src/monkeysphere-server

   1 #!/bin/bash
   2
   3 # monkeysphere-server: MonkeySphere server admin tool
   4 #
   5 # The monkeysphere scripts are written by:
   6 # Jameson Rollins <jrollins@fifthhorseman.net>
   7 #
   8 # They are Copyright 2008, and are all released under the GPL, version 3
   9 # or later.
  10
  11 ########################################################################
  12 PGRM=$(basename $0)
  13
  14 SHARE=${SHARE:-"/usr/share/monkeysphere"}
  15 export SHARE
  16 . "${SHARE}/common"
  17
  18 VARLIB="/var/lib/monkeysphere"
  19 export VARLIB
  20
  21 # date in UTF format if needed
  22 DATE=$(date -u '+%FT%T')
  23
  24 # unset some environment variables that could screw things up
  25 GREP_OPTIONS=
  26
  27 # default return code
  28 ERR=0
  29
  30 ########################################################################
  31 # FUNCTIONS
  32 ########################################################################
  33
  34 usage() {
  35 cat <<EOF
  36 usage: $PGRM <subcommand> [args]
  37 MonkeySphere server admin tool.
  38
  39 subcommands:
  40   update-users (u) [USER]...            update users authorized_keys files
  41   gen-key (g) [HOSTNAME]                generate gpg key for the server
  42   show-fingerprint (f)                  show server's host key fingerprint
  43   publish-key (p)                       publish server's host key to keyserver
  44   trust-key (t) KEYID [LEVEL]           set owner trust for keyid
  45   help (h,?)                            this help
  46
  47 EOF
  48 }
  49
  50 # generate server gpg key
  51 gen_key() {
  52     local hostName
  53
  54     hostName=${1:-$(hostname --fqdn)}
  55
  56     SERVICE=${SERVICE:-"ssh"}
  57     userID="${SERVICE}://${hostName}"
  58
  59     if gpg --list-key ="$userID" > /dev/null 2>&1 ; then
  60         failure "Key for '$userID' already exists"
  61     fi
  62
  63     # set key defaults
  64     KEY_TYPE=${KEY_TYPE:-"RSA"}
  65     KEY_LENGTH=${KEY_LENGTH:-"2048"}
  66     KEY_USAGE=${KEY_USAGE:-"auth"}
  67     KEY_EXPIRE=${KEY_EXPIRE:-"0"}
  68     cat <<EOF
  69 Please specify how long the key should be valid.
  70          0 = key does not expire
  71       <n>  = key expires in n days
  72       <n>w = key expires in n weeks
  73       <n>m = key expires in n months
  74       <n>y = key expires in n years
  75 EOF
  76     read -p "Key is valid for? ($KEY_EXPIRE) " KEY_EXPIRE; KEY_EXPIRE=${KEY_EXPIRE:-"0"}
  77
  78     # set key parameters
  79     keyParameters=$(cat <<EOF
  80 Key-Type: $KEY_TYPE
  81 Key-Length: $KEY_LENGTH
  82 Key-Usage: $KEY_USAGE
  83 Name-Real: $userID
  84 Expire-Date: $KEY_EXPIRE
  85 EOF
  86 )
  87
  88     # add the revoker field if requested
  89     # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key.  why?
  90     # FIXME: why is this marked "sensitive"?  how will this signature ever
  91     # be transmitted to the expected revoker?
  92     if [ "$REVOKER" ] ; then
  93         keyParameters="${keyParameters}"$(cat <<EOF
  94
  95 Revoker: 1:$REVOKER sensitive
  96 EOF
  97 )
  98     fi
  99
 100     echo "The following key parameters will be used:"
 101     echo "$keyParameters"
 102
 103     read -p "Generate key? [Y|n]: " OK; OK=${OK:=Y}
 104     if [ ${OK/y/Y} != 'Y' ] ; then
 105         failure "aborting."
 106     fi
 107
 108     # add commit command
 109     keyParameters="${keyParameters}"$(cat <<EOF
 110
 111 %commit
 112 %echo done
 113 EOF
 114 )
 115
 116     log "generating server key... "
 117     echo "$keyParameters" | gpg --batch --gen-key
 118
 119     # output the server fingerprint
 120     fingerprint_server_key "=${userID}"
 121
 122     # find the key fingerprint of the server primary key
 123     keyID=$(gpg --list-key --with-colons --with-fingerprint "=${userID}" | \
 124         grep '^fpr:' | head -1 | cut -d: -f10)
 125
 126     # write the key to the file
 127     # NOTE: assumes that the primary key is the proper key to use
 128     (umask 077 && gpgsecret2ssh "$keyID" > "${VARLIB}/ssh_host_rsa_key")
 129     log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key"
 130 }
 131
 132 # gpg output key fingerprint
 133 fingerprint_server_key() {
 134     local ID
 135
 136     if [ -z "$1" ] ; then
 137         ID="$1"
 138     else
 139         ID="=ssh://$(hostname --fqdn)"
 140     fi
 141
 142     gpg --fingerprint --list-secret-keys "$ID"
 143 }
 144
 145 ########################################################################
 146 # MAIN
 147 ########################################################################
 148
 149 COMMAND="$1"
 150 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
 151 shift
 152
 153 # set ms home directory
 154 MS_HOME=${MS_HOME:-"$ETC"}
 155
 156 # load configuration file
 157 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
 158 [ -e "$MS_CONF" ] && . "$MS_CONF"
 159
 160 # set empty config variable with defaults
 161 MONKEYSPHERE_USER=${MONKEYSPHERE_USER:-"monkeysphere"}
 162 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
 163 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
 164 AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
 165 RAW_AUTHORIZED_KEYS=${RAW_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
 166
 167 # other variables
 168 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
 169 GNUPGHOME_HOST=${GNUPGHOME_HOST:-"${VARLIB}/gnupg-host"}
 170 GNUPGHOME_AUTHENTICATION=${GNUPGHOME_AUTHENTICATION:-"${VARLIB}/gnupg-authentication"}
 171
 172 # set default GNUPGHOME, and make sure the directory exists.  this is
 173 # true for all functions expect user authentication
 174 # (ie. update-users).
 175 GNUPGHOME="$GNUPGHOME_HOST"
 176 export GNUPGHOME
 177 mkdir -p -m 0700 "$GNUPGHOME"
 178
 179 case $COMMAND in
 180     'update-users'|'update-user'|'u')
 181         if [ "$1" ] ; then
 182             # get users from command line
 183             unames="$@"
 184         else
 185             # or just look at all users if none specified
 186             unames=$(getent passwd | cut -d: -f1)
 187         fi
 188
 189         # set mode
 190         MODE="authorized_keys"
 191
 192         # make sure the authorized_keys directory exists
 193         mkdir -p "${VARLIB}/authorized_keys"
 194
 195         # set GNUPGHOME, and make sure the directory exists
 196         GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
 197         export GNUPGHOME
 198         mkdir -p -m 0700 "$GNUPGHOME"
 199
 200         # loop over users
 201         for uname in $unames ; do
 202             # check all specified users exist
 203             if ! getent passwd "$uname" >/dev/null ; then
 204                 error "----- unknown user '$uname' -----"
 205                 continue
 206             fi
 207
 208             # set authorized_user_ids and raw authorized_keys variables,
 209             # translating ssh-style path variables
 210             authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
 211             rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
 212
 213             # if neither is found, skip user
 214             if [ ! -s "$authorizedUserIDs" -a ! -s "$rawAuthorizedKeys" ] ; then
 215                 continue
 216             fi
 217
 218             log "----- user: $uname -----"
 219
 220             # temporary authorized_keys file
 221             AUTHORIZED_KEYS=$(mktemp)
 222
 223             # trap to delete file on exit
 224             trap "rm -f $AUTHORIZE_KEYS" EXIT
 225
 226             # process authorized_user_ids file
 227             if [ -s "$authorizedUserIDs" ] ; then
 228                 log "processing authorized_user_ids file..."
 229                 process_authorized_user_ids "$authorizedUserIDs"
 230             fi
 231
 232             # add user-controlled authorized_keys file path if specified
 233             if [ "$RAW_AUTHORIZED_KEYS" != '-' ] ; then
 234                 if [ -s "$rawAuthorizedKeys" ] ; then
 235                     log -n "adding raw authorized_keys file... "
 236                     cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
 237                     loge "done."
 238                 fi
 239             fi
 240
 241             # if the resulting authorized_keys file is not empty, move
 242             # the temp authorized_keys file into place
 243             if [ -s "$AUTHORIZED_KEYS" ] ; then
 244                 # openssh appears to check the contents of the
 245                 # authorized_keys file as the user in question, so the
 246                 # file must be readable by that user at least.
 247                 # FIXME: is there a better way to do this?
 248                 chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
 249                 chmod g+r "$AUTHORIZED_KEYS"
 250
 251                 mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
 252
 253                 log "authorized_keys file updated."
 254
 255             # else destroy it
 256             else
 257                 rm -f "$AUTHORIZED_KEYS"
 258             fi
 259         done
 260         ;;
 261
 262     'gen-key'|'g')
 263         gen_key "$1"
 264         ;;
 265
 266     'show-fingerprint'|'f')
 267         fingerprint_server_key "$@"
 268         ;;
 269
 270     'publish-key'|'p')
 271         publish_server_key
 272         ;;
 273
 274     'trust-key'|'trust-key'|'t')
 275         trust_key "$@"
 276         ;;
 277
 278     'help'|'h'|'?')
 279         usage
 280         ;;
 281
 282     *)
 283         failure "Unknown command: '$COMMAND'
 284 Type '$PGRM help' for usage."
 285         ;;
 286 esac
 287
 288 exit "$ERR"