3 # monkeysphere-server: MonkeySphere server admin tool
5 # The monkeysphere scripts are written by:
6 # Jameson Rollins <jrollins@fifthhorseman.net>
8 # They are Copyright 2008, and are all released under the GPL, version 3
11 ########################################################################
14 SHARE=${SHARE:-"/usr/share/monkeysphere"}
18 VARLIB="/var/lib/monkeysphere"
21 # date in UTF format if needed
22 DATE=$(date -u '+%FT%T')
24 # unset some environment variables that could screw things up
30 ########################################################################
32 ########################################################################
36 usage: $PGRM <subcommand> [args]
37 MonkeySphere server admin tool.
40 update-users (u) [USER]... update users authorized_keys files
41 gen-key (g) [HOSTNAME] generate gpg key for the server
42 show-fingerprint (f) show server's host key fingerprint
43 publish-key (p) publish server's host key to keyserver
44 trust-key (t) KEYID [LEVEL] set owner trust for keyid
50 # generate server gpg key
54 hostName=${1:-$(hostname --fqdn)}
56 SERVICE=${SERVICE:-"ssh"}
57 userID="${SERVICE}://${hostName}"
59 if gpg --list-key ="$userID" > /dev/null 2>&1 ; then
60 failure "Key for '$userID' already exists"
64 KEY_TYPE=${KEY_TYPE:-"RSA"}
65 KEY_LENGTH=${KEY_LENGTH:-"2048"}
66 KEY_USAGE=${KEY_USAGE:-"auth"}
67 KEY_EXPIRE=${KEY_EXPIRE:-"0"}
69 Please specify how long the key should be valid.
70 0 = key does not expire
71 <n> = key expires in n days
72 <n>w = key expires in n weeks
73 <n>m = key expires in n months
74 <n>y = key expires in n years
76 read -p "Key is valid for? ($KEY_EXPIRE) " KEY_EXPIRE; KEY_EXPIRE=${KEY_EXPIRE:-"0"}
79 keyParameters=$(cat <<EOF
81 Key-Length: $KEY_LENGTH
84 Expire-Date: $KEY_EXPIRE
88 # add the revoker field if requested
89 # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key. why?
90 # FIXME: why is this marked "sensitive"? how will this signature ever
91 # be transmitted to the expected revoker?
92 if [ "$REVOKER" ] ; then
93 keyParameters="${keyParameters}"$(cat <<EOF
95 Revoker: 1:$REVOKER sensitive
100 echo "The following key parameters will be used:"
101 echo "$keyParameters"
103 read -p "Generate key? [Y|n]: " OK; OK=${OK:=Y}
104 if [ ${OK/y/Y} != 'Y' ] ; then
109 keyParameters="${keyParameters}"$(cat <<EOF
116 log "generating server key... "
117 echo "$keyParameters" | gpg --batch --gen-key
119 # output the server fingerprint
120 fingerprint_server_key "=${userID}"
122 # find the key fingerprint of the server primary key
123 keyID=$(gpg --list-key --with-colons --with-fingerprint "=${userID}" | \
124 grep '^fpr:' | head -1 | cut -d: -f10)
126 # write the key to the file
127 # NOTE: assumes that the primary key is the proper key to use
128 (umask 077 && gpgsecret2ssh "$keyID" > "${MS_HOME}/ssh_host_rsa_key")
129 log "Private SSH host key output to file: ${MS_HOME}/ssh_host_rsa_key"
132 # gpg output key fingerprint
133 fingerprint_server_key() {
136 if [ -z "$1" ] ; then
139 ID="=ssh://$(hostname --fqdn)"
142 gpg --fingerprint --list-secret-keys "$ID"
145 ########################################################################
147 ########################################################################
150 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
153 # set ms home directory
154 MS_HOME=${MS_HOME:-"$ETC"}
156 # load configuration file
157 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
158 [ -e "$MS_CONF" ] && . "$MS_CONF"
160 # set empty config variable with defaults
161 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
162 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
163 AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
164 RAW_AUTHORIZED_KEYS=${RAW_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
167 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
168 GNUPGHOME_HOST=${GNUPGHOME_HOST:-"${VARLIB}/gnupg-host"}
169 GNUPGHOME_AUTHENTICATION=${GNUPGHOME_AUTHENTICATION:-"${VARLIB}/gnupg-authentication"}
171 # set default GNUPGHOME, and make sure the directory exists
172 GNUPGHOME="$GNUPGHOME_HOST"
174 mkdir -p -m 0700 "$GNUPGHOME"
177 'update-users'|'update-user'|'u')
179 # get users from command line
182 # or just look at all users if none specified
183 unames=$(getent passwd | cut -d: -f1)
187 MODE="authorized_keys"
189 # make sure the authorized_keys directory exists
190 mkdir -p "${VARLIB}/authorized_keys"
192 # set GNUPGHOME, and make sure the directory exists
193 GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
195 mkdir -p -m 0700 "$GNUPGHOME"
198 for uname in $unames ; do
199 # check all specified users exist
200 if ! getent passwd "$uname" >/dev/null ; then
201 error "----- unknown user '$uname' -----"
205 # set authorized_user_ids and raw authorized_keys variables,
206 # translating ssh-style path variables
207 authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
208 rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
210 # if neither is found, skip user
211 if [ ! -s "$authorizedUserIDs" -a ! -s "$rawAuthorizedKeys" ] ; then
215 log "----- user: $uname -----"
217 # temporary authorized_keys file
218 AUTHORIZED_KEYS=$(mktemp)
220 # trap to delete file on exit
221 trap "rm -f $AUTHORIZE_KEYS" EXIT
223 # process authorized_user_ids file
224 if [ -s "$authorizedUserIDs" ] ; then
225 log "processing authorized_user_ids file..."
226 process_authorized_user_ids "$authorizedUserIDs"
229 # add user-controlled authorized_keys file path if specified
230 if [ "$RAW_AUTHORIZED_KEYS" != '-' ] ; then
231 if [ -s "$rawAuthorizedKeys" ] ; then
232 log -n "adding raw authorized_keys file... "
233 cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
238 # if the resulting authorized_keys file is not empty, move
239 # the temp authorized_keys file into place
240 if [ -s "$AUTHORIZED_KEYS" ] ; then
241 # openssh appears to check the contents of the
242 # authorized_keys file as the user in question, so the
243 # file must be readable by that user at least.
244 # FIXME: is there a better way to do this?
245 chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
246 chmod g+r "$AUTHORIZED_KEYS"
248 mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
250 log "authorized_keys file updated."
254 rm -f "$AUTHORIZED_KEYS"
263 'show-fingerprint'|'f')
264 fingerprint_server_key "$@"
271 'trust-key'|'trust-key'|'t')
280 failure "Unknown command: '$COMMAND'
281 Type '$PGRM help' for usage."