X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;ds=sidebyside;f=src%2Fmonkeysphere-server;h=ce800593da8fec3cf82722393dc9ca7d05a31d3d;hb=38d9be677ee1928e92b6c914a5467fe9bf8bcd4e;hp=68c4b243ce5e50b8541f0ece0e7498c0621a4570;hpb=de3031b28bbccd2cb47a9029e69064330ee137e8;p=monkeysphere.git diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 68c4b24..ce80059 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -47,15 +47,13 @@ subcommands: publish-key (p) publish server's host key to keyserver add-identity-certifier (a) KEYID import and tsign a certification key - -n|--domain DOMAIN domain of certifier () - -t|--trust TRUST trust level of certifier (2) + -n|--domain DOMAIN limit ID certifications to IDs in DOMAIN () + -t|--trust TRUST trust level of certifier (full) -d|--depth DEPTH trust depth for certifier (1) remove-identity-certifier (r) KEYID remove a certification key list-identity-certifiers (l) list certification keys - gpg-authentication-cmd execute a gpg command to the - authentication keyring as the - monkeysphere user + gpg-authentication-cmd CMD gnupg-authentication command help (h,?) this help @@ -145,13 +143,15 @@ update_users() { log "----- user: $uname -----" + # exit if the authorized_user_ids file is empty if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then - log "Improper permissions on authorized_user_ids file." + log "Improper permissions on authorized_user_ids file path." continue fi + # check permissions on the authorized_keys file path if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then - log "Improper permissions on authorized_keys file." + log "Improper permissions on authorized_keys file path path." continue fi @@ -208,8 +208,7 @@ update_users() { chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" chmod g+r "$AUTHORIZED_KEYS" - # if the resulting authorized_keys file is not empty, move - # it into place + # move the resulting authorized_keys file into place mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}" # destroy temporary directory @@ -344,6 +343,10 @@ EOF fingerprint=$(gpg_host --list-key --with-colons --with-fingerprint "=${userID}" | \ grep '^fpr:' | head -1 | cut -d: -f10) + # export host ownertrust to authentication keyring + log "setting ultimate owner trust for server key..." + echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust" + # translate the private key to ssh format, and export to a file # for sshs usage. # NOTE: assumes that the primary key is the proper key to use @@ -360,7 +363,7 @@ fingerprint_server_key() { # publish server key to keyserver publish_server_key() { - read -p "really publish key to $KEYSERVER? (y/N) " OK; OK=${OK:=N} + read -p "Really publish key to $KEYSERVER? (y/N) " OK; OK=${OK:=N} if [ ${OK/y/Y} != 'Y' ] ; then failure "aborting." fi @@ -369,8 +372,11 @@ publish_server_key() { # FIXME: need to figure out better way to identify host key # dummy command so as not to publish fakes keys during testing # eventually: - #gpg_authentication "--keyring $GNUPGHOME_HOST/pubring.gpg --keyserver $KEYSERVER --send-keys $(hostname -f)" - failure "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)." + #gpg_authentication "--keyserver $KEYSERVER --send-keys $(hostname -f)" + echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)." + echo "The following command should publish the key:" + echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys $(hostname -f)'" + exit 255 } # retrieve key from web of trust, import it into the host keyring, and @@ -382,10 +388,11 @@ add_certifier() { local keyID local fingerprint local ltsignCommand + local trustval # set default values for trust depth and domain domain= - trust=2 + trust=full depth=1 # get options @@ -422,11 +429,11 @@ add_certifier() { done keyID="$1" + if [ -z "$keyID" ] ; then + failure "You must specify the key ID of a key to add." + fi export keyID - # export host ownertrust to authentication keyring - gpg_host --export-ownertrust | gpg_authentication "--import-ownertrust" - # get the key from the key server gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'" @@ -437,7 +444,8 @@ add_certifier() { echo "key found:" gpg_authentication "--fingerprint $fingerprint" - read -p "Are you sure you want to add this key as a certifier of users on this system? (y/N) " OK; OK=${OK:-N} + echo "Are you sure you want to add this key as a certifier of" + read -p "users on this system? (y/N) " OK; OK=${OK:-N} if [ "${OK/y/Y}" != 'Y' ] ; then failure "aborting." fi @@ -445,18 +453,26 @@ add_certifier() { # export the key to the host keyring gpg_authentication "--export $keyID" | gpg_host --import + if [ "$trust" == marginal ]; then + trustval=1 + elif [ "$trust" == full ]; then + trustval=2 + else + failure "trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)" + fi + # ltsign command # NOTE: *all* user IDs will be ltsigned ltsignCommand=$(cat <