Merge commit 'jrollins/master'

[monkeysphere.git] / src / monkeysphere

#!/usr/bin/env bash

# monkeysphere: MonkeySphere client tool
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@fifthhorseman.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008, and are all released under the GPL, version 3
# or later.

########################################################################
PGRM=$(basename $0)

SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
export SYSSHAREDIR
. "${SYSSHAREDIR}/common" || exit 1

# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')

# unset some environment variables that could screw things up
unset GREP_OPTIONS

# default return code
RETURN=0

# set the file creation mask to be only owner rw
umask 077

########################################################################
# FUNCTIONS
########################################################################

usage() {
    cat <<EOF >&2
usage: $PGRM <subcommand> [options] [args]
Monkeysphere client tool.

subcommands:
 update-known_hosts (k) [HOST]...    update known_hosts file
 update-authorized_keys (a)          update authorized_keys file
 import-subkey (i)                   import existing ssh key as gpg subkey
   --keyfile (-f) FILE                 key file to import
   --expire (-e) EXPIRE                date to expire
 gen-subkey (g) [KEYID]              generate an authentication subkey
   --length (-l) BITS                  key length in bits (2048)
   --expire (-e) EXPIRE                date to expire
 ssh-proxycommand                    ssh proxycommand
 subkey-to-ssh-agent (s)             store authentication subkey in ssh-agent
 version (v)                         show version number
 help (h,?)                          this help

EOF
}

# import an existing ssh key as a gpg subkey
import_subkey() {
    local keyFile="~/.ssh/id_rsa"
    local keyExpire
    local keyID
    local gpgOut
    local userID

    # get options
    while true ; do
        case "$1" in
            -f|--keyfile)
                keyFile="$2"
                shift 2
                ;;
            -e|--expire)
                keyExpire="$2"
                shift 2
                ;;
            *)
                if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
                    failure "Unknown option '$1'.
Type '$PGRM help' for usage."
                fi
                break
                ;;
        esac
    done

    log verbose "importing ssh key..."
    fifoDir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
    (umask 077 && mkfifo "$fifoDir/pass")
    ssh2openpgp | gpg --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --import &

    passphrase_prompt  "Please enter your passphrase for $keyID: " "$fifoDir/pass"

    rm -rf "$fifoDir"
    wait
    log verbose "done."
}

# generate a subkey with the 'a' usage flags set
gen_subkey(){
    local keyLength
    local keyExpire
    local keyID
    local gpgOut
    local userID

    # get options
    while true ; do
        case "$1" in
            -l|--length)
                keyLength="$2"
                shift 2
                ;;
            -e|--expire)
                keyExpire="$2"
                shift 2
                ;;
            *)
                if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
                    failure "Unknown option '$1'.
Type '$PGRM help' for usage."
                fi
                break
                ;;
        esac
    done

    case "$#" in
        0)
            gpgSecOut=$(gpg --quiet --fixed-list-mode --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:')
            ;;
        1)
            gpgSecOut=$(gpg --quiet --fixed-list-mode --list-secret-keys --with-colons "$1" | egrep '^sec:') || failure
            ;;
        *)
            failure "You must specify only a single primary key ID."
            ;;
    esac

    # check that only a single secret key was found
    case $(echo "$gpgSecOut" | grep -c '^sec:') in
        0)
            failure "No secret keys found.  Create an OpenPGP key with the following command:
 gpg --gen-key"
            ;;
        1)
            keyID=$(echo "$gpgSecOut" | cut -d: -f5)
            ;;
        *)
            echo "Multiple primary secret keys found:"
            echo "$gpgSecOut" | cut -d: -f5
            failure "Please specify which primary key to use."
            ;;
    esac

    # check that a valid authentication key does not already exist
    IFS=$'\n'
    for line in $(gpg --quiet --fixed-list-mode --list-keys --with-colons "$keyID") ; do
        type=$(echo "$line" | cut -d: -f1)
        validity=$(echo "$line" | cut -d: -f2)
        usage=$(echo "$line" | cut -d: -f12)

        # look at keys only
        if [ "$type" != 'pub' -a "$type" != 'sub' ] ; then
            continue
        fi
        # check for authentication capability
        if ! check_capability "$usage" 'a' ; then
            continue
        fi
        # if authentication key is valid, prompt to continue
        if [ "$validity" = 'u' ] ; then
            echo "A valid authentication key already exists for primary key '$keyID'."
            read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:N}
            if [ "${OK/y/Y}" != 'Y' ] ; then
                failure "aborting."
            fi
            break
        fi
    done

    # set subkey defaults
    # prompt about key expiration if not specified
    keyExpire=$(get_gpg_expiration "$keyExpire")

    # generate the list of commands that will be passed to edit-key
    editCommands=$(cat <<EOF
addkey
7
S
E
A
Q
$keyLength
$keyExpire
save
EOF
)

    log verbose "generating subkey..."
    fifoDir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
    (umask 077 && mkfifo "$fifoDir/pass")
    echo "$editCommands" | gpg --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --edit-key "$keyID" &

    # FIXME: this needs to fail more gracefully if the passphrase is incorrect
    passphrase_prompt  "Please enter your passphrase for $keyID: " "$fifoDir/pass"

    rm -rf "$fifoDir"
    wait
    log verbose "done."
}

subkey_to_ssh_agent() {
    # try to add all authentication subkeys to the agent:

    local sshaddresponse
    local secretkeys
    local authsubkeys
    local workingdir
    local keysuccess
    local subkey
    local publine
    local kname

    if ! test_gnu_dummy_s2k_extension ; then
        failure "Your version of GnuTLS does not seem capable of using with gpg's exported subkeys.
You may want to consider patching or upgrading to GnuTLS 2.6 or later.

For more details, see:
 http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html"
    fi

    # if there's no agent running, don't bother:
    if [ -z "$SSH_AUTH_SOCK" ] || ! which ssh-add >/dev/null ; then
        failure "No ssh-agent available."
    fi

    # and if it looks like it's running, but we can't actually talk to
    # it, bail out:
    ssh-add -l >/dev/null
    sshaddresponse="$?"
    if [ "$sshaddresponse" = "2" ]; then
        failure "Could not connect to ssh-agent"
    fi
    
    # get list of secret keys (to work around https://bugs.g10code.com/gnupg/issue945):
    secretkeys=$(gpg --list-secret-keys --with-colons --fixed-list-mode --fingerprint | \
        grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }')

    if [ -z "$secretkeys" ]; then
        failure "You have no secret keys in your keyring!
You might want to run 'gpg --gen-key'."
    fi
    
    authsubkeys=$(gpg --list-secret-keys --with-colons --fixed-list-mode \
        --fingerprint --fingerprint $secretkeys | \
        cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \
        grep '^fpr::' | cut -f3 -d: | sort -u)

    if [ -z "$authsubkeys" ]; then
        failure "no authentication-capable subkeys available.
You might want to 'monkeysphere gen-subkey'"
    fi

    workingdir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
    umask 077
    mkfifo "$workingdir/passphrase"
    keysuccess=1

    # FIXME: we're currently allowing any other options to get passed
    # through to ssh-add.  should we limit it to known ones?  For
    # example: -d or -c and/or -t <lifetime> 

    for subkey in $authsubkeys; do 
        # choose a label by which this key will be known in the agent:
        # we are labelling the key by User ID instead of by
        # fingerprint, but filtering out all / characters to make sure
        # the filename is legit.

        primaryuid=$(gpg --with-colons --list-key "0x${subkey}!" | grep '^pub:' | cut -f10 -d: | tr -d /)

        #kname="[monkeysphere] $primaryuid"
        kname="$primaryuid"

        if [ "$1" = '-d' ]; then
            # we're removing the subkey:
            gpg --export "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname"
            (cd "$workingdir" && ssh-add -d "$kname")
        else
            # we're adding the subkey:
            mkfifo "$workingdir/$kname"
            gpg --quiet --passphrase-fd 3 3<"$workingdir/passphrase" \
                --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \
                --export-secret-subkeys "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname" &
            (cd "$workingdir" && DISPLAY=nosuchdisplay SSH_ASKPASS=/bin/false ssh-add "$@" "$kname" </dev/null )&

            passphrase_prompt "Enter passphrase for key $kname: " "$workingdir/passphrase"
            wait %2
        fi
        keysuccess="$?"

        rm -f "$workingdir/$kname"
    done

    rm -rf "$workingdir"

    # FIXME: sort out the return values: we're just returning the
    # success or failure of the final authentication subkey in this
    # case.  What if earlier ones failed?
    exit "$keysuccess"
}

########################################################################
# MAIN
########################################################################

# unset variables that should be defined only in config file
unset KEYSERVER
unset CHECK_KEYSERVER
unset KNOWN_HOSTS
unset HASH_KNOWN_HOSTS
unset AUTHORIZED_KEYS

# load global config
[ -r "${SYSCONFIGDIR}/monkeysphere.conf" ] && . "${SYSCONFIGDIR}/monkeysphere.conf"

# set monkeysphere home directory
MONKEYSPHERE_HOME=${MONKEYSPHERE_HOME:="${HOME}/.monkeysphere"}
mkdir -p -m 0700 "$MONKEYSPHERE_HOME"

# load local config
[ -e ${MONKEYSPHERE_CONFIG:="${MONKEYSPHERE_HOME}/monkeysphere.conf"} ] && . "$MONKEYSPHERE_CONFIG"

# set empty config variables with ones from the environment, or from
# config file, or with defaults
LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
GNUPGHOME=${MONKEYSPHERE_GNUPGHOME:=${GNUPGHOME:="${HOME}/.gnupg"}}
KEYSERVER=${MONKEYSPHERE_KEYSERVER:="$KEYSERVER"}
# if keyserver not specified in env or monkeysphere.conf,
# look in gpg.conf
if [ -z "$KEYSERVER" ] ; then
    if [ -f "${GNUPGHOME}/gpg.conf" ] ; then
        KEYSERVER=$(grep -e "^[[:space:]]*keyserver " "${GNUPGHOME}/gpg.conf" | tail -1 | awk '{ print $2 }')
    fi
fi
# if it's still not specified, use the default
KEYSERVER=${KEYSERVER:="subkeys.pgp.net"}
CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}}
KNOWN_HOSTS=${MONKEYSPHERE_KNOWN_HOSTS:=${KNOWN_HOSTS:="${HOME}/.ssh/known_hosts"}}
HASH_KNOWN_HOSTS=${MONKEYSPHERE_HASH_KNOWN_HOSTS:=${HASH_KNOWN_HOSTS:="true"}}
AUTHORIZED_KEYS=${MONKEYSPHERE_AUTHORIZED_KEYS:=${AUTHORIZED_KEYS:="${HOME}/.ssh/authorized_keys"}}

# other variables not in config file
AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:="${MONKEYSPHERE_HOME}/authorized_user_ids"}
REQUIRED_HOST_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_HOST_KEY_CAPABILITY:="a"}
REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}

# export GNUPGHOME and make sure gpg home exists with proper
# permissions
export GNUPGHOME
mkdir -p -m 0700 "$GNUPGHOME"
export LOG_LEVEL

# get subcommand
COMMAND="$1"
[ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
shift

case $COMMAND in
    'update-known_hosts'|'update-known-hosts'|'k')
        MODE='known_hosts'

        # touch the known_hosts file so that the file permission check
        # below won't fail upon not finding the file
        (umask 0022 && touch "$KNOWN_HOSTS")

        # check permissions on the known_hosts file path
        check_key_file_permissions "$USER" "$KNOWN_HOSTS" || failure

        # if hosts are specified on the command line, process just
        # those hosts
        if [ "$1" ] ; then
            update_known_hosts "$@"
            RETURN="$?"

        # otherwise, if no hosts are specified, process every host
        # in the user's known_hosts file
        else
            # exit if the known_hosts file does not exist
            if [ ! -e "$KNOWN_HOSTS" ] ; then
                log error "known_hosts file '$KNOWN_HOSTS' does not exist."
                exit
            fi

            process_known_hosts
            RETURN="$?"
        fi
        ;;

    'update-authorized_keys'|'update-authorized-keys'|'a')
        MODE='authorized_keys'

        # check permissions on the authorized_user_ids file path
        check_key_file_permissions "$USER" "$AUTHORIZED_USER_IDS" || failure

        # check permissions on the authorized_keys file path
        check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" || failure

        # exit if the authorized_user_ids file is empty
        if [ ! -e "$AUTHORIZED_USER_IDS" ] ; then
            log error "authorized_user_ids file '$AUTHORIZED_USER_IDS' does not exist."
            exit
        fi

        # process authorized_user_ids file
        process_authorized_user_ids "$AUTHORIZED_USER_IDS"
        RETURN="$?"
        ;;

    'import-subkey'|'i')
        import_key "$@"
        ;;

    'gen-subkey'|'g')
        gen_subkey "$@"
        ;;

    'ssh-proxycommand'|'p')
        ssh-proxycommand "$@"
        ;;

    'subkey-to-ssh-agent'|'s')
        subkey_to_ssh_agent "$@"
        ;;

    'version'|'v')
        echo "$VERSION"
        ;;

    '--help'|'help'|'-h'|'h'|'?')
        usage
        ;;

    *)
        failure "Unknown command: '$COMMAND'
Type '$PGRM help' for usage."
        ;;
esac

exit "$RETURN"