3 # monkeysphere-server: MonkeySphere server admin tool
5 # The monkeysphere scripts are written by:
6 # Jameson Rollins <jrollins@fifthhorseman.net>
8 # They are Copyright 2008, and are all released under the GPL, version 3
11 ########################################################################
14 SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
16 . "${SHAREDIR}/common"
18 # date in UTF format if needed
19 DATE=$(date -u '+%FT%T')
21 # unset some environment variables that could screw things up
24 ########################################################################
26 ########################################################################
30 usage: $PGRM <subcommand> [args]
31 MonkeySphere server admin tool.
34 gen-key (g) [HOSTNAME] generate gpg key for the server
35 show-fingerprint (f) show server's host key fingerprint
36 publish-key (p) publish server key to keyserver
37 trust-keys (t) KEYID... mark keyids as trusted
39 update-users (s) [USER]... update users authorized_keys files
40 update-user-userids (u) USER UID... add/update user IDs for a user
41 remove-user-userids (r) USER UID... remove user IDs for a user
47 # generate server gpg key
51 hostName=${1:-$(hostname --fqdn)}
54 KEY_TYPE=${KEY_TYPE:-"RSA"}
55 KEY_LENGTH=${KEY_LENGTH:-"2048"}
56 KEY_USAGE=${KEY_USAGE:-"auth"}
58 Please specify how long the key should be valid.
59 0 = key does not expire
60 <n> = key expires in n days
61 <n>w = key expires in n weeks
62 <n>m = key expires in n months
63 <n>y = key expires in n years
65 read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"}
67 SERVICE=${SERVICE:-"ssh"}
68 USERID=${USERID:-"$SERVICE"://"$hostName"}
71 keyParameters=$(cat <<EOF
73 Key-Length: $KEY_LENGTH
80 # add the revoker field if requested
81 # FIXME: the 1: below assumes that $REVOKER's key is an RSA key. why?
82 # FIXME: why is this marked "sensitive"? how will this signature ever
83 # be transmitted to the expected revoker?
84 if [ "$REVOKER" ] ; then
85 keyParameters="${keyParameters}"$(cat <<EOF
87 Revoker: 1:$REVOKER sensitive
92 echo "The following key parameters will be used:"
95 read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
96 if [ ${OK/y/Y} != 'Y' ] ; then
100 if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
101 failure "key for '$USERID' already exists"
105 keyParameters="${keyParameters}"$(cat <<EOF
112 log -n "generating server key... "
113 echo "$keyParameters" | gpg --batch --gen-key
115 fingerprint_server_key
118 fingerprint_server_key() {
119 gpg --fingerprint --list-secret-keys =ssh://$(hostname --fqdn)
122 ########################################################################
124 ########################################################################
127 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
130 # set ms home directory
131 MS_HOME=${MS_HOME:-"$ETC"}
133 # load configuration file
134 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
135 [ -e "$MS_CONF" ] && . "$MS_CONF"
137 # set empty config variable with defaults
138 GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
139 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
140 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
141 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
142 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
146 # make sure the monkeysphere home directory exists
147 mkdir -p "${MS_HOME}/authorized_user_ids"
148 # make sure gpg home exists with proper permissions
149 mkdir -p -m 0700 "$GNUPGHOME"
150 # make sure the authorized_keys directory exists
151 mkdir -p "${CACHE}/authorized_keys"
154 'update-users'|'update-user'|'s')
158 unames=$(ls -1 "${MS_HOME}/authorized_user_ids")
161 for uname in $unames ; do
162 MODE="authorized_keys"
164 log "----- user: $uname -----"
166 # set variables for the user
167 AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}"
168 # temporary authorized_keys file
169 AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp"
171 # make sure user's authorized_user_ids file exists
172 touch "$AUTHORIZED_USER_IDS"
173 # make sure the authorized_keys file exists and is clear
176 # skip if the user's authorized_user_ids file is empty
177 if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
178 log "authorized_user_ids file for '$uname' is empty."
182 # process authorized_user_ids file
183 log "processing authorized_user_ids file..."
184 process_authorized_user_ids
186 # add user-controlled authorized_keys file path if specified
187 if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
188 userHome=$(getent passwd "$uname" | cut -d: -f6)
189 userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
190 log -n "adding user's authorized_keys file... "
191 cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
195 # move the temp authorized_keys file into place
196 mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}"
198 log "authorized_keys file updated."
201 log "----- done. -----"
208 'show-fingerprint'|'f')
209 fingerprint_server_key
216 'trust-keys'|'trust-key'|'t')
217 if [ -z "$1" ] ; then
218 failure "You must specify at least one key to trust."
227 'update-user-userids'|'update-user-userid'|'u')
230 if [ -z "$uname" ] ; then
231 failure "You must specify user."
233 if [ -z "$1" ] ; then
234 failure "You must specify at least one user ID."
237 # set variables for the user
238 AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
240 # make sure user's authorized_user_ids file exists
241 touch "$AUTHORIZED_USER_IDS"
243 # process the user IDs
245 update_userid "$userID"
248 log "Run the following to update user's authorized_keys file:"
249 log "$PGRM update-users $uname"
252 'remove-user-userids'|'remove-user-userid'|'r')
255 if [ -z "$uname" ] ; then
256 failure "You must specify user."
258 if [ -z "$1" ] ; then
259 failure "You must specify at least one user ID."
262 # set variables for the user
263 AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
265 # make sure user's authorized_user_ids file exists
266 touch "$AUTHORIZED_USER_IDS"
268 # process the user IDs
270 remove_userid "$userID"
273 log "Run the following to update user's authorized_keys file:"
274 log "$PGRM update-users $uname"
282 failure "Unknown command: '$COMMAND'
283 Type '$PGRM help' for usage."