X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-server;h=d2cac0e673570f50630e2a664739c23623796b5e;hb=b7a13e19393e347ba66196a49e972d722d7d4780;hp=1e5f2096677cb8dfa9522babeeec5877817b28e0;hpb=0e27af63f34c5bb75cef059fc9d76887251c1517;p=monkeysphere.git diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 1e5f209..d2cac0e 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -4,6 +4,8 @@ # # The monkeysphere scripts are written by: # Jameson Rollins +# Jamie McClelland +# Daniel Kahn Gillmor # # They are Copyright 2008, and are all released under the GPL, version 3 # or later. @@ -32,31 +34,35 @@ RETURN=0 ######################################################################## usage() { -cat <&2 usage: $PGRM [options] [args] MonkeySphere server admin tool. subcommands: update-users (u) [USER]... update user authorized_keys files - gen-key (g) [HOSTNAME] generate gpg key for the server - -l|--length BITS key length in bits (2048) - -e|--expire EXPIRE date to expire - -r|--revoker FINGERPRINT add a revoker - show-fingerprint (f) show server's host key fingerprint - publish-key (p) publish server's host key to keyserver - diagnostics (d) report on the server's monkeysphere status - - add-identity-certifier (a) KEYID import and tsign a certification key - -n|--domain DOMAIN limit ID certifications to IDs in DOMAIN - -t|--trust TRUST trust level of certifier (full) - -d|--depth DEPTH trust depth for certifier (1) - remove-identity-certifier (r) KEYID remove a certification key - list-identity-certifiers (l) list certification keys + gen-key (g) [NAME[:PORT]] generate gpg key for the server + --length (-l) BITS key length in bits (2048) + --expire (-e) EXPIRE date to expire + --revoker (-r) FINGERPRINT add a revoker + extend-key (e) EXPIRE extend expiration to EXPIRE + add-hostname (n+) NAME[:PORT] add hostname user ID to server key + revoke-hostname (n-) NAME[:PORT] revoke hostname user ID + show-key (s) output all server host key information + publish-key (p) publish server host key to keyserver + diagnostics (d) report on server monkeysphere status + + add-id-certifier (c+) KEYID import and tsign a certification key + --domain (-n) DOMAIN limit ID certifications to DOMAIN + --trust (-t) TRUST trust level of certifier (full) + --depth (-d) DEPTH trust depth for certifier (1) + remove-id-certifier (c-) KEYID remove a certification key + list-id-certifiers (c) list certification keys gpg-authentication-cmd CMD gnupg-authentication command - -h|--help|help (h,?) this help + help (h,?) this help + EOF } @@ -97,6 +103,32 @@ gpg_authentication() { su_monkeysphere_user "gpg $@" } +# output just key fingerprint +fingerprint_server_key() { + gpg_host --list-secret-keys --fingerprint \ + --with-colons --fixed-list-mode 2> /dev/null | \ + grep '^fpr:' | head -1 | cut -d: -f10 +} + +# output key information +show_server_key() { + local fingerprint + local tmpkey + + fingerprint=$(fingerprint_server_key) + gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprint" + + # dumping to a file named ' ' so that the ssh-keygen output + # doesn't claim any potentially bogus hostname(s): + tmpkey=$(mktemp -d) + gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ " + echo -n "ssh fingerprint: " + (cd "$tmpkey" && ssh-keygen -l -f ' ' | awk '{ print $2 }') + rm -rf "$tmpkey" + echo -n "OpenPGP fingerprint: " + echo "$fingerprint" +} + # update authorized_keys for users update_users() { if [ "$1" ] ; then @@ -125,7 +157,7 @@ update_users() { for uname in $unames ; do # check all specified users exist if ! getent passwd "$uname" >/dev/null ; then - log "----- unknown user '$uname' -----" + log error "----- unknown user '$uname' -----" continue fi @@ -141,17 +173,17 @@ update_users() { fi fi - log "----- user: $uname -----" + log verbose "----- user: $uname -----" # exit if the authorized_user_ids file is empty if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then - log "Improper permissions on authorized_user_ids file path." + log error "Improper permissions on path '$AUTHORIZED_USER_IDS'." continue fi # check permissions on the authorized_keys file path if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then - log "Improper permissions on authorized_keys file path path." + log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'." continue fi @@ -195,9 +227,8 @@ update_users() { # add user-controlled authorized_keys file path if specified if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then - log -n "adding raw authorized_keys file... " + log verbose "adding raw authorized_keys file... " cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" - loge "done." fi # openssh appears to check the contents of the @@ -277,25 +308,7 @@ gen_key() { fi # prompt about key expiration if not specified - if [ -z "$keyExpire" ] ; then - cat < = key expires in n days - w = key expires in n weeks - m = key expires in n months - y = key expires in n years -EOF - while [ -z "$keyExpire" ] ; do - read -p "Key is valid for? (0) " keyExpire - if ! test_gpg_expire ${keyExpire:=0} ; then - echo "invalid value" - unset keyExpire - fi - done - elif ! test_gpg_expire "$keyExpire" ; then - failure "invalid key expiration value '$keyExpire'." - fi + keyExpire=$(get_gpg_expiration "$keyExpire") # set key parameters keyParameters=$(cat < "${VARLIB}/ssh_host_rsa_key") - log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" + log info "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" } -# gpg output key fingerprint -fingerprint_server_key() { - gpg_host --fingerprint --list-secret-keys +# extend the lifetime of a host key: +extend_key() { + local fpr=$(fingerprint_server_key) + local extendTo="$1" + + if [ -z "$fpr" ] ; then + failure "You don't appear to have a MonkeySphere host key on this server. Try 'monkeysphere-server gen-key' first." + fi + + # get the new expiration date + extendTo=$(get_gpg_expiration "$extendTo") + + gpg_host --quiet --command-fd 0 --edit-key "$fpr" <