import_key() {
-local keyFile
+local sshKeyFile
local hostName
+local domain
local userID
-keyFile="$1"
-[ -f "$keyFile" ]
+sshKeyFile="$1"
+hostName="$2"
+
+# check that key file specified
+if [ -z "$sshKeyFile" ] ; then
+ failure "Must specify ssh key file to import, or specify '-' for stdin."
+fi
+
+# use the default hostname if not specified
+if [ -z "$hostName" ] ; then
+ hostName=$(hostname -f) || failure "Could not determine hostname."
+ # test that the domain is not obviously illegitimate
+ domain=${foo##*.}
+ case $domain in
+ 'local'|'localdomain')
+ failure "Host domain '$domain' is not legitimate. Aborting key import."
+ ;;
+ esac
+ # test that there are at least two parts
+ if (( $(echo "$hostName" | tr . ' ' | wc -w) < 2 )) ; then
+ failure "Host name '$hostName' is not legitimate. Aborting key import."
+ fi
+fi
-hostName=${2:-$(hostname -f)}
userID="ssh://${hostName}"
+if [ "$PROMPT" = "true" ] ; then
+ cat <<EOF
+The ssh key will be imported and an OpenPGP certificate for this host
+will be generated with the following user ID:
+ $userID
+EOF
+ read -p "Are you sure you would like to create certificate? [Y/n] " OK; OK=${OK:-Y}
+ if [ "${OK/y/Y}" != 'Y' ] ; then
+ failure "ssh key not imported."
+ fi
+else
+ log debug "importing key without prompting."
+fi
+
+
# create host home
-mkdir -p "$GNUPGHOME_HOST"
-chmod 700 "$GNUPGHOME_HOST"
+mkdir -p "${MHDATADIR}"
+mkdir -p "${GNUPGHOME_HOST}"
+chmod 700 "${GNUPGHOME_HOST}"
-log verbose "importing ssh key..."
-# translate ssh key to a private key
-PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" <"$keyFile" \
- | gpg_host --import
+# import ssh key to a private key
+if [ "$sshKeyFile" = '-' ] ; then
+ log verbose "importing ssh key from stdin..."
+ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
+ | gpg_host --import
+else
+ log verbose "importing ssh key from file '$sshKeyFile'..."
+ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
+ <"$sshKeyFile" \
+ | gpg_host --import
+fi
-# load the new host fpr into the fpr variable
+# load the new host fpr into the fpr variable. this is so we can
+# create the gpg pub key file. we have to do this from the secret key
+# ring since we obviously don't have the gpg pub key file yet, since
+# that's what we're trying to produce (see below).
load_fingerprint_secret
-# export the host public key to the monkeysphere ssh pub key file
-log debug "creating ssh public key file..."
-ssh-keygen -y -f "$keyFile" > "$HOST_KEY_PUB"
-log info "SSH host public key file: $HOST_KEY_PUB"
-
# export to gpg public key to file
-create_gpg_pub_file
+update_gpg_pub_file
+
+log info "host key imported:"
# show info about new key
show_key