X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere;h=cb6c06c1907ac384a9450189bd2b82381f100994;hb=e71c7bb4dff26178f714cd0fcdbb3058effa4066;hp=a6ca62d7949189104cea0978e814b723b160143e;hpb=c32302172e3533b2170329206ff011d6e3a26a49;p=monkeysphere.git diff --git a/src/monkeysphere b/src/monkeysphere index a6ca62d..6db4827 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -1,209 +1,248 @@ -#!/bin/bash +#!/usr/bin/env bash -# monkeysphere: MonkeySphere client tool +# monkeysphere: Monkeysphere client tool # # The monkeysphere scripts are written by: # Jameson Rollins +# Jamie McClelland +# Daniel Kahn Gillmor +# Micah Anderson # -# They are Copyright 2008, and are all released under the GPL, version 3 +# They are Copyright 2008-2009, and are all released under the GPL, version 3 # or later. ######################################################################## +set -e + PGRM=$(basename $0) -SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"} -export SHAREDIR -. "${SHAREDIR}/common" +SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} +export SYSSHAREDIR +. "${SYSSHAREDIR}/common" || exit 1 -GLOBAL_CONFIG=${GLOBAL_CONFIG:-"${ETC}/monkeysphere.conf"} -[ -r "$GLOBAL_CONFIG" ] && . "$GLOBAL_CONFIG" +# sharedir for host functions +MSHAREDIR="${SYSSHAREDIR}/m" -# date in UTF format if needed +# UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up -GREP_OPTIONS= +unset GREP_OPTIONS + +# set the file creation mask to be only owner rw +umask 077 ######################################################################## # FUNCTIONS ######################################################################## usage() { -cat < [args] -MonkeySphere client tool. + cat <&2 +usage: $PGRM [options] [args] +Monkeysphere client tool. subcommands: - update-known_hosts (k) [HOST]... update known_hosts file - update-userids (u) [USERID]... add/update user IDs - remove-userids (r) [USERID]... remove user IDs - update-authorized_keys (a) update authorized_keys file - gen-subkey (g) KEYID generate an 'a' capable subkey - help (h,?) this help + update-known_hosts (k) [HOST]... update known_hosts file + update-authorized_keys (a) update authorized_keys file + gen-subkey (g) [KEYID] generate an authentication subkey + --length (-l) BITS key length in bits (2048) + ssh-proxycommand monkeysphere ssh ProxyCommand + subkey-to-ssh-agent (s) store authentication subkey in ssh-agent + version (v) show version number + help (h,?) this help EOF } -# generate a subkey with the 'a' usage flags set -# FIXME: this needs some tweaking to clean it up -gen_subkey(){ - local keyID - local gpgOut - local userID +# user gpg command to define common options +gpg_user() { + gpg --no-greeting --quiet --no-tty "$@" +} - keyID="$1" +# take a secret key ID and check that only zero or one ID is provided, +# and that it corresponds to only a single secret key ID +check_gpg_sec_key_id() { + local gpgSecOut + + case "$#" in + 0) + gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:') + ;; + 1) + gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons "$keyID" | egrep '^sec:') || failure + ;; + *) + failure "You must specify only a single primary key ID." + ;; + esac + + # check that only a single secret key was found + case $(echo "$gpgSecOut" | grep -c '^sec:') in + 0) + failure "No secret keys found. Create an OpenPGP key with the following command: + gpg --gen-key" + ;; + 1) + echo "$gpgSecOut" | cut -d: -f5 + ;; + *) + echo "Multiple primary secret keys found:" + echo "$gpgSecOut" | cut -d: -f5 + echo "Please specify which primary key to use." + failure + ;; + esac +} - gpgOut=$(gpg --fixed-list-mode --list-keys --with-colons \ - "$keyID" 2> /dev/null) +# check that a valid authentication subkey does not already exist +check_gpg_authentication_subkey() { + local keyID + local IFS + local line + local type + local validity + local usage - # return 1 if there only "tru" lines are output from gpg - if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then - failure "Key ID '$keyID' not found." - fi + keyID="$1" - # set subkey defaults - SUBKEY_TYPE=${SUBKEY_TYPE:-"RSA"} - #SUBKEY_LENGTH=${SUBKEY_LENGTH:-"2048"} - SUBKEY_USAGE=${SUBKEY_USAGE:-"auth"} - SUBKEY_EXPIRE=${SUBKEY_EXPIRE:-"0"} - cat < = key expires in n days - w = key expires in n weeks - m = key expires in n months - y = key expires in n years -EOF - read -p "Key is valid for? ($SUBKEY_EXPIRE) " SUBKEY_EXPIRE; SUBKEY_EXPIRE=${SUBKEY_EXPIRE:-"0"} - - # generate the list of commands that will be passed to edit-key - editCommands=$(cat <&2 + if [ "$PROMPT" = "true" ] ; then + read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "aborting." + fi + break + else + failure "aborting." + fi + fi + done } ######################################################################## # MAIN ######################################################################## -COMMAND="$1" -[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." -shift - -# set ms home directory -MS_HOME=${MS_HOME:-"${HOME}/.config/monkeysphere"} - -# load configuration file -MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"} -[ -e "$MS_CONF" ] && . "$MS_CONF" - -# set empty config variable with defaults -AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} -GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} -KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} -REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"} -REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} -USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} -HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"} - +# set unset default variables +GNUPGHOME=${GNUPGHOME:="${HOME}/.gnupg"} +KNOWN_HOSTS="${HOME}/.ssh/known_hosts" +HASH_KNOWN_HOSTS="true" +AUTHORIZED_KEYS="${HOME}/.ssh/authorized_keys" + +# unset the check keyserver variable, since that needs to have +# different defaults for the different functions +unset CHECK_KEYSERVER + +# load global config +[ -r "${SYSCONFIGDIR}/monkeysphere.conf" ] \ + && . "${SYSCONFIGDIR}/monkeysphere.conf" + +# set monkeysphere home directory +MONKEYSPHERE_HOME=${MONKEYSPHERE_HOME:="${HOME}/.monkeysphere"} +mkdir -p -m 0700 "$MONKEYSPHERE_HOME" + +# load local config +[ -e ${MONKEYSPHERE_CONFIG:="${MONKEYSPHERE_HOME}/monkeysphere.conf"} ] \ + && . "$MONKEYSPHERE_CONFIG" + +# set empty config variables with ones from the environment +GNUPGHOME=${MONKEYSPHERE_GNUPGHOME:=$GNUPGHOME} +LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL} +KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER} +# if keyserver not specified in env or conf, then look in gpg.conf +if [ -z "$KEYSERVER" ] ; then + if [ -f "${GNUPGHOME}/gpg.conf" ] ; then + KEYSERVER=$(grep -e "^[[:space:]]*keyserver " "${GNUPGHOME}/gpg.conf" | tail -1 | awk '{ print $2 }') + fi +fi +PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT} +KNOWN_HOSTS=${MONKEYSPHERE_KNOWN_HOSTS:=$KNOWN_HOSTS} +HASH_KNOWN_HOSTS=${MONKEYSPHERE_HASH_KNOWN_HOSTS:=$HASH_KNOWN_HOSTS} +AUTHORIZED_KEYS=${MONKEYSPHERE_AUTHORIZED_KEYS:=$AUTHORIZED_KEYS} + +# other variables not in config file +AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:="${MONKEYSPHERE_HOME}/authorized_user_ids"} +REQUIRED_HOST_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_HOST_KEY_CAPABILITY:="a"} +REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} + +# export GNUPGHOME and make sure gpg home exists with proper +# permissions export GNUPGHOME - -# stagging locations -hostKeysCacheDir="${MS_HOME}/host_keys" -userKeysCacheDir="${MS_HOME}/user_keys" -msAuthorizedKeys="${MS_HOME}/authorized_keys" - -# make sure gpg home exists with proper permissions mkdir -p -m 0700 "$GNUPGHOME" +export LOG_LEVEL -# make sure the user monkeysphere home directory exists -mkdir -p -m 0700 "$MS_HOME" -mkdir -p "$hostKeysCacheDir" -mkdir -p "$userKeysCacheDir" -touch "$AUTHORIZED_USER_IDS" +# get subcommand +COMMAND="$1" +[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." +shift case $COMMAND in 'update-known_hosts'|'update-known-hosts'|'k') - MODE='known_hosts' - - # touch the known_hosts file to make sure it exists - # ssh-keygen complains if it doesn't exist - touch "$USER_KNOWN_HOSTS" + # whether or not to check keyservers + CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}} - # if hosts are specified on the command line, process just - # those hosts + # if hosts are specified on the command line, process just + # those hosts if [ "$1" ] ; then - for host ; do - process_host "$host" "$hostKeysCacheDir" - done + update_known_hosts "$@" - # otherwise, if no hosts are specified, process every user - # in the user's known_hosts file + # otherwise, if no hosts are specified, process every host + # in the user's known_hosts file else - if [ ! -s "$USER_KNOWN_HOSTS" ] ; then - failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." - fi - log "processing known_hosts file..." - process_known_hosts "$hostKeysCacheDir" + process_known_hosts fi ;; - 'update-userids'|'update-userid'|'u') - if [ -z "$1" ] ; then - failure "you must specify at least one userid." - fi - for userID ; do - update_userid "$userID" "$userKeysCacheDir" - done - log "Run the following to update your monkeysphere authorized_keys file:" - log "$PGRM update-authorized_keys" + 'update-authorized_keys'|'update-authorized-keys'|'a') + # whether or not to check keyservers + CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}} + + # process authorized_user_ids file + process_authorized_user_ids "$AUTHORIZED_USER_IDS" ;; - 'remove-userids'|'remove-userid'|'r') - if [ -z "$1" ] ; then - failure "you must specify at least one userid." - fi - for userID ; do - remove_userid "$userID" - done - log "Run the following to update your monkeysphere authorized_keys file:" - log "$PGRM update-authorized_keys" + 'import-subkey'|'i') + source "${MSHAREDIR}/import_subkey" + import_subkey "$@" ;; - 'update-authorized_keys'|'update-authorized-keys'|'a') - MODE='authorized_keys' + 'gen-subkey'|'g') + source "${MSHAREDIR}/gen_subkey" + gen_subkey "$@" + ;; - # fail if the authorized_user_ids file is empty - if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then - failure "$AUTHORIZED_USER_IDS is empty." - fi + 'ssh-proxycommand'|'p') + source "${MSHAREDIR}/ssh_proxycommand" + ssh_proxycommand "$@" + ;; - # update authorized_keys - update_authorized_keys "$msAuthorizedKeys" "$USER_CONTROLLED_AUTHORIZED_KEYS" "$userKeysCacheDir" + 'subkey-to-ssh-agent'|'s') + source "${MSHAREDIR}/subkey_to_ssh_agent" + subkey_to_ssh_agent "$@" ;; - 'gen-subkey'|'g') - keyID="$1" - if [ -z "$keyID" ] ; then - failure "You must specify the key ID of your primary key." - fi - gen_subkey "$keyID" + 'version'|'v') + version ;; - 'help'|'h'|'?') + '--help'|'help'|'-h'|'h'|'?') usage ;;