X2zqLGIDNwqBKNRnjZ7bAhqThJXpCBWNuZ+DjGY743BBddr
-RAfQUvdjbSEOD78NMh6pLLg3iYJA902EVXZX8Q8JQnjg5GlUrB2yS5uz82dwjbpx
-dy0gzEhr4DA=
-=DY0y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+=VUsz
 -----END PGP SIGNATURE-----
 </pre>
diff --git a/website/news/release-0.17-1.mdwn b/website/news/release-0.17-1.mdwn
new file mode 100644 (file)
index 0000000..ec847fb
--- /dev/null
@@ -0,0 +1,17 @@
+[[meta title="Monkeysphere 0.17-1 released!"]]
+
+# Monkeysphere 0.17-1 released! #
+
+Monkeysphere 0.17-1 has been released.  
+
+Notes from the changelog:
+
+<pre>
+  [ Jameson Graef Rollins ]  
+  * Fix some bugs in, and cleanup, authorized_keys file creation in
+    monkeysphere-server update-users.
+  * Move to using the empty string for not adding a user-controlled
+    authorized_keys file in the RAW_AUTHORIZED_KEYS variable.
+</pre>
+
+[[Download]] it now!
diff --git a/website/news/release-0.18-1.mdwn b/website/news/release-0.18-1.mdwn
new file mode 100644 (file)
index 0000000..b434360
--- /dev/null
@@ -0,0 +1,25 @@
+[[meta title="Monkeysphere 0.18-1 released!"]]
+
+# Monkeysphere 0.18-1 released! #
+
+Monkeysphere 0.18-1 has been released.  
+
+Notes from the changelog:
+
+<pre>
+  [ Jameson Graef Rollins ]
+  * Fix bugs in authorized_{user_ids,keys} file permission checking.
+  * Add new monkeysphere tmpdir to enable atomic moves of authorized_keys
+    files.
+  * chown authorized_keys files to `whoami`, for compatibility with test
+    suite.
+  * major improvements to test suite, added more tests.
+  
+  [ Daniel Kahn Gillmor ]
+  * update make install to ensure placement of
+    /etc/monkeysphere/gnupg-{host,authentication}.conf 
+  * choose either --quick-random or --debug-quick-random depending on
+    which gpg supports for the test suite.
+</pre>
+
+[[Download]] it now!
diff --git a/website/news/release-0.19-1.mdwn b/website/news/release-0.19-1.mdwn
new file mode 100644 (file)
index 0000000..f3336da
--- /dev/null
@@ -0,0 +1,15 @@
+[[meta title="Monkeysphere 0.19-1 released!"]]
+
+# Monkeysphere 0.19-1 released! #
+
+Monkeysphere 0.19-1 has been released.  
+
+Notes from the changelog:
+
+<pre>
+  [ Daniel Kahn Gillmor ]
+  * simulating an X11 session in the test script.
+  * updated packaging so that symlinks to config files are correct.
+</pre>
+
+[[Download]] it now!