Monkeysphere README
--------------------
+===================
-Default file locations:
+Default files locations (by variable):
MS_HOME=~/.config/monkeysphere
-STAGING_AREA=$MS_HOME
+MS_CONF=$MS_HOME/monkeysphere.conf
+AUTH_HOST_FILE=$MS_HOME/auth_host_ids
+AUTH_USER_FILE=$MS_HOME/auth_user_ids
GNUPGHOME=~/.gnupg
-$MS_HOME/monkeysphere.conf
-$MS_HOME/auth_host_ids
-$MS_HOME/auth_user_ids
+STAGING_AREA=$MS_HOME
+
$STAGING_AREA/host_keys/KEYHASH
$STAGING_AREA/known_hosts
$STAGING_AREA/user_keys/KEYHASH
$STAGING_AREA/authorized_keys
+user usage
+----------
For a user to update their ms known_hosts file:
$ rhesus --known_hosts
$ rhesus --authorized_keys
+server service publication
+--------------------------
+To publish a server host key use the "howler" component:
+
+# howler gen-key
+# howler publish-key
+
+This will generate the key for server with the service URI
+(ssh://server.hostname). The server admin should now sign the server
+key so that people in the admin's web of trust can authenticate the
+server without manual host key checking:
+
+$ gpg --search ='ssh://server.hostname'
+$ gpg --sign-key 'ssh://server.hostname'
+
+server authorized_keys maintenance
+----------------------------------
A system can maintain ms authorized_keys files for it's users. Some
different variables need to be defined to help manage this. The way
this is done is by first defining a new MS_HOME:
STAGING_AREA=/var/lib/monkeysphere/stage/$USER
GNUPGHOME=$MS_HOME/gnupg
-To update the ms authorized_keys file for user "foo", the system would
+For each user account on the server, the userids of people authorized
+to log into that account would be placed in the AUTH_USER_FILE for
+that user. However, in order for users to become authenticated, the
+server must determine that the user keys have "full" validity. This
+means that the server must fully trust at least one person whose
+signature on the connecting users key would validate the user. This
+would generally be the server admin. If the server admin's userid is
+
+"Alice <alice@foo.com>"
+
+then the server would run:
+
+# howler trust-uids "Alice <alice@foo.com>"
+
+To update the ms authorized_keys file for user "bob", the system would
then run the following:
-# USER=foo MS_HOME=/etc/monkeysphere rhesus --authorized_keys
+# USER=bob MS_HOME=/etc/monkeysphere rhesus --authorized_keys
To update the ms authorized_keys file for all users on the the system:
#!/bin/sh
-# howler: server gpg key generator/publisher
+# howler: monkeysphere server gpg generator/publisher/maintainer
#
# Written by
# Jameson Rollins <jrollins@fifthhorseman.net>
#
# Copyright 2008, released under the GPL, version 3 or later
-CMD=$(basename $0)
+PGRM=$(basename $0)
########################################################################
# FUNCTIONS
########################################################################
+usage() {
+cat <<EOF
+usage: $PGRM gen-key
+ $PGRM publish-key
+ $PGRM trust-uids USERID [USERID...]
+ $PGRM help
+EOF
+}
+
failure() {
echo "$1" >&2
exit ${2:-'1'}
}
-########################################################################
-# MAIN
-########################################################################
-
-MS_HOME=${MS_HOME:-/etc/monkeysphere}
-
-. "$MS_HOME"/monkeysphere.conf
-
-export GNUPGHOME
-
-KEY_TYPE=${KEY_TYPE:-RSA}
-KEY_LENGTH=${KEY_LENGTH:-2048}
-KEY_USAGE=${KEY_USAGE:-encrypt,auth}
-SERVICE=${SERVICE:-ssh}
-HOSTNAME=${HOSTNAME:-$(hostname -f)}
+# generate server gpg key
+gen_key() {
+ KEY_TYPE=${KEY_TYPE:-RSA}
+ KEY_LENGTH=${KEY_LENGTH:-2048}
+ KEY_USAGE=${KEY_USAGE:-encrypt,auth}
+ SERVICE=${SERVICE:-ssh}
+ HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)}
-USERID=${USERID:-"$SERVICE"://"$HOSTNAME"}
+ USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"}
-echo "key parameters:"
-cat <<EOF
+ echo "key parameters:"
+ cat <<EOF
Key-Type: $KEY_TYPE
Key-Length: $KEY_LENGTH
Key-Usage: $KEY_USAGE
Name-Real: $USERID
EOF
-read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
-if [ ${OK/y/Y} != 'Y' ] ; then
- failure "aborting."
-fi
+ read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
+ if [ ${OK/y/Y} != 'Y' ] ; then
+ failure "aborting."
+ fi
-if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
- failure "key for '$USERID' already exists"
-fi
+ if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
+ failure "key for '$USERID' already exists"
+ fi
-echo "generating server key..."
-gpg --batch --gen-key <<EOF
+ echo "generating server key..."
+ gpg --batch --gen-key <<EOF
Key-Type: $KEY_TYPE
Key-Length: $KEY_LENGTH
Key-Usage: $KEY_USAGE
Name-Real: $USERID
%commit
EOF
+}
-read -p "publish key to $KEY_SERVER? [Y|n]: " OK; OK=${OK:=Y}
-if [ ${OK/y/Y} != 'Y' ] ; then
- failure "aborting."
-fi
+publish_key() {
+ read -p "publish key to $KEYSERVER? [Y|n]: " OK; OK=${OK:=Y}
+ if [ ${OK/y/Y} != 'Y' ] ; then
+ failure "aborting."
+ fi
-echo "sending key to keyserver '$KEYSERVER'..."
-keyID=$(gpg --list-key --with-colons ="$USERID" 2> /dev/null | grep '^pub:' | cut -d: -f5)
+ keyID=$(gpg --list-key --with-colons ="$USERID" 2> /dev/null | grep '^pub:' | cut -d: -f5)
-# dummy command so as not to publish fakes keys during testing
-# eventually:
-#gpg --send-keys --keyserver "$KEYSERVER" "$keyID"
-echo "gpg --send-keys --keyserver $KEYSERVER $keyID"
+ # dummy command so as not to publish fakes keys during testing
+ # eventually:
+ #gpg --send-keys --keyserver "$KEYSERVER" "$keyID"
+ echo "gpg --send-keys --keyserver $KEYSERVER $keyID"
+}
-echo "done."
+# FIXME: need to figure out how to automate this, in a batch mode
+# or something.
+trust_uids() {
+ for userID ; do
+ gpg --keyserver "$KEYSERVER" --search ="$userID"
+ gpg --edit-key "$userID"
+ done
+}
+
+########################################################################
+# MAIN
+########################################################################
+
+# set ms home directory
+MS_HOME=${MS_HOME:-/etc/monkeysphere}
+
+# load configuration file
+MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere.conf}
+[ -e "$MS_CONF" ] && . "$MS_CONF"
+
+GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg}
+export GNUPGHOME
+KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
+export KEYSERVER
+
+COMMAND="$1"
+[ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
+shift 1
+
+case $COMMAND in
+ 'gen-key')
+ gen_key
+ ;;
+ 'publish-key')
+ publish_key
+ ;;
+ 'trust-uids')
+ trust_uids "$@"
+ ;;
+ 'help')
+ usage
+ exit
+ ;;
+ *)
+ failure "Unknown command: '$COMMAND'
+Type '$PGRM help' for usage."
+ ;;
+esac
#
# Copyright 2008, released under the GPL, version 3 or later
-CMD=$(basename $0)
+PGRM=$(basename $0)
########################################################################
# FUNCTIONS
usage() {
cat <<EOF
-usage: $CMD k|known_hosts [userid...]
- $CMD a|authorized_keys [userid...]
+usage: $PGRM k|known_hosts [userid...]
+ $PGRM a|authorized_keys [userid...]
Monkeysphere update of known_hosts or authorized_keys file.
If userids are specified, only specified userids will be processed
(userids must be included in the appropriate auth_*_ids file).
# set user home directory
HOME=$(getent passwd "$USER" | cut -d: -f6)
-# get ms home directory
+# set ms home directory
MS_HOME=${MS_HOME:-"$HOME"/.config/monkeysphere}
# load configuration file