3 # monkeysphere-host: Monkeysphere host admin tool
5 # The monkeysphere scripts are written by:
6 # Jameson Rollins <jrollins@finestructure.net>
7 # Jamie McClelland <jm@mayfirst.org>
8 # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
9 # Micah Anderson <micah@riseup.net>
11 # They are Copyright 2008-2009, and are all released under the GPL,
14 ########################################################################
17 # set the pipefail option so pipelines fail on first command failure
22 SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
24 . "${SYSSHAREDIR}/common" || exit 1
26 SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
29 # sharedir for host functions
30 MHSHAREDIR="${SYSSHAREDIR}/mh"
32 # datadir for host functions
33 MHDATADIR="${SYSDATADIR}/host"
36 HOST_KEY_FILE="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
38 # UTC date in ISO 8601 format if needed
39 DATE=$(date -u '+%FT%T')
41 # unset some environment variables that could screw things up
44 ########################################################################
46 ########################################################################
50 usage: $PGRM <subcommand> [options] [args]
51 Monkeysphere host admin tool.
54 import-key (i) FILE NAME[:PORT] import existing ssh key to gpg
55 show-key (s) output all host key information
56 publish-key (p) publish host key to keyserver
57 set-expire (e) [EXPIRE] set host key expiration
58 add-hostname (n+) NAME[:PORT] add hostname user ID to host key
59 revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
60 add-revoker (r+) [KEYID|FILE] add a revoker to the host key
61 revoke-key generate and/or publish revocation
62 certificate for host key
64 version (v) show version number
67 See ${PGRM}(8) for more info.
71 # function to interact with the gpg keyring
73 GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --no-tty "$@"
76 # command to list the info about the host key, in colon format, to
79 gpg_host --list-keys --with-colons --fixed-list-mode \
80 --with-fingerprint --with-fingerprint \
81 "0x${HOST_FINGERPRINT}!"
85 # command for edit key scripts, takes scripts on stdin
87 gpg_host --command-fd 0 --edit-key "0x${HOST_FINGERPRINT}!" "$@"
90 # export the host public key to the monkeysphere gpg pub key file
91 update_gpg_pub_file() {
92 log debug "updating openpgp public key file '$HOST_KEY_FILE'..."
93 gpg_host --export --armor --export-options export-minimal \
94 "0x${HOST_FINGERPRINT}!" > "$HOST_KEY_FILE"
97 # load the host fingerprint into the fingerprint variable, using the
98 # export gpg pub key file
99 # FIXME: this seems much less than ideal, with all this temp keyring
100 # stuff. is there a way we can do this without having to create temp
101 # files? what if we stored the fingerprint in MHDATADIR/fingerprint?
103 if [ -f "$HOST_KEY_FILE" ] ; then
104 HOST_FINGERPRINT=$( \
105 (FUBAR=$(mktemp -d) && export GNUPGHOME="$FUBAR" \
106 && gpg --quiet --import \
107 && gpg --quiet --list-keys --with-colons --with-fingerprint \
108 && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \
109 | grep '^fpr:' | cut -d: -f10 )
111 failure "host key gpg pub file not found."
115 # load the host fingerprint into the fingerprint variable, using the
116 # gpg host secret key
117 load_fingerprint_secret() {
118 HOST_FINGERPRINT=$( \
119 gpg_host --list-secret-key --with-colons --with-fingerprint \
120 | grep '^fpr:' | cut -d: -f10 )
123 # fail if host key present
125 [ ! -s "$HOST_KEY_FILE" ] \
126 || failure "An OpenPGP host key already exists."
129 # fail if host key not present
130 check_host_no_key() {
131 [ -s "$HOST_KEY_FILE" ] \
132 || failure "You don't appear to have a Monkeysphere host key on this server.
133 Please run 'monkeysphere-host import-key...' first."
136 # output the index of a user ID on the host key
137 # return 1 if user ID not found
143 # match to only ultimately trusted user IDs
144 tmpuidMatch="u:$(echo $userID | gpg_escape)"
146 # find the index of the requsted user ID
147 # NOTE: this is based on circumstantial evidence that the order of
148 # this output is the appropriate index
149 line=$(gpg_host_list | egrep '^(uid|uat):' | cut -f2,10 -d: | \
150 grep -n -x -F "$tmpuidMatch" 2>/dev/null)
152 if [ "$line" ] ; then
160 # show info about the host key
167 export GNUPGHOME=$(msmktempdir)
169 # trap to remove tmp dir if break
170 trap "rm -rf $GNUPGHOME" EXIT
172 # import the host key into the tmp dir
173 gpg --quiet --import <"$HOST_KEY_FILE"
176 TMPSSH="$GNUPGHOME"/ssh_host_key_rsa_pub
177 openpgp2ssh <"$HOST_KEY_FILE" 2>/dev/null >"$TMPSSH"
179 # get the gpg fingerprint
180 HOST_FINGERPRINT=$(gpg --quiet --list-keys --with-colons --with-fingerprint \
181 | grep '^fpr:' | cut -d: -f10 )
183 # list the host key info
184 # FIXME: make no-show-keyring work so we don't have to do the grep'ing
185 # FIXME: can we show uid validity somehow?
186 gpg --list-keys --fingerprint \
187 --list-options show-unusable-uids 2>/dev/null \
188 | grep -v "^${GNUPGHOME}/pubring.gpg$" \
191 # list revokers, if there are any
192 revokers=$(gpg --list-keys --with-colons --fixed-list-mode \
193 | awk -F: '/^rvk:/{ print $10 }' )
194 if [ "$revokers" ] ; then
195 echo "The following keys are allowed to revoke this host key:"
196 for key in $revokers ; do
202 # list the pgp fingerprint
203 echo "OpenPGP fingerprint: $HOST_FINGERPRINT"
205 # list the ssh fingerprint
206 echo -n "ssh fingerprint: "
207 ssh-keygen -l -f "$TMPSSH" | awk '{ print $1, $2, $4 }'
209 # remove the tmp file
214 ########################################################################
216 ########################################################################
218 # load configuration file
219 [ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] \
220 && . "$MONKEYSPHERE_HOST_CONFIG"
222 # set empty config variable with ones from the environment, or with
224 LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL}
225 KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER}
226 CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=$CHECK_KEYSERVER}
227 MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=$MONKEYSPHERE_USER}
228 PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT}
231 GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
233 # export variables needed in su invocation
237 export CHECK_KEYSERVER
238 export MONKEYSPHERE_USER
240 export GNUPGHOME_HOST
242 export HOST_FINGERPRINT
246 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
252 source "${MHSHAREDIR}/import_key"
256 'show-key'|'show'|'s')
261 'set-expire'|'extend-key'|'e')
264 source "${MHSHAREDIR}/set_expire"
268 'add-hostname'|'add-name'|'n+')
271 source "${MHSHAREDIR}/add_hostname"
275 'revoke-hostname'|'revoke-name'|'n-')
278 source "${MHSHAREDIR}/revoke_hostname"
285 source "${MHSHAREDIR}/add_revoker"
292 source "${MHSHAREDIR}/revoke_key"
296 'publish-key'|'publish'|'p')
299 source "${MHSHAREDIR}/publish_key"
305 source "${MHSHAREDIR}/diagnostics"
309 'update-gpg-pub-file')
310 load_fingerprint_secret
318 '--help'|'help'|'-h'|'h'|'?')
323 failure "Unknown command: '$COMMAND'
324 Type '$PGRM help' for usage."