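#!/bin/bash
# rhesus: monkeysphere authorized_keys update script
#
# Written by
# Jameson Rollins
#
# Copyright 2008, released under the GPL, version 3 or later
#
# Usage: rhesus USERNAME
#
# Reads the OpenPGP user ids authorized for USERNAME from
# "$AUTH_USER_IDS_DIR/USERNAME", looks each one up with gpg, checks the
# key's capability and validity, and rebuilds the monkeysphere
# authorized_keys file from the per-user key cache plus the user's own
# ~/.ssh/authorized_keys.
#
# Configuration (sourced from CONF_FILE): GNUPGHOME, KEYSERVER,
# AUTH_USER_IDS_DIR, AUTH_KEYS_DIR; optional REQUIRED_KEY_CAPABILITY
# (defaults to 'a').
#
# The script uses bash-only constructs (arrays, process substitution),
# so the interpreter is bash rather than /bin/sh.

##################################################
# load conf file
CONF_FILE=${CONF_FILE:-"/etc/monkeysphere/monkeysphere.conf"}
. "$CONF_FILE"
export GNUPGHOME

##################################################
CMD=$(basename -- "$0")

# Print a short usage message to stderr.
# (The original usage text did not survive extraction; this is a
# reconstruction from the script's single USERNAME argument.)
usage() {
  cat <<EOF >&2
usage: $CMD USERNAME
EOF
}

# Print an error message to stderr and exit.
# Arguments: $1 - message, $2 - exit status (default 1)
failure() {
  printf '%s\n' "$1" >&2
  exit "${2:-1}"
}

# Print the non-comment, non-blank lines of a file.
# Arguments: $1 - file to filter
meat() {
  grep -v -e '^[[:space:]]*#' -e '^$' -- "$1"
}

### MAIN

if [ -z "$1" ] ; then
  usage
  exit 1
fi

# Refuse to run with an incomplete configuration: KEYDIR below is handed
# to 'rm -rf', so an unset AUTH_KEYS_DIR must never collapse to a path
# directly under '/'.
: "${GNUPGHOME:?must be set in $CONF_FILE}"
: "${AUTH_USER_IDS_DIR:?must be set in $CONF_FILE}"
: "${AUTH_KEYS_DIR:?must be set in $CONF_FILE}"

# user name of user to update
USERNAME="$1"

if ! id "$USERNAME" > /dev/null ; then
  failure "User '$USERNAME' does not exist."
fi

AUTH_USER_IDS="$AUTH_USER_IDS_DIR"/"$USERNAME"
if [ ! -e "$AUTH_USER_IDS" ] ; then
  failure "No auth_user_ids file for user '$USERNAME'."
fi

KEYDIR="$AUTH_KEYS_DIR"/"$USERNAME"/keys
# NOTE(review): this path is not per-user, so runs for different users
# overwrite each other's output -- confirm whether the intended location
# is "$AUTH_KEYS_DIR"/"$USERNAME"/authorized_keys.
AUTH_KEYS="$AUTH_KEYS_DIR"/authorized_keys

# make sure the gnupg home exists with proper permissions
mkdir -p "$GNUPGHOME" || failure "Could not create '$GNUPGHOME'."
chmod 0700 "$GNUPGHOME"

# clean out keys file and remake keys directory
rm -rf -- "${KEYDIR:?}"
mkdir -p "$KEYDIR" || failure "Could not create '$KEYDIR'."

# capability the key must carry; 'a' = authentication
REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-'a'}

# loop through all user ids, and generate ssh keys
# ('read' consumes the process substitution, so every gpg call inside the
# loop gets its stdin redirected explicitly)
while IFS= read -r USERID || [ -n "$USERID" ] ; do
  USERID_HASH=$(printf '%s\n' "$USERID" | sha1sum | awk '{ print $1 }')
  KEYFILE="$KEYDIR"/"$USERID_HASH"

  # search for key on keyserver ('=' asks for an exact user id match; the
  # piped '1' answers gpg's key-selection prompt)
  echo "ms: validating: '$USERID'"
  RETURN=$(echo 1 | gpg --quiet --batch --command-fd 0 --with-colons \
    --keyserver "$KEYSERVER" --search ="$USERID")

  if [ -z "$RETURN" ] ; then
    echo "ms: key not found."
    continue
  fi
  echo "ms: key found."

  # checking key attributes
  # see /usr/share/doc/gnupg/DETAILS.gz:
  PUB_INFO=$(gpg --fixed-list-mode --with-colons --list-keys \
    --with-fingerprint ="$USERID" < /dev/null | grep '^pub:')

  # extract needed fields: 2 = validity, 12 = capabilities
  KEY_TRUST=$(printf '%s\n' "$PUB_INFO" | cut -d: -f2)
  KEY_CAPABILITY=$(printf '%s\n' "$PUB_INFO" | cut -d: -f12)

  # check if key disabled ('D' in the capability field)
  case "$KEY_CAPABILITY" in
    *D*)
      echo "ms: key disabled -> SKIPPING"
      continue
      ;;
  esac

  # check key capability
  # (the original single-quoted grep pattern never expanded the variable,
  # so it matched the literal characters of the variable name instead)
  if printf '%s\n' "$KEY_CAPABILITY" | grep -q "[$REQUIRED_KEY_CAPABILITY]" ; then
    echo "ms: key capability verified ('$KEY_CAPABILITY')."
  else
    echo "ms: unacceptable key capability ('$KEY_CAPABILITY') -> SKIPPING"
    continue
  fi

  printf '%s' "ms: key "
  # if key is not fully trusted exit
  # (this includes not revoked or expired)
  # determine trust
  case "$KEY_TRUST" in
    'i') printf '%s' "invalid" ;;
    'r') printf '%s' "revoked" ;;
    'e') printf '%s' "expired" ;;
    '-'|'q'|'n'|'m') printf '%s' "has unacceptable trust" ;;
    'f'|'u')
      printf '%s' "fully trusted"
      # convert pgp key to ssh key, and write to cache file
      printf '%s' " -> generating ssh key..."
      # TODO: conversion is still disabled, so "$KEYFILE" is never written
      # and no gpg-derived key reaches the authorized_keys file.  The
      # commented line also references $KEYID, which is never assigned,
      # and splices USERID (untrusted input) into a sed expression; when
      # enabling it, pass the comment to the converter without
      # interpolating it into a sed script.
      #gpg2ssh "$KEYID" | sed -e "s/COMMENT/$USERID/" > "$KEYFILE"
      echo " done."
      continue
      ;;
    *) printf '%s' "has unknown trust" ;;
  esac
  echo ". -> SKIPPING"
done < <(meat "$AUTH_USER_IDS")

# assemble the authorized_keys file from whatever the loop cached
shopt -s nullglob
KEYFILES=("$KEYDIR"/*)
shopt -u nullglob
if [ "${#KEYFILES[@]}" -gt 0 ] ; then
  echo "ms: writing ms authorized_keys file..."
  cat -- "${KEYFILES[@]}" > "$AUTH_KEYS"
else
  echo "ms: no gpg keys to add to authorized_keys file."
  # Truncate anyway: the original left the previous file untouched here,
  # so keys that had since been revoked or dropped from auth_user_ids
  # stayed authorized, and the append below accumulated duplicates.
  : > "$AUTH_KEYS"
fi

# append the user's own authorized_keys, if present.  A quoted
# ~"$USERNAME" is not tilde-expanded, so resolve the home directory via
# the passwd database instead (getent: glibc systems; confirm on target).
# The appended content is user-controlled and is copied without checks.
USER_HOME=$(getent passwd "$USERNAME" | cut -d: -f6)
USER_AUTH_KEYS="$USER_HOME"/.ssh/authorized_keys
if [ -n "$USER_HOME" ] && [ -s "$USER_AUTH_KEYS" ] ; then
  echo "ms: adding user authorized_keys..."
  cat -- "$USER_AUTH_KEYS" >> "$AUTH_KEYS"
fi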