summaryrefslogtreecommitdiff
path: root/src/share/mh
diff options
context:
space:
mode:
Diffstat (limited to 'src/share/mh')
-rw-r--r--src/share/mh/add_hostname73
-rw-r--r--src/share/mh/add_revoker21
-rw-r--r--src/share/mh/diagnostics185
-rw-r--r--src/share/mh/extend_key34
-rw-r--r--src/share/mh/gen_key107
-rw-r--r--src/share/mh/import_key89
-rw-r--r--src/share/mh/publish_key31
-rw-r--r--src/share/mh/revoke_hostname91
-rw-r--r--src/share/mh/revoke_key21
9 files changed, 652 insertions, 0 deletions
diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname
new file mode 100644
index 0000000..10d5f58
--- /dev/null
+++ b/src/share/mh/add_hostname
@@ -0,0 +1,73 @@
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere host add-hostname subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2008-2009, and are all released under the GPL,
+# version 3 or later.
+
+# add hostname user ID to server key
+
+add_hostname() {
+
+local userID
+local fingerprint
+local tmpuidMatch
+local line
+local adduidCommand
+
+if [ -z "$1" ] ; then
+ failure "You must specify a hostname to add."
+fi
+
+userID="ssh://${1}"
+
+fingerprint=$(fingerprint_server_key)
+
+# match to only ultimately trusted user IDs
+tmpuidMatch="u:$(echo $userID | gpg_escape)"
+
+# find the index of the requsted user ID
+# NOTE: this is based on circumstantial evidence that the order of
+# this output is the appropriate index
+if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \
+ | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then
+ failure "Host userID '$userID' already exists."
+fi
+
+echo "The following user ID will be added to the host key:"
+echo " $userID"
+read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N}
+if [ ${OK/y/Y} != 'Y' ] ; then
+ failure "User ID not added."
+fi
+
+# edit-key script command to add user ID
+adduidCommand=$(cat <<EOF
+adduid
+$userID
+
+
+save
+EOF
+)
+
+# execute edit-key script
+if echo "$adduidCommand" | \
+ gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
+
+ show_key
+
+ echo
+ echo "NOTE: User ID added to key, but key not published."
+ echo "Run '$PGRM publish-key' to publish the new user ID."
+else
+ failure "Problem adding user ID."
+fi
+
+}
diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker
new file mode 100644
index 0000000..f9d0bb6
--- /dev/null
+++ b/src/share/mh/add_revoker
@@ -0,0 +1,21 @@
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere host add-revoker subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2008, and are all released under the GPL, version 3
+# or later.
+
+# add a revoker to the host key
+
+add_revoker() {
+
+# FIXME: implement!
+failure "not implemented yet!"
+
+}
diff --git a/src/share/mh/diagnostics b/src/share/mh/diagnostics
new file mode 100644
index 0000000..7e76da6
--- /dev/null
+++ b/src/share/mh/diagnostics
@@ -0,0 +1,185 @@
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere host diagnostics subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2008-2009, and are all released under the GPL,
+# version 3 or later.
+
+# check on the status and validity of the key and public certificates
+
+diagnostics() {
+
+local seckey
+local keysfound
+local curdate
+local warnwindow
+local warndate
+local create
+local expire
+local uid
+local fingerprint
+local badhostkeys
+local sshd_config
+local problemsfound=0
+
+# FIXME: what's the correct, cross-platform answer?
+sshd_config=/etc/ssh/sshd_config
+seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
+keysfound=$(echo "$seckey" | grep -c ^sec:)
+curdate=$(date +%s)
+# warn when anything is 2 months away from expiration
+warnwindow='2 months'
+warndate=$(advance_date $warnwindow +%s)
+
+if ! id monkeysphere >/dev/null ; then
+ echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell."
+ problemsfound=$(($problemsfound+1))
+fi
+
+if ! [ -d "$SYSDATADIR" ] ; then
+ echo "! no $SYSDATADIR directory found. Please create it."
+ problemsfound=$(($problemsfound+1))
+fi
+
+echo "Checking host GPG key..."
+if (( "$keysfound" < 1 )); then
+ echo "! No host key found."
+ echo " - Recommendation: run 'monkeysphere-server gen-key'"
+ problemsfound=$(($problemsfound+1))
+elif (( "$keysfound" > 1 )); then
+ echo "! More than one host key found?"
+ # FIXME: recommend a way to resolve this
+ problemsfound=$(($problemsfound+1))
+else
+ create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
+ expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
+ fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
+ # check for key expiration:
+ if [ "$expire" ]; then
+ if (( "$expire" < "$curdate" )); then
+ echo "! Host key is expired."
+ echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+ problemsfound=$(($problemsfound+1))
+ elif (( "$expire" < "$warndate" )); then
+ echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
+ echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
+ problemsfound=$(($problemsfound+1))
+ fi
+ fi
+
+ # and weirdnesses:
+ if [ "$create" ] && (( "$create" > "$curdate" )); then
+ echo "! Host key was created in the future(?!). Is your clock correct?"
+ echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
+ problemsfound=$(($problemsfound+1))
+ fi
+
+ # check for UserID expiration:
+ echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
+ while IFS=: read create expire uid ; do
+ # FIXME: should we be doing any checking on the form
+ # of the User ID? Should we be unmangling it somehow?
+
+ if [ "$create" ] && (( "$create" > "$curdate" )); then
+ echo "! User ID '$uid' was created in the future(?!). Is your clock correct?"
+ echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
+ problemsfound=$(($problemsfound+1))
+ fi
+ if [ "$expire" ] ; then
+ if (( "$expire" < "$curdate" )); then
+ echo "! User ID '$uid' is expired."
+ # FIXME: recommend a way to resolve this
+ problemsfound=$(($problemsfound+1))
+ elif (( "$expire" < "$warndate" )); then
+ echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
+ # FIXME: recommend a way to resolve this
+ problemsfound=$(($problemsfound+1))
+ fi
+ fi
+ done
+
+# FIXME: verify that the host key is properly published to the
+# keyservers (do this with the non-privileged user)
+
+# FIXME: check that there are valid, non-expired certifying signatures
+# attached to the host key after fetching from the public keyserver
+# (do this with the non-privileged user as well)
+
+# FIXME: propose adding a revoker to the host key if none exist (do we
+# have a way to do that after key generation?)
+
+ # Ensure that the ssh_host_rsa_key file is present and non-empty:
+ echo
+ echo "Checking host SSH key..."
+ if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then
+ echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty."
+ problemsfound=$(($problemsfound+1))
+ else
+ if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
+ echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600."
+ problemsfound=$(($problemsfound+1))
+ fi
+
+ # propose changes needed for sshd_config (if any)
+ if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then
+ echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)."
+ echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'"
+ problemsfound=$(($problemsfound+1))
+ fi
+ if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then
+ echo "! $sshd_config refers to some non-monkeysphere host keys:"
+ echo "$badhostkeys"
+ echo " - Recommendation: remove the above HostKey lines from $sshd_config"
+ problemsfound=$(($problemsfound+1))
+ fi
+
+ # FIXME: test (with ssh-keyscan?) that the running ssh
+ # daemon is actually offering the monkeysphere host key.
+
+ fi
+fi
+
+# FIXME: look at the ownership/privileges of the various keyrings,
+# directories housing them, etc (what should those values be? can
+# we make them as minimal as possible?)
+
+# FIXME: look to see that the ownertrust rules are set properly on the
+# authentication keyring
+
+# FIXME: make sure that at least one identity certifier exists
+
+# FIXME: look at the timestamps on the monkeysphere-generated
+# authorized_keys files -- warn if they seem out-of-date.
+
+# FIXME: check for a cronjob that updates monkeysphere-generated
+# authorized_keys?
+
+echo
+echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
+# Ensure that User ID authentication is enabled:
+if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then
+ echo "! $sshd_config does not point to monkeysphere authorized keys."
+ echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'"
+ problemsfound=$(($problemsfound+1))
+fi
+if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then
+ echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
+ echo "$badauthorizedkeys"
+ echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
+ problemsfound=$(($problemsfound+1))
+fi
+
+if [ "$problemsfound" -gt 0 ]; then
+ echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
+ echo " monkeysphere-server diagnostics"
+else
+ echo "Everything seems to be in order!"
+fi
+
+}
diff --git a/src/share/mh/extend_key b/src/share/mh/extend_key
new file mode 100644
index 0000000..ccbaf0e
--- /dev/null
+++ b/src/share/mh/extend_key
@@ -0,0 +1,34 @@
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere host extend-key subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2008-2009, and are all released under the GPL,
+# version 3 or later.
+
+# extend the lifetime of a host key:
+
+extend_key() {
+
+local fpr=$(fingerprint_server_key)
+local extendTo="$1"
+
+# get the new expiration date
+extendTo=$(get_gpg_expiration "$extendTo")
+
+gpg_host --quiet --command-fd 0 --edit-key "$fpr" <<EOF
+expire
+$extendTo
+save
+EOF
+
+echo
+echo "NOTE: Host key expiration date adjusted, but not yet published."
+echo "Run '$PGRM publish-key' to publish the new expiration date."
+
+}
diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key
new file mode 100644
index 0000000..aad213a
--- /dev/null
+++ b/src/share/mh/gen_key
@@ -0,0 +1,107 @@
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere host gen-key subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2008-2009, and are all released under the GPL,
+# version 3 or later.
+
+gen_key() {
+
+local keyType="RSA"
+local keyLength="2048"
+local keyUsage="auth"
+local keyExpire
+local hostName=$(hostname -f)
+local userID
+local keyParameters
+local fingerprint
+
+# check for presense of secret key
+# FIXME: is this the proper test to be doing here?
+fingerprint_server_key >/dev/null \
+ && failure "An OpenPGP host key already exists."
+
+# get options
+while true ; do
+ case "$1" in
+ -l|--length)
+ keyLength="$2"
+ shift 2
+ ;;
+ -e|--expire)
+ keyExpire="$2"
+ shift 2
+ ;;
+ *)
+ if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
+ failure "Unknown option '$1'.
+Type '$PGRM help' for usage."
+ fi
+ hostName="$1"
+ shift;
+ break
+ ;;
+ esac
+done
+
+userID="ssh://${hostName}"
+
+# prompt about key expiration if not specified
+keyExpire=$(get_gpg_expiration "$keyExpire")
+
+# set key parameters
+keyParameters=\
+"Key-Type: $keyType
+Key-Length: $keyLength
+Key-Usage: $keyUsage
+Name-Real: $userID
+Expire-Date: $keyExpire"
+
+echo "The following key parameters will be used for the host private key:"
+echo "$keyParameters"
+
+read -p "Generate key? (Y/n) " OK; OK=${OK:=Y}
+if [ ${OK/y/Y} != 'Y' ] ; then
+ failure "aborting."
+fi
+
+# add commit command
+# must include blank line!
+keyParameters=\
+"${keyParameters}
+
+%commit
+%echo done"
+
+log verbose "generating host key..."
+echo "$keyParameters" | gpg_host --batch --gen-key
+
+# find the key fingerprint of the newly generated key
+fingerprint=$(fingerprint_server_key)
+
+# export host ownertrust to authentication keyring
+log verbose "setting ultimate owner trust for host key..."
+echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"
+
+# translate the private key to ssh format, and export to a file
+# for sshs usage.
+# NOTE: assumes that the primary key is the proper key to use
+(umask 077 && \
+ gpg_host --export-secret-key "$fingerprint" | \
+ openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
+log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
+ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub"
+log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub"
+gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+
+# show info about new key
+show_key
+
+}
diff --git a/src/share/mh/import_key b/src/share/mh/import_key
new file mode 100644
index 0000000..386e02d
--- /dev/null
+++ b/src/share/mh/import_key
@@ -0,0 +1,89 @@
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere host import-key subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2008-2009 and are all released under the GPL,
+# version 3 or later.
+
+import_key() {
+
+local hostName=$(hostname -f)
+local keyFile="/etc/ssh/ssh_host_rsa_key"
+local keyExpire
+local userID
+
+# check for presense of secret key
+# FIXME: is this the proper test to be doing here?
+fingerprint_server_key >/dev/null \
+ && failure "An OpenPGP host key already exists."
+
+# get options
+while true ; do
+ case "$1" in
+ -f|--keyfile)
+ keyFile="$2"
+ shift 2
+ ;;
+ -e|--expire)
+ keyExpire="$2"
+ shift 2
+ ;;
+ *)
+ if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
+ failure "Unknown option '$1'.
+Type '$PGRM help' for usage."
+ fi
+ hostName="$1"
+ shift
+ ;;
+ break
+ ;;
+ esac
+done
+
+if [ ! -f "$keyFile" ] ; then
+ failure "SSH secret key file '$keyFile' not found."
+fi
+
+userID="ssh://${hostName}"
+
+# prompt about key expiration if not specified
+keyExpire=$(get_gpg_expiration "$keyExpire")
+
+echo "The following key parameters will be used for the host private key:"
+echo "Import: $keyFile"
+echo "Name-Real: $userID"
+echo "Expire-Date: $keyExpire"
+
+read -p "Import key? (Y/n) " OK; OK=${OK:=Y}
+if [ ${OK/y/Y} != 'Y' ] ; then
+ failure "aborting."
+fi
+
+log verbose "importing ssh key..."
+# translate ssh key to a private key
+(umask 077 && \
+ pem2openpgp "$userID" "$keyExpire" < "$sshKey" | gpg_host --import)
+
+# find the key fingerprint of the newly converted key
+fingerprint=$(fingerprint_server_key)
+
+# export host ownertrust to authentication keyring
+log verbose "setting ultimate owner trust for host key..."
+echo "${fingerprint}:6:" | gpg_host "--import-ownertrust"
+echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"
+
+# export public key to file
+gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+
+# show info about new key
+show_key
+
+}
diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key
new file mode 100644
index 0000000..b7ab01d
--- /dev/null
+++ b/src/share/mh/publish_key
@@ -0,0 +1,31 @@
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere host publish-key subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2008-2009, and are all released under the GPL, version 3
+# or later.
+
+# publish server key to keyserver
+
+publish_key() {
+
+read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
+if [ ${OK/y/Y} != 'Y' ] ; then
+ failure "key not published."
+fi
+
+# find the key fingerprint
+fingerprint=$(fingerprint_server_key)
+
+# publish host key
+# FIXME: need to define how to do this
+#gpg_authentication "--keyserver $KEYSERVER --send-keys '0x${fingerprint}!'"
+echo "not published!!!"
+
+}
diff --git a/src/share/mh/revoke_hostname b/src/share/mh/revoke_hostname
new file mode 100644
index 0000000..b519cf6
--- /dev/null
+++ b/src/share/mh/revoke_hostname
@@ -0,0 +1,91 @@
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere host revoke-hostname subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2008-2009, and are all released under the GPL,
+# version 3 or later.
+
+# revoke hostname user ID from host key
+
+revoke_hostname() {
+
+local userID
+local fingerprint
+local tmpuidMatch
+local line
+local uidIndex
+local message
+local revuidCommand
+
+if [ -z "$1" ] ; then
+ failure "You must specify a hostname to revoke."
+fi
+
+echo "WARNING: There is a known bug in this function."
+echo "This function has been known to occasionally revoke the wrong user ID."
+echo "Please see the following bug report for more information:"
+echo "http://web.monkeysphere.info/bugs/revoke-hostname-revoking-wrong-userid/"
+read -p "Are you sure you would like to proceed? (y/N) " OK; OK=${OK:=N}
+if [ ${OK/y/Y} != 'Y' ] ; then
+ failure "aborting."
+fi
+
+userID="ssh://${1}"
+
+fingerprint=$(fingerprint_server_key)
+
+# match to only ultimately trusted user IDs
+tmpuidMatch="u:$(echo $userID | gpg_escape)"
+
+# find the index of the requsted user ID
+# NOTE: this is based on circumstantial evidence that the order of
+# this output is the appropriate index
+if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \
+ | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then
+ uidIndex=${line%%:*}
+else
+ failure "No non-revoked user ID '$userID' is found."
+fi
+
+echo "The following host key user ID will be revoked:"
+echo " $userID"
+read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N}
+if [ ${OK/y/Y} != 'Y' ] ; then
+ failure "User ID not revoked."
+fi
+
+message="Hostname removed by monkeysphere-server $DATE"
+
+# edit-key script command to revoke user ID
+revuidCommand=$(cat <<EOF
+$uidIndex
+revuid
+y
+4
+$message
+
+y
+save
+EOF
+ )
+
+# execute edit-key script
+if echo "$revuidCommand" | \
+ gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
+
+ show_key
+
+ echo
+ echo "NOTE: User ID revoked, but revocation not published."
+ echo "Run '$PGRM publish-key' to publish the revocation."
+else
+ failure "Problem revoking user ID."
+fi
+
+}
diff --git a/src/share/mh/revoke_key b/src/share/mh/revoke_key
new file mode 100644
index 0000000..cccdc22
--- /dev/null
+++ b/src/share/mh/revoke_key
@@ -0,0 +1,21 @@
+# -*-shell-script-*-
+# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
+
+# Monkeysphere host revoke-key subcommand
+#
+# The monkeysphere scripts are written by:
+# Jameson Rollins <jrollins@finestructure.net>
+# Jamie McClelland <jm@mayfirst.org>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# They are Copyright 2008-2009, and are all released under the GPL,
+# version 3 or later.
+
+# revoke host key
+
+revoke_key() {
+
+# FIXME: implement!
+failure "not implemented yet!"
+
+}