########################################################################
usage() {
-cat <<EOF
+ cat <<EOF
usage: $PGRM <subcommand> [options] [args]
MonkeySphere server admin tool.
-l|--length BITS key length in bits (2048)
-e|--expire EXPIRE date to expire
-r|--revoker FINGERPRINT add a revoker
- show-fingerprint (f) show server's host key fingerprint
- publish-key (p) publish server's host key to keyserver
- diagnostics (d) report on the server's monkeysphere status
+ show-fingerprint (f) show server host key fingerprint
+ publish-key (p) publish server host key to keyserver
+ diagnostics (d) report on server monkeysphere status
- add-identity-certifier (a) KEYID import and tsign a certification key
- -n|--domain DOMAIN limit ID certifications to IDs in DOMAIN
+ add-id-certifier (c+) KEYID import and tsign a certification key
+ -n|--domain DOMAIN limit ID certifications to DOMAIN
-t|--trust TRUST trust level of certifier (full)
-d|--depth DEPTH trust depth for certifier (1)
- remove-identity-certifier (r) KEYID remove a certification key
- list-identity-certifiers (l) list certification keys
+ remove-id-certifier (c-) KEYID remove a certification key
+ list-id-certifiers (c) list certification keys
gpg-authentication-cmd CMD gnupg-authentication command
- help (h,?) this help
+ -h|--help|help (h,?) this help
EOF
}
# FIXME: need to figure out better way to identify host key
# dummy command so as not to publish fakes keys during testing
# eventually:
- #gpg_authentication "--keyserver $KEYSERVER --send-keys $(hostname -f)"
+ #gpg_authentication "--keyserver $KEYSERVER --send-keys =ssh://$(hostname -f)"
echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)."
echo "The following command should publish the key:"
- echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys $(hostname -f)'"
+ echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys =ssh://$(hostname -f)'"
exit 255
}
fi
# propose changes needed for sshd_config (if any)
- if ! grep -q "^HostKey ${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then
+ if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then
echo "! /etc/ssh/sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
fi
- if badhostkeys=$(grep '^HostKey' | grep -q -v "^HostKey ${VARLIB}/ssh_host_rsa_key$") ; then
+ if badhostkeys=$(grep -i '^HostKey' | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then
echo "! /etc/sshd_config refers to some non-monkeysphere host keys:"
echo "$badhostkeys"
- echo "- Recommendation: remove the above HostKey lines from /etc/ssh/sshd_config"
+ echo " - Recommendation: remove the above HostKey lines from /etc/ssh/sshd_config"
fi
fi
fi
# FIXME: make sure that at least one identity certifier exists
+ echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
+ # Ensure that User ID authentication is enabled:
+ if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" /etc/ssh/sshd_config; then
+ echo "! /etc/ssh/sshd_config does not point to monkeysphere authorized keys."
+ echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'"
+ fi
+ if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then
+ echo "! /etc/sshd_config refers to non-monkeysphere authorized_keys files:"
+ echo "$badauthorizedkeys"
+ echo " - Recommendation: remove the above AuthorizedKeysFile lines from /etc/ssh/sshd_config"
+ fi
+
+
}
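Review bot: The new AuthorizedKeysFile scan (the `badauthorizedkeys=` line) can never report anything: neither grep is given /etc/ssh/sshd_config, so the pipeline reads the script's stdin instead of the config, and `grep -q` discards the matched text, so the variable is always empty even when the test succeeds. The pre-existing HostKey scan keeps the same shape on the new side, so both checks silently pass a config that still loads non-monkeysphere host keys or a stray authorized_keys path, which is the opposite of what a diagnostic should do. Suggested line: `if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' /etc/ssh/sshd_config | grep -i -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$"); then`, with the same change for the HostKey line; giving the second grep `-i` too keeps the two filters consistent, which the newly added `-i` on the first grep presumably intends. The warnings that follow also name `/etc/sshd_config` where the recommendation lines say `/etc/ssh/sshd_config`. The opening of this diagnostics function lies outside the hunk.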
# retrieve key from web of trust, import it into the host keyring, and
diagnostics
;;
- 'add-identity-certifier'|'add-certifier'|'a')
+ 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
add_certifier "$1"
;;
- 'remove-identity-certifier'|'remove-certifier'|'r')
+ 'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-')
remove_certifier "$1"
;;
- 'list-identity-certifiers'|'list-certifiers'|'list-certifier'|'l')
+ 'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c')
list_certifiers "$@"
;;
gpg_authentication_cmd "$@"
;;
- 'help'|'h'|'?')
+ '--help'|'help'|'-h'|'h'|'?')
usage
;;