X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere;h=59cb3d6ac45764e255fa1135f2eecdee24ca5541;hb=b7a13e19393e347ba66196a49e972d722d7d4780;hp=f959a386f56b82ef0f1e51079ff31bd0ae78a862;hpb=9d31bf789228de4126164e4349f19f288c9e7bb0;p=monkeysphere.git diff --git a/src/monkeysphere b/src/monkeysphere index f959a38..59cb3d6 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -4,6 +4,8 @@ # # The monkeysphere scripts are written by: # Jameson Rollins +# Jamie McClelland +# Daniel Kahn Gillmor # # They are Copyright 2008, and are all released under the GPL, version 3 # or later. @@ -32,16 +34,17 @@ umask 077 ######################################################################## usage() { - cat <&2 usage: $PGRM [options] [args] MonkeySphere client tool. subcommands: update-known_hosts (k) [HOST]... update known_hosts file update-authorized_keys (a) update authorized_keys file - gen-subkey (g) KEYID generate an 'a' capable subkey + gen-subkey (g) [KEYID] generate an authentication subkey --length (-l) BITS key length in bits (2048) --expire (-e) EXPIRE date to expire + subkey-to-ssh-agent (s) store authentication subkey in ssh-agent help (h,?) this help EOF @@ -90,7 +93,7 @@ gen_subkey(){ if [ -z "$1" ] ; then # find all secret keys - keyID=$(gpg --with-colons --list-secret-keys | grep ^sec | cut -f5 -d:) + keyID=$(gpg --with-colons --list-secret-keys | grep ^sec | cut -f5 -d: | sort -u) # if multiple sec keys exist, fail if (( $(echo "$keyID" | wc -l) > 1 )) ; then echo "Multiple secret keys found:" @@ -112,7 +115,7 @@ key before joining the monkeysphere. You can do this with: # fail if multiple sec lines are returned, which means the id # given is not unique - if [ $(echo "$gpgOut" | grep '^sec:' | wc -l) -gt '1' ] ; then + if [ $(echo "$gpgOut" | grep -c '^sec:') -gt '1' ] ; then failure "Key ID '$keyID' is not unique." fi @@ -127,25 +130,7 @@ key before joining the monkeysphere. You can do this with: # set subkey defaults # prompt about key expiration if not specified - if [ -z "$keyExpire" ] ; then - cat < = key expires in n days - w = key expires in n weeks - m = key expires in n months - y = key expires in n years -EOF - while [ -z "$keyExpire" ] ; do - read -p "Key is valid for? (0) " keyExpire - if ! test_gpg_expire ${keyExpire:=0} ; then - echo "invalid value" - unset keyExpire - fi - done - elif ! test_gpg_expire "$keyExpire" ; then - failure "invalid key expiration value '$keyExpire'." - fi + keyExpire=$(get_gpg_expiration "$keyExpire") # generate the list of commands that will be passed to edit-key editCommands=$(cat </dev/null; then - ssh-askpass "Please enter your passphrase for $keyID: " > "$fifoDir/pass" - else - read -s -p "Please enter your passphrase for $keyID: " PASS - echo "$PASS" > "$fifoDir/pass" - fi + + passphrase_prompt "Please enter your passphrase for $keyID: " "$fifoDir/pass" + rm -rf "$fifoDir" wait - log "done." + log verbose "done." +} + +function subkey_to_ssh_agent() { + # try to add all authentication subkeys to the agent: + + local sshaddresponse + local secretkeys + local authsubkeys + local workingdir + local keysuccess + local subkey + local publine + local kname + + if ! test_gnu_dummy_s2k_extension ; then + failure "Your version of GnuTLS does not seem capable of using with gpg's exported subkeys. +You may want to consider patching or upgrading. + +For more details, see: + http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html" + fi + + # if there's no agent running, don't bother: + if [ -z "$SSH_AUTH_SOCK" ] || ! which ssh-add >/dev/null ; then + failure "No ssh-agent available." + fi + + # and if it looks like it's running, but we can't actually talk to + # it, bail out: + ssh-add -l >/dev/null + sshaddresponse="$?" + if [ "$sshaddresponse" = "2" ]; then + failure "Could not connect to ssh-agent" + fi + + # get list of secret keys (to work around https://bugs.g10code.com/gnupg/issue945): + secretkeys=$(gpg --list-secret-keys --with-colons --fixed-list-mode --fingerprint | \ + grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }') + + if [ -z "$secretkeys" ]; then + failure "You have no secret keys in your keyring! +You might want to run 'gpg --gen-key'." + fi + + authsubkeys=$(gpg --list-secret-keys --with-colons --fixed-list-mode \ + --fingerprint --fingerprint $secretkeys | \ + cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \ + grep '^fpr::' | cut -f3 -d: | sort -u) + + if [ -z "$authsubkeys" ]; then + failure "no authentication-capable subkeys available. +You might want to 'monkeysphere gen-subkey'" + fi + + workingdir=$(mktemp -d) + umask 077 + mkfifo "$workingdir/passphrase" + keysuccess=1 + + # FIXME: we're currently allowing any other options to get passed + # through to ssh-add. should we limit it to known ones? For + # example: -d or -c and/or -t + + for subkey in $authsubkeys; do + # choose a label by which this key will be known in the agent: + # we are labelling the key by User ID instead of by + # fingerprint, but filtering out all / characters to make sure + # the filename is legit. + + primaryuid=$(gpg --with-colons --list-key "0x${subkey}!" | grep '^pub:' | cut -f10 -d: | tr -d /) + + #kname="[monkeysphere] $primaryuid" + kname="$primaryuid" + + if [ "$1" = '-d' ]; then + # we're removing the subkey: + gpg --export "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname" + (cd "$workingdir" && ssh-add -d "$kname") + else + # we're adding the subkey: + mkfifo "$workingdir/$kname" + gpg --quiet --passphrase-fd 3 3<"$workingdir/passphrase" \ + --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \ + --export-secret-subkeys "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname" & + (cd "$workingdir" && DISPLAY=nosuchdisplay SSH_ASKPASS=/bin/false ssh-add "$@" "$kname"