X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-server;h=560d249867d780183f9b070ed341c099bf948963;hb=b92675786ac883551528b3870c71c98066d60c0f;hp=f1b4892f75b33cd328dc1096389c59cf23eefbad;hpb=4793624c65673268128fb0146cd9bd1b3cfeb6c4;p=monkeysphere.git diff --git a/src/monkeysphere-server b/src/monkeysphere-server index f1b4892..560d249 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -1,4 +1,12 @@ -#!/bin/sh +#!/bin/bash + +# monkeysphere-server: MonkeySphere server admin tool +# +# The monkeysphere scripts are written by: +# Jameson Rollins +# +# They are Copyright 2008, and are all released under the GPL, version 3 +# or later. ######################################################################## PGRM=$(basename $0) @@ -20,36 +28,64 @@ GREP_OPTIONS= usage() { cat < [args] -Monkeysphere server admin tool. +MonkeySphere server admin tool. subcommands: - update-users (s) [USER]... update authorized_keys file - gen-key (g) generate gpg key for the host - publish-key (p) publish host gpg to keyserver - trust-key (t) KEYID [KEYID]... mark keyid as trusted - update-user-userid (u) USER UID [UID]... add/update userid for user - help (h,?) this help + update-users (s) [USER]... update users authorized_keys files + gen-key (g) [HOSTNAME] generate gpg key for the server + publish-key (p) publish server key to keyserver + trust-keys (t) KEYID... mark keyids as trusted + update-user-userids (u) USER UID... add/update user IDs for a user + remove-user-userids (r) USER UID... remove user IDs for a user + help (h,?) this help EOF } # generate server gpg key gen_key() { - KEY_TYPE=${KEY_TYPE:-RSA} - KEY_LENGTH=${KEY_LENGTH:-2048} - KEY_USAGE=${KEY_USAGE:-encrypt,auth} - SERVICE=${SERVICE:-ssh} - HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} + local hostName - USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} + hostName=${1:-$(hostname --fqdn)} - echo "key parameters:" + # set key defaults + KEY_TYPE=${KEY_TYPE:-"RSA"} + KEY_LENGTH=${KEY_LENGTH:-"2048"} + KEY_USAGE=${KEY_USAGE:-"auth,encrypt"} cat < = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +EOF + read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"} + + SERVICE=${SERVICE:-"ssh"} + USERID=${USERID:-"$SERVICE"://"$hostName"} + + # set key parameters + keyParameters=$(cat < /dev/null | grep '^pub:' | cut -d: -f5) +) - # dummy command so as not to publish fakes keys during testing - # eventually: - #gpg --send-keys --keyserver "$KEYSERVER" "$keyID" - echo "gpg --send-keys --keyserver $KEYSERVER $keyID" -} - -# trust key -trust_key() { - for keyID ; do - # get the key from the key server - gpg --keyserver "$KEYSERVER" --recv-key "$keyID" || failure "could not retrieve key '$keyID'" - - # edit the key to change trust - # FIXME: need to figure out how to automate this, - # in a batch mode or something. - gpg --edit-key "$keyID" - done + log -n "generating server key... " + echo "$keyParameters" | gpg --batch --gen-key + loge "done." } ######################################################################## @@ -114,98 +125,139 @@ MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf} [ -e "$MS_CONF" ] && . "$MS_CONF" # set empty config variable with defaults -GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} -KEYSERVER=${KEYSERVER:-subkeys.pgp.net} -REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} -STAGING_AREA=${STAGING_AREA:-"$LIB"/stage} +GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"} +KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} +CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} +REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} export GNUPGHOME +# make sure the monkeysphere home directory exists +mkdir -p "${MS_HOME}/authorized_user_ids" # make sure gpg home exists with proper permissions mkdir -p -m 0700 "$GNUPGHOME" +# make sure the authorized_keys directory exists +mkdir -p "${CACHE}/authorized_keys" case $COMMAND in - 'update-users'|'s') + 'update-users'|'update-user'|'s') if [ "$1" ] ; then unames="$@" else - unames=$(ls -1 "$MS_HOME"/authorized_user_ids) + unames=$(ls -1 "${MS_HOME}/authorized_user_ids") fi for uname in $unames ; do MODE="authorized_keys" - authorizedUserIDs="$MS_HOME"/authorized_user_ids/"$uname" - cacheDir="$STAGING_AREA"/"$uname"/user_keys - msAuthorizedKeys="$STAGING_AREA"/"$uname"/authorized_keys - # make sure authorized_user_ids file exists - if [ ! -s "$authorizedUserIDs" ] ; then - log "authorized_user_ids file for '$uname' is empty or does not exist." - continue - fi + log "----- user: $uname -----" - log "processing authorized_keys for user '$uname'..." + # set variables for the user + AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}" + # temporary authorized_keys file + AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp" - process_authorized_ids "$authorizedUserIDs" "$cacheDir" + # make sure user's authorized_user_ids file exists + touch "$AUTHORIZED_USER_IDS" + # make sure the authorized_keys file exists and is clear + > "$AUTHORIZED_KEYS" - # write output key file - log "writing monkeysphere authorized_keys file... " - touch "$msAuthorizedKeys" - if [ "$(ls "$cacheDir")" ] ; then - log -n "adding gpg keys... " - cat "$cacheDir"/* > "$msAuthorizedKeys" - echo "done." - else - log "no gpg keys to add." + # skip if the user's authorized_user_ids file is empty + if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then + log "authorized_user_ids file for '$uname' is empty." + continue fi - if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then + + # process authorized_user_ids file + log "processing authorized_user_ids file..." + process_authorized_user_ids + + # add user-controlled authorized_keys file path if specified + if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then userHome=$(getent passwd "$uname" | cut -d: -f6) userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"} - if [ -s "$userAuthorizedKeys" ] ; then - log -n "adding user authorized_keys file... " - cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" - echo "done." - fi + log -n "adding user's authorized_keys file... " + cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS" + loge "done." fi - log "monkeysphere authorized_keys file generated:" - log "$msAuthorizedKeys" + + # move the temp authorized_keys file into place + mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}" + + log "authorized_keys file updated." done + + log "----- done. -----" ;; 'gen-key'|'g') - gen_key + gen_key "$1" ;; 'publish-key'|'p') - publish_key + publish_server_key ;; - 'trust-key'|'t') + 'trust-keys'|'trust-key'|'t') if [ -z "$1" ] ; then - failure "you must specify at least one key to trust." + failure "You must specify at least one key to trust." fi - trust_key "$@" + + # process key IDs + for keyID ; do + trust_key "$keyID" + done ;; - 'update-user-userid'|'u') + 'update-user-userids'|'update-user-userid'|'u') uname="$1" shift if [ -z "$uname" ] ; then - failure "you must specify user." + failure "You must specify user." fi if [ -z "$1" ] ; then - failure "you must specify at least one userid." + failure "You must specify at least one user ID." fi + + # set variables for the user + AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + + # make sure user's authorized_user_ids file exists + touch "$AUTHORIZED_USER_IDS" + + # process the user IDs for userID ; do - AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - log "userid '$userID' not in authorized_user_ids file." - continue - fi - log "processing user id: '$userID'" - process_user_id "$userID" "$userKeysCacheDir" > /dev/null + update_userid "$userID" + done + + log "Run the following to update user's authorized_keys file:" + log "$PGRM update-users $uname" + ;; + + 'remove-user-userids'|'remove-user-userid'|'r') + uname="$1" + shift + if [ -z "$uname" ] ; then + failure "You must specify user." + fi + if [ -z "$1" ] ; then + failure "You must specify at least one user ID." + fi + + # set variables for the user + AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + + # make sure user's authorized_user_ids file exists + touch "$AUTHORIZED_USER_IDS" + + # process the user IDs + for userID ; do + remove_userid "$userID" done + + log "Run the following to update user's authorized_keys file:" + log "$PGRM update-users $uname" ;; 'help'|'h'|'?') @@ -214,6 +266,6 @@ case $COMMAND in *) failure "Unknown command: '$COMMAND' -Type 'cereal-admin help' for usage." +Type '$PGRM help' for usage." ;; esac