monkeysphere (0.2-1) UNRELEASED; urgency=low
- * NOT YET RELEASED
- *
+ [ Daniel Kahn Gillmor ]
+ * NOT YET RELEASED (switch to "experimental" when ready to release)
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Thu, 19 Jun 2008 04:03:45 -0400
+ [ Jameson Graef Rollins ]
+ * Add AUTHORIZED_USER_IDS config variable for server, which defaults to
+ %h/.config/monkeysphere/authorized_user_ids, instead of
+ /etc/monkeysphere/authorized_user_ids.
+ * Remove {update,remove}-userids functions, since we decided they
+ weren't useful enough to be worth maintaining.
+ * Better handling of unknown users in server update-users
+ * Add file locking when modifying known_hosts or authorized_keys
-monkeysphere (0.1-1) unstable; urgency=low
+ -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Fri, 20 Jun 2008 00:43:44 -0400
+
+monkeysphere (0.1-1) experimental; urgency=low
* First release of debian package for monkeysphere.
* This is experimental -- please report bugs!
var/cache/monkeysphere
var/cache/monkeysphere/authorized_keys
etc/monkeysphere
-etc/monkeysphere/authorized_user_ids
doc/george/host-key-publication for what dkg went through on
2008-06-19
-Streamline authorized_user_ids setup (including question of where
- authorized_user_ids files should go). See
- doc/george/user-id-configuration for what dkg went through on
- 2008-06-19
-
Ensure that authorized_user_ids are under as tight control as ssh
expects from authorized_keys: we don't want monkeysphere to be a
weak link in the filesystem.
-What happens when there are no entries in the authorized_user_ids file
- for a user? /var/cache/monkeysphere/authorized_keys/$USER.tmp
- seems like it gets created and then left there.
-
What happens when a user account has no corresponding
/etc/monkeysphere/authorized_user_ids/$USER file? What gets placed
in /var/cache/monkeysphere/authorized_keys/$USER? It looks
currently untouched, which could mean bad things for such a user.
+ - if authorized_user_ids is empty, then the user's authorized_keys
+ file will be also, unless the user-controlled authorized_keys file
+ is added. I believe this is expected, correct behavior.
Consider the default permissions for
/var/cache/monkeysphere/authorized_keys/* (and indeed the whole
directory path leading up to that)
-What should happen when an admin does
- "monkeysphere-server update-users not_an_existent_user"?
- currently, it adds
- /etc/monkeysphere/authorized_user_ids/not_an_existent_user, which
- seems rather wrong.
-
-is /var/cache/monkeysphere/authorized_keys/$USER.tmp guaranteed to
- avoid collisions? Why not use a real mktemp file?
-
As an administrator, how do i reverse the effect of a
"monkeysphere-server trust-keys" that i later decide i should not
have run?
* changes to this system *
******************************************************************************
+2008-06-20 - micah
+ * Commented out the 'export SSHD_OOM_ADJUST=-17' from the
+ /etc/init.d/ssh initscript, and the 'SSHD_OOM_ADJUST=-17' from
+ /etc/default/ssh in order to make this error go away:
+ "error writing /proc/self/oom_adj: Operation not permitted"
+ (c.f. Debian #487325)
+
+200r-06-20 - dkg
+ * touched /etc/environment to get rid of some spurious auth.log
+ entries.
+ * turned up sshd's LogLevel from INFO to DEBUG
+
+2008-06-19 - dkg
+ * installed rsync (for maintaining a public apt repo)
+
+ * configured mathopd to listen on port 80, serving /srv/www as /
+ and /srv/apt as /debian. We've got nothing in /srv/www at the
+ moment, though.
+
+ * installed lsof and psmisc as sysadmin utilities. sorry for the
+ bloat!
+
+ * installed strace to try to figure out why onak is segfaulting.
+
2008-06-19 - dkg
* removed etch sources, switched "testing" to "lenny", added
lenny/updates, removed all contrib and non-free.
Some outstanding questions:
- * why are the authorized_user_ids stored in /etc/ and not in people's
- home directories?
-
- * why are authorized_user_ids managed with a special sub-command of
- monkeysphere-server, instead of just being hand-managed files, the
- way that authorized_keys are in stock openssh?
-
* Should we ship a scheduled monkeysphere-server update-users cron
job automatically?
# a = authentication
#REQUIRED_USER_KEY_CAPABILITY="a"
+# Path to authorized_user_ids file to process to create
+# authorized_keys file. '%h' will be replaced by the home directory
+# of the user, and %u will be replaced by the username of the user.
+# For purely admin-controlled authorized_user_ids, you might put them
+# in /etc/monkeysphere/authorized_user_ids/%u
+#AUTHORIZED_USER_IDS="%h/.config/monkeysphere/authorized_user_ids"
+
# Whether to add user controlled authorized_keys file to
# monkeysphere-generated authorized_keys file. Should be path to file
# where '%h' will be replaced by the home directory of the user.
# To not add any user-controlled file, put "-"
-#USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys
+#USER_CONTROLLED_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
.B ProxyCommand monkeysphere-ssh-proxycommand %h %p
-The script is very simple, and can easily be incorporated into other
-ProxyCommand scripts. It first tests to see if the host is in the
-known_hosts file. If it's not, the CHECK_KEYSERVER variable is set to
-true and "update-known_hosts" is run for the host to check for a host
-key for that host. If the host is found in the known_hosts file,
-CHECK_KEYSERVER is set to false and "update-known_hosts" is run to
-update from the local keychain.
+The script can easily be incorporated into other ProxyCommand scripts
+by calling it with the "--no-connect" option, ie:
-Run the following command for more info:
+.B monkeysphere-ssh-proxycommand --no-connect "$HOST" "$PORT"
-.B less $(which monkeysphere-ssh-proxycommand)
+This will run everything but will not exec netcat to make the tcp
+connection to the host.
+
+.SH KEYSERVER CHECKING
+
+The proxy command has a fairly nuanced policy for when keyservers are
+queried when processing host. If the host userID is not found in
+either the user's keyring or in the known_hosts file, then the
+keyserver is queried for the host userID. If the host userID is found
+in the user's keyring, then the keyserver is not checked. This is
+because... If the host userID is not found in the user's keyring, but
+the host is listed in the known_hosts file, then defered check is
+scheduled.
+
+.SH ENVIRONMENT VARIABLES
+
+.TP
+KEYSERVER The keyserver to query.
.SH AUTHOR
known_hosts file will be processed. `k' may be used in place of
`update-known_hosts'.
.TP
-.B update-userids [USERID]...
-Add/update a user ID to the authorized_user_ids file. The user IDs
-specified should be exact matches to OpenPGP user IDs. For each
-specified user ID, gpg will be queried for a key associated with that
-user ID, querying a keyserver if specified. If a key is found, the
-user ID will be added to the user's authorized_user_ids file (if it
-wasn't already present). `u' may be used in place of
-`update-userids'.
-.TP
-.B remove-userids [USERID]...
-Remove a user ID from the authorized_user_ids file. The user IDs
-specified should be exact matches to OpenPGP user IDs. `r' may be
-used in place of `remove-userids'.
-.TP
.B update-authorized_keys
Update the monkeysphere authorized_keys file. For each user ID in the
user's authorized_user_ids file, gpg will be queried for keys
GPG keys are considered acceptable if the following criteria are met:
.TP
.B capability
-For host keys, the key must have both the "authentication" ("a") and
-"encrypt" ("e") capability flags. For user keys, the key must have
-the "authentication" ("a") capability flag.
+The key must have the "authentication" ("a") usage flag set.
.TP
.B validity
The key must be "fully" valid, and must not be expired or revoked.
~/.config/monkeysphere/authorized_user_ids
OpenPGP user IDs associated with keys that will be checked for
addition to the authorized_keys file.
-.TP
-~/.config/monkeysphere/authorized_keys
-Monkeysphere generated authorized_keys file.
.SH AUTHOR
.TP
.B update-users [USER]...
Update the admin-controlled authorized_keys files for user. For each
-user specified, update the user's authorized_keys file in
+user specified, user ID's listed in the user's authorized_user_ids
+file are processed, and the user's authorized_keys file in
/var/cache/monkeysphere/authorized_keys/USER. See `man monkeysphere'
for more info. If the USER_CONTROLLED_AUTHORIZED_KEYS variable is
set, then a user-controlled authorized_keys file (usually
Mark key specified with key IDs with full owner trust. `t' may be used
in place of `trust-keys'.
.TP
-.B update-user-userids USER USERID...
-Add/update a user ID to the authorized_user_ids file for USER. `u' may
-be used in place of `update-user-userids'.
-.TP
-.B remove-user-userids USER USERID...
-Remove a user ID from the authorized_user_ids file for USER. `r' may
-be used in place of `remove-user-userids'.
-.TP
.B help
Output a brief usage summary. `h' or `?' may be used in place of
`help'.
export ETC
CACHE="/var/cache/monkeysphere"
export CACHE
+ERR=0
+export ERR
########################################################################
### UTILITY FUNCTIONS
+error() {
+ log "$1"
+ ERR=${2:-'1'}
+}
+
failure() {
echo "$1" >&2
exit ${2:-'1'}
# write output to stderr
log() {
- echo -n "ms: " 1>&2
- echo "$@" 1>&2
+ echo -n "ms: " >&2
+ echo "$@" >&2
}
loge() {
- echo "$@" 1>&2
+ echo "$@" >&2
}
# cut out all comments(#) and blank lines from standard input
fi
}
+# translate ssh-style path variables %h and %u
+translate_ssh_variables() {
+ local uname
+ local home
+
+ uname="$1"
+ path="$2"
+
+ # get the user's home directory
+ userHome=$(getent passwd "$uname" | cut -d: -f6)
+
+ # translate '%u' to user name
+ path=${path/\%u/"$uname"}
+ # translate '%h' to user home directory
+ path=${path/\%h/"$userHome"}
+
+ echo "$path"
+}
+
### CONVERTION UTILITIES
# output the ssh key for a given key ID
done
}
-# update the cache for userid, and prompt to add file to
-# authorized_user_ids file if the userid is found in gpg
-# and not already in file.
-update_userid() {
- local userID
-
- userID="$1"
-
- log "processing userid: '$userID'"
-
- # process the user ID to pull it from keyserver
- process_user_id "$userID" | grep -q "^0 "
-
- # check if user ID is in the authorized_user_ids file
- if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
- read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y}
- if [ ${OK/y/Y} = 'Y' ] ; then
- # add if specified
- log -n " adding user ID to authorized_user_ids file... "
- echo "$userID" >> "$AUTHORIZED_USER_IDS"
- loge "done."
- else
- # else do nothing
- log " authorized_user_ids file untouched."
- fi
- fi
-}
-
-# remove a userid from the authorized_user_ids file
-remove_userid() {
- local userID
-
- userID="$1"
-
- log "processing userid: '$userID'"
-
- # check if user ID is in the authorized_user_ids file
- if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
- log " user ID not currently authorized."
- return 1
- fi
-
- # remove user ID from file
- log -n " removing user ID '$userID'... "
- remove_line "$AUTHORIZED_USER_IDS" "^${userID}$"
- loge "done."
-}
-
-# process a host in known_host file
-process_host_known_hosts() {
+# process hosts in the known_host file
+process_hosts_known_hosts() {
local host
local userID
local ok
local keyid
local tmpfile
- host="$1"
- userID="ssh://${host}"
-
- log "processing host: $host"
-
- process_user_id "ssh://${host}" | \
- while read -r ok keyid ; do
- sshKey=$(gpg2ssh "$keyid")
- # remove the old host key line
- remove_line "$KNOWN_HOSTS" "$sshKey"
- # if key OK, add new host line
- if [ "$ok" -eq '0' ] ; then
- # hash if specified
- if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then
- # FIXME: this is really hackish cause ssh-keygen won't
- # hash from stdin to stdout
- tmpfile=$(mktemp)
- ssh2known_hosts "$host" "$sshKey" > "$tmpfile"
- ssh-keygen -H -f "$tmpfile" 2> /dev/null
- cat "$tmpfile" >> "$KNOWN_HOSTS"
- rm -f "$tmpfile" "${tmpfile}.old"
- else
- ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS"
+ # create a lockfile on known_hosts
+ lockfile-create "$KNOWN_HOSTS"
+
+ for host ; do
+ log "processing host: $host"
+
+ userID="ssh://${host}"
+
+ process_user_id "ssh://${host}" | \
+ while read -r ok keyid ; do
+ sshKey=$(gpg2ssh "$keyid")
+ # remove the old host key line
+ remove_line "$KNOWN_HOSTS" "$sshKey"
+ # if key OK, add new host line
+ if [ "$ok" -eq '0' ] ; then
+ # hash if specified
+ if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then
+ # FIXME: this is really hackish cause ssh-keygen won't
+ # hash from stdin to stdout
+ tmpfile=$(mktemp)
+ ssh2known_hosts "$host" "$sshKey" > "$tmpfile"
+ ssh-keygen -H -f "$tmpfile" 2> /dev/null
+ cat "$tmpfile" >> "$KNOWN_HOSTS"
+ rm -f "$tmpfile" "${tmpfile}.old"
+ else
+ ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS"
+ fi
fi
- fi
+ done
+ # touch the lockfile, for good measure.
+ lockfile-touch --oneshot "$KNOWN_HOSTS"
done
+
+ # remove the lockfile
+ lockfile-remove "$KNOWN_HOSTS"
}
-# process a uid in an authorized_keys file
-process_uid_authorized_keys() {
+# process uids for the authorized_keys file
+process_uids_authorized_keys() {
local userID
local ok
local keyid
- userID="$1"
+ # create a lockfile on authorized_keys
+ lockfile-create "$AUTHORIZED_KEYS"
- log "processing user ID: $userID"
+ for userID ; do
+ log "processing user ID: $userID"
- process_user_id "$userID" | \
- while read -r ok keyid ; do
- sshKey=$(gpg2ssh "$keyid")
- # remove the old host key line
- remove_line "$AUTHORIZED_KEYS" "$sshKey"
- # if key OK, add new host line
- if [ "$ok" -eq '0' ] ; then
- ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS"
- fi
+ process_user_id "$userID" | \
+ while read -r ok keyid ; do
+ sshKey=$(gpg2ssh "$keyid")
+ # remove the old host key line
+ remove_line "$AUTHORIZED_KEYS" "$sshKey"
+ # if key OK, add new host line
+ if [ "$ok" -eq '0' ] ; then
+ ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS"
+ fi
+ done
+ # touch the lockfile, for good measure.
+ lockfile-touch --oneshot "$AUTHORIZED_KEYS"
done
+
+ # remove the lockfile
+ lockfile-remove "$AUTHORIZED_KEYS"
}
# process known_hosts file
cat "$KNOWN_HOSTS" | meat | \
cut -d ' ' -f 1 | grep -v '^|.*$' | \
while IFS=, read -r -a hosts ; do
- # and process each host
- for host in ${hosts[*]} ; do
- process_host_known_hosts "$host"
- done
+ process_hosts_known_hosts ${hosts[@]}
done
}
process_authorized_user_ids() {
local userid
- cat "$AUTHORIZED_USER_IDS" | meat | \
+ authorizedUserIDs="$1"
+
+ cat "$authorizedUserIDs" | meat | \
while read -r userid ; do
- process_uid_authorized_keys "$userid"
+ process_uids_authorized_keys "$userid"
done
}
subcommands:
update-known_hosts (k) [HOST]... update known_hosts file
- update-userids (u) [USERID]... add/update user IDs
- remove-userids (r) [USERID]... remove user IDs
update-authorized_keys (a) update authorized_keys file
gen-subkey (g) KEYID generate an 'a' capable subkey
help (h,?) this help
# if hosts are specified on the command line, process just
# those hosts
if [ "$1" ] ; then
- for host ; do
- process_host_known_hosts "$host"
- done
- log "known_hosts file updated."
+ process_hosts_known_hosts "$@"
- # otherwise, if no hosts are specified, process every user
+ # otherwise, if no hosts are specified, process every host
# in the user's known_hosts file
else
if [ ! -s "$KNOWN_HOSTS" ] ; then
fi
log "processing known_hosts file..."
process_known_hosts
- log "known_hosts file updated."
fi
- ;;
- 'update-userids'|'update-userid'|'u')
- if [ -z "$1" ] ; then
- failure "you must specify at least one userid."
- fi
- for userID ; do
- update_userid "$userID"
- done
- log "Run the following to update your monkeysphere authorized_keys file:"
- log "$PGRM update-authorized_keys"
- ;;
-
- 'remove-userids'|'remove-userid'|'r')
- if [ -z "$1" ] ; then
- failure "you must specify at least one userid."
- fi
- for userID ; do
- remove_userid "$userID"
- done
- log "Run the following to update your monkeysphere authorized_keys file:"
- log "$PGRM update-authorized_keys"
+ log "known_hosts file updated."
;;
'update-authorized_keys'|'update-authorized-keys'|'a')
# process authorized_user_ids file
log "processing authorized_user_ids file..."
- process_authorized_user_ids
+ process_authorized_user_ids "$AUTHORIZED_USER_IDS"
log "authorized_keys file updated."
;;
MonkeySphere server admin tool.
subcommands:
+ update-users (s) [USER]... update users authorized_keys files
gen-key (g) [HOSTNAME] generate gpg key for the server
show-fingerprint (f) show server's host key fingerprint
publish-key (p) publish server key to keyserver
trust-keys (t) KEYID... mark keyids as trusted
-
- update-users (s) [USER]... update users authorized_keys files
- update-user-userids (u) USER UID... add/update user IDs for a user
- remove-user-userids (r) USER UID... remove user IDs for a user
help (h,?) this help
EOF
KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
+AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
export GNUPGHOME
case $COMMAND in
'update-users'|'update-user'|'s')
if [ "$1" ] ; then
+ # get users from command line
unames="$@"
else
- unames=$(ls -1 "${MS_HOME}/authorized_user_ids")
+ # or just look at all users if none specified
+ unames=$(getent passwd | cut -d: -f1)
fi
+ # loop over users
for uname in $unames ; do
MODE="authorized_keys"
+ # check all specified users exist
+ if ! getent passwd "$uname" >/dev/null ; then
+ error "----- unknown user '$uname' -----"
+ continue
+ fi
+
+ # set authorized_user_ids variable,
+ # translate ssh-style path variables
+ authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
+
+ # skip user if authorized_user_ids file does not exist
+ if [ ! -f "$authorizedUserIDs" ] ; then
+ continue
+ fi
+
log "----- user: $uname -----"
- # set variables for the user
- AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}"
# temporary authorized_keys file
- AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp"
-
- # make sure user's authorized_user_ids file exists
- touch "$AUTHORIZED_USER_IDS"
- # make sure the authorized_keys file exists and is clear
- > "$AUTHORIZED_KEYS"
+ AUTHORIZED_KEYS=$(mktemp)
# skip if the user's authorized_user_ids file is empty
- if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
- log "authorized_user_ids file for '$uname' is empty."
+ if [ ! -s "$authorizedUserIDs" ] ; then
+ log "authorized_user_ids file '$authorizedUserIDs' is empty."
continue
fi
# process authorized_user_ids file
log "processing authorized_user_ids file..."
- process_authorized_user_ids
+ process_authorized_user_ids "$authorizedUserIDs"
# add user-controlled authorized_keys file path if specified
if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
- userHome=$(getent passwd "$uname" | cut -d: -f6)
- userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
+ userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
if [ -f "$userAuthorizedKeys" ] ; then
log -n "adding user's authorized_keys file... "
cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
fi
# move the temp authorized_keys file into place
- mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}"
+ mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
log "authorized_keys file updated."
done
-
- log "----- done. -----"
;;
'gen-key'|'g')
done
;;
- 'update-user-userids'|'update-user-userid'|'u')
- uname="$1"
- shift
- if [ -z "$uname" ] ; then
- failure "You must specify user."
- fi
- if [ -z "$1" ] ; then
- failure "You must specify at least one user ID."
- fi
-
- # set variables for the user
- AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
-
- # make sure user's authorized_user_ids file exists
- touch "$AUTHORIZED_USER_IDS"
-
- # process the user IDs
- for userID ; do
- update_userid "$userID"
- done
-
- log "Run the following to update user's authorized_keys file:"
- log "$PGRM update-users $uname"
- ;;
-
- 'remove-user-userids'|'remove-user-userid'|'r')
- uname="$1"
- shift
- if [ -z "$uname" ] ; then
- failure "You must specify user."
- fi
- if [ -z "$1" ] ; then
- failure "You must specify at least one user ID."
- fi
-
- # set variables for the user
- AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
-
- # make sure user's authorized_user_ids file exists
- touch "$AUTHORIZED_USER_IDS"
-
- # process the user IDs
- for userID ; do
- remove_userid "$userID"
- done
-
- log "Run the following to update user's authorized_keys file:"
- log "$PGRM update-users $uname"
- ;;
-
'help'|'h'|'?')
usage
;;
Type '$PGRM help' for usage."
;;
esac
+
+exit "$ERR"
fi
# if the host is in the gpg keyring...
-if gpg --list-key ="${URI}" >/dev/null ; then
+if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then
# do not check the keyserver
CHECK_KEYSERVER="false"
# if the host is NOT in the keyring...
#!/bin/sh
+# seckey2sshagent: this is a hack of a script to cope with the fact
+# that openpgp2ssh currently cannot support encrypted secret keys.
+
+# the basic operating principal is:
+
+# export the secret key in encrypted format to a new keyring
+
+# remove the passphrase in that keyring
+
+# use that keyring with openpgp2ssh
+
+# Authors: Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+# Jameson Rollins <jrollins@fifthhorseman.net>
+
+
cleanup() {
echo -n "removing temp gpg home... "
rm -rf $FOO
projects / monkeysphere.git / commitdiff