From: Jameson Graef Rollins Date: Sun, 22 Jun 2008 00:32:33 +0000 (-0400) Subject: Improved gen-key function for server. X-Git-Tag: monkeysphere_0.2-1~12^2 X-Git-Url: https://codewiz.org/gitweb?a=commitdiff_plain;h=d263f30d4fe03d1976ecd899ba2482cb870c2a4d;p=monkeysphere.git Improved gen-key function for server. Update TODO. --- diff --git a/doc/TODO b/doc/TODO index 71b9582..4f32bb0 100644 --- a/doc/TODO +++ b/doc/TODO @@ -113,3 +113,12 @@ File bug against seahorse about how, when creating new primary keys, key. File bug against enigmail about lack of ability to create subkeys. + +Priviledge separation: monkeysphere user to handle authn keyring and + generate authorized_keys file (which would be moved into place by + root). Host keyring would be owned by root. + +Check permissions of authorized_user_ids file to be writable only by + user and root (same as authorized_keys) + +Improve function that sets owner trust for keys in server keychain. diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 3073adc..2b5af5e 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -51,6 +51,25 @@ in place of `trust-keys'. Output a brief usage summary. `h' or `?' may be used in place of `help'. +.SH SETUP + +In order to start using the monkeysphere, there are a couple of things +you need to do first. The first is to generate an OpenPGP key for the +server and convert that key to an ssh key that can be used by ssh for +host authentication. To do this, run the "gen-key" subcommand. Once +that is done, publish the key to a keyserver with "publish-key" +subcommand. Finally, you need to modify the sshd_config to tell sshd +where the new server host key: + +HostKey /etc/monkeysphere/ssh_host_rsa_key + +If the server will also handle user authentication through +monkeysphere-generated authorized_keys files, set the following: + +AuthorizedKeysFile /var/cache/monkeysphere/authorized_keys/%u + +Once those changes are made, restart the ssh server. + .SH FILES .TP @@ -63,6 +82,9 @@ System-wide monkeysphere config file. /etc/monkeysphere/gnupg Monkeysphere GNUPG home directory. .TP +/etc/monkeysphere/ssh_host_rsa_key +Copy of the host's private key in ssh format, suitable for use by sshd. +.TP /etc/monkeysphere/authorized_user_ids/USER Server maintained authorized_user_ids files for users. .TP diff --git a/src/common b/src/common index c90fdd0..b220150 100644 --- a/src/common +++ b/src/common @@ -124,6 +124,17 @@ gpg2ssh() { gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null } +# output the ssh key for a given secret key ID +gpgsecret2ssh() { + local keyID + + #keyID="$1" #TMP + # only use last 16 characters until openpgp2ssh can take all 40 #TMP + keyID=$(echo "$1" | cut -c 25-) #TMP + + gpg --export-secret-key "$keyID" | openpgp2ssh "$keyID" 2> /dev/null +} + # output known_hosts line from ssh key ssh2known_hosts() { local host @@ -207,8 +218,8 @@ get_key_fingerprint() { keyID="$1" gpg --list-key --with-colons --fixed-list-mode \ - --with-fingerprint "$keyID" | grep "$keyID" | \ - grep '^fpr:' | cut -d: -f10 + --with-fingerprint --with-fingerprint "$keyID" | \ + grep '^fpr:' | grep "$keyID" | cut -d: -f10 } ######################################################################## @@ -523,8 +534,7 @@ process_authorized_keys() { trust_key() { # get the key from the key server if ! gpg --keyserver "$KEYSERVER" --recv-key "$keyID" ; then - log "could not retrieve key '$keyID'" - return 1 + failure "Could not retrieve key '$keyID'." fi # get key fingerprint @@ -538,9 +548,9 @@ trust_key() { # import "full" trust for fingerprint into gpg echo ${fingerprint}:5: | gpg --import-ownertrust if [ $? = 0 ] ; then - log "owner trust updated." + log "Owner trust updated." else - failure "there was a problem changing owner trust." + failure "There was a problem changing owner trust." fi } @@ -556,7 +566,6 @@ publish_server_key() { # dummy command so as not to publish fakes keys during testing # eventually: #gpg --keyserver "$KEYSERVER" --send-keys $(hostname -f) - echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development). + failure "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development). To publish manually, do: gpg --keyserver $KEYSERVER --send-keys $(hostname -f)" - return 1 } diff --git a/src/monkeysphere b/src/monkeysphere index e111d8e..9b315e2 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -77,7 +77,7 @@ gen_subkey(){ # set subkey defaults SUBKEY_TYPE=${SUBKEY_TYPE:-"RSA"} - #SUBKEY_LENGTH=${SUBKEY_LENGTH:-"2048"} + SUBKEY_LENGTH=${SUBKEY_LENGTH:-} SUBKEY_USAGE=${SUBKEY_USAGE:-"auth"} SUBKEY_EXPIRE=${SUBKEY_EXPIRE:-"0"} cat < /dev/null 2>&1 ; then + failure "Key for '$userID' already exists" + fi # set key defaults KEY_TYPE=${KEY_TYPE:-"RSA"} KEY_LENGTH=${KEY_LENGTH:-"2048"} KEY_USAGE=${KEY_USAGE:-"auth"} + KEY_EXPIRE=${KEY_EXPIRE:-"0"} cat <m = key expires in n months y = key expires in n years EOF - read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"} - - SERVICE=${SERVICE:-"ssh"} - USERID=${USERID:-"$SERVICE"://"$hostName"} + read -p "Key is valid for? ($KEY_EXPIRE) " KEY_EXPIRE; KEY_EXPIRE=${KEY_EXPIRE:-"0"} # set key parameters keyParameters=$(cat < /dev/null 2>&1 ; then - failure "key for '$USERID' already exists" - fi - # add commit command keyParameters="${keyParameters}"$(cat < "${MS_HOME}/ssh_host_rsa_key") + log "Private SSH host key output to file: ${MS_HOME}/ssh_host_rsa_key" } +# gpg output key fingerprint fingerprint_server_key() { - gpg --fingerprint --list-secret-keys =ssh://$(hostname --fqdn) + local ID + + if [ -z "$1" ] ; then + ID="$1" + else + ID="=ssh://$(hostname --fqdn)" + fi + + gpg --fingerprint --list-secret-keys "$ID" } ######################################################################## @@ -214,7 +233,7 @@ case $COMMAND in ;; 'show-fingerprint'|'f') - fingerprint_server_key + fingerprint_server_key "$@" ;; 'publish-key'|'p') diff --git a/src/seckey2sshagent b/src/seckey2sshagent index aff323f..1266db5 100755 --- a/src/seckey2sshagent +++ b/src/seckey2sshagent @@ -16,9 +16,9 @@ cleanup() { - echo -n "removing temp gpg home... " + echo -n "removing temp gpg home... " 1>&2 rm -rf $FOO - echo "done." + echo "done." 1>&2 } trap cleanup EXIT @@ -46,6 +46,7 @@ gpg --export-secret-key $GPGID | GNUPGHOME="$FOO" gpg --import GNUPGHOME="$FOO" gpg --edit-key $GPGID -ln -s /dev/stdin "$FOO"/monkeysphere-key +ln -s /dev/stdin "$FOO"/openpgp -GNUPGHOME="$FOO" gpg --export-secret-key $GPGID | openpgp2ssh $GPGID | ssh-add -c /dev/stdin +GNUPGHOME="$FOO" gpg --export-secret-key $GPGID | \ + openpgp2ssh $GPGID | ssh-add -c "$FOO"/openpgp