3 # rhesus: monkeysphere authorized_keys/known_hosts generating script
6 # Jameson Rollins <jrollins@fifthhorseman.net>
8 # Copyright 2008, released under the GPL, version 3 or later
12 ########################################################################
14 ########################################################################
18 usage: $PGRM k|known_hosts [userid...]
19 $PGRM a|authorized_keys [userid...]
20 Monkeysphere update of known_hosts or authorized_keys file.
21 If userids are specified, only specified userids will be processed
22 (userids must be included in the appropriate auth_*_ids file).
36 # cut out all comments(#) and blank lines from standard input
38 grep -v -e "^[[:space:]]*#" -e '^$'
41 # cut a specified line from standard input
43 head --line="$1" | tail -1
46 # retrieve all keys with given user id from keyserver
47 # FIXME: need to figure out how to retrieve all matching keys
53 gpg --quiet --batch --command-fd 0 --with-colons \
54 --keyserver "$KEYSERVER" \
55 --search ="$id" >/dev/null 2>&1
58 # convert escaped characters from gpg output back into original
60 # FIXME: undo all escape character translation in with-colons gpg output
62 echo "$1" | sed 's/\\x3a/:/'
65 # stand in until we get dkg's gpg2ssh program
74 if [ "$mode" = 'authorized_keys' -o "$mode" = 'a' ] ; then
75 gpgkey2ssh "$keyID" | sed -e "s/COMMENT/$userID/"
76 elif [ "$mode" = 'known_hosts' -o "$mode" = 'k' ] ; then
77 echo -n "$userID "; gpgkey2ssh "$keyID" | sed -e 's/ COMMENT//'
81 # userid and key policy checking
82 # the following checks policy on the returned keys
83 # - checks that full key has appropriate valididy (u|f)
84 # - checks key has appropriate capability (E|A)
85 # - checks that particular desired user id has appropriate validity
86 # see /usr/share/doc/gnupg/DETAILS.gz
87 # FIXME: add some more status output
88 # expects global variable: "mode"
100 # fetch all keys from keyserver
101 # if none found, break
102 if ! gpg_fetch_keys "$userID" ; then
103 echo " no keys found."
107 # some crazy piping here that takes the output of gpg and
108 # pipes it into a "while read" loop that reads each line
109 # of standard input one-by-one.
110 gpg --fixed-list-mode --list-key --with-colons \
111 --with-fingerprint ="$userID" 2> /dev/null | \
112 cut -d : -f 1,2,5,10,12 | \
113 while IFS=: read -r type validity keyid uidfpr capability ; do
114 # process based on record type
117 # new key, wipe the slate
121 # check primary key validity
122 if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
125 # check capability is not Disabled...
126 if echo "$capability" | grep -q 'D' ; then
129 # check capability is Encryption and Authentication
130 # FIXME: make more flexible capability specification
132 if echo "$capability" | grep -q -v 'E' ; then
133 if echo "$capability" | grep -q -v 'A' ; then
137 keyCapability="$capability"
142 # if key ok, get fingerprint
143 if [ "$keyOK" ] ; then
144 keyFingerprint="$uidfpr"
148 # check key ok and we have key fingerprint
149 if [ -z "$keyOK" -o -z "$keyFingerprint" ] ; then
153 if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
156 # check the uid matches
157 if [ "$(unescape "$uidfpr")" != "$userID" ] ; then
161 # FIXME: needs to apply extra options if specified
162 echo -n " valid key found; generating ssh key(s)... "
163 userIDHash=$(echo "$userID" | sha1sum | awk '{ print $1 }')
164 # export the key with gpg2ssh
165 #gpg --export "$keyFingerprint" | gpg2ssh "$mode" > "$cacheDir"/"$userIDHash"."$keyFingerprint"
166 # stand in until we get dkg's gpg2ssh program
167 gpg2ssh_tmp "$mode" "$keyID" "$userID" > "$cacheDir"/"$userIDHash"."$keyFingerprint"
168 if [ "$?" = 0 ] ; then
178 # process the auth_*_ids file
179 # go through line-by-line, extracting and processing each user id
180 # expects global variable: "mode"
181 process_auth_file() {
191 # find number of user ids in auth_user_ids file
192 nLines=$(meat <"$authIDsFile" | wc -l)
194 # clean out keys file and remake keys directory
198 # loop through all user ids
199 for line in $(seq 1 $nLines) ; do
201 # FIXME: needs to handle extra options if necessary
202 userID=$(meat <"$authIDsFile" | cutline "$line" )
204 # process the user id and extract keys
205 log "processing user id: '$userID'"
206 process_user_id "$userID" "$cacheDir"
210 ########################################################################
212 ########################################################################
214 if [ -z "$1" ] ; then
224 if ! id -u "$USER" > /dev/null 2>&1 ; then
225 failure "invalid user '$USER'."
228 # set user home directory
229 HOME=$(getent passwd "$USER" | cut -d: -f6)
231 # set ms home directory
232 MS_HOME=${MS_HOME:-"$HOME"/.config/monkeysphere}
234 # load configuration file
235 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere.conf}
236 [ -e "$MS_CONF" ] && . "$MS_CONF"
238 # set config variable defaults
239 STAGING_AREA=${STAGING_AREA:-"$MS_HOME"}
240 AUTH_HOST_FILE=${AUTH_HOST_FILE:-"$MS_HOME"/auth_host_ids}
241 AUTH_USER_FILE=${AUTH_USER_FILE:-"$MS_HOME"/auth_user_ids}
242 GNUPGHOME=${GNUPGHOME:-"$HOME"/.gnupg}
243 KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
245 USER_KNOW_HOSTS="$HOME"/.ssh/known_hosts
246 USER_AUTHORIZED_KEYS="$HOME"/.ssh/authorized_keys
248 # export USER and GNUPGHOME variables, since they are used by gpg
253 hostKeysCacheDir="$STAGING_AREA"/host_keys
254 userKeysCacheDir="$STAGING_AREA"/user_keys
255 msKnownHosts="$STAGING_AREA"/known_hosts
256 msAuthorizedKeys="$STAGING_AREA"/authorized_keys
259 if [ "$mode" = 'known_hosts' -o "$mode" = 'k' ] ; then
261 authFileType=auth_host_ids
262 authIDsFile="$AUTH_HOST_FILE"
263 outFile="$msKnownHosts"
264 cacheDir="$hostKeysCacheDir"
265 userFile="$USER_KNOWN_HOSTS"
266 elif [ "$mode" = 'authorized_keys' -o "$mode" = 'a' ] ; then
267 fileType=authorized_keys
268 authFileType=auth_user_ids
269 authIDsFile="$AUTH_USER_FILE"
270 outFile="$msAuthorizedKeys"
271 cacheDir="$userKeysCacheDir"
272 userFile="$USER_AUTHORIZED_KEYS"
274 failure "unknown command '$mode'."
277 # check auth ids file
278 if [ ! -s "$authIDsFile" ] ; then
279 echo "'$authFileType' file is empty or does not exist."
283 log "user '$USER': monkeysphere $fileType generation"
285 # make sure gpg home exists with proper permissions
286 mkdir -p -m 0700 "$GNUPGHOME"
288 # if users are specified on the command line, process just
291 # process userids given on the command line
293 if ! grep -q "$userID" "$authIDsFile" ; then
294 log "userid '$userID' not in $authFileType file."
297 log "processing user id: '$userID'"
298 process_user_id "$userID" "$cacheDir"
300 # otherwise if no users are specified, process the entire
303 # process the auth file
304 process_auth_file "$authIDsFile" "$cacheDir"
307 # write output key file
308 log "writing ms $fileType file... "
310 if [ "$(ls "$cacheDir")" ] ; then
311 log -n "adding gpg keys... "
312 cat "$cacheDir"/* > "$outFile"
315 log "no gpg keys to add."
317 if [ -s "$userFile" ] ; then
318 log -n "adding user $fileType file... "
319 cat "$userFile" >> "$outFile"
322 log "ms $fileType file generated:"