########################################################################
set -e
+# set the pipefail option so pipelines fail on first command failure
+set -o pipefail
+
PGRM=$(basename $0)
SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
# datadir for host functions
MHDATADIR="${SYSDATADIR}/host"
+# host pub key files
+HOST_KEY_FILE="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+
# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
Monkeysphere host admin tool.
subcommands:
+ import-key (i) FILE NAME[:PORT] import existing ssh key to gpg
show-key (s) output all host key information
- set-expire (e) EXPIRE set host key expiration
+ publish-key (p) publish host key to keyserver
+ set-expire (e) [EXPIRE] set host key expiration
add-hostname (n+) NAME[:PORT] add hostname user ID to host key
revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
- add-revoker (o) FINGERPRINT add a revoker to the host key
- revoke-key (r) revoke host key
- publish-key (p) publish host key to keyserver
-
- expert <expert-subcommand> run expert command
- expert help expert command help
+ add-revoker (r+) [KEYID|FILE] add a revoker to the host key
+ revoke-key generate and/or publish revocation
+ certificate for host key
version (v) show version number
help (h,?) this help
+See ${PGRM}(8) for more info.
EOF
}
-# function to run command as monkeysphere user
-su_monkeysphere_user() {
- # if the current user is the monkeysphere user, then just eval
- # command
- if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then
- eval "$@"
-
- # otherwise su command as monkeysphere user
- else
- su "$MONKEYSPHERE_USER" -c "$@"
- fi
-}
-
# function to interact with the gpg keyring
gpg_host() {
- GNUPGHOME="$GNUPGHOME_HOST" gpg "$@"
+ GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --no-tty "$@"
}
-# command to list the info about the host key, in colon format
+# command to list the info about the host key, in colon format, to
+# stdout
gpg_host_list() {
gpg_host --list-keys --with-colons --fixed-list-mode \
--with-fingerprint --with-fingerprint \
# command for edit key scripts, takes scripts on stdin
gpg_host_edit() {
- gpg_host --quiet --command-fd 0 --edit-key \
- "0x${HOST_FINGERPRINT}!" "$@"
+ gpg_host --command-fd 0 --edit-key "0x${HOST_FINGERPRINT}!" "$@"
}
-# export the host key to stdout
-gpg_host_export() {
+# export the host public key to the monkeysphere gpg pub key file
+update_gpg_pub_file() {
+ log debug "updating openpgp public key file '$HOST_KEY_FILE'..."
gpg_host --export --armor --export-options export-minimal \
- "0x${HOST_FINGERPRINT}!"
+ "0x${HOST_FINGERPRINT}!" > "$HOST_KEY_FILE"
}
-# export the host key to the monkeysphere host file key
-gpg_host_export_to_ssh_file() {
- log debug "exporting openpgp public key..."
- gpg_host_export > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
- log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg"
+# load the host fingerprint into the fingerprint variable, using the
+# export gpg pub key file
+# FIXME: this seems much less than ideal, with all this temp keyring
+# stuff. is there a way we can do this without having to create temp
+# files? what if we stored the fingerprint in MHDATADIR/fingerprint?
+load_fingerprint() {
+ if [ -f "$HOST_KEY_FILE" ] ; then
+ HOST_FINGERPRINT=$( \
+ (FUBAR=$(mktemp -d) && export GNUPGHOME="$FUBAR" \
+ && gpg --quiet --import \
+ && gpg --quiet --list-keys --with-colons --with-fingerprint \
+ && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \
+ | grep '^fpr:' | cut -d: -f10 )
+ else
+ failure "host key gpg pub file not found."
+ fi
}
-# output just key fingerprint
-fingerprint_host_key() {
- # set the pipefail option so functions fails if can't read sec key
- set -o pipefail
+# load the host fingerprint into the fingerprint variable, using the
+# gpg host secret key
+load_fingerprint_secret() {
+ HOST_FINGERPRINT=$( \
+ gpg_host --list-secret-key --with-colons --with-fingerprint \
+ | grep '^fpr:' | cut -d: -f10 )
+}
- gpg_host --list-secret-keys --fingerprint \
- --with-colons --fixed-list-mode 2> /dev/null | \
- grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null
+# fail if host key present
+check_host_key() {
+ [ ! -s "$HOST_KEY_FILE" ] \
+ || failure "An OpenPGP host key already exists."
+}
+
+# fail if host key not present
+check_host_no_key() {
+ [ -s "$HOST_KEY_FILE" ] \
+ || failure "You don't appear to have a Monkeysphere host key on this server.
+Please run 'monkeysphere-host import-key...' first."
}
# output the index of a user ID on the host key
fi
}
-# function to check for host secret key
-check_host_fail() {
- [ "$HOST_FINGERPRINT" ] || \
- failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host expert import-key' first."
-}
-
# show info about the host key
show_key() {
- local fingerprintSSH
-
- # FIXME: should not have to be priviledged user to see this info.
- # should be taken from publicly accessible key files, instead of
- # the keyring.
-
- gpg_host --fingerprint --list-key --list-options show-unusable-uids \
- "0x${HOST_FINGERPRINT}!" 2>/dev/null
+ local GNUPGHOME
+ local TMPSSH
+ local revokers
+
+ # tmp gpghome dir
+ export GNUPGHOME=$(msmktempdir)
+
+ # trap to remove tmp dir if break
+ trap "rm -rf $GNUPGHOME" EXIT
+
+ # import the host key into the tmp dir
+ gpg --quiet --import <"$HOST_KEY_FILE"
+
+ # create the ssh key
+ TMPSSH="$GNUPGHOME"/ssh_host_key_rsa_pub
+ openpgp2ssh <"$HOST_KEY_FILE" 2>/dev/null >"$TMPSSH"
+
+ # get the gpg fingerprint
+ HOST_FINGERPRINT=$(gpg --quiet --list-keys --with-colons --with-fingerprint \
+ | grep '^fpr:' | cut -d: -f10 )
+
+ # list the host key info
+ # FIXME: make no-show-keyring work so we don't have to do the grep'ing
+ # FIXME: can we show uid validity somehow?
+ gpg --list-keys --fingerprint \
+ --list-options show-unusable-uids 2>/dev/null \
+ | grep -v "^${GNUPGHOME}/pubring.gpg$" \
+ | egrep -v '^-+$'
+
+ # list revokers, if there are any
+ revokers=$(gpg --list-keys --with-colons --fixed-list-mode \
+ | awk -F: '/^rvk:/{ print $10 }' )
+ if [ "$revokers" ] ; then
+ echo "The following keys are allowed to revoke this host key:"
+ for key in $revokers ; do
+ echo "revoker: $key"
+ done
+ echo
+ fi
+ # list the pgp fingerprint
echo "OpenPGP fingerprint: $HOST_FINGERPRINT"
- if [ -f "${MHDATADIR}/ssh_host_rsa_key.pub" ] ; then
- fingerprintSSH=$(ssh-keygen -l -f "${MHDATADIR}/ssh_host_rsa_key.pub" | \
- awk '{ print $1, $2, $4 }')
- echo "ssh fingerprint: $fingerprintSSH"
- else
- log info "SSH host key not found."
- fi
+ # list the ssh fingerprint
+ echo -n "ssh fingerprint: "
+ ssh-keygen -l -f "$TMPSSH" | awk '{ print $1, $2, $4 }'
- # FIXME: show expiration date
- # FIXME: other relevant key parameters?
+ # remove the tmp file
+ trap - EXIT
+ rm -rf "$GNUPGHOME"
}
########################################################################
# MAIN
########################################################################
-# unset variables that should be defined only in config file
-unset KEYSERVER
-unset MONKEYSPHERE_USER
-
# load configuration file
-[ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] && . "$MONKEYSPHERE_HOST_CONFIG"
+[ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] \
+ && . "$MONKEYSPHERE_HOST_CONFIG"
# set empty config variable with ones from the environment, or with
# defaults
-LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
-KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
-AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
-RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
-MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
+LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL}
+KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER}
+CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=$CHECK_KEYSERVER}
+MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=$MONKEYSPHERE_USER}
+PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT}
# other variables
-CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
-# host key fingerprint
-HOST_FINGERPRINT=$(fingerprint_host_key)
-
# export variables needed in su invocation
export DATE
-export MODE
export LOG_LEVEL
-export MONKEYSPHERE_USER
export KEYSERVER
+export CHECK_KEYSERVER
+export MONKEYSPHERE_USER
+export PROMPT
export GNUPGHOME_HOST
export GNUPGHOME
export HOST_FINGERPRINT
[ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
shift
-
case $COMMAND in
+ 'import-key'|'i')
+ check_host_key
+ source "${MHSHAREDIR}/import_key"
+ import_key "$@"
+ ;;
+
'show-key'|'show'|'s')
- check_host_keyring
+ check_host_no_key
show_key
;;
'set-expire'|'extend-key'|'e')
- check_host_keyring
+ check_host_no_key
+ load_fingerprint
source "${MHSHAREDIR}/set_expire"
set_expire "$@"
;;
'add-hostname'|'add-name'|'n+')
- check_host_keyring
+ check_host_no_key
+ load_fingerprint
source "${MHSHAREDIR}/add_hostname"
add_hostname "$@"
;;
'revoke-hostname'|'revoke-name'|'n-')
- check_host_keyring
+ check_host_no_key
+ load_fingerprint
source "${MHSHAREDIR}/revoke_hostname"
revoke_hostname "$@"
;;
- 'add-revoker'|'o')
- check_host_keyring
+ 'add-revoker'|'r+')
+ check_host_no_key
+ load_fingerprint
source "${MHSHAREDIR}/add_revoker"
add_revoker "$@"
;;
- 'revoke-key'|'r')
- check_host_keyring
+ 'revoke-key')
+ check_host_no_key
+ load_fingerprint
source "${MHSHAREDIR}/revoke_key"
revoke_key "$@"
;;
'publish-key'|'publish'|'p')
- check_host_keyring
+ check_host_no_key
+ load_fingerprint
source "${MHSHAREDIR}/publish_key"
publish_key
;;
- 'expert')
- SUBCOMMAND="$1"
- shift
- case "$SUBCOMMAND" in
- 'help'|'h'|'?')
- cat <<EOF
-usage: $PGRM expert <subcommand> [options] [args]
-
-expert subcommands:
- import-key (i) [NAME[:PORT]] import existing ssh key to gpg
- gen-key (g) [NAME[:PORT]] generate gpg key for the host
- --length (-l) BITS key length in bits (2048)
- diagnostics (d) monkeysphere host status
-
-EOF
- ;;
-
- 'import-key'|'i')
- source "${MHSHAREDIR}/import_key"
- import_key "$@"
- ;;
-
- 'gen-key'|'g')
- source "${MHSHAREDIR}/gen_key"
- gen_key "$@"
- ;;
-
- 'diagnostics'|'d')
- source "${MHSHAREDIR}/diagnostics"
- diagnostics
- ;;
+ 'diagnostics'|'d')
+ load_fingerprint
+ source "${MHSHAREDIR}/diagnostics"
+ diagnostics
+ ;;
- *)
- failure "Unknown expert subcommand: '$COMMAND'
-Type '$PGRM help' for usage."
- ;;
- esac
+ 'update-gpg-pub-file')
+ load_fingerprint_secret
+ update_gpg_pub_file
;;
'version'|'v')
- echo "$VERSION"
+ version
;;
'--help'|'help'|'-h'|'h'|'?')
projects / monkeysphere.git / blobdiff