summary |
shortlog |
log |
commit | commitdiff |
tree
raw |
patch |
inline | side by side (from parent 1:
014bf21)
Improve ms-server update-user function. Update/fix config files to
remove some unwanted configs, and clarify some things.
[ Daniel Kahn Gillmor ]
* new version (above: change UNRELEASED to experimental when releasing)
[ Daniel Kahn Gillmor ]
* new version (above: change UNRELEASED to experimental when releasing)
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 23 Jun 2008 19:58:47 -0400
+ [ Jameson Graef Rollins ]
+ * Move files in /var/cache/monkeysphere and GNUPGHOME for server to
+ the more appropriate /var/lib/monkeysphere.
+
+ -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Tue, 24 Jun 2008 00:22:09 -0400
monkeysphere (0.2-2) experimental; urgency=low
monkeysphere (0.2-2) experimental; urgency=low
-var/cache/monkeysphere
-var/cache/monkeysphere/authorized_keys
+var/lib/monkeysphere
+var/lib/monkeysphere/authorized_keys
usr/bin
usr/sbin
usr/share
usr/bin
usr/sbin
usr/share
-var/cache/monkeysphere
-var/cache/monkeysphere/authorized_keys
+var/lib/monkeysphere
+var/lib/monkeysphere/authorized_keys
and how the monkeysphere can help you reduce these threat vectors:
threat model reduction diagrams.
and how the monkeysphere can help you reduce these threat vectors:
threat model reduction diagrams.
-Determine how openssh handles multiple processes writing to
- known_hosts/authorized_keys files (lockfile, atomic appends?)
-
Handle unverified monkeysphere hosts in such a way that they're not
always removed from known_hosts file. Ask user to lsign the host
key?
Handle unverified monkeysphere hosts in such a way that they're not
always removed from known_hosts file. Ask user to lsign the host
key?
expects from authorized_keys: we don't want monkeysphere to be a
weak link in the filesystem.
expects from authorized_keys: we don't want monkeysphere to be a
weak link in the filesystem.
-What happens when a user account has no corresponding
- /etc/monkeysphere/authorized_user_ids/$USER file? What gets placed
- in /var/cache/monkeysphere/authorized_keys/$USER? It looks
- currently untouched, which could mean bad things for such a user.
- - if authorized_user_ids is empty, then the user's authorized_keys
- file will be also, unless the user-controlled authorized_keys file
- is added. I believe this is expected, correct behavior.
-
Consider the default permissions for
Consider the default permissions for
- /var/cache/monkeysphere/authorized_keys/* (and indeed the whole
+ /var/lib/monkeysphere/authorized_keys/* (and indeed the whole
directory path leading up to that)
directory path leading up to that)
-As an administrator, how do i reverse the effect of a
- "monkeysphere-server trust-keys" that i later decide i should not
- have run?
-
Make sure alternate ports are handled for known_hosts.
Script to import private key into ssh agent.
Make sure alternate ports are handled for known_hosts.
Script to import private key into ssh agent.
Update monkeysphere-ssh-proxycommand man page with new keyserver
checking policy info.
Update monkeysphere-ssh-proxycommand man page with new keyserver
checking policy info.
-Update monkeysphere-ssh-proxycommand man page with info about
- no-connect option.
-
File bug against seahorse about how, when creating new primary keys,
it presents option for "RSA (sign only)" but then creates an "esca"
key.
File bug against seahorse about how, when creating new primary keys,
it presents option for "RSA (sign only)" but then creates an "esca"
key.
generate authorized_keys file (which would be moved into place by
root). Host keyring would be owned by root.
generate authorized_keys file (which would be moved into place by
root). Host keyring would be owned by root.
-Check permissions of authorized_user_ids file to be writable only by
- user and root (same as authorized_keys)
-
-Improve function that sets owner trust for keys in server keychain.
-
Test and document what happens when any filesystem that the
monkeysphere-server relies on and modifies (/tmp, /etc, and /var?)
fills up.
Test and document what happens when any filesystem that the
monkeysphere-server relies on and modifies (/tmp, /etc, and /var?)
fills up.
-Consider moving monkeysphere-managed files (gpg homedirs? temporary
- files?) into /var.
-
Optimize keyserver access, particularly on monkeysphere-server
update-users -- is there a way to query the keyserver all in a
chunk?
Optimize keyserver access, particularly on monkeysphere-server
update-users -- is there a way to query the keyserver all in a
chunk?
# This is an sh-style shell configuration file. Variable names should
# be separated from their assignements by a single '=' and no spaces.
# This is an sh-style shell configuration file. Variable names should
# be separated from their assignements by a single '=' and no spaces.
-#FIXME: shouldn't this be in /var by default? These are not text
-#files, and they should generally not be managed directly by the
-#admin:
-# GPG home directory for server
-#GNUPGHOME=/etc/monkeysphere/gnupg
-
# GPG keyserver to search for keys
#KEYSERVER=subkeys.pgp.net
# GPG keyserver to search for keys
#KEYSERVER=subkeys.pgp.net
-# Required user key capabilities
-# Must be quoted, lowercase, space-seperated list of the following:
-# e = encrypt
-# s = sign
-# c = certify
-# a = authentication
-#REQUIRED_USER_KEY_CAPABILITY="a"
-
# Path to authorized_user_ids file to process to create
# authorized_keys file. '%h' will be replaced by the home directory
# of the user, and %u will be replaced by the username of the user.
# Path to authorized_user_ids file to process to create
# authorized_keys file. '%h' will be replaced by the home directory
# of the user, and %u will be replaced by the username of the user.
# in /etc/monkeysphere/authorized_user_ids/%u
#AUTHORIZED_USER_IDS="%h/.config/monkeysphere/authorized_user_ids"
# in /etc/monkeysphere/authorized_user_ids/%u
#AUTHORIZED_USER_IDS="%h/.config/monkeysphere/authorized_user_ids"
-#FIXME: why is the following variable named USER_CONTROLLED_...?
-#shouldn't this be something like MONKEYSPHERE_RAW_AUTHORIZED_KEYS
-#instead? For example, what about a server where the administrator
-#has locked down the authorized_keys file from user control, but still
-#wants to combine raw authorized_keys for some users with the
-#monkeysphere?
-
# Whether to add user controlled authorized_keys file to
# monkeysphere-generated authorized_keys file. Should be path to file
# where '%h' will be replaced by the home directory of the user or
# '%u' by the username. To not add any user-controlled file, put "-"
# Whether to add user controlled authorized_keys file to
# monkeysphere-generated authorized_keys file. Should be path to file
# where '%h' will be replaced by the home directory of the user or
# '%u' by the username. To not add any user-controlled file, put "-"
-#FIXME: this usage of "-" contravenes the normal convention where "-"
-#means standard in/out. Why not use "none" or "" instead?
-#USER_CONTROLLED_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
+# FIXME: this usage of "-" contravenes the normal convention where "-"
+# means standard in/out. Why not use "none" or "" instead?
+#RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
# GPG keyserver to search for keys
#KEYSERVER=subkeys.pgp.net
# GPG keyserver to search for keys
#KEYSERVER=subkeys.pgp.net
-# FIXME: consider removing REQUIRED_*_KEY_CAPABILITY entirely from
-# this example config, given our discussion
-# Required key capabilities
-# Must be quoted, lowercase, space-seperated list of the following:
-# e = encrypt
-# s = sign
-# c = certify
-# a = authentication
-#REQUIRED_HOST_KEY_CAPABILITY="a"
-#REQUIRED_USER_KEY_CAPABILITY="a"
+# Set whether or not to check keyservers at every monkeysphere
+# interaction, including all ssh connections if you use the
+# monkeysphere-ssh-proxycommand.
+# NOTE: setting CHECK_KEYSERVER to true will leak information about
+# the timing and frequency of your ssh connections to the maintainer
+# of the keyserver.
+#CHECK_KEYSERVER=true
# ssh known_hosts file
#KNOWN_HOSTS=~/.ssh/known_hosts
# ssh known_hosts file
#KNOWN_HOSTS=~/.ssh/known_hosts
#HASH_KNOWN_HOSTS=true
# ssh authorized_keys file (FIXME: why is this relevant in this file?)
#HASH_KNOWN_HOSTS=true
# ssh authorized_keys file (FIXME: why is this relevant in this file?)
-#AUTHORIZED_KEYS=~/.ssh/known_hosts
-
-# check keyservers at every ssh connection:
-# This overrides other environment variables (FIXME: what does this mean???)
-# NOTE: setting CHECK_KEYSERVER to true will leak information about
-# the timing and frequency of your ssh connections to the maintainer
-# of the keyserver.
-#CHECK_KEYSERVER=true
+#AUTHORIZED_KEYS=~/.ssh/authorized_keys
# managed directories
ETC="/etc/monkeysphere"
export ETC
# managed directories
ETC="/etc/monkeysphere"
export ETC
-CACHE="/var/cache/monkeysphere"
-export CACHE
########################################################################
### UTILITY FUNCTIONS
########################################################################
### UTILITY FUNCTIONS
[ -e "$MS_CONF" ] && . "$MS_CONF"
# set empty config variable with defaults
[ -e "$MS_CONF" ] && . "$MS_CONF"
# set empty config variable with defaults
-AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"}
GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"}
KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"}
KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
-REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"a"}
-REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
KNOWN_HOSTS=${KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"}
KNOWN_HOSTS=${KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"}
-AUTHORIZED_KEYS=${AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"}
HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"}
HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"}
+AUTHORIZED_KEYS=${AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"}
+
+# other variables
+AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"}
+REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"a"}
+REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
# make sure the user monkeysphere home directory exists
mkdir -p -m 0700 "$MS_HOME"
touch "$AUTHORIZED_USER_IDS"
# make sure the user monkeysphere home directory exists
mkdir -p -m 0700 "$MS_HOME"
touch "$AUTHORIZED_USER_IDS"
-touch "$AUTHORIZED_KEYS"
case $COMMAND in
'update-known_hosts'|'update-known-hosts'|'k')
case $COMMAND in
'update-known_hosts'|'update-known-hosts'|'k')
########################################################################
PGRM=$(basename $0)
########################################################################
PGRM=$(basename $0)
-SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
-export SHAREDIR
-. "${SHAREDIR}/common"
+SHARE=${SHARE:-"/usr/share/monkeysphere"}
+export SHARE
+. "${SHARE}/common"
+
+VARLIB="/var/lib/monkeysphere"
+export VARLIB
# date in UTF format if needed
DATE=$(date -u '+%FT%T')
# date in UTF format if needed
DATE=$(date -u '+%FT%T')
local hostName
hostName=${1:-$(hostname --fqdn)}
local hostName
hostName=${1:-$(hostname --fqdn)}
- service=${SERVICE:-"ssh"}
- userID="${service}://${hostName}"
+
+ SERVICE=${SERVICE:-"ssh"}
+ userID="${SERVICE}://${hostName}"
if gpg --list-key ="$userID" > /dev/null 2>&1 ; then
failure "Key for '$userID' already exists"
if gpg --list-key ="$userID" > /dev/null 2>&1 ; then
failure "Key for '$userID' already exists"
[ -e "$MS_CONF" ] && . "$MS_CONF"
# set empty config variable with defaults
[ -e "$MS_CONF" ] && . "$MS_CONF"
# set empty config variable with defaults
-GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
-REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
-USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
+RAW_AUTHORIZED_KEYS=${RAW_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
+# other variables
+REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
+GNUPGHOME_HOST=${GNUPGHOME_HOST:-"${VARLIB}/gnupg-host"}
+GNUPGHOME_AUTHENTICATION=${GNUPGHOME_AUTHENTICATION:-"${VARLIB}/gnupg-authentication"}
-# make sure the monkeysphere home directory exists
-mkdir -p "${MS_HOME}/authorized_user_ids"
-# make sure gpg home exists with proper permissions
+# set default GNUPGHOME, and make sure the directory exists
+GNUPGHOME="$GNUPGHOME_HOST"
+export GNUPGHOME
mkdir -p -m 0700 "$GNUPGHOME"
mkdir -p -m 0700 "$GNUPGHOME"
-# make sure the authorized_keys directory exists
-mkdir -p "${CACHE}/authorized_keys"
case $COMMAND in
'update-users'|'update-user'|'u')
case $COMMAND in
'update-users'|'update-user'|'u')
unames=$(getent passwd | cut -d: -f1)
fi
unames=$(getent passwd | cut -d: -f1)
fi
+ # set mode
+ MODE="authorized_keys"
+
+ # make sure the authorized_keys directory exists
+ mkdir -p "${VARLIB}/authorized_keys"
+
+ # set GNUPGHOME, and make sure the directory exists
+ GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
+ export GNUPGHOME
+ mkdir -p -m 0700 "$GNUPGHOME"
+
# loop over users
for uname in $unames ; do
# loop over users
for uname in $unames ; do
- MODE="authorized_keys"
-
# check all specified users exist
if ! getent passwd "$uname" >/dev/null ; then
error "----- unknown user '$uname' -----"
continue
fi
# check all specified users exist
if ! getent passwd "$uname" >/dev/null ; then
error "----- unknown user '$uname' -----"
continue
fi
- log "----- user: $uname -----"
-
- # set authorized_user_ids variable, translating ssh-style
- # path variables
+ # set authorized_user_ids and raw authorized_keys variables,
+ # translating ssh-style path variables
authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
+ rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
+
+ # if neither is found, skip user
+ if [ ! -s "$authorizedUserIDs" -a ! -s "$rawAuthorizedKeys" ] ; then
+ continue
+ fi
+
+ log "----- user: $uname -----"
# temporary authorized_keys file
AUTHORIZED_KEYS=$(mktemp)
# temporary authorized_keys file
AUTHORIZED_KEYS=$(mktemp)
+ # trap to delete file on exit
+ trap "rm -f $AUTHORIZE_KEYS" EXIT
+
# process authorized_user_ids file
if [ -s "$authorizedUserIDs" ] ; then
log "processing authorized_user_ids file..."
# process authorized_user_ids file
if [ -s "$authorizedUserIDs" ] ; then
log "processing authorized_user_ids file..."
fi
# add user-controlled authorized_keys file path if specified
fi
# add user-controlled authorized_keys file path if specified
- if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
- userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
- if [ -s "$userAuthorizedKeys" ] ; then
- log -n "adding user's authorized_keys file... "
- cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
+ if [ "$RAW_AUTHORIZED_KEYS" != '-' ] ; then
+ if [ -s "$rawAuthorizedKeys" ] ; then
+ log -n "adding raw authorized_keys file... "
+ cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
- # if the resulting authorized_keys file is not empty
+ # if the resulting authorized_keys file is not empty, move
+ # the temp authorized_keys file into place
if [ -s "$AUTHORIZED_KEYS" ] ; then
# openssh appears to check the contents of the
# authorized_keys file as the user in question, so the
if [ -s "$AUTHORIZED_KEYS" ] ; then
# openssh appears to check the contents of the
# authorized_keys file as the user in question, so the
chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
chmod g+r "$AUTHORIZED_KEYS"
chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
chmod g+r "$AUTHORIZED_KEYS"
- # move the temp authorized_keys file into place
- mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
+ mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
log "authorized_keys file updated."
log "authorized_keys file updated."