diff options
author | Timo Weingärtner <timo@tiwe.de> | 2024-10-24 11:18:07 +0200 |
---|---|---|
committer | Timo Weingärtner <timo@tiwe.de> | 2024-10-24 11:18:07 +0200 |
commit | 43718b8be48640580bf9cc0d57e98b8f5d166998 (patch) | |
tree | 9640cb9d37e96be95e9ac2420b8c7b69c41be61d | |
parent | 86ff9a1cd6428d469d1015a8b7b781501eb0ad49 (diff) | |
parent | da301a83b9bf37988bcb4b3029ee2dcd85983995 (diff) | |
download | openssh-known-hosts-43718b8be48640580bf9cc0d57e98b8f5d166998.tar.gz |
Merge tag '0.6.3' into debian
release 0.6.3
-rw-r--r-- | changelog | 93 | ||||
-rw-r--r-- | examples/curl | 2 | ||||
-rw-r--r-- | examples/kit_edu | 5 | ||||
-rw-r--r-- | examples/kit_edu.filter | 2 | ||||
-rw-r--r-- | examples/rsync | 2 | ||||
-rwxr-xr-x | plugins/curl | 13 | ||||
-rwxr-xr-x | plugins/psql | 2 | ||||
-rwxr-xr-x | plugins/rsync | 13 | ||||
-rwxr-xr-x | update-openssh-known-hosts | 76 |
9 files changed, 154 insertions, 54 deletions
@@ -1,4 +1,93 @@ -commit 43b1b4cbfb1aeabf3c9542c27c971790bf77cf91 (HEAD, master) +commit 274f3a6fca8d003140eed1fdd6bf70e016403bad +Author: Timo Weingärtner <timo@tiwe.de> +Date: 2024-10-24 10:55:42 +0200 + + remove examples/kit_edu, service gone + +commit b29ad4a5696aa1cbf85b77ae64c99865e57d2d6b +Author: Guillem Jover <guillem@hadrons.org> +Date: 2024-09-30 01:39:13 +0200 + + Add sopv support + + This is a subset of the Stateless OpenPGP CLI + <https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/>, + that can easily replace the GnuPG usage. + + There are multiple implementations providing this interface. + +commit 31b9dc01eb871055de006a3fb94fdaea2059966a +Author: Guillem Jover <guillem@hadrons.org> +Date: 2024-10-02 03:32:13 +0200 + + Clarify comment on exit code override to workaround overlapping codes + + The framework expects to be able to ignore specific exit codes from the + plugins, but if we are possibly returning exit codes from different + tools, then it's hard to untangle what tool generated which exit code. + + In the plugins at hand the exit code 1 seems like a safe one, given both + curl and rsync usage, so we currently turn any OpenPGP verification + error into that. + +commit c26168119320ca5b03e6b420e3c4192d1e2ecc6a +Author: Guillem Jover <guillem@hadrons.org> +Date: 2024-09-30 02:00:58 +0200 + + Current gpgv requires the datafile for detached signatures + + Otherwise we get the following error: + + gpgv: no signed data + gpgv: can't hash datafile: No data + +commit a18b87e43ece9a448ab912225e1a26d8fd4b3e7f +Author: Guillem Jover <guillem@hadrons.org> +Date: 2024-09-30 01:36:22 +0200 + + Use OpenPGP when referring to the standard or objects + + These are OpenPGP signatures that any conforming implementation should + be able to handle. They are not specific to GnuPG, which is one of many + implementations, even though a very prominent one. + +commit f855dc5ac98432ef4b126446c50a9737d98f0fb8 +Author: Timo Weingärtner <timo@tiwe.de> +Date: 2021-07-19 13:36:58 +0200 + + always use read with -r + +commit 53614d19826293d753aad599f2b2900d8d6303ed +Author: Timo Weingärtner <timo@tiwe.de> +Date: 2021-07-19 13:35:16 +0200 + + factor out download_source() + +commit 265011411069c0c26dd693f714a43a6c7e6ad9ea +Author: Timo Weingärtner <timo@tiwe.de> +Date: 2021-07-19 13:33:32 +0200 + + use bash arrays in path_search() + +commit 0b161b76dac289f4b7100916bac27961aed88120 +Author: Timo Weingärtner <timo@tiwe.de> +Date: 2021-07-19 13:24:53 +0200 + + make config variables readonly + +commit 4a715d24969a351ddd255fccee9dfd7e726d2555 +Author: Timo Weingärtner <timo@tiwe.de> +Date: 2016-05-25 12:36:29 +0200 + + plugins/psql: fix spelling in comment + +commit 5759da2f6316fccc56d722e06d6e4bdda26251be (tag: 0.6.2) +Author: Timo Weingärtner <timo@tiwe.de> +Date: 2015-02-17 19:50:11 +0100 + + changelog for 0.6.2 + +commit 43b1b4cbfb1aeabf3c9542c27c971790bf77cf91 Author: Timo Weingärtner <timo@tiwe.de> Date: 2015-02-17 19:39:41 +0100 @@ -6,7 +95,7 @@ Date: 2015-02-17 19:39:41 +0100 applied with care, the two remaining things are meant that way -commit 0e971e742afad1669dbae0d75eead51e76af1899 (origin/master) +commit 0e971e742afad1669dbae0d75eead51e76af1899 Author: Timo Weingärtner <timo@tiwe.de> Date: 2015-01-22 20:34:42 +0100 diff --git a/examples/curl b/examples/curl index 18ed01b..b8f6d96 100644 --- a/examples/curl +++ b/examples/curl @@ -6,4 +6,4 @@ URL='https://www.example.com/known_hosts' # optional: SIGURL='http://www.example.com/known_hosts.sig' -KEYRING='/path/to/gpgv-compatible.keyring' +KEYRING='/path/to/openpgp-compatible.keyring' diff --git a/examples/kit_edu b/examples/kit_edu deleted file mode 100644 index e676499..0000000 --- a/examples/kit_edu +++ /dev/null @@ -1,5 +0,0 @@ -PLUGIN=curl -EXIT_IGNORE='6 7 28' - -CURL_OPTIONS='--connect-timeout 10' -URL='https://rzadmin.rz.uni-karlsruhe.de/openssh/ssh_known_hosts' diff --git a/examples/kit_edu.filter b/examples/kit_edu.filter deleted file mode 100644 index 556ab25..0000000 --- a/examples/kit_edu.filter +++ /dev/null @@ -1,2 +0,0 @@ -allow \.(fzk|uka|uni-karlsruhe)\.de$ -allow \.kit\.edu$ diff --git a/examples/rsync b/examples/rsync index 1d9fd4c..cbb6d64 100644 --- a/examples/rsync +++ b/examples/rsync @@ -11,5 +11,5 @@ URL='rsync://rsync.example.com/pub/known_hosts' # optional: SIGURL='rsync://rsync.example.com/pub/known_hosts.sig' -KEYRING='/path/to/gpgv-compatible.keyring' +KEYRING='/path/to/openpgp-compatible.keyring' diff --git a/plugins/curl b/plugins/curl index 9c47601..3ae028c 100755 --- a/plugins/curl +++ b/plugins/curl @@ -5,8 +5,8 @@ # ENVIRONMENT VARIABLES: # URL URL to download known_hosts file from # CURL_OPTIONS options passed to curl -# SIGURL URL of the GnuPG signature -# KEYRING path to the keyring for use by gpgv +# SIGURL URL of the OpenPGP signature +# KEYRING path to the OpenPGP keyring with certificates # set -e @@ -14,8 +14,13 @@ set -e if [ "${SIGURL}" ]; then curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}" [ -e new ] || exit 0 - gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1 - # return 1 because it's not clear what other codes may used + if command -v sopv >/dev/null; then + sopv verify new.sig "${KEYRING}" <new || exit 1 + else + gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1 + fi + # return 1 because it's not clear what other codes may be safe to + # use that do not overlap with codes from curl. else curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new "${URL}" fi diff --git a/plugins/psql b/plugins/psql index a7c0a72..2e194f6 100755 --- a/plugins/psql +++ b/plugins/psql @@ -4,7 +4,7 @@ # # uses psql to download a TABLE (or VIEW) of the form: # CREATE TABLE known_hosts ( -# namelist text, # comma seperated +# namelist text, # comma separated # type text, # key text # ); diff --git a/plugins/rsync b/plugins/rsync index 1a57660..1ee6831 100755 --- a/plugins/rsync +++ b/plugins/rsync @@ -4,8 +4,8 @@ # # ENVIRONMENT VARIABLES: # URL URL to download known_hosts file from -# SIGURL URL of the GnuPG signature -# KEYRING path to the keyring for use by gpgv +# SIGURL URL of the OpenPGP signature +# KEYRING path to the OpenPGP keyring with certificates # set -e @@ -15,8 +15,13 @@ rsync -vt --timeout=300 "${URL}" new if [ "${SIGURL}" ]; then rsync -vt --timeout=300 "${SIGURL}" new.sig - gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1 - # return 1 because it's not clear what other codes may used + if command -v sopv >/dev/null; then + sopv verify new.sig "${KEYRING}" <new || exit 1 + else + gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1 + fi + # return 1 because it's not clear what other codes may be safe to + # use that do not overlap with codes from rsync. fi # vim:set ft=sh: diff --git a/update-openssh-known-hosts b/update-openssh-known-hosts index 6d72663..9eee3ec 100755 --- a/update-openssh-known-hosts +++ b/update-openssh-known-hosts @@ -25,23 +25,24 @@ CACHEDIR=${CACHEDIR:-/var/cache/openssh-known-hosts} LOCK=${LOCK:-/var/lock/openssh-known-hosts} OUTFILE=${OUTFILE:-/var/lib/openssh-known-hosts/ssh_known_hosts} +readonly CONFDIR PLUGIN_PATH CACHEDIR LOCK OUTFILE + path_search () { - search="$1" - shift - local IFS - IFS=: - set -- $@ + local search=$1 + local -a pathlist + IFS=: read -ra pathlist <<< "$2" + if [[ ${search} =~ / ]]; then echo "${search}" return 0 fi - for path; do + for path in "${pathlist[@]}"; do if [ -f "${path}/${search}" ]; then echo "${path}/${search}" return 0 fi done - echo "'${search}' not found in '$*'!" >&2 + echo "'${search}' not found in '$2'!" >&2 exit 127 } @@ -51,6 +52,36 @@ cleanup () { lockfile-remove "${LOCK}" } +download_source () ( + local sourcename=$1 + local sourcefile=$2 + + cd "${CACHEDIR}/${sourcename}" + set -a + . "${sourcefile}" + set +a + # shellcheck disable=SC2091 + $(path_search "$PLUGIN" "$PLUGIN_PATH") >| log 2>&1 || { + exitcode=$? + rm -f new + ignore='' + for e in ${EXIT_IGNORE:-0}; do + if [[ $e = "$exitcode" ]]; then + ignore=1 + break + fi + done + if [ -z "$ignore" ] || [ "$fail" ]; then + echo "${source} exited with code ${exitcode}, log follows:" + cat log + echo + fi + if [ "$fail" ]; then + exit 1 + fi + } >&2 +) + if [ $# -eq 1 ] && [ "$1" = "-f" ]; then fail=1 else @@ -68,33 +99,10 @@ cd "${CACHEDIR}" find -mindepth 2 -maxdepth 2 -type f -name new -delete -run-parts --list "${CONFDIR}/sources/" | while read sourcefile; do +run-parts --list "${CONFDIR}/sources/" | while read -r sourcefile; do source=${sourcefile##*/} mkdir -p "${source}" - ( - set -a - cd "${source}" - . "${sourcefile}" - $(path_search "$PLUGIN" "$PLUGIN_PATH") >| log 2>&1 || { - exitcode=$? - rm -f new - ignore='' - for e in ${EXIT_IGNORE:-0}; do - if [[ $e = "$exitcode" ]]; then - ignore=1 - break - fi - done - if [ -z "$ignore" -o "$fail" ]; then - echo "${source} exited with code ${exitcode}, log follows:" - cat log - echo - fi - if [ "$fail" ]; then - exit 1 - fi - } >&2 - ) || exit 1 + download_source "${source}" "${sourcefile}" if [ -e "${source}/new" ]; then mv "${source}/new" "${source}/current" fi @@ -107,8 +115,8 @@ run-parts --list "${CONFDIR}/sources/" | while read sourcefile; do unset filter[$i] fi done - while read hostlist rest; do - IFS=, read -a hostarray <<<"$hostlist" + while read -r hostlist rest; do + IFS=, read -ra hostarray <<<"$hostlist" new_hostlist='' for host in "${hostarray[@]}"; do for rule in "${filter[@]}"; do |