X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-server;h=8139387cca858152a2b9a2da42becbddabb04468;hb=a06fe8d31d992b6d57fd12fa615718580a6b62c4;hp=99e5f8007c5b3cba871c76eb685c2648e788002d;hpb=6ac379bdd75617cfab19c3b175a2e10257444de3;p=monkeysphere.git diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 99e5f80..8139387 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -4,6 +4,7 @@ # # The monkeysphere scripts are written by: # Jameson Rollins +# Jamie McClelland # Daniel Kahn Gillmor # # They are Copyright 2008, and are all released under the GPL, version 3 @@ -19,7 +20,7 @@ export SHARE VARLIB="/var/lib/monkeysphere" export VARLIB -# date in UTF format if needed +# UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up @@ -33,7 +34,7 @@ RETURN=0 ######################################################################## usage() { - cat <&2 usage: $PGRM [options] [args] MonkeySphere server admin tool. @@ -44,7 +45,7 @@ subcommands: --length (-l) BITS key length in bits (2048) --expire (-e) EXPIRE date to expire --revoker (-r) FINGERPRINT add a revoker - extend-key (e) EXPIRE extend expiration to EXPIRE + extend-key (e) EXPIRE extend expiration to EXPIRE add-hostname (n+) NAME[:PORT] add hostname user ID to server key revoke-hostname (n-) NAME[:PORT] revoke hostname user ID show-key (s) output all server host key information @@ -115,14 +116,14 @@ show_server_key() { local tmpkey fingerprint=$(fingerprint_server_key) - gpg_authentication "--fingerprint --list-key $fingerprint" + gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprint" # dumping to a file named ' ' so that the ssh-keygen output # doesn't claim any potentially bogus hostname(s): tmpkey=$(mktemp -d) gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ " echo -n "ssh fingerprint: " - (cd "$tmpkey" && ssh-keygen -l -f ' ') + (cd "$tmpkey" && ssh-keygen -l -f ' ' | awk '{ print $2 }') rm -rf "$tmpkey" echo -n "OpenPGP fingerprint: " echo "$fingerprint" @@ -156,7 +157,7 @@ update_users() { for uname in $unames ; do # check all specified users exist if ! getent passwd "$uname" >/dev/null ; then - log "----- unknown user '$uname' -----" + log error "----- unknown user '$uname' -----" continue fi @@ -172,17 +173,17 @@ update_users() { fi fi - log "----- user: $uname -----" + log verbose "----- user: $uname -----" # exit if the authorized_user_ids file is empty if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then - log "Improper permissions on authorized_user_ids file path." + log error "Improper permissions on path '$AUTHORIZED_USER_IDS'." continue fi # check permissions on the authorized_keys file path if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then - log "Improper permissions on authorized_keys file path path." + log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'." continue fi @@ -226,9 +227,8 @@ update_users() { # add user-controlled authorized_keys file path if specified if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then - log -n "adding raw authorized_keys file... " + log verbose "adding raw authorized_keys file... " cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" - loge "done." fi # openssh appears to check the contents of the @@ -308,12 +308,7 @@ gen_key() { fi # prompt about key expiration if not specified - if [ -z "$keyExpire" ] ; then - keyExpire=$(get_gpg_expiration) - fi - if ! test_gpg_expire "$keyExpire" ; then - failure "invalid key expiration value '$keyExpire'." - fi + keyExpire=$(get_gpg_expiration "$keyExpire") # set key parameters keyParameters=$(cat < "${VARLIB}/ssh_host_rsa_key") - log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" + log info "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" } # extend the lifetime of a host key: @@ -382,18 +377,16 @@ extend_key() { failure "You don't appear to have a MonkeySphere host key on this server. Try 'monkeysphere-server gen-key' first." fi - if [ -z "$extendTo" ]; then - extendTo=$(get_gpg_expiration) - fi - if ! test_gpg_expire "$extendTo" ; then - failure "invalid expiration value '$extendTo'." - fi + # get the new expiration date + extendTo=$(get_gpg_expiration "$extendTo") gpg_host --quiet --command-fd 0 --edit-key "$fpr" </dev/null ; then + echo "! No monkeysphere user found! Please create a monkeysphere system user." + fi + + if ! [ -d "$VARLIB" ] ; then + echo "! no $VARLIB directory found. Please create it." + fi + echo "Checking host GPG key..." if (( "$keysfound" < 1 )); then echo "! No host key found." @@ -813,6 +818,7 @@ remove_certifier() { if gpg_authentication "--delete-key --batch --yes 0x${keyID}!" ; then # delete key from host keyring as well gpg_host --delete-key --batch --yes "0x${keyID}!" + # update the trustdb for the authentication keyring gpg_authentication "--check-trustdb" @@ -858,8 +864,9 @@ unset MONKEYSPHERE_USER # set empty config variable with ones from the environment, or with # defaults +LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}} KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="subkeys.pgp.net"}} -AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.config/monkeysphere/authorized_user_ids"}} +AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}} RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}} @@ -873,6 +880,7 @@ GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${VARLIB}/gnu export DATE export MODE export MONKEYSPHERE_USER +export LOG_LEVEL export KEYSERVER export CHECK_KEYSERVER export REQUIRED_USER_KEY_CAPABILITY