X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere;h=cb6c06c1907ac384a9450189bd2b82381f100994;hb=e71c7bb4dff26178f714cd0fcdbb3058effa4066;hp=58f0fdc632edaeb8f7aa679b24dbfa6e6c81809c;hpb=736054b1c1d8e3433d709ea8bbeb1b8ac7257927;p=monkeysphere.git diff --git a/src/monkeysphere b/src/monkeysphere index 58f0fdc..6db4827 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -1,183 +1,248 @@ -#!/bin/bash +#!/usr/bin/env bash -# monkeysphere: MonkeySphere client tool +# monkeysphere: Monkeysphere client tool # # The monkeysphere scripts are written by: # Jameson Rollins +# Jamie McClelland +# Daniel Kahn Gillmor +# Micah Anderson # -# They are Copyright 2008, and are all released under the GPL, version 3 +# They are Copyright 2008-2009, and are all released under the GPL, version 3 # or later. ######################################################################## +set -e + PGRM=$(basename $0) -SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"} -export SHAREDIR -. "${SHAREDIR}/common" +SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} +export SYSSHAREDIR +. "${SYSSHAREDIR}/common" || exit 1 -GLOBAL_CONFIG=${GLOBAL_CONFIG:-"${ETC}/monkeysphere.conf"} -[ -r "$GLOBAL_CONFIG" ] && . "$GLOBAL_CONFIG" +# sharedir for host functions +MSHAREDIR="${SYSSHAREDIR}/m" -# date in UTF format if needed +# UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up -GREP_OPTIONS= +unset GREP_OPTIONS + +# set the file creation mask to be only owner rw +umask 077 ######################################################################## # FUNCTIONS ######################################################################## usage() { -cat < [args] -MonkeySphere client tool. + cat <&2 +usage: $PGRM [options] [args] +Monkeysphere client tool. subcommands: - update-known_hosts (k) [HOST]... update known_hosts file - update-authorized_keys (a) update authorized_keys file - gen-subkey (g) KEYID generate an 'a' capable subkey - help (h,?) this help + update-known_hosts (k) [HOST]... update known_hosts file + update-authorized_keys (a) update authorized_keys file + gen-subkey (g) [KEYID] generate an authentication subkey + --length (-l) BITS key length in bits (2048) + ssh-proxycommand monkeysphere ssh ProxyCommand + subkey-to-ssh-agent (s) store authentication subkey in ssh-agent + version (v) show version number + help (h,?) this help EOF } -# generate a subkey with the 'a' usage flags set -# FIXME: this needs some tweaking to clean it up -gen_subkey(){ - local keyID - local gpgOut - local userID +# user gpg command to define common options +gpg_user() { + gpg --no-greeting --quiet --no-tty "$@" +} - keyID="$1" +# take a secret key ID and check that only zero or one ID is provided, +# and that it corresponds to only a single secret key ID +check_gpg_sec_key_id() { + local gpgSecOut + + case "$#" in + 0) + gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:') + ;; + 1) + gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons "$keyID" | egrep '^sec:') || failure + ;; + *) + failure "You must specify only a single primary key ID." + ;; + esac + + # check that only a single secret key was found + case $(echo "$gpgSecOut" | grep -c '^sec:') in + 0) + failure "No secret keys found. Create an OpenPGP key with the following command: + gpg --gen-key" + ;; + 1) + echo "$gpgSecOut" | cut -d: -f5 + ;; + *) + echo "Multiple primary secret keys found:" + echo "$gpgSecOut" | cut -d: -f5 + echo "Please specify which primary key to use." + failure + ;; + esac +} - gpgOut=$(gpg --quiet --fixed-list-mode --list-keys --with-colons \ - "$keyID" 2> /dev/null) +# check that a valid authentication subkey does not already exist +check_gpg_authentication_subkey() { + local keyID + local IFS + local line + local type + local validity + local usage - # return 1 if there only "tru" lines are output from gpg - if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then - failure "Key ID '$keyID' not found." - fi + keyID="$1" - # set subkey defaults - SUBKEY_TYPE=${SUBKEY_TYPE:-"RSA"} - #SUBKEY_LENGTH=${SUBKEY_LENGTH:-"2048"} - SUBKEY_USAGE=${SUBKEY_USAGE:-"auth"} - SUBKEY_EXPIRE=${SUBKEY_EXPIRE:-"0"} - cat < = key expires in n days - w = key expires in n weeks - m = key expires in n months - y = key expires in n years -EOF - read -p "Key is valid for? ($SUBKEY_EXPIRE) " SUBKEY_EXPIRE; SUBKEY_EXPIRE=${SUBKEY_EXPIRE:-"0"} - - # generate the list of commands that will be passed to edit-key - editCommands=$(cat <&2 + if [ "$PROMPT" = "true" ] ; then + read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "aborting." + fi + break + else + failure "aborting." + fi + fi + done } ######################################################################## # MAIN ######################################################################## -COMMAND="$1" -[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." -shift - -# set ms home directory -MS_HOME=${MS_HOME:-"${HOME}/.config/monkeysphere"} - -# load configuration file -MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"} -[ -e "$MS_CONF" ] && . "$MS_CONF" - -# set empty config variable with defaults -AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} -GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} -KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} -CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} -REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"a"} -REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} -KNOWN_HOSTS=${KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} -AUTHORIZED_KEYS=${AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} -HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"} - +# set unset default variables +GNUPGHOME=${GNUPGHOME:="${HOME}/.gnupg"} +KNOWN_HOSTS="${HOME}/.ssh/known_hosts" +HASH_KNOWN_HOSTS="true" +AUTHORIZED_KEYS="${HOME}/.ssh/authorized_keys" + +# unset the check keyserver variable, since that needs to have +# different defaults for the different functions +unset CHECK_KEYSERVER + +# load global config +[ -r "${SYSCONFIGDIR}/monkeysphere.conf" ] \ + && . "${SYSCONFIGDIR}/monkeysphere.conf" + +# set monkeysphere home directory +MONKEYSPHERE_HOME=${MONKEYSPHERE_HOME:="${HOME}/.monkeysphere"} +mkdir -p -m 0700 "$MONKEYSPHERE_HOME" + +# load local config +[ -e ${MONKEYSPHERE_CONFIG:="${MONKEYSPHERE_HOME}/monkeysphere.conf"} ] \ + && . "$MONKEYSPHERE_CONFIG" + +# set empty config variables with ones from the environment +GNUPGHOME=${MONKEYSPHERE_GNUPGHOME:=$GNUPGHOME} +LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL} +KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER} +# if keyserver not specified in env or conf, then look in gpg.conf +if [ -z "$KEYSERVER" ] ; then + if [ -f "${GNUPGHOME}/gpg.conf" ] ; then + KEYSERVER=$(grep -e "^[[:space:]]*keyserver " "${GNUPGHOME}/gpg.conf" | tail -1 | awk '{ print $2 }') + fi +fi +PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT} +KNOWN_HOSTS=${MONKEYSPHERE_KNOWN_HOSTS:=$KNOWN_HOSTS} +HASH_KNOWN_HOSTS=${MONKEYSPHERE_HASH_KNOWN_HOSTS:=$HASH_KNOWN_HOSTS} +AUTHORIZED_KEYS=${MONKEYSPHERE_AUTHORIZED_KEYS:=$AUTHORIZED_KEYS} + +# other variables not in config file +AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:="${MONKEYSPHERE_HOME}/authorized_user_ids"} +REQUIRED_HOST_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_HOST_KEY_CAPABILITY:="a"} +REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} + +# export GNUPGHOME and make sure gpg home exists with proper +# permissions export GNUPGHOME - -# make sure gpg home exists with proper permissions mkdir -p -m 0700 "$GNUPGHOME" +export LOG_LEVEL -# make sure the user monkeysphere home directory exists -mkdir -p -m 0700 "$MS_HOME" -touch "$AUTHORIZED_USER_IDS" -touch "$AUTHORIZED_KEYS" +# get subcommand +COMMAND="$1" +[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." +shift case $COMMAND in 'update-known_hosts'|'update-known-hosts'|'k') - MODE='known_hosts' - - # touch the known_hosts file to make sure it exists - # ssh-keygen complains if it doesn't exist - touch "$KNOWN_HOSTS" + # whether or not to check keyservers + CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}} - # if hosts are specified on the command line, process just - # those hosts + # if hosts are specified on the command line, process just + # those hosts if [ "$1" ] ; then - process_hosts_known_hosts "$@" + update_known_hosts "$@" - # otherwise, if no hosts are specified, process every host - # in the user's known_hosts file + # otherwise, if no hosts are specified, process every host + # in the user's known_hosts file else - if [ ! -s "$KNOWN_HOSTS" ] ; then - failure "known_hosts file '$KNOWN_HOSTS' is empty." - fi - log "processing known_hosts file..." process_known_hosts fi - - log "known_hosts file updated." ;; 'update-authorized_keys'|'update-authorized-keys'|'a') - MODE='authorized_keys' - - # fail if the authorized_user_ids file is empty - if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then - failure "$AUTHORIZED_USER_IDS is empty." - fi + # whether or not to check keyservers + CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}} # process authorized_user_ids file - log "processing authorized_user_ids file..." process_authorized_user_ids "$AUTHORIZED_USER_IDS" - log "authorized_keys file updated." + ;; + + 'import-subkey'|'i') + source "${MSHAREDIR}/import_subkey" + import_subkey "$@" ;; 'gen-subkey'|'g') - keyID="$1" - if [ -z "$keyID" ] ; then - failure "You must specify the key ID of your primary key." - fi - gen_subkey "$keyID" + source "${MSHAREDIR}/gen_subkey" + gen_subkey "$@" + ;; + + 'ssh-proxycommand'|'p') + source "${MSHAREDIR}/ssh_proxycommand" + ssh_proxycommand "$@" + ;; + + 'subkey-to-ssh-agent'|'s') + source "${MSHAREDIR}/subkey_to_ssh_agent" + subkey_to_ssh_agent "$@" + ;; + + 'version'|'v') + version ;; - 'help'|'h'|'?') + '--help'|'help'|'-h'|'h'|'?') usage ;;