From 28942a1964321154261e5a046d6d5b00f30d60d7 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 30 Mar 2008 02:00:11 -0400 Subject: [PATCH] add start of a rhesus authorized_keys generator. start of a monkeysphere.conf file (in bash) --- monkeysphere.conf | 7 ++++ rhesus/README | 7 ++++ rhesus/rhesus | 88 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 102 insertions(+) create mode 100644 monkeysphere.conf create mode 100644 rhesus/README create mode 100755 rhesus/rhesus diff --git a/monkeysphere.conf b/monkeysphere.conf new file mode 100644 index 0000000..1e3abf9 --- /dev/null +++ b/monkeysphere.conf @@ -0,0 +1,7 @@ +# monkeysphere configuration file +# this is currently meant to be sourced by bash. +CONF_DIR=/etc/monkeysphere +AUTH_USER_IDS_DIR="$CONF_DIR"/auth_user_ids +KEYRING="$CONF_DIR"/keyring.gpg +KEYSERVER=subkeys.pgp.net +GNUPGHOME="$CONF_DIR"/gnupg diff --git a/rhesus/README b/rhesus/README new file mode 100644 index 0000000..226361c --- /dev/null +++ b/rhesus/README @@ -0,0 +1,7 @@ +rhesus is the monkeysphere authorized_keys generator. + +It's goal is to take a user's auth_user_ids file, which contains gpg +user ids (and possibly authorized_keys options), use gpg to fetch the +keys of the specified users, do a monkeysphere policy check on each +id, and generate authorized_keys lines for verified id. + diff --git a/rhesus/rhesus b/rhesus/rhesus new file mode 100755 index 0000000..7979e41 --- /dev/null +++ b/rhesus/rhesus @@ -0,0 +1,88 @@ +#!/bin/sh + +# rhesus: monkeysphere authorized_keys update script +# +# Written by +# Jameson Rollins +# +# Copyright 2008, released under the GPL, version 3 or later + +################################################## +# load conf file +#. /etc/monkeysphere/monkeysphere.conf +. ~/ms/monkeysphere.conf + +# user name of user to update +USERNAME="$1" + +#AUTH_KEYS_DIR_BASE=/var/lib/monkeysphere/authorized_keys/ +AUTH_KEYS_DIR_BASE=~/ms/authorized_keys + +AUTH_KEYS_DIR="$AUTH_KEYS_DIR_BASE"/"$USERNAME" +AUTH_KEYS_FILE="$AUTH_KEYS_DIR"/authorized_keys + +AUTH_USER_IDS="$AUTH_USER_IDS_DIR"/"$USERNAME" + +export GNUPGHOME +################################################## + +### FUNCTIONS + +failure() { + echo "$1" >&2 + exit ${2:-'1'} +} + +meat() { + grep -v -e "^[[:space:]]*#" -e '^$' "$1" +} + +cutline() { + head --line="$1" | tail -1 +} + +### MAIN + +# make sure the gnupg home exists with proper permissions +mkdir -p "$GNUPGHOME" +chmod 0700 "$GNUPGHOME" + +# find number of user ids in auth_user_ids file +NLINES=$(meat "$AUTH_USER_IDS" | wc -l) + +# clean out keys file and remake keys directory +rm -rf "$AUTH_KEYS_DIR"/keys +mkdir -p "$AUTH_KEYS_DIR"/keys + +# loop through all user ids, and generate ssh keys +for (( N=1; N<=$NLINES; N=N+1 )) ; do + # get user id + USERID=$(meat "$AUTH_USER_IDS" | head --line="$N" | tail -1) + USERID_HASH=$(echo "$USERID" | sha1sum | awk '{ print $1 }') + + # get key id from user id + #KEYID=$(gpguser2key "$USERID") + KEYID="$USERID" + + echo "Receiving keys for: $USERID ($KEYID)..." + + # is primary key revoked && kill + # for all associated keys (primary and sub) + # - type "A" + # - not revoked + # - signed by trusted user + # output ssh key + + # Receive keys into key ring + if gpg --recv-keys --keyserver "$KEYSERVER" "$KEYID" ; then + # convert pgp key to ssh key, and write to cache file + KEYFILE="$AUTH_KEYS_DIR"/keys/"$USERID_HASH" + gpgkey2ssh "$KEYID" | sed -e "s/COMMENT/$USERID/" > "$KEYFILE" + fi +done + +echo "Writing authorized_keys file '$AUTH_KEYS_FILE'..." +cat "$AUTH_KEYS_DIR"/keys/* > "$AUTH_KEYS_FILE" || > "$AUTH_KEYS_FILE" +if [ -s ~"$USERNAME"/.ssh/authorized_keys ] ; then + cat ~"$USERNAME"/.ssh/authorized_keys >> "$AUTH_KEYS_FILE" +fi -- 2.25.1