#!/usr/bin/env bash # monkeysphere-host: Monkeysphere host admin tool # # The monkeysphere scripts are written by: # Jameson Rollins # Jamie McClelland # Daniel Kahn Gillmor # Micah Anderson # # They are Copyright 2008-2009, and are all released under the GPL, # version 3 or later. ######################################################################## set -e # set the pipefail option so pipelines fail on first command failure set -o pipefail PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} export SYSSHAREDIR . "${SYSSHAREDIR}/defaultenv" . "${SYSSHAREDIR}/common" SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} export SYSDATADIR # sharedir for host functions MHSHAREDIR="${SYSSHAREDIR}/mh" # datadir for host functions MHDATADIR="${SYSDATADIR}/host" # host pub key files HOST_KEY_FILE="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" # UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up unset GREP_OPTIONS ######################################################################## # FUNCTIONS ######################################################################## usage() { cat <&2 usage: $PGRM [options] [args] Monkeysphere host admin tool. subcommands: import-key (i) FILE NAME[:PORT] import existing ssh key to gpg show-key (s) output all host key information publish-key (p) publish host key to keyserver set-expire (e) [EXPIRE] set host key expiration add-hostname (n+) NAME[:PORT] add hostname user ID to host key revoke-hostname (n-) NAME[:PORT] revoke hostname user ID add-revoker (r+) KEYID|FILE add a revoker to the host key revoke-key generate and/or publish revocation certificate for host key version (v) show version number help (h,?) this help See ${PGRM}(8) for more info. EOF } # function to interact with the gpg keyring gpg_host() { GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --no-tty "$@" } # command to list the info about the host key, in colon format, to # stdout gpg_host_list() { gpg_host --list-keys --with-colons --fixed-list-mode \ --with-fingerprint --with-fingerprint \ "0x${HOST_FINGERPRINT}!" } # command for edit key scripts, takes scripts on stdin gpg_host_edit() { gpg_host --command-fd 0 --edit-key "0x${HOST_FINGERPRINT}!" "$@" } # export the host public key to the monkeysphere gpg pub key file update_gpg_pub_file() { log debug "updating openpgp public key file '$HOST_KEY_FILE'..." gpg_host --export --armor --export-options export-minimal \ "0x${HOST_FINGERPRINT}!" > "$HOST_KEY_FILE" } # load the host fingerprint into the fingerprint variable, using the # export gpg pub key file # FIXME: this seems much less than ideal, with all this temp keyring # stuff. is there a way we can do this without having to create temp # files? what if we stored the fingerprint in MHDATADIR/fingerprint? load_fingerprint() { if [ -f "$HOST_KEY_FILE" ] ; then HOST_FINGERPRINT=$( \ (FUBAR=$(msmktempdir) && export GNUPGHOME="$FUBAR" \ && gpg --quiet --import \ && gpg --quiet --list-keys --with-colons --with-fingerprint \ && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \ | grep '^fpr:' | cut -d: -f10 ) else failure "host key gpg pub file not found." fi } # load the host fingerprint into the fingerprint variable, using the # gpg host secret key load_fingerprint_secret() { HOST_FINGERPRINT=$( \ gpg_host --list-secret-key --with-colons --with-fingerprint \ | grep '^fpr:' | cut -d: -f10 ) } # fail if host key present check_host_key() { [ ! -s "$HOST_KEY_FILE" ] \ || failure "An OpenPGP host key already exists." } # fail if host key not present check_host_no_key() { [ -s "$HOST_KEY_FILE" ] \ || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host import-key...' first." } # output the index of a user ID on the host key # return 1 if user ID not found find_host_userid() { local userID="$1" local tmpuidMatch local line # match to only "unknown" user IDs (host has no need for ultimate trust) tmpuidMatch="-:$(echo $userID | gpg_escape)" # find the index of the requsted user ID # NOTE: this is based on circumstantial evidence that the order of # this output is the appropriate index line=$(gpg_host_list | egrep '^uid:' | cut -f2,10 -d: | \ grep -n -x -F "$tmpuidMatch" 2>/dev/null) if [ "$line" ] ; then echo ${line%%:*} return 0 else return 1 fi } # show info about the host key show_key() { local GNUPGHOME local TMPSSH local revokers # tmp gpghome dir export GNUPGHOME=$(msmktempdir) # trap to remove tmp dir if break trap "rm -rf $GNUPGHOME" EXIT # import the host key into the tmp dir gpg --quiet --import <"$HOST_KEY_FILE" # create the ssh key TMPSSH="$GNUPGHOME"/ssh_host_key_rsa_pub gpg --export | openpgp2ssh 2>/dev/null >"$TMPSSH" # get the gpg fingerprint HOST_FINGERPRINT=$(gpg --quiet --list-keys --with-colons --with-fingerprint \ | grep '^fpr:' | cut -d: -f10 ) # list the host key info # FIXME: make no-show-keyring work so we don't have to do the grep'ing # FIXME: can we show uid validity somehow? gpg --list-keys --fingerprint \ --list-options show-unusable-uids 2>/dev/null \ | grep -v "^${GNUPGHOME}/pubring.gpg$" \ | egrep -v '^-+$' # list revokers, if there are any revokers=$(gpg --list-keys --with-colons --fixed-list-mode \ | awk -F: '/^rvk:/{ print $10 }' ) if [ "$revokers" ] ; then echo "The following keys are allowed to revoke this host key:" for key in $revokers ; do echo "revoker: $key" done echo fi # list the pgp fingerprint echo "OpenPGP fingerprint: $HOST_FINGERPRINT" # list the ssh fingerprint echo -n "ssh fingerprint: " ssh-keygen -l -f "$TMPSSH" | awk '{ print $1, $2, $4 }' # remove the tmp file trap - EXIT rm -rf "$GNUPGHOME" } ######################################################################## # MAIN ######################################################################## # load configuration file [ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] \ && . "$MONKEYSPHERE_HOST_CONFIG" # set empty config variable with ones from the environment, or with # defaults LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL} KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER} CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=$CHECK_KEYSERVER} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=$MONKEYSPHERE_USER} MONKEYSPHERE_GROUP=$(get_primary_group "$MONKEYSPHERE_USER") PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT} # other variables GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '} # export variables needed in su invocation export DATE export LOG_LEVEL export KEYSERVER export CHECK_KEYSERVER export MONKEYSPHERE_USER export MONKEYSPHERE_GROUP export PROMPT export GNUPGHOME_HOST export GNUPGHOME export HOST_FINGERPRINT export LOG_PREFIX # get subcommand COMMAND="$1" [ "$COMMAND" ] || failure "Type '$PGRM help' for usage." shift case $COMMAND in 'import-key'|'i') check_host_key source "${MHSHAREDIR}/import_key" import_key "$@" ;; 'show-key'|'show'|'s') check_host_no_key show_key ;; 'set-expire'|'extend-key'|'e') check_host_no_key load_fingerprint source "${MHSHAREDIR}/set_expire" set_expire "$@" ;; 'add-hostname'|'add-name'|'n+') check_host_no_key load_fingerprint source "${MHSHAREDIR}/add_hostname" add_hostname "$@" ;; 'revoke-hostname'|'revoke-name'|'n-') check_host_no_key load_fingerprint source "${MHSHAREDIR}/revoke_hostname" revoke_hostname "$@" ;; 'add-revoker'|'r+') check_host_no_key load_fingerprint source "${MHSHAREDIR}/add_revoker" add_revoker "$@" ;; 'revoke-key') check_host_no_key load_fingerprint source "${MHSHAREDIR}/revoke_key" revoke_key "$@" ;; 'publish-key'|'publish'|'p') check_host_no_key load_fingerprint source "${MHSHAREDIR}/publish_key" publish_key ;; 'diagnostics'|'d') check_host_no_key load_fingerprint source "${MHSHAREDIR}/diagnostics" diagnostics ;; 'update-gpg-pub-file') load_fingerprint_secret update_gpg_pub_file ;; 'version'|'v') version ;; '--help'|'help'|'-h'|'h'|'?') usage ;; *) failure "Unknown command: '$COMMAND' Type '$PGRM help' for usage." ;; esac