rhesus/rhesus

   1 #!/bin/sh -e
   2
   3 # rhesus: monkeysphere authorized_keys/known_hosts generating script
   4 #
   5 # Written by
   6 # Jameson Rollins <jrollins@fifthhorseman.net>
   7 #
   8 # Copyright 2008, released under the GPL, version 3 or later
   9
  10 CMD=$(basename $0)
  11
  12 ########################################################################
  13 # FUNCTIONS
  14 ########################################################################
  15
  16 usage() {
  17 cat <<EOF
  18 usage: $CMD -k|--known_hosts
  19        $CMD -a|--authorized_keys
  20 EOF
  21 }
  22
  23 failure() {
  24     echo "$1" >&2
  25     exit ${2:-'1'}
  26 }
  27
  28 log() {
  29     echo -n "ms: "
  30     echo "$@"
  31 }
  32
  33 # cut out all comments(#) and blank lines from standard input
  34 meat() {
  35     grep -v -e "^[[:space:]]*#" -e '^$'
  36 }
  37
  38 # cut a specified line from standard input
  39 cutline() {
  40     head --line="$1" | tail -1
  41 }
  42
  43 # retrieve all keys with given user id from keyserver
  44 # FIXME: need to figure out how to retrieve all matching keys
  45 # (not just first 5)
  46 gpg_fetch_keys() {
  47     local id="$1"
  48     echo 1,2,3,4,5 | \
  49         gpg --quiet --batch --command-fd 0 --with-colons \
  50         --keyserver "$KEYSERVER" \
  51         --search ="$id" >/dev/null 2>&1
  52 }
  53
  54 # convert escaped characters from gpg output back into original
  55 # character
  56 # FIXME: undo all escape character translation in with-colons gpg output
  57 unescape() {
  58     echo "$1" | sed 's/\\x3a/:/'
  59 }
  60
  61 # stand in until we get dkg's gpg2ssh program
  62 gpg2ssh_tmp() {
  63     local mode
  64     local keyID
  65
  66     mode="$1"
  67     keyID="$2"
  68     userID="$3"
  69
  70     if [ "$mode" = '--authorized_keys' -o "$mode" = '-a' ] ; then
  71         gpgkey2ssh "$keyID" | sed -e "s/COMMENT/$userID/"
  72     elif [ "$mode" = '--known_hosts' -o "$mode" = '-k' ] ; then
  73         echo -n "$userID "; gpgkey2ssh "$keyID" | sed -e 's/ COMMENT//'
  74     fi
  75 }
  76
  77 # userid and key policy checking
  78 # the following checks policy on the returned keys
  79 # - checks that full key has appropriate valididy (u|f)
  80 # - checks key has appropriate capability (E|A)
  81 # - checks that particular desired user id has appropriate validity
  82 # see /usr/share/doc/gnupg/DETAILS.gz
  83 # FIXME: add some more status output
  84 # expects global variable: "mode"
  85 process_user_id() {
  86     local userID
  87     local cacheDir
  88     local keyOK
  89     local keyCapability
  90     local keyFingerprint
  91     local userIDHash
  92
  93     userID="$1"
  94     cacheDir="$2"
  95
  96     # fetch all keys from keyserver
  97     # if none found, break
  98     if ! gpg_fetch_keys "$userID" ; then
  99         echo "    no keys found."
 100         return
 101     fi
 102
 103     # some crazy piping here that takes the output of gpg and
 104     # pipes it into a "while read" loop that reads each line
 105     # of standard input one-by-one.
 106     gpg --fixed-list-mode --list-key --with-colons \
 107         --with-fingerprint ="$userID" 2> /dev/null | \
 108     cut -d : -f 1,2,5,10,12 | \
 109     while IFS=: read -r type validity keyid uidfpr capability ; do
 110         # process based on record type
 111         case $type in
 112             'pub')
 113                 # new key, wipe the slate
 114                 keyOK=
 115                 keyCapability=
 116                 keyFingerprint=
 117                 # check primary key validity
 118                 if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
 119                     continue
 120                 fi
 121                 # check capability is not Disabled...
 122                 if echo "$capability" | grep -q 'D' ; then
 123                     continue
 124                 fi
 125                 # check capability is Encryption and Authentication
 126                 # FIXME: make more flexible capability specification
 127                 # (ie. in conf file)
 128                 if echo "$capability" | grep -q -v 'E' ; then
 129                     if echo "$capability" | grep -q -v 'A' ; then
 130                         continue
 131                     fi
 132                 fi
 133                 keyCapability="$capability"
 134                 keyOK=true
 135                 keyID="$keyid"
 136                 ;;
 137             'fpr')
 138                 # if key ok, get fingerprint
 139                 if [ "$keyOK" ] ; then
 140                     keyFingerprint="$uidfpr"
 141                 fi
 142                 ;;
 143             'uid')
 144                 # check key ok and we have key fingerprint
 145                 if [ -z "$keyOK" -o  -z "$keyFingerprint" ] ; then
 146                     continue
 147                 fi
 148                 # check key validity
 149                 if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
 150                     continue
 151                 fi
 152                 # check the uid matches
 153                 if [ "$(unescape "$uidfpr")" != "$userID" ] ; then
 154                     continue
 155                 fi
 156                 # convert the key
 157                 # FIXME: needs to apply extra options if specified
 158                 echo -n "    valid key found; generating ssh key(s)... "
 159                 userIDHash=$(echo "$userID" | sha1sum | awk '{ print $1 }')
 160                 # export the key with gpg2ssh
 161                 #gpg --export "$keyFingerprint" | gpg2ssh "$mode" > "$cacheDir"/"$userIDHash"."$keyFingerprint"
 162                 # stand in until we get dkg's gpg2ssh program
 163                 gpg2ssh_tmp "$mode" "$keyID" "$userID" > "$cacheDir"/"$userIDHash"."$keyFingerprint"
 164                 if [ "$?" = 0 ] ; then
 165                     echo "done."
 166                 else
 167                     echo "error."
 168                 fi
 169                 ;;
 170         esac
 171     done
 172 }
 173
 174 # process the auth_*_ids file
 175 # go through line-by-line, extracting and processing each user id
 176 # expects global variable: "mode"
 177 process_auth_file() {
 178     local authIDsFile
 179     local cacheDir
 180     local nLines
 181     local line
 182     local userID
 183
 184     authIDsFile="$1"
 185     cacheDir="$2"
 186
 187     # find number of user ids in auth_user_ids file
 188     nLines=$(meat <"$authIDsFile" | wc -l)
 189
 190     # make sure gpg home exists with proper permissions
 191     mkdir -p -m 0700 "$GNUPGHOME"
 192
 193     # clean out keys file and remake keys directory
 194     rm -rf "$cacheDir"
 195     mkdir -p "$cacheDir"
 196
 197     # loop through all user ids
 198     for line in $(seq 1 $nLines) ; do
 199         # get user id
 200         # FIXME: needs to handle extra options if necessary
 201         userID=$(meat <"$authIDsFile" | cutline "$line" )
 202
 203         # process the user id and extract keys
 204         log "processing user id: '$userID'"
 205         process_user_id "$userID" "$cacheDir"
 206     done
 207 }
 208
 209
 210 ########################################################################
 211 # MAIN
 212 ########################################################################
 213
 214 if [ -z "$1" ] ; then
 215     usage
 216     exit 1
 217 fi
 218
 219 # check mode
 220 mode="$1"
 221 shift 1
 222
 223 # check user
 224 if ! id -u "$USER" > /dev/null 2>&1 ; then
 225     failure "invalid user '$USER'."
 226 fi
 227
 228 # set user home directory
 229 HOME=$(getent passwd "$USER" | cut -d: -f6)
 230
 231 # get ms home directory
 232 MS_HOME=${MS_HOME:-"$HOME"/.config/monkeysphere}
 233
 234 # load configuration file
 235 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere.conf}
 236 [ -e "$MS_CONF" ] && . "$MS_CONF"
 237
 238 # set config variable defaults
 239 STAGING_AREA=${STAGING_AREA:-"$MS_HOME"}
 240 AUTH_HOST_FILE=${AUTH_HOST_FILE:-"$MS_HOME"/auth_host_ids}
 241 AUTH_USER_FILE=${AUTH_USER_FILE:-"$MS_HOME"/auth_user_ids}
 242 GNUPGHOME=${GNUPGHOME:-"$HOME"/.gnupg}
 243 KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
 244
 245 USER_KNOW_HOSTS="$HOME"/.ssh/known_hosts
 246 USER_AUTHORIZED_KEYS="$HOME"/.ssh/authorized_keys
 247
 248 # export USER and GNUPGHOME variables, since they are used by gpg
 249 export USER
 250 export GNUPGHOME
 251
 252 # stagging locations
 253 hostKeysCacheDir="$STAGING_AREA"/host_keys
 254 userKeysCacheDir="$STAGING_AREA"/user_keys
 255 msKnownHosts="$STAGING_AREA"/known_hosts
 256 msAuthorizedKeys="$STAGING_AREA"/authorized_keys
 257
 258 # set mode variables
 259 if [ "$mode" = '--known_hosts' -o "$mode" = '-k' ] ; then
 260     fileType=known_hosts
 261     authIDsFile="$AUTH_HOST_FILE"
 262     outFile="$msKnownHosts"
 263     cacheDir="$hostKeysCacheDir"
 264     userFile="$USER_KNOWN_HOSTS"
 265 elif [ "$mode" = '--authorized_keys' -o "$mode" = '-a' ] ; then
 266     fileType=authorized_keys
 267     authIDsFile="$AUTH_USER_FILE"
 268     outFile="$msAuthorizedKeys"
 269     cacheDir="$userKeysCacheDir"
 270     userFile="$USER_AUTHORIZED_KEYS"
 271 else
 272     failure "unknown command '$mode'."
 273 fi
 274
 275 # check auth ids file
 276 if [ ! -s "$authIDsFile" ] ; then
 277     echo $(basename "$authIDsFile") "file is empty or does not exist."
 278     exit
 279 fi
 280
 281 log "user '$USER': monkeysphere $fileType generation..."
 282
 283 # process the auth file
 284 process_auth_file "$authIDsFile" "$cacheDir"
 285
 286 # write output key file
 287 log "writing ms $fileType file... "
 288 > "$outFile"
 289 if [ "$(ls "$cacheDir")" ] ; then
 290     log -n "adding gpg keys... "
 291     cat "$cacheDir"/* > "$outFile"
 292     echo "done."
 293 else
 294     log "no gpg keys to add."
 295 fi
 296 if [ -s "$userFile" ] ; then
 297     log -n "adding user $fileType file... "
 298     cat "$userFile" >> "$outFile"
 299     echo "done."
 300 fi
 301 log "ms $fileType file generated:"
 302 log "$outFile"