From 4b444020fa50e4f22a427b981c582b35cdb4efb1 Mon Sep 17 00:00:00 2001
From: Timo Weingärtner <timo@tiwe.de>
Date: Sat, 25 Feb 2012 21:17:00 +0100
Subject: Imported Debian version 0.2

---
 README                              | 24 ++++++++++++
 debian/README                       | 22 -----------
 debian/changelog                    |  9 +++++
 debian/control                      | 13 +++----
 debian/copyright                    |  5 +--
 debian/openssh-known-hosts.cron.d   |  2 +-
 debian/openssh-known-hosts.docs     |  2 +-
 debian/openssh-known-hosts.examples |  1 +
 debian/openssh-known-hosts.install  |  4 +-
 debian/openssh-known-hosts.manpages |  1 +
 debian/rules                        | 12 ++----
 examples/curl                       |  9 +++++
 examples/psql                       | 12 ++++++
 examples/rsync                      | 10 +++++
 examples/symlink                    |  5 +++
 plugins/curl                        | 11 +++++-
 plugins/rsync                       | 10 ++++-
 update-known-hosts                  | 74 ------------------------------------
 update-openssh-known-hosts          | 76 +++++++++++++++++++++++++++++++++++++
 update-openssh-known-hosts.8        | 42 ++++++++++++++++++++
 20 files changed, 222 insertions(+), 122 deletions(-)
 create mode 100644 README
 delete mode 100644 debian/README
 create mode 100644 debian/openssh-known-hosts.examples
 create mode 100644 debian/openssh-known-hosts.manpages
 create mode 100644 examples/curl
 create mode 100644 examples/psql
 create mode 100644 examples/rsync
 create mode 100644 examples/symlink
 delete mode 100755 update-known-hosts
 create mode 100755 update-openssh-known-hosts
 create mode 100644 update-openssh-known-hosts.8

diff --git a/README b/README
new file mode 100644
index 0000000..bcbbf4e
--- /dev/null
+++ b/README
@@ -0,0 +1,24 @@
+Writing a source definition:
+============================
+
+Place a file in /etc/openssh-known-hosts/sources. Its name must follow
+run-parts' conventions.
+
+Basic variables:
+ * PLUGIN:	name of the plugin to use
+ * EXIT_IGNORE:	space-seperated list of exitcodes which should be ignored, no
+		update is performed for this source then (optional)
+
+For examples see /usr/share/doc/openssh-known-hosts/examples/*.
+
+Writing a plugin:
+=================
+
+Place an executeable in /usr/local/share/openssh-known-hosts/plugins. Your
+plugin gets the variables set in the source definition in its environment. The
+working directory will be set to the source's cache directory. All your plugin
+has to do is to create a file named "new". "current" must not be touched but
+can be used as a hint to skip downloading the same file again. stdout and
+stderr will be connected to "log", which will be output on error. You needn't
+create "new" if it would be identical to "current".
+
diff --git a/debian/README b/debian/README
deleted file mode 100644
index 8a521a8..0000000
--- a/debian/README
+++ /dev/null
@@ -1,22 +0,0 @@
-Writing a source definition:
-============================
-
-Place a file in /etc/openssh-known-hosts/sources/. Its name must follow
-run-parts' conventions.
-
-Basic variables:
- * PLUGIN:	name of the plugin to use
- * EXIT_IGNORE:	space-seperated list of exitcodes which should be ignored, no
-		update is performed for this source then (optional)
-
-
-Writing a plugin:
-=================
-
-Place an executeable in /usr/local/share/openssh-known-hosts/plugins. Your
-plugin gets the variables set in the source definition in its environment. The
-working directory will be set to the source's cache directory. All your plugin
-has to do is to create a file named "new". "current" must not be touched but
-can be used as a hint to skip downloading the same file again. stdout and
-stderr will be connected to "log", which will be output on error.
-
diff --git a/debian/changelog b/debian/changelog
index bfc242e..9df9cde 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openssh-known-hosts (0.2) unstable; urgency=low
+
+  * Add examples.
+  * Add optional GnuPG verification in curl and rsync plugins.
+  * Upload to unstable (Closes: #534891)
+  * Rename update-known-hosts to update-$package and install it in /usr/sbin.
+
+ -- Timo Weingärtner <timo@tiwe.de>  Sun, 28 Jun 2009 01:57:44 +0200
+
 openssh-known-hosts (0.1) fsmi-lenny; urgency=low
 
   * Initial Release.
diff --git a/debian/control b/debian/control
index 6f86622..e23b98f 100644
--- a/debian/control
+++ b/debian/control
@@ -4,14 +4,13 @@ Priority: extra
 Maintainer: Timo Weingärtner <timo@tiwe.de>
 Build-Depends: debhelper (>= 7)
 Standards-Version: 3.8.1
-#Homepage: <insert the upstream URL, if relevant>
 
 Package: openssh-known-hosts
 Architecture: all
-Depends: dash, lockfile-progs, ${shlibs:Depends}, ${misc:Depends}
-Recommends: openssh-client
-Suggests: postgresql-client, rsync, curl
+Depends: dash, lockfile-progs, ${misc:Depends}
+Recommends: openssh-client, cron
+Suggests: postgresql-client, rsync, curl, gpgv
 Description: known_hosts downloader for OpenSSH
- This package allows you to download public hostkeys from various sources and
- merge them together into one file for use by OpenSSH. Plugins for some types
- of sources are included, new plugins can easily be written.
+ This package allows you to download public hostkeys from multiple sources
+ and merge them together into one file for use by OpenSSH. Plugins for some
+ types of sources are included, new plugins can easily be written.
diff --git a/debian/copyright b/debian/copyright
index a60558a..0e558ce 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,6 +1,6 @@
 Copyright:
 
-    <Copyright (C) 2009 Timo Weingärtner>
+    Copyright (C) 2009 Timo Weingärtner <timo@tiwe.de>
 
 License:
 
@@ -21,6 +21,3 @@ License:
 On Debian systems, the complete text of the GNU General
 Public License can be found in `/usr/share/common-licenses/GPL'.
 
-The Debian packaging is (C) 2009, Timo Weingärtner <timo@tiwe.de> and
-is licensed under the GPL, see above.
-
diff --git a/debian/openssh-known-hosts.cron.d b/debian/openssh-known-hosts.cron.d
index d1fef7b..27f4f64 100644
--- a/debian/openssh-known-hosts.cron.d
+++ b/debian/openssh-known-hosts.cron.d
@@ -1,4 +1,4 @@
 #
 # Regular cron jobs for the openssh-known-hosts package
 #
-0 *	* * *	root	[ -x /usr/share/openssh-known-hosts/update-known-hosts ] && /usr/share/openssh-known-hosts/update-known-hosts
+0 *	* * *	root	[ -x /usr/sbin/update-openssh-known-hosts ] && /usr/sbin/update-openssh-known-hosts
diff --git a/debian/openssh-known-hosts.docs b/debian/openssh-known-hosts.docs
index 2c0d173..ba8894c 100644
--- a/debian/openssh-known-hosts.docs
+++ b/debian/openssh-known-hosts.docs
@@ -1,2 +1,2 @@
-debian/README
+README
 
diff --git a/debian/openssh-known-hosts.examples b/debian/openssh-known-hosts.examples
new file mode 100644
index 0000000..e39721e
--- /dev/null
+++ b/debian/openssh-known-hosts.examples
@@ -0,0 +1 @@
+examples/*
diff --git a/debian/openssh-known-hosts.install b/debian/openssh-known-hosts.install
index 8e9375a..e7b7cf1 100644
--- a/debian/openssh-known-hosts.install
+++ b/debian/openssh-known-hosts.install
@@ -1,2 +1,2 @@
-update-known-hosts	usr/share/openssh-known-hosts/
-plugins			usr/share/openssh-known-hosts/
+update-openssh-known-hosts	usr/sbin/
+plugins				usr/share/openssh-known-hosts/
diff --git a/debian/openssh-known-hosts.manpages b/debian/openssh-known-hosts.manpages
new file mode 100644
index 0000000..6ae64ea
--- /dev/null
+++ b/debian/openssh-known-hosts.manpages
@@ -0,0 +1 @@
+update-openssh-known-hosts.8
diff --git a/debian/rules b/debian/rules
index bf240d0..f1516b9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -28,20 +28,19 @@ configure-stamp:
 	touch configure-stamp
 
 
-#Architecture
 build: build-arch build-indep
 
 build-arch: build-arch-stamp
-build-arch-stamp: configure-stamp  
+build-arch-stamp: configure-stamp
 
 	touch $@
 
 build-indep: build-indep-stamp
-build-indep-stamp: configure-stamp  
+build-indep-stamp: configure-stamp
 
 	touch $@
 
-clean: 
+clean:
 	dh_testdir
 	dh_testroot
 	rm -f build-arch-stamp build-indep-stamp configure-stamp
@@ -73,16 +72,11 @@ binary-common:
 	dh_installchangelogs
 	dh_installdocs
 	dh_installexamples
-#	dh_installmime
 	dh_installcron
 	dh_installman
-	dh_link
-	dh_strip
 	dh_compress
 	dh_fixperms
-	dh_makeshlibs
 	dh_installdeb
-	dh_shlibdeps
 	dh_gencontrol
 	dh_md5sums
 	dh_builddeb
diff --git a/examples/curl b/examples/curl
new file mode 100644
index 0000000..18ed01b
--- /dev/null
+++ b/examples/curl
@@ -0,0 +1,9 @@
+PLUGIN=curl
+# see curl(1), section "EXIT CODES" for details:
+EXIT_IGNORE='6 7 28'
+
+URL='https://www.example.com/known_hosts'
+
+# optional:
+SIGURL='http://www.example.com/known_hosts.sig'
+KEYRING='/path/to/gpgv-compatible.keyring'
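Review bot: `SIGURL` in this example is plain `http://` while `URL` is `https://`. The signature is checked against `KEYRING`, so tampering with it should be detected, but anyone on the path can still withhold or corrupt it and so block updates. The example would be better as `SIGURL='https://www.example.com/known_hosts.sig'`. A short comment that, without the two optional lines, the downloaded file is trusted on TLS alone would also help readers who copy the file as is.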
diff --git a/examples/psql b/examples/psql
new file mode 100644
index 0000000..e2e72cb
--- /dev/null
+++ b/examples/psql
@@ -0,0 +1,12 @@
+PLUGIN=psql
+# from psql(1): psql returns 2 if the connection to the server went bad and
+# the session was not interactive
+EXIT_IGNORE=2
+
+PGCLUSTER=8.3/db.example.com:
+PGDATABASE=exampledb
+PGUSER=exampleuser
+PGPASSWORD=foobar # beware: will be readable from /proc/<pid>/environ, better:
+PGPASSFILE=/path/to/.pgpass
+
+TABLE=known_hosts
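Review bot: The example leaves both `PGPASSWORD=foobar` and `PGPASSFILE=/path/to/.pgpass` active, so a copied file still exports the password. The updater sources definitions under `set -a`, which puts every assignment into the plugin's environment. Commenting the first line out, `#PGPASSWORD=foobar # discouraged: readable from /proc/<pid>/environ`, keeps the warning without the exposure. It would also help to note that a source file holding credentials should not be world-readable, and that libpq ignores a `.pgpass` that is readable by group or others.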
diff --git a/examples/rsync b/examples/rsync
new file mode 100644
index 0000000..f8d9861
--- /dev/null
+++ b/examples/rsync
@@ -0,0 +1,10 @@
+PLUGIN=rsync
+# see rsync(1), section "EXIT VALUES" for details:
+EXIT_IGNORE=10
+
+URL='rsync://rsync.example.com/pub/known_hosts'
+
+# optional:
+SIGURL='rsync://rsync.example.com/pub/known_hosts.sig'
+KEYRING='/path/to/gpgv-compatible.keyring'
+
diff --git a/examples/symlink b/examples/symlink
new file mode 100644
index 0000000..c1a9ba2
--- /dev/null
+++ b/examples/symlink
@@ -0,0 +1,5 @@
+PLUGIN=symlink
+# EXIT_IGNORE doesn't make sense here
+EXIT_IGNORE=
+
+LINKDEST=/etc/ssh/ssh_known_hosts_local
diff --git a/plugins/curl b/plugins/curl
index 8e658cc..5964613 100755
--- a/plugins/curl
+++ b/plugins/curl
@@ -4,10 +4,19 @@
 #
 # ENVIRONMENT VARIABLES:
 #	URL		URL to download known_hosts file from
+#	SIGURL		URL of the GnuPG signature
+#	KEYRING		path to the keyring for use by gpgv
 #
 
 set -e
 
-curl -Rz "./current" -m 300 -o new "${URL}"
+if [ "${SIGURL}" ]; then
+	curl -Rz "./current" -m 300 -o new.sig "${SIGURL}" -o new "${URL}"
+	[ -e new ] || exit 0
+	gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1
+	# return 1 because it's not clear what other codes may used
+else
+	curl -Rz "./current" -m 300 -o new "${URL}"
+fi
 
 # vim:set ft=sh:
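Review bot: The added `gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1` names only the signature file, so the link between `new.sig` and `new` is left to gpgv's filename guessing. If the server ever returns a self-contained (non-detached) signed message as `new.sig`, gpgv would presumably verify that message's embedded data and `new` itself would go unchecked. Passing the data file explicitly, `gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1`, ties the check to the file that is later merged. The branch also never checks that `KEYRING` is non-empty when `SIGURL` is set; a guard such as `[ "${KEYRING}" ] || exit 1` before the download would make a half-configured source fail loudly. Both points apply equally to the `gpgv` line added in plugins/rsync, and the start of this script lies outside the hunk.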
diff --git a/plugins/rsync b/plugins/rsync
index 17a1e54..2d51a9d 100755
--- a/plugins/rsync
+++ b/plugins/rsync
@@ -3,7 +3,9 @@
 # rsync plugin
 #
 # ENVIRONMENT VARIABLES:
-#	URL	URL to download known_hosts file from
+#	URL		URL to download known_hosts file from
+#	SIGURL		URL of the GnuPG signature
+#	KEYRING		path to the keyring for use by gpgv
 #
 
 set -e
@@ -11,4 +13,10 @@ set -e
 ln -f current new || true
 rsync -vt --timeout=300 "${URL}" new
 
+if [ "${SIGURL}" ]; then
+	rsync -vt --timeout=300 "${SIGURL}" new.sig
+	gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1
+	# return 1 because it's not clear what other codes may used
+fi	
+
 # vim:set ft=sh:
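Review bot: When `SIGURL` is empty the new `if` block is skipped and `new` is handed back exactly as rsync delivered it, so signature checking is opt-in and silent when absent. For `rsync://` daemon URLs (the form used in examples/rsync) the transfer has no server authentication or integrity protection. That makes the signature the only check on the host keys that reach the merged file. The header comment should say so, e.g. `#	SIGURL		URL of the GnuPG signature; if unset, the file is used unverified`. Minor: the `fi` line carries a trailing tab, and the comment above it should read "may be used".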
diff --git a/update-known-hosts b/update-known-hosts
deleted file mode 100755
index 14f873f..0000000
--- a/update-known-hosts
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/bin/dash
-
-set -euC
-
-CONFDIR=/etc/openssh-known-hosts
-PLUGIN_PATH=/usr/share/openssh-known-hosts/plugins:/usr/local/share/openssh-known-hosts/plugins
-CACHEDIR=/var/cache/openssh-known-hosts
-LOCK=/var/lock/openssh-known-hosts
-OUTFILE=/var/lib/openssh-known-hosts/ssh_known_hosts
-
-path_search () {
-	if [ "${1}" != "${1#*/}" ]; then
-		echo $1
-	else
-		echo "$2" | tr ':' '\n' | while read -r path; do
-			if [ -f "${path}/${1}" ]; then
-				echo "${path}/${1}"
-				break
-			fi
-		done
-	fi
-}
-
-lockfile-create "${LOCK}"
-lockfile-touch "${LOCK}" &
-LOCKPID="$!"
-
-cd "${CACHEDIR}"
-
-find -mindepth 2 -maxdepth 2 -type f -name new -delete
-
-run-parts --list "${CONFDIR}/sources/" | while read source; do
-	source=`basename ${source}`
-	mkdir -p ${source}
-	(
-		set -a
-		cd ${source}
-		. "${CONFDIR}/sources/${source}"
-		`path_search "$PLUGIN" "$PLUGIN_PATH"` >| log 2>&1 || {
-			exitcode=$?
-			rm -f new
-			ignore=''
-			for e in ${EXIT_IGNORE:-0}; do
-				if [ "$e" = "$exitcode" ]; then
-					ignore=1
-					break
-				fi
-			done
-			if [ ! "$ignore" ]; then
-				echo "${source} exited with code ${exitcode}, log follows:"
-				cat log
-				echo
-			fi
-		}
-	)
-	if [ -e ${source}/new ]; then
-		mv ${source}/new ${source}/current
-	fi
-	if [ -e ${source}/current ]; then
-		cat ${source}/current >&3
-	fi
-done 3>| "${OUTFILE}.new"
-
-mv "${OUTFILE}.new" "${OUTFILE}"
-
-for d in *; do
-	[ -d $d ] || continue
-	[ -e "${CONFDIR}/sources/$d" ] || rm -fr $d
-done
-
-kill "${LOCKPID}"
-lockfile-remove "${LOCK}"
-
-# vim:set ft=sh:
diff --git a/update-openssh-known-hosts b/update-openssh-known-hosts
new file mode 100755
index 0000000..136535a
--- /dev/null
+++ b/update-openssh-known-hosts
@@ -0,0 +1,76 @@
+#!/bin/dash
+
+set -euC
+
+CONFDIR=/etc/openssh-known-hosts
+PLUGIN_PATH=/usr/share/openssh-known-hosts/plugins:/usr/local/share/openssh-known-hosts/plugins
+CACHEDIR=/var/cache/openssh-known-hosts
+LOCK=/var/lock/openssh-known-hosts
+OUTFILE=/var/lib/openssh-known-hosts/ssh_known_hosts
+
+path_search () {
+	if [ "${1}" != "${1#*/}" ]; then
+		echo $1
+	else
+		echo "$2" | tr ':' '\n' | while read -r path; do
+			if [ -f "${path}/${1}" ]; then
+				echo "${path}/${1}"
+				break
+			fi
+		done
+	fi
+}
+
+lockfile-create "${LOCK}"
+lockfile-touch "${LOCK}" &
+LOCKPID="$!"
+
+mkdir -p "${CACHEDIR}"
+cd "${CACHEDIR}"
+
+find -mindepth 2 -maxdepth 2 -type f -name new -delete
+
+run-parts --list "${CONFDIR}/sources/" | while read sourcefile; do
+	source=`basename ${sourcefile}`
+	mkdir -p ${source}
+	(
+		set -a
+		cd ${source}
+		. "${sourcefile}"
+		`path_search "$PLUGIN" "$PLUGIN_PATH"` >| log 2>&1 || {
+			exitcode=$?
+			rm -f new
+			ignore=''
+			for e in ${EXIT_IGNORE:-0}; do
+				if [ "$e" = "$exitcode" ]; then
+					ignore=1
+					break
+				fi
+			done
+			if [ ! "$ignore" ]; then
+				echo "${source} exited with code ${exitcode}, log follows:"
+				cat log
+				echo
+			fi
+		}
+	)
+	if [ -e ${source}/new ]; then
+		mv ${source}/new ${source}/current
+	fi
+	if [ -e ${source}/current ]; then
+		cat ${source}/current >&3
+	fi
+done 3>| "${OUTFILE}.new"
+
+mv "${OUTFILE}.new" "${OUTFILE}"
+
+# clean up cache dirs of vanished sources
+for d in *; do
+	[ -d $d ] || continue
+	[ -e "${CONFDIR}/sources/$d" ] || rm -fr $d
+done
+
+kill "${LOCKPID}"
+lockfile-remove "${LOCK}"
+
+# vim:set ft=sh:
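Review bot: The lock is released only by the final `kill "${LOCKPID}"` and `lockfile-remove "${LOCK}"`, so any earlier abort under `set -e` (for example a failed `cd` or `mv`) leaves `lockfile-touch` running and the lock in place. Later hourly runs would then presumably fail at `lockfile-create` and the merged file would go stale, which matters when a host key has been replaced or withdrawn. Installing an EXIT trap right after the lock is taken, and dropping the two explicit calls at the end, covers every exit path. Separately, the unquoted `${source}`, `${sourcefile}`, `$d` and `echo $1` expansions should be quoted, e.g. `rm -fr -- "./$d"`.

```shell
LOCKPID="$!"

# release the lock on every exit path, including set -e aborts
cleanup () {
	kill "${LOCKPID}" 2>/dev/null || true
	lockfile-remove "${LOCK}"
}
trap cleanup EXIT
# … unchanged: cache update, merge into ${OUTFILE}, removal of vanished sources …
```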
diff --git a/update-openssh-known-hosts.8 b/update-openssh-known-hosts.8
new file mode 100644
index 0000000..445c7d6
--- /dev/null
+++ b/update-openssh-known-hosts.8
@@ -0,0 +1,42 @@
+.\"                                      Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH OPENSSH-KNOWN-HOSTS 8 "2009-06-28"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh        disable hyphenation
+.\" .hy        enable hyphenation
+.\" .ad l      left justify
+.\" .ad b      justify to both left and right margins
+.\" .nf        disable filling
+.\" .fi        enable filling
+.\" .br        insert line break
+.\" .sp <n>    insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+update-openssh-known-hosts \- known_hosts downloader for OpenSSH
+.SH SYNOPSIS
+.B update-openssh-known-hosts
+.SH DESCRIPTION
+This manual page documents briefly the
+.B update-openssh-known-hosts
+command.
+.PP
+.\" TeX users may be more comfortable with the \fB<whatever>\fP and
+.\" \fI<whatever>\fP escape sequences to invode bold face and italics,
+.\" respectively.
+\fBupdate-openssh-known-hosts\fP is a program that downloads public hostkeys from multiple sources
+and merges them together into one file for use by OpenSSH.
+.SH OPTIONS
+This program takes no options.
+.SH SEE ALSO
+.BR sshd (8),
+.BR /usr/share/doc/openssh-known-hosts ,
+.BR /usr/share/openssh-known-hosts/plugins/* .
+.SH AUTHOR
+openssh-known-hosts was written by Timo Weingärtner <timo@tiwe.de>.
+.PP
+This manual page was written by Timo Weingärtner <timo@tiwe.de>,
+for the Debian project (but may be used by others).
-- 
cgit v1.2.3