src/monkeysphere-server

   1 #!/bin/bash
   2
   3 # monkeysphere-server: MonkeySphere server admin tool
   4 #
   5 # The monkeysphere scripts are written by:
   6 # Jameson Rollins <jrollins@fifthhorseman.net>
   7 #
   8 # They are Copyright 2008, and are all released under the GPL, version 3
   9 # or later.
  10
  11 ########################################################################
  12 PGRM=$(basename $0)
  13
  14 SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
  15 export SHAREDIR
  16 . "${SHAREDIR}/common"
  17
  18 # date in UTF format if needed
  19 DATE=$(date -u '+%FT%T')
  20
  21 # unset some environment variables that could screw things up
  22 GREP_OPTIONS=
  23
  24 # assuming other problems don't crop up, we'll return 0 as success
  25 ERR=0
  26
  27 ########################################################################
  28 # FUNCTIONS
  29 ########################################################################
  30
  31 usage() {
  32 cat <<EOF
  33 usage: $PGRM <subcommand> [args]
  34 MonkeySphere server admin tool.
  35
  36 subcommands:
  37   update-users (u) [USER]...            update users authorized_keys files
  38   gen-key (g) [HOSTNAME]                generate gpg key for the server
  39   show-fingerprint (f)                  show server's host key fingerprint
  40   publish-key (p)                       publish server's host key to keyserver
  41   trust-key (t) KEYID [LEVEL]           set owner trust for keyid
  42   help (h,?)                            this help
  43
  44 EOF
  45 }
  46
  47 # generate server gpg key
  48 gen_key() {
  49     local hostName
  50
  51     hostName=${1:-$(hostname --fqdn)}
  52     service=${SERVICE:-"ssh"}
  53     userID="${service}://${hostName}"
  54
  55     if gpg --list-key ="$userID" > /dev/null 2>&1 ; then
  56         failure "Key for '$userID' already exists"
  57     fi
  58
  59     # set key defaults
  60     KEY_TYPE=${KEY_TYPE:-"RSA"}
  61     KEY_LENGTH=${KEY_LENGTH:-"2048"}
  62     KEY_USAGE=${KEY_USAGE:-"auth"}
  63     KEY_EXPIRE=${KEY_EXPIRE:-"0"}
  64     cat <<EOF
  65 Please specify how long the key should be valid.
  66          0 = key does not expire
  67       <n>  = key expires in n days
  68       <n>w = key expires in n weeks
  69       <n>m = key expires in n months
  70       <n>y = key expires in n years
  71 EOF
  72     read -p "Key is valid for? ($KEY_EXPIRE) " KEY_EXPIRE; KEY_EXPIRE=${KEY_EXPIRE:-"0"}
  73
  74     # set key parameters
  75     keyParameters=$(cat <<EOF
  76 Key-Type: $KEY_TYPE
  77 Key-Length: $KEY_LENGTH
  78 Key-Usage: $KEY_USAGE
  79 Name-Real: $userID
  80 Expire-Date: $KEY_EXPIRE
  81 EOF
  82 )
  83
  84     # add the revoker field if requested
  85     # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key.  why?
  86     # FIXME: why is this marked "sensitive"?  how will this signature ever
  87     # be transmitted to the expected revoker?
  88     if [ "$REVOKER" ] ; then
  89         keyParameters="${keyParameters}"$(cat <<EOF
  90
  91 Revoker: 1:$REVOKER sensitive
  92 EOF
  93 )
  94     fi
  95
  96     echo "The following key parameters will be used:"
  97     echo "$keyParameters"
  98
  99     read -p "Generate key? [Y|n]: " OK; OK=${OK:=Y}
 100     if [ ${OK/y/Y} != 'Y' ] ; then
 101         failure "aborting."
 102     fi
 103
 104     # add commit command
 105     keyParameters="${keyParameters}"$(cat <<EOF
 106
 107 %commit
 108 %echo done
 109 EOF
 110 )
 111
 112     log "generating server key... "
 113     echo "$keyParameters" | gpg --batch --gen-key
 114
 115     # output the server fingerprint
 116     fingerprint_server_key "=${userID}"
 117
 118     # find the key fingerprint of the server primary key
 119     keyID=$(gpg --list-key --with-colons --with-fingerprint "=${userID}" | \
 120         grep '^fpr:' | head -1 | cut -d: -f10)
 121
 122     # write the key to the file
 123     # NOTE: assumes that the primary key is the proper key to use
 124     (umask 077 && gpgsecret2ssh "$keyID" > "${MS_HOME}/ssh_host_rsa_key")
 125     log "Private SSH host key output to file: ${MS_HOME}/ssh_host_rsa_key"
 126 }
 127
 128 # gpg output key fingerprint
 129 fingerprint_server_key() {
 130     local ID
 131
 132     if [ -z "$1" ] ; then
 133         ID="$1"
 134     else
 135         ID="=ssh://$(hostname --fqdn)"
 136     fi
 137
 138     gpg --fingerprint --list-secret-keys "$ID"
 139 }
 140
 141 ########################################################################
 142 # MAIN
 143 ########################################################################
 144
 145 COMMAND="$1"
 146 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
 147 shift
 148
 149 # set ms home directory
 150 MS_HOME=${MS_HOME:-"$ETC"}
 151
 152 # load configuration file
 153 MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
 154 [ -e "$MS_CONF" ] && . "$MS_CONF"
 155
 156 # set empty config variable with defaults
 157 GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
 158 KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
 159 CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
 160 REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
 161 AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"%h/.config/monkeysphere/authorized_user_ids"}
 162 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
 163
 164 export GNUPGHOME
 165
 166 # make sure the monkeysphere home directory exists
 167 mkdir -p "${MS_HOME}/authorized_user_ids"
 168 # make sure gpg home exists with proper permissions
 169 mkdir -p -m 0700 "$GNUPGHOME"
 170 # make sure the authorized_keys directory exists
 171 mkdir -p "${CACHE}/authorized_keys"
 172
 173 case $COMMAND in
 174     'update-users'|'update-user'|'u')
 175         if [ "$1" ] ; then
 176             # get users from command line
 177             unames="$@"
 178         else
 179             # or just look at all users if none specified
 180             unames=$(getent passwd | cut -d: -f1)
 181         fi
 182
 183         # loop over users
 184         for uname in $unames ; do
 185             MODE="authorized_keys"
 186
 187             # check all specified users exist
 188             if ! getent passwd "$uname" >/dev/null ; then
 189                 error "----- unknown user '$uname' -----"
 190                 continue
 191             fi
 192
 193             # set authorized_user_ids variable,
 194             # translate ssh-style path variables
 195             authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
 196
 197             # skip user if authorized_user_ids file does not exist
 198             if [ ! -f "$authorizedUserIDs" ] ; then
 199                 #FIXME: what about a user with no authorized_user_ids
 200                 # file, but with an authorized_keys file when
 201                 # USER_CONTROLLED_AUTHORIZED_KEYS is set?
 202                 continue
 203             fi
 204
 205             log "----- user: $uname -----"
 206
 207             # temporary authorized_keys file
 208             AUTHORIZED_KEYS=$(mktemp)
 209
 210             # skip if the user's authorized_user_ids file is empty
 211             if [ ! -s "$authorizedUserIDs" ] ; then
 212                 log "authorized_user_ids file '$authorizedUserIDs' is empty."
 213                 #FIXME: what about a user with an empty
 214                 # authorized_user_ids file, but with an
 215                 # authorized_keys file when
 216                 # USER_CONTROLLED_AUTHORIZED_KEYS is set?
 217                 continue
 218             fi
 219
 220             # process authorized_user_ids file
 221             log "processing authorized_user_ids file..."
 222             process_authorized_user_ids "$authorizedUserIDs"
 223
 224             # add user-controlled authorized_keys file path if specified
 225             if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
 226                 userAuthorizedKeys=$(translate_ssh_variables "$uname" "$USER_CONTROLLED_AUTHORIZED_KEYS")
 227                 if [ -f "$userAuthorizedKeys" ] ; then
 228                     log -n "adding user's authorized_keys file... "
 229                     cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
 230                     loge "done."
 231                 fi
 232             fi
 233
 234             # openssh appears to check the contents of the
 235             # authorized_keys file as the user in question, so the file
 236             # must be readable by that user at least.
 237             # FIXME: is there a better way to do this?
 238             chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
 239             chmod g+r "$AUTHORIZED_KEYS"
 240
 241             # move the temp authorized_keys file into place
 242             mv -f "$AUTHORIZED_KEYS" "${CACHE}/authorized_keys/${uname}"
 243
 244             log "authorized_keys file updated."
 245         done
 246         ;;
 247
 248     'gen-key'|'g')
 249         gen_key "$1"
 250         ;;
 251
 252     'show-fingerprint'|'f')
 253         fingerprint_server_key "$@"
 254         ;;
 255
 256     'publish-key'|'p')
 257         publish_server_key
 258         ;;
 259
 260     'trust-key'|'trust-key'|'t')
 261         trust_key "$@"
 262         ;;
 263
 264     'help'|'h'|'?')
 265         usage
 266         ;;
 267
 268     *)
 269         failure "Unknown command: '$COMMAND'
 270 Type '$PGRM help' for usage."
 271         ;;
 272 esac
 273
 274 exit "$ERR"