X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-server;h=6279c4561a324fc40dc7a358df409ef9bb06056c;hb=deb41134ca527508253244cfa8860a2031034825;hp=a109cf533229c78074e1fe543e37569b49618321;hpb=f049fa104308997359dcd4eb7fd68cabe06a43ba;p=monkeysphere.git diff --git a/src/monkeysphere-server b/src/monkeysphere-server index a109cf5..6279c45 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # monkeysphere-server: MonkeySphere server admin tool # @@ -28,14 +28,15 @@ GREP_OPTIONS= usage() { cat < [args] -Monkeysphere server admin tool. +MonkeySphere server admin tool. subcommands: update-users (s) [USER]... update users authorized_keys files - gen-key (g) generate gpg key for the server + gen-key (g) [HOSTNAME] generate gpg key for the server publish-key (p) publish server key to keyserver trust-keys (t) KEYID... mark keyids as trusted - update-user-userids (u) USER UID... add/update userids for a user + update-user-userids (u) USER UID... add/update user IDs for a user + remove-user-userids (r) USER UID... remove user IDs for a user help (h,?) this help EOF @@ -43,14 +44,26 @@ EOF # generate server gpg key gen_key() { + local hostName + + hostName=${1:-$(hostname --fqdn)} + # set key defaults KEY_TYPE=${KEY_TYPE:-"RSA"} KEY_LENGTH=${KEY_LENGTH:-"2048"} - KEY_USAGE=${KEY_USAGE:-"encrypt,auth"} - SERVICE=${SERVICE:-"ssh"} - HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} + KEY_USAGE=${KEY_USAGE:-"auth,encrypt"} + cat < = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +EOF + read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"} - USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} + SERVICE=${SERVICE:-"ssh"} + USERID=${USERID:-"$SERVICE"://"$hostName"} # set key parameters keyParameters=$(cat < /dev/null | grep '^pub:' | cut -d: -f5) - - # dummy command so as not to publish fakes keys during testing - # eventually: - #gpg --send-keys --keyserver "$KEYSERVER" "$keyID" - echo "NOT PUBLISHED: gpg --send-keys --keyserver $KEYSERVER $keyID" + echo "done." } ######################################################################## @@ -125,11 +125,10 @@ MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf} [ -e "$MS_CONF" ] && . "$MS_CONF" # set empty config variable with defaults -GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} -KEYSERVER=${KEYSERVER:-subkeys.pgp.net} -REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} -STAGING_AREA=${STAGING_AREA:-"$LIB"/stage} +GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"} +KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} +REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} export GNUPGHOME @@ -137,7 +136,7 @@ export GNUPGHOME mkdir -p -m 0700 "$GNUPGHOME" case $COMMAND in - 'update-users'|'s') + 'update-users'|'update-user'|'s') if [ "$1" ] ; then unames="$@" else @@ -149,13 +148,17 @@ case $COMMAND in log "----- user: $uname -----" + # set variables for the user AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" - cacheDir="$STAGING_AREA"/"$uname"/user_keys - msAuthorizedKeys="$STAGING_AREA"/"$uname"/authorized_keys + msAuthorizedKeys="$CACHE"/"$uname"/authorized_keys + cacheDir="$CACHE"/"$uname"/user_keys + + # make sure user's authorized_user_ids file exists + touch "$AUTHORIZED_USER_IDS" - # make sure authorized_user_ids file exists + # skip if the user's authorized_user_ids file is empty if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then - log "authorized_user_ids file for '$uname' is empty or does not exist." + log "authorized_user_ids file for '$uname' is empty." continue fi @@ -166,43 +169,80 @@ case $COMMAND in fi # update authorized_keys - update_authorized_keys "$cacheDir" "$msAuthorizedKeys" "$userAuthorizedKeys" + update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$cacheDir" done log "----- done. -----" ;; 'gen-key'|'g') - gen_key + gen_key "$1" ;; 'publish-key'|'p') - publish_key + publish_server_key ;; - 'trust-keys'|'t') + 'trust-keys'|'trust-key'|'t') if [ -z "$1" ] ; then - failure "you must specify at least one key to trust." + failure "You must specify at least one key to trust." fi + + # process key IDs for keyID ; do trust_key "$keyID" done ;; - 'update-user-userids'|'u') + 'update-user-userids'|'update-user-userid'|'u') uname="$1" shift if [ -z "$uname" ] ; then - failure "you must specify user." + failure "You must specify user." fi if [ -z "$1" ] ; then - failure "you must specify at least one userid." + failure "You must specify at least one user ID." fi + + # set variables for the user AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" - userKeysCacheDir="$STAGING_AREA"/"$uname"/user_keys + cacheDir="$CACHE"/"$uname"/user_keys + + # make sure user's authorized_user_ids file exists + touch "$AUTHORIZED_USER_IDS" + + # process the user IDs for userID ; do - update_userid "$userID" "$userKeysCacheDir" + update_userid "$userID" "$cacheDir" done + + log "Run the following to update user's authorized_keys file:" + log "$PGRM update-users $uname" + ;; + + 'remove-user-userids'|'remove-user-userid'|'r') + uname="$1" + shift + if [ -z "$uname" ] ; then + failure "You must specify user." + fi + if [ -z "$1" ] ; then + failure "You must specify at least one user ID." + fi + + # set variables for the user + AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + + # make sure user's authorized_user_ids file exists + touch "$AUTHORIZED_USER_IDS" + + # process the user IDs + for userID ; do + remove_userid "$userID" + done + + log "Run the following to update user's authorized_keys file:" + log "$PGRM update-users $uname" ;; 'help'|'h'|'?') @@ -211,6 +251,6 @@ case $COMMAND in *) failure "Unknown command: '$COMMAND' -Type 'cereal-admin help' for usage." +Type '$PGRM help' for usage." ;; esac