projects
/
monkeysphere.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
redirect sample refresh keys cron tab to /dev/null.
[monkeysphere.git]
/
src
/
monkeysphere-server
diff --git
a/src/monkeysphere-server
b/src/monkeysphere-server
index 9d0d9b33b80101942491b64a68e86c6803bc00a4..ce800593da8fec3cf82722393dc9ca7d05a31d3d 100755
(executable)
--- a/
src/monkeysphere-server
+++ b/
src/monkeysphere-server
@@
-47,8
+47,8
@@
subcommands:
publish-key (p) publish server's host key to keyserver
add-identity-certifier (a) KEYID import and tsign a certification key
publish-key (p) publish server's host key to keyserver
add-identity-certifier (a) KEYID import and tsign a certification key
- -n|--domain DOMAIN
domain of certifier
()
- -t|--trust TRUST trust level of certifier (
2
)
+ -n|--domain DOMAIN
limit ID certifications to IDs in DOMAIN
()
+ -t|--trust TRUST trust level of certifier (
full
)
-d|--depth DEPTH trust depth for certifier (1)
remove-identity-certifier (r) KEYID remove a certification key
list-identity-certifiers (l) list certification keys
-d|--depth DEPTH trust depth for certifier (1)
remove-identity-certifier (r) KEYID remove a certification key
list-identity-certifiers (l) list certification keys
@@
-143,13
+143,15
@@
update_users() {
log "----- user: $uname -----"
log "----- user: $uname -----"
+ # exit if the authorized_user_ids file is empty
if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then
if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then
- log "Improper permissions on authorized_user_ids file."
+ log "Improper permissions on authorized_user_ids file
path
."
continue
fi
continue
fi
+ # check permissions on the authorized_keys file path
if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then
if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then
- log "Improper permissions on authorized_keys file."
+ log "Improper permissions on authorized_keys file
path path
."
continue
fi
continue
fi
@@
-206,8
+208,7
@@
update_users() {
chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
chmod g+r "$AUTHORIZED_KEYS"
chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
chmod g+r "$AUTHORIZED_KEYS"
- # if the resulting authorized_keys file is not empty, move
- # it into place
+ # move the resulting authorized_keys file into place
mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
# destroy temporary directory
mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
# destroy temporary directory
@@
-342,6
+343,10
@@
EOF
fingerprint=$(gpg_host --list-key --with-colons --with-fingerprint "=${userID}" | \
grep '^fpr:' | head -1 | cut -d: -f10)
fingerprint=$(gpg_host --list-key --with-colons --with-fingerprint "=${userID}" | \
grep '^fpr:' | head -1 | cut -d: -f10)
+ # export host ownertrust to authentication keyring
+ log "setting ultimate owner trust for server key..."
+ echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"
+
# translate the private key to ssh format, and export to a file
# for sshs usage.
# NOTE: assumes that the primary key is the proper key to use
# translate the private key to ssh format, and export to a file
# for sshs usage.
# NOTE: assumes that the primary key is the proper key to use
@@
-383,10
+388,11
@@
add_certifier() {
local keyID
local fingerprint
local ltsignCommand
local keyID
local fingerprint
local ltsignCommand
+ local trustval
# set default values for trust depth and domain
domain=
# set default values for trust depth and domain
domain=
- trust=
2
+ trust=
full
depth=1
# get options
depth=1
# get options
@@
-423,11
+429,11
@@
add_certifier() {
done
keyID="$1"
done
keyID="$1"
+ if [ -z "$keyID" ] ; then
+ failure "You must specify the key ID of a key to add."
+ fi
export keyID
export keyID
- # export host ownertrust to authentication keyring
- gpg_host --export-ownertrust | gpg_authentication "--import-ownertrust"
-
# get the key from the key server
gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'"
# get the key from the key server
gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'"
@@
-438,7
+444,8
@@
add_certifier() {
echo "key found:"
gpg_authentication "--fingerprint $fingerprint"
echo "key found:"
gpg_authentication "--fingerprint $fingerprint"
- read -p "Are you sure you want to add this key as a certifier of users on this system? (y/N) " OK; OK=${OK:-N}
+ echo "Are you sure you want to add this key as a certifier of"
+ read -p "users on this system? (y/N) " OK; OK=${OK:-N}
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "aborting."
fi
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "aborting."
fi
@@
-446,18
+453,26
@@
add_certifier() {
# export the key to the host keyring
gpg_authentication "--export $keyID" | gpg_host --import
# export the key to the host keyring
gpg_authentication "--export $keyID" | gpg_host --import
+ if [ "$trust" == marginal ]; then
+ trustval=1
+ elif [ "$trust" == full ]; then
+ trustval=2
+ else
+ failure "trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)"
+ fi
+
# ltsign command
# NOTE: *all* user IDs will be ltsigned
ltsignCommand=$(cat <<EOF
ltsign
y
# ltsign command
# NOTE: *all* user IDs will be ltsigned
ltsignCommand=$(cat <<EOF
ltsign
y
-$trust
+$trust
val
$depth
$domain
y
save
EOF
$depth
$domain
y
save
EOF
-)
+
)
# ltsign the key
echo "$ltsignCommand" | gpg_host --quiet --command-fd 0 --edit-key "$fingerprint"
# ltsign the key
echo "$ltsignCommand" | gpg_host --quiet --command-fd 0 --edit-key "$fingerprint"
@@
-472,6
+487,9
@@
remove_certifier() {
local fingerprint
keyID="$1"
local fingerprint
keyID="$1"
+ if [ -z "$keyID" ] ; then
+ failure "You must specify the key ID of a key to remove."
+ fi
# delete the requested key (with prompting)
gpg_host --delete-key "$keyID"
# delete the requested key (with prompting)
gpg_host --delete-key "$keyID"
@@
-550,16
+568,10
@@
case $COMMAND in
;;
'add-identity-certifier'|'add-certifier'|'a')
;;
'add-identity-certifier'|'add-certifier'|'a')
- if [ -z "$1" ] ; then
- failure "You must specify a key ID."
- fi
add_certifier "$1"
;;
'remove-identity-certifier'|'remove-certifier'|'r')
add_certifier "$1"
;;
'remove-identity-certifier'|'remove-certifier'|'r')
- if [ -z "$1" ] ; then
- failure "You must specify a key ID."
- fi
remove_certifier "$1"
;;
remove_certifier "$1"
;;