diff options
Diffstat (limited to 'src/monkeysphere-server')
| -rwxr-xr-x | src/monkeysphere-server | 57 |
1 files changed, 38 insertions, 19 deletions
diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 693c062..40a6b54 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -46,11 +46,18 @@ gen_key() { local hostName hostName=${1:-$(hostname --fqdn)} + service=${SERVICE:-"ssh"} + userID="${service}://${hostName}" + + if gpg --list-key ="$userID" > /dev/null 2>&1 ; then + failure "Key for '$userID' already exists" + fi # set key defaults KEY_TYPE=${KEY_TYPE:-"RSA"} KEY_LENGTH=${KEY_LENGTH:-"2048"} KEY_USAGE=${KEY_USAGE:-"auth"} + KEY_EXPIRE=${KEY_EXPIRE:-"0"} cat <<EOF Please specify how long the key should be valid. 0 = key does not expire @@ -59,25 +66,22 @@ Please specify how long the key should be valid. <n>m = key expires in n months <n>y = key expires in n years EOF - read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"} - - SERVICE=${SERVICE:-"ssh"} - USERID=${USERID:-"$SERVICE"://"$hostName"} + read -p "Key is valid for? ($KEY_EXPIRE) " KEY_EXPIRE; KEY_EXPIRE=${KEY_EXPIRE:-"0"} # set key parameters keyParameters=$(cat <<EOF Key-Type: $KEY_TYPE Key-Length: $KEY_LENGTH Key-Usage: $KEY_USAGE -Name-Real: $USERID -Expire-Date: $EXPIRE +Name-Real: $userID +Expire-Date: $KEY_EXPIRE EOF ) # add the revoker field if requested -# FIXME: the 1: below assumes that $REVOKER's key is an RSA key. why? -# FIXME: why is this marked "sensitive"? how will this signature ever -# be transmitted to the expected revoker? + # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key. why? + # FIXME: why is this marked "sensitive"? how will this signature ever + # be transmitted to the expected revoker? if [ "$REVOKER" ] ; then keyParameters="${keyParameters}"$(cat <<EOF @@ -89,15 +93,11 @@ EOF echo "The following key parameters will be used:" echo "$keyParameters" - read -p "generate key? [Y|n]: " OK; OK=${OK:=Y} + read -p "Generate key? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} != 'Y' ] ; then failure "aborting." fi - if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then - failure "key for '$USERID' already exists" - fi - # add commit command keyParameters="${keyParameters}"$(cat <<EOF @@ -106,14 +106,33 @@ EOF EOF ) - log -n "generating server key... " + log "generating server key... " echo "$keyParameters" | gpg --batch --gen-key - loge "done." - fingerprint_server_key + + # output the server fingerprint + fingerprint_server_key "=${userID}" + + # find the key fingerprint of the server primary key + keyID=$(gpg --list-key --with-colons --with-fingerprint "=${userID}" | \ + grep '^fpr:' | head -1 | cut -d: -f10) + + # write the key to the file + # NOTE: assumes that the primary key is the proper key to use + (umask 077 && gpgsecret2ssh "$keyID" > "${MS_HOME}/ssh_host_rsa_key") + log "Private SSH host key output to file: ${MS_HOME}/ssh_host_rsa_key" } +# gpg output key fingerprint fingerprint_server_key() { - gpg --fingerprint --list-secret-keys =ssh://$(hostname --fqdn) + local ID + + if [ -z "$1" ] ; then + ID="$1" + else + ID="=ssh://$(hostname --fqdn)" + fi + + gpg --fingerprint --list-secret-keys "$ID" } ######################################################################## @@ -214,7 +233,7 @@ case $COMMAND in ;; 'show-fingerprint'|'f') - fingerprint_server_key + fingerprint_server_key "$@" ;; 'publish-key'|'p') |