src/monkeysphere-server

   1 #!/bin/bash
   2
   3 # monkeysphere-server: MonkeySphere server admin tool
   4 #
   5 # The monkeysphere scripts are written by:
   6 # Jameson Rollins <jrollins@fifthhorseman.net>
   7 #
   8 # They are Copyright 2008, and are all released under the GPL, version 3
   9 # or later.
  10
  11 ########################################################################
  12 PGRM=$(basename $0)
  13
  14 SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
  15 export SHAREDIR
  16 . "${SHAREDIR}/common"
  17
  18 # date in UTF format if needed
  19 DATE=$(date -u '+%FT%T')
  20
  21 # unset some environment variables that could screw things up
  22 GREP_OPTIONS=
  23
  24 ########################################################################
  25 # FUNCTIONS
  26 ########################################################################
  27
  28 usage() {
  29 cat <<EOF
  30 usage: $PGRM <subcommand> [args]
  31 MonkeySphere server admin tool.
  32
  33 subcommands:
  34   update-users (s) [USER]...            update users authorized_keys files
  35   gen-key (g) [HOSTNAME]                generate gpg key for the server
  36   show-fingerprint (f)                  show server's host key fingerprint
  37   publish-key (p)                       publish server key to keyserver
  38   trust-keys (t) KEYID...               mark keyids as trusted
  39   help (h,?)                            this help
  40
  41 EOF
  42 }
  43
  44 # generate server gpg key
  45 gen_key() {
  46     local hostName
  47
  48     hostName=${1:-$(hostname --fqdn)}
  49
  50     # set key defaults
  51     KEY_TYPE=${KEY_TYPE:-"RSA"}
  52     KEY_LENGTH=${KEY_LENGTH:-"2048"}
  53     KEY_USAGE=${KEY_USAGE:-"auth"}
  54     cat <<EOF
  55 Please specify how long the key should be valid.
  56          0 = key does not expire
  57       <n>  = key expires in n days
  58       <n>w = key expires in n weeks
  59       <n>m = key expires in n months
  60       <n>y = key expires in n years
  61 EOF
  62     read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"}
  63
  64     SERVICE=${SERVICE:-"ssh"}
  65     USERID=${USERID:-"$SERVICE"://"$hostName"}
  66
  67     # set key parameters
  68     keyParameters=$(cat <<EOF
  69 Key-Type: $KEY_TYPE
  70 Key-Length: $KEY_LENGTH
  71 Key-Usage: $KEY_USAGE
  72 Name-Real: $USERID
  73 Expire-Date: $EXPIRE
  74 EOF
  75 )
  76
  77     # add the revoker field if requested
  78 # FIXME: the 1: below assumes that $REVOKER's key is an RSA key.  why?
  79 # FIXME: why is this marked "sensitive"?  how will this signature ever
  80 # be transmitted to the expected revoker?
  81     if [ "$REVOKER" ] ; then
  82         keyParameters="${keyParameters}"$(cat <<EOF
  83
  84 Revoker: 1:$REVOKER sensitive
  85 EOF
  86 )
  87     fi
  88
  89     echo "The following key parameters will be used:"
  90     echo "$keyParameters"
  91
  92     read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
  93     if [ ${OK/y/Y} != 'Y' ] ; then
  94         failure "aborting."
  95     fi
  96
  97     if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
  98         failure "key for '$USERID' already exists"
  99     fi
 100
 101     # add commit command
 102     keyParameters="${keyParameters}"$(cat <<EOF
 103
 104 %commit
 105 %echo done
 106 EOF
 107 )
 108
 109     log -n "generating server key... "
 110     echo "$keyParameters" | gpg --batch --gen-key
 111     loge "done."
 112     fingerprint_server_key
 113 }
 114
 115 fingerprint_server_key() {
 116     gpg --fingerprint --list-secret-keys =ssh://$(hostname --fqdn)
 117 }
 118
 119 ########################################################################
 120 # MAIN
 121 ########################################################################
 122
 123 COMMAND="$1"
 124 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
 125 shift
 126
 127 # set ms home directory
 128 MS_HOME=${MS_HOME:-"$ETC"}
 129
 130 # load configuration file
 131 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
 132 [ -e "$MS_CONF" ] && . "$MS_CONF"
 133
 134 # set empty config variable with defaults
 135 GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
 136 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
 137 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
 138 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
 139 AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
 140 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
 141
 142 export GNUPGHOME
 143
 144 # make sure the monkeysphere home directory exists
 145 mkdir -p "${MS_HOME}/authorized_user_ids"
 146 # make sure gpg home exists with proper permissions
 147 mkdir -p -m 0700 "$GNUPGHOME"
 148 # make sure the authorized_keys directory exists
 149 mkdir -p "${CACHE}/authorized_keys"
 150
 151 case $COMMAND in
 152     'update-users'|'update-user'|'s')
 153         if [ "$1" ] ; then
 154             # get users from command line
 155             unames="$@"
 156         else
 157             # or just look at all users if none specified
 158             unames=$(getent passwd | cut -d: -f1)
 159         fi
 160
 161         # loop over users
 162         for uname in $unames ; do
 163             MODE="authorized_keys"
 164
 165             # check all specified users exist
 166             if ! getent passwd "$uname" >/dev/null ; then
 167                 error "----- unknown user '$uname' -----"
 168                 continue
 169             fi
 170
 171             # set authorized_user_ids variable,
 172             # translate ssh-style path variables
 173             authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
 174
 175             # skip user if authorized_user_ids file does not exist
 176             if [ ! -f "$authorizedUserIDs" ] ; then
 177                 continue
 178             fi
 179
 180             log "----- user: $uname -----"
 181
 182             # temporary authorized_keys file
 183             AUTHORIZED_KEYS=$(mktemp)
 184
 185             # skip if the user's authorized_user_ids file is empty
 186             if [ ! -s "$authorizedUserIDs" ] ; then
 187                 log "authorized_user_ids file '$authorizedUserIDs' is empty."
 188                 continue
 189             fi
 190
 191             # process authorized_user_ids file
 192             log "processing authorized_user_ids file..."
 193             process_authorized_user_ids "$authorizedUserIDs"
 194
 195             # add user-controlled authorized_keys file path if specified
 196             if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
 197                 userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
 198                 if [ -f "$userAuthorizedKeys" ] ; then
 199                     log -n "adding user's authorized_keys file... "
 200                     cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
 201                     loge "done."
 202                 fi
 203             fi
 204
 205             # move the temp authorized_keys file into place
 206             mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
 207
 208             log "authorized_keys file updated."
 209         done
 210         ;;
 211
 212     'gen-key'|'g')
 213         gen_key "$1"
 214         ;;
 215
 216     'show-fingerprint'|'f')
 217         fingerprint_server_key
 218         ;;
 219
 220     'publish-key'|'p')
 221         publish_server_key
 222         ;;
 223
 224     'trust-keys'|'trust-key'|'t')
 225         if [ -z "$1" ] ; then
 226             failure "You must specify at least one key to trust."
 227         fi
 228
 229         # process key IDs
 230         for keyID ; do
 231             trust_key "$keyID"
 232         done
 233         ;;
 234
 235     'help'|'h'|'?')
 236         usage
 237         ;;
 238
 239     *)
 240         failure "Unknown command: '$COMMAND'
 241 Type '$PGRM help' for usage."
 242         ;;
 243 esac
 244
 245 exit "$ERR"