-#!/bin/bash
+#!/usr/bin/env bash
# monkeysphere-server: MonkeySphere server admin tool
#
VARLIB="/var/lib/monkeysphere"
export VARLIB
-# date in UTF format if needed
+# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
# unset some environment variables that could screw things up
}
su_monkeysphere_user() {
- su --preserve-environment "$MONKEYSPHERE_USER" -- -c "$@"
+ su -m "$MONKEYSPHERE_USER" -c "$@"
}
# function to interact with the host gnupg keyring
# dumping to a file named ' ' so that the ssh-keygen output
# doesn't claim any potentially bogus hostname(s):
- tmpkey=$(mktemp -d)
+ tmpkey=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ "
echo -n "ssh fingerprint: "
(cd "$tmpkey" && ssh-keygen -l -f ' ' | awk '{ print $2 }')
for uname in $unames ; do
# check all specified users exist
if ! getent passwd "$uname" >/dev/null ; then
- log info "----- unknown user '$uname' -----"
+ log error "----- unknown user '$uname' -----"
continue
fi
fi
fi
- log info "----- user: $uname -----"
+ log verbose "----- user: $uname -----"
# exit if the authorized_user_ids file is empty
if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then
- log error "Improper permissions on authorized_user_ids file path."
+ log error "Improper permissions on path '$AUTHORIZED_USER_IDS'."
continue
fi
# check permissions on the authorized_keys file path
if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then
- log error "Improper permissions on authorized_keys file path path."
+ log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'."
continue
fi
# make temporary directory
- TMPDIR=$(mktemp -d)
+ TMPDIR=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
# trap to delete temporary directory on exit
trap "rm -rf $TMPDIR" EXIT
# add user-controlled authorized_keys file path if specified
if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then
- log info "adding raw authorized_keys file... "
+ log verbose "adding raw authorized_keys file... "
cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
fi
revoker=
# get options
- TEMP=$(getopt -o e:l:r -l expire:,length:,revoker: -n "$PGRM" -- "$@")
+ TEMP=$(PATH="/usr/local/bin:$PATH" getopt -o e:l:r -l expire:,length:,revoker: -n "$PGRM" -- "$@") || failure "getopt failed! Does your getopt support GNU-style long options?"
if [ $? != 0 ] ; then
exit 1
esac
done
- hostName=${1:-$(hostname --fqdn)}
+ hostName=${1:-$(hostname -f)}
userID="ssh://${hostName}"
# check for presense of key with user ID
EOF
)
- log info "generating server key..."
+ log verbose "generating server key..."
echo "$keyParameters" | gpg_host --batch --gen-key
# output the server fingerprint
fingerprint=$(fingerprint_server_key)
# export host ownertrust to authentication keyring
- log info "setting ultimate owner trust for server key..."
+ log verbose "setting ultimate owner trust for server key..."
echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"
# translate the private key to ssh format, and export to a file
gpg_authentication "--keyserver $KEYSERVER --send-keys '0x${fingerprint}!'"
}
+
diagnostics() {
# * check on the status and validity of the key and public certificates
local seckey
curdate=$(date +%s)
# warn when anything is 2 months away from expiration
warnwindow='2 months'
- warndate=$(date +%s -d "$warnwindow")
+ warndate=$(advance_date $warnwindow +%s)
+
+ if ! id monkeysphere >/dev/null ; then
+ echo "! No monkeysphere user found! Please create a monkeysphere system user."
+ fi
+
+ if ! [ -d "$VARLIB" ] ; then
+ echo "! no $VARLIB directory found. Please create it."
+ fi
echo "Checking host GPG key..."
if (( "$keysfound" < 1 )); then
echo "! Host key is expired."
echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
elif (( "$expire" < "$warndate" )); then
- echo "! Host key expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F)
+ echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
fi
fi
echo "! User ID '$uid' is expired."
# FIXME: recommend a way to resolve this
elif (( "$expire" < "$warndate" )); then
- echo "! User ID '$uid' expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F)
+ echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
# FIXME: recommend a way to resolve this
fi
fi
if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then
echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty."
else
- if [ $(stat -c '%a' "${VARLIB}/ssh_host_rsa_key") != 600 ] ; then
+ if [ $(ls -l "${VARLIB}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600."
fi
depth=1
# get options
- TEMP=$(getopt -o n:t:d: -l domain:,trust:,depth: -n "$PGRM" -- "$@")
+ TEMP=$(PATH="/usr/local/bin:$PATH" getopt -o n:t:d: -l domain:,trust:,depth: -n "$PGRM" -- "$@") || failure "getopt failed! Does your getopt support GNU-style long options?"
if [ $? != 0 ] ; then
exit 1
# defaults
LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="subkeys.pgp.net"}}
-AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.config/monkeysphere/authorized_user_ids"}}
+AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}