- # if at least one key was found...
- if [ "$nKeys" -gt 0 ] ; then
- # if ok keys were found, return 0
- if [ "$nKeysOK" -gt 0 ] ; then
- return 0
- # else return 2
- else
- return 2
- fi
- # if no keys were found, return 1
- else
- return 1
- fi
-}
-
-# update the known_hosts file for a set of hosts listed on command
-# line
-update_known_hosts() {
- local returnCode=0
- local nHosts
- local nHostsOK
- local nHostsBAD
- local fileCheck
- local host
- local newUmask
-
- # the number of hosts specified on command line
- nHosts="$#"
-
- nHostsOK=0
- nHostsBAD=0
-
- # touch the known_hosts file so that the file permission check
- # below won't fail upon not finding the file
- if [ ! -f "$KNOWN_HOSTS" ]; then
- # make sure to create any files or directories with the appropriate write bits turned off:
- newUmask=$(printf "%04o" $(( 0$(umask) | 0022 )) )
- [ -d $(dirname "$KNOWN_HOSTS") ] \
- || (umask "$newUmask" && mkdir -p -m 0700 $(dirname "$KNOWN_HOSTS") ) \
- || failure "Could not create path to known_hosts file '$KNOWN_HOSTS'"
- # make sure to create this file with the appropriate bits turned off:
- (umask "$newUmask" && touch "$KNOWN_HOSTS") \
- || failure "Unable to create known_hosts file '$KNOWN_HOSTS'"
- fi
-
- # check permissions on the known_hosts file path
- check_key_file_permissions $(whoami) "$KNOWN_HOSTS" \
- || failure "Bad permissions governing known_hosts file '$KNOWN_HOSTS'"
-
- # create a lockfile on known_hosts:
- lock create "$KNOWN_HOSTS"
- # FIXME: we're discarding any pre-existing EXIT trap; is this bad?
- trap "lock remove $KNOWN_HOSTS" EXIT
-
- # note pre update file checksum
- fileCheck=$(file_hash "$KNOWN_HOSTS")
-
- for host ; do
- # process the host
- process_host_known_hosts "$host" || returnCode="$?"
- # note the result
- case "$returnCode" in
- 0)
- nHostsOK=$((nHostsOK+1))
- ;;
- 2)
- nHostsBAD=$((nHostsBAD+1))
- ;;
- esac
-
- # touch the lockfile, for good measure.
- lock touch "$KNOWN_HOSTS"
- done
-
- # remove the lockfile and the trap
- lock remove "$KNOWN_HOSTS"
- trap - EXIT
-
- # note if the known_hosts file was updated
- if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then
- log debug "known_hosts file updated."
- fi
-
- # if an acceptable host was found, return 0
- if [ "$nHostsOK" -gt 0 ] ; then
- return 0
- # else if no ok hosts were found...
- else
- # if no bad host were found then no hosts were found at all,
- # and return 1
- if [ "$nHostsBAD" -eq 0 ] ; then
- return 1
- # else if at least one bad host was found, return 2
- else
- return 2
- fi
- fi
-}
-
-# process hosts from a known_hosts file
-process_known_hosts() {
- local hosts
-
- # exit if the known_hosts file does not exist
- if [ ! -e "$KNOWN_HOSTS" ] ; then
- failure "known_hosts file '$KNOWN_HOSTS' does not exist."
- fi
-
- log debug "processing known_hosts file:"
- log debug " $KNOWN_HOSTS"
-
- hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ')
-
- if [ -z "$hosts" ] ; then
- log debug "no hosts to process."
- return
- fi
-
- # take all the hosts from the known_hosts file (first
- # field), grep out all the hashed hosts (lines starting
- # with '|')...
- update_known_hosts $hosts