X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-host;h=a6fa62fbd80dafcb4fb218b7b7d3e58b82a50cdb;hb=be606510fb37cac8ca7eddadf719efb0598a2ed2;hp=1f6825662382232440d1f85edb5b5eed53febf39;hpb=2e76a0c288f2c043e205f443410fb7dd0e239953;p=monkeysphere.git diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 1f68256..a6fa62f 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -3,23 +3,32 @@ # monkeysphere-host: Monkeysphere host admin tool # # The monkeysphere scripts are written by: -# Jameson Rollins +# Jameson Rollins # Jamie McClelland # Daniel Kahn Gillmor +# Micah Anderson # -# They are Copyright 2008, and are all released under the GPL, version 3 -# or later. +# They are Copyright 2008-2009, and are all released under the GPL, +# version 3 or later. ######################################################################## +set -e + PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} export SYSSHAREDIR . "${SYSSHAREDIR}/common" || exit 1 -SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere/host"} +SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} export SYSDATADIR +# sharedir for host functions +MHSHAREDIR="${SYSSHAREDIR}/mh" + +# datadir for host functions +MHDATADIR="${SYSDATADIR}/host" + # UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') @@ -40,21 +49,15 @@ Monkeysphere host admin tool. subcommands: show-key (s) output all host key information - extend-key (e) EXPIRE extend host key expiration + set-expire (e) EXPIRE set host key expiration add-hostname (n+) NAME[:PORT] add hostname user ID to host key revoke-hostname (n-) NAME[:PORT] revoke hostname user ID add-revoker (o) FINGERPRINT add a revoker to the host key revoke-key (r) revoke host key - publish-key (p) publish server host key to keyserver + publish-key (p) publish host key to keyserver - expert - import-key (i) [NAME[:PORT]] import existing ssh key to gpg - --keyfile (-f) FILE key file to import - --expire (-e) EXPIRE date to expire - gen-key (g) [NAME[:PORT]] generate gpg key for the host - --length (-l) BITS key length in bits (2048) - --expire (-e) EXPIRE date to expire - diagnostics (d) monkeysphere host status + expert run expert command + expert help expert command help version (v) show version number help (h,?) this help @@ -75,7 +78,7 @@ su_monkeysphere_user() { fi } -# function to interact with the host gnupg keyring +# function to interact with the gpg keyring gpg_host() { local returnCode @@ -86,19 +89,11 @@ gpg_host() { # user to be able to read the host pubring. we realize this might # be problematic, but it's the simplest solution, without too much # loss of security. - gpg --no-permission-warning "$@" - returnCode="$?" - - # always reset the permissions on the host pubring so that the - # monkeysphere user can read the trust signatures - chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg" - chmod g+r "${GNUPGHOME_HOST}/pubring.gpg" - - return "$returnCode" + gpg "$@" } # output just key fingerprint -fingerprint_server_key() { +fingerprint_host_key() { # set the pipefail option so functions fails if can't read sec key set -o pipefail @@ -109,37 +104,32 @@ fingerprint_server_key() { # function to check for host secret key check_host_keyring() { - fingerprint_server_key >/dev/null \ - || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-server gen-key' first." + fingerprint_host_key >/dev/null \ + || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host import-key' first." } # show info about the host key show_key() { local fingerprintPGP local fingerprintSSH - local ret=0 # FIXME: you shouldn't have to be root to see the host key fingerprint - if is_root ; then - check_host_keyring - fingerprintPGP=$(fingerprint_server_key) - gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprintPGP" 2>/dev/null - echo "OpenPGP fingerprint: $fingerprintPGP" - else - log info "You must be root to see host OpenPGP fingerprint." - ret='1' - fi + check_host_keyring + fingerprintPGP=$(fingerprint_host_key) - if [ -f "${SYSDATADIR}/ssh_host_rsa_key.pub" ] ; then - fingerprintSSH=$(ssh-keygen -l -f "${SYSDATADIR}/ssh_host_rsa_key.pub" | \ + gpg_host --fingerprint --list-key --list-options show-unusable-uids "0x${fingerprintPGP}!" 2>/dev/null + echo "OpenPGP fingerprint: $fingerprintPGP" + + if [ -f "${MHDATADIR}/ssh_host_rsa_key.pub" ] ; then + fingerprintSSH=$(ssh-keygen -l -f "${MHDATADIR}/ssh_host_rsa_key.pub" | \ awk '{ print $1, $2, $4 }') echo "ssh fingerprint: $fingerprintSSH" else log info "SSH host key not found." - ret='1' fi -return $ret + # FIXME: show expiration date + # FIXME: other relevant key parameters? } ######################################################################## @@ -148,12 +138,10 @@ return $ret # unset variables that should be defined only in config file unset KEYSERVER -unset AUTHORIZED_USER_IDS -unset RAW_AUTHORIZED_KEYS unset MONKEYSPHERE_USER # load configuration file -[ -e ${MONKEYSPHERE_SERVER_CONFIG:="${SYSCONFIGDIR}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG" +[ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] && . "$MONKEYSPHERE_HOST_CONFIG" # set empty config variable with ones from the environment, or with # defaults @@ -165,20 +153,15 @@ MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkey # other variables CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} -REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} -GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"} -GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"} +GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} # export variables needed in su invocation export DATE export MODE -export MONKEYSPHERE_USER export LOG_LEVEL +export MONKEYSPHERE_USER export KEYSERVER -export CHECK_KEYSERVER -export REQUIRED_USER_KEY_CAPABILITY export GNUPGHOME_HOST -export GNUPGHOME_AUTHENTICATION export GNUPGHOME # get subcommand @@ -188,53 +171,76 @@ shift case $COMMAND in 'show-key'|'show'|'s') - show_server_key + check_host_keyring + show_key ;; - 'extend-key'|'e') + # FIXME: what should we call this command? + 'set-expire'|'extend-key'|'e') check_host_keyring + source "${MHSHAREDIR}/extend_key" extend_key "$@" ;; 'add-hostname'|'add-name'|'n+') check_host_keyring + source "${MHSHAREDIR}/add_hostname" add_hostname "$@" ;; 'revoke-hostname'|'revoke-name'|'n-') check_host_keyring + source "${MHSHAREDIR}/revoke_hostname" revoke_hostname "$@" ;; 'add-revoker'|'o') check_host_keyring + source "${MHSHAREDIR}/add_revoker" add_revoker "$@" ;; 'revoke-key'|'r') check_host_keyring + source "${MHSHAREDIR}/revoke_key" revoke_key "$@" ;; 'publish-key'|'publish'|'p') check_host_keyring - publish_server_key + source "${MHSHAREDIR}/publish_key" + publish_key ;; 'expert'|'e') - check_user SUBCOMMAND="$1" shift case "$SUBCOMMAND" in + 'help'|'h'|'?') + cat < [options] [args] + +expert subcommands: + import-key (i) [NAME[:PORT]] import existing ssh key to gpg + gen-key (g) [NAME[:PORT]] generate gpg key for the host + --length (-l) BITS key length in bits (2048) + diagnostics (d) monkeysphere host status + +EOF + ;; + 'import-key'|'i') + source "${MHSHAREDIR}/import_key" import_key "$@" ;; 'gen-key'|'g') + source "${MHSHAREDIR}/gen_key" gen_key "$@" ;; 'diagnostics'|'d') + source "${MHSHAREDIR}/diagnostics" diagnostics ;;