From: Daniel Kahn Gillmor Date: Fri, 20 Feb 2009 03:42:43 +0000 (-0500) Subject: Merge commit 'jrollins/master' X-Git-Tag: monkeysphere_0.23~34 X-Git-Url: https://codewiz.org/gitweb?p=monkeysphere.git;a=commitdiff_plain;h=e13bbc823bc8fe7a28303e45055643e15d0849cd;hp=21e298b8df5108b1337d66ba1a39184be4ce0e4e Merge commit 'jrollins/master' --- diff --git a/src/share/common b/src/share/common index 745a861..653d58b 100644 --- a/src/share/common +++ b/src/share/common @@ -1159,3 +1159,43 @@ list_primary_fingerprints() { awk -F: '/^fpr:/{ print $10 }' rm -rf "$fake" } + + +check_cruft_file() { + local loc="$1" + local version="$2" + + if [ -e "$loc" ] ; then + printf "! The file '%s' is no longer used by\n monkeysphere (as of version %s), and can be removed.\n\n" "$loc" "$version" | log info + fi +} + +check_upgrade_dir() { + local loc="$1" + local version="$2" + + if [ -d "$loc" ] ; then + printf "The presence of directory '%s' indicates that you have\nnot yet completed a monkeysphere upgrade.\nYou should probably run the following script:\n %s/transitions/%s\n\n" "$loc" "$SYSSHAREDIR" "$version" | log info + fi +} + +## look for cruft from old versions of the monkeysphere, and notice if +## upgrades have not been run: +report_cruft() { + check_upgrade_dir "${SYSCONFIGDIR}/gnupg-host" 0.23 + check_upgrade_dir "${SYSCONFIGDIR}/gnupg-authentication" 0.23 + + check_cruft_file "${SYSCONFIGDIR}/gnupg-authentication.conf" 0.23 + check_cruft_file "${SYSCONFIGDIR}/gnupg-host.conf" 0.23 + + local found= + for foo in "${SYSDATADIR}/backup-from-"*"-transition" ; do + if [ -d "$foo" ] ; then + printf "! %s\n" "$foo" | log info + found=true + fi + done + if [ "$found" ] ; then + printf "The directories above are backups left over from a monkeysphere transition.\nThey may contain copies of sensitive data (host keys, certifier lists), but\nthey are no longer needed by monkeysphere.\nYou may remove them at any time.\n\n" | log info + fi +} diff --git a/src/share/m/ssh_proxycommand b/src/share/m/ssh_proxycommand index d2b4527..bd09588 100644 --- a/src/share/m/ssh_proxycommand +++ b/src/share/m/ssh_proxycommand @@ -66,7 +66,7 @@ EOF sshKeyGPGFile=$(msmktempfile) printf "%s" "$sshKeyGPG" >"$sshKeyGPGFile" - sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" \ + sshFingerprint=$(ssh-keygen -l -f "$sshKeyGPGFile" | \ awk '{ print $2 }') rm -f "$sshKeyGPGFile" diff --git a/src/share/ma/diagnostics b/src/share/ma/diagnostics index 0411080..ce463b2 100644 --- a/src/share/ma/diagnostics +++ b/src/share/ma/diagnostics @@ -28,6 +28,8 @@ local badhostkeys local sshd_config local problemsfound=0 +report_cruft + if ! id monkeysphere >/dev/null ; then echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell." problemsfound=$(($problemsfound+1)) @@ -45,7 +47,10 @@ if ! [ -d "$MADATADIR" ] ; then exit fi -# FIXME: what's the correct, cross-platform answer? +# FIXME: what's the correct, cross-platform way to determine where +# sshd_config lives? +sshd_config=/etc/ssh/sshd_config + seckey=$(gpg_core --list-secret-keys --fingerprint --with-colons --fixed-list-mode) keysfound=$(echo "$seckey" | grep -c ^sec:) curdate=$(date +%s) @@ -95,7 +100,16 @@ fi # FIXME: look to see that the ownertrust rules are set properly on the # sphere keyring -# FIXME: make sure that at least one identity certifier exists +# make sure that at least one identity certifier exists +echo +echo "Checking for Identity Certifiers..." +if ! monkeysphere-authentication list-identity-certifiers | egrep -q '^[A-F0-9]{40}:' then + echo "! No Identity Certifiers found!" + echo " - Recommendation: once you know who should be able to certify identities for + connecting users, you should add their key, with: + monkeysphere-authentication add-identity-certifier" + problemsfound=$(($problemsfound+1)) +fi # FIXME: look at the timestamps on the monkeysphere-generated # authorized_keys files -- warn if they seem out-of-date. diff --git a/src/share/mh/diagnostics b/src/share/mh/diagnostics index d774723..2f65f89 100644 --- a/src/share/mh/diagnostics +++ b/src/share/mh/diagnostics @@ -25,11 +25,10 @@ local expire local uid local fingerprint local badhostkeys -local sshd_config local problemsfound=0 -# FIXME: what's the correct, cross-platform answer? -sshd_config=/etc/ssh/sshd_config +report_cruft + seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode) keysfound=$(echo "$seckey" | grep -c ^sec:) curdate=$(date +%s) @@ -50,7 +49,7 @@ fi echo "Checking host GPG key..." if (( "$keysfound" < 1 )); then echo "! No host key found." - echo " - Recommendation: run 'monkeysphere-host gen-key' or 'monkeysphere-host import-key'" + echo " - Recommendation: run 'monkeysphere-host import-key'" problemsfound=$(($problemsfound+1)) elif (( "$keysfound" > 1 )); then echo "! More than one host key found?" @@ -114,35 +113,9 @@ else # FIXME: propose adding a revoker to the host key if none exist (do we # have a way to do that after key generation?) - # Ensure that the ssh_host_rsa_key file is present and non-empty: - echo - echo "Checking host SSH key..." - if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then - echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty." - problemsfound=$(($problemsfound+1)) - else - if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then - echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600." - problemsfound=$(($problemsfound+1)) - fi +# FIXME: test (with ssh-keyscan?) that the running ssh +# daemon is actually offering the monkeysphere host key. - # propose changes needed for sshd_config (if any) - if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then - echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)." - echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'" - problemsfound=$(($problemsfound+1)) - fi - if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then - echo "! $sshd_config refers to some non-monkeysphere host keys:" - echo "$badhostkeys" - echo " - Recommendation: remove the above HostKey lines from $sshd_config" - problemsfound=$(($problemsfound+1)) - fi - - # FIXME: test (with ssh-keyscan?) that the running ssh - # daemon is actually offering the monkeysphere host key. - - fi fi # FIXME: look at the ownership/privileges of the various keyrings,