src/monkeysphere-server

   1 #!/bin/bash
   2
   3 # monkeysphere-server: MonkeySphere server admin tool
   4 #
   5 # The monkeysphere scripts are written by:
   6 # Jameson Rollins <jrollins@fifthhorseman.net>
   7 #
   8 # They are Copyright 2008, and are all released under the GPL, version 3
   9 # or later.
  10
  11 ########################################################################
  12 PGRM=$(basename $0)
  13
  14 SHARE=${SHARE:-"/usr/share/monkeysphere"}
  15 export SHARE
  16 . "${SHARE}/common"
  17
  18 VARLIB="/var/lib/monkeysphere"
  19 export VARLIB
  20
  21 # date in UTF format if needed
  22 DATE=$(date -u '+%FT%T')
  23
  24 # unset some environment variables that could screw things up
  25 GREP_OPTIONS=
  26
  27 # default return code
  28 ERR=0
  29
  30 ########################################################################
  31 # FUNCTIONS
  32 ########################################################################
  33
  34 usage() {
  35 cat <<EOF
  36 usage: $PGRM <subcommand> [args]
  37 MonkeySphere server admin tool.
  38
  39 subcommands:
  40   update-users (u) [USER]...            update users authorized_keys files
  41   gen-key (g) [HOSTNAME]                generate gpg key for the server
  42   show-fingerprint (f)                  show server's host key fingerprint
  43   publish-key (p)                       publish server's host key to keyserver
  44   trust-key (t) KEYID [LEVEL]           set owner trust for keyid
  45   help (h,?)                            this help
  46
  47 EOF
  48 }
  49
  50 # generate server gpg key
  51 gen_key() {
  52     local hostName
  53
  54     hostName=${1:-$(hostname --fqdn)}
  55
  56     SERVICE=${SERVICE:-"ssh"}
  57     userID="${SERVICE}://${hostName}"
  58
  59     if gpg --list-key ="$userID" > /dev/null 2>&1 ; then
  60         failure "Key for '$userID' already exists"
  61     fi
  62
  63     # set key defaults
  64     KEY_TYPE=${KEY_TYPE:-"RSA"}
  65     KEY_LENGTH=${KEY_LENGTH:-"2048"}
  66     KEY_USAGE=${KEY_USAGE:-"auth"}
  67     KEY_EXPIRE=${KEY_EXPIRE:-"0"}
  68     cat <<EOF
  69 Please specify how long the key should be valid.
  70          0 = key does not expire
  71       <n>  = key expires in n days
  72       <n>w = key expires in n weeks
  73       <n>m = key expires in n months
  74       <n>y = key expires in n years
  75 EOF
  76     read -p "Key is valid for? ($KEY_EXPIRE) " KEY_EXPIRE; KEY_EXPIRE=${KEY_EXPIRE:-"0"}
  77
  78     # set key parameters
  79     keyParameters=$(cat <<EOF
  80 Key-Type: $KEY_TYPE
  81 Key-Length: $KEY_LENGTH
  82 Key-Usage: $KEY_USAGE
  83 Name-Real: $userID
  84 Expire-Date: $KEY_EXPIRE
  85 EOF
  86 )
  87
  88     # add the revoker field if requested
  89     # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key.  why?
  90     # FIXME: why is this marked "sensitive"?  how will this signature ever
  91     # be transmitted to the expected revoker?
  92     if [ "$REVOKER" ] ; then
  93         keyParameters="${keyParameters}"$(cat <<EOF
  94
  95 Revoker: 1:$REVOKER sensitive
  96 EOF
  97 )
  98     fi
  99
 100     echo "The following key parameters will be used:"
 101     echo "$keyParameters"
 102
 103     read -p "Generate key? [Y|n]: " OK; OK=${OK:=Y}
 104     if [ ${OK/y/Y} != 'Y' ] ; then
 105         failure "aborting."
 106     fi
 107
 108     # add commit command
 109     keyParameters="${keyParameters}"$(cat <<EOF
 110
 111 %commit
 112 %echo done
 113 EOF
 114 )
 115
 116     log "generating server key... "
 117     echo "$keyParameters" | gpg --batch --gen-key
 118
 119     # output the server fingerprint
 120     fingerprint_server_key "=${userID}"
 121
 122     # find the key fingerprint of the server primary key
 123     keyID=$(gpg --list-key --with-colons --with-fingerprint "=${userID}" | \
 124         grep '^fpr:' | head -1 | cut -d: -f10)
 125
 126     # write the key to the file
 127     # NOTE: assumes that the primary key is the proper key to use
 128     (umask 077 && gpgsecret2ssh "$keyID" > "${MS_HOME}/ssh_host_rsa_key")
 129     log "Private SSH host key output to file: ${MS_HOME}/ssh_host_rsa_key"
 130 }
 131
 132 # gpg output key fingerprint
 133 fingerprint_server_key() {
 134     local ID
 135
 136     if [ -z "$1" ] ; then
 137         ID="$1"
 138     else
 139         ID="=ssh://$(hostname --fqdn)"
 140     fi
 141
 142     gpg --fingerprint --list-secret-keys "$ID"
 143 }
 144
 145 ########################################################################
 146 # MAIN
 147 ########################################################################
 148
 149 COMMAND="$1"
 150 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
 151 shift
 152
 153 # set ms home directory
 154 MS_HOME=${MS_HOME:-"$ETC"}
 155
 156 # load configuration file
 157 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
 158 [ -e "$MS_CONF" ] && . "$MS_CONF"
 159
 160 # set empty config variable with defaults
 161 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
 162 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
 163 AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
 164 RAW_AUTHORIZED_KEYS=${RAW_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
 165
 166 # other variables
 167 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
 168 GNUPGHOME_HOST=${GNUPGHOME_HOST:-"${VARLIB}/gnupg-host"}
 169 GNUPGHOME_AUTHENTICATION=${GNUPGHOME_AUTHENTICATION:-"${VARLIB}/gnupg-authentication"}
 170
 171 # set default GNUPGHOME, and make sure the directory exists
 172 GNUPGHOME="$GNUPGHOME_HOST"
 173 export GNUPGHOME
 174 mkdir -p -m 0700 "$GNUPGHOME"
 175
 176 case $COMMAND in
 177     'update-users'|'update-user'|'u')
 178         if [ "$1" ] ; then
 179             # get users from command line
 180             unames="$@"
 181         else
 182             # or just look at all users if none specified
 183             unames=$(getent passwd | cut -d: -f1)
 184         fi
 185
 186         # set mode
 187         MODE="authorized_keys"
 188
 189         # make sure the authorized_keys directory exists
 190         mkdir -p "${VARLIB}/authorized_keys"
 191
 192         # set GNUPGHOME, and make sure the directory exists
 193         GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
 194         export GNUPGHOME
 195         mkdir -p -m 0700 "$GNUPGHOME"
 196
 197         # loop over users
 198         for uname in $unames ; do
 199             # check all specified users exist
 200             if ! getent passwd "$uname" >/dev/null ; then
 201                 error "----- unknown user '$uname' -----"
 202                 continue
 203             fi
 204
 205             # set authorized_user_ids and raw authorized_keys variables,
 206             # translating ssh-style path variables
 207             authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
 208             rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
 209
 210             # if neither is found, skip user
 211             if [ ! -s "$authorizedUserIDs" -a ! -s "$rawAuthorizedKeys" ] ; then
 212                 continue
 213             fi
 214
 215             log "----- user: $uname -----"
 216
 217             # temporary authorized_keys file
 218             AUTHORIZED_KEYS=$(mktemp)
 219
 220             # trap to delete file on exit
 221             trap "rm -f $AUTHORIZE_KEYS" EXIT
 222
 223             # process authorized_user_ids file
 224             if [ -s "$authorizedUserIDs" ] ; then
 225                 log "processing authorized_user_ids file..."
 226                 process_authorized_user_ids "$authorizedUserIDs"
 227             fi
 228
 229             # add user-controlled authorized_keys file path if specified
 230             if [ "$RAW_AUTHORIZED_KEYS" != '-' ] ; then
 231                 if [ -s "$rawAuthorizedKeys" ] ; then
 232                     log -n "adding raw authorized_keys file... "
 233                     cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
 234                     loge "done."
 235                 fi
 236             fi
 237
 238             # if the resulting authorized_keys file is not empty, move
 239             # the temp authorized_keys file into place
 240             if [ -s "$AUTHORIZED_KEYS" ] ; then
 241                 # openssh appears to check the contents of the
 242                 # authorized_keys file as the user in question, so the
 243                 # file must be readable by that user at least.
 244                 # FIXME: is there a better way to do this?
 245                 chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
 246                 chmod g+r "$AUTHORIZED_KEYS"
 247
 248                 mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
 249
 250                 log "authorized_keys file updated."
 251
 252             # else destroy it
 253             else
 254                 rm -f "$AUTHORIZED_KEYS"
 255             fi
 256         done
 257         ;;
 258
 259     'gen-key'|'g')
 260         gen_key "$1"
 261         ;;
 262
 263     'show-fingerprint'|'f')
 264         fingerprint_server_key "$@"
 265         ;;
 266
 267     'publish-key'|'p')
 268         publish_server_key
 269         ;;
 270
 271     'trust-key'|'trust-key'|'t')
 272         trust_key "$@"
 273         ;;
 274
 275     'help'|'h'|'?')
 276         usage
 277         ;;
 278
 279     *)
 280         failure "Unknown command: '$COMMAND'
 281 Type '$PGRM help' for usage."
 282         ;;
 283 esac
 284
 285 exit "$ERR"