Move to /var/lib/monkeysphere instead of /var/cache/monkeysphere.
author    Jameson Graef Rollins <jrollins@phys.columbia.edu>
          Tue, 24 Jun 2008 04:38:03 +0000 (00:38 -0400)
committer Jameson Graef Rollins <jrollins@phys.columbia.edu>
          Tue, 24 Jun 2008 04:38:03 +0000 (00:38 -0400)
Improve ms-server update-user function.  Update/fix config files to
remove some unwanted configs, and clarify some things.

debian/changelog
debian/dirs
debian/monkeysphere.dirs
doc/TODO
etc/monkeysphere-server.conf
etc/monkeysphere.conf
src/common
src/monkeysphere
src/monkeysphere-server

index 9807c8ea099ca8f9ae4d6b1f571d6c381ad7ee4d..bfb188dec2eb7bff768add2525bc2d2485104e08 100644 (file)
@@ -3,7 +3,11 @@ monkeysphere (0.3-1) UNRELEASED; urgency=low
   [ Daniel Kahn Gillmor ]
   * new version (above: change UNRELEASED to experimental when releasing)
 
- -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>  Mon, 23 Jun 2008 19:58:47 -0400
+  [ Jameson Graef Rollins ]
+  * Move files in /var/cache/monkeysphere and GNUPGHOME for server to
+    the more appropriate /var/lib/monkeysphere.
+
+ -- Jameson Graef Rollins <jrollins@phys.columbia.edu>  Tue, 24 Jun 2008 00:22:09 -0400
 
 monkeysphere (0.2-2) experimental; urgency=low
 
index b458649fbeef34dc0cc0fa0090fd9f917c1c8b8a..43b742ae9448d9ac532a159bc6699ec02c01835a 100644 (file)
@@ -1,5 +1,5 @@
-var/cache/monkeysphere
-var/cache/monkeysphere/authorized_keys
+var/lib/monkeysphere
+var/lib/monkeysphere/authorized_keys
 usr/bin
 usr/sbin
 usr/share
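Review bot: whatever in sshd_config points at the generated files under the old /var/cache/monkeysphere/authorized_keys path has to be changed to /var/lib/monkeysphere/authorized_keys at the same time, or sshd keeps authenticating against the stale files left behind after the upgrade; that belongs in the changelog or a NEWS note. /var/lib is the right home for these files, since they are read directly by sshd and are not a cache that can be discarded without effect. The directories listed here are created with the default mode, which matches the still-open TODO item about permissions on this directory path; confirm that is the intended mode rather than leaving it to the umask.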
index 6e9089952ab4095b9bc12d9163cc9aeeacf7299e..b0b2d9c195b1670e544f669625ed86e0fee76e70 100644 (file)
@@ -1,4 +1,4 @@
 usr/share/monkeysphere
-var/cache/monkeysphere
-var/cache/monkeysphere/authorized_keys
+var/lib/monkeysphere
+var/lib/monkeysphere/authorized_keys
 etc/monkeysphere
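Review bot: debian/dirs and debian/monkeysphere.dirs now carry the same var/lib/monkeysphere entries; for a single-binary package debhelper uses one or the other, so keep only one file to stop the two drifting apart on the next path change (this very edit had to be applied twice).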
index e1e90f0ec84994a02ff060e4fe81250f6ec43a43..e50da4dd1de55be70ec231905cb238b4fc2469a6 100644 (file)
--- a/doc/TODO
+++ b/doc/TODO
@@ -5,9 +5,6 @@ Detail advantages of monkeysphere: detail the race conditions in ssh,
    and how the monkeysphere can help you reduce these threat vectors:
    threat model reduction diagrams.
 
-Determine how openssh handles multiple processes writing to
-   known_hosts/authorized_keys files (lockfile, atomic appends?)
-
 Handle unverified monkeysphere hosts in such a way that they're not
    always removed from known_hosts file.  Ask user to lsign the host
    key?
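Review bot: only half of the removed item is addressed by this commit. On the authorized_keys side, monkeysphere-server now builds the file with mktemp and installs it with mv -f, but nothing in this diff touches how src/monkeysphere writes known_hosts, so the known_hosts question (lockfile, atomic append) is still open; keep that half of the item rather than dropping the whole thing.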
@@ -30,22 +27,10 @@ Ensure that authorized_user_ids are under as tight control as ssh
    expects from authorized_keys: we don't want monkeysphere to be a
    weak link in the filesystem.
 
-What happens when a user account has no corresponding
-   /etc/monkeysphere/authorized_user_ids/$USER file?  What gets placed
-   in /var/cache/monkeysphere/authorized_keys/$USER?  It looks
-   currently untouched, which could mean bad things for such a user.
-   - if authorized_user_ids is empty, then the user's authorized_keys
-     file will be also, unless the user-controlled authorized_keys file
-     is added.  I believe this is expected, correct behavior.
-
 Consider the default permissions for
-   /var/cache/monkeysphere/authorized_keys/* (and indeed the whole
+   /var/lib/monkeysphere/authorized_keys/* (and indeed the whole
    directory path leading up to that)
 
-As an administrator, how do i reverse the effect of a
-   "monkeysphere-server trust-keys" that i later decide i should not
-   have run?
-
 Make sure alternate ports are handled for known_hosts.
 
 Script to import private key into ssh agent.
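Review bot: the answer recorded in the removed item (an empty authorized_user_ids yields an empty generated authorized_keys) no longer matches the code in this commit: update-users now `continue`s past any user who has neither a non-empty authorized_user_ids nor a non-empty raw authorized_keys, and leaves a previously generated /var/lib/monkeysphere/authorized_keys/$USER untouched. Either keep the item until that is settled or write the new behaviour down. The question of reversing a "monkeysphere-server trust-keys" is also removed with nothing in this diff addressing it.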
@@ -105,9 +90,6 @@ When using ssh-proxycommand, if only host keys found are expired or
 Update monkeysphere-ssh-proxycommand man page with new keyserver
    checking policy info.
 
-Update monkeysphere-ssh-proxycommand man page with info about
-   no-connect option.
-
 File bug against seahorse about how, when creating new primary keys,
    it presents option for "RSA (sign only)" but then creates an "esca"
    key.
@@ -118,18 +100,10 @@ Privilege separation: monkeysphere user to handle authn keyring and
    generate authorized_keys file (which would be moved into place by
    root).  Host keyring would be owned by root.
 
-Check permissions of authorized_user_ids file to be writable only by
-   user and root (same as authorized_keys)
-
-Improve function that sets owner trust for keys in server keychain.
-
 Test and document what happens when any filesystem that the
    monkeysphere-server relies on and modifies (/tmp, /etc, and /var?)
    fills up.
 
-Consider moving monkeysphere-managed files (gpg homedirs? temporary
-   files?) into /var.
-
 Optimize keyserver access, particularly on monkeysphere-server
    update-users -- is there a way to query the keyserver all in a
    chunk?
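Review bot: the first two items dropped in this hunk have no corresponding change: update-users only tests `-s` on the authorized_user_ids file and never checks its owner or mode, and no owner-trust function is touched here. If the permission check is considered covered by the "as tight control as ssh expects" item kept further up, fold the concrete requirement (writable only by the user and root) into that item rather than losing it, because anyone who can write a user's authorized_user_ids can grant ssh access as that user. The /var item is the one genuinely closed by this commit.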
index 85b37c1ead976c6d86b0dca1e2e37dc95301722b..defb0f7e9b07c6248fe736fa121cfc10d08403d0 100644 (file)
@@ -3,23 +3,9 @@
 # This is an sh-style shell configuration file.  Variable names should
 # be separated from their assignements by a single '=' and no spaces.
 
-#FIXME: shouldn't this be in /var by default? These are not text
-#files, and they should generally not be managed directly by the
-#admin:
-# GPG home directory for server
-#GNUPGHOME=/etc/monkeysphere/gnupg
-
 # GPG keyserver to search for keys
 #KEYSERVER=subkeys.pgp.net
 
-# Required user key capabilities
-# Must be quoted, lowercase, space-seperated list of the following:
-#   e = encrypt
-#   s = sign
-#   c = certify
-#   a = authentication
-#REQUIRED_USER_KEY_CAPABILITY="a"
-
 # Path to authorized_user_ids file to process to create
 # authorized_keys file.  '%h' will be replaced by the home directory
 # of the user, and %u will be replaced by the username of the user.
 # in /etc/monkeysphere/authorized_user_ids/%u
 #AUTHORIZED_USER_IDS="%h/.config/monkeysphere/authorized_user_ids"
 
-#FIXME: why is the following variable named USER_CONTROLLED_...?
-#shouldn't this be something like MONKEYSPHERE_RAW_AUTHORIZED_KEYS
-#instead?  For example, what about a server where the administrator
-#has locked down the authorized_keys file from user control, but still
-#wants to combine raw authorized_keys for some users with the
-#monkeysphere?
-
 # Whether to add user controlled authorized_keys file to
 # monkeysphere-generated authorized_keys file.  Should be path to file
 # where '%h' will be replaced by the home directory of the user or
 # '%u' by the username.  To not add any user-controlled file, put "-"
-#FIXME: this usage of "-" contravenes the normal convention where "-"
-#means standard in/out.  Why not use "none" or "" instead?
-#USER_CONTROLLED_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
+# FIXME: this usage of "-" contravenes the normal convention where "-"
+# means standard in/out.  Why not use "none" or "" instead?
+#RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
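Review bot: the rename from USER_CONTROLLED_AUTHORIZED_KEYS to RAW_AUTHORIZED_KEYS silently changes behaviour for existing configs. An admin who set USER_CONTROLLED_AUTHORIZED_KEYS="-" to stop merging users' own ~/.ssh/authorized_keys now has that setting ignored, and the script falls back to the default "%h/.ssh/authorized_keys", re-enabling user-controlled keys. Have monkeysphere-server fail, or at least warn, when the old name is set, and record the rename in the changelog. The example config also loses its GPG home setting without documenting the GNUPGHOME_HOST and GNUPGHOME_AUTHENTICATION variables that replace it; the comment above the renamed variable still says "user controlled"; and the line "in /etc/monkeysphere/authorized_user_ids/%u" is left dangling now that the mkdir of that directory is removed from the server script.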
index cce936665830de5992f40e37f5d47bbf84406481..aa3a6640bd129eb893fc0aa8c17a8aa77741e430 100644 (file)
@@ -9,16 +9,13 @@
 # GPG keyserver to search for keys
 #KEYSERVER=subkeys.pgp.net
 
-# FIXME: consider removing REQUIRED_*_KEY_CAPABILITY entirely from
-# this example config, given our discussion
-# Required key capabilities
-# Must be quoted, lowercase, space-seperated list of the following:
-#   e = encrypt
-#   s = sign
-#   c = certify
-#   a = authentication
-#REQUIRED_HOST_KEY_CAPABILITY="a"
-#REQUIRED_USER_KEY_CAPABILITY="a"
+# Set whether or not to check keyservers at every monkeysphere
+# interaction, including all ssh connections if you use the
+# monkeysphere-ssh-proxycommand.
+# NOTE: setting CHECK_KEYSERVER to true will leak information about
+# the timing and frequency of your ssh connections to the maintainer
+# of the keyserver.
+#CHECK_KEYSERVER=true
 
 # ssh known_hosts file
 #KNOWN_HOSTS=~/.ssh/known_hosts
 #HASH_KNOWN_HOSTS=true
 
 # ssh authorized_keys file (FIXME: why is this relevant in this file?)
-#AUTHORIZED_KEYS=~/.ssh/known_hosts
-
-# check keyservers at every ssh connection:
-# This overrides other environment variables (FIXME: what does this mean???)
-# NOTE: setting CHECK_KEYSERVER to true will leak information about
-# the timing and frequency of your ssh connections to the maintainer
-# of the keyserver.
-#CHECK_KEYSERVER=true
+#AUTHORIZED_KEYS=~/.ssh/authorized_keys
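Review bot: correcting the AUTHORIZED_KEYS example from ~/.ssh/known_hosts to ~/.ssh/authorized_keys is right, but the FIXME beside it is still open: with `touch "$AUTHORIZED_KEYS"` removed from src/monkeysphere in this same commit, nothing in the diff shows a consumer of AUTHORIZED_KEYS on the user side, so either document what it is for or drop it from the example config. Moving the CHECK_KEYSERVER block up and dropping the unexplained "overrides other environment variables" line is fine; keep the privacy note next to it, since the script defaults CHECK_KEYSERVER to true.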
index 986cc336445d65c2a0cc525bd461e66c5de3f566..ead3736d7241ae1709dceff82494fc66b17e6dfb 100644 (file)
@@ -16,8 +16,6 @@
 # managed directories
 ETC="/etc/monkeysphere"
 export ETC
-CACHE="/var/cache/monkeysphere"
-export CACHE
 
 ########################################################################
 ### UTILITY FUNCTIONS
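Review bot: CACHE is removed from the "managed directories" block here, but its replacement VARLIB is defined in monkeysphere-server rather than alongside ETC in common. Since common is sourced by both scripts and this block is where the managed paths live, define VARLIB here too so there is one place to change the next time a path moves.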
index 11254e7e570deac44d57ee00442400e2780d52e5..d8d4667c9201a6b286527d39aef6ce07916981dc 100755 (executable)
@@ -128,15 +128,17 @@ MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"}
 [ -e "$MS_CONF" ] && . "$MS_CONF"
 
 # set empty config variable with defaults
-AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"}
 GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"}
 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
-REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"a"}
-REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
 KNOWN_HOSTS=${KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"}
-AUTHORIZED_KEYS=${AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"}
 HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"}
+AUTHORIZED_KEYS=${AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"}
+
+# other variables
+AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"}
+REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"a"}
+REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
 
 export GNUPGHOME
 
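Review bot: the variables moved under "# other variables" (AUTHORIZED_USER_IDS and the two REQUIRED_*_KEY_CAPABILITY settings) are still read from MS_CONF before these defaults apply, so they remain overridable even though they no longer appear in the example config. Say in the comment that they are honoured if set but intentionally undocumented, or make the capability variables plain assignments if they are not meant to be configurable. Also, CHECK_KEYSERVER uses `:=` where every other default uses `:-`; the result is the same because the value is assigned anyway, but make it consistent.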
@@ -146,7 +148,6 @@ mkdir -p -m 0700 "$GNUPGHOME"
 # make sure the user monkeysphere home directory exists
 mkdir -p -m 0700 "$MS_HOME"
 touch "$AUTHORIZED_USER_IDS"
-touch "$AUTHORIZED_KEYS"
 
 case $COMMAND in
     'update-known_hosts'|'update-known-hosts'|'k')
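Review bot: dropping `touch "$AUTHORIZED_KEYS"` is an improvement, since it created ~/.ssh/authorized_keys with umask-dependent permissions as a side effect of every monkeysphere invocation, including commands that never read it. Check that the remaining `touch "$AUTHORIZED_USER_IDS"` is still wanted for the same reason: mkdir -p -m 0700 protects MS_HOME, but the file itself gets the umask default.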
index db2f428e5a9377caa2628ee7966ec2bb03b8a7ab..a198c33c762e7dd005f7c2f80e164cc662c6d7b2 100755 (executable)
 ########################################################################
 PGRM=$(basename $0)
 
-SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
-export SHAREDIR
-. "${SHAREDIR}/common"
+SHARE=${SHARE:-"/usr/share/monkeysphere"}
+export SHARE
+. "${SHARE}/common"
+
+VARLIB="/var/lib/monkeysphere"
+export VARLIB
 
 # date in UTF format if needed
 DATE=$(date -u '+%FT%T')
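Review bot: VARLIB is a plain assignment while SHARE keeps the `${SHARE:-...}` environment override; pick one convention. Since monkeysphere-server runs as root and `. "${SHARE}/common"` sources whatever the environment says SHARE is, the override deserves at least a comment saying it exists for development, and VARLIB should probably stay non-overridable. If src/monkeysphere sources common through the same SHAREDIR name, the rename has to be mirrored there as well; that file's header is not in this diff.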
@@ -49,8 +52,9 @@ gen_key() {
     local hostName
 
     hostName=${1:-$(hostname --fqdn)}
-    service=${SERVICE:-"ssh"}
-    userID="${service}://${hostName}"
+
+    SERVICE=${SERVICE:-"ssh"}
+    userID="${SERVICE}://${hostName}"
 
     if gpg --list-key ="$userID" > /dev/null 2>&1 ; then
        failure "Key for '$userID' already exists"
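Review bot: renaming `service` to SERVICE turns a function-scoped lowercase variable into an uppercase global set as a side effect of gen_key, while hostName in the same function is declared local. If SERVICE is meant to come from the environment or config like the other uppercase settings, give it its default in the configuration block with the others; if it is function-internal, declare it `local` and keep the lowercase name.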
@@ -154,21 +158,20 @@ MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
 [ -e "$MS_CONF" ] && . "$MS_CONF"
 
 # set empty config variable with defaults
-GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
-REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
 AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
-USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
+RAW_AUTHORIZED_KEYS=${RAW_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
 
-export GNUPGHOME
+# other variables
+REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
+GNUPGHOME_HOST=${GNUPGHOME_HOST:-"${VARLIB}/gnupg-host"}
+GNUPGHOME_AUTHENTICATION=${GNUPGHOME_AUTHENTICATION:-"${VARLIB}/gnupg-authentication"}
 
-# make sure the monkeysphere home directory exists
-mkdir -p "${MS_HOME}/authorized_user_ids"
-# make sure gpg home exists with proper permissions
+# set default GNUPGHOME, and make sure the directory exists
+GNUPGHOME="$GNUPGHOME_HOST"
+export GNUPGHOME
 mkdir -p -m 0700 "$GNUPGHOME"
-# make sure the authorized_keys directory exists
-mkdir -p "${CACHE}/authorized_keys"
 
 case $COMMAND in
     'update-users'|'update-user'|'u')
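Review bot: GNUPGHOME set by an admin in monkeysphere-server.conf is now silently overridden. The old `GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}` honoured it, while the new `GNUPGHOME="$GNUPGHOME_HOST"` replaces it unconditionally, so an existing install that kept its host key under the previous /etc/monkeysphere/gnupg default will look in an empty /var/lib/monkeysphere/gnupg-host and report no key. Warn if GNUPGHOME is set after sourcing MS_CONF, and document GNUPGHOME_HOST and GNUPGHOME_AUTHENTICATION in the example config. Splitting the host keyring from the authentication keyring is a step toward the privilege-separation TODO item, which could now name these two directories. Note that `mkdir -p -m 0700` applies the mode only to the final component; /var/lib/monkeysphere itself is created with the umask default.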
@@ -180,25 +183,43 @@ case $COMMAND in
            unames=$(getent passwd | cut -d: -f1)
        fi
 
+       # set mode
+       MODE="authorized_keys"
+
+        # make sure the authorized_keys directory exists
+       mkdir -p "${VARLIB}/authorized_keys"
+
+       # set GNUPGHOME, and make sure the directory exists
+       GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
+       export GNUPGHOME
+       mkdir -p -m 0700 "$GNUPGHOME"
+
        # loop over users
        for uname in $unames ; do
-           MODE="authorized_keys"
-
            # check all specified users exist
            if ! getent passwd "$uname" >/dev/null ; then
                error "----- unknown user '$uname' -----"
                continue
            fi
 
-           log "----- user: $uname -----"
-
-           # set authorized_user_ids variable, translating ssh-style
-           # path variables
+           # set authorized_user_ids and raw authorized_keys variables,
+           # translating ssh-style path variables
            authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
+           rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
+
+           # if neither is found, skip user
+           if [ ! -s "$authorizedUserIDs" -a ! -s "$rawAuthorizedKeys" ] ; then
+               continue
+           fi
+
+           log "----- user: $uname -----"
 
            # temporary authorized_keys file
            AUTHORIZED_KEYS=$(mktemp)
 
+           # trap to delete file on exit
+           trap "rm -f $AUTHORIZE_KEYS" EXIT
+
            # process authorized_user_ids file
            if [ -s "$authorizedUserIDs" ] ; then
                log "processing authorized_user_ids file..."
@@ -206,16 +227,16 @@ case $COMMAND in
            fi
 
            # add user-controlled authorized_keys file path if specified
-           if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
-               userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
-               if [ -s "$userAuthorizedKeys" ] ; then
-                   log -n "adding user's authorized_keys file... "
-                   cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
+           if [ "$RAW_AUTHORIZED_KEYS" != '-' ] ; then
+               if [ -s "$rawAuthorizedKeys" ] ; then
+                   log -n "adding raw authorized_keys file... "
+                   cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
                    loge "done."
                fi
            fi
 
-           # if the resulting authorized_keys file is not empty
+           # if the resulting authorized_keys file is not empty, move
+           # the temp authorized_keys file into place
            if [ -s "$AUTHORIZED_KEYS" ] ; then
                # openssh appears to check the contents of the
                 # authorized_keys file as the user in question, so the
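Review bot: the "-" sentinel is checked only after rawAuthorizedKeys has already been computed and used in the skip test earlier in the loop, so translate_ssh_variables runs on the literal "-" and the `[ -s "$rawAuthorizedKeys" ]` there is only safe because no file named "-" happens to exist in the working directory. Resolve the sentinel once, before the skip test (for example set rawAuthorizedKeys to the empty string when RAW_AUTHORIZED_KEYS is "-"), after which this outer guard can go. The comment above the `if` still says "user-controlled" while the log message now says "raw"; align them.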
@@ -224,8 +245,7 @@ case $COMMAND in
                chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
                chmod g+r "$AUTHORIZED_KEYS"
 
-               # move the temp authorized_keys file into place
-               mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
+               mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
 
                log "authorized_keys file updated."