From 15637a9ab9b4fe7ea537988f5cc145d35948d783 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 19 Jun 2008 15:22:46 -0400 Subject: [PATCH] Added server config variable to specify user authorized_user_ids file, and changed default. --- debian/changelog | 9 +++-- etc/monkeysphere-server.conf | 9 ++++- src/common | 32 +++++++++++++++--- src/monkeysphere | 6 ++-- src/monkeysphere-server | 55 ++++++++++++++++++------------- src/monkeysphere-ssh-proxycommand | 2 +- 6 files changed, 78 insertions(+), 35 deletions(-) diff --git a/debian/changelog b/debian/changelog index 74c5d8b..9bfcc26 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,14 @@ monkeysphere (0.2-1) UNRELEASED; urgency=low + [ Daniel Kahn Gillmor ] * NOT YET RELEASED (switch to "experimental" when ready to release) - * - -- Daniel Kahn Gillmor Thu, 19 Jun 2008 04:03:45 -0400 + [ Jameson Graef Rollins ] + * Add AUTHORIZED_USER_IDS config variable for server, which defaults to + %h/.config/monkeysphere/authorized_user_ids, instead of + /etc/monkeysphere/authorized_user_ids. + + -- Jameson Graef Rollins Thu, 19 Jun 2008 15:22:05 -0400 monkeysphere (0.1-1) experimental; urgency=low diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf index 3915bf4..847e879 100644 --- a/etc/monkeysphere-server.conf +++ b/etc/monkeysphere-server.conf @@ -17,8 +17,15 @@ # a = authentication #REQUIRED_USER_KEY_CAPABILITY="a" +# Path to authorized_user_ids file to process to create +# authorized_keys file. '%h' will be replaced by the home directory +# of the user, and %u will be replaced by the username of the user. +# For purely admin-controlled authorized_user_ids, you might put them +# in /etc/monkeysphere/authorized_user_ids/%u +#AUTHORIZED_USER_IDS="%h/.config/monkeysphere/authorized_user_ids" + # Whether to add user controlled authorized_keys file to # monkeysphere-generated authorized_keys file. Should be path to file # where '%h' will be replaced by the home directory of the user. # To not add any user-controlled file, put "-" -#USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys +#USER_CONTROLLED_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" diff --git a/src/common b/src/common index c39506d..89efc46 100644 --- a/src/common +++ b/src/common @@ -85,6 +85,24 @@ remove_line() { fi } +# translate ssh-style path variables %h and %u +translate_ssh_variables() { + local uname + local home + + uname="$1" + path="$2" + + # get the user's home directory + userHome=$(getent passwd "$uname" | cut -d: -f6) + + # translate ssh-style path variables + path=${path/\%u/"$uname"} + path=${path/\%h/"$userHome"} + + echo "$path" +} + ### CONVERTION UTILITIES # output the ssh key for a given key ID @@ -358,6 +376,7 @@ update_userid() { local userID userID="$1" + authorizedUserIDs="$2" log "processing userid: '$userID'" @@ -365,12 +384,12 @@ update_userid() { process_user_id "$userID" | grep -q "^0 " # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} = 'Y' ] ; then # add if specified log -n " adding user ID to authorized_user_ids file... " - echo "$userID" >> "$AUTHORIZED_USER_IDS" + echo "$userID" >> "$authorizedUserIDs" loge "done." else # else do nothing @@ -384,18 +403,19 @@ remove_userid() { local userID userID="$1" + authorizedUserIDs="$2" log "processing userid: '$userID'" # check if user ID is in the authorized_user_ids file - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + if ! grep -q "^${userID}\$" "$authorizedUserIDs" ; then log " user ID not currently authorized." return 1 fi # remove user ID from file log -n " removing user ID '$userID'... " - remove_line "$AUTHORIZED_USER_IDS" "^${userID}$" + remove_line "$authorizedUserIDs" "^${userID}$" loge "done." } @@ -480,7 +500,9 @@ process_known_hosts() { process_authorized_user_ids() { local userid - cat "$AUTHORIZED_USER_IDS" | meat | \ + authorizedUserIDs="$1" + + cat "$authorizedUserIDs" | meat | \ while read -r userid ; do process_uid_authorized_keys "$userid" done diff --git a/src/monkeysphere b/src/monkeysphere index a6cecfd..a9c9d58 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -164,7 +164,7 @@ case $COMMAND in failure "you must specify at least one userid." fi for userID ; do - update_userid "$userID" + update_userid "$userID" "$AUTHORIZED_USER_IDS" done log "Run the following to update your monkeysphere authorized_keys file:" log "$PGRM update-authorized_keys" @@ -175,7 +175,7 @@ case $COMMAND in failure "you must specify at least one userid." fi for userID ; do - remove_userid "$userID" + remove_userid "$userID" "$AUTHORIZED_USER_IDS" done log "Run the following to update your monkeysphere authorized_keys file:" log "$PGRM update-authorized_keys" @@ -191,7 +191,7 @@ case $COMMAND in # process authorized_user_ids file log "processing authorized_user_ids file..." - process_authorized_user_ids + process_authorized_user_ids "$AUTHORIZED_USER_IDS" log "authorized_keys file updated." ;; diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 96a1070..bfd5db8 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -139,6 +139,7 @@ GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} +AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} export GNUPGHOME @@ -153,40 +154,44 @@ mkdir -p "${CACHE}/authorized_keys" case $COMMAND in 'update-users'|'update-user'|'s') if [ "$1" ] ; then + # get users from command line unames="$@" else - unames=$(ls -1 "${MS_HOME}/authorized_user_ids") + # or just look at all users if none specified + unames=$(getent passwd | cut -d: -f1) fi + # loop over users for uname in $unames ; do MODE="authorized_keys" + # set authorized_user_ids variable, + # translate ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") + + # skip user if authorized_user_ids file does not exist + if [ ! -f "$authorizedUserIDs" ] ; then + continue + fi + log "----- user: $uname -----" - # set variables for the user - AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}" # temporary authorized_keys file - AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp" - - # make sure user's authorized_user_ids file exists - touch "$AUTHORIZED_USER_IDS" - # make sure the authorized_keys file exists and is clear - > "$AUTHORIZED_KEYS" + AUTHORIZED_KEYS=$(mktemp) # skip if the user's authorized_user_ids file is empty - if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then - log "authorized_user_ids file for '$uname' is empty." + if [ ! -s "$authorizedUserIDs" ] ; then + log "authorized_user_ids file '$authorizedUserIDs' is empty." continue fi # process authorized_user_ids file log "processing authorized_user_ids file..." - process_authorized_user_ids + process_authorized_user_ids "$authorizedUserIDs" # add user-controlled authorized_keys file path if specified if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then - userHome=$(getent passwd "$uname" | cut -d: -f6) - userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"} + userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS") if [ -f "$userAuthorizedKeys" ] ; then log -n "adding user's authorized_keys file... " cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS" @@ -195,7 +200,7 @@ case $COMMAND in fi # move the temp authorized_keys file into place - mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}" + mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}" log "authorized_keys file updated." done @@ -236,15 +241,16 @@ case $COMMAND in failure "You must specify at least one user ID." fi - # set variables for the user - AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + # set authorized_user_ids variable, + # translate ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") # make sure user's authorized_user_ids file exists - touch "$AUTHORIZED_USER_IDS" + touch "$authorizedUserIDs" # process the user IDs for userID ; do - update_userid "$userID" + update_userid "$userID" "$authorizedUserIDs" done log "Run the following to update user's authorized_keys file:" @@ -261,15 +267,18 @@ case $COMMAND in failure "You must specify at least one user ID." fi - # set variables for the user - AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + # set authorized_user_ids variable, + # translate ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") # make sure user's authorized_user_ids file exists - touch "$AUTHORIZED_USER_IDS" + if [ ! -f "$authorizedUserIDs" ] ; then + failure "authorized_user_ids file '$authorizedUserIDs' does not exist." + fi # process the user IDs for userID ; do - remove_userid "$userID" + remove_userid "$userID" "$authorizedUserIDs" done log "Run the following to update user's authorized_keys file:" diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 4cbcd51..f4d4b0d 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -49,7 +49,7 @@ if [ "$PORT" != '22' ] ; then fi # if the host is in the gpg keyring... -if gpg --list-key ="${URI}" >/dev/null ; then +if gpg --list-key ="${URI}" 2>&1 >/dev/null ; then # do not check the keyserver CHECK_KEYSERVER="false" # if the host is NOT in the keyring... -- 2.25.1