-rwxr-xr-x | src/common | 91 | ||||
-rwxr-xr-x | src/monkeysphere | 100 | ||||
-rwxr-xr-x | src/monkeysphere-server | 80 |
3 files changed, 172 insertions, 99 deletions
@@ -88,11 +88,11 @@ gpg2ssh_tmp() {
 local userID
 local host
- keyID="$2"
- userID="$3"
+ keyID="$1"
+ userID="$2"
- if [ "$mode" = 'authorized_keys' ] ; then
- gpgkey2ssh "$keyID" | sed -e "s/COMMENT/${userID}/"
+ if [ "$MODE" = 'authorized_keys' ] ; then
+ gpgkey2ssh "$keyID" | sed -e "s/COMMENT/MonkeySphere userID: ${userID}/"
 # NOTE: it seems that ssh-keygen -R removes all comment fields from
 # all lines in the known_hosts file. why?
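Review bot: The new comment text on the `+ gpgkey2ssh ... | sed` line interpolates `$userID` unescaped into a sed replacement, so a user ID containing `/`, `&` or `\` (a `/` is plausible for URL-style IDs) either breaks the sed expression or rewrites the comment with the matched text instead of the ID. Escape the value before substituting, e.g. `gpgkey2ssh "$keyID" | sed -e "s/COMMENT/MonkeySphere userID: $(printf '%s' "$userID" | sed -e 's/[\/&\\]/\\&/g')/"`. The move from `$2`/`$3` to `$1`/`$2` also changes the contract for every caller of gpg2ssh_tmp; the callers are outside this hunk, so I cannot confirm they were updated in the same commit. gpg2ssh_tmp starts and continues outside this hunk.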
@@ -294,10 +294,65 @@ process_known_hosts() {
 done
 }
-# process authorized_keys file
+# update an authorized_keys file after first processing the
+# authorized_user_ids file
+update_authorized_keys() {
+ local cacheDir
+ local msAuthorizedKeys
+ local userAuthorizedKeys
+
+ cacheDir="$1"
+ msAuthorizedKeys="$2"
+ userAuthorizedKeys="$3"
+
+ process_authorized_ids "$AUTHORIZED_USER_IDS" "$cacheDir"
+
+ # write output key file
+ log "writing monkeysphere authorized_keys file... "
+ touch "$msAuthorizedKeys"
+ if [ "$(ls "$cacheDir")" ] ; then
+ log -n "adding gpg keys... "
+ cat "$cacheDir"/* > "$msAuthorizedKeys"
+ echo "done."
+ else
+ log "no gpg keys to add."
+ fi
+ if [ "$userAuthorizedKeys" -a -s "$userAuthorizedKeys" ] ; then
+ log -n "adding user authorized_keys file... "
+ cat "$userAuthorizedKeys" >> "$msAuthorizedKeys"
+ echo "done."
+ fi
+ log "monkeysphere authorized_keys file generated: $msAuthorizedKeys"
+}
+
+# process an authorized_*_ids file
+# go through line-by-line, extract each userid, and process
+process_authorized_ids() {
+ local authorizedIDs
+ local cacheDir
+ local userID
+
+ authorizedIDs="$1"
+ cacheDir="$2"
+
+ # clean out keys file and remake keys directory
+ rm -rf "$cacheDir"
+ mkdir -p "$cacheDir"
+
+ # loop through all user ids in file
+ # FIXME: needs to handle authorized_keys options
+ cat "$authorizedIDs" | meat | \
+ while read -r userID ; do
+ # process the userid
+ log "processing userid: '$userID'"
+ process_user_id "$userID" "$cacheDir" > /dev/null
+ done
+}
+
+# EXPERIMENTAL (unused) process userids found in authorized_keys file
 # go through line-by-line, extract monkeysphere userids from comment
 # fields, and process each userid
-process_authorized_keys() {
+process_userids_from_authorized_keys() {
 local authorizedKeys
 local cacheDir
 local userID
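Review bot: In update_authorized_keys, `touch "$msAuthorizedKeys"` only guarantees the file exists; when the cache directory is empty the `else` branch writes nothing, so keys from a previous run survive in the generated authorized_keys even after every user ID was removed from authorized_user_ids or stopped producing a key — a revocation would silently not take effect. Truncate unconditionally by replacing the touch with `: > "$msAuthorizedKeys"`, or better, assemble the output in a `mktemp` file and `mv` it over the target so a reader never sees a half-written key list between the `cat >` and the `cat >>`. The `[ "$userAuthorizedKeys" -a -s "$userAuthorizedKeys" ]` test should become `[ "$userAuthorizedKeys" ] && [ -s "$userAuthorizedKeys" ]`, since `-a` is deprecated and ambiguous with operand-like values. In process_authorized_ids the `cat | meat | while read` loop body runs in a subshell, which is fine here but deserves a one-line comment so nobody later tries to set a variable inside it. process_userids_from_authorized_keys continues outside this hunk.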
@@ -328,30 +383,6 @@ process_authorized_keys() {
 done
 }
-# process an authorized_*_ids file
-# go through line-by-line, extract each userid, and process
-process_authorized_ids() {
- local authorizedIDs
- local cacheDir
- local userID
-
- authorizedIDs="$1"
- cacheDir="$2"
-
- # clean out keys file and remake keys directory
- rm -rf "$cacheDir"
- mkdir -p "$cacheDir"
-
- # loop through all user ids in file
- # FIXME: needs to handle authorized_keys options
- cat "$authorizedIDs" | meat | \
- while read -r userID ; do
- # process the userid
- log "processing userid: '$userID'"
- process_user_id "$userID" "$cacheDir" > /dev/null
- done
-}
-
 # update the cache for userid, and prompt to add file to
 # authorized_user_ids file if the userid is found in gpg
 # and not already in file.
diff --git a/src/monkeysphere b/src/monkeysphere
index d652ab3..c417625 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -34,15 +34,70 @@ usage: $PGRM <subcommand> [args] Monkeysphere client tool. subcommands: - update-known-hosts (k) [HOST]... update known_hosts file - update-authorized-keys (a) update authorized_keys file + update-known_hosts (k) [HOST]... update known_hosts file + update-authorized_keys (a) update authorized_keys file update-userids (u) [USERID]... add/update userid - gen-ae-subkey (g) generate an 'ae' capable subkey + gen-ae-subkey (g) KEYID generate an 'ae' capable subkey help (h,?) this help EOF } +# generate a subkey with the 'a' and 'e' usage flags set +gen_ae_subkey(){ + local keyID + local gpgOut + local userID + + log "warning: this function is still not working." + + keyID="$1" + + # set subkey defaults + SUBKEY_TYPE=${KEY_TYPE:-RSA} + SUBKEY_LENGTH=${KEY_LENGTH:-1024} + SUBKEY_USAGE=${KEY_USAGE:-encrypt,auth} + + gpgOut=$(gpg --fixed-list-mode --list-keys --with-colons \ + "$keyID" 2> /dev/null) + + # return 1 if there only "tru" lines are output from gpg + if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then + loge " key not found." + return 1 + fi + + userID=$(echo "$gpgOut" | grep "^uid:" | cut -d: -f10) + + # set key parameters + keyParameters=$(cat <<EOF +Subkey-Type: $SUBKEY_TYPE +Subkey-Length: $SUBKEY_LENGTH +Subkey-Usage: $SUBKEY_USAGE +Name-Real: $userID +EOF +) + + log "The following key parameters will be used:" + echo "$keyParameters" + + read -p "generate key? [Y|n]: " OK; OK=${OK:=Y} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "aborting." + fi + + # add commit command + keyParameters="${keyParameters}"$(cat <<EOF + +%commit +%echo done +EOF +) + + echo "generating subkey..." + echo "$keyParameters" | gpg --batch --gen-key +} + ######################################################################## # MAIN ######################################################################## 
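Review bot: `SUBKEY_LENGTH=${KEY_LENGTH:-1024}` defaults the new authentication subkey to 1024-bit RSA while gen_key in monkeysphere-server (same commit) defaults to 2048; this is the key that will authenticate SSH sessions, so align it with `SUBKEY_LENGTH=${KEY_LENGTH:-2048}`. `userID=$(echo "$gpgOut" | grep "^uid:" | cut -d: -f10)` collects every uid line of the key, so a key with several user IDs yields a multi-line `Name-Real:` parameter; take one explicitly (`| head -n 1`) or accept the uid as an argument. The parameter block contains only `Subkey-*` fields and is fed to `gpg --batch --gen-key`, which as far as I can tell generates a new key rather than attaching a subkey to `$keyID`; the "still not working" warning admits this, but a `# FIXME: batch --gen-key cannot add a subkey to an existing key; needs --edit-key addkey` would keep the next reader from trusting the output. The unquoted `[ ${OK/y/Y} != 'Y' ]` should be `[ "${OK/y/Y}" != 'Y' ]` so an answer containing spaces does not abort the test itself.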
@@ -78,7 +133,7 @@ msAuthorizedKeys="$MS_HOME"/authorized_keys
 mkdir -p -m 0700 "$GNUPGHOME"
 case $COMMAND in
- 'update-known-hosts'|'k')
+ 'update-known_hosts'|'update-known-hosts'|'k')
 MODE='known_hosts'
 # touch the known_hosts file to make sure it exists
@@ -102,39 +157,20 @@ case $COMMAND in
 fi
 ;;
- 'update-authorized-keys'|'a')
+ 'update-authorized_keys'|'update-authorized-keys'|'a')
 MODE='authorized_keys'
- log "processing authorized_user_ids file..."
-
 # make sure authorized_user_ids file exists
 if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
 log "authorized_user_ids file is empty or does not exist."
 exit
 fi
- process_authorized_ids "$AUTHORIZED_USER_IDS" "$userKeysCacheDir"
+ # set user-controlled authorized_keys file path
+ userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$HOME"}
- # write output key file
- log "writing monkeysphere authorized_keys file... "
- touch "$msAuthorizedKeys"
- if [ "$(ls "$userKeysCacheDir")" ] ; then
- log -n "adding gpg keys... "
- cat "$userKeysCacheDir"/* > "$msAuthorizedKeys"
- echo "done."
- else
- log "no gpg keys to add."
- fi
- if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then
- userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$HOME"}
- if [ -s "$userAuthorizedKeys" ] ; then
- log -n "adding user authorized_keys file... "
- cat "$userAuthorizedKeys" >> "$msAuthorizedKeys"
- echo "done."
- fi
- fi
- log "monkeysphere authorized_keys file generated:"
- log "$msAuthorizedKeys"
+ # update authorized_keys
+ update_authorized_keys "$userKeysCacheDir" "$msAuthorizedKeys" "$userAuthorizedKeys"
 ;;
 'update-userids'|'u')
@@ -146,8 +182,12 @@ case $COMMAND in
 done
 ;;
- 'gen-ae-subkey'|)
- failure "function not implemented yet."
+ 'gen-ae-subkey'|'g')
+ keyID="$1"
+ if [ -z "$keyID" ] ; then
+ failure "you must specify keyid of primary key."
+ fi
+ gen_ae_subkey "$keyID"
 ;;
 'help'|'h'|'?')
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index fd7b583..6eeb702 100755
--- a/src/monkeysphere-server
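Review bot: The new `'gen-ae-subkey'|'g')` arm only rejects an empty `$1` before passing it to gen_ae_subkey, which hands it straight to `gpg --list-keys`; a value beginning with `-` is then parsed by gpg as an option, and anything that is not a key ID or fingerprint only surfaces as "key not found". Constrain the argument here, e.g. `case "$keyID" in ''|*[!0-9A-Fa-fx]*) failure "you must specify a hex keyid or fingerprint of the primary key." ;; esac`. In the `update-authorized_keys` arm, `userAuthorizedKeys` is now derived even when `USER_CONTROLLED_AUTHORIZED_KEYS` is unset, which is safe only because update_authorized_keys checks its third argument for emptiness; a comment such as `# empty when USER_CONTROLLED_AUTHORIZED_KEYS is unset; update_authorized_keys skips it` would stop a future caller relying on the path. The `case` statement begins and ends outside these hunks.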
+++ b/src/monkeysphere-server
@@ -31,18 +31,19 @@ usage: $PGRM <subcommand> [args]
 Monkeysphere server admin tool.
 subcommands:
- update-users (s) [USER]... update user authorized_keys file
- gen-key (g) generate gpg key for the server
- publish-key (p) publish server gpg to keyserver
- trust-key (t) KEYID [KEYID]... mark keyid as trusted
- update-user-userids (u) USER UID [UID]... add/update userid for user
- help (h,?) this help
+ update-users (s) [USER]... update users authorized_keys files
+ gen-key (g) generate gpg key for the server
+ publish-key (p) publish server key to keyserver
+ trust-keys (t) KEYID... mark keyids as trusted
+ update-user-userids (u) USER UID... add/update userids for a user
+ help (h,?) this help
 EOF
 }
 # generate server gpg key
 gen_key() {
+ # set key defaults
 KEY_TYPE=${KEY_TYPE:-RSA}
 KEY_LENGTH=${KEY_LENGTH:-2048}
 KEY_USAGE=${KEY_USAGE:-encrypt,auth}
@@ -51,13 +52,26 @@ gen_key() {
 USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"}
- echo "key parameters:"
- cat <<EOF
+ # set key parameters
+ keyParameters=$(cat <<EOF
 Key-Type: $KEY_TYPE
 Key-Length: $KEY_LENGTH
 Key-Usage: $KEY_USAGE
 Name-Real: $USERID
 EOF
+)
+
+ # add the revoker field if requested
+ if [ "$REVOKER" ] ; then
+ keyParameters="${keyParameters}"$(cat <<EOF
+
+Revoker: 1:$REVOKER sensitive
+EOF
+)
+ fi
+
+ log "The following key parameters will be used:"
+ echo "$keyParameters"
 read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
 if [ ${OK/y/Y} != 'Y' ] ; then
@@ -68,14 +82,16 @@ EOF
 failure "key for '$USERID' already exists"
 fi
- echo "generating server key..."
- gpg --batch --gen-key <<EOF
-Key-Type: $KEY_TYPE
-Key-Length: $KEY_LENGTH
-Key-Usage: $KEY_USAGE
-Name-Real: $USERID
+ # add commit command
+ keyParameters="${keyParameters}"$(cat <<EOF
+
 %commit
+%echo done
 EOF
+)
+
+ echo "generating server key..."
+ echo "$keyParameters" | gpg --batch --gen-key
 }
 # publish server key to keyserver
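Review bot: `Revoker: 1:$REVOKER sensitive` hard-codes public-key algorithm 1 (RSA) in the designated-revoker line, so as far as I can tell the entry is wrong whenever the configured revoker key is not RSA, and `$REVOKER` goes into the parameter block unchecked although a full fingerprint is expected there. Validate it and let the algorithm be configured, e.g. `case "$REVOKER" in *[!0-9A-Fa-f]*) failure "REVOKER must be a hex key fingerprint." ;; esac` before the heredoc and `Revoker: ${REVOKER_ALGO:-1}:$REVOKER sensitive` in it. The block sets no `Passphrase:` parameter, so how the generated server key is protected is left to the defaults of whichever gpg is installed; a comment stating the intended outcome (presumably an unprotected key for unattended use) would make that explicit. Showing the full parameter block before the `read -p` confirmation is a good change; the unquoted `[ ${OK/y/Y} != 'Y' ]` it feeds should still be `[ "${OK/y/Y}" != 'Y' ]`.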
@@ -90,7 +106,7 @@ publish_key() {
 # dummy command so as not to publish fakes keys during testing
 # eventually:
 #gpg --send-keys --keyserver "$KEYSERVER" "$keyID"
- echo "gpg --send-keys --keyserver $KEYSERVER $keyID"
+ echo "NOT PUBLISHED: gpg --send-keys --keyserver $KEYSERVER $keyID"
 }
 ########################################################################
@@ -129,43 +145,29 @@ case $COMMAND in
 fi
 for uname in $unames ; do
+ log "----- user: $uname -----"
+
 MODE="authorized_keys"
- authorizedUserIDs="$MS_HOME"/authorized_user_ids/"$uname"
+ AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
 cacheDir="$STAGING_AREA"/"$uname"/user_keys
 msAuthorizedKeys="$STAGING_AREA"/"$uname"/authorized_keys
 # make sure authorized_user_ids file exists
- if [ ! -s "$authorizedUserIDs" ] ; then
+ if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
 log "authorized_user_ids file for '$uname' is empty or does not exist."
 continue
 fi
- log "processing authorized_keys for user '$uname'..."
-
- process_authorized_ids "$authorizedUserIDs" "$cacheDir"
-
- # write output key file
- log "writing monkeysphere authorized_keys file... "
- touch "$msAuthorizedKeys"
- if [ "$(ls "$cacheDir")" ] ; then
- log -n "adding gpg keys... "
- cat "$cacheDir"/* > "$msAuthorizedKeys"
- echo "done."
- else
- log "no gpg keys to add."
- fi
+ # set user-controlled authorized_keys file path
 if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then
 userHome=$(getent passwd "$uname" | cut -d: -f6)
 userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
- if [ -s "$userAuthorizedKeys" ] ; then
- log -n "adding user authorized_keys file... "
- cat "$userAuthorizedKeys" >> "$msAuthorizedKeys"
- echo "done."
- fi
 fi
- log "monkeysphere authorized_keys file generated:"
- log "$msAuthorizedKeys"
+
+ # update authorized_keys
+ update_authorized_keys "$cacheDir" "$msAuthorizedKeys" "$userAuthorizedKeys"
 done
+ log "----- done. -----"
 ;;
 'gen-key'|'g')
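Review bot: In the update-users loop the result of `userHome=$(getent passwd "$uname" | cut -d: -f6)` is never checked, so an unknown user or a passwd entry without a home leaves `$userHome` empty and `%h/.ssh/authorized_keys` collapses to a path directly under `/`; add `[ -n "$userHome" ] || { log "no passwd entry for '$uname'."; continue; }` right after that line. This admin tool reads a file under another user's home and concatenates it into the staged authorized_keys via update_authorized_keys, which is the classic spot to refuse a symlink or a file not owned by that user (`[ -L "$userAuthorizedKeys" ]`, owner compared against the uid from the same getent record) before trusting its contents; what later consumes the staged file is outside this hunk, so I am flagging the pattern rather than asserting an impact. `for uname in $unames` depends on word splitting, which is acceptable for usernames but should carry a comment saying where `$unames` comes from. The `case` statement begins and ends outside these hunks.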
@@ -176,7 +178,7 @@ case $COMMAND in publish_key ;; - 'trust-key'|'t') + 'trust-keys'|'t') if [ -z "$1" ] ; then failure "you must specify at least one key to trust." fi |