From: Jameson Graef Rollins Date: Tue, 17 Jun 2008 00:00:46 +0000 (-0400) Subject: Merge branch 'master' into no-cache X-Git-Tag: monkeysphere_0.1-1~19^2~4 X-Git-Url: https://codewiz.org/gitweb?p=monkeysphere.git;a=commitdiff_plain;h=e619b23879fde5703da435141754324dcf7cfa53;hp=114c8d24c679e2a2339700395bc32929c3b4dcba Merge branch 'master' into no-cache Conflicts: src/common src/monkeysphere src/monkeysphere-ssh-proxycommand --- diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf index 82da497..3915bf4 100644 --- a/etc/monkeysphere-server.conf +++ b/etc/monkeysphere-server.conf @@ -20,4 +20,5 @@ # Whether to add user controlled authorized_keys file to # monkeysphere-generated authorized_keys file. Should be path to file # where '%h' will be replaced by the home directory of the user. +# To not add any user-controlled file, put "-" #USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index d478b93..003ecf6 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf @@ -22,14 +22,13 @@ #REQUIRED_USER_KEY_CAPABILITY="a" # Path to user-controlled authorized_keys file to add to -# Monkeysphere-generated authorized_keys file. If empty, then no -# user-controlled file will be added. +# Monkeysphere-generated authorized_keys file. +# To not add any user-controlled file, put "-" #USER_CONTROLLED_AUTHORIZED_KEYS=~/.ssh/authorized_keys # User known_hosts file #USER_KNOWN_HOSTS=~/.ssh/known_hosts -# Whether or not to hash the generated known_hosts lines -# (empty mean "no"). -#HASH_KNOWN_HOSTS= - +# Whether or not to hash the generated known_hosts lines. +# Should be "true" or "false" +#HASH_KNOWN_HOSTS=true diff --git a/src/common b/src/common index 8b078d6..64d28cb 100644 --- a/src/common +++ b/src/common @@ -44,19 +44,20 @@ cutline() { # (not just first 5) gpg_fetch_userid() { local userID - userID="$1" - # if CHECK_KEYSERVER variable set, check the keyserver - # for the user ID - if [ "CHECK_KEYSERVER" ] ; then - echo 1,2,3,4,5 | \ - gpg --quiet --batch --command-fd 0 --with-colons \ - --keyserver "$KEYSERVER" \ - --search ="$userID" >/dev/null 2>&1 + userID="$1" - # otherwise just return true + log "checking keyserver $KEYSERVER..." + echo 1,2,3,4,5 | \ + gpg --quiet --batch --command-fd 0 --with-colons \ + --keyserver "$KEYSERVER" \ + --search ="$userID" >/dev/null 2>&1 + if [ "$?" = 0 ] ; then + log " user ID found on keyserver." + return 0 else - return + log " user ID not found on keyserver." + return 1 fi } @@ -167,8 +168,11 @@ process_user_id() { fi requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]") - # fetch keys from keyserver, return 1 if none found - gpg_fetch_userid "$userID" || return 1 + # if CHECK_KEYSERVER variable set, check the keyserver + # for the user ID + if [ "$CHECK_KEYSERVER" = "true" ] ; then + gpg_fetch_userid "$userID" + fi # output gpg info for (exact) userid and store gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \ @@ -428,7 +432,7 @@ update_authorized_keys() { else log "no gpg keys to add." fi - if [ "$userAuthorizedKeys" -a -s "$userAuthorizedKeys" ] ; then + if [ "$userAuthorizedKeys" != "-" -a -s "$userAuthorizedKeys" ] ; then log -n "adding user authorized_keys file... " cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" echo "done." diff --git a/src/monkeysphere b/src/monkeysphere index 91401b9..8e4c4eb 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -113,9 +113,10 @@ MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"} AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} +CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"} @@ -157,7 +158,7 @@ case $COMMAND in failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." fi log "processing known_hosts file..." - process_known_hosts "$USER_KNOWN_HOSTS" + process_known_hosts fi ;; @@ -191,11 +192,8 @@ case $COMMAND in failure "$AUTHORIZED_USER_IDS is empty." fi - # set user-controlled authorized_keys file path - userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$HOME"} - # update authorized_keys - update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$userKeysCacheDir" + update_authorized_keys "$msAuthorizedKeys" "$USER_CONTROLLED_AUTHORIZED_KEYS" "$userKeysCacheDir" ;; 'gen-subkey'|'g') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 3cc7454..6279c45 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -32,7 +32,7 @@ MonkeySphere server admin tool. subcommands: update-users (s) [USER]... update users authorized_keys files - gen-key (g) generate gpg key for the server + gen-key (g) [HOSTNAME] generate gpg key for the server publish-key (p) publish server key to keyserver trust-keys (t) KEYID... mark keyids as trusted update-user-userids (u) USER UID... add/update user IDs for a user @@ -44,14 +44,26 @@ EOF # generate server gpg key gen_key() { + local hostName + + hostName=${1:-$(hostname --fqdn)} + # set key defaults KEY_TYPE=${KEY_TYPE:-"RSA"} KEY_LENGTH=${KEY_LENGTH:-"2048"} KEY_USAGE=${KEY_USAGE:-"auth,encrypt"} - SERVICE=${SERVICE:-"ssh"} - HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} + cat < = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +EOF + read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"} - USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} + SERVICE=${SERVICE:-"ssh"} + USERID=${USERID:-"$SERVICE"://"$hostName"} # set key parameters keyParameters=$(cat <