add start of a rhesus authorized_keys generator.
authorJameson Graef Rollins <jrollins@phys.columbia.edu>
Sun, 30 Mar 2008 06:00:11 +0000 (02:00 -0400)
committerJameson Graef Rollins <jrollins@phys.columbia.edu>
Sun, 30 Mar 2008 06:00:11 +0000 (02:00 -0400)
start of a monkeysphere.conf file (in bash)

monkeysphere.conf [new file with mode: 0644]
rhesus/README [new file with mode: 0644]
rhesus/rhesus [new file with mode: 0755]

diff --git a/monkeysphere.conf b/monkeysphere.conf
new file mode 100644 (file)
index 0000000..1e3abf9
--- /dev/null
@@ -0,0 +1,7 @@
+# monkeysphere configuration file
+# this is currently meant to be sourced by bash.
+CONF_DIR=/etc/monkeysphere
+AUTH_USER_IDS_DIR="$CONF_DIR"/auth_user_ids
+KEYRING="$CONF_DIR"/keyring.gpg
+KEYSERVER=subkeys.pgp.net
+GNUPGHOME="$CONF_DIR"/gnupg
diff --git a/rhesus/README b/rhesus/README
new file mode 100644 (file)
index 0000000..226361c
--- /dev/null
@@ -0,0 +1,7 @@
+rhesus is the monkeysphere authorized_keys generator.
+
+It's goal is to take a user's auth_user_ids file, which contains gpg
+user ids (and possibly authorized_keys options), use gpg to fetch the
+keys of the specified users, do a monkeysphere policy check on each
+id, and generate authorized_keys lines for verified id.
+
diff --git a/rhesus/rhesus b/rhesus/rhesus
new file mode 100755 (executable)
index 0000000..7979e41
--- /dev/null
@@ -0,0 +1,88 @@
+#!/bin/sh
+
+# rhesus: monkeysphere authorized_keys update script
+#
+# Written by
+# Jameson Rollins <jrollins@fifthhorseman.net>
+#
+# Copyright 2008, released under the GPL, version 3 or later
+
+##################################################
+# load conf file
+#. /etc/monkeysphere/monkeysphere.conf
+. ~/ms/monkeysphere.conf
+
+# user name of user to update
+USERNAME="$1"
+
+#AUTH_KEYS_DIR_BASE=/var/lib/monkeysphere/authorized_keys/
+AUTH_KEYS_DIR_BASE=~/ms/authorized_keys
+
+AUTH_KEYS_DIR="$AUTH_KEYS_DIR_BASE"/"$USERNAME"
+AUTH_KEYS_FILE="$AUTH_KEYS_DIR"/authorized_keys
+
+AUTH_USER_IDS="$AUTH_USER_IDS_DIR"/"$USERNAME"
+
+export GNUPGHOME
+##################################################
+
+### FUNCTIONS
+
+failure() {
+    echo "$1" >&2
+    exit ${2:-'1'}
+}
+
+meat() {
+    grep -v -e "^[[:space:]]*#" -e '^$' "$1"
+}
+
+cutline() {
+    head --line="$1" | tail -1
+}
+
+### MAIN
+
+# make sure the gnupg home exists with proper permissions
+mkdir -p "$GNUPGHOME"
+chmod 0700 "$GNUPGHOME"
+
+# find number of user ids in auth_user_ids file
+NLINES=$(meat "$AUTH_USER_IDS" | wc -l)
+
+# clean out keys file and remake keys directory
+rm -rf "$AUTH_KEYS_DIR"/keys
+mkdir -p "$AUTH_KEYS_DIR"/keys
+
+# loop through all user ids, and generate ssh keys
+for (( N=1; N<=$NLINES; N=N+1 )) ; do
+    # get user id
+    USERID=$(meat "$AUTH_USER_IDS" | head --line="$N" | tail -1)
+    USERID_HASH=$(echo "$USERID" | sha1sum | awk '{ print $1 }')
+
+    # get key id from user id
+    #KEYID=$(gpguser2key "$USERID")
+    KEYID="$USERID"
+
+    echo "Receiving keys for: $USERID ($KEYID)..."
+
+    # is primary key revoked && kill
+    # for all associated keys (primary and sub)
+    #  - type "A"
+    #  - not revoked
+    #  - signed by trusted user
+    #  output ssh key
+
+    # Receive keys into key ring
+    if gpg --recv-keys --keyserver "$KEYSERVER" "$KEYID" ; then
+       # convert pgp key to ssh key, and write to cache file
+       KEYFILE="$AUTH_KEYS_DIR"/keys/"$USERID_HASH"
+       gpgkey2ssh "$KEYID" | sed -e "s/COMMENT/$USERID/" > "$KEYFILE"
+    fi
+done
+
+echo "Writing authorized_keys file '$AUTH_KEYS_FILE'..."
+cat "$AUTH_KEYS_DIR"/keys/* > "$AUTH_KEYS_FILE" || > "$AUTH_KEYS_FILE"
+if [ -s ~"$USERNAME"/.ssh/authorized_keys ] ; then
+    cat ~"$USERNAME"/.ssh/authorized_keys >> "$AUTH_KEYS_FILE"
+fi