From e6a41995792ee8b7a3dbce1e763e40447e45755f Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 6 May 2010 11:24:55 -0400 Subject: [PATCH] support x509 anchors for monkeysphere-host, allow shared anchors between m-a and mh (closes MS #2288) --- Changelog | 7 +++++++ man/man8/monkeysphere-authentication.8 | 5 ++++- man/man8/monkeysphere-host.8 | 8 ++++++++ src/share/ma/setup | 10 +++++++++- src/share/mh/publish_key | 9 ++++++++- 5 files changed, 36 insertions(+), 3 deletions(-) diff --git a/Changelog b/Changelog index 6b310c5..d03062e 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,10 @@ +monkeysphere (0.31~pre) UNRELEASED; urgency=low + + * support x509 anchors for monkeysphere-host, allow shared anchor + between m-h and m-a (closes MS #2288) + + -- Daniel Kahn Gillmor Thu, 06 May 2010 11:23:38 -0400 + monkeysphere (0.30) unstable; urgency=low * changing tarball creation and packaging strategies diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index ea9debd..7c12673 100644 --- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -177,10 +177,13 @@ false may expose users to abuse by other users on the system. (true) /etc/monkeysphere/monkeysphere\-authentication.conf System monkeysphere-authentication config file. .TP -/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt +/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt or\p \ +/etc/monkeysphere/monkeysphere\-x509\-anchors.crt If monkeysphere-authentication is configured to query an hkps keyserver, it will use X.509 Certificate Authority certificates in this file to validate any X.509 certificates used by the keyserver. +If the monkeysphere-authentication-x509 file is present, the +monkeysphere-x509 file will be ignored. .TP /var/lib/monkeysphere/authorized_keys/USER Monkeysphere-generated user authorized_keys files. diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 00ea777..f3e0d43 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -222,6 +222,14 @@ Monkeysphere\-enabled services on the host. /var/lib/monkeysphere/host/ A locked directory (readable only by the superuser) containing copies of all imported secret keys (this is the host's GNUPGHOME directory). +.TP +/etc/monkeysphere/monkeysphere\-host\-x509\-anchors.crt or\p \ +/etc/monkeysphere/monkeysphere\-x509\-anchors.crt +If monkeysphere-host is configured to query an hkps keyserver for +publish-keys, it will use X.509 Certificate Authority certificates in +this file to validate any X.509 certificates used by the keyserver. +If the monkeysphere-host-x509 file is present, the monkeysphere-x509 +file will be ignored. .SH AUTHOR diff --git a/src/share/ma/setup b/src/share/ma/setup index f965487..3c82c45 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -36,6 +36,14 @@ setup() { no-greeting EOF + KEYSERVER_OPTIONS="" + for anchorfile in "${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt" "${SYSCONFIGDIR}/monkeysphere-x509-anchors.crt"; do + if [ -z "$KEYSERVER_OPTIONS" ] && [ -r "$anchorfile" ] ; then + KEYSERVER_OPTIONS="keyserver-options ca-cert-file=$anchorfile" + log debug "using $anchorfile for keyserver X.509 anchor" + fi + done + log debug "writing sphere gpg.conf..." cat >"${GNUPGHOME_SPHERE}"/gpg.conf <