# write output to stderr
log() {
- echo -n "ms: " >&2
- echo "$@" >&2
-}
+ local level
-loge() {
+ level="$1"
+ shift
+
+ echo -n "ms: " >&2
echo "$@" >&2
}
userID="$1"
- log -n " checking keyserver $KEYSERVER... "
+ log info " checking keyserver $KEYSERVER... "
echo 1,2,3,4,5 | \
gpg --quiet --batch --with-colons \
--command-fd 0 --keyserver "$KEYSERVER" \
--search ="$userID" > /dev/null 2>&1
returnCode="$?"
- loge "done."
# if the user is the monkeysphere user, then update the
# monkeysphere user's trustdb
# (see /usr/share/doc/gnupg/DETAILS.gz)
# output is one line for every found key, in the following format:
#
-# flag:fingerprint
+# flag:sshKey
#
# "flag" is an acceptability flag, 0 = ok, 1 = bad
-# "fingerprint" is the fingerprint of the key
+# "sshKey" is the translated gpg key
+#
+# all log output must go to stderr, as stdout is used to pass the
+# flag:sshKey to the calling function.
#
# expects global variable: "MODE"
process_user_id() {
# if the gpg query return code is not 0, return 1
if [ "$?" -ne 0 ] ; then
- log " no primary keys found."
+ log error " no primary keys found."
return 1
fi
lastKeyOK=
fingerprint=
- log " primary key found: $keyid"
+ log error " primary key found: $keyid"
# if overall key is not valid, skip
if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
- log " - unacceptable primary key validity ($validity)."
+ log error " - unacceptable primary key validity ($validity)."
continue
fi
# if overall key is disabled, skip
if check_capability "$usage" 'D' ; then
- log " - key disabled."
+ log error " - key disabled."
continue
fi
# if overall key capability is not ok, skip
if ! check_capability "$usage" $requiredPubCapability ; then
- log " - unacceptable primary key capability ($usage)."
+ log error " - unacceptable primary key capability ($usage)."
continue
fi
;;
'uid') # user ids
if [ "$lastKey" != pub ] ; then
- log " - got a user ID after a sub key?! user IDs should only follow primary keys!"
+ log error " - got a user ID after a sub key?! user IDs should only follow primary keys!"
continue
fi
# if an acceptable user ID was already found, skip
# output a line for the primary key
# 0 = ok, 1 = bad
if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
- log " * acceptable primary key."
+ log error " * acceptable primary key."
if [ -z "$sshKey" ] ; then
- log " ! primary key could not be translated (not RSA or DSA?)."
+ log error " ! primary key could not be translated (not RSA or DSA?)."
else
echo "0:${sshKey}"
fi
else
- log " - unacceptable primary key."
+ log error " - unacceptable primary key."
if [ -z "$sshKey" ] ; then
- log " ! primary key could not be translated (not RSA or DSA?)."
+ log error " ! primary key could not be translated (not RSA or DSA?)."
else
echo "1:${sshKey}"
fi
# output a line for the sub key
# 0 = ok, 1 = bad
if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
- log " * acceptable sub key."
+ log error " * acceptable sub key."
if [ -z "$sshKey" ] ; then
- log " ! sub key could not be translated (not RSA or DSA?)."
+ log error " ! sub key could not be translated (not RSA or DSA?)."
else
echo "0:${sshKey}"
fi
else
- log " - unacceptable sub key."
+ log error " - unacceptable sub key."
if [ -z "$sshKey" ] ; then
- log " ! sub key could not be translated (not RSA or DSA?)."
+ log error " ! sub key could not be translated (not RSA or DSA?)."
else
echo "1:${sshKey}"
fi
host="$1"
userID="ssh://${host}"
- log "processing: $host"
+ log info "processing: $host"
nKeys=0
nKeysOK=0
# note if the known_hosts file was updated
if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then
- log "known_hosts file updated."
+ log info "known_hosts file updated."
fi
# if an acceptable host was found, return 0
process_known_hosts() {
local hosts
- log "processing known_hosts file..."
+ log info "processing known_hosts file..."
hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ')
if [ -z "$hosts" ] ; then
- log "no hosts to process."
+ log error "no hosts to process."
return
fi
userID="$1"
- log "processing: $userID"
+ log info "processing: $userID"
nKeys=0
nKeysOK=0
# note if the authorized_keys file was updated
if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then
- log "authorized_keys file updated."
+ log info "authorized_keys file updated."
fi
# if an acceptable id was found, return 0
authorizedUserIDs="$1"
- log "processing authorized_user_ids file..."
+ log info "processing authorized_user_ids file..."
if ! meat "$authorizedUserIDs" > /dev/null ; then
- log "no user IDs to process."
+ log error "no user IDs to process."
return
fi
########################################################################
usage() {
- cat <<EOF
+ cat <<EOF >&2
usage: $PGRM <subcommand> [options] [args]
MonkeySphere client tool.
EOF
)
- log "generating subkey..."
+ log info "generating subkey..."
fifoDir=$(mktemp -d)
(umask 077 && mkfifo "$fifoDir/pass")
echo "$editCommands" | gpg --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --edit-key "$keyID" &
rm -rf "$fifoDir"
wait
- log "done."
+ log info "done."
}
function subkey_to_ssh_agent() {
# set empty config variables with ones from the environment, or from
# config file, or with defaults
+LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
GNUPGHOME=${MONKEYSPHERE_GNUPGHOME:=${GNUPGHOME:="${HOME}/.gnupg"}}
KEYSERVER=${MONKEYSPHERE_KEYSERVER:="$KEYSERVER"}
# if keyserver not specified in env or monkeysphere.conf,
# permissions
export GNUPGHOME
mkdir -p -m 0700 "$GNUPGHOME"
+export LOG_LEVEL
# get subcommand
COMMAND="$1"
else
# exit if the known_hosts file does not exist
if [ ! -e "$KNOWN_HOSTS" ] ; then
- log "known_hosts file '$KNOWN_HOSTS' does not exist."
+ log error "known_hosts file '$KNOWN_HOSTS' does not exist."
exit
fi
# exit if the authorized_user_ids file is empty
if [ ! -e "$AUTHORIZED_USER_IDS" ] ; then
- log "authorized_user_ids file '$AUTHORIZED_USER_IDS' does not exist."
+ log error "authorized_user_ids file '$AUTHORIZED_USER_IDS' does not exist."
exit
fi
########################################################################
usage() {
- cat <<EOF
+ cat <<EOF >&2
usage: $PGRM <subcommand> [options] [args]
MonkeySphere server admin tool.
for uname in $unames ; do
# check all specified users exist
if ! getent passwd "$uname" >/dev/null ; then
- log "----- unknown user '$uname' -----"
+ log info "----- unknown user '$uname' -----"
continue
fi
fi
fi
- log "----- user: $uname -----"
+ log info "----- user: $uname -----"
# exit if the authorized_user_ids file is empty
if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then
- log "Improper permissions on authorized_user_ids file path."
+ log error "Improper permissions on authorized_user_ids file path."
continue
fi
# check permissions on the authorized_keys file path
if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then
- log "Improper permissions on authorized_keys file path path."
+ log error "Improper permissions on authorized_keys file path path."
continue
fi
# add user-controlled authorized_keys file path if specified
if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then
- log -n "adding raw authorized_keys file... "
+ log info "adding raw authorized_keys file... "
cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
- loge "done."
fi
# openssh appears to check the contents of the
EOF
)
- log "generating server key..."
+ log info "generating server key..."
echo "$keyParameters" | gpg_host --batch --gen-key
# output the server fingerprint
fingerprint=$(fingerprint_server_key)
# export host ownertrust to authentication keyring
- log "setting ultimate owner trust for server key..."
+ log info "setting ultimate owner trust for server key..."
echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"
# translate the private key to ssh format, and export to a file
(umask 077 && \
gpg_host --export-secret-key "$fingerprint" | \
openpgp2ssh "$fingerprint" > "${VARLIB}/ssh_host_rsa_key")
- log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key"
+ log info "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key"
}
# extend the lifetime of a host key:
# set empty config variable with ones from the environment, or with
# defaults
+LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="info"}}
KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="subkeys.pgp.net"}}
AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.config/monkeysphere/authorized_user_ids"}}
RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
export DATE
export MODE
export MONKEYSPHERE_USER
+export LOG_LEVEL
export KEYSERVER
export CHECK_KEYSERVER
export REQUIRED_USER_KEY_CAPABILITY
# established. Can be added to ~/.ssh/config as follows:
# ProxyCommand monkeysphere-ssh-proxycommand %h %p
+########################################################################
+SHARE=${MONKEYSPHERE_SHARE:-"/usr/share/monkeysphere"}
+. "${SHARE}/common" || exit 1
+
+########################################################################
+
usage() {
cat <<EOF >&2
usage: ssh -o ProxyCommand="$(basename $0) %h %p" ...
EOF
}
-log() {
- echo "$@" >&2
-}
+########################################################################
+
+# export the monkeysphere log level
+export MONKEYSPHERE_LOG_LEVEL
if [ "$1" = '--no-connect' ] ; then
NO_CONNECT='true'
MS_HOME=${MS_HOME:-"${HOME}/.config/monkeysphere"}
if [ -z "$HOST" ] ; then
- log "host must be specified."
+ echo "Host not specified." >&2
usage
- exit 1
+ exit 255
fi
if [ -z "$PORT" ] ; then
PORT=22
elif (which socat 2>/dev/null >/dev/null); then
exec socat STDIO "TCP:$HOST:$PORT"
else
- log "Neither netcat nor socat found -- could not complete monkeysphere-ssh-proxycommand connection to $HOST:$PORT"
- exit 1
+ echo "Neither netcat nor socat found -- could not complete monkeysphere-ssh-proxycommand connection to $HOST:$PORT" >&2
+ exit 255
fi
fi
git clone git://lair.fifthhorseman.net/~jrollins/monkeysphere
-Micah Anderson
+Micah Anderson:
git clone git://labs.riseup.net/~micah/monkeysphere
[[!template id="nav"]]
[[meta title="Documentation"]]
+
## Dependencies ##
Monkeysphere relies on:
"Instructions for adding dkg's key to apt")
Once you've installed the packages, you might want to read up on how
-to get started [as a regular user](/getting-started-user) or [as a
+to get started [as a regular user](/getting-started-user), or [as a
systems administrator](/getting-started-admin).
## Enhancements ##
projects / monkeysphere.git / commitdiff