portability.
* fixed busted lockfile arrangement, where empty file was being locked
* portability fixes in the way we use date, mktemp, hostname, su
- * stop using stat, since the syntax appears to be totally unportable
+ * stop using /usr/bin/stat, since the syntax appears to be totally
+ unportable
* require GNU getopt, and test for getopt failures (look for getopt in
/usr/local/bin first, since that's where FreeBSD's GNU-compatible
getopt lives.
+ * monkeysphere-server diagnostics now counts problems and suggests a
+ re-run after they have been resolved.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 11 Sep 2008 23:16:31 -0400
local fingerprint
local badhostkeys
local sshd_config
+ local problemsfound=0
# FIXME: what's the correct, cross-platform answer?
sshd_config=/etc/ssh/sshd_config
if ! id monkeysphere >/dev/null ; then
echo "! No monkeysphere user found! Please create a monkeysphere system user."
+ problemsfound=$(($problemsfound+1))
fi
if ! [ -d "$VARLIB" ] ; then
echo "! no $VARLIB directory found. Please create it."
+ problemsfound=$(($problemsfound+1))
fi
echo "Checking host GPG key..."
if (( "$keysfound" < 1 )); then
echo "! No host key found."
echo " - Recommendation: run 'monkeysphere-server gen-key'"
+ problemsfound=$(($problemsfound+1))
elif (( "$keysfound" > 1 )); then
echo "! More than one host key found?"
# FIXME: recommend a way to resolve this
+ problemsfound=$(($problemsfound+1))
else
create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
if (( "$expire" < "$curdate" )); then
echo "! Host key is expired."
echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+ problemsfound=$(($problemsfound+1))
elif (( "$expire" < "$warndate" )); then
echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+ problemsfound=$(($problemsfound+1))
fi
fi
if [ "$create" ] && (( "$create" > "$curdate" )); then
echo "! Host key was created in the future(?!). Is your clock correct?"
echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
+ problemsfound=$(($problemsfound+1))
fi
# check for UserID expiration:
if [ "$create" ] && (( "$create" > "$curdate" )); then
echo "! User ID '$uid' was created in the future(?!). Is your clock correct?"
echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
+ problemsfound=$(($problemsfound+1))
fi
if [ "$expire" ] ; then
if (( "$expire" < "$curdate" )); then
echo "! User ID '$uid' is expired."
- # FIXME: recommend a way to resolve this
+ # FIXME: recommend a way to resolve this
+ problemsfound=$(($problemsfound+1))
elif (( "$expire" < "$warndate" )); then
echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
# FIXME: recommend a way to resolve this
+ problemsfound=$(($problemsfound+1))
fi
fi
done
echo "Checking host SSH key..."
if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then
echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty."
+ problemsfound=$(($problemsfound+1))
else
if [ $(ls -l "${VARLIB}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600."
+ problemsfound=$(($problemsfound+1))
fi
# propose changes needed for sshd_config (if any)
if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then
echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
+ problemsfound=$(($problemsfound+1))
fi
if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then
echo "! $sshd_config refers to some non-monkeysphere host keys:"
echo "$badhostkeys"
echo " - Recommendation: remove the above HostKey lines from $sshd_config"
+ problemsfound=$(($problemsfound+1))
fi
fi
fi
echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
echo "$badauthorizedkeys"
echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
+ problemsfound=$(($problemsfound+1))
+ fi
+
+ if [ "$problemsfound" -gt 0 ]; then
+ echo "When the above $problemsfound problem"$([ "$problemsfound" -eq 1 ] || echo "s")" are resolved, please re-run:"
+ echo " monkeysphere-server diagnostics"
fi
}