3 # monkeysphere: Monkeysphere client tool
5 # The monkeysphere scripts are written by:
6 # Jameson Rollins <jrollins@fifthhorseman.net>
7 # Jamie McClelland <jm@mayfirst.org>
8 # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
9 # Micah Anderson <micah@riseup.net>
11 # They are Copyright 2008-2009, and are all released under the GPL, version 3
14 ########################################################################
19 SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
21 . "${SYSSHAREDIR}/defaultenv"
22 . "${SYSSHAREDIR}/common"
24 # sharedir for host functions
25 MSHAREDIR="${SYSSHAREDIR}/m"
27 # UTC date in ISO 8601 format if needed
28 DATE=$(date -u '+%FT%T')
30 # unset some environment variables that could screw things up
33 # set the file creation mask to be only owner rw
36 ########################################################################
38 ########################################################################
42 usage: $PGRM <subcommand> [options] [args]
43 Monkeysphere client tool.
46 update-known_hosts (k) [HOST]... update known_hosts file
47 update-authorized_keys (a) update authorized_keys file
48 gen-subkey (g) [KEYID] generate an authentication subkey
49 --length (-l) BITS key length in bits (2048)
50 ssh-proxycommand HOST [PORT] monkeysphere ssh ProxyCommand
51 --no-connect do not make TCP connection to host
52 subkey-to-ssh-agent (s) store authentication subkey in ssh-agent
53 sshfpr (f) KEYID output ssh fingerprint of gpg key
54 version (v) show version number
60 # user gpg command to define common options
62 gpg --no-greeting --quiet --no-tty "$@"
65 # output the ssh fingerprint of a gpg key
66 gpg_ssh_fingerprint() {
68 local tmpfile=$(mktemp)
70 # trap to remove tmp file if break
71 trap "rm -f $tmpfile" EXIT
73 # use temporary file, since ssh-keygen won't accept keys on stdin
74 gpg_user --export "$keyid" | openpgp2ssh "$keyid" >"$tmpfile"
75 ssh-keygen -l -f "$tmpfile" | awk '{ print $1, $2, $4 }'
82 # take a secret key ID and check that only zero or one ID is provided,
83 # and that it corresponds to only a single secret key ID
84 check_gpg_sec_key_id() {
89 gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:')
92 gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons "$1" | egrep '^sec:') || failure
95 failure "You must specify only a single primary key ID."
99 # check that only a single secret key was found
100 case $(echo "$gpgSecOut" | grep -c '^sec:') in
102 failure "No secret keys found. Create an OpenPGP key with the following command:
106 echo "$gpgSecOut" | cut -d: -f5
109 local seckeys=$(echo "$gpgSecOut" | cut -d: -f5)
110 failure "Multiple primary secret keys found:
112 Please specify which primary key to use."
117 # check that a valid authentication subkey does not already exist
118 check_gpg_authentication_subkey() {
128 # check that a valid authentication key does not already exist
130 for line in $(gpg_user --fixed-list-mode --list-keys --with-colons "$keyID") ; do
131 type=$(echo "$line" | cut -d: -f1)
132 validity=$(echo "$line" | cut -d: -f2)
133 usage=$(echo "$line" | cut -d: -f12)
136 if [ "$type" != 'pub' -a "$type" != 'sub' ] ; then
139 # check for authentication capability
140 if ! check_capability "$usage" 'a' ; then
143 # if authentication key is valid, prompt to continue
144 if [ "$validity" = 'u' ] ; then
145 echo "A valid authentication key already exists for primary key '$keyID'." 1>&2
146 if [ "$PROMPT" = "true" ] ; then
147 printf "Are you sure you would like to generate another one? (y/N) " >&2
149 if [ "${OK/y/Y}" != 'Y' ] ; then
160 ########################################################################
162 ########################################################################
164 # set unset default variables
165 GNUPGHOME=${GNUPGHOME:="${HOME}/.gnupg"}
166 KNOWN_HOSTS="${HOME}/.ssh/known_hosts"
167 HASH_KNOWN_HOSTS="true"
168 AUTHORIZED_KEYS="${HOME}/.ssh/authorized_keys"
170 # unset the check keyserver variable, since that needs to have
171 # different defaults for the different functions
172 unset CHECK_KEYSERVER
175 [ -r "${SYSCONFIGDIR}/monkeysphere.conf" ] \
176 && . "${SYSCONFIGDIR}/monkeysphere.conf"
178 # set monkeysphere home directory
179 MONKEYSPHERE_HOME=${MONKEYSPHERE_HOME:="${HOME}/.monkeysphere"}
180 mkdir -p -m 0700 "$MONKEYSPHERE_HOME"
183 [ -e ${MONKEYSPHERE_CONFIG:="${MONKEYSPHERE_HOME}/monkeysphere.conf"} ] \
184 && . "$MONKEYSPHERE_CONFIG"
186 # set empty config variables with ones from the environment
187 GNUPGHOME=${MONKEYSPHERE_GNUPGHOME:=$GNUPGHOME}
188 LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL}
189 KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER}
190 # if keyserver not specified in env or conf, then look in gpg.conf
191 if [ -z "$KEYSERVER" ] ; then
192 if [ -f "${GNUPGHOME}/gpg.conf" ] ; then
193 KEYSERVER=$(grep -e "^[[:space:]]*keyserver " "${GNUPGHOME}/gpg.conf" | tail -1 | awk '{ print $2 }')
196 PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT}
197 # check the known_hosts file
198 if [ "$MONKEYSPHERE_KNOWN_HOSTS" ] ; then
199 if [ -f "$MONKEYSPHERE_KNOWN_HOSTS" ] ; then
200 KNOWN_HOSTS="$MONKEYSPHERE_KNOWN_HOSTS"
202 failure "specified monkeysphere known_hosts file '$MONKEYSPHERE_KNOWN_HOSTS' does not exist."
205 [ -d $(dirname "$KNOWN_HOSTS") ] \
206 || mkdir -m 0700 $(dirname "$KNOWN_HOSTS")
207 [ -f "$KNOWN_HOSTS" ] \
208 || touch "$KNOWN_HOSTS"
209 HASH_KNOWN_HOSTS=${MONKEYSPHERE_HASH_KNOWN_HOSTS:=$HASH_KNOWN_HOSTS}
210 AUTHORIZED_KEYS=${MONKEYSPHERE_AUTHORIZED_KEYS:=$AUTHORIZED_KEYS}
212 # other variables not in config file
213 AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:="${MONKEYSPHERE_HOME}/authorized_user_ids"}
214 REQUIRED_HOST_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_HOST_KEY_CAPABILITY:="a"}
215 REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
216 # note that only using '=' instead of ':=' tests only if the variable
217 # in unset, not if it's "null"
218 LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX='ms: '}
220 # export GNUPGHOME and make sure gpg home exists with proper
223 mkdir -p -m 0700 "$GNUPGHOME"
228 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
232 'update-known_hosts'|'update-known-hosts'|'k')
233 # whether or not to check keyservers
234 CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}}
236 # if hosts are specified on the command line, process just
239 update_known_hosts "$@"
241 # otherwise, if no hosts are specified, process every host
242 # in the user's known_hosts file
248 'update-authorized_keys'|'update-authorized-keys'|'a')
249 # whether or not to check keyservers
250 CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}}
252 # process authorized_user_ids file
253 process_authorized_user_ids "$AUTHORIZED_USER_IDS"
257 source "${MSHAREDIR}/import_subkey"
262 source "${MSHAREDIR}/gen_subkey"
266 'ssh-proxycommand'|'p')
267 source "${MSHAREDIR}/ssh_proxycommand"
268 ssh_proxycommand "$@"
271 'subkey-to-ssh-agent'|'s')
272 source "${MSHAREDIR}/subkey_to_ssh_agent"
273 subkey_to_ssh_agent "$@"
277 gpg_ssh_fingerprint "$@"
284 '--help'|'help'|'-h'|'h'|'?')
289 failure "Unknown command: '$COMMAND'
290 Type '$PGRM help' for usage."