#!/usr/bin/env bash # monkeysphere-host: Monkeysphere host admin tool # # The monkeysphere scripts are written by: # Jameson Rollins # Jamie McClelland # Daniel Kahn Gillmor # Micah Anderson # # They are Copyright 2008-2009, and are all released under the GPL, # version 3 or later. ######################################################################## set -e # set the pipefail option so pipelines fail on first command failure set -o pipefail PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} export SYSSHAREDIR . "${SYSSHAREDIR}/common" || exit 1 SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} export SYSDATADIR # sharedir for host functions MHSHAREDIR="${SYSSHAREDIR}/mh" # datadir for host functions MHDATADIR="${SYSDATADIR}/host" # temp directory for temp gnupghome directories for add_revoker MHTMPDIR="${MHDATADIR}/tmp" export MHTMPDIR # host pub key files HOST_KEY_FILE="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" # UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up unset GREP_OPTIONS # default return code RETURN=0 ######################################################################## # FUNCTIONS ######################################################################## usage() { cat <&2 usage: $PGRM [options] [args] Monkeysphere host admin tool. subcommands: show-key (s) output all host key information set-expire (e) EXPIRE set host key expiration add-hostname (n+) NAME[:PORT] add hostname user ID to host key revoke-hostname (n-) NAME[:PORT] revoke hostname user ID add-revoker (o) FINGERPRINT add a revoker to the host key revoke-key (r) revoke host key publish-key (p) publish host key to keyserver import-key (i) [NAME[:PORT]] import existing ssh key to gpg version (v) show version number help (h,?) this help See ${PGRM}(8) for more info. EOF } # function to interact with the gpg keyring gpg_host() { GNUPGHOME="$GNUPGHOME_HOST" gpg "$@" } # command to list the info about the host key, in colon format gpg_host_list() { gpg_host --list-keys --with-colons --fixed-list-mode \ --with-fingerprint --with-fingerprint \ "0x${HOST_FINGERPRINT}!" } # command for edit key scripts, takes scripts on stdin # FIXME: should we supress all the edit script spew? or pipe it # through log debug? gpg_host_edit() { gpg_host --quiet --command-fd 0 --edit-key \ "0x${HOST_FINGERPRINT}!" "$@" } # export the host public key to the monkeysphere gpg pub key file update_gpg_pub_file() { log debug "updating openpgp public key file '$HOST_KEY_FILE'..." gpg_host --export --armor --export-options export-minimal \ "0x${HOST_FINGERPRINT}!" > "$HOST_KEY_FILE" } # load the host fingerprint into the fingerprint variable, using the # export gpg pub key file # FIXME: this seems much less than ideal, with all this temp keyring # stuff. is there a way we can do this without having to create temp # files? what if we stored the fingerprint in MHDATADIR/fingerprint? load_fingerprint() { if [ -f "$HOST_KEY_FILE" ] ; then HOST_FINGERPRINT=$( \ (FUBAR=$(mktemp -d) && export GNUPGHOME="$FUBAR" \ && gpg --quiet --import \ && gpg --quiet --list-keys --with-colons --with-fingerprint \ && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \ | grep '^fpr:' | cut -d: -f10 ) else HOST_FINGERPRINT= fi } # load the host fingerprint into the fingerprint variable, using the # gpg host secret key load_fingerprint_secret() { HOST_FINGERPRINT=$( \ gpg_host --quiet --list-secret-key \ --with-colons --with-fingerprint \ | grep '^fpr:' | cut -d: -f10 ) } # fail if host key present check_host_key() { [ ! -s "$HOST_KEY_FILE" ] \ || failure "An OpenPGP host key already exists." } # fail if host key not present check_host_no_key() { [ -s "$HOST_KEY_FILE" ] \ || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host import-key' first." } # output the index of a user ID on the host key # return 1 if user ID not found find_host_userid() { local userID="$1" local tmpuidMatch local line # match to only ultimately trusted user IDs tmpuidMatch="u:$(echo $userID | gpg_escape)" # find the index of the requsted user ID # NOTE: this is based on circumstantial evidence that the order of # this output is the appropriate index line=$(gpg_host_list | egrep '^(uid|uat):' | cut -f2,10 -d: | \ grep -n -x -F "$tmpuidMatch" 2>/dev/null) if [ "$line" ] ; then echo ${line%%:*} return 0 else return 1 fi } # show info about the host key show_key() { local GNUPGHOME # tmp gpghome dir export GNUPGHOME=$(mktemp -d) # trap to remove tmp dir if break trap "rm -rf $GNUPGHOME" EXIT gpg --quiet --import <"$HOST_KEY_FILE" HOST_FINGERPRINT=$(gpg --quiet --list-keys --with-colons --with-fingerprint \ | grep '^fpr:' | cut -d: -f10 ) # list the host key info # FIXME: make no-show-keyring work so we don't have to do the grep'ing # FIXME: can we show uid validity somehow? gpg --list-keys --fingerprint \ --list-options show-unusable-uids 2>/dev/null \ | grep -v "^${GNUPGHOME}/pubring.gpg$" \ | egrep -v '^-+$' # list the pgp fingerprint echo "OpenPGP fingerprint: $HOST_FINGERPRINT" # list the ssh fingerprint echo -n "ssh fingerprint: " ssh-keygen -l -f /dev/stdin \ <<<$(openpgp2ssh <"$HOST_KEY_FILE" 2>/dev/null) \ | awk '{ print $1, $2, $4 }' # remove the tmp file trap - EXIT rm -rf "$GNUPGHOME" } ######################################################################## # MAIN ######################################################################## # unset variables that should be defined only in config file unset KEYSERVER unset MONKEYSPHERE_USER # load configuration file [ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] && . "$MONKEYSPHERE_HOST_CONFIG" # set empty config variable with ones from the environment, or with # defaults LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}} KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}} AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}} RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}} # other variables CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} # export variables needed in su invocation export DATE export MODE export LOG_LEVEL export MONKEYSPHERE_USER export KEYSERVER export GNUPGHOME_HOST export GNUPGHOME export HOST_FINGERPRINT= # get subcommand COMMAND="$1" [ "$COMMAND" ] || failure "Type '$PGRM help' for usage." shift case $COMMAND in 'show-key'|'show'|'s') check_host_no_key show_key ;; 'set-expire'|'extend-key'|'e') check_host_no_key load_fingerprint source "${MHSHAREDIR}/set_expire" set_expire "$@" ;; 'add-hostname'|'add-name'|'n+') check_host_no_key load_fingerprint source "${MHSHAREDIR}/add_hostname" add_hostname "$@" ;; 'revoke-hostname'|'revoke-name'|'n-') check_host_no_key load_fingerprint source "${MHSHAREDIR}/revoke_hostname" revoke_hostname "$@" ;; 'add-revoker'|'o') check_host_no_key load_fingerprint source "${MHSHAREDIR}/add_revoker" add_revoker "$@" ;; 'revoke-key'|'r') check_host_no_key load_fingerprint source "${MHSHAREDIR}/revoke_key" revoke_key "$@" ;; 'publish-key'|'publish'|'p') check_host_no_key load_fingerprint source "${MHSHAREDIR}/publish_key" publish_key ;; 'import-key'|'i') check_host_key source "${MHSHAREDIR}/import_key" import_key "$@" ;; 'diagnostics'|'d') load_fingerprint source "${MHSHAREDIR}/diagnostics" diagnostics ;; 'version'|'v') echo "$VERSION" ;; '--help'|'help'|'-h'|'h'|'?') usage ;; *) failure "Unknown command: '$COMMAND' Type '$PGRM help' for usage." ;; esac exit "$RETURN"