3 # monkeysphere-server: MonkeySphere server admin tool
5 # The monkeysphere scripts are written by:
6 # Jameson Rollins <jrollins@fifthhorseman.net>
8 # They are Copyright 2008, and are all released under the GPL, version 3
11 ########################################################################
14 SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
16 . "${SHAREDIR}/common"
18 # date in UTF format if needed
19 DATE=$(date -u '+%FT%T')
21 # unset some environment variables that could screw things up
24 ########################################################################
26 ########################################################################
30 usage: $PGRM <subcommand> [args]
31 MonkeySphere server admin tool.
34 update-users (s) [USER]... update users authorized_keys files
35 gen-key (g) [HOSTNAME] generate gpg key for the server
36 show-fingerprint (f) show server's host key fingerprint
37 publish-key (p) publish server key to keyserver
38 trust-keys (t) KEYID... mark keyids as trusted
44 # generate server gpg key
48 hostName=${1:-$(hostname --fqdn)}
49 service=${SERVICE:-"ssh"}
50 userID="${service}://${hostName}"
52 if gpg --list-key ="$userID" > /dev/null 2>&1 ; then
53 failure "Key for '$userID' already exists"
57 KEY_TYPE=${KEY_TYPE:-"RSA"}
58 KEY_LENGTH=${KEY_LENGTH:-"2048"}
59 KEY_USAGE=${KEY_USAGE:-"auth"}
60 KEY_EXPIRE=${KEY_EXPIRE:-"0"}
62 Please specify how long the key should be valid.
63 0 = key does not expire
64 <n> = key expires in n days
65 <n>w = key expires in n weeks
66 <n>m = key expires in n months
67 <n>y = key expires in n years
69 read -p "Key is valid for? ($KEY_EXPIRE) " KEY_EXPIRE; KEY_EXPIRE=${KEY_EXPIRE:-"0"}
72 keyParameters=$(cat <<EOF
74 Key-Length: $KEY_LENGTH
77 Expire-Date: $KEY_EXPIRE
81 # add the revoker field if requested
82 # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key. why?
83 # FIXME: why is this marked "sensitive"? how will this signature ever
84 # be transmitted to the expected revoker?
85 if [ "$REVOKER" ] ; then
86 keyParameters="${keyParameters}"$(cat <<EOF
88 Revoker: 1:$REVOKER sensitive
93 echo "The following key parameters will be used:"
96 read -p "Generate key? [Y|n]: " OK; OK=${OK:=Y}
97 if [ ${OK/y/Y} != 'Y' ] ; then
102 keyParameters="${keyParameters}"$(cat <<EOF
109 log "generating server key... "
110 echo "$keyParameters" | gpg --batch --gen-key
112 # output the server fingerprint
113 fingerprint_server_key "=${userID}"
115 # find the key fingerprint of the server primary key
116 keyID=$(gpg --list-key --with-colons --with-fingerprint "=${userID}" | \
117 grep '^fpr:' | head -1 | cut -d: -f10)
119 # write the key to the file
120 # NOTE: assumes that the primary key is the proper key to use
121 (umask 077 && gpgsecret2ssh "$keyID" > "${MS_HOME}/ssh_host_rsa_key")
122 log "Private SSH host key output to file: ${MS_HOME}/ssh_host_rsa_key"
125 # gpg output key fingerprint
126 fingerprint_server_key() {
129 if [ -z "$1" ] ; then
132 ID="=ssh://$(hostname --fqdn)"
135 gpg --fingerprint --list-secret-keys "$ID"
138 ########################################################################
140 ########################################################################
143 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
146 # set ms home directory
147 MS_HOME=${MS_HOME:-"$ETC"}
149 # load configuration file
150 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
151 [ -e "$MS_CONF" ] && . "$MS_CONF"
153 # set empty config variable with defaults
154 GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
155 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
156 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
157 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
158 AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
159 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
163 # make sure the monkeysphere home directory exists
164 mkdir -p "${MS_HOME}/authorized_user_ids"
165 # make sure gpg home exists with proper permissions
166 mkdir -p -m 0700 "$GNUPGHOME"
167 # make sure the authorized_keys directory exists
168 mkdir -p "${CACHE}/authorized_keys"
171 'update-users'|'update-user'|'s')
173 # get users from command line
176 # or just look at all users if none specified
177 unames=$(getent passwd | cut -d: -f1)
181 for uname in $unames ; do
182 MODE="authorized_keys"
184 # check all specified users exist
185 if ! getent passwd "$uname" >/dev/null ; then
186 error "----- unknown user '$uname' -----"
190 # set authorized_user_ids variable,
191 # translate ssh-style path variables
192 authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
194 # skip user if authorized_user_ids file does not exist
195 if [ ! -f "$authorizedUserIDs" ] ; then
199 log "----- user: $uname -----"
201 # temporary authorized_keys file
202 AUTHORIZED_KEYS=$(mktemp)
204 # skip if the user's authorized_user_ids file is empty
205 if [ ! -s "$authorizedUserIDs" ] ; then
206 log "authorized_user_ids file '$authorizedUserIDs' is empty."
210 # process authorized_user_ids file
211 log "processing authorized_user_ids file..."
212 process_authorized_user_ids "$authorizedUserIDs"
214 # add user-controlled authorized_keys file path if specified
215 if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
216 userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
217 if [ -f "$userAuthorizedKeys" ] ; then
218 log -n "adding user's authorized_keys file... "
219 cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
224 # move the temp authorized_keys file into place
225 mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
227 log "authorized_keys file updated."
235 'show-fingerprint'|'f')
236 fingerprint_server_key "$@"
243 'trust-keys'|'trust-key'|'t')
244 if [ -z "$1" ] ; then
245 failure "You must specify at least one key to trust."
259 failure "Unknown command: '$COMMAND'
260 Type '$PGRM help' for usage."