From 4b444020fa50e4f22a427b981c582b35cdb4efb1 Mon Sep 17 00:00:00 2001
From: Timo Weingärtner
Date: Sat, 25 Feb 2012 21:17:00 +0100
Subject: Imported Debian version 0.2
---
README | 24 ++++++++++++
debian/README | 22 -----------
debian/changelog | 9 +++++
debian/control | 13 +++---
debian/copyright | 5 +--
debian/openssh-known-hosts.cron.d | 2 +-
debian/openssh-known-hosts.docs | 2 +-
debian/openssh-known-hosts.examples | 1 +
debian/openssh-known-hosts.install | 4 +-
debian/openssh-known-hosts.manpages | 1 +
debian/rules | 12 ++----
examples/curl | 9 +++++
examples/psql | 12 ++++++
examples/rsync | 10 +++++
examples/symlink | 5 +++
plugins/curl | 11 +++++-
plugins/rsync | 10 ++++-
update-known-hosts | 74 ------------------------------------
update-openssh-known-hosts | 76 +++++++++++++++++++++++++++++++++++++
update-openssh-known-hosts.8 | 42 ++++++++++++++++++++
20 files changed, 222 insertions(+), 122 deletions(-)
create mode 100644 README
delete mode 100644 debian/README
create mode 100644 debian/openssh-known-hosts.examples
create mode 100644 debian/openssh-known-hosts.manpages
create mode 100644 examples/curl
create mode 100644 examples/psql
create mode 100644 examples/rsync
create mode 100644 examples/symlink
delete mode 100755 update-known-hosts
create mode 100755 update-openssh-known-hosts
create mode 100644 update-openssh-known-hosts.8
diff --git a/README b/README
new file mode 100644
index 0000000..bcbbf4e
--- /dev/null
+++ b/README
@@ -0,0 +1,24 @@ +Writing a source definition: +============================ + +Place a file in /etc/openssh-known-hosts/sources. Its name must follow +run-parts' conventions. + +Basic variables: + * PLUGIN: name of the plugin to use + * EXIT_IGNORE: space-seperated list of exitcodes which should be ignored, no + update is performed for this source then (optional) + +For examples see /usr/share/doc/openssh-known-hosts/examples/*. + +Writing a plugin: +================= + +Place an executeable in /usr/local/share/openssh-known-hosts/plugins. Your +plugin gets the variables set in the source definition in its environment. The +working directory will be set to the source's cache directory. All your plugin +has to do is to create a file named "new". "current" must not be touched but +can be used as a hint to skip downloading the same file again. stdout and +stderr will be connected to "log", which will be output on error. You needn't +create "new" if it would be identical to "current". + diff --git a/debian/README b/debian/README deleted file mode 100644 index 8a521a8..0000000 --- a/debian/README +++ /dev/null @@ -1,22 +0,0 @@ -Writing a source definition: -============================ - -Place a file in /etc/openssh-known-hosts/sources/. Its name must follow -run-parts' conventions. - -Basic variables: - * PLUGIN: name of the plugin to use - * EXIT_IGNORE: space-seperated list of exitcodes which should be ignored, no - update is performed for this source then (optional) - - -Writing a plugin: -================= - -Place an executeable in /usr/local/share/openssh-known-hosts/plugins. Your -plugin gets the variables set in the source definition in its environment. The -working directory will be set to the source's cache directory. All your plugin -has to do is to create a file named "new". "current" must not be touched but -can be used as a hint to skip downloading the same file again. stdout and -stderr will be connected to "log", which will be output on error. - 
diff --git a/debian/changelog b/debian/changelog index bfc242e..9df9cde 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +openssh-known-hosts (0.2) unstable; urgency=low + + * Add examples. + * Add optional GnuPG verification in curl and rsync plugins. + * Upload to unstable (Closes: #534891) + * Rename update-known-hosts to update-$package and install it in /usr/sbin. + + -- Timo Weingärtner Sun, 28 Jun 2009 01:57:44 +0200 + openssh-known-hosts (0.1) fsmi-lenny; urgency=low * Initial Release. diff --git a/debian/control b/debian/control index 6f86622..e23b98f 100644 --- a/debian/control +++ b/debian/control @@ -4,14 +4,13 @@ Priority: extra Maintainer: Timo Weingärtner Build-Depends: debhelper (>= 7) Standards-Version: 3.8.1 -#Homepage: Package: openssh-known-hosts Architecture: all -Depends: dash, lockfile-progs, ${shlibs:Depends}, ${misc:Depends} -Recommends: openssh-client -Suggests: postgresql-client, rsync, curl +Depends: dash, lockfile-progs, ${misc:Depends} +Recommends: openssh-client, cron +Suggests: postgresql-client, rsync, curl, gpgv Description: known_hosts downloader for OpenSSH - This package allows you to download public hostkeys from various sources and - merge them together into one file for use by OpenSSH. Plugins for some types - of sources are included, new plugins can easily be written. + This package allows you to download public hostkeys from multiple sources + and merge them together into one file for use by OpenSSH. Plugins for some + types of sources are included, new plugins can easily be written. diff --git a/debian/copyright b/debian/copyright index a60558a..0e558ce 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,6 +1,6 @@ Copyright: - + Copyright (C) 2009 Timo Weingärtner License: 
@@ -21,6 +21,3 @@ License: On Debian systems, the complete text of the GNU General Public License can be found in `/usr/share/common-licenses/GPL'. -The Debian packaging is (C) 2009, Timo Weingärtner and -is licensed under the GPL, see above. - diff --git a/debian/openssh-known-hosts.cron.d b/debian/openssh-known-hosts.cron.d index d1fef7b..27f4f64 100644 --- a/debian/openssh-known-hosts.cron.d +++ b/debian/openssh-known-hosts.cron.d @@ -1,4 +1,4 @@ # # Regular cron jobs for the openssh-known-hosts package # -0 * * * * root [ -x /usr/share/openssh-known-hosts/update-known-hosts ] && /usr/share/openssh-known-hosts/update-known-hosts +0 * * * * root [ -x /usr/sbin/update-openssh-known-hosts ] && /usr/sbin/update-openssh-known-hosts diff --git a/debian/openssh-known-hosts.docs b/debian/openssh-known-hosts.docs index 2c0d173..ba8894c 100644 --- a/debian/openssh-known-hosts.docs +++ b/debian/openssh-known-hosts.docs @@ -1,2 +1,2 @@ -debian/README +README diff --git a/debian/openssh-known-hosts.examples b/debian/openssh-known-hosts.examples new file mode 100644 index 0000000..e39721e --- /dev/null +++ b/debian/openssh-known-hosts.examples @@ -0,0 +1 @@ +examples/* diff --git a/debian/openssh-known-hosts.install b/debian/openssh-known-hosts.install index 8e9375a..e7b7cf1 100644 --- a/debian/openssh-known-hosts.install +++ b/debian/openssh-known-hosts.install @@ -1,2 +1,2 @@ -update-known-hosts usr/share/openssh-known-hosts/ -plugins usr/share/openssh-known-hosts/ +update-openssh-known-hosts usr/sbin/ +plugins usr/share/openssh-known-hosts/ diff --git a/debian/openssh-known-hosts.manpages b/debian/openssh-known-hosts.manpages new file mode 100644 index 0000000..6ae64ea --- /dev/null +++ b/debian/openssh-known-hosts.manpages @@ -0,0 +1 @@ +update-openssh-known-hosts.8 diff --git a/debian/rules b/debian/rules index bf240d0..f1516b9 100755 --- a/debian/rules +++ b/debian/rules 
@@ -28,20 +28,19 @@ configure-stamp: touch configure-stamp -#Architecture build: build-arch build-indep build-arch: build-arch-stamp -build-arch-stamp: configure-stamp +build-arch-stamp: configure-stamp touch $@ build-indep: build-indep-stamp -build-indep-stamp: configure-stamp +build-indep-stamp: configure-stamp touch $@ -clean: +clean: dh_testdir dh_testroot rm -f build-arch-stamp build-indep-stamp configure-stamp @@ -73,16 +72,11 @@ binary-common: dh_installchangelogs dh_installdocs dh_installexamples -# dh_installmime dh_installcron dh_installman - dh_link - dh_strip dh_compress dh_fixperms - dh_makeshlibs dh_installdeb - dh_shlibdeps dh_gencontrol dh_md5sums dh_builddeb diff --git a/examples/curl b/examples/curl new file mode 100644 index 0000000..18ed01b --- /dev/null +++ b/examples/curl @@ -0,0 +1,9 @@ +PLUGIN=curl +# see curl(1), section "EXIT CODES" for details: +EXIT_IGNORE='6 7 28' + +URL='https://www.example.com/known_hosts' + +# optional: +SIGURL='http://www.example.com/known_hosts.sig' +KEYRING='/path/to/gpgv-compatible.keyring' diff --git a/examples/psql b/examples/psql new file mode 100644 index 0000000..e2e72cb --- /dev/null +++ b/examples/psql @@ -0,0 +1,12 @@ +PLUGIN=psql +# from psql(1): psql returns 2 if the connection to the server went bad and +# the session was not interactive +EXIT_IGNORE=2 + +PGCLUSTER=8.3/db.example.com: +PGDATABASE=exampledb +PGUSER=exampleuser +PGPASSWORD=foobar # beware: will be readable from /proc//environ, better: +PGPASSFILE=/path/to/.pgpass + +TABLE=known_hosts diff --git a/examples/rsync b/examples/rsync new file mode 100644 index 0000000..f8d9861 --- /dev/null +++ b/examples/rsync @@ -0,0 +1,10 @@ +PLUGIN=rsync +# see rsync(1), section "EXIT VALUES" for details: +EXIT_IGNORE=10 + +URL='rsync://rsync.example.com/pub/known_hosts' + +# optional: +SIGURL='rsync://rsync.example.com/pub/known_hosts.sig' +KEYRING='/path/to/gpgv-compatible.keyring' + 
diff --git a/examples/symlink b/examples/symlink
new file mode 100644
index 0000000..c1a9ba2
--- /dev/null
+++ b/examples/symlink
@@ -0,0 +1,5 @@
+PLUGIN=symlink
+# EXIT_IGNORE doesn't make sense here
+EXIT_IGNORE=
+
+LINKDEST=/etc/ssh/ssh_known_hosts_local
diff --git a/plugins/curl b/plugins/curl
index 8e658cc..5964613 100755
--- a/plugins/curl
+++ b/plugins/curl
@@ -4,10 +4,19 @@
 #
 # ENVIRONMENT VARIABLES:
 # URL URL to download known_hosts file from
+# SIGURL URL of the GnuPG signature
+# KEYRING path to the keyring for use by gpgv
 #
 set -e
-curl -Rz "./current" -m 300 -o new "${URL}"
+if [ "${SIGURL}" ]; then
+ curl -Rz "./current" -m 300 -o new.sig "${SIGURL}" -o new "${URL}"
+ [ -e new ] || exit 0
+ gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1
+ # return 1 because it's not clear what other codes may used
+else
+ curl -Rz "./current" -m 300 -o new "${URL}"
+fi
 # vim:set ft=sh:
diff --git a/plugins/rsync b/plugins/rsync
index 17a1e54..2d51a9d 100755
--- a/plugins/rsync
+++ b/plugins/rsync
@@ -3,7 +3,9 @@
 # rsync plugin
 #
 # ENVIRONMENT VARIABLES:
-# URL URL to download known_hosts file from
+# URL URL to download known_hosts file from
+# SIGURL URL of the GnuPG signature
+# KEYRING path to the keyring for use by gpgv
 #
 set -e
@@ -11,4 +13,10 @@ set -e
 ln -f current new || true
 rsync -vt --timeout=300 "${URL}" new
+if [ "${SIGURL}" ]; then
+ rsync -vt --timeout=300 "${SIGURL}" new.sig
+ gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1
+ # return 1 because it's not clear what other codes may used
+fi
+
 # vim:set ft=sh:
diff --git a/update-known-hosts b/update-known-hosts
deleted file mode 100755
index 14f873f..0000000
--- a/update-known-hosts
+++ /dev/null
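Review bot: Neither curl call in this hunk passes `-f`/`--fail`, so an HTTP error body (a 404 or 5xx page, a captive-portal redirect) is saved as `new` with exit status 0; in the `else` branch that file then replaces `current` and is concatenated into the merged ssh_known_hosts, and only the signed branch is rescued by gpgv rejecting it. Use `curl -fRz "./current" -m 300 -o new "${URL}"` in both branches. Separately, `-z` is to my knowledge a global curl option rather than a per-URL one, so a single time condition governs both downloads: when only the data file changed, `new` is fetched but `new.sig` is not, and gpgv then runs against a missing or stale `new.sig` left from an earlier run (the calling script only deletes `new`); fetching the signature unconditionally, or `rm -f new.sig` before the download, avoids that. gpgv also accepts any valid signature regardless of age, so a signed but older known_hosts can be replayed to reinstate rotated host keys; that limitation belongs in the header comment next to SIGURL/KEYRING.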
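Review bot: When `SIGURL` is empty this plugin trusts whatever `rsync -vt --timeout=300 "${URL}" new` delivers, and for `rsync://` URLs that transfer is neither encrypted nor authenticated, so anyone on the network path can inject host keys that end up in ssh_known_hosts and enable man-in-the-middle of later SSH sessions. The header comment should say so explicitly, e.g. `# NOTE: rsync:// transfers are unauthenticated; without SIGURL and KEYRING the fetched host keys are trusted blindly`, and examples/rsync should list SIGURL/KEYRING as the normal configuration rather than under "optional". The `|| exit 1` after gpgv is redundant under `set -e` but harmless; the same replay caveat as for the curl plugin applies, since gpgv does not compare the signature date with the previously accepted file.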
@@ -1,74 +0,0 @@
-#!/bin/dash
-
-set -euC
-
-CONFDIR=/etc/openssh-known-hosts
-PLUGIN_PATH=/usr/share/openssh-known-hosts/plugins:/usr/local/share/openssh-known-hosts/plugins
-CACHEDIR=/var/cache/openssh-known-hosts
-LOCK=/var/lock/openssh-known-hosts
-OUTFILE=/var/lib/openssh-known-hosts/ssh_known_hosts
-
-path_search () {
- if [ "${1}" != "${1#*/}" ]; then
- echo $1
- else
- echo "$2" | tr ':' '\n' | while read -r path; do
- if [ -f "${path}/${1}" ]; then
- echo "${path}/${1}"
- break
- fi
- done
- fi
-}
-
-lockfile-create "${LOCK}"
-lockfile-touch "${LOCK}" &
-LOCKPID="$!"
-
-cd "${CACHEDIR}"
-
-find -mindepth 2 -maxdepth 2 -type f -name new -delete
-
-run-parts --list "${CONFDIR}/sources/" | while read source; do
- source=`basename ${source}`
- mkdir -p ${source}
- (
- set -a
- cd ${source}
- . "${CONFDIR}/sources/${source}"
- `path_search "$PLUGIN" "$PLUGIN_PATH"` >| log 2>&1 || {
- exitcode=$?
- rm -f new
- ignore=''
- for e in ${EXIT_IGNORE:-0}; do
- if [ "$e" = "$exitcode" ]; then
- ignore=1
- break
- fi
- done
- if [ ! "$ignore" ]; then
- echo "${source} exited with code ${exitcode}, log follows:"
- cat log
- echo
- fi
- }
- )
- if [ -e ${source}/new ]; then
- mv ${source}/new ${source}/current
- fi
- if [ -e ${source}/current ]; then
- cat ${source}/current >&3
- fi
-done 3>| "${OUTFILE}.new"
-
-mv "${OUTFILE}.new" "${OUTFILE}"
-
-for d in *; do
- [ -d $d ] || continue
- [ -e "${CONFDIR}/sources/$d" ] || rm -fr $d
-done
-
-kill "${LOCKPID}"
-lockfile-remove "${LOCK}"
-
-# vim:set ft=sh:
diff --git a/update-openssh-known-hosts b/update-openssh-known-hosts
new file mode 100755
index 0000000..136535a
--- /dev/null
+++ b/update-openssh-known-hosts
@@ -0,0 +1,76 @@
+#!/bin/dash
+
+set -euC
+
+CONFDIR=/etc/openssh-known-hosts
+PLUGIN_PATH=/usr/share/openssh-known-hosts/plugins:/usr/local/share/openssh-known-hosts/plugins
+CACHEDIR=/var/cache/openssh-known-hosts
+LOCK=/var/lock/openssh-known-hosts
+OUTFILE=/var/lib/openssh-known-hosts/ssh_known_hosts
+
+path_search () {
+ if [ "${1}" != "${1#*/}" ]; then
+ echo $1
+ else
+ echo "$2" | tr ':' '\n' | while read -r path; do
+ if [ -f "${path}/${1}" ]; then
+ echo "${path}/${1}"
+ break
+ fi
+ done
+ fi
+}
+
+lockfile-create "${LOCK}"
+lockfile-touch "${LOCK}" &
+LOCKPID="$!"
+
+mkdir -p "${CACHEDIR}"
+cd "${CACHEDIR}"
+
+find -mindepth 2 -maxdepth 2 -type f -name new -delete
+
+run-parts --list "${CONFDIR}/sources/" | while read sourcefile; do
+ source=`basename ${sourcefile}`
+ mkdir -p ${source}
+ (
+ set -a
+ cd ${source}
+ . "${sourcefile}"
+ `path_search "$PLUGIN" "$PLUGIN_PATH"` >| log 2>&1 || {
+ exitcode=$?
+ rm -f new
+ ignore=''
+ for e in ${EXIT_IGNORE:-0}; do
+ if [ "$e" = "$exitcode" ]; then
+ ignore=1
+ break
+ fi
+ done
+ if [ ! "$ignore" ]; then
+ echo "${source} exited with code ${exitcode}, log follows:"
+ cat log
+ echo
+ fi
+ }
+ )
+ if [ -e ${source}/new ]; then
+ mv ${source}/new ${source}/current
+ fi
+ if [ -e ${source}/current ]; then
+ cat ${source}/current >&3
+ fi
+done 3>| "${OUTFILE}.new"
+
+mv "${OUTFILE}.new" "${OUTFILE}"
+
+# clean up cache dirs of vanished sources
+for d in *; do
+ [ -d $d ] || continue
+ [ -e "${CONFDIR}/sources/$d" ] || rm -fr $d
+done
+
+kill "${LOCKPID}"
+lockfile-remove "${LOCK}"
+
+# vim:set ft=sh:
diff --git a/update-openssh-known-hosts.8 b/update-openssh-known-hosts.8
new file mode 100644
index 0000000..445c7d6
--- /dev/null
+++ b/update-openssh-known-hosts.8
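Review bot: Nothing tears the lock down if the script dies early: after `lockfile-touch "${LOCK}" &` any later failure under `set -euC` (a failing `cd`, `run-parts`, `find` or `mv`) exits before `kill "${LOCKPID}"`, leaving a background lockfile-touch that, as I understand liblockfile, keeps the lock from ever going stale, so the hourly cron job then fails at `lockfile-create` until someone kills the stray process by hand. Register the cleanup right after `LOCKPID="$!"`: `trap 'kill "${LOCKPID}" 2>/dev/null; lockfile-remove "${LOCK}"' EXIT`, and drop the two explicit lines at the end. The source definitions are executed as root with all variables exported (`set -a` then `. "${sourcefile}"`), so they are code rather than data; a comment above the loop stating that `/etc/openssh-known-hosts/sources` must stay root-owned and not group/world-writable would make that contract explicit for packagers and admins. Note also that a source whose plugin fails is still merged from its stale `current` (or silently omitted if it never succeeded), which is a sensible fail-safe but is not documented here or in the README.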
@@ -0,0 +1,42 @@ +.\" Hey, EMACS: -*- nroff -*- +.\" First parameter, NAME, should be all caps +.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection +.\" other parameters are allowed: see man(7), man(1) +.TH OPENSSH-KNOWN-HOSTS 8 "2009-06-28" +.\" Please adjust this date whenever revising the manpage. +.\" +.\" Some roff macros, for reference: +.\" .nh disable hyphenation +.\" .hy enable hyphenation +.\" .ad l left justify +.\" .ad b justify to both left and right margins +.\" .nf disable filling +.\" .fi enable filling +.\" .br insert line break +.\" .sp insert n+1 empty lines +.\" for manpage-specific macros, see man(7) +.SH NAME +update-openssh-known-hosts \- known_hosts downloader for OpenSSH +.SH SYNOPSIS +.B update-openssh-known-hosts +.SH DESCRIPTION +This manual page documents briefly the +.B update-openssh-known-hosts +command. +.PP +.\" TeX users may be more comfortable with the \fB\fP and +.\" \fI\fP escape sequences to invode bold face and italics, +.\" respectively. +\fBupdate-openssh-known-hosts\fP is a program that downloads public hostkeys from multiple sources +and merges them together into one file for use by OpenSSH. +.SH OPTIONS +This program takes no options. +.SH SEE ALSO +.BR sshd (8), +.BR /usr/share/doc/openssh-known-hosts , +.BR /usr/share/openssh-known-hosts/plugins/* . +.SH AUTHOR +openssh-known-hosts was written by Timo Weingärtner . +.PP +This manual page was written by Timo Weingärtner , +for the Debian project (but may be used by others). -- cgit v1.2.3