# version 3 or later.
########################################################################
+set -e
+
PGRM=$(basename $0)
SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
export SYSSHAREDIR
. "${SYSSHAREDIR}/common" || exit 1
+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
+export SYSDATADIR
+
# sharedir for authentication functions
MASHAREDIR="${SYSSHAREDIR}/ma"
-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
-export SYSDATADIR
+# datadir for authentication functions
+MADATADIR="${SYSDATADIR}/authentication"
# temp directory to enable atomic moves of authorized_keys files
-MATMPDIR="${SYSDATADIR}/tmp"
+MATMPDIR="${MADATADIR}/tmp"
export MSTMPDIR
# UTC date in ISO 8601 format if needed
Monkeysphere authentication admin tool.
subcommands:
+ setup (s) setup monkeysphere user authentication
update-users (u) [USER]... update user authorized_keys files
add-id-certifier (c+) KEYID import and tsign a certification key
--domain (-n) DOMAIN limit ID certifications to DOMAIN
EOF
}
-# function to run command as monkeysphere user
-su_monkeysphere_user() {
- # if the current user is the monkeysphere user, then just eval
- # command
- if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then
- eval "$@"
-
- # otherwise su command as monkeysphere user
- else
- su "$MONKEYSPHERE_USER" -c "$@"
- fi
-}
-
# function to interact with the gpg core keyring
gpg_core() {
- local returnCode
-
GNUPGHOME="$GNUPGHOME_CORE"
export GNUPGHOME
- # NOTE: we supress this warning because we need the monkeysphere
- # user to be able to read the host pubring. we realize this might
- # be problematic, but it's the simplest solution, without too much
- # loss of security.
- gpg --no-permission-warning "$@"
- returnCode="$?"
-
- # always reset the permissions on the host pubring so that the
- # monkeysphere user can read the trust signatures
- chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_CORE}/pubring.gpg"
- chmod g+r "${GNUPGHOME_CORE}/pubring.gpg"
-
- return "$returnCode"
+ gpg "$@"
}
# function to interact with the gpg sphere keyring
-# FIXME: this function requires basically accepts only a single
-# argument because of problems with quote expansion. this needs to be
-# fixed/improved.
+# FIXME: this function requires only a single argument because of
+# problems with quote expansion. this needs to be fixed/improved.
gpg_sphere() {
GNUPGHOME="$GNUPGHOME_SPHERE"
export GNUPGHOME
su_monkeysphere_user "gpg $@"
}
+# load the core fingerprint into the fingerprint variable, using the
+# gpg host secret key
+core_fingerprint() {
+ log debug "determining core key fingerprint..."
+ gpg_core --quiet --list-secret-key \
+ --with-colons --fixed-list-mode --with-fingerprint \
+ | grep ^fpr: | cut -d: -f10
+}
+
+# export signatures from core to sphere
+gpg_core_sphere_sig_transfer() {
+ log debug "exporting core local sigs to sphere..."
+ gpg_core --export-options export-local-sigs --export | \
+ gpg_sphere "--import-options import-local-sigs --import"
+}
+
########################################################################
# MAIN
########################################################################
# other variables
CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
-GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${SYSDATADIR}/authentication/core"}
-GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${SYSDATADIR}/authentication/sphere"}
+GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${MADATADIR}/core"}
+GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"}
+CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"}
# export variables needed in su invocation
export DATE
export GNUPGHOME_CORE
export GNUPGHOME_SPHERE
export GNUPGHOME
+export CORE_KEYLENGTH
# get subcommand
COMMAND="$1"
shift
case $COMMAND in
+ 'setup'|'setup'|'s')
+ source "${MASHAREDIR}/setup"
+ setup "$@"
+ ;;
+
'update-users'|'update-user'|'u')
source "${MASHAREDIR}/update_users"
update_users "$@"
list_certifiers "$@"
;;
- 'expert'|'e')
+ 'expert')
SUBCOMMAND="$1"
shift
case "$SUBCOMMAND" in
projects / monkeysphere.git / blobdiff