3 # monkeysphere-server: MonkeySphere server admin tool
5 # The monkeysphere scripts are written by:
6 # Jameson Rollins <jrollins@fifthhorseman.net>
8 # They are Copyright 2008, and are all released under the GPL, version 3
11 ########################################################################
# Root of the shared monkeysphere scripts; an exported SHAREDIR overrides the
# packaged location.
: "${SHAREDIR:=/usr/share/monkeysphere}"
# Load the helpers shared by the monkeysphere tools.
. "${SHAREDIR}/common"
# Timestamp of this run in UTC, ISO-8601 date and time (YYYY-MM-DDTHH:MM:SS).
DATE="$(date -u '+%FT%T')"
21 # unset some environment variables that could screw things up
24 ########################################################################
26 ########################################################################
30 usage: $PGRM <subcommand> [args]
31 MonkeySphere server admin tool.
34 update-users (s) [USER]... update users authorized_keys files
35 gen-key (g) [HOSTNAME] generate gpg key for the server
36 publish-key (p) publish server key to keyserver
37 trust-keys (t) KEYID... mark keyids as trusted
38 update-user-userids (u) USER UID... add/update user IDs for a user
39 remove-user-userids (r) USER UID... remove user IDs for a user
# generate server gpg key
#
# Builds a GnuPG batch-mode parameter block from the host name, the
# KEY_* / EXPIRE / SERVICE / USERID / REVOKER settings and two interactive
# prompts, refuses to proceed if a key for the resulting user ID already
# exists, then runs `gpg --batch --gen-key` and prints the new key's
# fingerprint.
# Arguments: $1 - host name to embed in the user ID (optional)
  # Host name for the key's user ID; defaults to the local FQDN.
  hostName=${1:-$(hostname --fqdn)}

  # Key parameters; each may be preset in the environment or the config
  # file, otherwise these script defaults apply.
  KEY_TYPE=${KEY_TYPE:-"RSA"}
  KEY_LENGTH=${KEY_LENGTH:-"2048"}
  KEY_USAGE=${KEY_USAGE:-"auth"}
  # Help text for the expiry prompt (here-document body, emitted verbatim).
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
  # Prompt for the validity period; an empty answer means "never expires"
  # (0).  Any preset EXPIRE value is shown in the prompt.
  # NOTE(review): read without -r interprets backslashes in the answer.
  read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"}

  # Service and user ID; the default user ID has the form <service>://<host>.
  SERVICE=${SERVICE:-"ssh"}
  USERID=${USERID:-"$SERVICE"://"$hostName"}

  # Start the gpg batch parameter block (here-document body).
  keyParameters=$(cat <<EOF
Key-Length: $KEY_LENGTH
  # add the revoker field if requested
  # FIXME: the 1: below assumes that $REVOKER's key is an RSA key. why?
  # FIXME: why is this marked "sensitive"? how will this signature ever
  # be transmitted to the expected revoker?
  if [ "$REVOKER" ] ; then
    keyParameters="${keyParameters}"$(cat <<EOF
Revoker: 1:$REVOKER sensitive
  # Show the assembled parameters and ask for confirmation; an empty
  # answer counts as "Y".
  echo "The following key parameters will be used:"
  read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
  # Accept "y" or "Y"; anything else aborts.
  # NOTE(review): ${OK/y/Y} is unquoted inside [ ], so an answer containing
  # whitespace makes the test malformed; quoting it would be safer.
  if [ ${OK/y/Y} != 'Y' ] ; then
  # Refuse to clobber an existing key; gpg's leading '=' asks for an exact
  # user-ID match rather than a substring match.
  if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
    failure "key for '$USERID' already exists"
  # Append the rest of the parameter block (here-document body).
  keyParameters="${keyParameters}"$(cat <<EOF
  # Feed the parameter block to gpg in batch mode, then show the result.
  log -n "generating server key... "
  echo "$keyParameters" | gpg --batch --gen-key
  fingerprint_server_key
# Print the fingerprint of the server's secret key: the key whose user ID
# exactly matches ssh://<local FQDN> (gpg's leading '=' forces an exact
# user-ID match).  Output goes to stdout; the gpg exit status is returned.
fingerprint_server_key() {
  # NOTE(review): the $(hostname --fqdn) substitution is unquoted; a host
  # name contains no whitespace in practice, but quoting would be safer.
  gpg --fingerprint --list-secret-keys =ssh://$(hostname --fqdn)
120 ########################################################################
122 ########################################################################
# A subcommand is mandatory; COMMAND is expected to have been set from the
# arguments already.
[ "$COMMAND" ] || failure "Type '$PGRM help' for usage."

# set ms home directory (ETC is not set in this file; presumably it comes
# from the sourced common file)
MS_HOME=${MS_HOME:-"$ETC"}

# load configuration file
# NOTE(review): the config file is executed as shell code with this tool's
# privileges; it must not be writable by unprivileged users.
MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
[ -e "$MS_CONF" ] && . "$MS_CONF"

# set empty config variable with defaults
GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
# ':=' here (versus ':-' elsewhere) also assigns during the expansion; the
# net effect is the same because the value is reassigned anyway.
CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
# '%h' in this path is replaced with the user's home directory; '-'
# disables the user-controlled file (see update-users).
USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}

# make sure the monkeysphere home directory exists
mkdir -p "${MS_HOME}/authorized_user_ids"
# make sure gpg home exists with proper permissions (0700, owner only)
mkdir -p -m 0700 "$GNUPGHOME"
# make sure the authorized_keys directory exists (CACHE is not set in this
# file; presumably it comes from the sourced common file)
# NOTE(review): no mode is given, so permissions follow the umask; sshd with
# StrictModes rejects an authorized_keys file under a group- or
# world-writable directory — confirm the effective permissions.
mkdir -p "${CACHE}/authorized_keys"
  'update-users'|'update-user'|'s')
    # With no users given, process every user that has an
    # authorized_user_ids file.
    # NOTE(review): parsing ls output and word-splitting $unames below
    # breaks on user names containing whitespace; a glob over the
    # directory would be more robust.
    unames=$(ls -1 "${MS_HOME}/authorized_user_ids")

    for uname in $unames ; do
      # MODE is presumably read by the helpers invoked below; not visible here.
      MODE="authorized_keys"

      log "----- user: $uname -----"

      # set variables for the user
      AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}"
      # temporary authorized_keys file; moved into place once complete so
      # sshd never reads a partially written file
      AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp"

      # make sure user's authorized_user_ids file exists
      touch "$AUTHORIZED_USER_IDS"
      # make sure the authorized_keys file exists and is clear

      # skip if the user's authorized_user_ids file is empty
      if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
        log "authorized_user_ids file for '$uname' is empty."

      # process authorized_user_ids file (helper from the shared code;
      # presumably appends the resolved keys to $AUTHORIZED_KEYS)
      log "processing authorized_user_ids file..."
      process_authorized_user_ids

      # add user-controlled authorized_keys file path if specified
      # ('%h' in the configured path stands for the user's home directory)
      if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
        userHome=$(getent passwd "$uname" | cut -d: -f6)
        userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
        log -n "adding user's authorized_keys file... "
        # NOTE(review): this reads a user-controlled path with this tool's
        # privileges and appends it verbatim; nothing here checks that it
        # is a regular file owned by the user (not a symlink) — confirm
        # that a caller does, or add such a check before the cat.
        cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"

      # move the temp authorized_keys file into place (rename within the
      # same directory, so the swap is atomic)
      mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}"

      log "authorized_keys file updated."

    log "----- done. -----"
  'show-fingerprint'|'f')
    # Print the server key's fingerprint (see fingerprint_server_key).
    fingerprint_server_key

  'trust-keys'|'trust-key'|'t')
    # At least one key ID is required; the trust operation follows.
    if [ -z "$1" ] ; then
      failure "You must specify at least one key to trust."

  'update-user-userids'|'update-user-userid'|'u')
    # Per the usage text, uname holds the USER argument and the remaining
    # arguments are user IDs; both are mandatory.
    if [ -z "$uname" ] ; then
      failure "You must specify user."
    if [ -z "$1" ] ; then
      failure "You must specify at least one user ID."

    # set variables for the user
    AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"

    # make sure user's authorized_user_ids file exists
    touch "$AUTHORIZED_USER_IDS"

    # process the user IDs (update_userid comes from the shared code and
    # presumably edits $AUTHORIZED_USER_IDS)
    update_userid "$userID"

    # the authorized_keys file is not rebuilt here; point the admin at the
    # subcommand that does it
    log "Run the following to update user's authorized_keys file:"
    log "$PGRM update-users $uname"

  'remove-user-userids'|'remove-user-userid'|'r')
    # Mirror of update-user-userids: USER plus one or more user IDs.
    if [ -z "$uname" ] ; then
      failure "You must specify user."
    if [ -z "$1" ] ; then
      failure "You must specify at least one user ID."

    # set variables for the user
    AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"

    # make sure user's authorized_user_ids file exists
    touch "$AUTHORIZED_USER_IDS"

    # process the user IDs (remove_userid comes from the shared code and
    # presumably edits $AUTHORIZED_USER_IDS)
    remove_userid "$userID"

    # the authorized_keys file is not rebuilt here; point the admin at the
    # subcommand that does it
    log "Run the following to update user's authorized_keys file:"
    log "$PGRM update-users $uname"

    # any other subcommand is an error (the message spans two lines)
    failure "Unknown command: '$COMMAND'
Type '$PGRM help' for usage."