don't fail if authorized_keys file not present
authorJameson Rollins <jrollins@finestructure.net>
Fri, 22 Oct 2010 20:25:04 +0000 (16:25 -0400)
committerJameson Rollins <jrollins@finestructure.net>
Sun, 24 Oct 2010 15:51:02 +0000 (11:51 -0400)
we create a new function here, touch_key_file_or_fail, which will
touch a new key file if there isn't one already present.  This is now
used in the update_authorized_keys and update_known_hosts functions
when looking for authorized_keys and known_hosts respectively.

Closes Debian 600644

Changelog
src/share/common
src/share/m/update_authorized_keys
src/share/m/update_known_hosts

index 2e145d4993c65308a7bd60a370726cc36de02f19..54db99cb887e8643a4f8eab6f4040985c48e3ac0 100644 (file)
--- a/Changelog
+++ b/Changelog
@@ -6,8 +6,9 @@ monkeysphere (0.34~pre) unstable; urgency=low
     paths.
   * update authorized_keys and known_hosts in temp file that are
     atomically moved into place
+  * don't fail if authorized_keys file not already present (Closes: 600644)
 
- -- Jameson Rollins <jrollins@finestructure.net>  Mon, 18 Oct 2010 16:35:59 -0400
+ -- Jameson Rollins <jrollins@finestructure.net>  Fri, 22 Oct 2010 16:23:31 -0400
 
 monkeysphere (0.33) unstable; urgency=low
 
index d286145f31481f9b5bf806466979f4e08cdd073e..0f760c3c41aaf02147c8d13e94ca9c1741a21438 100644 (file)
@@ -383,6 +383,23 @@ test_gpg_expire() {
     echo "$1" | egrep -q "^[0-9]+[mwy]?$"
 }
 
+# touch a key file if it doesn't exist, including creating needed
+# directories with correct permissions
+touch_key_file_or_fail() {
+    local keyFile="$1"
+    if [ ! -f "$keyFile" ]; then
+       # make sure to create files and directories with the
+       # appropriate write bits turned off:
+       newUmask=$(printf "%04o" $(( 0$(umask) | 0022 )) )
+       [ -d $(dirname "$keyFile") ] \
+           || (umask "$newUmask" && mkdir -p -m 0700 $(dirname "$keyFile") ) \
+           || failure "Could not create path to $keyFile"
+       # make sure to create this file with the appropriate bits turned off:
+       (umask "$newUmask" && touch "$keyFile") \
+           || failure "Unable to create $keyFile"
+    fi
+}
+
 # check that a file is properly owned, and that all it's parent
 # directories are not group/other writable
 check_key_file_permissions() {
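Review bot: touch_key_file_or_fail assigns `newUmask` without declaring it local and leaves both `$(dirname "$keyFile")` expansions unquoted, so the helper writes into its caller's (or the global) scope, and the `[ -d … ]` test and `mkdir` misbehave on a path containing whitespace. Declare it with `local keyFile="$1" newUmask` and quote the expansions: `[ -d "$(dirname "$keyFile")" ]` and `mkdir -p -m 0700 "$(dirname "$keyFile")"`. Since this helper creates the directories that hold authorized_keys and known_hosts, it is also worth a comment that `-m 0700` applies only to the final directory, while any intermediate directories get their mode from the adjusted umask. check_key_file_permissions, at the end of the hunk, continues outside it.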
@@ -886,7 +903,7 @@ process_authorized_user_ids() {
                fi
                ;;
             (*)
-               ((nline++))
+               ((++nline))
                userIDs[${nline}]="$line"
                unset koptions[${nline}] || true
                ;;
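Review bot: The switch from `((nline++))` to `((++nline))` carries no comment, although it looks deliberate: `((nline++))` returns a non-zero status when nline is 0, which would abort a script running under errexit (the `|| true` on the following `unset` suggests errexit is in effect, but the hunk does not show it). A short comment such as `# pre-increment: ((nline++)) returns 1 when nline is 0` would keep a later cleanup from reverting it. The enclosing case statement and process_authorized_user_ids both start and end outside this hunk.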
index 544995155f08855e05e54b8ab8ffdd1dd3788fb1..7fae9cd5f784aaa657dc6f76f13005f11b91bfe0 100644 (file)
 # 3 or later.
 
 update_authorized_keys() {
+    local newUmask
     local tmpFile
 
-    log debug "updating authorized_keys file:"
-    log debug " $AUTHORIZED_KEYS"
+    if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
+       log error "empty or absent authorized_user_ids file."
+       failure
+    fi
+    check_key_file_permissions $(whoami) "$AUTHORIZED_USER_IDS" \
+       || failure "Bad permissions governing authorized_user_ids file '$AUTHORIZED_USER_IDS'"
 
-    check_key_file_permissions $(whoami) "$AUTHORIZED_KEYS" || failure
-    check_key_file_permissions $(whoami) "$AUTHORIZED_USER_IDS" || failure
+    # touch the authorized_keys file so that the file permission check
+    # below won't fail upon not finding the file
+    touch_key_file_or_fail "$AUTHORIZED_KEYS"
+    check_key_file_permissions $(whoami) "$AUTHORIZED_KEYS" \
+       || failure "Bad permissions governing authorized_keys file $AUTHORIZED_KEYS"
 
     lock create "$AUTHORIZED_KEYS"
 
     # FIXME: we're discarding any pre-existing EXIT trap; is this bad?
-    trap "lock remove $AUTHORIZED_KEYS" EXIT
+    trap "log debug TRAP; lock remove $AUTHORIZED_KEYS" EXIT
 
     tmpFile=$(mktemp "${AUTHORIZED_KEYS}.monkeysphere.XXXXXX")
 
-    trap "lock remove $AUTHORIZED_KEYS; rm -f $tmpFile" EXIT
+    trap "log debug TRAP; lock remove $AUTHORIZED_KEYS; rm -f $tmpFile" EXIT
 
     # remove any monkeysphere lines from authorized_keys file this is
     # to insure that that all old authorized keys that are no longer
     # authorized are removed
-    remove_monkeysphere_lines <"$AUTHORIZED_KEYS" >"$tmpFile"
+    log debug "removing old monkeysphere lines..."
+    remove_monkeysphere_lines <"$AUTHORIZED_KEYS" >"$tmpFile" || true
 
     process_authorized_user_ids "$tmpFile" \
        < "$AUTHORIZED_USER_IDS"
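Review bot: The `|| true` added to `remove_monkeysphere_lines <"$AUTHORIZED_KEYS" >"$tmpFile"` hides every failure of that step, not only the expected "nothing left to print" case, so a read error could leave `$tmpFile` short and, once it is moved into place as the Changelog describes, drop keys the user added by hand. The helper's body is not visible here; if its non-zero status comes from a grep-style filter that printed nothing, accept only that status and call `failure` on anything else. Separately, both new `trap` lines expand `$AUTHORIZED_KEYS` and `$tmpFile` into a string the shell re-parses at exit, so a path with whitespace or shell metacharacters is split or interpreted. Quoting at definition time avoids that, e.g. `trap "$(printf 'log debug TRAP; lock remove %q; rm -f %q' "$AUTHORIZED_KEYS" "$tmpFile")" EXIT`, and the same applies to the traps in update_known_hosts. update_authorized_keys continues past the end of this hunk.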
index 737666de2d5201c651c878f40f7449636444f570..57176b8f8346041157ad7e0a1792c74f6931e808 100644 (file)
@@ -21,28 +21,18 @@ update_known_hosts() {
 
     # touch the known_hosts file so that the file permission check
     # below won't fail upon not finding the file
-    if [ ! -f "$KNOWN_HOSTS" ]; then
-       # make sure to create any files or directories with the appropriate write bits turned off:
-       newUmask=$(printf "%04o" $(( 0$(umask) | 0022 )) )
-       [ -d $(dirname "$KNOWN_HOSTS") ] \
-           || (umask "$newUmask" && mkdir -p -m 0700 $(dirname "$KNOWN_HOSTS") ) \
-           || failure "Could not create path to known_hosts file '$KNOWN_HOSTS'"
-       # make sure to create this file with the appropriate bits turned off:
-       (umask "$newUmask" && touch "$KNOWN_HOSTS") \
-           || failure "Unable to create known_hosts file '$KNOWN_HOSTS'"
-    fi
-
+    touch_key_file_or_fail "$KNOWN_HOSTS"
     check_key_file_permissions $(whoami) "$KNOWN_HOSTS" \
-       || failure "Bad permissions governing known_hosts file '$KNOWN_HOSTS'"
+       || failure "Bad permissions governing known_hosts file $KNOWN_HOSTS"
 
     lock create "$KNOWN_HOSTS"
 
     # FIXME: we're discarding any pre-existing EXIT trap; is this bad?
-    trap "lock remove $KNOWN_HOSTS" EXIT
+    trap "log debug TRAP; lock remove $KNOWN_HOSTS" EXIT
 
     tmpFile=$(mktemp "${KNOWN_HOSTS}.monkeysphere.XXXXXX")
 
-    trap "lock remove $KNOWN_HOSTS; rm -f $tmpFile" EXIT
+    trap "log debug TRAP; lock remove $KNOWN_HOSTS; rm -f $tmpFile" EXIT
 
     cat "$KNOWN_HOSTS" >"$tmpFile"