X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere;h=57597e29f696bb2e60c5cbc822c218e06873e770;hb=46586fc0f24e24166a52c2a0efb3e2ab838eea81;hp=f279d86395a249b5169df2fd9d26fa30b1aceb90;hpb=4793624c65673268128fb0146cd9bd1b3cfeb6c4;p=monkeysphere.git diff --git a/src/monkeysphere b/src/monkeysphere index f279d86..57597e2 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -1,146 +1,291 @@ -#!/bin/sh +#!/bin/bash + +# monkeysphere: MonkeySphere client tool +# +# The monkeysphere scripts are written by: +# Jameson Rollins +# +# They are Copyright 2008, and are all released under the GPL, version 3 +# or later. ######################################################################## PGRM=$(basename $0) -SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"} -export SHAREDIR -. "${SHAREDIR}/common" - -GLOBAL_CONFIG=${GLOBAL_CONFIG:-"${ETC}"/monkeysphere.conf} -[ -r "$GLOBAL_CONFIG" ] && . "$GLOBAL_CONFIG" +SHARE=${MONKEYSPHERE_SHARE:-"/usr/share/monkeysphere"} +export SHARE +. "${SHARE}/common" || exit 1 # date in UTF format if needed DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up -GREP_OPTIONS= +unset GREP_OPTIONS + +# default return code +RETURN=0 + +# set the file creation mask to be only owner rw +umask 077 ######################################################################## # FUNCTIONS ######################################################################## usage() { -cat < [args] -Monkeysphere client tool. + cat < [options] [args] +MonkeySphere client tool. subcommands: - update-known-hosts (k) [HOST]... update known_hosts file - update-authorized-keys (a) update authorized_keys file - update-userid (u) [USERID]... add/update userid to - authorized_user_ids - help (h,?) this help + update-known_hosts (k) [HOST]... update known_hosts file + update-authorized_keys (a) update authorized_keys file + gen-subkey (g) KEYID generate an 'a' capable subkey + -l|--length BITS key length in bits (2048) + -e|--expire EXPIRE date to expire + help (h,?) this help + +EOF +} + +# generate a subkey with the 'a' usage flags set +gen_subkey(){ + local keyLength + local keyExpire + local keyID + local gpgOut + local userID + + # set default key parameter values + keyLength= + keyExpire= + + # get options + TEMP=$(getopt -o l:e: -l length:,expire: -n "$PGRM" -- "$@") + + if [ $? != 0 ] ; then + exit 1 + fi + + # Note the quotes around `$TEMP': they are essential! + eval set -- "$TEMP" + while true ; do + case "$1" in + -l|--length) + keyLength="$2" + shift 2 + ;; + -e|--expire) + keyExpire="$2" + shift 2 + ;; + --) + shift + ;; + *) + break + ;; + esac + done + + if [ -z "$1" ] ; then + # find all secret keys + keyID=$(gpg --with-colons --list-secret-keys | grep ^sec | cut -f5 -d:) + # if multiple sec keys exist, fail + if (( $(echo "$keyID" | wc -l) > 1 )) ; then + echo "Multiple secret keys found:" + echo "$keyID" + failure "Please specify which primary key to use." + fi + else + keyID="$1" + fi + if [ -z "$keyID" ] ; then + failure "You have no secret key available. You should create an OpenPGP +key before joining the monkeysphere. You can do this with: + gpg --gen-key" + fi + + # get key output, and fail if not found + gpgOut=$(gpg --quiet --fixed-list-mode --list-secret-keys --with-colons \ + "$keyID") || failure + + # fail if multiple sec lines are returned, which means the id + # given is not unique + if [ $(echo "$gpgOut" | grep '^sec:' | wc -l) -gt '1' ] ; then + failure "Key ID '$keyID' is not unique." + fi + + # prompt if an authentication subkey already exists + if echo "$gpgOut" | egrep "^(sec|ssb):" | cut -d: -f 12 | grep -q a ; then + echo "An authentication subkey already exists for key '$keyID'." + read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "aborting." + fi + fi + + # set subkey defaults + # prompt about key expiration if not specified + if [ -z "$keyExpire" ] ; then + cat < = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +EOF + while [ -z "$keyExpire" ] ; do + read -p "Key is valid for? (0) " keyExpire + if ! test_gpg_expire ${keyExpire:=0} ; then + echo "invalid value" + unset keyExpire + fi + done + elif ! test_gpg_expire "$keyExpire" ; then + failure "invalid key expiration value '$keyExpire'." + fi + + # generate the list of commands that will be passed to edit-key + editCommands=$(cat </dev/null; then + ssh-askpass "Please enter your passphrase for $keyID: " > "$fifoDir/pass" + else + read -s -p "Please enter your passphrase for $keyID: " PASS + echo "$PASS" > "$fifoDir/pass" + fi + rm -rf "$fifoDir" + wait + log "done." } ######################################################################## # MAIN ######################################################################## -COMMAND="$1" -[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." -shift +# unset variables that should be defined only in config file +unset KEYSERVER +unset CHECK_KEYSERVER +unset KNOWN_HOSTS +unset HASH_KNOWN_HOSTS +unset AUTHORIZED_KEYS -# set ms home directory -MS_HOME=${MS_HOME:-"$HOME"/.config/monkeysphere} +# load global config +[ -r "${ETC}/monkeysphere.conf" ] && . "${ETC}/monkeysphere.conf" -# load configuration file -MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere.conf} -[ -e "$MS_CONF" ] && . "$MS_CONF" +# set monkeysphere home directory +MONKEYSPHERE_HOME=${MONKEYSPHERE_HOME:="${HOME}/.config/monkeysphere"} +mkdir -p -m 0700 "$MONKEYSPHERE_HOME" -# set empty config variable with defaults -AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"$MS_HOME"/authorized_user_ids} -GNUPGHOME=${GNUPGHOME:-"$HOME"/.gnupg} -KEYSERVER=${KEYSERVER:-subkeys.pgp.net} -REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} -USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"$HOME"/.ssh/known_hosts} -HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-} +# load local config +[ -e ${MONKEYSPHERE_CONFIG:="${MONKEYSPHERE_HOME}/monkeysphere.conf"} ] && . "$MONKEYSPHERE_CONFIG" -export GNUPGHOME +# set empty config variables with ones from the environment, or from +# config file, or with defaults +GNUPGHOME=${MONKEYSPHERE_GNUPGHOME:=${GNUPGHOME:="${HOME}/.gnupg"}} +KEYSERVER=${MONKEYSPHERE_KEYSERVER:="$KEYSERVER"} +# if keyserver not specified in env or monkeysphere.conf, +# look in gpg.conf +if [ -z "$KEYSERVER" ] ; then + if [ -f "${GNUPGHOME}/gpg.conf" ] ; then + KEYSERVER=$(grep -e "^[[:space:]]*keyserver " "${GNUPGHOME}/gpg.conf" | tail -1 | awk '{ print $2 }') + fi +fi +# if it's still not specified, use the default +KEYSERVER=${KEYSERVER:="subkeys.pgp.net"} +CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}} +KNOWN_HOSTS=${MONKEYSPHERE_KNOWN_HOSTS:=${KNOWN_HOSTS:="${HOME}/.ssh/known_hosts"}} +HASH_KNOWN_HOSTS=${MONKEYSPHERE_HASH_KNOWN_HOSTS:=${HASH_KNOWN_HOSTS:="true"}} +AUTHORIZED_KEYS=${MONKEYSPHERE_AUTHORIZED_KEYS:=${AUTHORIZED_KEYS:="${HOME}/.ssh/authorized_keys"}} -# stagging locations -hostKeysCacheDir="$MS_HOME"/host_keys -userKeysCacheDir="$MS_HOME"/user_keys -msAuthorizedKeys="$MS_HOME"/authorized_keys +# other variables not in config file +AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:="${MONKEYSPHERE_HOME}/authorized_user_ids"} +REQUIRED_HOST_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_HOST_KEY_CAPABILITY:="a"} +REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} -# make sure gpg home exists with proper permissions +# export GNUPGHOME and make sure gpg home exists with proper +# permissions +export GNUPGHOME mkdir -p -m 0700 "$GNUPGHOME" +# get subcommand +COMMAND="$1" +[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." +shift + case $COMMAND in - 'update-known-hosts'|'k') + 'update-known_hosts'|'update-known-hosts'|'k') MODE='known_hosts' - # touch the known_hosts file to make sure it exists - touch "$USER_KNOWN_HOSTS" + # check permissions on the known_hosts file path + if ! check_key_file_permissions "$USER" "$KNOWN_HOSTS" ; then + failure "Improper permissions on known_hosts file path." + fi # if hosts are specified on the command line, process just # those hosts if [ "$1" ] ; then - for host ; do - process_host "$host" "$hostKeysCacheDir" - done + update_known_hosts "$@" + RETURN="$?" - # otherwise, if no hosts are specified, process the user - # known_hosts file + # otherwise, if no hosts are specified, process every host + # in the user's known_hosts file else - if [ ! -s "$USER_KNOWN_HOSTS" ] ; then - failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." + # exit if the known_hosts file does not exist + if [ ! -e "$KNOWN_HOSTS" ] ; then + log "known_hosts file '$KNOWN_HOSTS' does not exist." + exit fi - log "processing known_hosts file..." - process_known_hosts "$USER_KNOWN_HOSTS" "$hostKeysCacheDir" + + process_known_hosts + RETURN="$?" fi ;; - 'update-authorized-keys'|'a') + 'update-authorized_keys'|'update-authorized-keys'|'a') MODE='authorized_keys' - log "processing authorized_user_ids file..." - - # make sure authorized_user_ids file exists - if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then - log "authorized_user_ids file is empty or does not exist." - exit + # check permissions on the authorized_user_ids file path + if ! check_key_file_permissions "$USER" "$AUTHORIZED_USER_IDS" ; then + failure "Improper permissions on authorized_user_ids file path." fi - process_authorized_ids "$AUTHORIZED_USER_IDS" "$userKeysCacheDir" - - # write output key file - log "writing monkeysphere authorized_keys file... " - touch "$msAuthorizedKeys" - if [ "$(ls "$userKeysCacheDir")" ] ; then - log -n "adding gpg keys... " - cat "$userKeysCacheDir"/* > "$msAuthorizedKeys" - echo "done." - else - log "no gpg keys to add." + # check permissions on the authorized_keys file path + if ! check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" ; then + failure "Improper permissions on authorized_keys file path." fi - if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then - userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$HOME"} - if [ -s "$userAuthorizedKeys" ] ; then - log -n "adding user authorized_keys file... " - cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" - echo "done." - fi + + # exit if the authorized_user_ids file is empty + if [ ! -e "$AUTHORIZED_USER_IDS" ] ; then + log "authorized_user_ids file '$AUTHORIZED_USER_IDS' does not exist." + exit fi - log "monkeysphere authorized_keys file generated:" - log "$msAuthorizedKeys" + + # process authorized_user_ids file + process_authorized_user_ids "$AUTHORIZED_USER_IDS" + RETURN="$?" ;; - 'update-userid'|'u') - if [ -z "$1" ] ; then - failure "you must specify at least one userid." - fi - for userID ; do - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - log "userid '$userID' not in authorized_user_ids file." - continue - fi - log "processing user id: '$userID'" - process_user_id "$userID" "$userKeysCacheDir" > /dev/null - done + 'gen-subkey'|'g') + gen_subkey "$@" ;; 'help'|'h'|'?') @@ -149,6 +294,8 @@ case $COMMAND in *) failure "Unknown command: '$COMMAND' -Type 'cereal-admin help' for usage." +Type '$PGRM help' for usage." ;; esac + +exit "$RETURN"