X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-host;h=4f536e2365a784addde542c4407d073c3c9d7a06;hb=638a70f020f4ccda3deb15e5c697d384e0f705d7;hp=8452e6c082dfddba52ace4638677da8c4e0b869d;hpb=a377e69b60eff2fa9e72bb931acb57833560d594;p=monkeysphere.git diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 8452e6c..4f536e2 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -34,9 +34,7 @@ MHSHAREDIR="${SYSSHAREDIR}/mh" MHDATADIR="${SYSDATADIR}/host" # host pub key files -HOST_KEY_FILE="${SYSDATADIR}/host_keys.pub.gpg" -# host pub key fingerprints file -HOST_KEY_FPR_FILE="${SYSDATADIR}/host_keys.fprs" +HOST_KEY_FILE="${SYSDATADIR}/host_keys.pub.pgp" # UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') @@ -81,9 +79,14 @@ gpg_host() { # list the info about the a key, in colon format, to stdout gpg_host_list_keys() { - gpg_host --list-keys --with-colons --fixed-list-mode \ - --with-fingerprint --with-fingerprint \ - "$1" + if [ "$1" ] ; then + gpg_host --list-keys --with-colons --fixed-list-mode \ + --with-fingerprint --with-fingerprint \ + "$1" + else + gpg_host --list-keys --with-colons --fixed-list-mode \ + --with-fingerprint --with-fingerprint + fi } # edit key scripts, takes scripts on stdin, and keyID as first input @@ -91,21 +94,12 @@ gpg_host_edit() { gpg_host --command-fd 0 --edit-key "$@" } -# export the monkeysphere gpg pub key file -update_gpg_pub_file() { +# export the monkeysphere OpenPGP pub key file +update_pgp_pub_file() { log debug "updating openpgp public key file '$HOST_KEY_FILE'..." - gpg_host --export --armor --export-options export-minimal > "$HOST_KEY_FILE" - log debug "updating fingerprint file '$HOST_KEY_FPR_FILE'..." - gpg_host --list-secret-key --with-colons --with-fingerprint \ - | awk -F: '/^fpr:/{ print $10 }' > "$HOST_KEY_FPR_FILE" -} - -host_fingerprints() { - local fprs=($(cat "$HOST_KEY_FPR_FILE")) - - log debug "host key fingerprints:" - printf '%s\n' "${fprs[@]}" | log debug - printf '%s\n' "${fprs[@]}" + gpg_host --export --armor --export-options export-minimal \ + $(gpg_host --list-secret-keys --with-colons --fingerprint | grep ^fpr | cut -f10 -d:) \ + > "$HOST_KEY_FILE" } # check that the service name is well formed @@ -116,7 +110,7 @@ check_service_name() { # fail if host key not present check_no_keys() { - [ -s "$HOST_KEY_FILE" ] || [ -s "$HOST_KEY_FPR_FILE" ] \ + [ -s "$HOST_KEY_FILE" ] \ || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host import-key' import a key." } @@ -126,7 +120,7 @@ Please run 'monkeysphere-host import-key' import a key." check_key_input() { local keyID="$1" # array of fingerprints - local fprs=($(host_fingerprints)) + local fprs=($(list_primary_fingerprints <"$HOST_KEY_FILE")) case ${#fprs[@]} in 0) @@ -139,7 +133,7 @@ Please run 'monkeysphere-host import-key' to import a key." *) if [ -z "$keyID" ] ; then failure "Your host keyring contains multiple keys. -Please specify one to act on (see 'monkeysphere-host show-key')." +Please specify one to act on (see 'monkeysphere-host show-keys')." fi ;; esac @@ -162,13 +156,32 @@ check_key_userid() { grep -q -x -F "$tmpuidMatch" 2>/dev/null } +prompt_userid_exists() { + local userID="$1" + local gpgOut + local fingerprint + + if gpgOut=$(gpg_host_list_keys "=${userID}" 2>/dev/null) ; then + fingerprint=$(echo "$gpgOut" | grep '^fpr:' | cut -d: -f10) + if [ "$PROMPT" = "true" ] ; then + printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$fingerprint" "$userID" >&2 + read OK; OK=${OK:=N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "Service name not added." + fi + else + log info "Key '%s' is already using the service name '%s'." "$fingerprint" "$userID" >&2 + fi + fi +} + # run command looped over keys multi_key() { local cmd="$1" shift local keys=$@ local i=0 - local fprs=($(host_fingerprints)) + local fprs=($(list_primary_fingerprints <"$HOST_KEY_FILE")) local key check_no_keys @@ -189,8 +202,8 @@ multi_key() { show_key() { local id="$1" local GNUPGHOME - local TMPSSH local fingerprint + local tmpssh local revokers # tmp gpghome dir @@ -202,27 +215,29 @@ show_key() { # import the host key into the tmp dir gpg --quiet --import <"$HOST_KEY_FILE" - # create the ssh key - TMPSSH="$GNUPGHOME"/ssh_host_key_rsa_pub - if ! gpg --export "$id" 2>/dev/null \ - | openpgp2ssh 2>/dev/null >"$TMPSSH" ; then - failure "Key '$id' not found." - fi - # get the gpg fingerprint - fingerprint=$(gpg --quiet --list-keys \ + if gpg --quiet --list-keys \ --with-colons --with-fingerprint "$id" \ - | grep '^fpr:' | cut -d: -f10 ) + | grep '^fpr:' | cut -d: -f10 > "$GNUPGHOME"/fingerprint ; then + fingerprint=$(cat "$GNUPGHOME"/fingerprint) + else + failure "ID '$id' not found." + fi + + # create the ssh key + tmpssh="$GNUPGHOME"/ssh_host_key_rsa_pub + gpg --export "$fingerprint" 2>/dev/null \ + | openpgp2ssh 2>/dev/null >"$tmpssh" # list the host key info # FIXME: make no-show-keyring work so we don't have to do the grep'ing # FIXME: can we show uid validity somehow? - gpg --list-keys --list-options show-unusable-uids "$id" 2>/dev/null \ + gpg --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \ | grep -v "^${GNUPGHOME}/pubring.gpg$" \ | egrep -v '^-+$' # list revokers, if there are any - revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$id" \ + revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$fingerprint" \ | awk -F: '/^rvk:/{ print $10 }' ) if [ "$revokers" ] ; then echo "The following keys are allowed to revoke this host key:" @@ -237,7 +252,7 @@ show_key() { # list the ssh fingerprint echo -n "ssh fingerprint: " - ssh-keygen -l -f "$TMPSSH" | awk '{ print $1, $2, $4 }' + ssh-keygen -l -f "$tmpssh" | awk '{ print $1, $2, $4 }' # remove the tmp file trap - EXIT @@ -332,8 +347,8 @@ case $COMMAND in diagnostics ;; - 'update-gpg-pub-file') - update_gpg_pub_file + 'update-pgp-pub-file') + update_pgp_pub_file ;; 'version'|'v')