3 # monkeysphere-server: MonkeySphere server admin tool
5 # The monkeysphere scripts are written by:
6 # Jameson Rollins <jrollins@fifthhorseman.net>
8 # They are Copyright 2008, and are all released under the GPL, version 3
11 ########################################################################
14 SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
16 . "${SHAREDIR}/common"
18 # date in UTF format if needed
19 DATE=$(date -u '+%FT%T')
21 # unset some environment variables that could screw things up
24 ########################################################################
26 ########################################################################
30 usage: $PGRM <subcommand> [args]
31 MonkeySphere server admin tool.
34 update-users (s) [USER]... update users authorized_keys files
35 gen-key (g) [HOSTNAME] generate gpg key for the server
36 show-fingerprint (f) show server's host key fingerprint
37 publish-key (p) publish server key to keyserver
38 trust-keys (t) KEYID... mark keyids as trusted
44 # generate server gpg key
48 hostName=${1:-$(hostname --fqdn)}
51 KEY_TYPE=${KEY_TYPE:-"RSA"}
52 KEY_LENGTH=${KEY_LENGTH:-"2048"}
53 KEY_USAGE=${KEY_USAGE:-"auth"}
55 Please specify how long the key should be valid.
56 0 = key does not expire
57 <n> = key expires in n days
58 <n>w = key expires in n weeks
59 <n>m = key expires in n months
60 <n>y = key expires in n years
62 read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"}
64 SERVICE=${SERVICE:-"ssh"}
65 USERID=${USERID:-"$SERVICE"://"$hostName"}
68 keyParameters=$(cat <<EOF
70 Key-Length: $KEY_LENGTH
77 # add the revoker field if requested
78 # FIXME: the 1: below assumes that $REVOKER's key is an RSA key. why?
79 # FIXME: why is this marked "sensitive"? how will this signature ever
80 # be transmitted to the expected revoker?
81 if [ "$REVOKER" ] ; then
82 keyParameters="${keyParameters}"$(cat <<EOF
84 Revoker: 1:$REVOKER sensitive
89 echo "The following key parameters will be used:"
92 read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
93 if [ ${OK/y/Y} != 'Y' ] ; then
97 if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
98 failure "key for '$USERID' already exists"
102 keyParameters="${keyParameters}"$(cat <<EOF
109 log -n "generating server key... "
110 echo "$keyParameters" | gpg --batch --gen-key
112 fingerprint_server_key
115 fingerprint_server_key() {
116 gpg --fingerprint --list-secret-keys =ssh://$(hostname --fqdn)
119 ########################################################################
121 ########################################################################
124 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
127 # set ms home directory
128 MS_HOME=${MS_HOME:-"$ETC"}
130 # load configuration file
131 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
132 [ -e "$MS_CONF" ] && . "$MS_CONF"
134 # set empty config variable with defaults
135 GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
136 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
137 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
138 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
139 AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
140 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
144 # make sure the monkeysphere home directory exists
145 mkdir -p "${MS_HOME}/authorized_user_ids"
146 # make sure gpg home exists with proper permissions
147 mkdir -p -m 0700 "$GNUPGHOME"
148 # make sure the authorized_keys directory exists
149 mkdir -p "${CACHE}/authorized_keys"
152 'update-users'|'update-user'|'s')
154 # get users from command line
157 # or just look at all users if none specified
158 unames=$(getent passwd | cut -d: -f1)
162 for uname in $unames ; do
163 MODE="authorized_keys"
165 # check all specified users exist
166 if ! getent passwd | cut -d: -f1 | grep -q "^${uname}$" ; then
167 error "----- unknown user '$uname' -----"
171 # set authorized_user_ids variable,
172 # translate ssh-style path variables
173 authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
175 # skip user if authorized_user_ids file does not exist
176 if [ ! -f "$authorizedUserIDs" ] ; then
180 log "----- user: $uname -----"
182 # temporary authorized_keys file
183 AUTHORIZED_KEYS=$(mktemp)
185 # skip if the user's authorized_user_ids file is empty
186 if [ ! -s "$authorizedUserIDs" ] ; then
187 log "authorized_user_ids file '$authorizedUserIDs' is empty."
191 # process authorized_user_ids file
192 log "processing authorized_user_ids file..."
193 process_authorized_user_ids "$authorizedUserIDs"
195 # add user-controlled authorized_keys file path if specified
196 if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
197 userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
198 if [ -f "$userAuthorizedKeys" ] ; then
199 log -n "adding user's authorized_keys file... "
200 cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
205 # move the temp authorized_keys file into place
206 mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
208 log "authorized_keys file updated."
216 'show-fingerprint'|'f')
217 fingerprint_server_key
224 'trust-keys'|'trust-key'|'t')
225 if [ -z "$1" ] ; then
226 failure "You must specify at least one key to trust."
240 failure "Unknown command: '$COMMAND'
241 Type '$PGRM help' for usage."