From c4f049f6a8dfd1e0e301a6abffafb5c0012ccc0e Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 12 Feb 2009 13:25:35 -0500 Subject: [PATCH] break out a bunch of common functions in monkeysphere-host: - create_*_*_file to create the key files - load_*fingerprint to load the host fingerprint into an exported variable (HOST_FINGERPRINT) - check_host_*key to check for the presence of a host key modified {import,gen}_key to use these new functions. --- src/monkeysphere-host | 128 +++++++++++++++++++++++++++------------- src/share/mh/gen_key | 28 +++------ src/share/mh/import_key | 13 ++-- 3 files changed, 100 insertions(+), 69 deletions(-) diff --git a/src/monkeysphere-host b/src/monkeysphere-host index be398b1..4aab995 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -32,6 +32,10 @@ MHSHAREDIR="${SYSSHAREDIR}/mh" # datadir for host functions MHDATADIR="${SYSDATADIR}/host" +# host pub key files +HOST_KEY_PUB="${SYSDATADIR}/ssh_host_rsa_key.pub" +HOST_KEY_PUB_GPG="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + # UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') @@ -93,22 +97,71 @@ gpg_host_export() { "0x${HOST_FINGERPRINT}!" } -# export the host key to the monkeysphere host file key -gpg_host_export_to_ssh_file() { - log debug "exporting openpgp public key..." +# export the host secret key to the monkeysphere ssh sec key file +# NOTE: assumes that the primary key is the proper key to use +create_ssh_sec_file() { + log debug "creating ssh secret key file..." + (umask 077 && \ + gpg_host --export-secret-key "$HOST_FINGERPRINT" | \ + openpgp2ssh "$HOST_FINGERPRINT" > "${MHDATADIR}/ssh_host_rsa_key") + log info "SSH host secret key file: ${MHDATADIR}/ssh_host_rsa_key" +} + +# export the host public key to the monkeysphere ssh pub key file +create_ssh_pub_file() { + log debug "creating ssh public key file..." + ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "$HOST_KEY_PUB" + log info "SSH host public key file: $HOST_KEY_PUB" +} +# export the host public key to the monkeysphere gpg pub key file +create_gpg_pub_file() { + log debug "creating openpgp public key file..." gpg_host_export > "$HOST_KEY_PUB_GPG" - log info "SSH host public key in OpenPGP form: $HOST_KEY_PUB_GPG" + log info "GPG host public key file: $HOST_KEY_PUB_GPG" +} + +# load the host fingerprint into the fingerprint variable, using the +# export gpg pub key file +load_fingerprint() { + if [ -f "$HOST_KEY_PUB_GPG" ] ; then + HOST_FINGERPRINT=$( \ + (FUBAR=$(mktemp -d) && export GNUPGHOME="$FUBAR" \ + && gpg --quiet --import \ + && gpg --quiet --list-keys --with-colons --with-fingerprint \ + && rm -rf "$FUBAR") <"$HOST_KEY_PUB_GPG" \ + | grep '^fpr:' | cut -d: -f10 ) + else + HOST_FINGERPRINT= + fi +} + +# load the host fingerprint into the fingerprint variable, using the +# gpg host secret key +load_fingerprint_secret() { + HOST_FINGERPRINT=$( \ + gpg_host --quiet --list-secret-key \ + --with-colons --with-fingerprint \ + | grep '^fpr:' | cut -d: -f10 ) } -# output just key fingerprint -# FIXME: should not have to be priviledged user to get host -# fingerprint. should be taken from publicly accessible key files, -# instead of the keyring. -get_host_fingerprint() { - gpg_host --list-secret-keys --fingerprint \ - --with-colons --fixed-list-mode 2> /dev/null | \ - grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null || true +# output host key ssh fingerprint +load_ssh_fingerprint() { + [ -f "$HOST_KEY_PUB" ] || return 0 + HOST_FINGERPRINT_SSH=$(ssh-keygen -l -f "$HOST_KEY_PUB" \ + | awk '{ print $1, $2, $4 }') +} + +# fail if host key present +check_host_key() { + [ -z "$HOST_FINGERPRINT" ] \ + || failure "An OpenPGP host key already exists." +} + +# fail if host key not present +check_host_no_key() { + [ "$HOST_FINGERPRINT" ] \ + || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host expert import-key' first." } # output the index of a user ID on the host key @@ -135,27 +188,18 @@ find_host_userid() { fi } -# function to check for host secret key -check_host_fail() { - [ "$HOST_FINGERPRINT" ] || \ - failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host expert import-key' first." -} - # show info about the host key show_key() { - local fingerprintSSH - gpg_host --fingerprint --list-key --list-options show-unusable-uids \ "0x${HOST_FINGERPRINT}!" 2>/dev/null # FIXME: make sure expiration date is shown echo "OpenPGP fingerprint: $HOST_FINGERPRINT" - if [ -f "$HOST_KEY_PUB" ] ; then - fingerprintSSH=$(ssh-keygen -l -f "$HOST_KEY_PUB" | \ - awk '{ print $1, $2, $4 }') + load_ssh_fingerprint - echo "ssh fingerprint: $fingerprintSSH" + if [ "$HOST_FINGERPRINT_SSH" ] ; then + echo "ssh fingerprint: $HOST_FINGERPRINT_SSH" else log error "SSH host key not found." fi @@ -186,13 +230,6 @@ MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkey CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} -# host key fingerprint -HOST_FINGERPRINT=$(get_host_fingerprint) - -# host pub key files -HOST_KEY_PUB="${SYSDATADIR}/ssh_host_rsa_key.pub" -HOST_KEY_PUB_GPG="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" - # export variables needed in su invocation export DATE export MODE @@ -201,52 +238,59 @@ export MONKEYSPHERE_USER export KEYSERVER export GNUPGHOME_HOST export GNUPGHOME -export HOST_FINGERPRINT +export HOST_FINGERPRINT= +export HOST_FINGERPRINT_SSH= # get subcommand COMMAND="$1" [ "$COMMAND" ] || failure "Type '$PGRM help' for usage." shift - case $COMMAND in 'show-key'|'show'|'s') - check_host_fail + load_fingerprint + check_host_no_key show_key ;; 'set-expire'|'extend-key'|'e') - check_host_fail + load_fingerprint + check_host_no_key source "${MHSHAREDIR}/set_expire" set_expire "$@" ;; 'add-hostname'|'add-name'|'n+') - check_host_fail + load_fingerprint + check_host_no_key source "${MHSHAREDIR}/add_hostname" add_hostname "$@" ;; 'revoke-hostname'|'revoke-name'|'n-') - check_host_fail + load_fingerprint + check_host_no_key source "${MHSHAREDIR}/revoke_hostname" revoke_hostname "$@" ;; 'add-revoker'|'o') - check_host_fail + load_fingerprint + check_host_no_key source "${MHSHAREDIR}/add_revoker" add_revoker "$@" ;; 'revoke-key'|'r') - check_host_fail + load_fingerprint + check_host_no_key source "${MHSHAREDIR}/revoke_key" revoke_key "$@" ;; 'publish-key'|'publish'|'p') - check_host_fail + load_fingerprint + check_host_no_key source "${MHSHAREDIR}/publish_key" publish_key ;; @@ -269,11 +313,15 @@ EOF ;; 'import-key'|'i') + load_fingerprint + check_host_key source "${MHSHAREDIR}/import_key" import_key "$@" ;; 'gen-key'|'g') + load_fingerprint + check_host_key source "${MHSHAREDIR}/gen_key" gen_key "$@" ;; diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index 7b427e4..873ed02 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -20,10 +20,6 @@ local keyUsage="auth" local keyExpire="0" local userID -# check for presense of a key -[ "$HOST_FINGERPRINT" ] && \ - failure "An OpenPGP host key already exists." - # get options while true ; do case "$1" in @@ -61,25 +57,17 @@ Expire-Date: $keyExpire EOF -# find the key fingerprint of the newly converted key -HOST_FINGERPRINT=$(get_host_fingerprint) -export HOST_FINGERPRINT +# load the new host fpr into the fpr variable +load_fingerprint_secret -# translate the private key to ssh format, and export to a file -# for sshs usage. -# NOTE: assumes that the primary key is the proper key to use -log debug "exporting ssh secret key..." -(umask 077 && \ - gpg_host --export-secret-key "$HOST_FINGERPRINT" | \ - openpgp2ssh "$HOST_FINGERPRINT" > "${MHDATADIR}/ssh_host_rsa_key") -log info "SSH host private key output to file: ${MHDATADIR}/ssh_host_rsa_key" +# export to ssh secret key file +create_ssh_sec_file -log debug "creating ssh public key..." -ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "$HOST_KEY_PUB" -log info "SSH host public key output to file: $HOST_KEY_PUB" +# export to ssh public key file +create_ssh_pub_file -# export public key to file -gpg_host_export_to_ssh_file +# export to gpg public key to file +create_gpg_pub_file # show info about new key show_key diff --git a/src/share/mh/import_key b/src/share/mh/import_key index 99511a8..9be8dce 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key @@ -16,10 +16,6 @@ import_key() { local hostName local userID -# check for presense of a key -[ "$HOST_FINGERPRINT" ] && \ - failure "An OpenPGP host key already exists." - hostName=${1:-$(hostname -f)} userID="ssh://${hostName}" @@ -33,12 +29,11 @@ log verbose "importing ssh key..." PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | \ gpg_host --import -# find the key fingerprint of the newly converted key -HOST_FINGERPRINT=$(get_host_fingerprint) -export HOST_FINGERPRINT +# load the new host fpr into the fpr variable +load_fingerprint_secret -# export public key to file -gpg_host_export_to_ssh_file +# export to gpg public key to file +create_gpg_pub_file # show info about new key show_key -- 2.25.1