-rw-r--r-- | debian/changelog | 3 | ||||
-rw-r--r-- | src/common | 20 | ||||
-rwxr-xr-x | src/monkeysphere-server | 114 |
3 files changed, 96 insertions, 41 deletions
diff --git a/debian/changelog b/debian/changelog
index 59aea1e..b39ba44 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,8 +14,9 @@ monkeysphere (0.8-1) UNRELEASED; urgency=low
 be removed from key files.
 * enabled host key publication.
 * added checking of gpg.conf for keyserver
+ * new functions to add/revoke host key user IDs
- -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Fri, 15 Aug 2008 10:46:23 -0700
+ -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Fri, 15 Aug 2008 15:02:48 -0700
 monkeysphere (0.7-1) experimental; urgency=low
@@ -69,20 +69,20 @@ file_hash() {
 md5sum "$1" 2> /dev/null
 }
-# convert escaped characters from gpg output back into original
-# character
-# FIXME: undo all escape character translation in with-colons gpg output
-unescape() {
- echo "$1" | sed 's/\\x3a/:/g'
+# convert escaped characters in pipeline from gpg output back into
+# original character
+# FIXME: undo all escape character translation in with-colons gpg
+# output
+gpg_unescape() {
+ sed 's/\\x3a/:/g'
 }
-# convert nasty chars into gpg-friendly form
+# convert nasty chars into gpg-friendly form in pipeline
 # FIXME: escape everything, not just colons!
-escape() {
- echo "$1" | sed 's/:/\\x3a/g'
+gpg_escape() {
+ sed 's/:/\\x3a/g'
 }
-
 # remove all lines with specified string from specified file
 remove_line() {
 local file
@@ -405,7 +405,7 @@ process_user_id() {
 continue
 fi
 # if the user ID does not match, skip
- if [ "$(unescape "$uidfpr")" != "$userID" ] ; then
+ if [ "$(echo "$uidfpr" | gpg_unescape)" != "$userID" ] ; then
 continue
 fi
 # if the user ID validity is not ok, skip
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 2b9b744..4fb8265 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
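Review bot: `"$(echo "$uidfpr" | gpg_unescape)"` in process_user_id pushes with-colons output, which carries backslash sequences such as `\x3a`, through `echo`; under a shell or `xpg_echo` setting that interprets escapes, echo rewrites those sequences before gpg_unescape sees them, and a value beginning with `-n` or `-e` is consumed as an option. `printf '%s\n' "$uidfpr" | gpg_unescape` avoids both and keeps the comparison byte-exact. Separately, gpg_unescape in the hunk above still reverses only `\x3a`, so a user ID containing any other escaped character can never compare equal to `$userID` here; the FIXME covers that, but since this branch just `continue`s, the mismatch is silent and deserves a comment at the comparison, e.g. `# NOTE: only \x3a is unescaped; other escaped chars make this compare fail`.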
@@ -100,17 +100,19 @@ gpg_authentication() {
 su_monkeysphere_user "gpg $@"
 }
-# output key information
-show_server_key() {
- gpg_host --list-secret-keys --fingerprint
-}
-
 # output just key fingerprint
 fingerprint_server_key() {
 gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode | \
 grep '^fpr:' | head -1 | cut -d: -f10
 }
+# output key information
+show_server_key() {
+ local fingerprint
+ fingerprint=$(fingerprint_server_key)
+ gpg_host --fingerprint --list-secret-key "$fingerprint"
+}
+
 # update authorized_keys for users
 update_users() {
 if [ "$1" ] ; then
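Review bot: The rewritten show_server_key hands `"$fingerprint"` to gpg without checking that fingerprint_server_key returned anything; when no host secret key exists the argument is an empty string, and what gpg lists for an empty pattern is not under this function's control. A guard after the assignment, `[ -n "$fingerprint" ] || failure "No host key fingerprint found."` (failure as used elsewhere in this file), would make that case explicit. The later add_hostname/revoke_hostname hunk selects the key as `"0x${fingerprint}"\!`, so `gpg_host --fingerprint --list-secret-key "0x${fingerprint}"\!` here would keep the three consistent and restrict the listing to exactly that key. Because fingerprint_server_key takes `head -1`, the new function shows only the first secret key where the old one showed all of them — worth a comment if more than one host key can ever be present.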
@@ -371,82 +373,134 @@ EOF # add hostname user ID to server key add_hostname() { + local userID + local fingerprint + local tmpuidMatch + local line + local adduidCommand + if [ -z "$1" ] ; then failure "You must specify a hostname to add." fi userID="ssh://${1}" - if [ "$(gpg_host --list-key "=${userID}")" ] ; then + fingerprint=$(fingerprint_server_key) + + # match to only ultimately trusted user IDs + tmpuidMatch="u:$(echo $userID | gpg_escape)" + + # find the index of the requsted user ID + # NOTE: this is based on circumstantial evidence that the order of + # this output is the appropriate index + if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}"\! \ + | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then failure "Host userID '$userID' already exists." fi - fingerprint=$(fingerprint_server_key) + echo "The following user ID will be added to the host key:" + echo " $userID" + read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "user ID not added." + fi + # edit-key script command to add user ID adduidCommand=$(cat <<EOF adduid $userID -O save EOF ) - # add uid - echo "$adduidCommand" | gpg_host --quiet --command-fd 0 --edit-key "$fingerprint" + # execute edit-key script + if echo "$adduidCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}"\! ; then + # update trust db + gpg_host --check-trustdb - echo "NOTE: new host userID has not been published." - echo "Use '$PGRM publish-key' to publish these changes." + show_server_key + + echo "NOTE: User ID added but key not published." + echo "Run '$PGRM publish-key' to publish the key" + else + failure "Problem adding user ID." 
+ fi
 }
 # revoke hostname user ID to server key
 revoke_hostname() {
- local msg
- local uidNum
+ local userID
+ local fingerprint
 local tmpuidMatch
- local fpr
- local linenum
+ local line
+ local uidIndex
+ local message
+ local revuidCommand
 if [ -z "$1" ] ; then
 failure "You must specify a hostname to revoke."
 fi
- fpr=$(fingerprint_server_key)
- tmpuidMatch="u:$(escape "ssh://$1")"
+ userID="ssh://${1}"
+
+ fingerprint=$(fingerprint_server_key)
+
+ # match to only ultimately trusted user IDs
+ tmpuidMatch="u:$(echo $userID | gpg_escape)"
- if linenum=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x$fpr"\! | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then
- uidNum=${linenum%%:*}
+ # find the index of the requsted user ID
+ # NOTE: this is based on circumstantial evidence that the order of
+ # this output is the appropriate index
+ if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}"\! \
+ | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then
+ uidIndex=${line%%:*}
 else
- failure "no non-revoked hostname '$1' is listed."
+ failure "No non-revoked user ID '$userID' is found."
 fi
- msg="hostname removed by monkeysphere-server on $(date +%F)"
-
+ echo "The following user ID will be revoked from the host key:"
+ echo " $userID"
+ read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N}
+ if [ ${OK/y/Y} != 'Y' ] ; then
+ failure "user ID not revoked."
+ fi
+ message="Hostname removed by monkeysphere-server $DATE"
+
+ # edit-key script command to revoke user ID
 revuidCommand=$(cat <<EOF
-$uidNum
+$uidIndex
 revuid
 y
 4
-$msg
+$message
 y
 save
 EOF
-)
+ )
- echo "$revuidCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x$fpr"\!
+ # execute edit-key script
+ if echo "$revuidCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}"\! ; then
+ # update trust db
+ gpg_host --check-trustdb
- echo "NOTE: host userID revokation has not been published."
- echo "Use '$PGRM publish-key' to publish these changes."
+ show_server_key
+
+ echo "NOTE: User ID revoked but key not published."
+ echo "Run '$PGRM publish-key' to publish the key"
+ else
+ failure "Problem revoking user ID."
+ fi
 }
 # publish server key to keyserver
 publish_server_key() {
 read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
 if [ ${OK/y/Y} != 'Y' ] ; then
- failure "aborting."
+ failure "key not published."
 fi
 # find the key fingerprint |
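Review bot: `tmpuidMatch="u:$(echo $userID | gpg_escape)"` leaves `$userID` unquoted in both add_hostname and revoke_hostname, so the hostname taken from `$1` is word-split and glob-expanded before gpg_escape sees it; write it as `tmpuidMatch="u:$(printf '%s\n' "$userID" | gpg_escape)"` in both places. The new confirmation prompts have the same quoting gap: `if [ ${OK/y/Y} != 'Y' ] ; then` is a test error (exit 2, not true) for an answer containing spaces, so the `failure` branch is skipped and the edit-key script runs anyway — `if [ "${OK/y/Y}" != 'Y' ] ; then` fails closed in add_hostname, revoke_hostname and the pre-existing publish_server_key. Since `$1` is never validated and is interpolated into the heredoc fed to `--edit-key` over `--command-fd 0`, an anchored check before `userID` is built, e.g. `echo "$1" | grep -q -E '^[A-Za-z0-9.-]+$' || failure "Invalid hostname: $1"` (widened if a port suffix is intended, which the colon escaping suggests), keeps unexpected characters out of that script. `message="Hostname removed by monkeysphere-server $DATE"` replaces the old `$(date +%F)` with `$DATE`, which nothing in this hunk sets; if it is not defined elsewhere the revocation reason ends in a trailing space. Both new comment blocks also spell `requsted`.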