X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fcommon;h=0f98923805600d7d916aa3a1dc352193e627c6dd;hb=0c2c01095b4e3e707a08e9ff6ebe61f18689bcaa;hp=8643080f595a67aee3f6e46aa1e4922a8a9bc2e6;hpb=4793624c65673268128fb0146cd9bd1b3cfeb6c4;p=monkeysphere.git diff --git a/src/common b/src/common old mode 100755 new mode 100644 index 8643080..0f98923 --- a/src/common +++ b/src/common @@ -14,8 +14,8 @@ # managed directories ETC="/etc/monkeysphere" export ETC -LIB="/var/lib/monkeysphere" -export LIB +CACHE="/var/cache/monkeysphere" +export CACHE ######################################################################## failure() { @@ -23,14 +23,8 @@ failure() { exit ${2:-'1'} } -# write output to stdout -log() { - echo -n "ms: " - echo "$@" -} - # write output to stderr -loge() { +log() { echo -n "ms: " 1>&2 echo "$@" 1>&2 } @@ -82,27 +76,36 @@ unescape() { echo "$1" | sed 's/\\x3a/:/' } -# stand in until we get dkg's gpg2ssh program -gpg2ssh_tmp() { +# convert key from gpg to ssh known_hosts format +gpg2known_hosts() { local keyID - local userID local host - keyID="$2" - userID="$3" - - if [ "$mode" = 'authorized_keys' ] ; then - gpgkey2ssh "$keyID" | sed -e "s/COMMENT/${userID}/" + keyID="$1" + host=$(echo "$2" | sed -e "s|ssh://||") # NOTE: it seems that ssh-keygen -R removes all comment fields from # all lines in the known_hosts file. why? # NOTE: just in case, the COMMENT can be matched with the # following regexp: # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' - elif [ "$MODE" = 'known_hosts' ] ; then - host=$(echo "$userID" | sed -e "s|ssh://||") - echo -n "$host "; gpgkey2ssh "$keyID" | sed -e "s/COMMENT/MonkeySphere${DATE}/" - fi + echo -n "$host " + gpg --export "$keyID" | \ + openpgp2ssh "$keyID" | tr -d '\n' + echo " MonkeySphere${DATE}" +} + +# convert key from gpg to ssh authorized_keys format +gpg2authorized_keys() { + local keyID + local userID + + keyID="$1" + userID="$2" + + gpg --export "$keyID" | \ + openpgp2ssh "$keyID" | tr -d '\n' + echo " MonkeySphere${DATE}:${userID}" } # userid and key policy checking @@ -144,7 +147,7 @@ process_user_id() { # return 1 if there only "tru" lines are output from gpg if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then - loge " key not found." + log " key not found." return 1 fi @@ -173,18 +176,18 @@ process_user_id() { # check primary key validity if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then - loge " unacceptable primary key validity ($validity)." + log " unacceptable primary key validity ($validity)." continue fi # check capability is not Disabled... if check_capability "$capability" 'D' ; then - loge " key disabled." + log " key disabled." continue fi # check overall key capability # must be Encryption and Authentication if ! check_capability "$capability" $requiredPubCapability ; then - loge " unacceptable primary key capability ($capability)." + log " unacceptable primary key capability ($capability)." continue fi @@ -233,17 +236,23 @@ process_user_id() { # key cache file if [ "$keyOK" -a "$uidOK" -a "${keyIDs[*]}" ] ; then for keyID in ${keyIDs[@]} ; do - loge " acceptable key/uid found." - - # export the key with gpg2ssh - # FIXME: needs to apply extra options for authorized_keys - # lines if specified - gpg2ssh_tmp "$keyID" "$userID" >> "$cacheDir"/"$userIDHash"."$pubKeyID" - - # hash the cache file if specified - if [ "$MODE" = 'known_hosts' -a "$HASH_KNOWN_HOSTS" ] ; then - ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1 - rm "$cacheDir"/"$userIDHash"."$pubKeyID".old + log " acceptable key/uid found." + + if [ "$MODE" = 'known_hosts' ] ; then + # export the key + gpg2known_hosts "$keyID" "$userID" >> \ + "$cacheDir"/"$userIDHash"."$pubKeyID" + # hash the cache file if specified + if [ "$HASH_KNOWN_HOSTS" ] ; then + ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1 + rm "$cacheDir"/"$userIDHash"."$pubKeyID".old + fi + elif [ "$MODE" = 'authorized_keys' ] ; then + # export the key + # FIXME: needs to apply extra options for authorized_keys + # lines if specified + gpg2authorized_keys "$keyID" "$userID" >> \ + "$cacheDir"/"$userIDHash"."$pubKeyID" fi done fi @@ -283,21 +292,76 @@ process_known_hosts() { cacheDir="$2" # take all the hosts from the known_hosts file (first field), - # grep out all the hashed hosts (lines starting with '|') + # grep out all the hashed hosts (lines starting with '|')... cut -d ' ' -f 1 "$knownHosts" | \ grep -v '^|.*$' | \ while IFS=, read -r -a hosts ; do - # process each host + # ...and process each host for host in ${hosts[*]} ; do process_host "$host" "$cacheDir" done done } -# process authorized_keys file +# update an authorized_keys file after first processing the +# authorized_user_ids file +update_authorized_keys() { + local msAuthorizedKeys + local userAuthorizedKeys + local cacheDir + + msAuthorizedKeys="$1" + userAuthorizedKeys="$2" + cacheDir="$3" + + process_authorized_ids "$AUTHORIZED_USER_IDS" "$cacheDir" + + # write output key file + log "writing monkeysphere authorized_keys file... " + touch "$msAuthorizedKeys" + if [ "$(ls "$cacheDir")" ] ; then + log -n "adding gpg keys... " + cat "$cacheDir"/* > "$msAuthorizedKeys" + echo "done." + else + log "no gpg keys to add." + fi + if [ "$userAuthorizedKeys" -a -s "$userAuthorizedKeys" ] ; then + log -n "adding user authorized_keys file... " + cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" + echo "done." + fi + log "monkeysphere authorized_keys file generated: $msAuthorizedKeys" +} + +# process an authorized_*_ids file +# go through line-by-line, extract each userid, and process +process_authorized_ids() { + local authorizedIDs + local cacheDir + local userID + + authorizedIDs="$1" + cacheDir="$2" + + # clean out keys file and remake keys directory + rm -rf "$cacheDir" + mkdir -p "$cacheDir" + + # loop through all user ids in file + # FIXME: needs to handle authorized_keys options + cat "$authorizedIDs" | meat | \ + while read -r userID ; do + # process the userid + log "processing userid: '$userID'" + process_user_id "$userID" "$cacheDir" > /dev/null + done +} + +# EXPERIMENTAL (unused) process userids found in authorized_keys file # go through line-by-line, extract monkeysphere userids from comment # fields, and process each userid -process_authorized_keys() { +process_userids_from_authorized_keys() { local authorizedKeys local cacheDir local userID @@ -328,26 +392,42 @@ process_authorized_keys() { done } -# process an authorized_*_ids file -# go through line-by-line, extract each userid, and process -process_authorized_ids() { - local authorizedIDs - local cacheDir +# update the cache for userid, and prompt to add file to +# authorized_user_ids file if the userid is found in gpg +# and not already in file. +update_userid() { local userID + local cacheDir + local userIDKeyCache - authorizedIDs="$1" + userID="$1" cacheDir="$2" - # clean out keys file and remake keys directory - rm -rf "$cacheDir" - mkdir -p "$cacheDir" + log "processing userid: '$userID'" + userIDKeyCache=$(process_user_id "$userID" "$cacheDir") + if [ -z "$userIDKeyCache" ] ; then + return 1 + fi + if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + echo "the following userid is not in the authorized_user_ids file:" + echo " $userID" + read -p "would you like to add? [Y|n]: " OK; OK=${OK:=Y} + if [ ${OK/y/Y} = 'Y' ] ; then + log -n " adding userid to authorized_user_ids file... " + echo "$userID" >> "$AUTHORIZED_USER_IDS" + echo "done." + fi + fi +} - # loop through all user ids in file - # FIXME: needs to handle authorized_keys options - cat "$authorizedIDs" | meat | \ - while read -r userID ; do - # process the userid - log "processing userid: '$userID'" - process_user_id "$userID" "$cacheDir" > /dev/null - done +# retrieve key from web of trust, and set owner trust to "full" +# if key is found. +trust_key() { + # get the key from the key server + gpg --keyserver "$KEYSERVER" --recv-key "$keyID" || failure "could not retrieve key '$keyID'" + + # edit the key to change trust + # FIXME: need to figure out how to automate this, + # in a batch mode or something. + gpg --edit-key "$keyID" }