-rw-r--r--man/man1/monkeysphere.128
-rw-r--r--man/man8/monkeysphere-server.832
-rw-r--r--src/common8
-rwxr-xr-xsrc/monkeysphere12
-rwxr-xr-xsrc/monkeysphere-server16
5 files changed, 70 insertions, 26 deletions
diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1
index 07cd3ea..05376d0 100644
--- a/man/man1/monkeysphere.1
+++ b/man/man1/monkeysphere.1
@@ -53,13 +53,37 @@ none were acceptable. `a' may be used in place of
.B gen-subkey KEYID
Generate an authentication subkey. For the primary key with the
specified key ID, generate a subkey with "authentication" capability
-that can be used for monkeysphere transactions. `g' may be used in
-place of `gen-subkey'.
+that can be used for monkeysphere transactions. An expiration length
+can be specified with the `-e' or `--expire' option (prompt
+otherwise). `g' may be used in place of `gen-subkey'.
.TP
.B help
Output a brief usage summary. `h' or `?' may be used in place of
`help'.
+.SH ENVIRONMENT
+
+The following environment variables will override those specified in
+the monkeysphere.conf configuration file (defaults in parentheses):
+.TP
+MONKEYSPHERE_GNUPGHOME, GNUPGHOME
+GnuPG home directory (~/.gnupg).
+.TP
+MONKEYSPHERE_KEYSERVER
+OpenPGP keyserver to use (subkeys.pgp.net).
+.TP
+MONKEYSPHERE_CHECK_KEYSERVER
+Whether or not to check keyserver when making gpg queries (`true').
+.TP
+MONKEYSPHERE_KNOWN_HOSTS
+Path to ssh known_hosts file (~/.ssh/known_hosts).
+.TP
+MONKEYSPHERE_HASH_KNOWN_HOSTS
+Whether or not to hash to the known_hosts file entries (`true').
+.TP
+MONKEYSPHERE_AUTHORIZED_KEYS
+Path to ssh authorized_keys file (~/.ssh/authorized_keys).
+
.SH FILES
.TP
diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8
index f33ffea..0e699b9 100644
--- a/man/man8/monkeysphere-server.8
+++ b/man/man8/monkeysphere-server.8
@@ -38,7 +38,11 @@ used in place of `update-users'.
.B gen-key [HOSTNAME]
Generate a OpenPGP key pair for the host. If HOSTNAME is not
specified, then the system fully-qualified domain name will be user.
-`g' may be used in place of `gen-key'.
+An alternate key bit length can be specified with the `-l' or
+`--length' option (default 2048). An expiration length can be
+specified with the `-e' or `--expire' option (prompt otherwise). A
+key revoker fingerprint can be specified with the `-r' or `--revoker'
+option. `g' may be used in place of `gen-key'.
.TP
.B show-fingerprint
Show the fingerprint for the host's OpenPGP key. `f' may be used in place of
@@ -50,7 +54,11 @@ place of `publish-key'.
.TP
.B add-identity-certifier KEYID
Instruct system to trust user identity certifications made by KEYID.
-`a' may be used in place of `add-identity-certifier'.
+A certifier domain can be specified with the `-n' or `--domain'
+option. A certifier trust level can be specified with the `-t' or
+`--trust' option (default is `full'). A certifier trust depth can be
+specified with the `-d' or `--depth' option (default is 1). `a' may
+be used in place of `add-identity-certifier'.
.TP
.B remove-identity-certifier KEYID
Instruct system to ignore user identity certifications made by KEYID.
@@ -125,6 +133,26 @@ It is recommended to add "monkeysphere-server update-users" to a
system crontab, so that user keys are kept up-to-date, and key
revokations and expirations can be processed in a timely manor.
+.SH ENVIRONMENT
+
+The following environment variables will override those specified in
+the monkeysphere-server.conf configuration file (defaults in
+parentheses):
+.TP
+MONKEYSPHERE_KEYSERVER
+OpenPGP keyserver to use (subkeys.pgp.net).
+.TP
+MONKEYSPHERE_AUTHORIZED_USER_IDS
+Path to user authorized_user_ids file
+(%h/.config/monkeysphere/authorized_user_ids).
+.TP
+MONKEYSPHERE_RAW_AUTHORIZED_KEYS
+Path to user-controlled authorized_keys file. `-' means not to add
+user-controlled file (%h/.ssh/authorized_keys).
+.TP
+MONKEYSPHERE_MONKEYSPHERE_USER
+User to control authentication keychain (monkeypshere).
+
.SH FILES
.TP
diff --git a/src/common b/src/common
index 5d43fa4..240de38 100644
--- a/src/common
+++ b/src/common
@@ -20,14 +20,10 @@ export ETC
########################################################################
### UTILITY FUNCTIONS
-error() {
- log "$1"
- ERR=${2:-'1'}
-}
-
+# failure function. exits with code 255, unless specified otherwise.
failure() {
echo "$1" >&2
- exit ${2:-'1'}
+ exit ${2:-'255'}
}
# write output to stderr
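Review bot: The new default exit status in `failure` is still unquoted and the message still goes through echo, which mishandles a message beginning with `-n`/`-e` or containing backslashes; prefer `printf '%s\n' "$1" >&2` and `exit "${2:-255}"`. The `error` helper is removed here without a replacement, so any caller outside this diff that still invokes it would hit "command not found" at runtime and, since these scripts do not appear to run under `set -e`, carry on silently — worth a grep before merging (the monkeysphere-server hunk converts only one call). The header comment could also record the contract the code shows, e.g. `# failure: print $1 to stderr and exit with $2 (default 255).`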
diff --git a/src/monkeysphere b/src/monkeysphere
index 59b7e4a..a25fd6a 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -22,7 +22,7 @@ DATE=$(date -u '+%FT%T')
unset GREP_OPTIONS
# default return code
-ERR=0
+RETURN=0
########################################################################
# FUNCTIONS
@@ -30,7 +30,7 @@ ERR=0
usage() {
cat <<EOF
-usage: $PGRM <subcommand> [args]
+usage: $PGRM <subcommand> [options] [args]
MonkeySphere client tool.
subcommands:
@@ -208,7 +208,7 @@ case $COMMAND in
# those hosts
if [ "$1" ] ; then
update_known_hosts "$@"
- ERR="$?"
+ RETURN="$?"
# otherwise, if no hosts are specified, process every host
# in the user's known_hosts file
@@ -218,7 +218,7 @@ case $COMMAND in
fi
process_known_hosts
- ERR="$?"
+ RETURN="$?"
fi
;;
@@ -232,7 +232,7 @@ case $COMMAND in
# process authorized_user_ids file
process_authorized_user_ids "$AUTHORIZED_USER_IDS"
- ERR="$?"
+ RETURN="$?"
;;
'gen-subkey'|'g')
@@ -253,4 +253,4 @@ Type '$PGRM help' for usage."
;;
esac
-exit "$ERR"
+exit "$RETURN"
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index b7e82d8..9205b1d 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -25,7 +25,7 @@ DATE=$(date -u '+%FT%T')
unset GREP_OPTIONS
# default return code
-ERR=0
+RETURN=0
########################################################################
# FUNCTIONS
@@ -33,7 +33,7 @@ ERR=0
usage() {
cat <<EOF
-usage: $PGRM <subcommand> [args]
+usage: $PGRM <subcommand> [options] [args]
MonkeySphere server admin tool.
subcommands:
@@ -123,7 +123,7 @@ update_users() {
for uname in $unames ; do
# check all specified users exist
if ! getent passwd "$uname" >/dev/null ; then
- error "----- unknown user '$uname' -----"
+ log "----- unknown user '$uname' -----"
continue
fi
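Review bot: Replacing `error` with `log` drops the non-zero status the removed helper recorded (it set `ERR=${2:-1}`), so an unknown user is now only logged and the script can still finish with `exit "$RETURN"` returning 0. A cron invocation of update-users would then have no way to notice the problem; keep the status by following the log line with `RETURN=1`. update_users begins and ends outside this hunk.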
@@ -176,7 +176,7 @@ update_users() {
# user
su_monkeysphere_user \
". ${SHARE}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
- ERR="$?"
+ RETURN="$?"
fi
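Review bot: `RETURN="$?"` here keeps only the most recent status; if this line sits inside the per-user loop shown in the earlier update_users hunk (the function is cut at both hunk edges, so I cannot confirm it), a failure for one user is overwritten by a later user's success. Preserve the first failure instead: `rc=$?` followed by `[ "$rc" -eq 0 ] || RETURN="$rc"`. Separately, `$TMP_AUTHORIZED_USER_IDS` is interpolated unquoted into the command string handed to su_monkeysphere_user on the context line above; that is pre-existing, but a path containing whitespace or shell metacharacters would be re-parsed by the child shell, so single-quoting it inside the string is cheap insurance.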
# add user-controlled authorized_keys file path if specified
@@ -332,16 +332,12 @@ add_certifier() {
gpg_host --export-ownertrust | gpg_authentication "--import-ownertrust"
# get the key from the key server
- gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'"
+ gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'" || failure
# get the full fingerprint of a key ID
fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint $keyID" | \
grep '^fpr:' | grep "$keyID" | cut -d: -f10)
- if [ -z "$fingerprint" ] ; then
- failure "Could not find key \"${keyID}\"."
- fi
-
echo "key found:"
gpg_authentication "--fingerprint $fingerprint"
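Review bot: Dropping the `-z "$fingerprint"` guard lets `gpg_authentication "--fingerprint $fingerprint"` and whatever follows run with an empty or multi-line fingerprint: a successful `--recv-key` does not guarantee that the `grep '^fpr:' | grep "$keyID"` pipeline yields exactly one match, and with an empty argument `--fingerprint` is likely to list every key rather than fail. Restore the removed three-line `if [ -z "$fingerprint" ]` guard, and give the new `|| failure` a message, since a bare `failure` prints only an empty line before exiting 255: `gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'" || failure "Could not retrieve key \"${keyID}\" from ${KEYSERVER}."`. add_certifier continues outside this hunk.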
@@ -538,4 +534,4 @@ Type '$PGRM help' for usage."
;;
esac
-exit "$ERR"
+exit "$RETURN"