src/monkeysphere-server

   1 #!/bin/sh
   2
   3 # monkeysphere-server: MonkeySphere server admin tool
   4 #
   5 # The monkeysphere scripts are written by:
   6 # Jameson Rollins <jrollins@fifthhorseman.net>
   7 #
   8 # They are Copyright 2008, and are all released under the GPL, version 3
   9 # or later.
  10
  11 ########################################################################
  12 PGRM=$(basename $0)
  13
  14 SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
  15 export SHAREDIR
  16 . "${SHAREDIR}/common"
  17
  18 # date in UTF format if needed
  19 DATE=$(date -u '+%FT%T')
  20
  21 # unset some environment variables that could screw things up
  22 GREP_OPTIONS=
  23
  24 ########################################################################
  25 # FUNCTIONS
  26 ########################################################################
  27
  28 usage() {
  29 cat <<EOF
  30 usage: $PGRM <subcommand> [args]
  31 Monkeysphere server admin tool.
  32
  33 subcommands:
  34   update-users (s) [USER]...                 update user authorized_keys file
  35   gen-key (g)                                generate gpg key for the server
  36   publish-key (p)                            publish server gpg to keyserver
  37   trust-key (t) KEYID [KEYID]...             mark keyid as trusted
  38   update-user-userids (u) USER UID [UID]...  add/update userid for user
  39   help (h,?)                                 this help
  40
  41 EOF
  42 }
  43
  44 # generate server gpg key
  45 gen_key() {
  46     KEY_TYPE=${KEY_TYPE:-RSA}
  47     KEY_LENGTH=${KEY_LENGTH:-2048}
  48     KEY_USAGE=${KEY_USAGE:-encrypt,auth}
  49     SERVICE=${SERVICE:-ssh}
  50     HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)}
  51
  52     USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"}
  53
  54     echo "key parameters:"
  55     cat <<EOF
  56 Key-Type: $KEY_TYPE
  57 Key-Length: $KEY_LENGTH
  58 Key-Usage: $KEY_USAGE
  59 Name-Real: $USERID
  60 EOF
  61
  62     read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
  63     if [ ${OK/y/Y} != 'Y' ] ; then
  64         failure "aborting."
  65     fi
  66
  67     if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
  68         failure "key for '$USERID' already exists"
  69     fi
  70
  71     echo "generating server key..."
  72     gpg --batch --gen-key <<EOF
  73 Key-Type: $KEY_TYPE
  74 Key-Length: $KEY_LENGTH
  75 Key-Usage: $KEY_USAGE
  76 Name-Real: $USERID
  77 %commit
  78 EOF
  79 }
  80
  81 # publish server key to keyserver
  82 publish_key() {
  83     read -p "publish key to $KEYSERVER? [Y|n]: " OK; OK=${OK:=Y}
  84     if [ ${OK/y/Y} != 'Y' ] ; then
  85         failure "aborting."
  86     fi
  87
  88     keyID=$(gpg --list-key --with-colons ="$USERID" 2> /dev/null | grep '^pub:' | cut -d: -f5)
  89
  90     # dummy command so as not to publish fakes keys during testing
  91     # eventually:
  92     #gpg --send-keys --keyserver "$KEYSERVER" "$keyID"
  93     echo "gpg --send-keys --keyserver $KEYSERVER $keyID"
  94 }
  95
  96 ########################################################################
  97 # MAIN
  98 ########################################################################
  99
 100 COMMAND="$1"
 101 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
 102 shift
 103
 104 # set ms home directory
 105 MS_HOME=${MS_HOME:-"$ETC"}
 106
 107 # load configuration file
 108 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
 109 [ -e "$MS_CONF" ] && . "$MS_CONF"
 110
 111 # set empty config variable with defaults
 112 GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg}
 113 KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
 114 REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"}
 115 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys}
 116 STAGING_AREA=${STAGING_AREA:-"$LIB"/stage}
 117
 118 export GNUPGHOME
 119
 120 # make sure gpg home exists with proper permissions
 121 mkdir -p -m 0700 "$GNUPGHOME"
 122
 123 case $COMMAND in
 124     'update-users'|'s')
 125         if [ "$1" ] ; then
 126             unames="$@"
 127         else
 128             unames=$(ls -1 "$MS_HOME"/authorized_user_ids)
 129         fi
 130
 131         for uname in $unames ; do
 132             MODE="authorized_keys"
 133             authorizedUserIDs="$MS_HOME"/authorized_user_ids/"$uname"
 134             cacheDir="$STAGING_AREA"/"$uname"/user_keys
 135             msAuthorizedKeys="$STAGING_AREA"/"$uname"/authorized_keys
 136
 137             # make sure authorized_user_ids file exists
 138             if [ ! -s "$authorizedUserIDs" ] ; then
 139                 log "authorized_user_ids file for '$uname' is empty or does not exist."
 140                 continue
 141             fi
 142
 143             log "processing authorized_keys for user '$uname'..."
 144
 145             process_authorized_ids "$authorizedUserIDs" "$cacheDir"
 146
 147             # write output key file
 148             log "writing monkeysphere authorized_keys file... "
 149             touch "$msAuthorizedKeys"
 150             if [ "$(ls "$cacheDir")" ] ; then
 151                 log -n "adding gpg keys... "
 152                 cat "$cacheDir"/* > "$msAuthorizedKeys"
 153                 echo "done."
 154             else
 155                 log "no gpg keys to add."
 156             fi
 157             if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then
 158                 userHome=$(getent passwd "$uname" | cut -d: -f6)
 159                 userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
 160                 if [ -s "$userAuthorizedKeys" ] ; then
 161                     log -n "adding user authorized_keys file... "
 162                     cat "$userAuthorizedKeys" >> "$msAuthorizedKeys"
 163                     echo "done."
 164                 fi
 165             fi
 166             log "monkeysphere authorized_keys file generated:"
 167             log "$msAuthorizedKeys"
 168         done
 169         ;;
 170
 171     'gen-key'|'g')
 172         gen_key
 173         ;;
 174
 175     'publish-key'|'p')
 176         publish_key
 177         ;;
 178
 179     'trust-key'|'t')
 180         if [ -z "$1" ] ; then
 181             failure "you must specify at least one key to trust."
 182         fi
 183         for keyID ; do
 184             trust_key "$keyID"
 185         done
 186         ;;
 187
 188     'update-user-userids'|'u')
 189         uname="$1"
 190         shift
 191         if [ -z "$uname" ] ; then
 192             failure "you must specify user."
 193         fi
 194         if [ -z "$1" ] ; then
 195             failure "you must specify at least one userid."
 196         fi
 197         AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
 198         userKeysCacheDir="$STAGING_AREA"/"$uname"/user_keys
 199         for userID ; do
 200             update_userid "$userID" "$userKeysCacheDir"
 201         done
 202         ;;
 203
 204     'help'|'h'|'?')
 205         usage
 206         ;;
 207
 208     *)
 209         failure "Unknown command: '$COMMAND'
 210 Type 'cereal-admin help' for usage."
 211         ;;
 212 esac