1 #!/bin/bash
2
3 # monkeysphere-server: MonkeySphere server admin tool
4 #
5 # The monkeysphere scripts are written by:
6 # Jameson Rollins <jrollins@fifthhorseman.net>
7 #
8 # They are Copyright 2008, and are all released under the GPL, version 3
9 # or later.
10
11 ########################################################################
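# program name for usage/diagnostic messages; quoted so an unusual $0
# (spaces, glob characters) cannot be word-split
PGRM=$(basename "$0")

SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
export SHAREDIR
# common is expected to provide the helpers used below (failure, log,
# update_authorized_keys, publish_server_key, trust_key, update_userid,
# remove_userid) and the ETC/CACHE paths -- assumed from usage, not visible here
. "${SHAREDIR}/common"

# date in UTC, ISO 8601 style (YYYY-MM-DDTHH:MM:SS), if needed
DATE=$(date -u '+%FT%T')

# unset some environment variables that could screw things up
GREP_OPTIONS=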
23
24 ########################################################################
25 # FUNCTIONS
26 ########################################################################
27
#######################################
# Print the command summary to stdout.
# Globals:   PGRM (read) - program name shown on the first line
# Outputs:   usage text, terminated by a blank line
#######################################
usage() {
    printf 'usage: %s <subcommand> [args]\n' "$PGRM"
    # quoted delimiter: nothing below is expanded
    cat <<'EOF'
MonkeySphere server admin tool.

subcommands:
  update-users (s) [USER]...            update users authorized_keys files
  gen-key (g)                           generate gpg key for the server
  publish-key (p)                       publish server key to keyserver
  trust-keys (t) KEYID...               mark keyids as trusted
  update-user-userids (u) USER UID...   add/update user IDs for a user
  remove-user-userids (r) USER UID...   remove user IDs for a user
  help (h,?)                            this help

EOF
}
44
45 # generate server gpg key
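#######################################
# Generate the server's gpg key.
# Globals:   KEY_TYPE, KEY_LENGTH, KEY_USAGE, SERVICE, HOSTNAME_FQDN, USERID
#            (read, defaulted if empty); REVOKER (read, optional)
# Outputs:   the batch parameters that will be used, then gpg's output
# Returns:   exits via 'failure' if the user declines or a key for USERID
#            already exists
# Relies on 'failure' and 'log' from common.
#######################################
gen_key() {
    # set key defaults
    KEY_TYPE=${KEY_TYPE:-"RSA"}
    KEY_LENGTH=${KEY_LENGTH:-"2048"}
    KEY_USAGE=${KEY_USAGE:-"auth,encrypt"}
    SERVICE=${SERVICE:-"ssh"}
    HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)}

    USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"}

    # set key parameters (gpg batch "parameter file" format)
    keyParameters=$(cat <<EOF
Key-Type: $KEY_TYPE
Key-Length: $KEY_LENGTH
Key-Usage: $KEY_USAGE
Name-Real: $USERID
EOF
)

    # add the revoker field if requested; "sensitive" keeps the
    # revocation key designation out of exported copies of the key
    if [ "$REVOKER" ] ; then
        keyParameters="${keyParameters}"$(cat <<EOF

Revoker: 1:$REVOKER sensitive
EOF
)
    fi

    echo "The following key parameters will be used:"
    echo "$keyParameters"

    # -r: do not interpret backslashes in the answer
    read -r -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
    # quoted so an answer containing spaces cannot break the test
    if [ "${OK/y/Y}" != 'Y' ] ; then
        failure "aborting."
    fi

    # leading '=' asks gpg for an exact match on the user ID
    if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
        failure "key for '$USERID' already exists"
    fi

    # add commit command
    keyParameters="${keyParameters}"$(cat <<EOF

%commit
%echo done
EOF
)

    log "generating server key..."
    echo "$keyParameters" | gpg --batch --gen-key
}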
97
98 ########################################################################
99 # MAIN
100 ########################################################################
101
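COMMAND="$1"
[ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
shift

# set ms home directory (ETC comes from common)
MS_HOME=${MS_HOME:-"$ETC"}

# load configuration file. NOTE: the file is sourced as shell code, so it
# must only be writable by whoever is trusted to run this tool.
MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
[ -e "$MS_CONF" ] && . "$MS_CONF"

# set empty config variable with defaults
GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg}
KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys}

export GNUPGHOME

# make sure gpg home exists with proper permissions.
# 'mkdir -m' only applies to a directory it creates, so tighten an
# already-existing directory explicitly as well.
mkdir -p -m 0700 "$GNUPGHOME"
chmod 0700 "$GNUPGHOME"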
123
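case "$COMMAND" in
    'update-users'|'update-user'|'s')
        # users given on the command line, else every file in
        # authorized_user_ids (dotfiles excluded, as with the former 'ls')
        if [ "$1" ] ; then
            unames=("$@")
        else
            unames=()
            for f in "$MS_HOME"/authorized_user_ids/* ; do
                # an unmatched glob leaves the literal pattern behind
                [ -e "$f" ] || continue
                unames+=("${f##*/}")
            done
        fi

        for uname in "${unames[@]}" ; do
            MODE="authorized_keys"
            # never carry a previous user's path into this iteration
            userAuthorizedKeys=

            log "----- user: $uname -----"

            # set variables for the user
            AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
            msAuthorizedKeys="$CACHE"/"$uname"/authorized_keys
            cacheDir="$CACHE"/"$uname"/user_keys

            # make sure user's authorized_user_ids file exists
            touch "$AUTHORIZED_USER_IDS"

            # skip if the user's authorized_user_ids file is empty
            if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
                log "authorized_user_ids file for '$uname' is empty."
                continue
            fi

            # set user-controlled authorized_keys file path
            if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then
                userHome=$(getent passwd "$uname" | cut -d: -f6)
                # an unknown user yields an empty home, which would turn
                # '%h/.ssh/authorized_keys' into a path at the filesystem root
                if [ -z "$userHome" ] ; then
                    log "no home directory found for '$uname'; skipping."
                    continue
                fi
                userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
            fi

            # update authorized_keys
            update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$cacheDir"
        done

        log "----- done. -----"
        ;;

    'gen-key'|'g')
        gen_key
        ;;

    'publish-key'|'p')
        publish_server_key
        ;;

    'trust-keys'|'trust-key'|'t')
        if [ -z "$1" ] ; then
            failure "You must specify at least one key to trust."
        fi

        # process key IDs
        for keyID ; do
            trust_key "$keyID"
        done
        ;;

    'update-user-userids'|'update-user-userid'|'u')
        uname="$1"
        shift
        if [ -z "$uname" ] ; then
            failure "You must specify user."
        fi
        if [ -z "$1" ] ; then
            failure "You must specify at least one user ID."
        fi

        # set variables for the user
        AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
        cacheDir="$CACHE"/"$uname"/user_keys

        # make sure user's authorized_user_ids file exists
        touch "$AUTHORIZED_USER_IDS"

        # process the user IDs
        for userID ; do
            update_userid "$userID" "$cacheDir"
        done

        log "Run the following to update user's authorized_keys file:"
        log "$PGRM update-users $uname"
        ;;

    'remove-user-userids'|'remove-user-userid'|'r')
        uname="$1"
        shift
        if [ -z "$uname" ] ; then
            failure "You must specify user."
        fi
        if [ -z "$1" ] ; then
            failure "You must specify at least one user ID."
        fi

        # set variables for the user
        AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"

        # make sure user's authorized_user_ids file exists
        touch "$AUTHORIZED_USER_IDS"

        # process the user IDs
        for userID ; do
            remove_userid "$userID"
        done

        log "Run the following to update user's authorized_keys file:"
        log "$PGRM update-users $uname"
        ;;

    'help'|'h'|'?')
        usage
        ;;

    *)
        failure "Unknown command: '$COMMAND'
Type '$PGRM help' for usage."
        ;;
esac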