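# -*-shell-script-*-
# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)

# Monkeysphere authentication diagnostics subcommand
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008-2009, and are all released under the GPL,
# version 3 or later.

# check on the status and validity of the key and public certificates

#######################################
# Report on the health of the monkeysphere authentication setup: the
# monkeysphere system user, the data directories, the core GPG key,
# the identity certifiers and the sshd AuthorizedKeysFile configuration.
# Globals:   SYSDATADIR, MADATADIR, SYSCONFIGDIR, RAW_AUTHORIZED_KEYS (read)
# Calls:     report_cruft, gpg_core, advance_date and
#            monkeysphere-authentication, all defined elsewhere
# Outputs:   human-readable findings and recommendations on stdout
# Returns:   exits the shell (status 0) when the authentication data
#            directory is missing; otherwise returns 0 whether or not
#            problems were found -- the findings are on stdout only, so
#            callers cannot rely on the exit status to detect problems
#######################################
diagnostics() {

    local seckey
    local keysfound
    local curdate
    local warnwindow
    local warndate
    local create
    local expire
    local fingerprint
    local badauthorizedkeys
    local sshd_config
    local mskeys_re
    local plural
    local problemsfound=0

    report_cruft

    if ! id monkeysphere >/dev/null ; then
        echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell."
        problemsfound=$((problemsfound + 1))
    fi

    if [[ ! -d "$SYSDATADIR" ]] ; then
        echo "! no $SYSDATADIR directory found. Please create it."
        problemsfound=$((problemsfound + 1))
    fi

    echo "Checking for authentication directory..."
    if [[ ! -d "$MADATADIR" ]] ; then
        echo "! No authentication data directory found."
        echo " - Recommendation: run 'monkeysphere-authentication setup'"
        # nothing further can be checked without the data directory
        exit
    fi

    # FIXME: what's the correct, cross-platform way to determine where
    # sshd_config lives?
    sshd_config=/etc/ssh/sshd_config

    seckey=$(gpg_core --list-secret-keys --fingerprint --with-colons)
    keysfound=$(grep -c '^sec:' <<<"$seckey")
    curdate=$(date +%s)
    # warn when anything is 2 months away from expiration
    warnwindow='2 months'
    # $warnwindow is deliberately unquoted: advance_date wants the
    # amount and the unit as two separate arguments
    # shellcheck disable=SC2086
    warndate=$(advance_date $warnwindow +%s)

    echo "Checking core GPG key..."
    if (( keysfound < 1 )); then
        echo "! No core key found."
        echo " - Recommendation: run 'monkeysphere-authentication setup'"
        problemsfound=$((problemsfound + 1))
    elif (( keysfound > 1 )); then
        echo "! More than one core key found?"
        # FIXME: recommend a way to resolve this
        problemsfound=$((problemsfound + 1))
    else
        # colon-separated fields of the sec: line: 6 = creation, 7 = expiry
        create=$(grep '^sec:' <<<"$seckey" | cut -f6 -d:)
        expire=$(grep '^sec:' <<<"$seckey" | cut -f7 -d:)
        # A secret-key listing emits sec:/ssb: lines, never pub:, so the
        # primary fingerprint is the fpr: line that directly follows sec:
        # (fpr: lines after ssb: belong to subkeys and are skipped).
        fingerprint=$(awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^sec:/{ ok=1 }' <<<"$seckey")
        # check for key expiration (field 7 is empty when the key never expires):
        if [[ -n "$expire" ]]; then
            if (( expire < curdate )); then
                echo "! Core key is expired."
                echo " - Recommendation: ???"
                problemsfound=$((problemsfound + 1))
            elif (( expire < warndate )); then
                echo "! Core key expires in less than $warnwindow: $(advance_date $(( expire - curdate )) seconds +%F)"
                echo " - Recommendation: ???"
                problemsfound=$((problemsfound + 1))
            fi
        fi

        # and weirdnesses:
        if [[ -n "$create" ]] && (( create > curdate )); then
            echo "! Core key was created in the future(?!). Is your clock correct?"
            echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
            problemsfound=$((problemsfound + 1))
        fi

    fi

    # FIXME: look at the ownership/privileges of the various keyrings,
    # directories housing them, etc (what should those values be? can
    # we make them as minimal as possible?)

    # FIXME: look to see that the ownertrust rules are set properly on the
    # sphere keyring

    # make sure that at least one identity certifier exists: the listing
    # prints one line per certifier, starting with its 40-hex-digit fingerprint
    echo
    echo "Checking for Identity Certifiers..."
    if ! monkeysphere-authentication list-identity-certifiers | grep -E -q '^[A-F0-9]{40}:' ; then
        echo "! No Identity Certifiers found!"
        echo " - Recommendation: once you know who should be able to certify the identities of
   connecting users, you should add their key, with:
   monkeysphere-authentication add-identity-certifier"
        problemsfound=$((problemsfound + 1))
    fi

    # FIXME: look at the timestamps on the monkeysphere-generated
    # authorized_keys files -- warn if they seem out-of-date.

    # FIXME: check for a cronjob that updates monkeysphere-generated
    # authorized_keys?

    echo
    echo "Checking for Monkeysphere-enabled public-key authentication for users ..."
    # The path sshd must be reading monkeysphere-generated keys from.
    # NOTE: it is interpolated into a basic regex unescaped; SYSDATADIR is
    # expected to contain no regex metacharacters.
    mskeys_re="${SYSDATADIR}/authorized_keys/%u"
    # sshd_config keywords are case-insensitive, so every grep below uses
    # -i. The checks only look at directives starting in column 0; an
    # AuthorizedKeysFile inside an indented Match block is not inspected.
    #
    # Ensure that User ID authentication is enabled:
    if echo "AuthorizedKeysFile foo bar" | /usr/sbin/sshd -t -f /dev/stdin; then
        # OpenSSH >= 6.0, multiple authorized_keys file supported
        if ! grep -q -i "^AuthorizedKeysFile[[:space:]]\+.*[[:space:]]*${mskeys_re}$" "$sshd_config"; then
            echo "! $sshd_config does not point to monkeysphere authorized keys."
            echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2 ${mskeys_re}'"
            problemsfound=$((problemsfound + 1))
        fi
        # When raw authorized_keys are imported into the monkeysphere file,
        # sshd reading any other file as well means keys are honoured twice.
        if [[ "$RAW_AUTHORIZED_KEYS" != none ]]; then
            if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v -i "^AuthorizedKeysFile[[:space:]]\+${mskeys_re}$") ; then
                echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
                echo "$badauthorizedkeys"
                echo " - Recommendation: disable authorized_keys import: 'echo RAW_AUTHORIZED_KEYS=none >> ${SYSCONFIGDIR}/monkeysphere-authentication.conf'"
                problemsfound=$((problemsfound + 1))
            fi
        fi
    else
        # OpenSSH < 6.0, single authorized_keys file
        if ! grep -q -i "^AuthorizedKeysFile[[:space:]]\+${mskeys_re}$" "$sshd_config"; then
            echo "! $sshd_config does not point to monkeysphere authorized keys."
            echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${mskeys_re}'"
            problemsfound=$((problemsfound + 1))
        fi
        if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v -i "^AuthorizedKeysFile[[:space:]]\+${mskeys_re}$") ; then
            echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
            echo "$badauthorizedkeys"
            echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
            problemsfound=$((problemsfound + 1))
        fi
    fi

    if (( problemsfound > 0 )); then
        if (( problemsfound == 1 )); then
            plural=" is"
        else
            plural="s are"
        fi
        echo "When the above $problemsfound issue${plural} resolved, please re-run:"
        echo "  monkeysphere-authentication diagnostics"
    else
        echo "Everything seems to be in order!"
    fi

}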