X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-server;h=3caa63d4ac18061537cb2a111fdcd16f7c91b34e;hb=aaa834da0f1eb3ea52aabc9809dfe3510a159797;hp=69395a4dbb449f4b6dee8e85455586aa955d7e7d;hpb=46586fc0f24e24166a52c2a0efb3e2ab838eea81;p=monkeysphere.git diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 69395a4..3caa63d 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -1,9 +1,11 @@ -#!/bin/bash +#!/usr/bin/env bash # monkeysphere-server: MonkeySphere server admin tool # # The monkeysphere scripts are written by: # Jameson Rollins +# Jamie McClelland +# Daniel Kahn Gillmor # # They are Copyright 2008, and are all released under the GPL, version 3 # or later. @@ -11,14 +13,19 @@ ######################################################################## PGRM=$(basename $0) -SHARE=${MONKEYSPHERE_SHARE:="/usr/share/monkeysphere"} -export SHARE -. "${SHARE}/common" || exit 1 +SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} +export SYSSHAREDIR +. "${SYSSHAREDIR}/common" || exit 1 -VARLIB="/var/lib/monkeysphere" -export VARLIB +SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} +export SYSDATADIR -# date in UTF format if needed +# monkeysphere temp directory, in sysdatadir to enable atomic moves of +# authorized_keys files +MSTMPDIR="${SYSDATADIR}/tmp" +export MSTMPDIR + +# UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up @@ -32,39 +39,58 @@ RETURN=0 ######################################################################## usage() { - cat <&2 usage: $PGRM [options] [args] -MonkeySphere server admin tool. +Monkeysphere server admin tool. subcommands: update-users (u) [USER]... update user authorized_keys files - gen-key (g) [NAME[:PORT]] generate gpg key for the server - -l|--length BITS key length in bits (2048) - -e|--expire EXPIRE date to expire - -r|--revoker FINGERPRINT add a revoker - add-hostname (n+) NAME[:PORT] add hostname user ID to server key + import-key (i) import existing ssh key to gpg + --hostname (-h) NAME[:PORT] hostname for key user ID + --keyfile (-f) FILE key file to import + --expire (-e) EXPIRE date to expire + gen-key (g) generate gpg key for the host + --hostname (-h) NAME[:PORT] hostname for key user ID + --length (-l) BITS key length in bits (2048) + --expire (-e) EXPIRE date to expire + --revoker (-r) FINGERPRINT add a revoker + extend-key (e) EXPIRE extend host key expiration + add-hostname (n+) NAME[:PORT] add hostname user ID to host key revoke-hostname (n-) NAME[:PORT] revoke hostname user ID + add-revoker (o) FINGERPRINT add a revoker to the host key + revoke-key (r) revoke host key show-key (s) output all server host key information - fingerprint (f) output just the key fingerprint publish-key (p) publish server host key to keyserver diagnostics (d) report on server monkeysphere status add-id-certifier (c+) KEYID import and tsign a certification key - -n|--domain DOMAIN limit ID certifications to DOMAIN - -t|--trust TRUST trust level of certifier (full) - -d|--depth DEPTH trust depth for certifier (1) + --domain (-n) DOMAIN limit ID certifications to DOMAIN + --trust (-t) TRUST trust level of certifier (full) + --depth (-d) DEPTH trust depth for certifier (1) remove-id-certifier (c-) KEYID remove a certification key list-id-certifiers (c) list certification keys - gpg-authentication-cmd CMD gnupg-authentication command + gpg-authentication-cmd CMD give a gpg command to the + authentication keyring + + version (v) show version number + help (h,?) this help - -h|--help|help (h,?) this help EOF } +# function to run command as monkeysphere user su_monkeysphere_user() { - su --preserve-environment "$MONKEYSPHERE_USER" -- -c "$@" + # if the current user is the monkeysphere user, then just eval + # command + if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then + eval "$@" + + # otherwise su command as monkeysphere user + else + su "$MONKEYSPHERE_USER" -c "$@" + fi } # function to interact with the host gnupg keyring @@ -102,15 +128,47 @@ gpg_authentication() { # output just key fingerprint fingerprint_server_key() { - gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode | \ - grep '^fpr:' | head -1 | cut -d: -f10 + # set the pipefail option so functions fails if can't read sec key + set -o pipefail + + gpg_host --list-secret-keys --fingerprint \ + --with-colons --fixed-list-mode 2> /dev/null | \ + grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null +} + +# function to check for host secret key +check_host_keyring() { + fingerprint_server_key >/dev/null \ + || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-server gen-key' first." } # output key information show_server_key() { - local fingerprint - fingerprint=$(fingerprint_server_key) - gpg_host --fingerprint --list-secret-key "$fingerprint" + local fingerprintPGP + local fingerprintSSH + local ret=0 + + # FIXME: you shouldn't have to be root to see the host key fingerprint + check_host_keyring + fingerprintPGP=$(fingerprint_server_key) + gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprintPGP" 2>/dev/null + if [ $? -ne 0 ] ; then + log info "You must be root to see host OpenPGP fingerprint." + ret='1' + else + echo "OpenPGP fingerprint: $fingerprintPGP" + fi + + if [ -f "${SYSDATADIR}/ssh_host_rsa_key.pub" ] ; then + fingerprintSSH=$(ssh-keygen -l -f "${SYSDATADIR}/ssh_host_rsa_key.pub" | \ + awk '{ print $1, $2, $4 }') + echo "ssh fingerprint: $fingerprintSSH" + else + log info "SSH host key not found." + ret='1' + fi + + return $ret } # update authorized_keys for users @@ -123,6 +181,8 @@ update_users() { unames=$(getent passwd | cut -d: -f1) fi + RETCODE=0 + # set mode MODE="authorized_keys" @@ -135,132 +195,215 @@ update_users() { fi # make sure the authorized_keys directory exists - mkdir -p "${VARLIB}/authorized_keys" + mkdir -p "${SYSDATADIR}/authorized_keys" # loop over users for uname in $unames ; do # check all specified users exist - if ! getent passwd "$uname" >/dev/null ; then - log "----- unknown user '$uname' -----" - continue - fi - - # set authorized_user_ids and raw authorized_keys variables, - # translating ssh-style path variables - authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") - rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS") - - # if neither is found, skip user - if [ ! -s "$authorizedUserIDs" ] ; then - if [ "$rawAuthorizedKeys" = '-' -o ! -s "$rawAuthorizedKeys" ] ; then - continue - fi - fi - - log "----- user: $uname -----" - - # exit if the authorized_user_ids file is empty - if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then - log "Improper permissions on authorized_user_ids file path." + if ! id "$uname" >/dev/null ; then + log error "----- unknown user '$uname' -----" continue fi - # check permissions on the authorized_keys file path - if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then - log "Improper permissions on authorized_keys file path path." - continue - fi + log verbose "----- user: $uname -----" # make temporary directory - TMPDIR=$(mktemp -d) + TMPLOC=$(mktemp -d ${MSTMPDIR}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" # trap to delete temporary directory on exit - trap "rm -rf $TMPDIR" EXIT + trap "rm -rf $TMPLOC" EXIT # create temporary authorized_user_ids file - TMP_AUTHORIZED_USER_IDS="${TMPDIR}/authorized_user_ids" + TMP_AUTHORIZED_USER_IDS="${TMPLOC}/authorized_user_ids" touch "$TMP_AUTHORIZED_USER_IDS" # create temporary authorized_keys file - AUTHORIZED_KEYS="${TMPDIR}/authorized_keys" + AUTHORIZED_KEYS="${TMPLOC}/authorized_keys" touch "$AUTHORIZED_KEYS" # set restrictive permissions on the temporary files # FIXME: is there a better way to do this? - chmod 0700 "$TMPDIR" + chmod 0700 "$TMPLOC" chmod 0600 "$AUTHORIZED_KEYS" chmod 0600 "$TMP_AUTHORIZED_USER_IDS" - chown -R "$MONKEYSPHERE_USER" "$TMPDIR" + chown -R "$MONKEYSPHERE_USER" "$TMPLOC" - # if the authorized_user_ids file exists... + # process authorized_user_ids file + log debug "checking for authorized_user_ids..." + # translating ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") if [ -s "$authorizedUserIDs" ] ; then - # copy user authorized_user_ids file to temporary - # location - cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS" - - # export needed variables - export AUTHORIZED_KEYS - export TMP_AUTHORIZED_USER_IDS - - # process authorized_user_ids file, as monkeysphere - # user - su_monkeysphere_user \ - ". ${SHARE}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" - RETURN="$?" + # check permissions on the authorized_user_ids file path + if check_key_file_permissions "$uname" "$authorizedUserIDs" ; then + # copy user authorized_user_ids file to temporary + # location + cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS" + + # export needed variables + export AUTHORIZED_KEYS + export TMP_AUTHORIZED_USER_IDS + + # process authorized_user_ids file, as monkeysphere + # user + su_monkeysphere_user \ + ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" + RETURN="$?" + else + log debug "not processing authorized_user_ids." + fi + else + log debug "empty or absent authorized_user_ids file." fi - # add user-controlled authorized_keys file path if specified - if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then - log -n "adding raw authorized_keys file... " - cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" - loge "done." + # add user-controlled authorized_keys file if specified + # translate ssh-style path variables + rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS") + if [ "$rawAuthorizedKeys" != 'none' ] ; then + log debug "checking for raw authorized_keys..." + if [ -s "$rawAuthorizedKeys" ] ; then + # check permissions on the authorized_keys file path + if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then + log verbose "adding raw authorized_keys file... " + cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" + else + log debug "not adding raw authorized_keys file." + fi + else + log debug "empty or absent authorized_keys file." + fi fi - # openssh appears to check the contents of the - # authorized_keys file as the user in question, so the - # file must be readable by that user at least. - # FIXME: is there a better way to do this? - chown root "$AUTHORIZED_KEYS" - chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" - chmod g+r "$AUTHORIZED_KEYS" + # move the new authorized_keys file into place + if [ -s "$AUTHORIZED_KEYS" ] ; then + # openssh appears to check the contents of the + # authorized_keys file as the user in question, so the + # file must be readable by that user at least. + + # but in general, we don't want the user tampering with + # this file directly, so we'll adopt this approach: Own + # the file by the monkeysphere-server invoker (usually + # root, but should be the same uid that sshd is launched + # as); change the group of the file so that members of the + # user's group can read it. + + # FIXME: is there a better way to do this? + chown $(whoami) "$AUTHORIZED_KEYS" && \ + chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \ + chmod g+r "$AUTHORIZED_KEYS" && \ + mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}" || \ + { + log error "Failed to install authorized_keys for '$uname'!" + rm -f "${SYSDATADIR}/authorized_keys/${uname}" + # indicate that there has been a failure: + RETURN=1 + } + else + rm -f "${SYSDATADIR}/authorized_keys/${uname}" + fi - # move the resulting authorized_keys file into place - mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}" + # unset the trap + trap - EXIT # destroy temporary directory - rm -rf "$TMPDIR" + rm -rf "$TMPLOC" + done +} + +# import an existing ssh key to a gpg key +import_key() { + local hostName=$(hostname -f) + local keyFile="/etc/ssh/ssh_host_rsa_key" + local keyExpire + local userID + + # check for presense of secret key + # FIXME: is this the proper test to be doing here? + fingerprint_server_key >/dev/null \ + && failure "An OpenPGP host key already exists." + + # get options + while true ; do + case "$1" in + -h|--hostname) + hostName="$2" + shift 2 + ;; + -f|--keyfile) + keyFile="$2" + shift 2 + ;; + -e|--expire) + keyExpire="$2" + shift 2 + ;; + *) + if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then + failure "Unknown option '$1'. +Type '$PGRM help' for usage." + fi + break + ;; + esac done + + if [ ! -f "$keyFile" ] ; then + failure "SSH secret key file '$keyFile' not found." + fi + + userID="ssh://${hostName}" + + # prompt about key expiration if not specified + keyExpire=$(get_gpg_expiration "$keyExpire") + + echo "The following key parameters will be used for the host private key:" + echo "Import: $keyFile" + echo "Name-Real: $userID" + echo "Expire-Date: $keyExpire" + + read -p "Import key? (Y/n) " OK; OK=${OK:=Y} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "aborting." + fi + + log verbose "importing ssh key..." + # translate ssh key to a private key + (umask 077 && \ + pem2openpgp "$userID" "$keyExpire" < "$sshKey" | gpg_host --import) + + # find the key fingerprint of the newly converted key + fingerprint=$(fingerprint_server_key) + + # export host ownertrust to authentication keyring + log verbose "setting ultimate owner trust for host key..." + echo "${fingerprint}:6:" | gpg_host "--import-ownertrust" + echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust" + + # export public key to file + gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + + # show info about new key + show_server_key } # generate server gpg key gen_key() { - local keyType - local keyLength - local keyUsage + local keyType="RSA" + local keyLength="2048" + local keyUsage="auth" local keyExpire local revoker - local hostName + local hostName=$(hostname -f) local userID local keyParameters local fingerprint - # set default key parameter values - keyType="RSA" - keyLength="2048" - keyUsage="auth" - keyExpire= - revoker= + # check for presense of secret key + # FIXME: is this the proper test to be doing here? + fingerprint_server_key >/dev/null \ + && failure "An OpenPGP host key already exists." # get options - TEMP=$(getopt -o e:l:r -l expire:,length:,revoker: -n "$PGRM" -- "$@") - - if [ $? != 0 ] ; then - exit 1 - fi - - # Note the quotes around `$TEMP': they are essential! - eval set -- "$TEMP" - while true ; do case "$1" in -l|--length) @@ -275,62 +418,37 @@ gen_key() { revoker="$2" shift 2 ;; - --) - shift - ;; - *) + *) + if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then + failure "Unknown option '$1'. +Type '$PGRM help' for usage." + fi + hostName="$1" break ;; esac done - hostName=${1:-$(hostname --fqdn)} userID="ssh://${hostName}" - # check for presense of key with user ID - if gpg_host --list-key ="$userID" > /dev/null 2>&1 ; then - failure "Key for '$userID' already exists" - fi - # prompt about key expiration if not specified - if [ -z "$keyExpire" ] ; then - cat < = key expires in n days - w = key expires in n weeks - m = key expires in n months - y = key expires in n years -EOF - while [ -z "$keyExpire" ] ; do - read -p "Key is valid for? (0) " keyExpire - if ! test_gpg_expire ${keyExpire:=0} ; then - echo "invalid value" - unset keyExpire - fi - done - elif ! test_gpg_expire "$keyExpire" ; then - failure "invalid key expiration value '$keyExpire'." - fi + keyExpire=$(get_gpg_expiration "$keyExpire") # set key parameters - keyParameters=$(cat < "${VARLIB}/ssh_host_rsa_key") - log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" + openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key") + log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key" + ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub" + log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub" + gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + + # show info about new key + show_server_key +} + +# extend the lifetime of a host key: +extend_key() { + local fpr=$(fingerprint_server_key) + local extendTo="$1" + + # get the new expiration date + extendTo=$(get_gpg_expiration "$extendTo") + + gpg_host --quiet --command-fd 0 --edit-key "$fpr" </dev/null ; then + echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell." + problemsfound=$(($problemsfound+1)) + fi + + if ! [ -d "$SYSDATADIR" ] ; then + echo "! no $SYSDATADIR directory found. Please create it." + problemsfound=$(($problemsfound+1)) + fi echo "Checking host GPG key..." if (( "$keysfound" < 1 )); then echo "! No host key found." echo " - Recommendation: run 'monkeysphere-server gen-key'" + problemsfound=$(($problemsfound+1)) elif (( "$keysfound" > 1 )); then echo "! More than one host key found?" # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) else create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:) expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:) @@ -548,10 +730,12 @@ diagnostics() { if [ "$expire" ]; then if (( "$expire" < "$curdate" )); then echo "! Host key is expired." - # FIXME: recommend a way to resolve this other than re-keying? + echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + problemsfound=$(($problemsfound+1)) elif (( "$expire" < "$warndate" )); then - echo "! Host key expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F) - # FIXME: recommend a way to resolve this? + echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) + echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + problemsfound=$(($problemsfound+1)) fi fi @@ -559,6 +743,7 @@ diagnostics() { if [ "$create" ] && (( "$create" > "$curdate" )); then echo "! Host key was created in the future(?!). Is your clock correct?" echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" + problemsfound=$(($problemsfound+1)) fi # check for UserID expiration: @@ -570,14 +755,17 @@ diagnostics() { if [ "$create" ] && (( "$create" > "$curdate" )); then echo "! User ID '$uid' was created in the future(?!). Is your clock correct?" echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" + problemsfound=$(($problemsfound+1)) fi if [ "$expire" ] ; then if (( "$expire" < "$curdate" )); then echo "! User ID '$uid' is expired." - # FIXME: recommend a way to resolve this + # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) elif (( "$expire" < "$warndate" )); then - echo "! User ID '$uid' expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F) + echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) fi fi done @@ -593,24 +781,33 @@ diagnostics() { # have a way to do that after key generation?) # Ensure that the ssh_host_rsa_key file is present and non-empty: + echo echo "Checking host SSH key..." - if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then - echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty." + if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then + echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty." + problemsfound=$(($problemsfound+1)) else - if [ $(stat -c '%a' "${VARLIB}/ssh_host_rsa_key") != 600 ] ; then - echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600." + if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then + echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600." + problemsfound=$(($problemsfound+1)) fi # propose changes needed for sshd_config (if any) - if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then - echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)." - echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'" + if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then + echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)." + echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'" + problemsfound=$(($problemsfound+1)) fi - if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then - echo "! /etc/sshd_config refers to some non-monkeysphere host keys:" + if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then + echo "! $sshd_config refers to some non-monkeysphere host keys:" echo "$badhostkeys" echo " - Recommendation: remove the above HostKey lines from $sshd_config" + problemsfound=$(($problemsfound+1)) fi + + # FIXME: test (with ssh-keyscan?) that the running ssh + # daemon is actually offering the monkeysphere host key. + fi fi @@ -621,18 +818,34 @@ diagnostics() { # FIXME: look to see that the ownertrust rules are set properly on the # authentication keyring -# FIXME: make sure that at least one identity certifier exists +# FIXME: make sure that at least one identity certifier exists + +# FIXME: look at the timestamps on the monkeysphere-generated +# authorized_keys files -- warn if they seem out-of-date. +# FIXME: check for a cronjob that updates monkeysphere-generated +# authorized_keys? + + echo echo "Checking for MonkeySphere-enabled public-key authentication for users ..." # Ensure that User ID authentication is enabled: - if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" "$sshd_config"; then + if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then echo "! $sshd_config does not point to monkeysphere authorized keys." - echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'" + echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'" + problemsfound=$(($problemsfound+1)) fi - if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then - echo "! /etc/sshd_config refers to non-monkeysphere authorized_keys files:" + if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then + echo "! $sshd_config refers to non-monkeysphere authorized_keys files:" echo "$badauthorizedkeys" echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" + problemsfound=$(($problemsfound+1)) + fi + + if [ "$problemsfound" -gt 0 ]; then + echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:" + echo " monkeysphere-server diagnostics" + else + echo "Everything seems to be in order!" fi } @@ -653,15 +866,6 @@ add_certifier() { depth=1 # get options - TEMP=$(getopt -o n:t:d: -l domain:,trust:,depth: -n "$PGRM" -- "$@") - - if [ $? != 0 ] ; then - exit 1 - fi - - # Note the quotes around `$TEMP': they are essential! - eval set -- "$TEMP" - while true ; do case "$1" in -n|--domain) @@ -676,10 +880,11 @@ add_certifier() { depth="$2" shift 2 ;; - --) - shift - ;; - *) + *) + if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then + failure "Unknown option '$1'. +Type '$PGRM help' for usage." + fi break ;; esac @@ -687,35 +892,66 @@ add_certifier() { keyID="$1" if [ -z "$keyID" ] ; then - failure "You must specify the key ID of a key to add." + failure "You must specify the key ID of a key to add, or specify a file to read the key from." fi + if [ -f "$keyID" ] ; then + echo "Reading key from file '$keyID':" + importinfo=$(gpg_authentication "--import" < "$keyID" 2>&1) || failure "could not read key from '$keyID'" + # FIXME: if this is tried when the key database is not + # up-to-date, i got these errors (using set -x): + +# ++ su -m monkeysphere -c '\''gpg --import'\'' +# Warning: using insecure memory! +# gpg: key D21739E9: public key "Daniel Kahn Gillmor " imported +# gpg: Total number processed: 1 +# gpg: imported: 1 (RSA: 1) +# gpg: can'\''t create `/var/monkeysphere/gnupg-host/pubring.gpg.tmp'\'': Permission denied +# gpg: failed to rebuild keyring cache: Permission denied +# gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model +# gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u +# gpg: next trustdb check due at 2009-01-10' +# + failure 'could not read key from '\''/root/dkg.gpg'\''' +# + echo 'could not read key from '\''/root/dkg.gpg'\''' + + keyID=$(echo "$importinfo" | grep '^gpg: key ' | cut -f2 -d: | cut -f3 -d\ ) + if [ -z "$keyID" ] || [ $(echo "$keyID" | wc -l) -ne 1 ] ; then + failure "Expected there to be a single gpg key in the file." + fi + else + # get the key from the key server + gpg_authentication "--keyserver $KEYSERVER --recv-key '0x${keyID}!'" || failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver." + fi + export keyID - # get the key from the key server - gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'" # get the full fingerprint of a key ID - fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint $keyID" | \ + fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint 0x${keyID}!" | \ grep '^fpr:' | grep "$keyID" | cut -d: -f10) + if [ -z "$fingerprint" ] ; then + failure "Key '$keyID' not found." + fi + + echo echo "key found:" - gpg_authentication "--fingerprint $fingerprint" + gpg_authentication "--fingerprint 0x${fingerprint}!" - echo "Are you sure you want to add this key as a certifier of" - read -p "users on this system? (y/N) " OK; OK=${OK:-N} + echo "Are you sure you want to add the above key as a" + read -p "certifier of users on this system? (y/N) " OK; OK=${OK:-N} if [ "${OK/y/Y}" != 'Y' ] ; then - failure "aborting." + failure "Identity certifier not added." fi # export the key to the host keyring - gpg_authentication "--export $keyID" | gpg_host --import + gpg_authentication "--export 0x${fingerprint}!" | gpg_host --import - if [ "$trust" == marginal ]; then + if [ "$trust" = marginal ]; then trustval=1 - elif [ "$trust" == full ]; then + elif [ "$trust" = full ]; then trustval=2 else - failure "trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)" + failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)." fi # ltsign command @@ -732,10 +968,17 @@ EOF ) # ltsign the key - echo "$ltsignCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}"\! + if echo "$ltsignCommand" | \ + gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then + + # update the trustdb for the authentication keyring + gpg_authentication "--check-trustdb" - # update the trustdb for the authentication keyring - gpg_authentication "--check-trustdb" + echo + echo "Identity certifier added." + else + failure "Problem adding identify certifier." + fi } # delete a certifiers key from the host keyring @@ -748,16 +991,43 @@ remove_certifier() { failure "You must specify the key ID of a key to remove." fi - # delete the requested key (with prompting) - gpg_host --delete-key "$keyID" + if gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-key 0x${keyID}!" ; then + read -p "Really remove above listed identity certifier? (y/N) " OK; OK=${OK:-N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "Identity certifier not removed." + fi + else + failure + fi + + # delete the requested key + if gpg_authentication "--delete-key --batch --yes 0x${keyID}!" ; then + # delete key from host keyring as well + gpg_host --delete-key --batch --yes "0x${keyID}!" - # update the trustdb for the authentication keyring - gpg_authentication "--check-trustdb" + # update the trustdb for the authentication keyring + gpg_authentication "--check-trustdb" + + echo + echo "Identity certifier removed." + else + failure "Problem removing identity certifier." + fi } # list the host certifiers list_certifiers() { - gpg_host --list-keys + local keys + local key + + # find trusted keys in authentication keychain + keys=$(gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-keys --with-colons --fingerprint" | \ + grep ^pub: | cut -d: -f2,5 | egrep '^(u|f):' | cut -d: -f2) + + # output keys + for key in $keys ; do + gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-key --fingerprint $key" + done } # issue command to gpg-authentication keyring @@ -776,25 +1046,27 @@ unset RAW_AUTHORIZED_KEYS unset MONKEYSPHERE_USER # load configuration file -[ -e ${MONKEYSPHERE_SERVER_CONFIG:="${ETC}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG" +[ -e ${MONKEYSPHERE_SERVER_CONFIG:="${SYSCONFIGDIR}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG" # set empty config variable with ones from the environment, or with # defaults -KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="subkeys.pgp.net"}} -AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.config/monkeysphere/authorized_user_ids"}} +LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}} +KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}} +AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}} RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}} # other variables CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} -GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${VARLIB}/gnupg-host"} -GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${VARLIB}/gnupg-authentication"} +GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"} +GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"} # export variables needed in su invocation export DATE export MODE export MONKEYSPHERE_USER +export LOG_LEVEL export KEYSERVER export CHECK_KEYSERVER export REQUIRED_USER_KEY_CAPABILITY @@ -809,30 +1081,49 @@ shift case $COMMAND in 'update-users'|'update-user'|'u') + check_host_keyring update_users "$@" ;; + 'import-key'|'i') + import_key "$@" + ;; + 'gen-key'|'g') gen_key "$@" ;; + 'extend-key'|'e') + check_host_keyring + extend_key "$@" + ;; + 'add-hostname'|'add-name'|'n+') + check_host_keyring add_hostname "$@" ;; 'revoke-hostname'|'revoke-name'|'n-') + check_host_keyring revoke_hostname "$@" ;; - 'show-key'|'show'|'s') - show_server_key + 'add-revoker'|'o') + check_host_keyring + add_revoker "$@" + ;; + + 'revoke-key'|'r') + check_host_keyring + revoke_key "$@" ;; - 'show-fingerprint'|'fingerprint'|'f') - fingerprint_server_key + 'show-key'|'show'|'s') + show_server_key ;; 'publish-key'|'publish'|'p') + check_host_keyring publish_server_key ;; @@ -841,14 +1132,17 @@ case $COMMAND in ;; 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+') + check_host_keyring add_certifier "$@" ;; 'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-') + check_host_keyring remove_certifier "$@" ;; 'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c') + check_host_keyring list_certifiers "$@" ;; @@ -856,6 +1150,10 @@ case $COMMAND in gpg_authentication_cmd "$@" ;; + 'version'|'v') + echo "$VERSION" + ;; + '--help'|'help'|'-h'|'h'|'?') usage ;;