3 # rhesus: monkeysphere authorized_keys update script
6 # Jameson Rollins <jrollins@fifthhorseman.net>
8 # Copyright 2008, released under the GPL, version 3 or later
10 ##################################################
# Location of the monkeysphere configuration file; an environment override is
# honoured, otherwise the system-wide default is used.
12 CONF_FILE=${CONF_FILE:-"/etc/monkeysphere/monkeysphere.conf"}
16 ##################################################
# Helper body: print "$1" with comment lines and blank lines removed.
# The function header is not shown here; from the call at the NLINES
# computation below this appears to be the body of `meat`.
32 grep -v -e "^[[:space:]]*#" -e '^$' "$1"
# Helper body: print line number "$1" of stdin. Presumably the body of
# `cutline` (see the USERID assignment below). `head --line=` relies on GNU
# long-option abbreviation of `--lines`; `sed -n "${1}p"` would be portable.
36 head --line="$1" | tail -1
46 # user name of user to update
# Refuse to proceed unless USERNAME is a real account on this host; this is
# the only validation the name receives before it is used to build paths.
# `failure` is defined elsewhere in the file (not shown).
48 if ! id "$USERNAME" > /dev/null ; then
49 failure "User '$USERNAME' does not exist."
# Per-user list of OpenPGP user ids whose keys may log in as USERNAME.
52 AUTH_USER_IDS="$AUTH_USER_IDS_DIR"/"$USERNAME"
53 if [ ! -e "$AUTH_USER_IDS" ] ; then
54 failure "No auth_user_ids file for user '$USERNAME'."
# Cache directory for generated ssh keys, and the authorized_keys file that
# sshd is expected to read for this user.
57 KEYDIR="$AUTH_KEYS_DIR"/"$USERNAME"/keys
58 AUTH_KEYS="$AUTH_KEYS_DIR"/authorized_keys
60 # make sure the gnupg home exists with proper permissions
# NOTE(review): only the chmod is visible here; the mkdir that the comment
# above implies is not shown in this excerpt.
62 chmod 0700 "$GNUPGHOME"
64 # find number of user ids in auth_user_ids file
65 NLINES=$(meat "$AUTH_USER_IDS" | wc -l)
67 # clean out keys file and remake keys directory
71 # loop through all user ids, and generate ssh keys
# The list file is re-read by `meat` on every iteration (see USERID below);
# a single `while IFS= read -r USERID` over the `meat` output would read it once.
72 for (( N=1; N<=$NLINES; N=N+1 )) ; do
74 USERID=$(meat "$AUTH_USER_IDS" | cutline "$N" )
# Hashing the user id gives a fixed-format cache file name, so the
# user-supplied id itself never becomes part of a path. `printf '%s\n'` would
# avoid echo interpreting an id that starts with '-'.
75 USERID_HASH=$(echo "$USERID" | sha1sum | awk '{ print $1 }')
77 KEYFILE="$KEYDIR"/"$USERID_HASH"
79 # search for key on keyserver
80 echo "ms: validating: '$USERID'"
# NOTE(review): `echo 1 | ... --command-fd 0` appears to answer gpg's search
# selection prompt with "1", i.e. import the first hit for this user id. The
# test on RETURN below only checks that the search produced output, not which
# key was imported; the trust check further down is what actually gates use.
81 RETURN=$(echo 1 | gpg --quiet --batch --command-fd 0 --with-colons --keyserver "$KEYSERVER" --search ="$USERID")
83 # if the key was found...
84 if [ "$RETURN" ] ; then
87 # checking key attributes
88 # see /usr/share/doc/gnupg/DETAILS.gz:
# `=` prefix asks gpg for an exact user-id match. NOTE(review): if several
# keys carry this user id, PUB_INFO holds one `pub:` line per key and the
# fields extracted below become multi-line; the checks then apply to the
# concatenation rather than to a single key.
90 PUB_INFO=$(gpg --fixed-list-mode --with-colons --list-keys --with-fingerprint ="$USERID" | grep '^pub:')
92 # extract needed fields
# Field 2 is the key validity, field 12 the key capability letters.
93 KEY_TRUST=$(echo "$PUB_INFO" | cut -d: -f2)
94 KEY_CAPABILITY=$(echo "$PUB_INFO" | cut -d: -f12)
96 # check if key disabled
97 if echo "$KEY_CAPABILITY" | grep -q '[D]' ; then
98 echo "ms: key disabled -> SKIPPING"
102 # check key capability
103 REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-'a'}
# NOTE(review): the pattern is single-quoted, so $REQUIRED_KEY_CAPABILITY is
# never expanded; grep receives the literal bracket expression
# '[$REQUIRED_KEY_CAPABILITY]', which matches any of those characters,
# including the upper-case whole-key capability letters gpg emits in field 12.
# The required 'a' capability is therefore not enforced. Fix:
# grep -q "[$REQUIRED_KEY_CAPABILITY]"
104 if echo "$KEY_CAPABILITY" | grep -q '[$REQUIRED_KEY_CAPABILITY]' ; then
105 echo "ms: key capability verified ('$KEY_CAPABILITY')."
107 echo "ms: unacceptable key capability ('$KEY_CAPABILITY') -> SKIPPING"
113 # if key is not fully trusted exit
114 # (this includes not revoked or expired)
# Arms of a `case` on KEY_TRUST whose header and other arms are not shown.
124 echo -n "has unacceptable trust" ;;
126 echo -n "fully trusted"
127 # convert pgp key to ssh key, and write to cache file
128 echo -n " -> generating ssh key..."
# NOTE(review): if this line is re-enabled, $USERID is interpolated into the
# sed replacement text; '/', '&' or '\' in a user id would alter the edit.
# Using a separate substitution with an escaped value, or a tool that takes
# the comment as a plain argument, avoids that.
129 #gpg2ssh "$KEYID" | sed -e "s/COMMENT/$USERID/" > "$KEYFILE"
134 echo -n "has unknown trust" ;;
138 echo "ms: key not found."
# NOTE(review): `[ $(ls "$KEYDIR") ]` is an unquoted command substitution.
# With two or more cached key files the test becomes `[ a b ]`, which is a
# `[` usage error and evaluates false, so authorized_keys is not written in
# exactly the case where several keys were generated. Use e.g.
# `[ -n "$(ls -A "$KEYDIR")" ]` or a nullglob loop over "$KEYDIR"/*.
142 if [ $(ls "$KEYDIR") ] ; then
143 echo "ms: writing ms authorized_keys file..."
144 cat "$KEYDIR"/* > "$AUTH_KEYS"
146 echo "ms: no gpg keys to add to authorized_keys file."
# NOTE(review): tilde expansion is suppressed when any character of the tilde
# prefix is quoted, so ~"$USERNAME" stays the literal string '~<name>' and
# this path is resolved relative to the current directory; the user's own
# authorized_keys is therefore never appended. Resolve the home directory
# explicitly, e.g. `getent passwd "$USERNAME" | cut -d: -f6`, here and on the
# cat line below.
148 if [ -s ~"$USERNAME"/.ssh/authorized_keys ] ; then
149 echo "ms: adding user authorized_keys..."
150 cat ~"$USERNAME"/.ssh/authorized_keys >> "$AUTH_KEYS"