diff options
Diffstat (limited to 'src/share/mh')
| -rw-r--r-- | src/share/mh/add_hostname | 16 | ||||
| -rw-r--r-- | src/share/mh/add_revoker | 21 | ||||
| -rw-r--r-- | src/share/mh/diagnostics | 2 | ||||
| -rw-r--r-- | src/share/mh/gen_key | 87 | ||||
| -rw-r--r-- | src/share/mh/import_key | 45 | ||||
| -rw-r--r-- | src/share/mh/publish_key | 32 | ||||
| -rw-r--r-- | src/share/mh/revoke_hostname | 18 | ||||
| -rw-r--r-- | src/share/mh/set_expire | 14 |
8 files changed, 106 insertions, 129 deletions
diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname index 46326bb..70bbec3 100644 --- a/src/share/mh/add_hostname +++ b/src/share/mh/add_hostname @@ -31,11 +31,15 @@ userID="ssh://${1}" find_host_userid > /dev/null && \ failure "Host userID '$userID' already exists." -echo "The following user ID will be added to the host key:" -echo " $userID" -read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N} -if [ ${OK/y/Y} != 'Y' ] ; then - failure "User ID not added." +if [ "$PROMPT" = "true" ] ; then + echo "The following user ID will be added to the host key:" + echo " $userID" + read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "User ID not added." + fi +else + log debug "adding user ID without prompting." fi # edit-key script command to add user ID @@ -51,6 +55,8 @@ EOF # execute edit-key script if echo "$adduidCommand" | gpg_host_edit ; then + update_gpg_pub_file + show_key echo diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker index 39dfaca..b4113df 100644 --- a/src/share/mh/add_revoker +++ b/src/share/mh/add_revoker @@ -53,7 +53,7 @@ if [ -f "$keyID" ] ; then fi else # create a temporary directory for storing the downloaded key - TMPLOC=$(mktemp -d ${MHTMPDIR}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" + TMPLOC=$(mktemp -d "${MHTMPDIR}"/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" # download the key from the keyserver as the monkeysphere user su_monkeysphere_user \ @@ -74,17 +74,20 @@ if [ -z "$fingerprint" ] ; then failure "Key '$keyID' not found." fi -log info -e "\nkey found:" +log info "key found:" gpg_host --fingerprint "0x${fingerprint}!" -echo "Are you sure you want to add the above key as a" -read -p "revoker of the host key? (y/N) " OK; OK=${OK:-N} -if [ "${OK/y/Y}" != 'Y' ] ; then - failure "Revoker not added." +if [ "$PROMPT" = "true" ] ; then + echo "Are you sure you want to add the above key as a" + read -p "revoker of the host key? (y/N) " OK; OK=${OK:-N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "revoker not added." + fi +else + log debug "adding revoker without prompting." fi # edit-key script to add revoker -# NOTE: *all* user IDs will be ltsigned addrevokerCommand=$(cat <<EOF addrevoker @@ -98,7 +101,9 @@ failure "not implemented yet!" if echo "$addrevokerCommand" | \ gpg_core_edit ; then - log info -e "\nRevoker added." + update_gpg_pub_file + + log info "Revoker added." else failure "Problem adding revoker." fi diff --git a/src/share/mh/diagnostics b/src/share/mh/diagnostics index 96065e6..d774723 100644 --- a/src/share/mh/diagnostics +++ b/src/share/mh/diagnostics @@ -152,7 +152,7 @@ fi if [ "$problemsfound" -gt 0 ]; then echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:" - echo " monkeysphere-host expert diagnostics" + echo " monkeysphere-host diagnostics" else echo "Everything seems to be in order!" fi diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key deleted file mode 100644 index 7b427e4..0000000 --- a/src/share/mh/gen_key +++ /dev/null @@ -1,87 +0,0 @@ -# -*-shell-script-*- -# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) - -# Monkeysphere host gen-key subcommand -# -# The monkeysphere scripts are written by: -# Jameson Rollins <jrollins@finestructure.net> -# Jamie McClelland <jm@mayfirst.org> -# Daniel Kahn Gillmor <dkg@fifthhorseman.net> -# -# They are Copyright 2008-2009, and are all released under the GPL, -# version 3 or later. - -gen_key() { - -local hostName=$(hostname -f) -local keyType="RSA" -local keyLength="2048" -local keyUsage="auth" -local keyExpire="0" -local userID - -# check for presense of a key -[ "$HOST_FINGERPRINT" ] && \ - failure "An OpenPGP host key already exists." - -# get options -while true ; do - case "$1" in - -l|--length) - keyLength="$2" - shift 2 - ;; - *) - if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then - failure "Unknown option '$1'. -Type '$PGRM help' for usage." - fi - break - ;; - esac -done - -hostName="$1" -userID="ssh://${hostName}" - -# create host home -mkdir -p "$GNUPGHOME_HOST" -chmod 700 "$GNUPGHOME_HOST" - -log debug "generating host key..." -gpg_host --batch --gen-key <<EOF -Key-Type: $keyType -Key-Length: $keyLength -Key-Usage: $keyUsage -Name-Real: $userID -Expire-Date: $keyExpire - -%commit -%echo done - -EOF - -# find the key fingerprint of the newly converted key -HOST_FINGERPRINT=$(get_host_fingerprint) -export HOST_FINGERPRINT - -# translate the private key to ssh format, and export to a file -# for sshs usage. -# NOTE: assumes that the primary key is the proper key to use -log debug "exporting ssh secret key..." -(umask 077 && \ - gpg_host --export-secret-key "$HOST_FINGERPRINT" | \ - openpgp2ssh "$HOST_FINGERPRINT" > "${MHDATADIR}/ssh_host_rsa_key") -log info "SSH host private key output to file: ${MHDATADIR}/ssh_host_rsa_key" - -log debug "creating ssh public key..." -ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "$HOST_KEY_PUB" -log info "SSH host public key output to file: $HOST_KEY_PUB" - -# export public key to file -gpg_host_export_to_ssh_file - -# show info about new key -show_key - -} diff --git a/src/share/mh/import_key b/src/share/mh/import_key index 99511a8..d14fc13 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key @@ -14,31 +14,48 @@ import_key() { local hostName +local domain local userID -# check for presense of a key -[ "$HOST_FINGERPRINT" ] && \ - failure "An OpenPGP host key already exists." - -hostName=${1:-$(hostname -f)} +hostName="$1" + +# use the default hostname if not specified +if [ -z "$hostName" ] ; then + hostName=$(hostname -f) + # test that the domain is not obviously illegitimate + domain=${foo##*.} + case $domain in + 'local'|'localdomain') + failure "Host domain '$domain' is not legitimate. Aborting key import." + ;; + esac + # test that there are at least two parts + if (( $(echo "$hostName" | tr . ' ' | wc -w) < 2 )) ; then + failure "Host name '$hostName' is not legitimate. Aborting key import." + fi +fi userID="ssh://${hostName}" # create host home -mkdir -p "$GNUPGHOME_HOST" -chmod 700 "$GNUPGHOME_HOST" +mkdir -p "${MHDATADIR}" +mkdir -p "${MHTMPDIR}" +mkdir -p "${GNUPGHOME_HOST}" +chmod 700 "${GNUPGHOME_HOST}" log verbose "importing ssh key..." # translate ssh key to a private key -PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | \ - gpg_host --import +PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \ + | gpg_host --import -# find the key fingerprint of the newly converted key -HOST_FINGERPRINT=$(get_host_fingerprint) -export HOST_FINGERPRINT +# load the new host fpr into the fpr variable. this is so we can +# create the gpg pub key file. we have to do this from the secret key +# ring since we obviously don't have the gpg pub key file yet, since +# that's what we're trying to produce (see below). +load_fingerprint_secret -# export public key to file -gpg_host_export_to_ssh_file +# export to gpg public key to file +update_gpg_pub_file # show info about new key show_key diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key index 988b450..b433ad7 100644 --- a/src/share/mh/publish_key +++ b/src/share/mh/publish_key @@ -15,17 +15,33 @@ publish_key() { -read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N} -if [ ${OK/y/Y} != 'Y' ] ; then - failure "key not published." +local GNUPGHOME + +if [ "$PROMPT" = "true" ] ; then + read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "key not published." + fi +else + log debug "publishing key without prompting." fi -# find the key fingerprint -fingerprint=$(fingerprint_host_key) +# create a temporary gnupg directory from which to publish the key +export GNUPGHOME=$(mktemp -d) + +# trap to remove tmp dir if break +trap "rm -rf $GNUPGHOME" EXIT + +# import the host key into the tmp dir +su_monkeysphere_user \ + "gpg --quiet --import" <"$HOST_KEY_FILE" # publish host key -# FIXME: need to define how to do this -#gpg_authentication "--keyserver $KEYSERVER --send-keys '0x${fingerprint}!'" -echo "not published!!!" +su_monkeysphere_user \ + "gpg --keyserver $KEYSERVER --send-keys '0x${HOST_FINGERPRINT}!'" + +# remove the tmp file +trap - EXIT +rm -rf "$GNUPGHOME" } diff --git a/src/share/mh/revoke_hostname b/src/share/mh/revoke_hostname index 940b5f4..77f1f0d 100644 --- a/src/share/mh/revoke_hostname +++ b/src/share/mh/revoke_hostname @@ -30,7 +30,7 @@ fi echo "WARNING: There is a known bug in this function." echo "This function has been known to occasionally revoke the wrong user ID." echo "Please see the following bug report for more information:" -echo "http://web.monkeysphere.info/bugs/revoke-hostname-revoking-wrong-userid/" +echo "https://labs.riseup.net/code/issues/show/422" read -p "Are you sure you would like to proceed? (y/N) " OK; OK=${OK:=N} if [ ${OK/y/Y} != 'Y' ] ; then failure "aborting." @@ -42,11 +42,15 @@ userID="ssh://${1}" uidIndex=$(find_host_userid) || \ failure "No non-revoked user ID found matching '$userID'." -echo "The following host key user ID will be revoked:" -echo " $userID" -read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N} -if [ ${OK/y/Y} != 'Y' ] ; then - failure "User ID not revoked." +if [ "$PROMPT" = "true" ] ; then + echo "The following host key user ID will be revoked:" + echo " $userID" + read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "User ID not revoked." + fi +else + log debug "revoking user ID without prompting." fi # edit-key script command to revoke user ID @@ -65,6 +69,8 @@ EOF # execute edit-key script if echo "$revuidCommand" | gpg_host_edit ; then + update_gpg_pub_file + show_key echo diff --git a/src/share/mh/set_expire b/src/share/mh/set_expire index 653149f..14d2501 100644 --- a/src/share/mh/set_expire +++ b/src/share/mh/set_expire @@ -21,11 +21,25 @@ local extendTo # get the new expiration date extendTo=$(get_gpg_expiration "$1") +if [ "$PROMPT" = "true" ] ; then + read -p "Are you sure you want to change the expiration on the host key to '$extendTo'? (y/N) " OK; OK=${OK:-N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "expiration not set." + fi +else + log debug "extending without prompting." +fi + +log info "setting host key expiration to ${extendTo}:" + +log debug "executing host expire script..." gpg_host_edit expire <<EOF $extendTo save EOF +update_gpg_pub_file + cat <<EOF | log info NOTE: Host key expiration date adjusted, but not yet published. Run '$PGRM publish-key' to publish the new expiration date. |