1# -*-shell-script-*-
2# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
3
4# Monkeysphere authentication diagnostics subcommand
5#
6# The monkeysphere scripts are written by:
7# Jameson Rollins <jrollins@finestructure.net>
8# Jamie McClelland <jm@mayfirst.org>
9# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
10#
11# They are Copyright 2008-2009, and are all released under the GPL,
12# version 3 or later.
13
14# check on the status and validity of the key and public certificates
15
16diagnostics() {
17
18local seckey
19local keysfound
20local curdate
21local warnwindow
22local warndate
23local create
24local expire
25local uid
26local fingerprint
27local badhostkeys
28local sshd_config
29local problemsfound=0
30
31report_cruft
32
33if ! id monkeysphere >/dev/null ; then
34    echo "! No monkeysphere user found!  Please create a monkeysphere system user with bash as its shell."
35    problemsfound=$(($problemsfound+1))
36fi
37
38if ! [ -d "$SYSDATADIR" ] ; then
39    echo "! no $SYSDATADIR directory found.  Please create it."
40    problemsfound=$(($problemsfound+1))
41fi
42
43echo "Checking for authentication directory..."
44if ! [ -d "$MADATADIR" ] ; then
45    echo "! No authentication data directory found."
46    echo " - Recommendation: run 'monkeysphere-authentication setup'"
47    exit
48fi
49
50# FIXME: what's the correct, cross-platform way to determine where
51# sshd_config lives?
52sshd_config=/etc/ssh/sshd_config
53
54seckey=$(gpg_core --list-secret-keys --fingerprint --with-colons)
55keysfound=$(echo "$seckey" | grep -c ^sec:)
56curdate=$(date +%s)
57# warn when anything is 2 months away from expiration
58warnwindow='2 months'
59warndate=$(advance_date $warnwindow +%s)
60
61echo "Checking core GPG key..."
62if (( "$keysfound" < 1 )); then
63    echo "! No core key found."
64    echo " - Recommendation: run 'monkeysphere-authentication setup'"
65    problemsfound=$(($problemsfound+1))
66elif (( "$keysfound" > 1 )); then
67    echo "! More than one core key found?"
68    # FIXME: recommend a way to resolve this
69    problemsfound=$(($problemsfound+1))
70else
71    create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
72    expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
73    fingerprint=$(echo "$seckey" | awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^pub:/{ ok=1 }')
74    # check for key expiration:
75    if [ "$expire" ]; then
76	if (( "$expire"  < "$curdate" )); then
77	    echo "! Core key is expired."
78	    echo " - Recommendation: ???"
79	    problemsfound=$(($problemsfound+1))
80	elif (( "$expire" < "$warndate" )); then
81	    echo "! Core key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
82	    echo " - Recommendation: ???"
83	    problemsfound=$(($problemsfound+1))
84	fi
85    fi
86
87    # and weirdnesses:
88    if [ "$create" ] && (( "$create" > "$curdate" )); then
89	echo "! Core key was created in the future(?!). Is your clock correct?"
90	echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
91	problemsfound=$(($problemsfound+1))
92    fi
93
94fi
95
96# FIXME: look at the ownership/privileges of the various keyrings,
97#    directories housing them, etc (what should those values be?  can
98#    we make them as minimal as possible?)
99
100# FIXME: look to see that the ownertrust rules are set properly on the
101#    sphere keyring
102
103# make sure that at least one identity certifier exists
104echo
105echo "Checking for Identity Certifiers..."
106if ! ( monkeysphere-authentication list-identity-certifiers | egrep '^[A-F0-9]{40}:' >/dev/null ) ; then
107    echo "! No Identity Certifiers found!"
108    echo " - Recommendation: once you know who should be able to certify the identities of
109     connecting users, you should add their key, with:
110      monkeysphere-authentication add-identity-certifier"
111    problemsfound=$(($problemsfound+1))
112fi
113
114# FIXME: look at the timestamps on the monkeysphere-generated
115# authorized_keys files -- warn if they seem out-of-date.
116
117# FIXME: check for a cronjob that updates monkeysphere-generated
118# authorized_keys?
119
120echo
121echo "Checking for Monkeysphere-enabled public-key authentication for users ..."
122# Ensure that User ID authentication is enabled:
123if echo "AuthorizedKeysFile foo bar" | /usr/sbin/sshd -t -f /dev/stdin; then
124    # OpenSSH >= 6.0, multiple authorized_keys file supported
125    if ! grep -q "^AuthorizedKeysFile[[:space:]]\+.*[[:space:]]*${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then
126        echo "! $sshd_config does not point to monkeysphere authorized keys."
127        echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2 ${SYSDATADIR}/authorized_keys/%u'"
128        problemsfound=$(($problemsfound+1))
129    fi
130    if [ "$RAW_AUTHORIZED_KEYS" != none ]; then
131        if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then
132            echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
133            echo "$badauthorizedkeys"
134            echo " - Recommendation: disable authorized_keys import: 'echo RAW_AUTHORIZED_KEYS=none >> ${SYSCONFIGDIR}/monkeysphere-authentication.conf'"
135            problemsfound=$(($problemsfound+1))
136        fi
137    fi
138else
139    # OpenSSH < 6.0, single authorized_keys file
140    if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then
141        echo "! $sshd_config does not point to monkeysphere authorized keys."
142        echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'"
143        problemsfound=$(($problemsfound+1))
144    fi
145    if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then
146        echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
147        echo "$badauthorizedkeys"
148        echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
149        problemsfound=$(($problemsfound+1))
150    fi
151fi
152
153if [ "$problemsfound" -gt 0 ]; then
154    echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
155    echo "  monkeysphere-authentication diagnostics"
156else
157    echo "Everything seems to be in order!"
158fi
159
160}
161