Viewing changes to mandos-monitor

  • Committer: Teddy Hogeborn
  • Date: 2014-06-22 02:19:30 UTC
  • Revision ID: teddy@recompile.se-20140622021930-icl7h4cm97blhjml
mandos-keygen: Generate "checker" option to use SSH fingerprints.

To turn this off, use a new "--no-ssh" option to mandos-keygen.

* INSTALL (Mandos Server, Mandos Client): Document new suggested
                                          installation of SSH.
* Makefile (confdir/clients.conf): Use new "--no-ssh" option to
                                   "mandos-keygen".
* debian/control (mandos/Depends): Changed to "fping | ssh-client".
  (mandos-client/Recommends): New; set to "ssh".
* intro.xml (FREQUENTLY ASKED QUESTIONS): Rename and rewrite section
                                          called "Faking ping
                                          replies?" to address new
                                          default behavior.
* mandos-clients.conf.xml (OPTIONS/checker): Briefly discuss new
                                             behavior of
                                             mandos-keygen.
* mandos-keygen: Bug fix: Suppress failure output of "shred" when removing
                 "sec*" files, since such files might not exist.
 (password mode): Scan for SSH key fingerprints and output as new
                  "checker" and "ssh_fingerprint" options, unless new
                  "--no-ssh" option is given.
* mandos-keygen.xml (SYNOPSIS/--force): Bug fix: Document short form.
  (OPTIONS/--no-ssh): New.
  (SEE ALSO): Add reference "ssh-keyscan(1)".
* plugins.d/mandos-client.xml (SECURITY): Briefly mention the
                                          possibility of using SSH key
                                          fingerprints for checking.

3
3
4
4
# Mandos Monitor - Control and monitor the Mandos server
5
5
6
 
# Copyright © 2009-2016 Teddy Hogeborn
7
 
# Copyright © 2009-2016 Björn Påhlsson
 
6
# Copyright © 2009-2014 Teddy Hogeborn
 
7
# Copyright © 2009-2014 Björn Påhlsson
8
8
9
9
# This program is free software: you can redistribute it and/or modify
10
10
# it under the terms of the GNU General Public License as published by
39
39
import urwid
40
40
 
41
41
from dbus.mainloop.glib import DBusGMainLoop
42
 
from gi.repository import GLib
 
42
try:
 
43
    import gobject
 
44
except ImportError:
 
45
    from gi.repository import GObject as gobject
43
46
 
44
47
import dbus
45
48
 
46
49
import locale
47
50
 
48
 
if sys.version_info.major == 2:
 
51
if sys.version_info[0] == 2:
49
52
    str = unicode
50
53
 
51
54
locale.setlocale(locale.LC_ALL, '')
57
60
domain = 'se.recompile'
58
61
server_interface = domain + '.Mandos'
59
62
client_interface = domain + '.Mandos.Client'
60
 
version = "1.7.7"
61
 
 
62
 
try:
63
 
    dbus.OBJECT_MANAGER_IFACE
64
 
except AttributeError:
65
 
    dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
 
63
version = "1.6.5"
66
64
 
67
65
def isoformat_to_datetime(iso):
68
66
    "Parse an ISO 8601 date string to a datetime.datetime()"
89
87
        self.proxy = proxy_object # Mandos Client proxy object
90
88
        self.properties = dict() if properties is None else properties
91
89
        self.property_changed_match = (
92
 
            self.proxy.connect_to_signal("PropertiesChanged",
93
 
                                         self.properties_changed,
94
 
                                         dbus.PROPERTIES_IFACE,
 
90
            self.proxy.connect_to_signal("PropertyChanged",
 
91
                                         self._property_changed,
 
92
                                         client_interface,
95
93
                                         byte_arrays=True))
96
94
        
97
95
        if properties is None:
102
100
        
103
101
        super(MandosClientPropertyCache, self).__init__(**kwargs)
104
102
    
105
 
    def properties_changed(self, interface, properties, invalidated):
106
 
        """This is called whenever we get a PropertiesChanged signal
107
 
        It updates the changed properties in the "properties" dict.
 
103
    def _property_changed(self, property, value):
 
104
        """Helper which takes positional arguments"""
 
105
        return self.property_changed(property=property, value=value)
 
106
    
 
107
    def property_changed(self, property=None, value=None):
 
108
        """This is called whenever we get a PropertyChanged signal
 
109
        It updates the changed property in the "properties" dict.
108
110
        """
109
111
        # Update properties dict with new value
110
 
        if interface == client_interface:
111
 
            self.properties.update(properties)
 
112
        self.properties[property] = value
112
113
    
113
114
    def delete(self):
114
115
        self.property_changed_match.remove()
160
161
                                         self.rejected,
161
162
                                         client_interface,
162
163
                                         byte_arrays=True))
163
 
        self.logger('Created client {}'
164
 
                    .format(self.properties["Name"]), level=0)
 
164
        #self.logger('Created client {0}'
 
165
        #            .format(self.properties["Name"]))
165
166
    
166
167
    def using_timer(self, flag):
167
168
        """Call this method with True or False when timer should be
169
170
        """
170
171
        if flag and self._update_timer_callback_tag is None:
171
172
            # Will update the shown timer value every second
172
 
            self._update_timer_callback_tag = (GLib.timeout_add
 
173
            self._update_timer_callback_tag = (gobject.timeout_add
173
174
                                               (1000,
174
175
                                                self.update_timer))
175
176
        elif not (flag or self._update_timer_callback_tag is None):
176
 
            GLib.source_remove(self._update_timer_callback_tag)
 
177
            gobject.source_remove(self._update_timer_callback_tag)
177
178
            self._update_timer_callback_tag = None
178
179
    
179
180
    def checker_completed(self, exitstatus, condition, command):
180
181
        if exitstatus == 0:
181
 
            self.logger('Checker for client {} (command "{}")'
182
 
                        ' succeeded'.format(self.properties["Name"],
183
 
                                            command), level=0)
184
182
            self.update()
185
183
            return
186
184
        # Checker failed
187
185
        if os.WIFEXITED(condition):
188
 
            self.logger('Checker for client {} (command "{}") failed'
189
 
                        ' with exit code {}'
 
186
            self.logger('Checker for client {0} (command "{1}")'
 
187
                        ' failed with exit code {2}'
190
188
                        .format(self.properties["Name"], command,
191
189
                                os.WEXITSTATUS(condition)))
192
190
        elif os.WIFSIGNALED(condition):
193
 
            self.logger('Checker for client {} (command "{}") was'
194
 
                        ' killed by signal {}'
 
191
            self.logger('Checker for client {0} (command "{1}") was'
 
192
                        ' killed by signal {2}'
195
193
                        .format(self.properties["Name"], command,
196
194
                                os.WTERMSIG(condition)))
 
195
        elif os.WCOREDUMP(condition):
 
196
            self.logger('Checker for client {0} (command "{1}")'
 
197
                        ' dumped core'
 
198
                        .format(self.properties["Name"], command))
 
199
        else:
 
200
            self.logger('Checker for client {0} completed'
 
201
                        ' mysteriously'
 
202
                        .format(self.properties["Name"]))
197
203
        self.update()
198
204
    
199
205
    def checker_started(self, command):
200
 
        """Server signals that a checker started."""
201
 
        self.logger('Client {} started checker "{}"'
202
 
                    .format(self.properties["Name"],
203
 
                            command), level=0)
 
206
        """Server signals that a checker started. This could be useful
 
207
           to log in the future. """
 
208
        #self.logger('Client {0} started checker "{1}"'
 
209
        #            .format(self.properties["Name"],
 
210
        #                    str(command)))
 
211
        pass
204
212
    
205
213
    def got_secret(self):
206
 
        self.logger('Client {} received its secret'
 
214
        self.logger('Client {0} received its secret'
207
215
                    .format(self.properties["Name"]))
208
216
    
209
217
    def need_approval(self, timeout, default):
210
218
        if not default:
211
 
            message = 'Client {} needs approval within {} seconds'
 
219
            message = 'Client {0} needs approval within {1} seconds'
212
220
        else:
213
 
            message = 'Client {} will get its secret in {} seconds'
 
221
            message = 'Client {0} will get its secret in {1} seconds'
214
222
        self.logger(message.format(self.properties["Name"],
215
223
                                   timeout/1000))
216
224
    
217
225
    def rejected(self, reason):
218
 
        self.logger('Client {} was rejected; reason: {}'
 
226
        self.logger('Client {0} was rejected; reason: {1}'
219
227
                    .format(self.properties["Name"], reason))
220
228
    
221
229
    def selectable(self):
265
273
            else:
266
274
                timer = datetime.timedelta()
267
275
            if self.properties["ApprovedByDefault"]:
268
 
                message = "Approval in {}. (d)eny?"
 
276
                message = "Approval in {0}. (d)eny?"
269
277
            else:
270
 
                message = "Denial in {}. (a)pprove?"
 
278
                message = "Denial in {0}. (a)pprove?"
271
279
            message = message.format(str(timer).rsplit(".", 1)[0])
272
280
            self.using_timer(True)
273
281
        elif self.properties["LastCheckerStatus"] != 0:
281
289
                timer = max(expires - datetime.datetime.utcnow(),
282
290
                            datetime.timedelta())
283
291
            message = ('A checker has failed! Time until client'
284
 
                       ' gets disabled: {}'
 
292
                       ' gets disabled: {0}'
285
293
                       .format(str(timer).rsplit(".", 1)[0]))
286
294
            self.using_timer(True)
287
295
        else:
288
296
            message = "enabled"
289
297
            self.using_timer(False)
290
 
        self._text = "{}{}".format(base, message)
 
298
        self._text = "{0}{1}".format(base, message)
291
299
        
292
300
        if not urwid.supports_unicode():
293
301
            self._text = self._text.encode("ascii", "replace")
306
314
            self.update_hook()
307
315
    
308
316
    def update_timer(self):
309
 
        """called by GLib. Will indefinitely loop until
310
 
        GLib.source_remove() on tag is called
311
 
        """
 
317
        """called by gobject. Will indefinitely loop until
 
318
        gobject.source_remove() on tag is called"""
312
319
        self.update()
313
320
        return True             # Keep calling this
314
321
    
315
322
    def delete(self, **kwargs):
316
323
        if self._update_timer_callback_tag is not None:
317
 
            GLib.source_remove(self._update_timer_callback_tag)
 
324
            gobject.source_remove(self._update_timer_callback_tag)
318
325
            self._update_timer_callback_tag = None
319
326
        for match in self.match_objects:
320
327
            match.remove()
333
340
        """Handle keys.
334
341
        This overrides the method from urwid.FlowWidget"""
335
342
        if key == "+":
336
 
            self.proxy.Set(client_interface, "Enabled",
337
 
                           dbus.Boolean(True), ignore_reply = True,
338
 
                           dbus_interface = dbus.PROPERTIES_IFACE)
 
343
            self.proxy.Enable(dbus_interface = client_interface,
 
344
                              ignore_reply=True)
339
345
        elif key == "-":
340
 
            self.proxy.Set(client_interface, "Enabled", False,
341
 
                           ignore_reply = True,
342
 
                           dbus_interface = dbus.PROPERTIES_IFACE)
 
346
            self.proxy.Disable(dbus_interface = client_interface,
 
347
                               ignore_reply=True)
343
348
        elif key == "a":
344
349
            self.proxy.Approve(dbus.Boolean(True, variant_level=1),
345
350
                               dbus_interface = client_interface,
353
358
                                                  .object_path,
354
359
                                                  ignore_reply=True)
355
360
        elif key == "s":
356
 
            self.proxy.Set(client_interface, "CheckerRunning",
357
 
                           dbus.Boolean(True), ignore_reply = True,
358
 
                           dbus_interface = dbus.PROPERTIES_IFACE)
 
361
            self.proxy.StartChecker(dbus_interface = client_interface,
 
362
                                    ignore_reply=True)
359
363
        elif key == "S":
360
 
            self.proxy.Set(client_interface, "CheckerRunning",
361
 
                           dbus.Boolean(False), ignore_reply = True,
362
 
                           dbus_interface = dbus.PROPERTIES_IFACE)
 
364
            self.proxy.StopChecker(dbus_interface = client_interface,
 
365
                                   ignore_reply=True)
363
366
        elif key == "C":
364
367
            self.proxy.CheckedOK(dbus_interface = client_interface,
365
368
                                 ignore_reply=True)
373
376
        else:
374
377
            return key
375
378
    
376
 
    def properties_changed(self, interface, properties, invalidated):
377
 
        """Call self.update() if any properties changed.
 
379
    def property_changed(self, property=None, **kwargs):
 
380
        """Call self.update() if old value is not new value.
378
381
        This overrides the method from MandosClientPropertyCache"""
379
 
        old_values = { key: self.properties.get(key)
380
 
                       for key in properties.keys() }
381
 
        super(MandosClientWidget, self).properties_changed(
382
 
            interface, properties, invalidated)
383
 
        if any(old_values[key] != self.properties.get(key)
384
 
               for key in old_values):
 
382
        property_name = str(property)
 
383
        old_value = self.properties.get(property_name)
 
384
        super(MandosClientWidget, self).property_changed(
 
385
            property=property, **kwargs)
 
386
        if self.properties.get(property_name) != old_value:
385
387
            self.update()
386
388
 
387
389
 
401
403
    """This is the entire user interface - the whole screen
402
404
    with boxes, lists of client widgets, etc.
403
405
    """
404
 
    def __init__(self, max_log_length=1000, log_level=1):
 
406
    def __init__(self, max_log_length=1000):
405
407
        DBusGMainLoop(set_as_default=True)
406
408
        
407
409
        self.screen = urwid.curses_display.Screen()
445
447
        self.log = []
446
448
        self.max_log_length = max_log_length
447
449
        
448
 
        self.log_level = log_level
449
 
        
450
450
        # We keep a reference to the log widget so we can remove it
451
451
        # from the ListWalker without it getting destroyed
452
452
        self.logbox = ConstrainedListBox(self.log)
463
463
                              "q: Quit  ?: Help"))
464
464
        
465
465
        self.busname = domain + '.Mandos'
466
 
        self.main_loop = GLib.MainLoop()
 
466
        self.main_loop = gobject.MainLoop()
467
467
    
468
468
    def client_not_found(self, fingerprint, address):
469
 
        self.log_message("Client with address {} and fingerprint {}"
470
 
                         " could not be found"
 
469
        self.log_message("Client with address {0} and fingerprint"
 
470
                         " {1} could not be found"
471
471
                         .format(address, fingerprint))
472
472
    
473
473
    def rebuild(self):
486
486
            self.uilist.append(self.logbox)
487
487
        self.topwidget = urwid.Pile(self.uilist)
488
488
    
489
 
    def log_message(self, message, level=1):
 
489
    def log_message(self, message):
490
490
        """Log message formatted with timestamp"""
491
 
        if level < self.log_level:
492
 
            return
493
491
        timestamp = datetime.datetime.now().isoformat()
494
 
        self.log_message_raw("{}: {}".format(timestamp, message),
495
 
                             level=level)
 
492
        self.log_message_raw(timestamp + ": " + message)
496
493
    
497
 
    def log_message_raw(self, markup, level=1):
 
494
    def log_message_raw(self, markup):
498
495
        """Add a log message to the log buffer."""
499
 
        if level < self.log_level:
500
 
            return
501
496
        self.log.append(urwid.Text(markup, wrap=self.log_wrap))
502
497
        if (self.max_log_length
503
498
            and len(self.log) > self.max_log_length):
510
505
        """Toggle visibility of the log buffer."""
511
506
        self.log_visible = not self.log_visible
512
507
        self.rebuild()
513
 
        self.log_message("Log visibility changed to: {}"
514
 
                         .format(self.log_visible), level=0)
 
508
        #self.log_message("Log visibility changed to: "
 
509
        #                 + str(self.log_visible))
515
510
    
516
511
    def change_log_display(self):
517
512
        """Change type of log display.
522
517
            self.log_wrap = "clip"
523
518
        for textwidget in self.log:
524
519
            textwidget.set_wrap_mode(self.log_wrap)
525
 
        self.log_message("Wrap mode: {}".format(self.log_wrap),
526
 
                         level=0)
 
520
        #self.log_message("Wrap mode: " + self.log_wrap)
527
521
    
528
 
    def find_and_remove_client(self, path, interfaces):
 
522
    def find_and_remove_client(self, path, name):
529
523
        """Find a client by its object path and remove it.
530
524
        
531
 
        This is connected to the InterfacesRemoved signal from the
 
525
        This is connected to the ClientRemoved signal from the
532
526
        Mandos server object."""
533
 
        if client_interface not in interfaces:
534
 
            # Not a Mandos client object; ignore
535
 
            return
536
527
        try:
537
528
            client = self.clients_dict[path]
538
529
        except KeyError:
539
530
            # not found?
540
 
            self.log_message("Unknown client {!r} removed"
541
 
                             .format(path))
 
531
            self.log_message("Unknown client {0!r} ({1!r}) removed"
 
532
                             .format(name, path))
542
533
            return
543
534
        client.delete()
544
535
    
545
 
    def add_new_client(self, path, ifs_and_props):
546
 
        """Find a client by its object path and remove it.
547
 
        
548
 
        This is connected to the InterfacesAdded signal from the
549
 
        Mandos server object.
550
 
        """
551
 
        if client_interface not in ifs_and_props:
552
 
            # Not a Mandos client object; ignore
553
 
            return
 
536
    def add_new_client(self, path):
554
537
        client_proxy_object = self.bus.get_object(self.busname, path)
555
538
        self.add_client(MandosClientWidget(server_proxy_object
556
539
                                           =self.mandos_serv,
561
544
                                           delete_hook
562
545
                                           =self.remove_client,
563
546
                                           logger
564
 
                                           =self.log_message,
565
 
                                           properties
566
 
                                           = dict(ifs_and_props[
567
 
                                               client_interface])),
 
547
                                           =self.log_message),
568
548
                        path=path)
569
549
    
570
550
    def add_client(self, client, path=None):
605
585
            mandos_clients = dbus.Dictionary()
606
586
        
607
587
        (self.mandos_serv
608
 
         .connect_to_signal("InterfacesRemoved",
 
588
         .connect_to_signal("ClientRemoved",
609
589
                            self.find_and_remove_client,
610
 
                            dbus_interface
611
 
                            = dbus.OBJECT_MANAGER_IFACE,
 
590
                            dbus_interface=server_interface,
612
591
                            byte_arrays=True))
613
592
        (self.mandos_serv
614
 
         .connect_to_signal("InterfacesAdded",
 
593
         .connect_to_signal("ClientAdded",
615
594
                            self.add_new_client,
616
 
                            dbus_interface
617
 
                            = dbus.OBJECT_MANAGER_IFACE,
 
595
                            dbus_interface=server_interface,
618
596
                            byte_arrays=True))
619
597
        (self.mandos_serv
620
598
         .connect_to_signal("ClientNotFound",
638
616
                            path=path)
639
617
        
640
618
        self.refresh()
641
 
        self._input_callback_tag = (GLib.io_add_watch
 
619
        self._input_callback_tag = (gobject.io_add_watch
642
620
                                    (sys.stdin.fileno(),
643
 
                                     GLib.IO_IN,
 
621
                                     gobject.IO_IN,
644
622
                                     self.process_input))
645
623
        self.main_loop.run()
646
624
        # Main loop has finished, we should close everything now
647
 
        GLib.source_remove(self._input_callback_tag)
 
625
        gobject.source_remove(self._input_callback_tag)
648
626
        self.screen.stop()
649
627
    
650
628
    def stop(self):
674
652
            elif key == "window resize":
675
653
                self.size = self.screen.get_cols_rows()
676
654
                self.refresh()
677
 
            elif key == "ctrl l":
678
 
                self.screen.clear()
 
655
            elif key == "\f":  # Ctrl-L
679
656
                self.refresh()
680
657
            elif key == "l" or key == "D":
681
658
                self.toggle_log_display()
693
670
                                            "?: Help",
694
671
                                            "l: Log window toggle",
695
672
                                            "TAB: Switch window",
696
 
                                            "w: Wrap (log lines)",
697
 
                                            "v: Toggle verbose log",
698
 
                                            ))))
 
673
                                            "w: Wrap (log)"))))
699
674
                self.log_message_raw(("bold",
700
675
                                      "  "
701
676
                                      .join(("Clients:",
714
689
                else:
715
690
                    self.topwidget.set_focus(self.logbox)
716
691
                self.refresh()
717
 
            elif key == "v":
718
 
                if self.log_level == 0:
719
 
                    self.log_level = 1
720
 
                    self.log_message("Verbose mode: Off")
721
 
                else:
722
 
                    self.log_level = 0
723
 
                    self.log_message("Verbose mode: On")
724
692
            #elif (key == "end" or key == "meta >" or key == "G"
725
693
            #      or key == ">"):
726
694
            #    pass            # xxx end-of-buffer
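Review bot: The `elif os.WCOREDUMP(condition):` branch added to checker_completed on the new side is dead code: it comes after `elif os.WIFSIGNALED(condition):`, and WCOREDUMP is only defined for a status where WIFSIGNALED is true (on Linux it tests a bit that is clear for exited and stopped statuses), so every checker that dumped core is already reported by the "killed by signal" branch and the "dumped core" message can never be logged. Fold the dump into the signal branch instead — change the format string to `' killed by signal {2}{3}'` and pass `" (core dumped)" if os.WCOREDUMP(condition) else ""` as the fourth `.format` argument — then delete the dead branch; the trailing `else` ("completed mysteriously") still covers stopped or otherwise unexpected statuses. The method itself lies entirely within this hunk, but the enclosing class header is outside it.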