3 # Shared sh functions for the monkeysphere
6 # Jameson Rollins <jrollins@fifthhorseman.net>
8 # Copyright 2008, released under the GPL, version 3 or later
10 # all-caps variables are meant to be user supplied (ie. from config
11 # file) and are considered global
13 ########################################################################
17 ETC="/etc/monkeysphere"
19 CACHE="/var/cache/monkeysphere"
22 ########################################################################
30 # write output to stderr
40 # cut out all comments(#) and blank lines from standard input
42 grep -v -e "^[[:space:]]*#" -e '^$'
45 # cut a specified line from standard input
47 head --line="$1" | tail -1
50 # check that characters are in a string (in an AND fashion).
51 # used for checking key capability
52 # check_capability capability a [b...]
61 if echo "$usage" | grep -q -v "$capcheck" ; then
68 # convert escaped characters from gpg output back into original
70 # FIXME: undo all escape character translation in with-colons gpg output
72 echo "$1" | sed 's/\\x3a/:/'
75 # remove all lines with specified string from specified file
83 if [ "$file" -a "$string" ] ; then
84 grep -v "$string" "$file" | sponge "$file"
88 ### CONVERTION UTILITIES
90 # output the ssh key for a given key ID
95 # only use last 16 characters until openpgp2ssh can take all 40 #TMP
96 keyID=$(echo "$1" | cut -c 25-) #TMP
98 gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null
101 # output known_hosts line from ssh key
110 echo -n "$key" | tr -d '\n'
111 echo " MonkeySphere${DATE}"
114 # output authorized_keys line from ssh key
115 ssh2authorized_keys() {
122 echo -n "$key" | tr -d '\n'
123 echo " MonkeySphere${DATE} ${userID}"
126 # convert key from gpg to ssh known_hosts format
134 # NOTE: it seems that ssh-keygen -R removes all comment fields from
135 # all lines in the known_hosts file. why?
136 # NOTE: just in case, the COMMENT can be matched with the
138 # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
140 gpg2ssh "$keyID" | tr -d '\n'
141 echo " MonkeySphere${DATE}"
144 # convert key from gpg to ssh authorized_keys format
145 gpg2authorized_keys() {
152 # NOTE: just in case, the COMMENT can be matched with the
154 # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
155 gpg2ssh "$keyID" | tr -d '\n'
156 echo " MonkeySphere${DATE} ${userID}"
161 # retrieve all keys with given user id from keyserver
162 # FIXME: need to figure out how to retrieve all matching keys
163 # (not just first N (5 in this case))
169 log -n " checking keyserver $KEYSERVER... "
171 gpg --quiet --batch --with-colons \
172 --command-fd 0 --keyserver "$KEYSERVER" \
173 --search ="$userID" > /dev/null 2>&1
177 # get the full fingerprint of a key ID
178 get_key_fingerprint() {
183 gpg --list-key --with-colons --fixed-list-mode \
184 --with-fingerprint "$keyID" | grep "$keyID" | \
185 grep '^fpr:' | cut -d: -f10
188 ########################################################################
189 ### PROCESSING FUNCTIONS
191 # userid and key policy checking
192 # the following checks policy on the returned keys
193 # - checks that full key has appropriate valididy (u|f)
194 # - checks key has specified capability (REQUIRED_*_KEY_CAPABILITY)
195 # - checks that requested user ID has appropriate validity
196 # (see /usr/share/doc/gnupg/DETAILS.gz)
197 # output is one line for every found key, in the following format:
201 # "flag" is an acceptability flag, 0 = ok, 1 = bad
202 # "fingerprint" is the fingerprint of the key
204 # expects global variable: "MODE"
207 local requiredCapability
208 local requiredPubCapability
223 # set the required key capability based on the mode
224 if [ "$MODE" = 'known_hosts' ] ; then
225 requiredCapability="$REQUIRED_HOST_KEY_CAPABILITY"
226 elif [ "$MODE" = 'authorized_keys' ] ; then
227 requiredCapability="$REQUIRED_USER_KEY_CAPABILITY"
229 requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]")
231 # if CHECK_KEYSERVER variable set, check the keyserver
233 if [ "$CHECK_KEYSERVER" = "true" ] ; then
234 gpg_fetch_userid "$userID"
237 # output gpg info for (exact) userid and store
238 gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
239 --with-fingerprint --with-fingerprint \
240 ="$userID" 2>/dev/null)
242 # if the gpg query return code is not 0, return 1
243 if [ "$?" -ne 0 ] ; then
244 log " - key not found."
248 # loop over all lines in the gpg output and process.
249 # need to do it this way (as opposed to "while read...") so that
250 # variables set in loop will be visible outside of loop
251 echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
252 while IFS=: read -r type validity keyid uidfpr usage ; do
253 # process based on record type
255 'pub') # primary keys
256 # new key, wipe the slate
263 log " primary key found: $keyid"
265 # if overall key is not valid, skip
266 if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
267 log " - unacceptable primary key validity ($validity)."
270 # if overall key is disabled, skip
271 if check_capability "$usage" 'D' ; then
272 log " - key disabled."
275 # if overall key capability is not ok, skip
276 if ! check_capability "$usage" $requiredPubCapability ; then
277 log " - unacceptable primary key capability ($usage)."
281 # mark overall key as ok
284 # mark primary key as ok if capability is ok
285 if check_capability "$usage" $requiredCapability ; then
290 # if an acceptable user ID was already found, skip
291 if [ "$uidOK" ] ; then
294 # if the user ID does not match, skip
295 if [ "$(unescape "$uidfpr")" != "$userID" ] ; then
298 # if the user ID validity is not ok, skip
299 if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
303 # mark user ID acceptable
306 # output a line for the primary key
308 if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
309 log " * acceptable key found."
310 echo 0 "$fingerprint"
312 echo 1 "$fingerprint"
316 # unset acceptability of last key
321 # if sub key validity is not ok, skip
322 if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
325 # if sub key capability is not ok, skip
326 if ! check_capability "$usage" $requiredCapability ; then
333 'fpr') # key fingerprint
334 fingerprint="$uidfpr"
336 # if the last key was the pub key, skip
337 if [ "$lastKey" = pub ] ; then
341 # output a line for the last subkey
343 if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
344 log " * acceptable key found."
345 echo 0 "$fingerprint"
347 echo 1 "$fingerprint"
354 # update the cache for userid, and prompt to add file to
355 # authorized_user_ids file if the userid is found in gpg
356 # and not already in file.
362 log "processing userid: '$userID'"
364 # process the user ID to pull it from keyserver
365 process_user_id "$userID" | grep -q "^0 "
367 # check if user ID is in the authorized_user_ids file
368 if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
369 read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y}
370 if [ ${OK/y/Y} = 'Y' ] ; then
372 log -n " adding user ID to authorized_user_ids file... "
373 echo "$userID" >> "$AUTHORIZED_USER_IDS"
377 log " authorized_user_ids file untouched."
382 # remove a userid from the authorized_user_ids file
388 log "processing userid: '$userID'"
390 # check if user ID is in the authorized_user_ids file
391 if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
392 log " user ID not currently authorized."
396 # remove user ID from file
397 log -n " removing user ID '$userID'... "
398 remove_line "$AUTHORIZED_USER_IDS" "^${userID}$"
402 # process a host in known_host file
403 process_host_known_hosts() {
411 userID="ssh://${host}"
413 log "processing host: $host"
415 process_user_id "ssh://${host}" | \
416 while read -r ok keyid ; do
417 sshKey=$(gpg2ssh "$keyid")
418 # remove the old host key line
419 remove_line "$KNOWN_HOSTS" "$sshKey"
420 # if key OK, add new host line
421 if [ "$ok" -eq '0' ] ; then
423 if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then
424 # FIXME: this is really hackish cause ssh-keygen won't
425 # hash from stdin to stdout
427 ssh2known_hosts "$host" "$sshKey" > "$tmpfile"
428 ssh-keygen -H -f "$tmpfile" 2> /dev/null
429 cat "$tmpfile" >> "$KNOWN_HOSTS"
430 rm -f "$tmpfile" "${tmpfile}.old"
432 ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS"
438 # process a uid in an authorized_keys file
439 process_uid_authorized_keys() {
446 log "processing user ID: $userID"
448 process_user_id "$userID" | \
449 while read -r ok keyid ; do
450 sshKey=$(gpg2ssh "$keyid")
451 # remove the old host key line
452 remove_line "$AUTHORIZED_KEYS" "$sshKey"
453 # if key OK, add new host line
454 if [ "$ok" -eq '0' ] ; then
455 ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS"
460 # process known_hosts file
461 # go through line-by-line, extract each host, and process with the
462 # host processing function
463 process_known_hosts() {
467 # take all the hosts from the known_hosts file (first field),
468 # grep out all the hashed hosts (lines starting with '|')...
469 cat "$KNOWN_HOSTS" | meat | \
470 cut -d ' ' -f 1 | grep -v '^|.*$' | \
471 while IFS=, read -r -a hosts ; do
472 # and process each host
473 for host in ${hosts[*]} ; do
474 process_host_known_hosts "$host"
479 # process an authorized_user_ids file for authorized_keys
480 process_authorized_user_ids() {
483 cat "$AUTHORIZED_USER_IDS" | meat | \
484 while read -r userid ; do
485 process_uid_authorized_keys "$userid"
489 # EXPERIMENTAL (unused) process userids found in authorized_keys file
490 # go through line-by-line, extract monkeysphere userids from comment
491 # fields, and process each userid
493 process_authorized_keys() {
499 # take all the monkeysphere userids from the authorized_keys file
500 # comment field (third field) that starts with "MonkeySphere uid:"
501 # FIXME: needs to handle authorized_keys options (field 0)
502 cat "$authorizedKeys" | meat | \
503 while read -r options keytype key comment ; do
504 # if the comment field is empty, assume the third field was
506 if [ -z "$comment" ] ; then
510 if echo "$comment" | egrep -v -q '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}' ; then
513 userID=$(echo "$comment" | awk "{ print $2 }")
514 if [ -z "$userID" ] ; then
519 log "processing userid: '$userID'"
520 process_user_id "$userID" > /dev/null
524 ##################################################
525 ### GPG HELPER FUNCTIONS
527 # retrieve key from web of trust, and set owner trust to "full"
530 # get the key from the key server
531 if ! gpg --keyserver "$KEYSERVER" --recv-key "$keyID" ; then
532 log "could not retrieve key '$keyID'"
536 # get key fingerprint
537 fingerprint=$(get_key_fingerprint "$keyID")
539 # attach a "non-exportable" signature to the key
540 # this is required for the key to have any validity at all
541 # the 'y's on stdin indicates "yes, i really want to sign"
542 echo -e 'y\ny' | gpg --lsign-key --command-fd 0 "$fingerprint"
544 # import "full" trust for fingerprint into gpg
545 echo ${fingerprint}:5: | gpg --import-ownertrust
547 log "owner trust updated."
549 failure "there was a problem changing owner trust."
553 # publish server key to keyserver
554 publish_server_key() {
555 read -p "really publish key to $KEYSERVER? [y|N]: " OK; OK=${OK:=N}
556 if [ ${OK/y/Y} != 'Y' ] ; then
561 # FIXME: need to figure out better way to identify host key
562 # dummy command so as not to publish fakes keys during testing
564 #gpg --keyserver "$KEYSERVER" --send-keys $(hostname -f)
565 echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development).
566 To publish manually, do: gpg --keyserver $KEYSERVER --send-keys $(hostname -f)"