X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-server;h=1e05799a00ca9ef64cdabec33ce3a51cc3fa3cdc;hb=927efbbbbb1477658a350d4aa2ba49d6d2d2842b;hp=40a6b5481cd3156372aa29d9d4348ec96cf9da03;hpb=3cea2ab969f54fc33ed238c5b326fb3868392a15;p=monkeysphere.git diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 40a6b54..1e05799 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -11,9 +11,12 @@ ######################################################################## PGRM=$(basename $0) -SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"} -export SHAREDIR -. "${SHAREDIR}/common" +SHARE=${SHARE:-"/usr/share/monkeysphere"} +export SHARE +. "${SHARE}/common" || exit 1 + +VARLIB="/var/lib/monkeysphere" +export VARLIB # date in UTF format if needed DATE=$(date -u '+%FT%T') @@ -21,6 +24,9 @@ DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up GREP_OPTIONS= +# default return code +ERR=0 + ######################################################################## # FUNCTIONS ######################################################################## @@ -31,25 +37,173 @@ usage: $PGRM [args] MonkeySphere server admin tool. subcommands: - update-users (s) [USER]... update users authorized_keys files + update-users (u) [USER]... update users authorized_keys files gen-key (g) [HOSTNAME] generate gpg key for the server show-fingerprint (f) show server's host key fingerprint - publish-key (p) publish server key to keyserver - trust-keys (t) KEYID... mark keyids as trusted + publish-key (p) publish server's host key to keyserver + trust-key (t) KEYID import and tsign a certification key help (h,?) this help EOF } +su_monkeysphere_user() { + su --preserve-environment "$MONKEYSPHERE_USER" -- -c "$@" +} + +# function to interact with the host gnupg keyring +gpg_host() { + local returnCode + + GNUPGHOME="$GNUPGHOME_HOST" + export GNUPGHOME + + # NOTE: we supress this warning because we need the monkeysphere + # user to be able to read the host pubring. we realize this might + # be problematic, but it's the simplest solution, without too much + # loss of security. + gpg --no-permission-warning "$@" + returnCode="$?" + + # always reset the permissions on the host pubring so that the + # monkeysphere user can read the trust signatures + chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg" + chmod g+r "${GNUPGHOME_HOST}/pubring.gpg" + + return "$returnCode" +} + +# function to interact with the authentication gnupg keyring +gpg_authentication() { + GNUPGHOME="$GNUPGHOME_AUTHENTICATION" + export GNUPGHOME + + su_monkeysphere_user "gpg $@" +} + +# update authorized_keys for users +update_users() { + if [ "$1" ] ; then + # get users from command line + unames="$@" + else + # or just look at all users if none specified + unames=$(getent passwd | cut -d: -f1) + fi + + # set mode + MODE="authorized_keys" + + # set gnupg home + GNUPGHOME="$GNUPGHOME_AUTHENTICATION" + + # check to see if the gpg trust database has been initialized + if [ ! -s "${GNUPGHOME}/trustdb.gpg" ] ; then + failure "GNUPG trust database uninitialized. Please see MONKEYSPHERE-SERVER(8)." + fi + + # make sure the authorized_keys directory exists + mkdir -p "${VARLIB}/authorized_keys" + + # loop over users + for uname in $unames ; do + # check all specified users exist + if ! getent passwd "$uname" >/dev/null ; then + error "----- unknown user '$uname' -----" + continue + fi + + # set authorized_user_ids and raw authorized_keys variables, + # translating ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") + rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS") + + # if neither is found, skip user + if [ ! -s "$authorizedUserIDs" ] ; then + if [ "$rawAuthorizedKeys" = '-' -o ! -s "$rawAuthorizedKeys" ] ; then + continue + fi + fi + + log "----- user: $uname -----" + + # make temporary directory + TMPDIR=$(mktemp -d) + + # trap to delete temporary directory on exit + trap "rm -rf $TMPDIR" EXIT + + # create temporary authorized_user_ids file + TMP_AUTHORIZED_USER_IDS="${TMPDIR}/authorized_user_ids" + touch "$TMP_AUTHORIZED_USER_IDS" + + # create temporary authorized_keys file + AUTHORIZED_KEYS="${TMPDIR}/authorized_keys" + touch "$AUTHORIZED_KEYS" + + # set restrictive permissions on the temporary files + # FIXME: is there a better way to do this? + chmod 0700 "$TMPDIR" + chmod 0600 "$AUTHORIZED_KEYS" + chmod 0600 "$TMP_AUTHORIZED_USER_IDS" + chown -R "$MONKEYSPHERE_USER" "$TMPDIR" + + # if the authorized_user_ids file exists... + if [ -s "$authorizedUserIDs" ] ; then + # copy user authorized_user_ids file to temporary + # location + cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS" + + # export needed variables + export AUTHORIZED_KEYS + export TMP_AUTHORIZED_USER_IDS + + # process authorized_user_ids file, as monkeysphere + # user + su_monkeysphere_user \ + ". ${SHARE}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" + ERR="$?" + fi + + # add user-controlled authorized_keys file path if specified + if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then + log -n "adding raw authorized_keys file... " + cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" + loge "done." + fi + + # openssh appears to check the contents of the + # authorized_keys file as the user in question, so the + # file must be readable by that user at least. + # FIXME: is there a better way to do this? + chown root "$AUTHORIZED_KEYS" + chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" + chmod g+r "$AUTHORIZED_KEYS" + + # if the resulting authorized_keys file is not empty, move + # it into place + mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}" + + log "authorized_keys file updated." + + # destroy temporary directory + rm -rf "$TMPDIR" + done +} + # generate server gpg key gen_key() { local hostName + local userID + local keyParameters + local fingerprint hostName=${1:-$(hostname --fqdn)} - service=${SERVICE:-"ssh"} - userID="${service}://${hostName}" - if gpg --list-key ="$userID" > /dev/null 2>&1 ; then + SERVICE=${SERVICE:-"ssh"} + userID="${SERVICE}://${hostName}" + + if gpg_host --list-key ="$userID" > /dev/null 2>&1 ; then failure "Key for '$userID' already exists" fi @@ -78,7 +232,7 @@ Expire-Date: $KEY_EXPIRE EOF ) - # add the revoker field if requested + # add the revoker field if specified # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key. why? # FIXME: why is this marked "sensitive"? how will this signature ever # be transmitted to the expected revoker? @@ -90,7 +244,7 @@ EOF ) fi - echo "The following key parameters will be used:" + echo "The following key parameters will be used for the host private key:" echo "$keyParameters" read -p "Generate key? [Y|n]: " OK; OK=${OK:=Y} @@ -106,33 +260,101 @@ EOF EOF ) - log "generating server key... " - echo "$keyParameters" | gpg --batch --gen-key + log "generating server key..." + echo "$keyParameters" | gpg_host --batch --gen-key # output the server fingerprint fingerprint_server_key "=${userID}" # find the key fingerprint of the server primary key - keyID=$(gpg --list-key --with-colons --with-fingerprint "=${userID}" | \ + fingerprint=$(gpg_host --list-key --with-colons --with-fingerprint "=${userID}" | \ grep '^fpr:' | head -1 | cut -d: -f10) - # write the key to the file + # translate the private key to ssh format, and export to a file + # for sshs usage. # NOTE: assumes that the primary key is the proper key to use - (umask 077 && gpgsecret2ssh "$keyID" > "${MS_HOME}/ssh_host_rsa_key") - log "Private SSH host key output to file: ${MS_HOME}/ssh_host_rsa_key" + (umask 077 && \ + gpg_host --export-secret-key "$fingerprint" | \ + openpgp2ssh "$fingerprint" > "${VARLIB}/ssh_host_rsa_key") + log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" } # gpg output key fingerprint fingerprint_server_key() { - local ID + gpg_host --fingerprint --list-secret-keys +} - if [ -z "$1" ] ; then - ID="$1" - else - ID="=ssh://$(hostname --fqdn)" +# publish server key to keyserver +publish_server_key() { + read -p "really publish key to $KEYSERVER? [y|N]: " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "aborting." + fi + + # publish host key + # FIXME: need to figure out better way to identify host key + # dummy command so as not to publish fakes keys during testing + # eventually: + #gpg_authentication "--keyring $GNUPGHOME_HOST/pubring.gpg --keyserver $KEYSERVER --send-keys $(hostname -f)" + failure "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)." +} + +# retrieve key from web of trust, and set owner trust to "full" +# if key is found. +trust_key() { + local keyID + local trustLevel + + keyID="$1" + + # default values for trust depth and domain + DEPTH=${DEPTH:-1} + DOMAIN=${DOMAIN:-} + + if [ -z "$keyID" ] ; then + failure "You must specify key to trust." + fi + + export keyID + + # export host ownertrust to authentication keyring + gpg_host --export-ownertrust | gpg_authentication "--import-ownertrust" + + # get the key from the key server + gpg_authentication "--keyserver $KEYSERVER --recv-key $keyID" + + # get the full fingerprint of a key ID + fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint $keyID" | \ + grep '^fpr:' | grep "$keyID" | cut -d: -f10) + + if [ -z "$fingerprint" ] ; then + failure "Could not find key '$keyID'." fi - gpg --fingerprint --list-secret-keys "$ID" + echo "key found:" + gpg_authentication "--fingerprint $fingerprint" + + # export the key to the host keyring + gpg_authentication "--export $keyID" | gpg_host --import + + # ltsign command + # NOTE: *all* user IDs will be ltsigned + ltsignCommand=$(cat </dev/null ; then - error "----- unknown user '$uname' -----" - continue - fi - - # set authorized_user_ids variable, - # translate ssh-style path variables - authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") - - # skip user if authorized_user_ids file does not exist - if [ ! -f "$authorizedUserIDs" ] ; then - continue - fi - - log "----- user: $uname -----" - - # temporary authorized_keys file - AUTHORIZED_KEYS=$(mktemp) - - # skip if the user's authorized_user_ids file is empty - if [ ! -s "$authorizedUserIDs" ] ; then - log "authorized_user_ids file '$authorizedUserIDs' is empty." - continue - fi - - # process authorized_user_ids file - log "processing authorized_user_ids file..." - process_authorized_user_ids "$authorizedUserIDs" - - # add user-controlled authorized_keys file path if specified - if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then - userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS") - if [ -f "$userAuthorizedKeys" ] ; then - log -n "adding user's authorized_keys file... " - cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS" - loge "done." - fi - fi - - # move the temp authorized_keys file into place - mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}" - - log "authorized_keys file updated." - done + 'update-users'|'update-user'|'u') + update_users "$@" ;; 'gen-key'|'g') - gen_key "$1" + gen_key "$@" ;; 'show-fingerprint'|'f') - fingerprint_server_key "$@" + fingerprint_server_key ;; 'publish-key'|'p') publish_server_key ;; - 'trust-keys'|'trust-key'|'t') - if [ -z "$1" ] ; then - failure "You must specify at least one key to trust." - fi - - # process key IDs - for keyID ; do - trust_key "$keyID" - done + 'trust-key'|'t') + trust_key "$@" ;; 'help'|'h'|'?')