Small tweaks to prepare for upcoming changes.
[monkeysphere.git] / src / monkeysphere-server
1 #!/bin/bash
2
3 # monkeysphere-server: MonkeySphere server admin tool
4 #
5 # The monkeysphere scripts are written by:
6 # Jameson Rollins <jrollins@fifthhorseman.net>
7 #
8 # They are Copyright 2008, and are all released under the GPL, version 3
9 # or later.
10
11 ########################################################################
12 PGRM=$(basename $0)
13
14 SHARE=${SHARE:-"/usr/share/monkeysphere"}
15 export SHARE
16 . "${SHARE}/common"
17
18 VARLIB="/var/lib/monkeysphere"
19 export VARLIB
20
21 # date in UTF format if needed
22 DATE=$(date -u '+%FT%T')
23
24 # unset some environment variables that could screw things up
25 GREP_OPTIONS=
26
27 # default return code
28 ERR=0
29
30 ########################################################################
31 # FUNCTIONS
32 ########################################################################
33
34 usage() {
35 cat <<EOF
36 usage: $PGRM <subcommand> [args]
37 MonkeySphere server admin tool.
38
39 subcommands:
40   update-users (u) [USER]...            update users authorized_keys files
41   gen-key (g) [HOSTNAME]                generate gpg key for the server
42   show-fingerprint (f)                  show server's host key fingerprint
43   publish-key (p)                       publish server's host key to keyserver
44   trust-key (t) KEYID [LEVEL]           set owner trust for keyid
45   help (h,?)                            this help
46
47 EOF
48 }
49
50 # generate server gpg key
51 gen_key() {
52     local hostName
53
54     hostName=${1:-$(hostname --fqdn)}
55
56     SERVICE=${SERVICE:-"ssh"}
57     userID="${SERVICE}://${hostName}"
58
59     if gpg --list-key ="$userID" > /dev/null 2>&1 ; then
60         failure "Key for '$userID' already exists"
61     fi
62
63     # set key defaults
64     KEY_TYPE=${KEY_TYPE:-"RSA"}
65     KEY_LENGTH=${KEY_LENGTH:-"2048"}
66     KEY_USAGE=${KEY_USAGE:-"auth"}
67     KEY_EXPIRE=${KEY_EXPIRE:-"0"}
68     cat <<EOF
69 Please specify how long the key should be valid.
70          0 = key does not expire
71       <n>  = key expires in n days
72       <n>w = key expires in n weeks
73       <n>m = key expires in n months
74       <n>y = key expires in n years
75 EOF
76     read -p "Key is valid for? ($KEY_EXPIRE) " KEY_EXPIRE; KEY_EXPIRE=${KEY_EXPIRE:-"0"}
77
78     # set key parameters
79     keyParameters=$(cat <<EOF
80 Key-Type: $KEY_TYPE
81 Key-Length: $KEY_LENGTH
82 Key-Usage: $KEY_USAGE
83 Name-Real: $userID
84 Expire-Date: $KEY_EXPIRE
85 EOF
86 )
87
88     # add the revoker field if requested
89     # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key.  why?
90     # FIXME: why is this marked "sensitive"?  how will this signature ever
91     # be transmitted to the expected revoker?
92     if [ "$REVOKER" ] ; then
93         keyParameters="${keyParameters}"$(cat <<EOF
94
95 Revoker: 1:$REVOKER sensitive
96 EOF
97 )
98     fi
99
100     echo "The following key parameters will be used:"
101     echo "$keyParameters"
102
103     read -p "Generate key? [Y|n]: " OK; OK=${OK:=Y}
104     if [ ${OK/y/Y} != 'Y' ] ; then
105         failure "aborting."
106     fi
107
108     # add commit command
109     keyParameters="${keyParameters}"$(cat <<EOF
110
111 %commit
112 %echo done
113 EOF
114 )
115
116     log "generating server key... "
117     echo "$keyParameters" | gpg --batch --gen-key
118
119     # output the server fingerprint
120     fingerprint_server_key "=${userID}"
121
122     # find the key fingerprint of the server primary key
123     keyID=$(gpg --list-key --with-colons --with-fingerprint "=${userID}" | \
124         grep '^fpr:' | head -1 | cut -d: -f10)
125
126     # write the key to the file
127     # NOTE: assumes that the primary key is the proper key to use
128     (umask 077 && gpgsecret2ssh "$keyID" > "${MS_HOME}/ssh_host_rsa_key")
129     log "Private SSH host key output to file: ${MS_HOME}/ssh_host_rsa_key"
130 }
131
132 # gpg output key fingerprint
133 fingerprint_server_key() {
134     local ID
135
136     if [ -z "$1" ] ; then
137         ID="$1"
138     else
139         ID="=ssh://$(hostname --fqdn)"
140     fi
141
142     gpg --fingerprint --list-secret-keys "$ID"
143 }
144
145 ########################################################################
146 # MAIN
147 ########################################################################
148
149 COMMAND="$1"
150 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
151 shift
152
153 # set ms home directory
154 MS_HOME=${MS_HOME:-"$ETC"}
155
156 # load configuration file
157 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
158 [ -e "$MS_CONF" ] && . "$MS_CONF"
159
160 # set empty config variable with defaults
161 MONKEYSPHERE_USER=${MONKEYSPHERE_USER:-"monkeysphere"}
162 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
163 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
164 AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
165 RAW_AUTHORIZED_KEYS=${RAW_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
166
167 # other variables
168 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
169 GNUPGHOME_HOST=${GNUPGHOME_HOST:-"${VARLIB}/gnupg-host"}
170 GNUPGHOME_AUTHENTICATION=${GNUPGHOME_AUTHENTICATION:-"${VARLIB}/gnupg-authentication"}
171
172 # set default GNUPGHOME, and make sure the directory exists.  this is
173 # true for all functions expect user authentication
174 # (ie. update-users).
175 GNUPGHOME="$GNUPGHOME_HOST"
176 export GNUPGHOME
177 mkdir -p -m 0700 "$GNUPGHOME"
178
179 case $COMMAND in
180     'update-users'|'update-user'|'u')
181         if [ "$1" ] ; then
182             # get users from command line
183             unames="$@"
184         else
185             # or just look at all users if none specified
186             unames=$(getent passwd | cut -d: -f1)
187         fi
188
189         # set mode
190         MODE="authorized_keys"
191
192         # make sure the authorized_keys directory exists
193         mkdir -p "${VARLIB}/authorized_keys"
194
195         # set GNUPGHOME, and make sure the directory exists
196         GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
197         export GNUPGHOME
198         mkdir -p -m 0700 "$GNUPGHOME"
199
200         # loop over users
201         for uname in $unames ; do
202             # check all specified users exist
203             if ! getent passwd "$uname" >/dev/null ; then
204                 error "----- unknown user '$uname' -----"
205                 continue
206             fi
207
208             # set authorized_user_ids and raw authorized_keys variables,
209             # translating ssh-style path variables
210             authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
211             rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
212
213             # if neither is found, skip user
214             if [ ! -s "$authorizedUserIDs" -a ! -s "$rawAuthorizedKeys" ] ; then
215                 continue
216             fi
217
218             log "----- user: $uname -----"
219
220             # temporary authorized_keys file
221             AUTHORIZED_KEYS=$(mktemp)
222
223             # trap to delete file on exit
224             trap "rm -f $AUTHORIZE_KEYS" EXIT
225
226             # process authorized_user_ids file
227             if [ -s "$authorizedUserIDs" ] ; then
228                 log "processing authorized_user_ids file..."
229                 process_authorized_user_ids "$authorizedUserIDs"
230             fi
231
232             # add user-controlled authorized_keys file path if specified
233             if [ "$RAW_AUTHORIZED_KEYS" != '-' ] ; then
234                 if [ -s "$rawAuthorizedKeys" ] ; then
235                     log -n "adding raw authorized_keys file... "
236                     cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
237                     loge "done."
238                 fi
239             fi
240
241             # if the resulting authorized_keys file is not empty, move
242             # the temp authorized_keys file into place
243             if [ -s "$AUTHORIZED_KEYS" ] ; then
244                 # openssh appears to check the contents of the
245                 # authorized_keys file as the user in question, so the
246                 # file must be readable by that user at least.
247                 # FIXME: is there a better way to do this?
248                 chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
249                 chmod g+r "$AUTHORIZED_KEYS"
250
251                 mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
252
253                 log "authorized_keys file updated."
254
255             # else destroy it
256             else
257                 rm -f "$AUTHORIZED_KEYS"
258             fi
259         done
260         ;;
261
262     'gen-key'|'g')
263         gen_key "$1"
264         ;;
265
266     'show-fingerprint'|'f')
267         fingerprint_server_key "$@"
268         ;;
269
270     'publish-key'|'p')
271         publish_server_key
272         ;;
273
274     'trust-key'|'trust-key'|'t')
275         trust_key "$@"
276         ;;
277
278     'help'|'h'|'?')
279         usage
280         ;;
281
282     *)
283         failure "Unknown command: '$COMMAND'
284 Type '$PGRM help' for usage."
285         ;;
286 esac
287
288 exit "$ERR"