| -rw-r--r-- | README (renamed from debian/README) | 6 | ||||
| -rw-r--r-- | debian/changelog | 9 | ||||
| -rw-r--r-- | debian/control | 13 | ||||
| -rw-r--r-- | debian/copyright | 5 | ||||
| -rw-r--r-- | debian/openssh-known-hosts.cron.d | 2 | ||||
| -rw-r--r-- | debian/openssh-known-hosts.docs | 2 | ||||
| -rw-r--r-- | debian/openssh-known-hosts.examples | 1 | ||||
| -rw-r--r-- | debian/openssh-known-hosts.install | 4 | ||||
| -rw-r--r-- | debian/openssh-known-hosts.manpages | 1 | ||||
| -rwxr-xr-x | debian/rules | 12 | ||||
| -rw-r--r-- | examples/curl | 9 | ||||
| -rw-r--r-- | examples/psql | 12 | ||||
| -rw-r--r-- | examples/rsync | 10 | ||||
| -rw-r--r-- | examples/symlink | 5 | ||||
| -rwxr-xr-x | plugins/curl | 11 | ||||
| -rwxr-xr-x | plugins/rsync | 10 | ||||
| -rwxr-xr-x | update-openssh-known-hosts (renamed from update-known-hosts) | 8 | ||||
| -rw-r--r-- | update-openssh-known-hosts.8 | 42 | 
18 files changed, 131 insertions, 31 deletions
| @@ -1,7 +1,7 @@  Writing a source definition:  ============================ -Place a file in /etc/openssh-known-hosts/sources/. Its name must follow +Place a file in /etc/openssh-known-hosts/sources. Its name must follow  run-parts' conventions.  Basic variables: @@ -9,6 +9,7 @@ Basic variables:   * EXIT_IGNORE:	space-seperated list of exitcodes which should be ignored, no  		update is performed for this source then (optional) +For examples see /usr/share/doc/openssh-known-hosts/examples/*.  Writing a plugin:  ================= @@ -18,5 +19,6 @@ plugin gets the variables set in the source definition in its environment. The  working directory will be set to the source's cache directory. All your plugin  has to do is to create a file named "new". "current" must not be touched but  can be used as a hint to skip downloading the same file again. stdout and -stderr will be connected to "log", which will be output on error. +stderr will be connected to "log", which will be output on error. You needn't +create "new" if it would be identical to "current". diff --git a/debian/changelog b/debian/changelog index bfc242e..9df9cde 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +openssh-known-hosts (0.2) unstable; urgency=low + +  * Add examples. +  * Add optional GnuPG verification in curl and rsync plugins. +  * Upload to unstable (Closes: #534891) +  * Rename update-known-hosts to update-$package and install it in /usr/sbin. + + -- Timo Weingärtner <timo@tiwe.de>  Sun, 28 Jun 2009 01:57:44 +0200 +  openssh-known-hosts (0.1) fsmi-lenny; urgency=low    * Initial Release. diff --git a/debian/control b/debian/control index 6f86622..e23b98f 100644 --- a/debian/control +++ b/debian/control 
@@ -4,14 +4,13 @@ Priority: extra  Maintainer: Timo Weingärtner <timo@tiwe.de>  Build-Depends: debhelper (>= 7)  Standards-Version: 3.8.1 -#Homepage: <insert the upstream URL, if relevant>  Package: openssh-known-hosts  Architecture: all -Depends: dash, lockfile-progs, ${shlibs:Depends}, ${misc:Depends} -Recommends: openssh-client -Suggests: postgresql-client, rsync, curl +Depends: dash, lockfile-progs, ${misc:Depends} +Recommends: openssh-client, cron +Suggests: postgresql-client, rsync, curl, gpgv  Description: known_hosts downloader for OpenSSH - This package allows you to download public hostkeys from various sources and - merge them together into one file for use by OpenSSH. Plugins for some types - of sources are included, new plugins can easily be written. + This package allows you to download public hostkeys from multiple sources + and merge them together into one file for use by OpenSSH. Plugins for some + types of sources are included, new plugins can easily be written. diff --git a/debian/copyright b/debian/copyright index a60558a..0e558ce 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,6 +1,6 @@  Copyright: -    <Copyright (C) 2009 Timo Weingärtner> +    Copyright (C) 2009 Timo Weingärtner <timo@tiwe.de>  License: @@ -21,6 +21,3 @@ License:  On Debian systems, the complete text of the GNU General  Public License can be found in `/usr/share/common-licenses/GPL'. -The Debian packaging is (C) 2009, Timo Weingärtner <timo@tiwe.de> and -is licensed under the GPL, see above. - diff --git a/debian/openssh-known-hosts.cron.d b/debian/openssh-known-hosts.cron.d index d1fef7b..27f4f64 100644 --- a/debian/openssh-known-hosts.cron.d +++ b/debian/openssh-known-hosts.cron.d 
@@ -1,4 +1,4 @@  #  # Regular cron jobs for the openssh-known-hosts package  # -0 *	* * *	root	[ -x /usr/share/openssh-known-hosts/update-known-hosts ] && /usr/share/openssh-known-hosts/update-known-hosts +0 *	* * *	root	[ -x /usr/sbin/update-openssh-known-hosts ] && /usr/sbin/update-openssh-known-hosts diff --git a/debian/openssh-known-hosts.docs b/debian/openssh-known-hosts.docs index 2c0d173..ba8894c 100644 --- a/debian/openssh-known-hosts.docs +++ b/debian/openssh-known-hosts.docs @@ -1,2 +1,2 @@ -debian/README +README diff --git a/debian/openssh-known-hosts.examples b/debian/openssh-known-hosts.examples new file mode 100644 index 0000000..e39721e --- /dev/null +++ b/debian/openssh-known-hosts.examples @@ -0,0 +1 @@ +examples/* diff --git a/debian/openssh-known-hosts.install b/debian/openssh-known-hosts.install index 8e9375a..e7b7cf1 100644 --- a/debian/openssh-known-hosts.install +++ b/debian/openssh-known-hosts.install @@ -1,2 +1,2 @@ -update-known-hosts	usr/share/openssh-known-hosts/ -plugins			usr/share/openssh-known-hosts/ +update-openssh-known-hosts	usr/sbin/ +plugins				usr/share/openssh-known-hosts/ diff --git a/debian/openssh-known-hosts.manpages b/debian/openssh-known-hosts.manpages new file mode 100644 index 0000000..6ae64ea --- /dev/null +++ b/debian/openssh-known-hosts.manpages @@ -0,0 +1 @@ +update-openssh-known-hosts.8 diff --git a/debian/rules b/debian/rules index bf240d0..f1516b9 100755 --- a/debian/rules +++ b/debian/rules @@ -28,20 +28,19 @@ configure-stamp:  	touch configure-stamp -#Architecture  build: build-arch build-indep  build-arch: build-arch-stamp -build-arch-stamp: configure-stamp   +build-arch-stamp: configure-stamp  	touch $@  build-indep: build-indep-stamp -build-indep-stamp: configure-stamp   +build-indep-stamp: configure-stamp  	touch $@ -clean:  +clean:  	dh_testdir  	dh_testroot  	rm -f build-arch-stamp build-indep-stamp configure-stamp 
@@ -73,16 +72,11 @@ binary-common:  	dh_installchangelogs  	dh_installdocs  	dh_installexamples -#	dh_installmime  	dh_installcron  	dh_installman -	dh_link -	dh_strip  	dh_compress  	dh_fixperms -	dh_makeshlibs  	dh_installdeb -	dh_shlibdeps  	dh_gencontrol  	dh_md5sums  	dh_builddeb diff --git a/examples/curl b/examples/curl new file mode 100644 index 0000000..18ed01b --- /dev/null +++ b/examples/curl @@ -0,0 +1,9 @@ +PLUGIN=curl +# see curl(1), section "EXIT CODES" for details: +EXIT_IGNORE='6 7 28' + +URL='https://www.example.com/known_hosts' + +# optional: +SIGURL='http://www.example.com/known_hosts.sig' +KEYRING='/path/to/gpgv-compatible.keyring' diff --git a/examples/psql b/examples/psql new file mode 100644 index 0000000..e2e72cb --- /dev/null +++ b/examples/psql @@ -0,0 +1,12 @@ +PLUGIN=psql +# from psql(1): psql returns 2 if the connection to the server went bad and +# the session was not interactive +EXIT_IGNORE=2 + +PGCLUSTER=8.3/db.example.com: +PGDATABASE=exampledb +PGUSER=exampleuser +PGPASSWORD=foobar # beware: will be readable from /proc/<pid>/environ, better: +PGPASSFILE=/path/to/.pgpass + +TABLE=known_hosts diff --git a/examples/rsync b/examples/rsync new file mode 100644 index 0000000..f8d9861 --- /dev/null +++ b/examples/rsync @@ -0,0 +1,10 @@ +PLUGIN=rsync +# see rsync(1), section "EXIT VALUES" for details: +EXIT_IGNORE=10 + +URL='rsync://rsync.example.com/pub/known_hosts' + +# optional: +SIGURL='rsync://rsync.example.com/pub/known_hosts.sig' +KEYRING='/path/to/gpgv-compatible.keyring' + diff --git a/examples/symlink b/examples/symlink new file mode 100644 index 0000000..c1a9ba2 --- /dev/null +++ b/examples/symlink @@ -0,0 +1,5 @@ +PLUGIN=symlink +# EXIT_IGNORE doesn't make sense here +EXIT_IGNORE= + +LINKDEST=/etc/ssh/ssh_known_hosts_local diff --git a/plugins/curl b/plugins/curl index 8e658cc..5964613 100755 --- a/plugins/curl +++ b/plugins/curl 
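Review bot: In examples/psql the line `PGPASSWORD=foobar` is an active assignment, so a source definition copied from this example exports a password to the plugin even though the trailing comment advises against it. The update script sources definitions under `set -a`, so every variable in the file ends up in the plugin's environment. I would ship it commented out, `#PGPASSWORD=foobar # readable from /proc/<pid>/environ, prefer:`, and leave only `PGPASSFILE=/path/to/.pgpass` live. A one-line comment that a definition holding credentials should not be world-readable under /etc/openssh-known-hosts/sources would also help.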
@@ -4,10 +4,19 @@  #  # ENVIRONMENT VARIABLES:  #	URL		URL to download known_hosts file from +#	SIGURL		URL of the GnuPG signature +#	KEYRING		path to the keyring for use by gpgv  #  set -e -curl -Rz "./current" -m 300 -o new "${URL}" +if [ "${SIGURL}" ]; then +	curl -Rz "./current" -m 300 -o new.sig "${SIGURL}" -o new "${URL}" +	[ -e new ] || exit 0 +	gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1 +	# return 1 because it's not clear what other codes may used +else +	curl -Rz "./current" -m 300 -o new "${URL}" +fi  # vim:set ft=sh: diff --git a/plugins/rsync b/plugins/rsync index 17a1e54..2d51a9d 100755 --- a/plugins/rsync +++ b/plugins/rsync @@ -3,7 +3,9 @@  # rsync plugin  #  # ENVIRONMENT VARIABLES: -#	URL	URL to download known_hosts file from +#	URL		URL to download known_hosts file from +#	SIGURL		URL of the GnuPG signature +#	KEYRING		path to the keyring for use by gpgv  #  set -e @@ -11,4 +13,10 @@ set -e  ln -f current new || true  rsync -vt --timeout=300 "${URL}" new +if [ "${SIGURL}" ]; then +	rsync -vt --timeout=300 "${SIGURL}" new.sig +	gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1 +	# return 1 because it's not clear what other codes may used +fi	 +  # vim:set ft=sh: diff --git a/update-known-hosts b/update-openssh-known-hosts index 14f873f..136535a 100755 --- a/update-known-hosts +++ b/update-openssh-known-hosts @@ -25,17 +25,18 @@ lockfile-create "${LOCK}"  lockfile-touch "${LOCK}" &  LOCKPID="$!" +mkdir -p "${CACHEDIR}"  cd "${CACHEDIR}"  find -mindepth 2 -maxdepth 2 -type f -name new -delete -run-parts --list "${CONFDIR}/sources/" | while read source; do -	source=`basename ${source}` +run-parts --list "${CONFDIR}/sources/" | while read sourcefile; do +	source=`basename ${sourcefile}`  	mkdir -p ${source}  	(  		set -a  		cd ${source} -		. "${CONFDIR}/sources/${source}" +		. "${sourcefile}"  		`path_search "$PLUGIN" "$PLUGIN_PATH"` >| log 2>&1 || {  			exitcode=$?  			rm -f new 
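Review bot: The new `gpgv --keyring "${KEYRING}" --status-fd 2 new.sig` in plugins/curl never names the file being verified, so the link between the signature and `new` rests on gpgv's suffix-stripping guess. If SIGURL returns a self-contained signed message rather than a detached signature, some GnuPG versions may report success for the embedded data without checking `new` at all. Passing the data file, `gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1`, states the intent and lets versions that enforce it reject a non-detached signature. KEYRING is also used unchecked when SIGURL is set, and what gpgv does with an empty `--keyring` argument is not obvious from here; a guard such as `: "${KEYRING:?KEYRING must be set when SIGURL is set}"` before the call would make that case fail closed. The same two points apply to the gpgv call added in the plugins/rsync hunk.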
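Review bot: In update-openssh-known-hosts the rewritten loop head still uses `read` without `-r`, and the new ``source=`basename ${sourcefile}` `` leaves the expansion unquoted. `sourcefile` now carries the full path under `${CONFDIR}`, so any whitespace or glob characters in that path would be split or expanded in a script that cron runs as root. I would write `while IFS= read -r sourcefile; do` and `source=$(basename -- "${sourcefile}")`, and quote `"${source}"` in the following `mkdir -p` and `cd`. The loop body continues past the end of this hunk.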
@@ -63,6 +64,7 @@ done 3>| "${OUTFILE}.new"  mv "${OUTFILE}.new" "${OUTFILE}" +# clean up cache dirs of vanished sources  for d in *; do  	[ -d $d ] || continue  	[ -e "${CONFDIR}/sources/$d" ] || rm -fr $d diff --git a/update-openssh-known-hosts.8 b/update-openssh-known-hosts.8 new file mode 100644 index 0000000..445c7d6 --- /dev/null +++ b/update-openssh-known-hosts.8 
@@ -0,0 +1,42 @@ +.\"                                      Hey, EMACS: -*- nroff -*- +.\" First parameter, NAME, should be all caps +.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection +.\" other parameters are allowed: see man(7), man(1) +.TH OPENSSH-KNOWN-HOSTS 8 "2009-06-28" +.\" Please adjust this date whenever revising the manpage. +.\" +.\" Some roff macros, for reference: +.\" .nh        disable hyphenation +.\" .hy        enable hyphenation +.\" .ad l      left justify +.\" .ad b      justify to both left and right margins +.\" .nf        disable filling +.\" .fi        enable filling +.\" .br        insert line break +.\" .sp <n>    insert n+1 empty lines +.\" for manpage-specific macros, see man(7) +.SH NAME +update-openssh-known-hosts \- known_hosts downloader for OpenSSH +.SH SYNOPSIS +.B update-openssh-known-hosts +.SH DESCRIPTION +This manual page documents briefly the +.B update-openssh-known-hosts +command. +.PP +.\" TeX users may be more comfortable with the \fB<whatever>\fP and +.\" \fI<whatever>\fP escape sequences to invode bold face and italics, +.\" respectively. +\fBupdate-openssh-known-hosts\fP is a program that downloads public hostkeys from multiple sources +and merges them together into one file for use by OpenSSH. +.SH OPTIONS +This program takes no options. +.SH SEE ALSO +.BR sshd (8), +.BR /usr/share/doc/openssh-known-hosts , +.BR /usr/share/openssh-known-hosts/plugins/* . +.SH AUTHOR +openssh-known-hosts was written by Timo Weingärtner <timo@tiwe.de>. +.PP +This manual page was written by Timo Weingärtner <timo@tiwe.de>, +for the Debian project (but may be used by others). | 
