X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-authentication;h=c00965342deed2babe03720e85cdef84ad674345;hb=e71c7bb4dff26178f714cd0fcdbb3058effa4066;hp=7c43aa8790ddde36fba98f4ebc0e6404c95ba22f;hpb=89e447e2001c0406fab6d2e6ca300a19d492435b;p=monkeysphere.git diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 7c43aa8..c009653 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -14,6 +14,9 @@ ######################################################################## set -e +# set the pipefail option so pipelines fail on first command failure +set -o pipefail + PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} @@ -31,7 +34,7 @@ MADATADIR="${SYSDATADIR}/authentication" # temp directory to enable atomic moves of authorized_keys files MATMPDIR="${MADATADIR}/tmp" -export MSTMPDIR +export MATMPDIR # UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') @@ -52,108 +55,96 @@ usage: $PGRM [options] [args] Monkeysphere authentication admin tool. subcommands: - setup (s) setup monkeysphere user authentication update-users (u) [USER]... update user authorized_keys files - add-id-certifier (c+) KEYID import and tsign a certification key + + add-id-certifier (c+) [KEYID|FILE] import and tsign a certification key --domain (-n) DOMAIN limit ID certifications to DOMAIN --trust (-t) TRUST trust level of certifier (full) --depth (-d) DEPTH trust depth for certifier (1) remove-id-certifier (c-) KEYID remove a certification key list-id-certifiers (c) list certification keys - expert run expert command - expert help expert command help - version (v) show version number help (h,?) this help +See ${PGRM}(8) for more info. EOF } -# function to run command as monkeysphere user -su_monkeysphere_user() { - # if the current user is the monkeysphere user, then just eval - # command - if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then - eval "$@" - - # otherwise su command as monkeysphere user - else - su "$MONKEYSPHERE_USER" -c "$@" - fi -} - # function to interact with the gpg core keyring gpg_core() { - local returnCode - GNUPGHOME="$GNUPGHOME_CORE" export GNUPGHOME - # NOTE: we supress this warning because we need the monkeysphere - # user to be able to read the host pubring. we realize this might - # be problematic, but it's the simplest solution, without too much - # loss of security. - gpg --no-permission-warning "$@" - returnCode="$?" - - # always reset the permissions on the host pubring so that the - # monkeysphere user can read the trust signatures - chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_CORE}/pubring.gpg" - chmod g+r "${GNUPGHOME_CORE}/pubring.gpg" - - return "$returnCode" + gpg --no-greeting --quiet --no-tty "$@" } # function to interact with the gpg sphere keyring -# FIXME: this function requires basically accepts only a single -# argument because of problems with quote expansion. this needs to be -# fixed/improved. +# FIXME: this function requires only a single argument because of +# problems with quote expansion. this needs to be fixed/improved. gpg_sphere() { GNUPGHOME="$GNUPGHOME_SPHERE" export GNUPGHOME + + su_monkeysphere_user "gpg --no-greeting --quiet --no-tty $@" +} - su_monkeysphere_user "gpg $@" +# output to stdout the core fingerprint from the gpg core secret +# keyring +core_fingerprint() { + log debug "determining core key fingerprint..." + gpg_core --list-secret-key --with-colons \ + --fixed-list-mode --with-fingerprint \ + | grep ^fpr: | cut -d: -f10 +} + +# export signatures from core to sphere +gpg_core_sphere_sig_transfer() { + log debug "exporting core local sigs to sphere..." + gpg_core --export-options export-local-sigs --export | \ + gpg_sphere "--import-options import-local-sigs --import" } ######################################################################## # MAIN ######################################################################## -# unset variables that should be defined only in config file -unset KEYSERVER -unset AUTHORIZED_USER_IDS -unset RAW_AUTHORIZED_KEYS -unset MONKEYSPHERE_USER +# set unset default variables +AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids" +RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" # load configuration file -[ -e ${MONKEYSPHERE_AUTHENTICATION_CONFIG:="${SYSCONFIGDIR}/monkeysphere-authentication.conf"} ] && . "$MONKEYSPHERE_AUTHENTICATION_CONFIG" - -# set empty config variable with ones from the environment, or with -# defaults -LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}} -KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}} -AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}} -RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}} -MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}} +[ -e ${MONKEYSPHERE_AUTHENTICATION_CONFIG:="${SYSCONFIGDIR}/monkeysphere-authentication.conf"} ] \ + && . "$MONKEYSPHERE_AUTHENTICATION_CONFIG" + +# set empty config variable with ones from the environment +LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL} +KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER} +CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=$CHECK_KEYSERVER} +MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=$MONKEYSPHERE_USER} +PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT} +AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=$AUTHORIZED_USER_IDS} +RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=$RAW_AUTHORIZED_KEYS} # other variables -CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${MADATADIR}/core"} GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"} +CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"} # export variables needed in su invocation export DATE export MODE export LOG_LEVEL -export MONKEYSPHERE_USER export KEYSERVER +export MONKEYSPHERE_USER +export PROMPT export CHECK_KEYSERVER export REQUIRED_USER_KEY_CAPABILITY export GNUPGHOME_CORE export GNUPGHOME_SPHERE export GNUPGHOME +export CORE_KEYLENGTH # get subcommand COMMAND="$1" @@ -163,62 +154,52 @@ shift case $COMMAND in 'setup'|'setup'|'s') source "${MASHAREDIR}/setup" - setup "$@" + setup ;; 'update-users'|'update-user'|'u') + source "${MASHAREDIR}/setup" + setup source "${MASHAREDIR}/update_users" update_users "$@" ;; 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+') + source "${MASHAREDIR}/setup" + setup source "${MASHAREDIR}/add_certifier" add_certifier "$@" ;; 'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-') + source "${MASHAREDIR}/setup" + setup source "${MASHAREDIR}/remove_certifier" remove_certifier "$@" ;; 'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c') + source "${MASHAREDIR}/setup" + setup source "${MASHAREDIR}/list_certifiers" - list_certifiers "$@" + list_certifiers ;; - 'expert'|'e') - SUBCOMMAND="$1" - shift - case "$SUBCOMMAND" in - 'help'|'h'|'?') - cat < [options] [args] - -expert subcommands: - diagnostics (d) monkeysphere authentication status - gpg-cmd CMD execute gpg command - -EOF - ;; - - 'diagnostics'|'d') - source "${MASHAREDIR}/diagnostics" - diagnostics - ;; - - 'gpg-cmd') - gpg_sphere "$@" - ;; + 'diagnostics'|'d') + source "${MASHAREDIR}/setup" + setup + source "${MASHAREDIR}/diagnostics" + diagnostics + ;; - *) - failure "Unknown expert subcommand: '$COMMAND' -Type '$PGRM help' for usage." - ;; - esac + 'gpg-cmd') + source "${MASHAREDIR}/setup" + setup + gpg_sphere "$@" ;; 'version'|'v') - echo "$VERSION" + version ;; '--help'|'help'|'-h'|'h'|'?')