X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-host;h=64023e056c7ad6de9e6a1c5bf978d503010ecfbf;hb=0c874fdd6abfa4b74d7805f2d2d121f08211b4aa;hp=3c2e3eead29106f3c15d43824ef13e47b98c9c6e;hpb=69354c87864076343793fb270b296ccb89bf3759;p=monkeysphere.git

diff --git a/src/monkeysphere-host b/src/monkeysphere-host
index 3c2e3ee..64023e0 100755
--- a/src/monkeysphere-host
+++ b/src/monkeysphere-host
@@ -32,6 +32,13 @@ MHSHAREDIR="${SYSSHAREDIR}/mh"
 # datadir for host functions
 MHDATADIR="${SYSDATADIR}/host"
 
+# temp directory for temp gnupghome directories for add_revoker
+MHTMPDIR="${MHDATADIR}/tmp"
+export MHTMPDIR
+
+# host pub key files
+HOST_KEY_FILE="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+
 # UTC date in ISO 8601 format if needed
 DATE=$(date -u '+%FT%T')
 
@@ -68,19 +75,6 @@ subcommands:
 EOF
 }
 
-# function to run command as monkeysphere user
-su_monkeysphere_user() {
-    # if the current user is the monkeysphere user, then just eval
-    # command
-    if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then
-	eval "$@"
-
-    # otherwise su command as monkeysphere user
-    else
-	su "$MONKEYSPHERE_USER" -c "$@"
-    fi
-}
-
 # function to interact with the gpg keyring
 gpg_host() {
     GNUPGHOME="$GNUPGHOME_HOST" gpg "$@"
@@ -100,25 +94,51 @@ gpg_host_edit() {
 	"0x${HOST_FINGERPRINT}!" "$@"
 }
 
-# export the host key to stdout
-gpg_host_export() {
+# export the host public key to the monkeysphere gpg pub key file
+create_gpg_pub_file() {
+    log debug "creating openpgp public key file..."
     gpg_host --export --armor --export-options export-minimal \
-	"0x${HOST_FINGERPRINT}!"
+	"0x${HOST_FINGERPRINT}!" > "$HOST_KEY_FILE"
+    log info "GPG host public key file: $HOST_KEY_FILE"
 }
 
-# export the host key to the monkeysphere host file key
-gpg_host_export_to_ssh_file() {
-    log debug "exporting openpgp public key..."
+# load the host fingerprint into the fingerprint variable, using the
+# export gpg pub key file
+# FIXME: this seems much less than ideal, with all this temp keyring
+# stuff.  is there a way we can do this without having to create temp
+# files?
+load_fingerprint() {
+    if [ -f "$HOST_KEY_FILE" ] ; then
+	HOST_FINGERPRINT=$( \
+	    (FUBAR=$(mktemp -d) && export GNUPGHOME="$FUBAR" \
+	    && gpg --quiet --import \
+	    && gpg --quiet --list-keys --with-colons --with-fingerprint \
+	    && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \
+	    | grep '^fpr:' | cut -d: -f10 )
+    else
+	HOST_FINGERPRINT=
+    fi
+}
 
-    gpg_host_export > "$HOST_KEY_PUB_GPG"
-    log info "SSH host public key in OpenPGP form: $HOST_KEY_PUB_GPG"
+# load the host fingerprint into the fingerprint variable, using the
+# gpg host secret key
+load_fingerprint_secret() {
+    HOST_FINGERPRINT=$( \
+	gpg_host --quiet --list-secret-key \
+	--with-colons --with-fingerprint \
+	| grep '^fpr:' | cut -d: -f10 )
 }
 
-# output just key fingerprint
-fingerprint_host_key() {
-    gpg_host --list-secret-keys --fingerprint \
-	--with-colons --fixed-list-mode 2> /dev/null | \
-	grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null
+# fail if host key present
+check_host_key() {
+    [ -z "$HOST_FINGERPRINT" ] \
+	|| failure "An OpenPGP host key already exists."
+}
+
+# fail if host key not present
+check_host_no_key() {
+    [ "$HOST_FINGERPRINT" ] \
+	|| failure "You don't appear to have a Monkeysphere host key on this server.  Please run 'monkeysphere-host expert import-key' first."
 }
 
 # output the index of a user ID on the host key
@@ -145,35 +165,20 @@ find_host_userid() {
     fi
 }
 
-# function to check for host secret key
-check_host_fail() {
-    [ "$HOST_FINGERPRINT" ] || \
-	failure "You don't appear to have a Monkeysphere host key on this server.  Please run 'monkeysphere-host expert import-key' first."
-}
-
 # show info about the host key
 show_key() {
-    local fingerprintSSH
-
-    # FIXME: should not have to be priviledged user to see this info.
-    # should be taken from publicly accessible key files, instead of
-    # the keyring.
-
     gpg_host --fingerprint --list-key --list-options show-unusable-uids \
-	"0x${HOST_FINGERPRINT}!" 2>/dev/null
+	"0x${HOST_FINGERPRINT}!" 2>/dev/null || true
+    # FIXME: make sure expiration date is shown
 
     echo "OpenPGP fingerprint: $HOST_FINGERPRINT"
 
-    if [ -f "$HOST_KEY_PUB" ] ; then
-	fingerprintSSH=$(ssh-keygen -l -f "$HOST_KEY_PUB" | \
-	    awk '{ print $1, $2, $4 }')
-
-	echo "ssh fingerprint: $fingerprintSSH"
-    else
-	log error "SSH host key not found."
-    fi
+    echo -n "ssh fingerprint: "
+    ssh-keygen -l -f /dev/stdin \
+	<<<$( gpg_host --export FEE16FA3 2>/dev/null \
+	| openpgp2ssh 8445B5203A8443B4B04F637DD4DE66B2FEE16FA3 2>/dev/null) \
+	| awk '{ print $1, $2, $4 }'
 
-    # FIXME: show expiration date
     # FIXME: other relevant key parameters?
 }
 
@@ -200,13 +205,6 @@ MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkey
 CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
 GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
 
-# host key fingerprint
-HOST_FINGERPRINT=$(fingerprint_host_key)
-
-# host pub key files
-HOST_KEY_PUB="${SYSDATADIR}/ssh_host_rsa_key.pub"
-HOST_KEY_PUB_GPG="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
-
 # export variables needed in su invocation
 export DATE
 export MODE
@@ -215,52 +213,58 @@ export MONKEYSPHERE_USER
 export KEYSERVER
 export GNUPGHOME_HOST
 export GNUPGHOME
-export HOST_FINGERPRINT
+export HOST_FINGERPRINT=
 
 # get subcommand
 COMMAND="$1"
 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
 shift
 
-
 case $COMMAND in
     'show-key'|'show'|'s')
-	check_host_fail
+	load_fingerprint
+	check_host_no_key
 	show_key
 	;;
 
     'set-expire'|'extend-key'|'e')
-	check_host_fail
+	load_fingerprint
+	check_host_no_key
 	source "${MHSHAREDIR}/set_expire"
 	set_expire "$@"
 	;;
 
     'add-hostname'|'add-name'|'n+')
-	check_host_fail
+	load_fingerprint
+	check_host_no_key
 	source "${MHSHAREDIR}/add_hostname"
 	add_hostname "$@"
 	;;
 
     'revoke-hostname'|'revoke-name'|'n-')
-	check_host_fail
+	load_fingerprint
+	check_host_no_key
 	source "${MHSHAREDIR}/revoke_hostname"
 	revoke_hostname "$@"
 	;;
 
     'add-revoker'|'o')
-	check_host_fail
+	load_fingerprint
+	check_host_no_key
 	source "${MHSHAREDIR}/add_revoker"
 	add_revoker "$@"
 	;;
 
     'revoke-key'|'r')
-	check_host_fail
+	load_fingerprint
+	check_host_no_key
 	source "${MHSHAREDIR}/revoke_key"
 	revoke_key "$@"
 	;;
 
     'publish-key'|'publish'|'p')
-	check_host_fail
+	load_fingerprint
+	check_host_no_key
 	source "${MHSHAREDIR}/publish_key"
 	publish_key
 	;;
@@ -283,11 +287,15 @@ EOF
 		;;
 
 	    'import-key'|'i')
+		load_fingerprint
+		check_host_key
 		source "${MHSHAREDIR}/import_key"
 		import_key "$@"
 		;;
 
 	    'gen-key'|'g')
+		load_fingerprint
+		check_host_key
 		source "${MHSHAREDIR}/gen_key"
 		gen_key "$@"
 		;;