+monkeysphere (0.34) unstable; urgency=low
+
+ * fix keys-for-user so that it outputs proper authorized_keys lines
+ (close MS #2550)
+
+ -- Jameson Rollins <jrollins@finestructure.net> Sun, 17 Oct 2010 19:18:29 -0400
+
monkeysphere (0.33) unstable; urgency=low
[ Daniel Kahn Gillmor ]
\fBmonkeysphere\-authentication\fP takes various subcommands:
.TP
-.B update\-users [ACCOUNT]...
+.B update\-users [USER]...
Rebuild the monkeysphere-controlled authorized_keys files. For each
specified account, the user ID's listed in the account's
authorized_user_ids file are processed. For each user ID, gpg will be
specified, then all accounts on the system are processed. `u' may be
used in place of `update\-users'.
.TP
+.B keys\-for\-user USER
+Output to stdout authorized_keys lines for USER. This command behaves
+exactly like update\-users (above), except that the resulting
+authorized_keys lines are output to stdout, instead of being written
+to the monkeysphere-controlled authorized_keys file.
+.TP
.B refresh\-keys
Refresh all keys in the monkeysphere-authentication keyring. If no
accounts are specified, then all accounts on the system are processed.
`r' may be used in place of `refresh\-keys'.
.TP
-.B keys\-for\-user USER
-Output to stdout all acceptable keys for a given user. User IDs are
-read from the user's authorized_user_ids file (see
-MONKEYSPHERE_AUTHORIZED_USER_IDS below).
-.TP
.B add\-id\-certifier KEYID|FILE
Instruct system to trust user identity certifications made by KEYID.
The key ID will be loaded from the keyserver. A file may be loaded
monkeysphere-x509 file will be ignored.
.TP
__SYSDATADIR_PREFIX__/monkeysphere/authorized_keys/USER
-Monkeysphere-generated user authorized_keys files.
+Monkeysphere-controlled user authorized_keys files.
.TP
~/.monkeysphere/authorized_user_ids
A list of OpenPGP user IDs, one per line. OpenPGP keys with an
subcommands:
update-users (u) [USER]... update user authorized_keys files
+ keys-for-user (k) USER output user authorized_keys lines to stdout
refresh-keys (r) refresh keys in keyring
- keys-for-user (k) USER output valid keys for user
add-id-certifier (c+) KEYID|FILE import and tsign a certification key
[--domain (-n) DOMAIN] limit ID certifications to DOMAIN
source "${MASHAREDIR}/setup"
setup
source "${MASHAREDIR}/update_users"
- update_users "$@"
+ OUTPUT_STDOUT= update_users "$@"
;;
- 'refresh-keys'|'refresh'|'r')
+ 'keys-for-user'|'k')
source "${MASHAREDIR}/setup"
setup
- gpg_sphere --keyserver "$KEYSERVER" --refresh-keys
+ source "${MASHAREDIR}/update_users"
+ OUTPUT_STDOUT=true update_users "$1"
;;
- 'keys-for-user'|'k')
- source "${MASHAREDIR}/keys_for_user"
- keys_for_user "$@"
+ 'refresh-keys'|'refresh'|'r')
+ source "${MASHAREDIR}/setup"
+ setup
+ gpg_sphere --keyserver "$KEYSERVER" --refresh-keys
;;
'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
+++ /dev/null
-# -*-shell-script-*-
-# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
-
-# Monkeysphere authentication keys-for-user subcommand
-#
-# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@finestructure.net>
-# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-#
-# They are Copyright 2008-2010, and are all released under the GPL,
-# version 3 or later.
-
-# This command could be run as an sshd AuthorizedKeysCommand to
-# provide the authorized keys for a user, based on OpenPGP user id's
-# listed in the user's authorized_user_ids file.
-
-keys_for_user() {
-
-local uname
-local authorizedUserIDs
-local line
-
-# get users from command line
-uname="$1"
-
-# path to authorized_user_ids file, translating ssh-style path
-# variables
-authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
-
-# exit if the authorized_user_ids file is empty
-if [ ! -s "$authorizedUserIDs" ] ; then
- failure "authorized_user_ids file '$authorizedUserIDs' is empty or does not exist."
-fi
-
-log debug "authorized_user_ids file: $authorizedUserIDs"
-
-# check permissions on the authorized_user_ids file path
-check_key_file_permissions "$uname" "$authorizedUserIDs" || failure
-
-GNUPGHOME="$GNUPGHOME_SPHERE"
-export GNUPGHOME
-
-# extract user IDs from authorized_user_ids file
-IFS=$'\n'
-for line in $(meat "$authorizedUserIDs") ; do
- if [[ "$line" =~ ^[[:space:]] ]] ; then
- continue
- fi
- printf '%s' "$line" | \
- su_monkeysphere_user ". ${SYSSHAREDIR}/common; read X; keys_for_userid \"\$X\"" || true
-done
-
-}
# the same uid that sshd is launched as); change the group of
# the file so that members of the user's group can read it.
- # FIXME: is there a better way to do this?
- chown $(whoami) "$AUTHORIZED_KEYS" && \
- chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \
- chmod g+r "$AUTHORIZED_KEYS" && \
- mv -f "$AUTHORIZED_KEYS" "${authorizedKeysDir}/${uname}" || \
- {
- log error "Failed to install authorized_keys for '$uname'!"
- rm -f "${authorizedKeysDir}/${uname}"
- # indicate that there has been a failure:
- returnCode=1
- }
+ if [ "$OUTPUT_STDOUT" ] ; then
+ log debug "outputting keys to stdout..."
+ cat "$AUTHORIZED_KEYS"
+ else
+ log debug "moving new file to ${authorizedKeysDir}/${uname}..."
+ # FIXME: is there a better way to do this?
+ chown $(whoami) "$AUTHORIZED_KEYS" && \
+ chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \
+ chmod g+r "$AUTHORIZED_KEYS" && \
+ mv -f "$AUTHORIZED_KEYS" "${authorizedKeysDir}/${uname}" || \
+ {
+ log error "Failed to install authorized_keys for '$uname'!"
+ rm -f "${authorizedKeysDir}/${uname}"
+ # indicate that there has been a failure:
+ returnCode=1
+ }
+ fi
else
rm -f "${authorizedKeysDir}/${uname}"
fi