author | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2008-08-08 09:09:31 -0400 |
---|---|---|
committer | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2008-08-08 09:09:31 -0400 |
commit | 26515a1311d364501d562b706660337fbb906011 (patch) | |
tree | 6bfb82bccddf4e1171a8fc30d6ff1635fb9b6cf7 | |
parent | 70bce7624684f8b9c8f569b014b2a36264717aa0 (diff) | |
parent | 21f5859c43fb539b6b4a852bc1d92aa3fbab26a2 (diff) |
Merge commit 'jrollins/master'
-rwxr-xr-x | src/monkeysphere | 16 | ||||
-rwxr-xr-x | src/monkeysphere-server | 4 | ||||
-rwxr-xr-x | src/seckey2sshagent | 114 |
3 files changed, 86 insertions, 48 deletions
diff --git a/src/monkeysphere b/src/monkeysphere index cd77193..4a611c8 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -32,7 +32,7 @@ umask 077 ######################################################################## usage() { -cat <<EOF + cat <<EOF usage: $PGRM <subcommand> [options] [args] MonkeySphere client tool. @@ -89,9 +89,17 @@ gen_subkey(){ esac done - keyID="$1" - if [ -z "$keyID" ] ; then - failure "You must specify the key ID of your primary key." + if [ -z "$1" ] ; then + # find all secret keys + keyID=$(gpg --with-colons --list-secret-keys | grep ^sec | cut -f5 -d:) + # if multiple sec keys exist, fail + if (( $(echo "$keyID" | wc -l) > 1 )) ; then + echo "Multiple secret keys found:" + echo "$keyID" + failure "Please specify which primary key to use." + fi + else + keyID="$1" fi # get key output, and fail if not found diff --git a/src/monkeysphere-server b/src/monkeysphere-server index a0b7067..7fac3ee 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -32,7 +32,7 @@ RETURN=0 ######################################################################## usage() { -cat <<EOF + cat <<EOF usage: $PGRM <subcommand> [options] [args] MonkeySphere server admin tool. @@ -475,7 +475,7 @@ diagnostics() { if badhostkeys=$(grep '^HostKey' | grep -q -v "^HostKey ${VARLIB}/ssh_host_rsa_key$") ; then echo "! /etc/sshd_config refers to some non-monkeysphere host keys:" echo "$badhostkeys" - echo "- Recommendation: remove the above HostKey lines from /etc/ssh/sshd_config" + echo " - Recommendation: remove the above HostKey lines from /etc/ssh/sshd_config" fi fi fi diff --git a/src/seckey2sshagent b/src/seckey2sshagent index 4b765dc..a516256 100755 --- a/src/seckey2sshagent +++ b/src/seckey2sshagent 
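Review bot: In gen_subkey (src/monkeysphere), the new auto-detect branch does not handle a keyring with no secret keys: `keyID` is then empty, `echo "$keyID" | wc -l` still reports 1, and the `> 1` guard lets the empty ID through. Whether the later "get key output, and fail if not found" step rejects an empty ID is outside the hunk, so an explicit check right after the assignment is safer, for example `[ -n "$keyID" ] || failure "No secret keys found."` (message wording is a suggestion). The two `echo` lines that list the candidate keys would also be better sent to stderr with `>&2`, so they cannot be mistaken for command output.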
@@ -14,17 +14,17 @@ # Authors: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, # Jameson Rollins <jrollins@fifthhorseman.net> - -cleanup() { - echo -n "removing temp gpg home... " 1>&2 - rm -rf "$TMPPRIVATE" - echo "done." 1>&2 -} - explanation() { - echo -n "The basic strategy of seckey2sshagent is to dump your -OpenPGP authentication key(s) into your agent. + cat <<EOF +Usage: $0 [GPGID [FILE]] + +The basic strategy of seckey2sshagent is to dump your OpenPGP +authentication key(s) into your agent or a file. With no arguments, +it will add all secret keys in your keyring to the agent. With one +argument, it adds only the specified key to the agent. With two +arguments, it dumps the specified key to FILE, with the pub key in +FILE.pub. This script is a gross hack at the moment. It is done by creating a new, temporary private keyring, letting the user remove the @@ -51,8 +51,37 @@ You can check on it with: ssh-add -l -" +EOF +} + +cleanup() { + echo -n "removing temp gpg home... " 1>&2 + rm -rf "$TMPPRIVATE" + echo "done." 1>&2 +} + +export_sec_key() { + gpg --export-secret-key "$GPGID" | GNUPGHOME="$TMPPRIVATE" gpg --import + GNUPGHOME="$TMPPRIVATE" gpg --edit-key "$GPGID" + + # idea to script the password stuff. not working. + # read -s -p "enter gpg password: " PASSWD; echo + # cmd=$(cat <<EOF + # passwd + # $PASSWD + # \n + # \n + # \n + # yes + # save + # EOF + # ) + # echo -e "$cmd" | GNUPGHOME="$TMPPRIVATE" gpg --command-fd 0 --edit-key $GPGID + + # export secret key to file + GNUPGHOME="$TMPPRIVATE" gpg --export-secret-keys "$GPGID" | \ + openpgp2ssh "$GPGID" } # if no hex string is supplied, just print an explanation. 
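Review bot: In export_sec_key, the function's stdout is the private-key stream (the last hunk redirects it to the key file or pipes it to ssh-add), yet the `gpg --import` and `gpg --edit-key` steps ahead of the export share that same stdout. Anything either command prints there would be mixed into the key data; sending both to stderr keeps the stream clean, e.g. `GNUPGHOME="$TMPPRIVATE" gpg --edit-key "$GPGID" >&2`. The exit status of the import and edit steps is also ignored, so the export runs even when the temporary keyring was not populated; chaining the steps with `&&` would stop at the first failure. A short header comment stating that the function reads the globals `GPGID` and `TMPPRIVATE` and writes the SSH-format secret key to stdout would make that contract visible.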
@@ -62,52 +91,53 @@ if [ "$(echo "$1" | tr -d '0-9a-fA-F')" ]; then exit fi -trap cleanup EXIT +# set the file creation umask +umask 077 GPGIDS="$1" +if [ "$2" -a ! -e "$2" ] ; then + FILE="$2" +fi if [ -z "$GPGIDS" ]; then # hack: we need to get the list of secret keys, because if you # --list-secret-keys with no arguments, GPG fails to print the # capability flags (i've just filed this as # https://bugs.g10code.com/gnupg/issue945) - KEYIDS=$(gpg2 --with-colons --list-secret-keys | grep ^sec | cut -f5 -d:) + KEYIDS=$(gpg --with-colons --list-secret-keys | grep ^sec | cut -f5 -d:) # default to using all fingerprints of authentication-enabled keys - GPGIDS=$(gpg --with-colons --fingerprint --fingerprint --list-secret-keys $KEYIDS | egrep -A1 '^(ssb|sec):.*:[^:]*a[^:]*:$' | grep ^fpr: | cut -d: -f10) + GPGIDS=$(gpg --with-colons --fingerprint --fingerprint --list-secret-keys $KEYIDS | egrep -A1 '^(ssb|sec):.*:[^:]*a[^:]*:$' | grep ^fpr: | cut -d: -f10) fi +trap cleanup EXIT + for GPGID in $GPGIDS; do TMPPRIVATE=$(mktemp -d) - gpg --export-secret-key "$GPGID" | GNUPGHOME="$TMPPRIVATE" gpg --import - -# idea to script the password stuff. not working. 
-# read -s -p "enter gpg password: " PASSWD; echo -# cmd=$(cat <<EOF -# passwd -# $PASSWD -# \n -# \n -# \n -# yes -# save -# EOF -# ) -# echo -e "$cmd" | GNUPGHOME="$TMPPRIVATE" gpg --command-fd 0 --edit-key $GPGID - - GNUPGHOME="$TMPPRIVATE" gpg --edit-key "$GPGID" - - KEYNAME='MonkeySphere Key '$(echo "$GPGID" | tr -c -d '0-9a-fA-F')'' -# creating this alias so the key is named "monkeysphere-key" in the -# comment stored by the agent, while never being written to disk in -# SSH form: - ln -s /dev/stdin "$TMPPRIVATE/$KEYNAME" - - GNUPGHOME="$TMPPRIVATE" gpg --export-secret-keys "$GPGID" | \ - openpgp2ssh $GPGID | (cd "$TMPPRIVATE" && ssh-add -c "$KEYNAME") + # if specified, write key to fail and passprotect + if [ "$FILE" ] ; then + # export secret key to file + export_sec_key > "$TMPPRIVATE/key" + # passprotect file + ssh-keygen -f "${TMPPRIVATE}/key" -p + # move into place + mv "${TMPPRIVATE}/key" "$FILE" + + # export public key + gpg --export "$GPGID" | openpgp2ssh "$GPGID" > "${FILE}.pub" + + # otherwise add to agent + else + KEYNAME='MonkeySphere Key '$(echo "$GPGID" | tr -c -d '0-9a-fA-F')'' + + # creating this alias so the key is named "monkeysphere-key" in the + # comment stored by the agent, while never being written to disk in + # SSH form: + ln -s /dev/stdin "${TMPPRIVATE}/${KEYNAME}" + + # export secret key to agent + export_sec_key | (cd "$TMPPRIVATE" && ssh-add -c "$KEYNAME") + fi - cleanup done - - |
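Review bot: With the per-iteration `cleanup` call removed and only `trap cleanup EXIT` left, each pass of the `for GPGID in $GPGIDS` loop creates a fresh `mktemp -d` directory but only the last `TMPPRIVATE` is deleted at exit. When several keys are processed, the earlier temporary GnuPG homes, each holding an imported secret key, stay on disk; restoring `cleanup` just before `done`, or recording every directory and removing them all in the trap, closes that gap. In the file branch the results of `export_sec_key` and `ssh-keygen -p` are not checked, so a failed or aborted passphrase step still moves the unprotected key into place; `ssh-keygen -f "${TMPPRIVATE}/key" -p && mv "${TMPPRIVATE}/key" "$FILE"` avoids that. `FILE` is also never initialised, so a value inherited from the environment selects the file branch even without a second argument; a plain `FILE=` ahead of the `if [ "$2" -a ! -e "$2" ]` test fixes it.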