3 # monkeysphere-server: MonkeySphere server admin tool
5 # The monkeysphere scripts are written by:
6 # Jameson Rollins <jrollins@fifthhorseman.net>
8 # They are Copyright 2008, and are all released under the GPL, version 3
11 ########################################################################
14 SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
16 . "${SHAREDIR}/common"
18 # date in UTF format if needed
19 DATE=$(date -u '+%FT%T')
21 # unset some environment variables that could screw things up
24 ########################################################################
26 ########################################################################
30 usage: $PGRM <subcommand> [args]
31 MonkeySphere server admin tool.
34 gen-key (g) [HOSTNAME] generate gpg key for the server
35 show-fingerprint (f) show server's host key fingerprint
36 publish-key (p) publish server key to keyserver
37 trust-keys (t) KEYID... mark keyids as trusted
39 update-users (s) [USER]... update users authorized_keys files
40 update-user-userids (u) USER UID... add/update user IDs for a user
41 remove-user-userids (r) USER UID... remove user IDs for a user
47 # generate server gpg key
51 hostName=${1:-$(hostname --fqdn)}
54 KEY_TYPE=${KEY_TYPE:-"RSA"}
55 KEY_LENGTH=${KEY_LENGTH:-"2048"}
56 KEY_USAGE=${KEY_USAGE:-"auth"}
58 Please specify how long the key should be valid.
59 0 = key does not expire
60 <n> = key expires in n days
61 <n>w = key expires in n weeks
62 <n>m = key expires in n months
63 <n>y = key expires in n years
65 read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"}
67 SERVICE=${SERVICE:-"ssh"}
68 USERID=${USERID:-"$SERVICE"://"$hostName"}
71 keyParameters=$(cat <<EOF
73 Key-Length: $KEY_LENGTH
80 # add the revoker field if requested
81 # FIXME: the 1: below assumes that $REVOKER's key is an RSA key. why?
82 # FIXME: why is this marked "sensitive"? how will this signature ever
83 # be transmitted to the expected revoker?
84 if [ "$REVOKER" ] ; then
85 keyParameters="${keyParameters}"$(cat <<EOF
87 Revoker: 1:$REVOKER sensitive
92 echo "The following key parameters will be used:"
95 read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
96 if [ ${OK/y/Y} != 'Y' ] ; then
100 if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
101 failure "key for '$USERID' already exists"
105 keyParameters="${keyParameters}"$(cat <<EOF
112 log -n "generating server key... "
113 echo "$keyParameters" | gpg --batch --gen-key
115 fingerprint_server_key
118 fingerprint_server_key() {
119 gpg --fingerprint --list-secret-keys =ssh://$(hostname --fqdn)
122 ########################################################################
124 ########################################################################
127 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
130 # set ms home directory
131 MS_HOME=${MS_HOME:-"$ETC"}
133 # load configuration file
134 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
135 [ -e "$MS_CONF" ] && . "$MS_CONF"
137 # set empty config variable with defaults
138 GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
139 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
140 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
141 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
142 AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
143 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
147 # make sure the monkeysphere home directory exists
148 mkdir -p "${MS_HOME}/authorized_user_ids"
149 # make sure gpg home exists with proper permissions
150 mkdir -p -m 0700 "$GNUPGHOME"
151 # make sure the authorized_keys directory exists
152 mkdir -p "${CACHE}/authorized_keys"
155 'update-users'|'update-user'|'s')
157 # get users from command line
160 # or just look at all users if none specified
161 unames=$(getent passwd | cut -d: -f1)
165 for uname in $unames ; do
166 MODE="authorized_keys"
168 # set authorized_user_ids variable,
169 # translate ssh-style path variables
170 authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
172 # skip user if authorized_user_ids file does not exist
173 if [ ! -f "$authorizedUserIDs" ] ; then
177 log "----- user: $uname -----"
179 # temporary authorized_keys file
180 AUTHORIZED_KEYS=$(mktemp)
182 # skip if the user's authorized_user_ids file is empty
183 if [ ! -s "$authorizedUserIDs" ] ; then
184 log "authorized_user_ids file '$authorizedUserIDs' is empty."
188 # process authorized_user_ids file
189 log "processing authorized_user_ids file..."
190 process_authorized_user_ids "$authorizedUserIDs"
192 # add user-controlled authorized_keys file path if specified
193 if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
194 userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
195 if [ -f "$userAuthorizedKeys" ] ; then
196 log -n "adding user's authorized_keys file... "
197 cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
202 # move the temp authorized_keys file into place
203 mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
205 log "authorized_keys file updated."
208 log "----- done. -----"
215 'show-fingerprint'|'f')
216 fingerprint_server_key
223 'trust-keys'|'trust-key'|'t')
224 if [ -z "$1" ] ; then
225 failure "You must specify at least one key to trust."
234 'update-user-userids'|'update-user-userid'|'u')
237 if [ -z "$uname" ] ; then
238 failure "You must specify user."
240 if [ -z "$1" ] ; then
241 failure "You must specify at least one user ID."
244 # set authorized_user_ids variable,
245 # translate ssh-style path variables
246 authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
248 # make sure user's authorized_user_ids file exists
249 touch "$authorizedUserIDs"
251 # process the user IDs
253 update_userid "$userID" "$authorizedUserIDs"
256 log "Run the following to update user's authorized_keys file:"
257 log "$PGRM update-users $uname"
260 'remove-user-userids'|'remove-user-userid'|'r')
263 if [ -z "$uname" ] ; then
264 failure "You must specify user."
266 if [ -z "$1" ] ; then
267 failure "You must specify at least one user ID."
270 # set authorized_user_ids variable,
271 # translate ssh-style path variables
272 authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
274 # make sure user's authorized_user_ids file exists
275 if [ ! -f "$authorizedUserIDs" ] ; then
276 failure "authorized_user_ids file '$authorizedUserIDs' does not exist."
279 # process the user IDs
281 remove_userid "$userID" "$authorizedUserIDs"
284 log "Run the following to update user's authorized_keys file:"
285 log "$PGRM update-users $uname"
293 failure "Unknown command: '$COMMAND'
294 Type '$PGRM help' for usage."