export ETC
CACHE="/var/cache/monkeysphere"
export CACHE
+ERR=0
+export ERR
########################################################################
### UTILITY FUNCTIONS
+error() {
+ log "$1"
+ ERR=${2:-'1'}
+}
+
failure() {
echo "$1" >&2
exit ${2:-'1'}
# write output to stderr
log() {
- echo -n "ms: " 1>&2
- echo "$@" 1>&2
+ echo -n "ms: " >&2
+ echo "$@" >&2
}
loge() {
- echo "$@" 1>&2
+ echo "$@" >&2
}
# cut out all comments(#) and blank lines from standard input
# get the user's home directory
userHome=$(getent passwd "$uname" | cut -d: -f6)
- # translate ssh-style path variables
+ # translate '%u' to user name
path=${path/\%u/"$uname"}
+ # translate '%h' to user home directory
path=${path/\%h/"$userHome"}
echo "$path"
gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null
}
+# output the ssh key for a given secret key ID
+gpgsecret2ssh() {
+ local keyID
+
+ #keyID="$1" #TMP
+ # only use last 16 characters until openpgp2ssh can take all 40 #TMP
+ keyID=$(echo "$1" | cut -c 25-) #TMP
+
+ gpg --export-secret-key "$keyID" | openpgp2ssh "$keyID" 2> /dev/null
+}
+
# output known_hosts line from ssh key
ssh2known_hosts() {
local host
keyID="$1"
gpg --list-key --with-colons --fixed-list-mode \
- --with-fingerprint "$keyID" | grep "$keyID" | \
- grep '^fpr:' | cut -d: -f10
+ --with-fingerprint --with-fingerprint "$keyID" | \
+ grep '^fpr:' | grep "$keyID" | cut -d: -f10
}
########################################################################
done
}
-# process a host in known_host file
-process_host_known_hosts() {
+# process hosts in the known_host file
+process_hosts_known_hosts() {
local host
local userID
local ok
local keyid
local tmpfile
- host="$1"
- userID="ssh://${host}"
-
- log "processing host: $host"
-
- process_user_id "ssh://${host}" | \
- while read -r ok keyid ; do
- sshKey=$(gpg2ssh "$keyid")
- # remove the old host key line
- remove_line "$KNOWN_HOSTS" "$sshKey"
- # if key OK, add new host line
- if [ "$ok" -eq '0' ] ; then
- # hash if specified
- if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then
- # FIXME: this is really hackish cause ssh-keygen won't
- # hash from stdin to stdout
- tmpfile=$(mktemp)
- ssh2known_hosts "$host" "$sshKey" > "$tmpfile"
- ssh-keygen -H -f "$tmpfile" 2> /dev/null
- cat "$tmpfile" >> "$KNOWN_HOSTS"
- rm -f "$tmpfile" "${tmpfile}.old"
- else
- ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS"
+ # create a lockfile on known_hosts
+ lockfile-create "$KNOWN_HOSTS"
+
+ for host ; do
+ log "processing host: $host"
+
+ userID="ssh://${host}"
+
+ process_user_id "ssh://${host}" | \
+ while read -r ok keyid ; do
+ sshKey=$(gpg2ssh "$keyid")
+ # remove the old host key line
+ remove_line "$KNOWN_HOSTS" "$sshKey"
+ # if key OK, add new host line
+ if [ "$ok" -eq '0' ] ; then
+ # hash if specified
+ if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then
+ # FIXME: this is really hackish cause ssh-keygen won't
+ # hash from stdin to stdout
+ tmpfile=$(mktemp)
+ ssh2known_hosts "$host" "$sshKey" > "$tmpfile"
+ ssh-keygen -H -f "$tmpfile" 2> /dev/null
+ cat "$tmpfile" >> "$KNOWN_HOSTS"
+ rm -f "$tmpfile" "${tmpfile}.old"
+ else
+ ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS"
+ fi
fi
- fi
+ done
+ # touch the lockfile, for good measure.
+ lockfile-touch --oneshot "$KNOWN_HOSTS"
done
+
+ # remove the lockfile
+ lockfile-remove "$KNOWN_HOSTS"
}
-# process a uid in an authorized_keys file
-process_uid_authorized_keys() {
+# process uids for the authorized_keys file
+process_uids_authorized_keys() {
local userID
local ok
local keyid
- userID="$1"
+ # create a lockfile on authorized_keys
+ lockfile-create "$AUTHORIZED_KEYS"
- log "processing user ID: $userID"
+ for userID ; do
+ log "processing user ID: $userID"
- process_user_id "$userID" | \
- while read -r ok keyid ; do
- sshKey=$(gpg2ssh "$keyid")
- # remove the old host key line
- remove_line "$AUTHORIZED_KEYS" "$sshKey"
- # if key OK, add new host line
- if [ "$ok" -eq '0' ] ; then
- ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS"
- fi
+ process_user_id "$userID" | \
+ while read -r ok keyid ; do
+ sshKey=$(gpg2ssh "$keyid")
+ # remove the old host key line
+ remove_line "$AUTHORIZED_KEYS" "$sshKey"
+ # if key OK, add new host line
+ if [ "$ok" -eq '0' ] ; then
+ ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS"
+ fi
+ done
+ # touch the lockfile, for good measure.
+ lockfile-touch --oneshot "$AUTHORIZED_KEYS"
done
+
+ # remove the lockfile
+ lockfile-remove "$AUTHORIZED_KEYS"
}
# process known_hosts file
cat "$KNOWN_HOSTS" | meat | \
cut -d ' ' -f 1 | grep -v '^|.*$' | \
while IFS=, read -r -a hosts ; do
- # and process each host
- for host in ${hosts[*]} ; do
- process_host_known_hosts "$host"
- done
+ process_hosts_known_hosts ${hosts[@]}
done
}
cat "$authorizedUserIDs" | meat | \
while read -r userid ; do
- process_uid_authorized_keys "$userid"
+ process_uids_authorized_keys "$userid"
done
}
trust_key() {
# get the key from the key server
if ! gpg --keyserver "$KEYSERVER" --recv-key "$keyID" ; then
- log "could not retrieve key '$keyID'"
- return 1
+ failure "Could not retrieve key '$keyID'."
fi
# get key fingerprint
# import "full" trust for fingerprint into gpg
echo ${fingerprint}:5: | gpg --import-ownertrust
if [ $? = 0 ] ; then
- log "owner trust updated."
+ log "Owner trust updated."
else
- failure "there was a problem changing owner trust."
+ failure "There was a problem changing owner trust."
fi
}
# dummy command so as not to publish fakes keys during testing
# eventually:
#gpg --keyserver "$KEYSERVER" --send-keys $(hostname -f)
- echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development).
+ failure "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development).
To publish manually, do: gpg --keyserver $KEYSERVER --send-keys $(hostname -f)"
- return 1
}
projects / monkeysphere.git / blobdiff