3 ########################################################################
6 SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
10 # date in UTF format if needed
11 DATE=$(date -u '+%FT%T')
13 # unset some environment variables that could screw things up
16 ########################################################################
18 ########################################################################
22 usage: $PGRM <subcommand> [args]
23 Monkeysphere server admin tool.
26 update-users (s) [USER]... update authorized_keys file
27 gen-key (g) generate gpg key for the host
28 publish-key (p) publish host gpg to keyserver
29 trust-key (t) KEYID [KEYID]... mark keyid as trusted
30 update-user-userid (u) USER UID [UID]... add/update userid for user
36 # generate server gpg key
38 KEY_TYPE=${KEY_TYPE:-RSA}
39 KEY_LENGTH=${KEY_LENGTH:-2048}
40 KEY_USAGE=${KEY_USAGE:-encrypt,auth}
41 SERVICE=${SERVICE:-ssh}
42 HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)}
44 USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"}
46 echo "key parameters:"
49 Key-Length: $KEY_LENGTH
54 read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
55 if [ ${OK/y/Y} != 'Y' ] ; then
59 if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
60 failure "key for '$USERID' already exists"
63 echo "generating server key..."
64 gpg --batch --gen-key <<EOF
66 Key-Length: $KEY_LENGTH
73 # publish server key to keyserver
75 read -p "publish key to $KEYSERVER? [Y|n]: " OK; OK=${OK:=Y}
76 if [ ${OK/y/Y} != 'Y' ] ; then
80 keyID=$(gpg --list-key --with-colons ="$USERID" 2> /dev/null | grep '^pub:' | cut -d: -f5)
82 # dummy command so as not to publish fakes keys during testing
84 #gpg --send-keys --keyserver "$KEYSERVER" "$keyID"
85 echo "gpg --send-keys --keyserver $KEYSERVER $keyID"
91 # get the key from the key server
92 gpg --keyserver "$KEYSERVER" --recv-key "$keyID" || failure "could not retrieve key '$keyID'"
94 # edit the key to change trust
95 # FIXME: need to figure out how to automate this,
96 # in a batch mode or something.
97 gpg --edit-key "$keyID"
101 ########################################################################
103 ########################################################################
106 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
109 # set ms home directory
110 MS_HOME=${MS_HOME:-"$ETC"}
112 # load configuration file
113 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
114 [ -e "$MS_CONF" ] && . "$MS_CONF"
116 # set empty config variable with defaults
117 GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg}
118 KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
119 REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"}
120 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys}
121 STAGING_AREA=${STAGING_AREA:-"$LIB"/stage}
125 # make sure gpg home exists with proper permissions
126 mkdir -p -m 0700 "$GNUPGHOME"
133 unames=$(ls -1 "$MS_HOME"/authorized_user_ids)
136 for uname in $unames ; do
137 MODE="authorized_keys"
138 authorizedUserIDs="$MS_HOME"/authorized_user_ids/"$uname"
139 cacheDir="$STAGING_AREA"/"$uname"/user_keys
140 msAuthorizedKeys="$STAGING_AREA"/"$uname"/authorized_keys
142 # make sure authorized_user_ids file exists
143 if [ ! -s "$authorizedUserIDs" ] ; then
144 log "authorized_user_ids file for '$uname' is empty or does not exist."
148 log "processing authorized_keys for user '$uname'..."
150 process_authorized_ids "$authorizedUserIDs" "$cacheDir"
152 # write output key file
153 log "writing monkeysphere authorized_keys file... "
154 touch "$msAuthorizedKeys"
155 if [ "$(ls "$cacheDir")" ] ; then
156 log -n "adding gpg keys... "
157 cat "$cacheDir"/* > "$msAuthorizedKeys"
160 log "no gpg keys to add."
162 if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then
163 userHome=$(getent passwd "$uname" | cut -d: -f6)
164 userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
165 if [ -s "$userAuthorizedKeys" ] ; then
166 log -n "adding user authorized_keys file... "
167 cat "$userAuthorizedKeys" >> "$msAuthorizedKeys"
171 log "monkeysphere authorized_keys file generated:"
172 log "$msAuthorizedKeys"
185 if [ -z "$1" ] ; then
186 failure "you must specify at least one key to trust."
191 'update-user-userid'|'u')
194 if [ -z "$uname" ] ; then
195 failure "you must specify user."
197 if [ -z "$1" ] ; then
198 failure "you must specify at least one userid."
201 AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
202 if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
203 log "userid '$userID' not in authorized_user_ids file."
206 log "processing user id: '$userID'"
207 process_user_id "$userID" "$userKeysCacheDir" > /dev/null
216 failure "Unknown command: '$COMMAND'
217 Type 'cereal-admin help' for usage."