# MAIN
########################################################################
-# unset variables that should be defined only in config file
+# unset variables that should be defined only in config file of in
+# MONKEYSPHERE_ variables
+unset LOG_LEVEL
unset KEYSERVER
unset AUTHORIZED_USER_IDS
unset RAW_AUTHORIZED_KEYS
unset MONKEYSPHERE_USER
+unset PROMPT
# load configuration file
[ -e ${MONKEYSPHERE_AUTHENTICATION_CONFIG:="${SYSCONFIGDIR}/monkeysphere-authentication.conf"} ] && . "$MONKEYSPHERE_AUTHENTICATION_CONFIG"
AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
+PROMPT=${MONKEYSPHERE_PROMPT:=${PROMPT:="true"}}
# other variables
CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
export DATE
export MODE
export LOG_LEVEL
-export MONKEYSPHERE_USER
export KEYSERVER
+export MONKEYSPHERE_USER
+export PROMPT
export CHECK_KEYSERVER
export REQUIRED_USER_KEY_CAPABILITY
export GNUPGHOME_CORE
# trap to remove tmp dir if break
trap "rm -rf $GNUPGHOME" EXIT
+ # import the host key into the tmp dir
gpg --quiet --import <"$HOST_KEY_FILE"
HOST_FINGERPRINT=$(gpg --quiet --list-keys --with-colons --with-fingerprint \
# MAIN
########################################################################
-# unset variables that should be defined only in config file
+# unset variables that should be defined only in config file of in
+# MONKEYSPHERE_ variables
+unset LOG_LEVEL
unset KEYSERVER
unset MONKEYSPHERE_USER
+unset PROMPT
# load configuration file
[ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] && . "$MONKEYSPHERE_HOST_CONFIG"
# defaults
LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
-AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
-RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
+PROMPT=${MONKEYSPHERE_PROMPT:=${PROMPT:="true"}}
# other variables
CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
export DATE
export MODE
export LOG_LEVEL
-export MONKEYSPHERE_USER
export KEYSERVER
+export MONKEYSPHERE_USER
+export PROMPT
+export CHECK_KEYSERVER
export GNUPGHOME_HOST
export GNUPGHOME
export HOST_FINGERPRINT=
local ltsignCommand
local trustval
-PROMPT=true
-
# get options
while true ; do
case "$1" in
depth="$2"
shift 2
;;
- -y)
- PROMPT=false
- shift 1
- ;;
*)
if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
failure "Unknown option '$1'.
log info "key found:"
gpg_sphere "--fingerprint 0x${fingerprint}!"
-if [ "$PROMPT" = true ] ; then
+if [ "$PROMPT" = "true" ] ; then
echo "Are you sure you want to add the above key as a"
read -p "certifier of users on this system? (y/N) " OK; OK=${OK:-N}
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "You must specify the key ID of a key to remove."
fi
-if gpg_sphere "--list-key --fingerprint 0x${keyID}!" ; then
+# FIXME: should we be doing a fancier list_certifier output here?
+gpg_core --list-key --fingerprint "0x${keyID}!" || failure
+
+if [ "$PROMPT" = "true" ] ; then
read -p "Really remove above listed identity certifier? (y/N) " OK; OK=${OK:-N}
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "Identity certifier not removed."
fi
else
- failure
+ log debug "certifier removed without prompting."
fi
# delete the requested key from the sphere keyring
find_host_userid > /dev/null && \
failure "Host userID '$userID' already exists."
-echo "The following user ID will be added to the host key:"
-echo " $userID"
-read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N}
-if [ ${OK/y/Y} != 'Y' ] ; then
- failure "User ID not added."
+if [ "$PROMPT" = "true" ] ; then
+ echo "The following user ID will be added to the host key:"
+ echo " $userID"
+ read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N}
+ if [ ${OK/y/Y} != 'Y' ] ; then
+ failure "User ID not added."
+ fi
+else
+ log debug "adding user ID without prompting."
fi
# edit-key script command to add user ID
log info "key found:"
gpg_host --fingerprint "0x${fingerprint}!"
-echo "Are you sure you want to add the above key as a"
-read -p "revoker of the host key? (y/N) " OK; OK=${OK:-N}
-if [ "${OK/y/Y}" != 'Y' ] ; then
- failure "Revoker not added."
+if [ "$PROMPT" = "true" ] ; then
+ echo "Are you sure you want to add the above key as a"
+ read -p "revoker of the host key? (y/N) " OK; OK=${OK:-N}
+ if [ "${OK/y/Y}" != 'Y' ] ; then
+ failure "revoker not added."
+ fi
+else
+ log debug "adding revoker without prompting."
fi
# edit-key script to add revoker
publish_key() {
-read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
-if [ ${OK/y/Y} != 'Y' ] ; then
- failure "key not published."
+local GNUPGHOME
+
+if [ "$PROMPT" = "true" ] ; then
+ read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
+ if [ ${OK/y/Y} != 'Y' ] ; then
+ failure "key not published."
+ fi
+else
+ log debug "publishing key without prompting."
fi
+# create a temporary gnupg directory from which to publish the key
+export GNUPGHOME=$(mktemp -d)
+
+# trap to remove tmp dir if break
+trap "rm -rf $GNUPGHOME" EXIT
+
+# import the host key into the tmp dir
+su_monkeysphere_user \
+ "gpg --quiet --import" <"$HOST_KEY_FILE"
+
# publish host key
-gpg_sphere "--keyserver $KEYSERVER --send-keys '0x${HOST_FINGERPRINT}!'"
+su_monkeysphere_user \
+ "gpg --keyserver $KEYSERVER --send-keys '0x${HOST_FINGERPRINT}!'"
+
+# remove the tmp file
+trap - EXIT
+rm -rf "$GNUPGHOME"
}
uidIndex=$(find_host_userid) || \
failure "No non-revoked user ID found matching '$userID'."
-echo "The following host key user ID will be revoked:"
-echo " $userID"
-read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N}
-if [ ${OK/y/Y} != 'Y' ] ; then
- failure "User ID not revoked."
+if [ "$PROMPT" = "true" ] ; then
+ echo "The following host key user ID will be revoked:"
+ echo " $userID"
+ read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N}
+ if [ ${OK/y/Y} != 'Y' ] ; then
+ failure "User ID not revoked."
+ fi
+else
+ log debug "revoking user ID without prompting."
fi
# edit-key script command to revoke user ID
# get the new expiration date
extendTo=$(get_gpg_expiration "$1")
+if [ "$PROMPT" = "true" ] ; then
+ read -p "Are you sure you want to change the expiration on the host key to '$extendTo'? (y/N) " OK; OK=${OK:-N}
+ if [ "${OK/y/Y}" != 'Y' ] ; then
+ failure "expiration not set."
+ fi
+else
+ log debug "extending without prompting."
+fi
+
log info "setting host key expiration to ${extendTo}:"
log debug "executing host expire script..."
echo "##################################################"
echo "### update server authorized_keys file for this testuser..."
monkeysphere-authentication update-users $(whoami)
-# FIXME: NOT FAILING PROPERLY FOR:
+# FIXME: this is maybe not failing properly for:
# ms: improper group or other writability on path '/tmp'.