.B gen-subkey KEYID
Generate an authentication subkey. For the primary key with the
specified key ID, generate a subkey with "authentication" capability
-that can be used for monkeysphere transactions. `g' may be used in
-place of `gen-subkey'.
+that can be used for monkeysphere transactions. An expiration length
+can be specified with the `-e' or `--expire' option (prompt
+otherwise). `g' may be used in place of `gen-subkey'.
.TP
.B help
Output a brief usage summary. `h' or `?' may be used in place of
`help'.
+.SH ENVIRONMENT
+
+The following environment variables will override those specified in
+the monkeysphere.conf configuration file (defaults in parentheses):
+.TP
+MONKEYSPHERE_GNUPGHOME, GNUPGHOME
+GnuPG home directory (~/.gnupg).
+.TP
+MONKEYSPHERE_KEYSERVER
+OpenPGP keyserver to use (subkeys.pgp.net).
+.TP
+MONKEYSPHERE_CHECK_KEYSERVER
+Whether or not to check keyserver when making gpg queries (`true').
+.TP
+MONKEYSPHERE_KNOWN_HOSTS
+Path to ssh known_hosts file (~/.ssh/known_hosts).
+.TP
+MONKEYSPHERE_HASH_KNOWN_HOSTS
+Whether or not to hash to the known_hosts file entries (`true').
+.TP
+MONKEYSPHERE_AUTHORIZED_KEYS
+Path to ssh authorized_keys file (~/.ssh/authorized_keys).
+
.SH FILES
.TP
.B gen-key [HOSTNAME]
Generate a OpenPGP key pair for the host. If HOSTNAME is not
specified, then the system fully-qualified domain name will be user.
-`g' may be used in place of `gen-key'.
+An alternate key bit length can be specified with the `-l' or
+`--length' option (default 2048). An expiration length can be
+specified with the `-e' or `--expire' option (prompt otherwise). A
+key revoker fingerprint can be specified with the `-r' or `--revoker'
+option. `g' may be used in place of `gen-key'.
.TP
.B show-fingerprint
Show the fingerprint for the host's OpenPGP key. `f' may be used in place of
.TP
.B add-identity-certifier KEYID
Instruct system to trust user identity certifications made by KEYID.
-`a' may be used in place of `add-identity-certifier'.
+A certifier domain can be specified with the `-n' or `--domain'
+option. A certifier trust level can be specified with the `-t' or
+`--trust' option (default is `full'). A certifier trust depth can be
+specified with the `-d' or `--depth' option (default is 1). `a' may
+be used in place of `add-identity-certifier'.
.TP
.B remove-identity-certifier KEYID
Instruct system to ignore user identity certifications made by KEYID.
system crontab, so that user keys are kept up-to-date, and key
revokations and expirations can be processed in a timely manor.
+.SH ENVIRONMENT
+
+The following environment variables will override those specified in
+the monkeysphere-server.conf configuration file (defaults in
+parentheses):
+.TP
+MONKEYSPHERE_KEYSERVER
+OpenPGP keyserver to use (subkeys.pgp.net).
+.TP
+MONKEYSPHERE_AUTHORIZED_USER_IDS
+Path to user authorized_user_ids file
+(%h/.config/monkeysphere/authorized_user_ids).
+.TP
+MONKEYSPHERE_RAW_AUTHORIZED_KEYS
+Path to user-controlled authorized_keys file. `-' means not to add
+user-controlled file (%h/.ssh/authorized_keys).
+.TP
+MONKEYSPHERE_MONKEYSPHERE_USER
+User to control authentication keychain (monkeypshere).
+
.SH FILES
.TP
########################################################################
### UTILITY FUNCTIONS
-error() {
- log "$1"
- ERR=${2:-'1'}
-}
-
+# failure function. exits with code 255, unless specified otherwise.
failure() {
echo "$1" >&2
- exit ${2:-'1'}
+ exit ${2:-'255'}
}
# write output to stderr
unset GREP_OPTIONS
# default return code
-ERR=0
+RETURN=0
########################################################################
# FUNCTIONS
usage() {
cat <<EOF
-usage: $PGRM <subcommand> [args]
+usage: $PGRM <subcommand> [options] [args]
MonkeySphere client tool.
subcommands:
# those hosts
if [ "$1" ] ; then
update_known_hosts "$@"
- ERR="$?"
+ RETURN="$?"
# otherwise, if no hosts are specified, process every host
# in the user's known_hosts file
fi
process_known_hosts
- ERR="$?"
+ RETURN="$?"
fi
;;
# process authorized_user_ids file
process_authorized_user_ids "$AUTHORIZED_USER_IDS"
- ERR="$?"
+ RETURN="$?"
;;
'gen-subkey'|'g')
;;
esac
-exit "$ERR"
+exit "$RETURN"
unset GREP_OPTIONS
# default return code
-ERR=0
+RETURN=0
########################################################################
# FUNCTIONS
usage() {
cat <<EOF
-usage: $PGRM <subcommand> [args]
+usage: $PGRM <subcommand> [options] [args]
MonkeySphere server admin tool.
subcommands:
for uname in $unames ; do
# check all specified users exist
if ! getent passwd "$uname" >/dev/null ; then
- error "----- unknown user '$uname' -----"
+ log "----- unknown user '$uname' -----"
continue
fi
# user
su_monkeysphere_user \
". ${SHARE}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
- ERR="$?"
+ RETURN="$?"
fi
# add user-controlled authorized_keys file path if specified
gpg_host --export-ownertrust | gpg_authentication "--import-ownertrust"
# get the key from the key server
- gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'"
+ gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'" || failure
# get the full fingerprint of a key ID
fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint $keyID" | \
grep '^fpr:' | grep "$keyID" | cut -d: -f10)
- if [ -z "$fingerprint" ] ; then
- failure "Could not find key \"${keyID}\"."
- fi
-
echo "key found:"
gpg_authentication "--fingerprint $fingerprint"
;;
esac
-exit "$ERR"
+exit "$RETURN"
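Review bot: Removing the `if [ -z "$fingerprint" ]` guard after the fingerprint lookup means a key that was fetched but whose `fpr:` line does not match `$keyID` now reaches `gpg_authentication "--fingerprint $fingerprint"` with an empty argument, and the `|| failure` added on the `--recv-key` line does not cover that case because it only fires when the fetch itself fails. That bare `failure` call also writes an empty line to stderr, since `failure` echoes `$1`, so it should be given a message naming the key and keyserver. The enclosing case arm begins outside the hunk. Separately, in the earlier hunk that swaps `error` for `log` on the unknown-user branch, the script no longer exits non-zero for that condition, because the removed `error` used to set the return code and `log` does not; if that is intentional, a comment such as `# unknown users are skipped, not treated as a failure` would make it explicit.
```shell
gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'" \
  || failure "Could not retrieve key \"${keyID}\" from keyserver ${KEYSERVER}."
# … unchanged: fingerprint lookup via --list-key --with-colons …
if [ -z "$fingerprint" ] ; then
  failure "Could not find key \"${keyID}\"."
fi
```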