diff options
| -rw-r--r-- | debian/changelog | 3 | ||||
| -rw-r--r-- | man/man8/monkeysphere-server.8 | 8 | ||||
| -rw-r--r-- | src/common | 44 | ||||
| -rwxr-xr-x | src/monkeysphere-server | 15 |
4 files changed, 52 insertions, 18 deletions
diff --git a/debian/changelog b/debian/changelog index cec0988..41af80c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,8 +12,9 @@ monkeysphere (0.2-1) UNRELEASED; urgency=low * Better handling of unknown users in server update-users * Add file locking when modifying known_hosts or authorized_keys * Better failure/prompting for gen-subkey + * Add ability to set any owner trust level for keys in server keychain. - -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Sat, 21 Jun 2008 16:39:26 -0400 + -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Sun, 22 Jun 2008 11:42:42 -0400 monkeysphere (0.1-1) experimental; urgency=low diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 2b5af5e..e821e63 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -43,9 +43,11 @@ Show the fingerprint for the host's OpenPGP key. `f' may be used in place of Publish the host's gpg key to the keyserver. `p' may be used in place of `publish-key'. .TP -.B trust-keys KEYID... -Mark key specified with key IDs with full owner trust. `t' may be used -in place of `trust-keys'. +.B trust-key KEYID [LEVEL] +Set owner trust for key. If LEVEL is not specified, then the program +will prompt for an owner trust level to set for KEYID. This function +lsigns the key as well so that it will have a known validity. `t' may +be used in place of `trust-key'. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of @@ -532,6 +532,16 @@ process_authorized_keys() { # retrieve key from web of trust, and set owner trust to "full" # if key is found. trust_key() { + local keyID + local trustLevel + + keyID="$1" + trustLevel="$2" + + if [ -z "$keyID" ] ; then + failure "You must specify key to trust." + fi + # get the key from the key server if ! gpg --keyserver "$KEYSERVER" --recv-key "$keyID" ; then failure "Could not retrieve key '$keyID'." @@ -540,13 +550,41 @@ trust_key() { # get key fingerprint fingerprint=$(get_key_fingerprint "$keyID") + echo "key found:" + gpg --fingerprint "$fingerprint" + + while [ -z "$trustLevel" ] ; do + cat <<EOF +Please decide how far you trust this user to correctly verify other users' keys +(by looking at passports, checking fingerprints from different sources, etc.) + + 1 = I don't know or won't say + 2 = I do NOT trust + 3 = I trust marginally + 4 = I trust fully + 5 = I trust ultimately + +EOF + read -p "Your decision? " trustLevel + if echo "$trustLevel" | grep -v "[1-5]" ; then + echo "Unknown trust level '$trustLevel'." + unset trustLevel + elif [ "$trustLevel" = 'q' ] ; then + failure "Aborting." + fi + done + # attach a "non-exportable" signature to the key # this is required for the key to have any validity at all # the 'y's on stdin indicates "yes, i really want to sign" - echo -e 'y\ny' | gpg --lsign-key --command-fd 0 "$fingerprint" + echo -e 'y\ny' | gpg --quiet --lsign-key --command-fd 0 "$fingerprint" + + # index trustLevel by one to difference between level in ui and level + # internally + trustLevel=$((trustLevel+1)) - # import "full" trust for fingerprint into gpg - echo ${fingerprint}:5: | gpg --import-ownertrust + # import new owner trust level for key + echo "${fingerprint}:${trustLevel}:" | gpg --import-ownertrust if [ $? = 0 ] ; then log "Owner trust updated." else diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 40a6b54..f68f391 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -34,8 +34,8 @@ subcommands: update-users (s) [USER]... update users authorized_keys files gen-key (g) [HOSTNAME] generate gpg key for the server show-fingerprint (f) show server's host key fingerprint - publish-key (p) publish server key to keyserver - trust-keys (t) KEYID... mark keyids as trusted + publish-key (p) publish server's host key to keyserver + trust-key (t) KEYID [LEVEL] set owner trust for keyid help (h,?) this help EOF @@ -240,15 +240,8 @@ case $COMMAND in publish_server_key ;; - 'trust-keys'|'trust-key'|'t') - if [ -z "$1" ] ; then - failure "You must specify at least one key to trust." - fi - - # process key IDs - for keyID ; do - trust_key "$keyID" - done + 'trust-key'|'trust-key'|'t') + trust_key "$@" ;; 'help'|'h'|'?') |