Also, tweaked some of the output and man pages.
Package: monkeysphere
Architecture: any
-Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), ${shlibs:Depends}
+Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), moreutils, ${shlibs:Depends}
Recommends: netcat
Enhances: openssh-client, openssh-server
Description: use the OpenPGP web of trust to verify ssh connections
place of `update-known_hosts'.
.TP
.B update-userids [USERID]...
-Add/update a userid in the authorized_user_ids file. The user IDs
+Add/update a user ID to the authorized_user_ids file. The user IDs
specified should be exact matches to OpenPGP user IDs. For each
specified user ID, gpg will be queried for a key associated with that
user ID, querying a keyserver if none is found in the user's keychain.
If a key is found, it will be added to the user_keys cache (see KEY
CACHES) and the user ID will be added to the user's
-authorized_user_ids file (if it wasn't already present).
+authorized_user_ids file (if it wasn't already present). `u' may be
+used in place of `update-userids'.
+.TP
+.B remove-userids [USERID]...
+Remove a user ID from the authorized_user_ids file. The user IDs
+specified should be exact matches to OpenPGP user IDs. `r' may be
+used in place of `remove-userids'.
.TP
.B update-authorized_keys
Update the monkeysphere authorized_keys file. The monkeysphere
authorized_keys file will be regenerated from the valid keys in the
user_key cache, and the user's independently controlled
-authorized_keys file (usually ~/.ssh/authorized_keys).
+authorized_keys file (usually ~/.ssh/authorized_keys). `a' may be
+used in place of `update-authorized_keys'.
.TP
.B gen-ae-subkey KEYID
Generate an `ae` capable subkey. For the primary key with the
specified key ID, generate a subkey with "authentication" and
"encryption" capability that can be used for MonkeySphere
-transactions.
+transactions. `g' may be used in place of `gen-ae-subkey'.
.TP
.B help
Output a brief usage summary. `h' or `?' may be used in place of
Update the admin-controlled authorized_keys files for user. For each
user specified, update the user's authorized_keys file in
/var/cache/monkeysphere/USER. See `man monkeysphere' for more info.
+`k' may be used in place of `update-known_hosts'.
.TP
.B gen-key
-Generate a gpg key for the host.
+Generate a gpg key for the host. `g' may be used in place of
+`gen-key'.
.TP
.B publish-key
-Publish the host's gpg key to a keyserver.
+Publish the host's gpg key to a keyserver. `p' may be used in place
+of `publish-key'
.TP
.B trust-keys KEYID...
-Mark key specified with KEYID with full owner trust.
+Mark key specified with KEYID with full owner trust. `t' may be used
+in place of `trust-keys'.
.TP
.B update-user-userids USER USERID...
-Add/update a userid in the authorized_user_ids file for USER.
+Add/update a user ID to the authorized_user_ids file for USER. `u' may
+be used in place of `update-user-userids'.
+.TP
+.B remove-user-userids USER USERID...
+Remove a user ID from the authorized_user_ids file for USER. `r' may
+be used in place of `remove-user-userids'.
.TP
.B help
Output a brief usage summary. `h' or `?' may be used in place of
# hash userid for cache file name
userIDHash=$(echo "$userID" | sha1sum | awk '{ print $1 }')
+ # make sure the cache directory exists
+ mkdir -p "$cacheDir"
+
# touch/clear key cache file
# (will be left empty if there are noacceptable keys)
> "$cacheDir"/"$userIDHash"."$pubKeyID"
cacheDir="$2"
log "processing userid: '$userID'"
+
userIDKeyCache=$(process_user_id "$userID" "$cacheDir")
+
if [ -z "$userIDKeyCache" ] ; then
return 1
fi
if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
- echo "the following userid is not in the authorized_user_ids file:"
- echo " $userID"
- read -p "would you like to add it? [Y|n]: " OK; OK=${OK:=Y}
+ read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y}
if [ ${OK/y/Y} = 'Y' ] ; then
- log -n "adding userid to authorized_user_ids file... "
+ log -n "adding user ID to authorized_user_ids file... "
echo "$userID" >> "$AUTHORIZED_USER_IDS"
echo "done."
else
fi
}
+# remove a userid from the authorized_user_ids file
+remove_userid() {
+ local userID
+
+ userID="$1"
+
+ log "processing userid: '$userID'"
+
+ if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
+ log "user ID not currently authorized."
+ return 1
+ fi
+
+ log -n "removing user ID '$userID'... "
+ grep -v "$userID" "$AUTHORIZED_USER_IDS" | sponge "$AUTHORIZED_USER_IDS"
+ echo "done."
+}
+
# process a host for addition to a known_host file
process_host() {
local host
cat "$userAuthorizedKeys" >> "$msAuthorizedKeys"
echo "done."
fi
- log "monkeysphere authorized_keys file generated: $msAuthorizedKeys"
+ log "monkeysphere authorized_keys file generated:"
+ log "$msAuthorizedKeys"
}
# process an authorized_*_ids file
subcommands:
update-known_hosts (k) [HOST]... update known_hosts file
- update-userids (u) [USERID]... add/update userid
+ update-userids (u) [USERID]... add/update user IDs
+ remove-userids (r) [USERID]... remove user IDs
update-authorized_keys (a) update authorized_keys file
gen-ae-subkey (g) KEYID generate an 'ae' capable subkey
help (h,?) this help
fi
;;
- 'update-userids'|'u')
+ 'update-userids'|'update-userid'|'u')
if [ -z "$1" ] ; then
failure "you must specify at least one userid."
fi
for userID ; do
update_userid "$userID" "$userKeysCacheDir"
done
+ log "run the following to update your monkeysphere authorized_keys file:"
+ log "$PGRM update-authorized_keys"
+ ;;
+
+ 'remove-userids'|'remove-userid'|'r')
+ if [ -z "$1" ] ; then
+ failure "you must specify at least one userid."
+ fi
+ for userID ; do
+ remove_userid "$userID"
+ done
+ log "run the following to update your monkeysphere authorized_keys file:"
+ log "$PGRM update-authorized_keys"
;;
'update-authorized_keys'|'update-authorized-keys'|'a')
gen-key (g) generate gpg key for the server
publish-key (p) publish server key to keyserver
trust-keys (t) KEYID... mark keyids as trusted
- update-user-userids (u) USER UID... add/update userids for a user
+ update-user-userids (u) USER UID... add/update user IDs for a user
+ remove-user-userids (r) USER UID... remove user IDs for a user
help (h,?) this help
EOF
done
;;
- 'update-user-userids'|'u')
+ 'update-user-userids'|'update-user-userid'|'u')
uname="$1"
shift
if [ -z "$uname" ] ; then
for userID ; do
update_userid "$userID" "$cacheDir"
done
+
+ log "run the following to update user's authorized_keys file:"
+ log "$PGRM update-users $uname"
+ ;;
+
+ 'remove-user-userids'|'remove-user-userid'|'r')
+ uname="$1"
+ shift
+ if [ -z "$uname" ] ; then
+ failure "you must specify user."
+ fi
+ if [ -z "$1" ] ; then
+ failure "you must specify at least one userid."
+ fi
+
+ # set variables for the user
+ AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
+
+ # make sure user's authorized_user_ids file exists
+ touch "$AUTHORIZED_USER_IDS"
+
+ # process the user IDs
+ for userID ; do
+ remove_userid "$userID"
+ done
+
+ log "run the following to update user's authorized_keys file:"
+ log "$PGRM update-users $uname"
;;
'help'|'h'|'?')