From: Jameson Graef Rollins Date: Sun, 25 May 2008 19:59:54 +0000 (-0400) Subject: expand howler to handle general gpg maintenence tasks for server X-Git-Tag: monkeysphere_0.1-1~17^2~7 X-Git-Url: https://codewiz.org/gitweb?a=commitdiff_plain;h=4eba4e7e66fc7febb1e7255a649f6b6ad240d653;p=monkeysphere.git expand howler to handle general gpg maintenence tasks for server - add "gen-key", "publish-key", and "trust-uids" functions small tweak to rhesus. update README and MonkeySpec --- diff --git a/doc/MonkeySpec b/doc/MonkeySpec index 45d6cf6..3b565db 100644 --- a/doc/MonkeySpec +++ b/doc/MonkeySpec @@ -38,7 +38,10 @@ common components server-side components ---------------------- -* "howler": service gpg key generator/publisher +* "howler": server gpg maintainer + - generates gpg keys for the server + - publishes server gpg keys + - used to specify userids to trust for user authentication * "tamarin": script to trigger rhesus during attempt to initiate connection from client diff --git a/doc/README b/doc/README index 9dc8753..9034519 100644 --- a/doc/README +++ b/doc/README @@ -1,19 +1,22 @@ Monkeysphere README -------------------- +=================== -Default file locations: +Default files locations (by variable): MS_HOME=~/.config/monkeysphere -STAGING_AREA=$MS_HOME +MS_CONF=$MS_HOME/monkeysphere.conf +AUTH_HOST_FILE=$MS_HOME/auth_host_ids +AUTH_USER_FILE=$MS_HOME/auth_user_ids GNUPGHOME=~/.gnupg -$MS_HOME/monkeysphere.conf -$MS_HOME/auth_host_ids -$MS_HOME/auth_user_ids +STAGING_AREA=$MS_HOME + $STAGING_AREA/host_keys/KEYHASH $STAGING_AREA/known_hosts $STAGING_AREA/user_keys/KEYHASH $STAGING_AREA/authorized_keys +user usage +---------- For a user to update their ms known_hosts file: $ rhesus --known_hosts @@ -22,6 +25,23 @@ For a user to update their ms authorized_keys file: $ rhesus --authorized_keys +server service publication +-------------------------- +To publish a server host key use the "howler" component: + +# howler gen-key +# howler publish-key + +This will generate the key for server with the service URI +(ssh://server.hostname). The server admin should now sign the server +key so that people in the admin's web of trust can authenticate the +server without manual host key checking: + +$ gpg --search ='ssh://server.hostname' +$ gpg --sign-key 'ssh://server.hostname' + +server authorized_keys maintenance +---------------------------------- A system can maintain ms authorized_keys files for it's users. Some different variables need to be defined to help manage this. The way this is done is by first defining a new MS_HOME: @@ -35,10 +55,24 @@ AUTH_USER_FILE="$MS_HOME"/auth_user_ids/"$USER" STAGING_AREA=/var/lib/monkeysphere/stage/$USER GNUPGHOME=$MS_HOME/gnupg -To update the ms authorized_keys file for user "foo", the system would +For each user account on the server, the userids of people authorized +to log into that account would be placed in the AUTH_USER_FILE for +that user. However, in order for users to become authenticated, the +server must determine that the user keys have "full" validity. This +means that the server must fully trust at least one person whose +signature on the connecting users key would validate the user. This +would generally be the server admin. If the server admin's userid is + +"Alice " + +then the server would run: + +# howler trust-uids "Alice " + +To update the ms authorized_keys file for user "bob", the system would then run the following: -# USER=foo MS_HOME=/etc/monkeysphere rhesus --authorized_keys +# USER=bob MS_HOME=/etc/monkeysphere rhesus --authorized_keys To update the ms authorized_keys file for all users on the the system: diff --git a/howler/howler b/howler/howler index 7e33471..d0bb13d 100755 --- a/howler/howler +++ b/howler/howler @@ -1,78 +1,128 @@ #!/bin/sh -# howler: server gpg key generator/publisher +# howler: monkeysphere server gpg generator/publisher/maintainer # # Written by # Jameson Rollins # # Copyright 2008, released under the GPL, version 3 or later -CMD=$(basename $0) +PGRM=$(basename $0) ######################################################################## # FUNCTIONS ######################################################################## +usage() { +cat <&2 exit ${2:-'1'} } -######################################################################## -# MAIN -######################################################################## - -MS_HOME=${MS_HOME:-/etc/monkeysphere} - -. "$MS_HOME"/monkeysphere.conf - -export GNUPGHOME - -KEY_TYPE=${KEY_TYPE:-RSA} -KEY_LENGTH=${KEY_LENGTH:-2048} -KEY_USAGE=${KEY_USAGE:-encrypt,auth} -SERVICE=${SERVICE:-ssh} -HOSTNAME=${HOSTNAME:-$(hostname -f)} +# generate server gpg key +gen_key() { + KEY_TYPE=${KEY_TYPE:-RSA} + KEY_LENGTH=${KEY_LENGTH:-2048} + KEY_USAGE=${KEY_USAGE:-encrypt,auth} + SERVICE=${SERVICE:-ssh} + HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} -USERID=${USERID:-"$SERVICE"://"$HOSTNAME"} + USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} -echo "key parameters:" -cat < /dev/null 2>&1 ; then - failure "key for '$USERID' already exists" -fi + if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then + failure "key for '$USERID' already exists" + fi -echo "generating server key..." -gpg --batch --gen-key < /dev/null | grep '^pub:' | cut -d: -f5) + keyID=$(gpg --list-key --with-colons ="$USERID" 2> /dev/null | grep '^pub:' | cut -d: -f5) -# dummy command so as not to publish fakes keys during testing -# eventually: -#gpg --send-keys --keyserver "$KEYSERVER" "$keyID" -echo "gpg --send-keys --keyserver $KEYSERVER $keyID" + # dummy command so as not to publish fakes keys during testing + # eventually: + #gpg --send-keys --keyserver "$KEYSERVER" "$keyID" + echo "gpg --send-keys --keyserver $KEYSERVER $keyID" +} -echo "done." +# FIXME: need to figure out how to automate this, in a batch mode +# or something. +trust_uids() { + for userID ; do + gpg --keyserver "$KEYSERVER" --search ="$userID" + gpg --edit-key "$userID" + done +} + +######################################################################## +# MAIN +######################################################################## + +# set ms home directory +MS_HOME=${MS_HOME:-/etc/monkeysphere} + +# load configuration file +MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere.conf} +[ -e "$MS_CONF" ] && . "$MS_CONF" + +GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} +export GNUPGHOME +KEYSERVER=${KEYSERVER:-subkeys.pgp.net} +export KEYSERVER + +COMMAND="$1" +[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." +shift 1 + +case $COMMAND in + 'gen-key') + gen_key + ;; + 'publish-key') + publish_key + ;; + 'trust-uids') + trust_uids "$@" + ;; + 'help') + usage + exit + ;; + *) + failure "Unknown command: '$COMMAND' +Type '$PGRM help' for usage." + ;; +esac diff --git a/rhesus/rhesus b/rhesus/rhesus index dec24a2..7a43fca 100755 --- a/rhesus/rhesus +++ b/rhesus/rhesus @@ -7,7 +7,7 @@ # # Copyright 2008, released under the GPL, version 3 or later -CMD=$(basename $0) +PGRM=$(basename $0) ######################################################################## # FUNCTIONS @@ -15,8 +15,8 @@ CMD=$(basename $0) usage() { cat <