SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
export SYSSHAREDIR
-. "${SYSSHAREDIR}/common" || exit 1
+. "${SYSSHAREDIR}/defaultenv"
+. "${SYSSHAREDIR}/common"
SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
export SYSDATADIR
# datadir for host functions
MHDATADIR="${SYSDATADIR}/host"
-# temp directory for temp gnupghome directories for add_revoker
-MHTMPDIR="${MHDATADIR}/tmp"
-export MHTMPDIR
-
# host pub key files
-HOST_KEY_PUB="${SYSDATADIR}/ssh_host_rsa_key.pub"
-HOST_KEY_PUB_GPG="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+HOST_KEY_FILE="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
# unset some environment variables that could screw things up
unset GREP_OPTIONS
-# default return code
-RETURN=0
-
########################################################################
# FUNCTIONS
########################################################################
Monkeysphere host admin tool.
subcommands:
+ import-key (i) FILE NAME[:PORT] import existing ssh key to gpg
show-key (s) output all host key information
- set-expire (e) EXPIRE set host key expiration
+ publish-key (p) publish host key to keyserver
+ set-expire (e) [EXPIRE] set host key expiration
add-hostname (n+) NAME[:PORT] add hostname user ID to host key
revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
- add-revoker (o) FINGERPRINT add a revoker to the host key
- revoke-key (r) revoke host key
- publish-key (p) publish host key to keyserver
-
- expert <expert-subcommand> run expert command
- expert help expert command help
+ add-revoker (r+) KEYID|FILE add a revoker to the host key
+ revoke-key generate and/or publish revocation
+ certificate for host key
version (v) show version number
help (h,?) this help
+See ${PGRM}(8) for more info.
EOF
}
# function to interact with the gpg keyring
gpg_host() {
- GNUPGHOME="$GNUPGHOME_HOST" gpg "$@"
+ GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --no-tty "$@"
}
-# command to list the info about the host key, in colon format
+# command to list the info about the host key, in colon format, to
+# stdout
gpg_host_list() {
gpg_host --list-keys --with-colons --fixed-list-mode \
--with-fingerprint --with-fingerprint \
# command for edit key scripts, takes scripts on stdin
gpg_host_edit() {
- gpg_host --quiet --command-fd 0 --edit-key \
- "0x${HOST_FINGERPRINT}!" "$@"
-}
-
-# export the host key to stdout
-gpg_host_export() {
- gpg_host --export --armor --export-options export-minimal \
- "0x${HOST_FINGERPRINT}!"
+ gpg_host --command-fd 0 --edit-key "0x${HOST_FINGERPRINT}!" "$@"
}
# export the host public key to the monkeysphere gpg pub key file
-create_gpg_pub_file() {
- log debug "creating openpgp public key file..."
- gpg_host_export > "$HOST_KEY_PUB_GPG"
- log info "GPG host public key file: $HOST_KEY_PUB_GPG"
+update_gpg_pub_file() {
+ log debug "updating openpgp public key file '$HOST_KEY_FILE'..."
+ gpg_host --export --armor --export-options export-minimal \
+ "0x${HOST_FINGERPRINT}!" > "$HOST_KEY_FILE"
}
# load the host fingerprint into the fingerprint variable, using the
# export gpg pub key file
# FIXME: this seems much less than ideal, with all this temp keyring
# stuff. is there a way we can do this without having to create temp
-# files?
+# files? what if we stored the fingerprint in MHDATADIR/fingerprint?
load_fingerprint() {
- if [ -f "$HOST_KEY_PUB_GPG" ] ; then
+ if [ -f "$HOST_KEY_FILE" ] ; then
HOST_FINGERPRINT=$( \
- (FUBAR=$(mktemp -d) && export GNUPGHOME="$FUBAR" \
+ (FUBAR=$(msmktempdir) && export GNUPGHOME="$FUBAR" \
&& gpg --quiet --import \
&& gpg --quiet --list-keys --with-colons --with-fingerprint \
- && rm -rf "$FUBAR") <"$HOST_KEY_PUB_GPG" \
+ && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \
| grep '^fpr:' | cut -d: -f10 )
else
- HOST_FINGERPRINT=
+ failure "host key gpg pub file not found."
fi
}
# gpg host secret key
load_fingerprint_secret() {
HOST_FINGERPRINT=$( \
- gpg_host --quiet --list-secret-key \
- --with-colons --with-fingerprint \
+ gpg_host --list-secret-key --with-colons --with-fingerprint \
| grep '^fpr:' | cut -d: -f10 )
}
-# output host key ssh fingerprint
-load_ssh_fingerprint() {
- [ -f "$HOST_KEY_PUB" ] || return 0
- HOST_FINGERPRINT_SSH=$(ssh-keygen -l -f "$HOST_KEY_PUB" \
- | awk '{ print $1, $2, $4 }')
-}
-
# fail if host key present
check_host_key() {
- [ -z "$HOST_FINGERPRINT" ] \
+ [ ! -s "$HOST_KEY_FILE" ] \
|| failure "An OpenPGP host key already exists."
}
# fail if host key not present
check_host_no_key() {
- [ "$HOST_FINGERPRINT" ] \
- || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host expert import-key' first."
+ [ -s "$HOST_KEY_FILE" ] \
+ || failure "You don't appear to have a Monkeysphere host key on this server.
+Please run 'monkeysphere-host import-key...' first."
}
-# output the index of a user ID on the host key
-# return 1 if user ID not found
+# return 0 if user ID was found.
+# return 1 if user ID not found.
find_host_userid() {
local userID="$1"
local tmpuidMatch
- local line
- # match to only ultimately trusted user IDs
- tmpuidMatch="u:$(echo $userID | gpg_escape)"
+ # match to only "unknown" user IDs (host has no need for ultimate trust)
+ tmpuidMatch="uid:-:$(echo $userID | gpg_escape)"
- # find the index of the requsted user ID
- # NOTE: this is based on circumstantial evidence that the order of
- # this output is the appropriate index
- line=$(gpg_host_list | egrep '^(uid|uat):' | cut -f2,10 -d: | \
- grep -n -x -F "$tmpuidMatch" 2>/dev/null)
-
- if [ "$line" ] ; then
- echo ${line%%:*}
- return 0
- else
- return 1
- fi
+ # See whether the requsted user ID is present
+ gpg_host_list | cut -f1,2,10 -d: | \
+ grep -q -x -F "$tmpuidMatch" 2>/dev/null
}
# show info about the host key
show_key() {
- gpg_host --fingerprint --list-key --list-options show-unusable-uids \
- "0x${HOST_FINGERPRINT}!" 2>/dev/null || true
- # FIXME: make sure expiration date is shown
+ local GNUPGHOME
+ local TMPSSH
+ local revokers
- echo "OpenPGP fingerprint: $HOST_FINGERPRINT"
+ # tmp gpghome dir
+ export GNUPGHOME=$(msmktempdir)
- load_ssh_fingerprint
+ # trap to remove tmp dir if break
+ trap "rm -rf $GNUPGHOME" EXIT
- if [ "$HOST_FINGERPRINT_SSH" ] ; then
- echo "ssh fingerprint: $HOST_FINGERPRINT_SSH"
- else
- log error "SSH host key not found."
+ # import the host key into the tmp dir
+ gpg --quiet --import <"$HOST_KEY_FILE"
+
+ # create the ssh key
+ TMPSSH="$GNUPGHOME"/ssh_host_key_rsa_pub
+ gpg --export | openpgp2ssh 2>/dev/null >"$TMPSSH"
+
+ # get the gpg fingerprint
+ HOST_FINGERPRINT=$(gpg --quiet --list-keys --with-colons --with-fingerprint \
+ | grep '^fpr:' | cut -d: -f10 )
+
+ # list the host key info
+ # FIXME: make no-show-keyring work so we don't have to do the grep'ing
+ # FIXME: can we show uid validity somehow?
+ gpg --list-keys --fingerprint \
+ --list-options show-unusable-uids 2>/dev/null \
+ | grep -v "^${GNUPGHOME}/pubring.gpg$" \
+ | egrep -v '^-+$'
+
+ # list revokers, if there are any
+ revokers=$(gpg --list-keys --with-colons --fixed-list-mode \
+ | awk -F: '/^rvk:/{ print $10 }' )
+ if [ "$revokers" ] ; then
+ echo "The following keys are allowed to revoke this host key:"
+ for key in $revokers ; do
+ echo "revoker: $key"
+ done
+ echo
fi
- # FIXME: other relevant key parameters?
+ # list the pgp fingerprint
+ echo "OpenPGP fingerprint: $HOST_FINGERPRINT"
+
+ # list the ssh fingerprint
+ echo -n "ssh fingerprint: "
+ ssh-keygen -l -f "$TMPSSH" | awk '{ print $1, $2, $4 }'
+
+ # remove the tmp file
+ trap - EXIT
+ rm -rf "$GNUPGHOME"
}
########################################################################
# MAIN
########################################################################
-# unset variables that should be defined only in config file
-unset KEYSERVER
-unset MONKEYSPHERE_USER
-
# load configuration file
-[ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] && . "$MONKEYSPHERE_HOST_CONFIG"
+[ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] \
+ && . "$MONKEYSPHERE_HOST_CONFIG"
# set empty config variable with ones from the environment, or with
# defaults
-LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
-KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
-AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
-RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
-MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
+LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL}
+KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER}
+CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=$CHECK_KEYSERVER}
+MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=$MONKEYSPHERE_USER}
+MONKEYSPHERE_GROUP=$(get_primary_group "$MONKEYSPHERE_USER")
+PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT}
# other variables
-CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
+LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '}
# export variables needed in su invocation
export DATE
-export MODE
export LOG_LEVEL
-export MONKEYSPHERE_USER
export KEYSERVER
+export CHECK_KEYSERVER
+export MONKEYSPHERE_USER
+export MONKEYSPHERE_GROUP
+export PROMPT
export GNUPGHOME_HOST
export GNUPGHOME
-export HOST_FINGERPRINT=
-export HOST_FINGERPRINT_SSH=
+export HOST_FINGERPRINT
+export LOG_PREFIX
# get subcommand
COMMAND="$1"
-[ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
+[ "$COMMAND" ] || $PGRM help
shift
case $COMMAND in
+ 'import-key'|'i')
+ check_host_key
+ source "${MHSHAREDIR}/import_key"
+ import_key "$@"
+ ;;
+
'show-key'|'show'|'s')
- load_fingerprint
check_host_no_key
show_key
;;
'set-expire'|'extend-key'|'e')
- load_fingerprint
check_host_no_key
+ load_fingerprint
source "${MHSHAREDIR}/set_expire"
set_expire "$@"
;;
'add-hostname'|'add-name'|'n+')
- load_fingerprint
check_host_no_key
+ load_fingerprint
source "${MHSHAREDIR}/add_hostname"
add_hostname "$@"
;;
'revoke-hostname'|'revoke-name'|'n-')
- load_fingerprint
check_host_no_key
+ load_fingerprint
source "${MHSHAREDIR}/revoke_hostname"
revoke_hostname "$@"
;;
- 'add-revoker'|'o')
- load_fingerprint
+ 'add-revoker'|'r+')
check_host_no_key
+ load_fingerprint
source "${MHSHAREDIR}/add_revoker"
add_revoker "$@"
;;
- 'revoke-key'|'r')
- load_fingerprint
+ 'revoke-key')
check_host_no_key
+ load_fingerprint
source "${MHSHAREDIR}/revoke_key"
revoke_key "$@"
;;
'publish-key'|'publish'|'p')
- load_fingerprint
check_host_no_key
+ load_fingerprint
source "${MHSHAREDIR}/publish_key"
publish_key
;;
- 'expert')
- SUBCOMMAND="$1"
- shift
- case "$SUBCOMMAND" in
- 'help'|'h'|'?')
- cat <<EOF
-usage: $PGRM expert <subcommand> [options] [args]
-
-expert subcommands:
- import-key (i) FILE [NAME[:PORT]] import existing ssh key to gpg
- gen-key (g) [NAME[:PORT]] generate gpg key for the host
- --length (-l) BITS key length in bits (2048)
- diagnostics (d) monkeysphere host status
+ 'diagnostics'|'d')
+ source "${MHSHAREDIR}/diagnostics"
+ diagnostics
+ ;;
-EOF
- ;;
-
- 'import-key'|'i')
- load_fingerprint
- check_host_key
- source "${MHSHAREDIR}/import_key"
- import_key "$@"
- ;;
-
- 'gen-key'|'g')
- load_fingerprint
- check_host_key
- source "${MHSHAREDIR}/gen_key"
- gen_key "$@"
- ;;
-
- 'diagnostics'|'d')
- source "${MHSHAREDIR}/diagnostics"
- diagnostics
- ;;
-
- *)
- failure "Unknown expert subcommand: '$COMMAND'
-Type '$PGRM help' for usage."
- ;;
- esac
+ 'update-gpg-pub-file')
+ load_fingerprint_secret
+ update_gpg_pub_file
;;
'version'|'v')
- echo "$VERSION"
+ version
;;
'--help'|'help'|'-h'|'h'|'?')
Type '$PGRM help' for usage."
;;
esac
-
-exit "$RETURN"