rhesus/rhesus

   1 #!/bin/sh -e
   2
   3 # rhesus: monkeysphere authorized_keys/known_hosts generating script
   4 #
   5 # Written by
   6 # Jameson Rollins <jrollins@fifthhorseman.net>
   7 #
   8 # Copyright 2008, released under the GPL, version 3 or later
   9
  10 CMD=$(basename $0)
  11
  12 ########################################################################
  13 # FUNCTIONS
  14 ########################################################################
  15
  16 usage() {
  17 cat <<EOF
  18 usage: $CMD -k|--known_hosts
  19        $CMD -a|--authorized_keys
  20 EOF
  21 }
  22
  23 failure() {
  24     echo "$1" >&2
  25     exit ${2:-'1'}
  26 }
  27
  28 log() {
  29     echo -n "ms: "
  30     echo "$@"
  31 }
  32
  33 # cut out all comments(#) and blank lines from standard input
  34 meat() {
  35     grep -v -e "^[[:space:]]*#" -e '^$'
  36 }
  37
  38 # cut a specified line from standard input
  39 cutline() {
  40     head --line="$1" | tail -1
  41 }
  42
  43 # retrieve all keys with given user id from keyserver
  44 # FIXME: need to figure out how to retrieve all matching keys
  45 # (not just first 5)
  46 gpg_fetch_keys() {
  47     local id
  48     id="$1"
  49     echo 1,2,3,4,5 | \
  50         gpg --quiet --batch --command-fd 0 --with-colons \
  51         --keyserver "$KEYSERVER" \
  52         --search ="$id" >/dev/null 2>&1
  53 }
  54
  55 # convert escaped characters from gpg output back into original
  56 # character
  57 # FIXME: undo all escape character translation in with-colons gpg output
  58 unescape() {
  59     echo "$1" | sed 's/\\x3a/:/'
  60 }
  61
  62 # stand in until we get dkg's gpg2ssh program
  63 gpg2ssh_tmp() {
  64     local mode
  65     local keyID
  66
  67     mode="$1"
  68     keyID="$2"
  69     userID="$3"
  70
  71     if [ "$mode" = '--authorized_keys' -o "$mode" = '-a' ] ; then
  72         gpgkey2ssh "$keyID" | sed -e "s/COMMENT/$userID/"
  73     elif [ "$mode" = '--known_hosts' -o "$mode" = '-k' ] ; then
  74         echo -n "$userID "; gpgkey2ssh "$keyID" | sed -e 's/ COMMENT//'
  75     fi
  76 }
  77
  78 # userid and key policy checking
  79 # the following checks policy on the returned keys
  80 # - checks that full key has appropriate valididy (u|f)
  81 # - checks key has appropriate capability (E|A)
  82 # - checks that particular desired user id has appropriate validity
  83 # see /usr/share/doc/gnupg/DETAILS.gz
  84 # FIXME: add some more status output
  85 # expects global variable: "mode"
  86 process_user_id() {
  87     local userID
  88     local cacheDir
  89     local keyOK
  90     local keyCapability
  91     local keyFingerprint
  92     local userIDHash
  93
  94     userID="$1"
  95     cacheDir="$2"
  96
  97     # fetch all keys from keyserver
  98     # if none found, break
  99     if ! gpg_fetch_keys "$userID" ; then
 100         echo "    no keys found."
 101         return
 102     fi
 103
 104     # some crazy piping here that takes the output of gpg and
 105     # pipes it into a "while read" loop that reads each line
 106     # of standard input one-by-one.
 107     gpg --fixed-list-mode --list-key --with-colons \
 108         --with-fingerprint ="$userID" 2> /dev/null | \
 109     cut -d : -f 1,2,5,10,12 | \
 110     while IFS=: read -r type validity keyid uidfpr capability ; do
 111         # process based on record type
 112         case $type in
 113             'pub')
 114                 # new key, wipe the slate
 115                 keyOK=
 116                 keyCapability=
 117                 keyFingerprint=
 118                 # check primary key validity
 119                 if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
 120                     continue
 121                 fi
 122                 # check capability is not Disabled...
 123                 if echo "$capability" | grep -q 'D' ; then
 124                     continue
 125                 fi
 126                 # check capability is Encryption and Authentication
 127                 # FIXME: make more flexible capability specification
 128                 # (ie. in conf file)
 129                 if echo "$capability" | grep -q -v 'E' ; then
 130                     if echo "$capability" | grep -q -v 'A' ; then
 131                         continue
 132                     fi
 133                 fi
 134                 keyCapability="$capability"
 135                 keyOK=true
 136                 keyID="$keyid"
 137                 ;;
 138             'fpr')
 139                 # if key ok, get fingerprint
 140                 if [ "$keyOK" ] ; then
 141                     keyFingerprint="$uidfpr"
 142                 fi
 143                 ;;
 144             'uid')
 145                 # check key ok and we have key fingerprint
 146                 if [ -z "$keyOK" -o  -z "$keyFingerprint" ] ; then
 147                     continue
 148                 fi
 149                 # check key validity
 150                 if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
 151                     continue
 152                 fi
 153                 # check the uid matches
 154                 if [ "$(unescape "$uidfpr")" != "$userID" ] ; then
 155                     continue
 156                 fi
 157                 # convert the key
 158                 # FIXME: needs to apply extra options if specified
 159                 echo -n "    valid key found; generating ssh key(s)... "
 160                 userIDHash=$(echo "$userID" | sha1sum | awk '{ print $1 }')
 161                 # export the key with gpg2ssh
 162                 #gpg --export "$keyFingerprint" | gpg2ssh "$mode" > "$cacheDir"/"$userIDHash"."$keyFingerprint"
 163                 # stand in until we get dkg's gpg2ssh program
 164                 gpg2ssh_tmp "$mode" "$keyID" "$userID" > "$cacheDir"/"$userIDHash"."$keyFingerprint"
 165                 if [ "$?" = 0 ] ; then
 166                     echo "done."
 167                 else
 168                     echo "error."
 169                 fi
 170                 ;;
 171         esac
 172     done
 173 }
 174
 175 # process the auth_*_ids file
 176 # go through line-by-line, extracting and processing each user id
 177 # expects global variable: "mode"
 178 process_auth_file() {
 179     local authIDsFile
 180     local cacheDir
 181     local nLines
 182     local line
 183     local userID
 184
 185     authIDsFile="$1"
 186     cacheDir="$2"
 187
 188     # find number of user ids in auth_user_ids file
 189     nLines=$(meat <"$authIDsFile" | wc -l)
 190
 191     # make sure gpg home exists with proper permissions
 192     mkdir -p -m 0700 "$GNUPGHOME"
 193
 194     # clean out keys file and remake keys directory
 195     rm -rf "$cacheDir"
 196     mkdir -p "$cacheDir"
 197
 198     # loop through all user ids
 199     for line in $(seq 1 $nLines) ; do
 200         # get user id
 201         # FIXME: needs to handle extra options if necessary
 202         userID=$(meat <"$authIDsFile" | cutline "$line" )
 203
 204         # process the user id and extract keys
 205         log "processing user id: '$userID'"
 206         process_user_id "$userID" "$cacheDir"
 207     done
 208 }
 209
 210
 211 ########################################################################
 212 # MAIN
 213 ########################################################################
 214
 215 if [ -z "$1" ] ; then
 216     usage
 217     exit 1
 218 fi
 219
 220 # check mode
 221 mode="$1"
 222 shift 1
 223
 224 # check user
 225 if ! id -u "$USER" > /dev/null 2>&1 ; then
 226     failure "invalid user '$USER'."
 227 fi
 228
 229 # set user home directory
 230 HOME=$(getent passwd "$USER" | cut -d: -f6)
 231
 232 # get ms home directory
 233 MS_HOME=${MS_HOME:-"$HOME"/.config/monkeysphere}
 234
 235 # load configuration file
 236 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere.conf}
 237 [ -e "$MS_CONF" ] && . "$MS_CONF"
 238
 239 # set config variable defaults
 240 STAGING_AREA=${STAGING_AREA:-"$MS_HOME"}
 241 AUTH_HOST_FILE=${AUTH_HOST_FILE:-"$MS_HOME"/auth_host_ids}
 242 AUTH_USER_FILE=${AUTH_USER_FILE:-"$MS_HOME"/auth_user_ids}
 243 GNUPGHOME=${GNUPGHOME:-"$HOME"/.gnupg}
 244 KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
 245
 246 USER_KNOW_HOSTS="$HOME"/.ssh/known_hosts
 247 USER_AUTHORIZED_KEYS="$HOME"/.ssh/authorized_keys
 248
 249 # export USER and GNUPGHOME variables, since they are used by gpg
 250 export USER
 251 export GNUPGHOME
 252
 253 # stagging locations
 254 hostKeysCacheDir="$STAGING_AREA"/host_keys
 255 userKeysCacheDir="$STAGING_AREA"/user_keys
 256 msKnownHosts="$STAGING_AREA"/known_hosts
 257 msAuthorizedKeys="$STAGING_AREA"/authorized_keys
 258
 259 # set mode variables
 260 if [ "$mode" = '--known_hosts' -o "$mode" = '-k' ] ; then
 261     fileType=known_hosts
 262     authIDsFile="$AUTH_HOST_FILE"
 263     outFile="$msKnownHosts"
 264     cacheDir="$hostKeysCacheDir"
 265     userFile="$USER_KNOWN_HOSTS"
 266 elif [ "$mode" = '--authorized_keys' -o "$mode" = '-a' ] ; then
 267     fileType=authorized_keys
 268     authIDsFile="$AUTH_USER_FILE"
 269     outFile="$msAuthorizedKeys"
 270     cacheDir="$userKeysCacheDir"
 271     userFile="$USER_AUTHORIZED_KEYS"
 272 else
 273     failure "unknown command '$mode'."
 274 fi
 275
 276 # check auth ids file
 277 if [ ! -s "$authIDsFile" ] ; then
 278     echo "'$authIDsFile' file is empty or does not exist."
 279     exit
 280 fi
 281
 282 log "user '$USER': monkeysphere $fileType generation..."
 283
 284 # process the auth file
 285 process_auth_file "$authIDsFile" "$cacheDir"
 286
 287 # write output key file
 288 log "writing ms $fileType file... "
 289 > "$outFile"
 290 if [ "$(ls "$cacheDir")" ] ; then
 291     log -n "adding gpg keys... "
 292     cat "$cacheDir"/* > "$outFile"
 293     echo "done."
 294 else
 295     log "no gpg keys to add."
 296 fi
 297 if [ -s "$userFile" ] ; then
 298     log -n "adding user $fileType file... "
 299     cat "$userFile" >> "$outFile"
 300     echo "done."
 301 fi
 302 log "ms $fileType file generated:"
 303 log "$outFile"