diff options
Diffstat (limited to 'src/monkeysphere-host')
| -rwxr-xr-x | src/monkeysphere-host | 828 |
1 files changed, 828 insertions, 0 deletions
diff --git a/src/monkeysphere-host b/src/monkeysphere-host new file mode 100755 index 0000000..9eed3ac --- /dev/null +++ b/src/monkeysphere-host @@ -0,0 +1,828 @@ +#!/usr/bin/env bash + +# monkeysphere-host: Monkeysphere host admin tool +# +# The monkeysphere scripts are written by: +# Jameson Rollins <jrollins@fifthhorseman.net> +# Jamie McClelland <jm@mayfirst.org> +# Daniel Kahn Gillmor <dkg@fifthhorseman.net> +# +# They are Copyright 2008, and are all released under the GPL, version 3 +# or later. + +######################################################################## +PGRM=$(basename $0) + +SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} +export SYSSHAREDIR +. "${SYSSHAREDIR}/common" || exit 1 + +SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere/host"} +export SYSDATADIR + +# monkeysphere temp directory, in sysdatadir to enable atomic moves of +# authorized_keys files +MSTMPDIR="${SYSDATADIR}/tmp" +export MSTMPDIR + +# UTC date in ISO 8601 format if needed +DATE=$(date -u '+%FT%T') + +# unset some environment variables that could screw things up +unset GREP_OPTIONS + +# default return code +RETURN=0 + +######################################################################## +# FUNCTIONS +######################################################################## + +usage() { + cat <<EOF >&2 +usage: $PGRM <subcommand> [options] [args] +Monkeysphere host admin tool. + +subcommands: + show-key (s) output all host key information + extend-key (e) EXPIRE extend host key expiration + add-hostname (n+) NAME[:PORT] add hostname user ID to host key + revoke-hostname (n-) NAME[:PORT] revoke hostname user ID + add-revoker (o) FINGERPRINT add a revoker to the host key + revoke-key (r) revoke host key + publish-key (p) publish server host key to keyserver + + expert + import-key (i) import existing ssh key to gpg + --hostname (-h) NAME[:PORT] hostname for key user ID + --keyfile (-f) FILE key file to import + --expire (-e) EXPIRE date to expire + gen-key (g) generate gpg key for the host + --hostname (-h) NAME[:PORT] hostname for key user ID + --length (-l) BITS key length in bits (2048) + --expire (-e) EXPIRE date to expire + --revoker (-r) FINGERPRINT add a revoker + diagnostics (d) monkeysphere host status + + version (v) show version number + help (h,?) this help + +EOF +} + +# function to run command as monkeysphere user +su_monkeysphere_user() { + # if the current user is the monkeysphere user, then just eval + # command + if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then + eval "$@" + + # otherwise su command as monkeysphere user + else + su "$MONKEYSPHERE_USER" -c "$@" + fi +} + +# function to interact with the host gnupg keyring +gpg_host() { + local returnCode + + GNUPGHOME="$GNUPGHOME_HOST" + export GNUPGHOME + + # NOTE: we supress this warning because we need the monkeysphere + # user to be able to read the host pubring. we realize this might + # be problematic, but it's the simplest solution, without too much + # loss of security. + gpg --no-permission-warning "$@" + returnCode="$?" + + # always reset the permissions on the host pubring so that the + # monkeysphere user can read the trust signatures + chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg" + chmod g+r "${GNUPGHOME_HOST}/pubring.gpg" + + return "$returnCode" +} + +# check if user is root +is_root() { + [ $(id -u 2>/dev/null) = '0' ] +} + +# check that user is root, for functions that require root access +check_user() { + is_root || failure "You must be root to run this command." +} + +# output just key fingerprint +fingerprint_server_key() { + # set the pipefail option so functions fails if can't read sec key + set -o pipefail + + gpg_host --list-secret-keys --fingerprint \ + --with-colons --fixed-list-mode 2> /dev/null | \ + grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null +} + +# function to check for host secret key +check_host_keyring() { + fingerprint_server_key >/dev/null \ + || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-server gen-key' first." +} + +# output key information +show_server_key() { + local fingerprintPGP + local fingerprintSSH + local ret=0 + + # FIXME: you shouldn't have to be root to see the host key fingerprint + if is_root ; then + check_host_keyring + fingerprintPGP=$(fingerprint_server_key) + gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprintPGP" 2>/dev/null + echo "OpenPGP fingerprint: $fingerprintPGP" + else + log info "You must be root to see host OpenPGP fingerprint." + ret='1' + fi + + if [ -f "${SYSDATADIR}/ssh_host_rsa_key.pub" ] ; then + fingerprintSSH=$(ssh-keygen -l -f "${SYSDATADIR}/ssh_host_rsa_key.pub" | \ + awk '{ print $1, $2, $4 }') + echo "ssh fingerprint: $fingerprintSSH" + else + log info "SSH host key not found." + ret='1' + fi + + return $ret +} + +# import an existing ssh key to a gpg key +import_key() { + local hostName=$(hostname -f) + local keyFile="/etc/ssh/ssh_host_rsa_key" + local keyExpire + local userID + + # check for presense of secret key + # FIXME: is this the proper test to be doing here? + fingerprint_server_key >/dev/null \ + && failure "An OpenPGP host key already exists." + + # get options + while true ; do + case "$1" in + -h|--hostname) + hostName="$2" + shift 2 + ;; + -f|--keyfile) + keyFile="$2" + shift 2 + ;; + -e|--expire) + keyExpire="$2" + shift 2 + ;; + *) + if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then + failure "Unknown option '$1'. +Type '$PGRM help' for usage." + fi + break + ;; + esac + done + + if [ ! -f "$keyFile" ] ; then + failure "SSH secret key file '$keyFile' not found." + fi + + userID="ssh://${hostName}" + + # prompt about key expiration if not specified + keyExpire=$(get_gpg_expiration "$keyExpire") + + echo "The following key parameters will be used for the host private key:" + echo "Import: $keyFile" + echo "Name-Real: $userID" + echo "Expire-Date: $keyExpire" + + read -p "Import key? (Y/n) " OK; OK=${OK:=Y} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "aborting." + fi + + log verbose "importing ssh key..." + # translate ssh key to a private key + (umask 077 && \ + pem2openpgp "$userID" "$keyExpire" < "$sshKey" | gpg_host --import) + + # find the key fingerprint of the newly converted key + fingerprint=$(fingerprint_server_key) + + # export host ownertrust to authentication keyring + log verbose "setting ultimate owner trust for host key..." + echo "${fingerprint}:6:" | gpg_host "--import-ownertrust" + echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust" + + # export public key to file + gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + + # show info about new key + show_server_key +} + +# generate server gpg key +gen_key() { + local keyType="RSA" + local keyLength="2048" + local keyUsage="auth" + local keyExpire + local revoker + local hostName=$(hostname -f) + local userID + local keyParameters + local fingerprint + + # check for presense of secret key + # FIXME: is this the proper test to be doing here? + fingerprint_server_key >/dev/null \ + && failure "An OpenPGP host key already exists." + + # get options + while true ; do + case "$1" in + -h|--hostname) + hostName="$2" + shift 2 + ;; + -l|--length) + keyLength="$2" + shift 2 + ;; + -e|--expire) + keyExpire="$2" + shift 2 + ;; + -r|--revoker) + revoker="$2" + shift 2 + ;; + *) + if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then + failure "Unknown option '$1'. +Type '$PGRM help' for usage." + fi + break + ;; + esac + done + + userID="ssh://${hostName}" + + # prompt about key expiration if not specified + keyExpire=$(get_gpg_expiration "$keyExpire") + + # set key parameters + keyParameters=\ +"Key-Type: $keyType +Key-Length: $keyLength +Key-Usage: $keyUsage +Name-Real: $userID +Expire-Date: $keyExpire" + + # add the revoker field if specified + # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key. + # FIXME: key is marked "sensitive"? is this appropriate? + if [ "$revoker" ] ; then + keyParameters=\ +"${keyParameters} +Revoker: 1:${revoker} sensitive" + fi + + echo "The following key parameters will be used for the host private key:" + echo "$keyParameters" + + read -p "Generate key? (Y/n) " OK; OK=${OK:=Y} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "aborting." + fi + + # add commit command + # must include blank line! + keyParameters=\ +"${keyParameters} + +%commit +%echo done" + + log verbose "generating host key..." + echo "$keyParameters" | gpg_host --batch --gen-key + + # find the key fingerprint of the newly generated key + fingerprint=$(fingerprint_server_key) + + # export host ownertrust to authentication keyring + log verbose "setting ultimate owner trust for host key..." + echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust" + + # translate the private key to ssh format, and export to a file + # for sshs usage. + # NOTE: assumes that the primary key is the proper key to use + (umask 077 && \ + gpg_host --export-secret-key "$fingerprint" | \ + openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key") + log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key" + ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub" + log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub" + gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + + # show info about new key + show_server_key +} + +# extend the lifetime of a host key: +extend_key() { + local fpr=$(fingerprint_server_key) + local extendTo="$1" + + # get the new expiration date + extendTo=$(get_gpg_expiration "$extendTo") + + gpg_host --quiet --command-fd 0 --edit-key "$fpr" <<EOF +expire +$extendTo +save +EOF + + echo + echo "NOTE: Host key expiration date adjusted, but not yet published." + echo "Run '$PGRM publish-key' to publish the new expiration date." +} + +# add hostname user ID to server key +add_hostname() { + local userID + local fingerprint + local tmpuidMatch + local line + local adduidCommand + + if [ -z "$1" ] ; then + failure "You must specify a hostname to add." + fi + + userID="ssh://${1}" + + fingerprint=$(fingerprint_server_key) + + # match to only ultimately trusted user IDs + tmpuidMatch="u:$(echo $userID | gpg_escape)" + + # find the index of the requsted user ID + # NOTE: this is based on circumstantial evidence that the order of + # this output is the appropriate index + if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \ + | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then + failure "Host userID '$userID' already exists." + fi + + echo "The following user ID will be added to the host key:" + echo " $userID" + read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "User ID not added." + fi + + # edit-key script command to add user ID + adduidCommand=$(cat <<EOF +adduid +$userID + + +save +EOF +) + + # execute edit-key script + if echo "$adduidCommand" | \ + gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then + + # update the trustdb for the authentication keyring + gpg_authentication "--check-trustdb" + + show_server_key + + echo + echo "NOTE: User ID added to key, but key not published." + echo "Run '$PGRM publish-key' to publish the new user ID." + else + failure "Problem adding user ID." + fi +} + +# revoke hostname user ID to server key +revoke_hostname() { + local userID + local fingerprint + local tmpuidMatch + local line + local uidIndex + local message + local revuidCommand + + if [ -z "$1" ] ; then + failure "You must specify a hostname to revoke." + fi + + echo "WARNING: There is a known bug in this function." + echo "This function has been known to occasionally revoke the wrong user ID." + echo "Please see the following bug report for more information:" + echo "http://web.monkeysphere.info/bugs/revoke-hostname-revoking-wrong-userid/" + read -p "Are you sure you would like to proceed? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "aborting." + fi + + userID="ssh://${1}" + + fingerprint=$(fingerprint_server_key) + + # match to only ultimately trusted user IDs + tmpuidMatch="u:$(echo $userID | gpg_escape)" + + # find the index of the requsted user ID + # NOTE: this is based on circumstantial evidence that the order of + # this output is the appropriate index + if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \ + | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then + uidIndex=${line%%:*} + else + failure "No non-revoked user ID '$userID' is found." + fi + + echo "The following host key user ID will be revoked:" + echo " $userID" + read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "User ID not revoked." + fi + + message="Hostname removed by monkeysphere-server $DATE" + + # edit-key script command to revoke user ID + revuidCommand=$(cat <<EOF +$uidIndex +revuid +y +4 +$message + +y +save +EOF + ) + + # execute edit-key script + if echo "$revuidCommand" | \ + gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then + + # update the trustdb for the authentication keyring + gpg_authentication "--check-trustdb" + + show_server_key + + echo + echo "NOTE: User ID revoked, but revocation not published." + echo "Run '$PGRM publish-key' to publish the revocation." + else + failure "Problem revoking user ID." + fi +} + +# add a revoker to the host key +add_revoker() { + # FIXME: implement! + failure "not implemented yet!" +} + +# revoke the host key +revoke_key() { + # FIXME: implement! + failure "not implemented yet!" +} + +# publish server key to keyserver +publish_server_key() { + read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "key not published." + fi + + # find the key fingerprint + fingerprint=$(fingerprint_server_key) + + # publish host key + gpg_authentication "--keyserver $KEYSERVER --send-keys '0x${fingerprint}!'" +} + +diagnostics() { +# * check on the status and validity of the key and public certificates + local seckey + local keysfound + local curdate + local warnwindow + local warndate + local create + local expire + local uid + local fingerprint + local badhostkeys + local sshd_config + local problemsfound=0 + + # FIXME: what's the correct, cross-platform answer? + sshd_config=/etc/ssh/sshd_config + seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode) + keysfound=$(echo "$seckey" | grep -c ^sec:) + curdate=$(date +%s) + # warn when anything is 2 months away from expiration + warnwindow='2 months' + warndate=$(advance_date $warnwindow +%s) + + if ! id monkeysphere >/dev/null ; then + echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell." + problemsfound=$(($problemsfound+1)) + fi + + if ! [ -d "$SYSDATADIR" ] ; then + echo "! no $SYSDATADIR directory found. Please create it." + problemsfound=$(($problemsfound+1)) + fi + + echo "Checking host GPG key..." + if (( "$keysfound" < 1 )); then + echo "! No host key found." + echo " - Recommendation: run 'monkeysphere-server gen-key'" + problemsfound=$(($problemsfound+1)) + elif (( "$keysfound" > 1 )); then + echo "! More than one host key found?" + # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) + else + create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:) + expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:) + fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:) + # check for key expiration: + if [ "$expire" ]; then + if (( "$expire" < "$curdate" )); then + echo "! Host key is expired." + echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + problemsfound=$(($problemsfound+1)) + elif (( "$expire" < "$warndate" )); then + echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) + echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'" + problemsfound=$(($problemsfound+1)) + fi + fi + + # and weirdnesses: + if [ "$create" ] && (( "$create" > "$curdate" )); then + echo "! Host key was created in the future(?!). Is your clock correct?" + echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" + problemsfound=$(($problemsfound+1)) + fi + + # check for UserID expiration: + echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \ + while IFS=: read create expire uid ; do + # FIXME: should we be doing any checking on the form + # of the User ID? Should we be unmangling it somehow? + + if [ "$create" ] && (( "$create" > "$curdate" )); then + echo "! User ID '$uid' was created in the future(?!). Is your clock correct?" + echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" + problemsfound=$(($problemsfound+1)) + fi + if [ "$expire" ] ; then + if (( "$expire" < "$curdate" )); then + echo "! User ID '$uid' is expired." + # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) + elif (( "$expire" < "$warndate" )); then + echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) + # FIXME: recommend a way to resolve this + problemsfound=$(($problemsfound+1)) + fi + fi + done + +# FIXME: verify that the host key is properly published to the +# keyservers (do this with the non-privileged user) + +# FIXME: check that there are valid, non-expired certifying signatures +# attached to the host key after fetching from the public keyserver +# (do this with the non-privileged user as well) + +# FIXME: propose adding a revoker to the host key if none exist (do we +# have a way to do that after key generation?) + + # Ensure that the ssh_host_rsa_key file is present and non-empty: + echo + echo "Checking host SSH key..." + if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then + echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty." + problemsfound=$(($problemsfound+1)) + else + if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then + echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600." + problemsfound=$(($problemsfound+1)) + fi + + # propose changes needed for sshd_config (if any) + if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then + echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)." + echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'" + problemsfound=$(($problemsfound+1)) + fi + if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then + echo "! $sshd_config refers to some non-monkeysphere host keys:" + echo "$badhostkeys" + echo " - Recommendation: remove the above HostKey lines from $sshd_config" + problemsfound=$(($problemsfound+1)) + fi + + # FIXME: test (with ssh-keyscan?) that the running ssh + # daemon is actually offering the monkeysphere host key. + + fi + fi + +# FIXME: look at the ownership/privileges of the various keyrings, +# directories housing them, etc (what should those values be? can +# we make them as minimal as possible?) + +# FIXME: look to see that the ownertrust rules are set properly on the +# authentication keyring + +# FIXME: make sure that at least one identity certifier exists + +# FIXME: look at the timestamps on the monkeysphere-generated +# authorized_keys files -- warn if they seem out-of-date. + +# FIXME: check for a cronjob that updates monkeysphere-generated +# authorized_keys? + + echo + echo "Checking for MonkeySphere-enabled public-key authentication for users ..." + # Ensure that User ID authentication is enabled: + if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then + echo "! $sshd_config does not point to monkeysphere authorized keys." + echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'" + problemsfound=$(($problemsfound+1)) + fi + if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then + echo "! $sshd_config refers to non-monkeysphere authorized_keys files:" + echo "$badauthorizedkeys" + echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" + problemsfound=$(($problemsfound+1)) + fi + + if [ "$problemsfound" -gt 0 ]; then + echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:" + echo " monkeysphere-server diagnostics" + else + echo "Everything seems to be in order!" + fi +} + +######################################################################## +# MAIN +######################################################################## + +# unset variables that should be defined only in config file +unset KEYSERVER +unset AUTHORIZED_USER_IDS +unset RAW_AUTHORIZED_KEYS +unset MONKEYSPHERE_USER + +# load configuration file +[ -e ${MONKEYSPHERE_SERVER_CONFIG:="${SYSCONFIGDIR}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG" + +# set empty config variable with ones from the environment, or with +# defaults +LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}} +KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}} +AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}} +RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}} +MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}} + +# other variables +CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} +REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} +GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"} +GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"} + +# export variables needed in su invocation +export DATE +export MODE +export MONKEYSPHERE_USER +export LOG_LEVEL +export KEYSERVER +export CHECK_KEYSERVER +export REQUIRED_USER_KEY_CAPABILITY +export GNUPGHOME_HOST +export GNUPGHOME_AUTHENTICATION +export GNUPGHOME + +# get subcommand +COMMAND="$1" +[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." +shift + +case $COMMAND in + 'show-key'|'show'|'s') + show_server_key + ;; + + 'extend-key'|'e') + check_user + check_host_keyring + extend_key "$@" + ;; + + 'add-hostname'|'add-name'|'n+') + check_user + check_host_keyring + add_hostname "$@" + ;; + + 'revoke-hostname'|'revoke-name'|'n-') + check_user + check_host_keyring + revoke_hostname "$@" + ;; + + 'add-revoker'|'o') + check_user + check_host_keyring + add_revoker "$@" + ;; + + 'revoke-key'|'r') + check_user + check_host_keyring + revoke_key "$@" + ;; + + 'publish-key'|'publish'|'p') + check_user + check_host_keyring + publish_server_key + ;; + + 'expert'|'e') + check_user + SUBCOMMAND="$1" + shift + case "$SUBCOMMAND" in + 'import-key'|'i') + import_key "$@" + ;; + + 'gen-key'|'g') + gen_key "$@" + ;; + + 'diagnostics'|'d') + diagnostics + ;; + + *) + failure "Unknown expert subcommand: '$COMMAND' +Type '$PGRM help' for usage." + ;; + esac + ;; + + 'version'|'v') + echo "$VERSION" + ;; + + '--help'|'help'|'-h'|'h'|'?') + usage + ;; + + *) + failure "Unknown command: '$COMMAND' +Type '$PGRM help' for usage." + ;; +esac + +exit "$RETURN" |