3 # monkeysphere-server: MonkeySphere server admin tool
5 # The monkeysphere scripts are written by:
6 # Jameson Rollins <jrollins@fifthhorseman.net>
8 # They are Copyright 2008, and are all released under the GPL, version 3
11 ########################################################################
14 SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
16 . "${SHAREDIR}/common"
18 # date in UTF format if needed
19 DATE=$(date -u '+%FT%T')
21 # unset some environment variables that could screw things up
24 ########################################################################
26 ########################################################################
30 usage: $PGRM <subcommand> [args]
31 Monkeysphere server admin tool.
34 update-users (s) [USER]... update user authorized_keys file
35 gen-key (g) generate gpg key for the server
36 publish-key (p) publish server gpg to keyserver
37 trust-key (t) KEYID [KEYID]... mark keyid as trusted
38 update-user-userids (u) USER UID [UID]... add/update userid for user
44 # generate server gpg key
46 KEY_TYPE=${KEY_TYPE:-RSA}
47 KEY_LENGTH=${KEY_LENGTH:-2048}
48 KEY_USAGE=${KEY_USAGE:-encrypt,auth}
49 SERVICE=${SERVICE:-ssh}
50 HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)}
52 USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"}
54 echo "key parameters:"
57 Key-Length: $KEY_LENGTH
62 read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
63 if [ ${OK/y/Y} != 'Y' ] ; then
67 if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
68 failure "key for '$USERID' already exists"
71 echo "generating server key..."
72 gpg --batch --gen-key <<EOF
74 Key-Length: $KEY_LENGTH
81 # publish server key to keyserver
83 read -p "publish key to $KEYSERVER? [Y|n]: " OK; OK=${OK:=Y}
84 if [ ${OK/y/Y} != 'Y' ] ; then
88 keyID=$(gpg --list-key --with-colons ="$USERID" 2> /dev/null | grep '^pub:' | cut -d: -f5)
90 # dummy command so as not to publish fakes keys during testing
92 #gpg --send-keys --keyserver "$KEYSERVER" "$keyID"
93 echo "gpg --send-keys --keyserver $KEYSERVER $keyID"
96 ########################################################################
98 ########################################################################
101 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
104 # set ms home directory
105 MS_HOME=${MS_HOME:-"$ETC"}
107 # load configuration file
108 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
109 [ -e "$MS_CONF" ] && . "$MS_CONF"
111 # set empty config variable with defaults
112 GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg}
113 KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
114 REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"}
115 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys}
116 STAGING_AREA=${STAGING_AREA:-"$LIB"/stage}
120 # make sure gpg home exists with proper permissions
121 mkdir -p -m 0700 "$GNUPGHOME"
128 unames=$(ls -1 "$MS_HOME"/authorized_user_ids)
131 for uname in $unames ; do
132 MODE="authorized_keys"
133 authorizedUserIDs="$MS_HOME"/authorized_user_ids/"$uname"
134 cacheDir="$STAGING_AREA"/"$uname"/user_keys
135 msAuthorizedKeys="$STAGING_AREA"/"$uname"/authorized_keys
137 # make sure authorized_user_ids file exists
138 if [ ! -s "$authorizedUserIDs" ] ; then
139 log "authorized_user_ids file for '$uname' is empty or does not exist."
143 log "processing authorized_keys for user '$uname'..."
145 process_authorized_ids "$authorizedUserIDs" "$cacheDir"
147 # write output key file
148 log "writing monkeysphere authorized_keys file... "
149 touch "$msAuthorizedKeys"
150 if [ "$(ls "$cacheDir")" ] ; then
151 log -n "adding gpg keys... "
152 cat "$cacheDir"/* > "$msAuthorizedKeys"
155 log "no gpg keys to add."
157 if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then
158 userHome=$(getent passwd "$uname" | cut -d: -f6)
159 userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
160 if [ -s "$userAuthorizedKeys" ] ; then
161 log -n "adding user authorized_keys file... "
162 cat "$userAuthorizedKeys" >> "$msAuthorizedKeys"
166 log "monkeysphere authorized_keys file generated:"
167 log "$msAuthorizedKeys"
180 if [ -z "$1" ] ; then
181 failure "you must specify at least one key to trust."
188 'update-user-userids'|'u')
191 if [ -z "$uname" ] ; then
192 failure "you must specify user."
194 if [ -z "$1" ] ; then
195 failure "you must specify at least one userid."
197 AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
198 userKeysCacheDir="$STAGING_AREA"/"$uname"/user_keys
200 update_userid "$userID" "$userKeysCacheDir"
209 failure "Unknown command: '$COMMAND'
210 Type 'cereal-admin help' for usage."