diff options
Diffstat (limited to 'src')
| -rwxr-xr-x | src/monkeysphere | 32 | ||||
| -rwxr-xr-x | src/monkeysphere-authentication | 15 | ||||
| -rwxr-xr-x | src/monkeysphere-host | 330 | ||||
| -rw-r--r-- | src/share/common | 116 | ||||
| -rwxr-xr-x | src/share/keytrans | 44 | ||||
| -rw-r--r-- | src/share/m/gen_subkey | 21 | ||||
| -rw-r--r-- | src/share/ma/add_certifier | 2 | ||||
| -rw-r--r-- | src/share/ma/remove_certifier | 2 | ||||
| -rw-r--r-- | src/share/ma/update_users | 3 | ||||
| -rw-r--r-- | src/share/mh/add_hostname | 62 | ||||
| -rw-r--r-- | src/share/mh/add_name | 71 | ||||
| -rw-r--r-- | src/share/mh/add_revoker | 53 | ||||
| -rw-r--r-- | src/share/mh/diagnostics | 189 | ||||
| -rw-r--r-- | src/share/mh/import_key | 51 | ||||
| -rw-r--r-- | src/share/mh/publish_key | 19 | ||||
| -rw-r--r-- | src/share/mh/revoke_hostname | 68 | ||||
| -rw-r--r-- | src/share/mh/revoke_key | 18 | ||||
| -rw-r--r-- | src/share/mh/revoke_name | 72 | ||||
| -rw-r--r-- | src/share/mh/set_expire | 38 | ||||
| -rwxr-xr-x | src/transitions/0.28 | 25 |
20 files changed, 793 insertions, 438 deletions
diff --git a/src/monkeysphere b/src/monkeysphere index 14d2bf0..648f5e9 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -45,12 +45,15 @@ Monkeysphere client tool. subcommands: update-known_hosts (k) [HOST]... update known_hosts file update-authorized_keys (a) update authorized_keys file - gen-subkey (g) [KEYID] generate an authentication subkey - --length (-l) BITS key length in bits (2048) ssh-proxycommand HOST [PORT] monkeysphere ssh ProxyCommand --no-connect do not make TCP connection to host subkey-to-ssh-agent (s) store authentication subkey in ssh-agent sshfpr (f) KEYID output ssh fingerprint of gpg key + + keys-for-userid (u) USERID output valid keys for user id literal + gen-subkey (g) [KEYID] generate an authentication subkey + --length (-l) BITS key length in bits (2048) + version (v) show version number help (h,?) this help @@ -143,7 +146,7 @@ check_gpg_authentication_subkey() { # if authentication key is valid, prompt to continue if [ "$validity" = 'u' ] ; then echo "A valid authentication key already exists for primary key '$keyID'." 1>&2 - if [ "$PROMPT" = "true" ] ; then + if [ "$PROMPT" != "false" ] ; then printf "Are you sure you would like to generate another one? (y/N) " >&2 read OK; OK=${OK:N} if [ "${OK/y/Y}" != 'Y' ] ; then @@ -214,9 +217,13 @@ mkdir -p -m 0700 "$GNUPGHOME" export LOG_LEVEL export LOG_PREFIX +if [ "$#" -eq 0 ] ; then + usage + failure "Please supply a subcommand." +fi + # get subcommand COMMAND="$1" -[ "$COMMAND" ] || $PGRM help shift case $COMMAND in @@ -244,7 +251,7 @@ case $COMMAND in process_authorized_user_ids "$AUTHORIZED_USER_IDS" ;; - 'import-subkey'|'i') + 'import-subkey'|'import'|'i') source "${MSHAREDIR}/import_subkey" import_subkey "$@" ;; @@ -268,16 +275,25 @@ case $COMMAND in gpg_ssh_fingerprint "$@" ;; - 'version'|'v') + 'keys-for-userid'|'u') + keys_for_userid "$@" + ;; + + 'keys-from-userid') + echo "Warning: 'keys-from-userid' is deprecated. Please use 'keys-for-userid' instead." >&2 + keys_for_userid "$@" + ;; + + 'version'|'--version'|'v') version ;; - '--help'|'help'|'-h'|'h'|'?') + 'help'|'--help'|'-h'|'h'|'?') usage ;; *) failure "Unknown command: '$COMMAND' -Type '$PGRM help' for usage." +Try '$PGRM help' for usage." ;; esac diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 057d14e..8c58645 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -136,7 +136,6 @@ LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '} # export variables needed in su invocation export DATE -export MODE export LOG_LEVEL export KEYSERVER export MONKEYSPHERE_USER @@ -150,9 +149,13 @@ export GNUPGHOME export CORE_KEYLENGTH export LOG_PREFIX +if [ "$#" -eq 0 ] ; then + usage + failure "Please supply a subcommand." +fi + # get subcommand COMMAND="$1" -[ "$COMMAND" ] || $PGRM help shift case $COMMAND in @@ -161,14 +164,14 @@ case $COMMAND in setup ;; - 'update-users'|'update-user'|'u') + 'update-users'|'update-user'|'update'|'u') source "${MASHAREDIR}/setup" setup source "${MASHAREDIR}/update_users" update_users "$@" ;; - 'refresh-keys'|'r') + 'refresh-keys'|'refresh'|'r') source "${MASHAREDIR}/setup" setup gpg_sphere "--keyserver $KEYSERVER --refresh-keys" @@ -208,7 +211,7 @@ case $COMMAND in gpg_sphere "$@" ;; - 'version'|'v') + 'version'|'--version'|'v') version ;; @@ -218,6 +221,6 @@ case $COMMAND in *) failure "Unknown command: '$COMMAND' -Type '$PGRM help' for usage." +Try '$PGRM help' for usage." ;; esac diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 52a4373..6145c30 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -8,7 +8,7 @@ # Daniel Kahn Gillmor <dkg@fifthhorseman.net> # Micah Anderson <micah@riseup.net> # -# They are Copyright 2008-2009, and are all released under the GPL, +# They are Copyright 2008-2010, and are all released under the GPL, # version 3 or later. ######################################################################## @@ -34,7 +34,7 @@ MHSHAREDIR="${SYSSHAREDIR}/mh" MHDATADIR="${SYSDATADIR}/host" # host pub key files -HOST_KEY_FILE="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" +HOST_KEY_FILE="${SYSDATADIR}/host_keys.pub.pgp" # UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') @@ -52,18 +52,21 @@ usage: $PGRM <subcommand> [options] [args] Monkeysphere host admin tool. subcommands: - import-key (i) FILE NAME[:PORT] import existing ssh key to gpg - show-key (s) output all host key information - publish-key (p) publish host key to keyserver - set-expire (e) [EXPIRE] set host key expiration - add-hostname (n+) NAME[:PORT] add hostname user ID to host key - revoke-hostname (n-) NAME[:PORT] revoke hostname user ID - add-revoker (r+) KEYID|FILE add a revoker to the host key - revoke-key generate and/or publish revocation - certificate for host key - - version (v) show version number - help (h,?) this help + import-key (i) FILE SERVICENAME import PEM-encoded key from file + show-keys (s) [KEYID ...] output host key information + publish-keys (p) [KEYID ...] publish key(s) to keyserver + set-expire (e) EXPIRE [KEYID] set key expiration + add-servicename (n+) SERVICENAME [KEYID] + add a service name to key + revoke-servicename (n-) SERVICENAME [KEYID] + revoke a service name from key + add-revoker (r+) REVOKER_KEYID|FILE [KEYID] + add a revoker to key + revoke-key [KEYID] generate and/or publish revocation + certificate for key + + version (v) show version number + help (h,?) this help See ${PGRM}(8) for more info. EOF @@ -74,84 +77,209 @@ gpg_host() { GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --no-tty "$@" } -# command to list the info about the host key, in colon format, to -# stdout -gpg_host_list() { - gpg_host --list-keys --with-colons --fixed-list-mode \ - --with-fingerprint --with-fingerprint \ - "0x${HOST_FINGERPRINT}!" - +# list the info about the a key, in colon format, to stdout +gpg_host_list_keys() { + if [ "$1" ] ; then + gpg_host --list-keys --with-colons --fixed-list-mode \ + --with-fingerprint --with-fingerprint \ + "$1" + else + gpg_host --list-keys --with-colons --fixed-list-mode \ + --with-fingerprint --with-fingerprint + fi } -# command for edit key scripts, takes scripts on stdin +# edit key scripts, takes scripts on stdin, and keyID as first input gpg_host_edit() { - gpg_host --command-fd 0 --edit-key "0x${HOST_FINGERPRINT}!" "$@" + gpg_host --command-fd 0 --edit-key "$@" } -# export the host public key to the monkeysphere gpg pub key file -update_gpg_pub_file() { +# export the monkeysphere OpenPGP pub key file +update_pgp_pub_file() { log debug "updating openpgp public key file '$HOST_KEY_FILE'..." gpg_host --export --armor --export-options export-minimal \ - "0x${HOST_FINGERPRINT}!" > "$HOST_KEY_FILE" + $(gpg_host --list-secret-keys --with-colons --fingerprint | grep ^fpr | cut -f10 -d:) \ + > "$HOST_KEY_FILE" } -# load the host fingerprint into the fingerprint variable, using the -# export gpg pub key file -# FIXME: this seems much less than ideal, with all this temp keyring -# stuff. is there a way we can do this without having to create temp -# files? what if we stored the fingerprint in MHDATADIR/fingerprint? -load_fingerprint() { - if [ -f "$HOST_KEY_FILE" ] ; then - HOST_FINGERPRINT=$( \ - (FUBAR=$(msmktempdir) && export GNUPGHOME="$FUBAR" \ - && gpg --quiet --import \ - && gpg --quiet --list-keys --with-colons --with-fingerprint \ - && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \ - | grep '^fpr:' | cut -d: -f10 ) - else - failure "host key gpg pub file not found." +# check that the service name is well formed. we assume that the +# service name refers to a host; DNS labels for host names are limited +# to a very small range of characters (see RFC 1912, section 2.1). + +# FIXME: i'm failing to check here for label components that are +# all-number (e.g. ssh://666.666), which are technically not allowed +# (though some exist on the 'net, apparently) + +# FIXME: this will probably misbehave if raw IP addresses are provided, +# either IPv4 or IPv6 using the bracket notation. + +# FIXME: this doesn't address the use of hashed User IDs. + +check_service_name() { + local name="$1" + local errs="" + local scheme + local port + local assigned_ports + + [ -n "$name" ] || \ + failure "You must supply a service name to check" + + printf '%s' "$name" | perl -n -e '($str = $_) =~ s/\s//g ; exit !(lc($str) eq $_);' || \ + failure "Not a valid service name: '$name' + +Service names should be canonicalized to all lower-case, +with no whitespace" + + [[ "$name" =~ ^[a-z0-9./:-]+$ ]] || \ + failure "Not a valid service name: '$name' + +Service names should contain only lower-case ASCII letters +numbers, dots (.), hyphens (-), slashes (/), and a colon (:). +If you are using non-ASCII characters (e.g. IDN), you should +use the canonicalized ASCII (NAMEPREP -> Punycode) representation +(see RFC 3490)." + + [[ "$name" =~ \. ]] || \ + failure "Not a valid service name: '$name' + +Service names should use fully-qualified domain names (FQDN), but the +domain name you chose appears to only have the local part. For +example: don't use 'ssh://foo' ; use 'ssh://foo.example.com' instead." + + [[ "$name" =~ ^[a-z]([a-z0-9-]*[a-z0-9])?://[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.|((\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+))(:[1-9][0-9]{0,4})?$ ]] || \ + failure "Not a valid service name: '$name' + +Service names look like <scheme>://full.example.com[:<portnumber>], +where <scheme> is something like ssh or https, and <portnumber> is +a decimal number (supplied only if the service is on a non-standard +port)." + + scheme=$(cut -f1 -d: <<<"$name") + port=$(cut -f3 -d: <<<"$name") + + # check that the scheme name is found in the system services + # database + available_=$(get_port_for_service "$scheme") || \ + log error "Error looking up service scheme named '%s'" "$scheme" + + # FIXME: if the service isn't found, or does not have a port, what + # should we do? at the moment, we're just warning. + + if [ -n "$port" ]; then + # check that the port number is a legitimate port number (> 0, < 65536) + [ "$port" -gt 0 ] && [ "$port" -lt 65536 ] || \ + failure "The given port number should be greater than 0 and +less than 65536. '$port' is not OK" + + # if the port number is given, and the scheme is in the services + # database, check that the port number does *not* match the + # default port. + if (printf '%s' "$assigned_ports" | grep -q -F -x "$port" ) ; then + failure $(printf "The scheme %s uses port number %d by default. +You should leave off the port number if it is the default" "$scheme" "$port") + fi fi -} - -# load the host fingerprint into the fingerprint variable, using the -# gpg host secret key -load_fingerprint_secret() { - HOST_FINGERPRINT=$( \ - gpg_host --list-secret-key --with-colons --with-fingerprint \ - | grep '^fpr:' | cut -d: -f10 ) -} -# fail if host key present -check_host_key() { - [ ! -s "$HOST_KEY_FILE" ] \ - || failure "An OpenPGP host key already exists." } # fail if host key not present -check_host_no_key() { +check_no_keys() { [ -s "$HOST_KEY_FILE" ] \ || failure "You don't appear to have a Monkeysphere host key on this server. -Please run 'monkeysphere-host import-key...' first." +Please run 'monkeysphere-host import-key' import a key." +} + +# key input to functions, outputs full fingerprint of specified key if +# found +check_key_input() { + local keyID="$1" + # array of fingerprints + local fprs=($(list_primary_fingerprints <"$HOST_KEY_FILE")) + + case ${#fprs[@]} in + 0) + failure "You don't appear to have any Monkeysphere host keys. +Please run 'monkeysphere-host import-key' to import a key." + ;; + 1) + : + ;; + *) + if [ -z "$keyID" ] ; then + failure "Your host keyring contains multiple keys. +Please specify one to act on (see 'monkeysphere-host show-keys')." + fi + ;; + esac + printf '%s\n' "${fprs[@]}" | grep "${keyID}$" \ + || failure "Host key '$keyID' not found." } # return 0 if user ID was found. # return 1 if user ID not found. -find_host_userid() { - local userID="$1" +check_key_userid() { + local keyID="$1" + local userID="$2" local tmpuidMatch # match to only "unknown" user IDs (host has no need for ultimate trust) tmpuidMatch="uid:-:$(echo $userID | gpg_escape)" # See whether the requsted user ID is present - gpg_host_list | cut -f1,2,10 -d: | \ + gpg_host_list_keys "$keyID" | cut -f1,2,10 -d: | \ grep -q -x -F "$tmpuidMatch" 2>/dev/null } -# show info about the host key +prompt_userid_exists() { + local userID="$1" + local gpgOut + local fingerprint + + if gpgOut=$(gpg_host_list_keys "=${userID}" 2>/dev/null) ; then + fingerprint=$(echo "$gpgOut" | grep '^fpr:' | cut -d: -f10) + if [ "$PROMPT" != "false" ] ; then + printf "Service name '%s' is already being used by key '%s'.\nAre you sure you want to use it again? (y/N) " "$fingerprint" "$userID" >&2 + read OK; OK=${OK:=N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "Service name not added." + fi + else + log info "Key '%s' is already using the service name '%s'." "$fingerprint" "$userID" >&2 + fi + fi +} + +# run command looped over keys +multi_key() { + local cmd="$1" + shift + local keys=$@ + local i=0 + local key + + check_no_keys + + local fprs=($(list_primary_fingerprints <"$HOST_KEY_FILE")) + + if [[ -z "$1" || "$1" == '--all' ]] ; then + keys="${fprs[@]}" + fi + + for key in $keys ; do + if (( i++ > 0 )) ; then + echo "##############################" + fi + "$cmd" "$key" + done +} + +# show info about the a key show_key() { + local id="$1" local GNUPGHOME - local TMPSSH + local fingerprint + local tmpssh local revokers # tmp gpghome dir @@ -163,24 +291,29 @@ show_key() { # import the host key into the tmp dir gpg --quiet --import <"$HOST_KEY_FILE" - # create the ssh key - TMPSSH="$GNUPGHOME"/ssh_host_key_rsa_pub - gpg --export | openpgp2ssh 2>/dev/null >"$TMPSSH" - # get the gpg fingerprint - HOST_FINGERPRINT=$(gpg --quiet --list-keys --with-colons --with-fingerprint \ - | grep '^fpr:' | cut -d: -f10 ) + if gpg --quiet --list-keys \ + --with-colons --with-fingerprint "$id" \ + | grep '^fpr:' | cut -d: -f10 > "$GNUPGHOME"/fingerprint ; then + fingerprint=$(cat "$GNUPGHOME"/fingerprint) + else + failure "ID '$id' not found." + fi + + # create the ssh key + tmpssh="$GNUPGHOME"/ssh_host_key_rsa_pub + gpg --export "$fingerprint" 2>/dev/null \ + | openpgp2ssh 2>/dev/null >"$tmpssh" # list the host key info # FIXME: make no-show-keyring work so we don't have to do the grep'ing # FIXME: can we show uid validity somehow? - gpg --list-keys --fingerprint \ - --list-options show-unusable-uids 2>/dev/null \ + gpg --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \ | grep -v "^${GNUPGHOME}/pubring.gpg$" \ | egrep -v '^-+$' # list revokers, if there are any - revokers=$(gpg --list-keys --with-colons --fixed-list-mode \ + revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$fingerprint" \ | awk -F: '/^rvk:/{ print $10 }' ) if [ "$revokers" ] ; then echo "The following keys are allowed to revoke this host key:" @@ -191,11 +324,11 @@ show_key() { fi # list the pgp fingerprint - echo "OpenPGP fingerprint: $HOST_FINGERPRINT" + echo "OpenPGP fingerprint: $fingerprint" # list the ssh fingerprint echo -n "ssh fingerprint: " - ssh-keygen -l -f "$TMPSSH" | awk '{ print $1, $2, $4 }' + ssh-keygen -l -f "$tmpssh" | awk '{ print $1, $2, $4 }' # remove the tmp file trap - EXIT @@ -236,63 +369,53 @@ export GNUPGHOME export HOST_FINGERPRINT export LOG_PREFIX +if [ "$#" -eq 0 ] ; then + usage + failure "Please supply a subcommand." +fi + # get subcommand COMMAND="$1" -[ "$COMMAND" ] || $PGRM help shift case $COMMAND in - 'import-key'|'i') - check_host_key + 'import-key'|'import'|'i') source "${MHSHAREDIR}/import_key" import_key "$@" ;; - 'show-key'|'show'|'s') - check_host_no_key - show_key + 'show-keys'|'show-key'|'show'|'s') + multi_key show_key "$@" ;; - 'set-expire'|'extend-key'|'e') - check_host_no_key - load_fingerprint + 'set-expire'|'extend-key'|'extend'|'e') source "${MHSHAREDIR}/set_expire" set_expire "$@" ;; - 'add-hostname'|'add-name'|'n+') - check_host_no_key - load_fingerprint - source "${MHSHAREDIR}/add_hostname" - add_hostname "$@" + 'add-servicename'|'add-hostname'|'add-name'|'n+') + source "${MHSHAREDIR}/add_name" + add_name "$@" ;; - 'revoke-hostname'|'revoke-name'|'n-') - check_host_no_key - load_fingerprint - source "${MHSHAREDIR}/revoke_hostname" - revoke_hostname "$@" + 'revoke-servicename'|'revoke-hostname'|'revoke-name'|'n-') + source "${MHSHAREDIR}/revoke_name" + revoke_name "$@" ;; 'add-revoker'|'r+') - check_host_no_key - load_fingerprint source "${MHSHAREDIR}/add_revoker" add_revoker "$@" ;; 'revoke-key') - check_host_no_key - load_fingerprint source "${MHSHAREDIR}/revoke_key" revoke_key "$@" ;; - 'publish-key'|'publish'|'p') - check_host_no_key - load_fingerprint + 'publish-keys'|'publish-key'|'publish'|'p') source "${MHSHAREDIR}/publish_key" - publish_key + multi_key publish_key "$@" ;; 'diagnostics'|'d') @@ -300,12 +423,11 @@ case $COMMAND in diagnostics ;; - 'update-gpg-pub-file') - load_fingerprint_secret - update_gpg_pub_file + 'update-pgp-pub-file') + update_pgp_pub_file ;; - 'version'|'v') + 'version'|'--version'|'v') version ;; @@ -315,6 +437,6 @@ case $COMMAND in *) failure "Unknown command: '$COMMAND' -Type '$PGRM help' for usage." +Try '$PGRM help' for usage." ;; esac diff --git a/src/share/common b/src/share/common index 4aa3f7c..e735319 100644 --- a/src/share/common +++ b/src/share/common @@ -281,7 +281,7 @@ get_gpg_expiration() { keyExpire="$1" - if [ -z "$keyExpire" -a "$PROMPT" = 'true' ]; then + if [ -z "$keyExpire" -a "$PROMPT" != 'false' ]; then cat >&2 <<EOF Please specify how long the key should be valid. 0 = key does not expire @@ -436,6 +436,28 @@ list_users() { fi } +# take one argument, a service name. in response, print a series of +# lines, each with a unique numeric port number that might be +# associated with that service name. (e.g. in: "https", out: "443") +# if nothing is found, print nothing, and return 0. +# +# return 1 if there was an error in the search somehow +get_port_for_service() { + + [[ "$1" =~ ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ ]] || \ + failure $(printf "This is not a valid service name: '%s'" "$1") + if type getent &>/dev/null ; then + # for linux and FreeBSD systems (getent returns 2 if not found, 0 on success, 1 or 3 on various failures) + (getent services "$service" || if [ "$?" -eq 2 ] ; then true ; else false; fi) | awk '{ print $2 }' | cut -f1 -d/ | sort -u + elif [ -r /etc/services ] ; then + # fall back to /etc/services for systems that don't have getent (MacOS?) + # FIXME: doesn't handle aliases like "null" (or "http"?), which don't show up at the beginning of the line. + awk $(printf '/^%s[[:space:]]/{ print $2 }' "$1") /etc/services | cut -f1 -d/ | sort -u + else + return 1 + fi +} + # return the path to the home directory of a user get_homedir() { local uname=${1:-`whoami`} @@ -530,6 +552,15 @@ gpg2authorized_keys() { ### GPG UTILITIES +# script to determine if gpg version is equal to or greater than specified version +is_gpg_version_greater_equal() { + local gpgVersion=$(gpg --version | head -1 | awk '{ print $3 }') + local latest=$(printf '%s\n%s\n' "$1" "$gpgVersion" \ + | tr '.' ' ' | sort -g -k1 -k2 -k3 \ + | tail -1 | tr ' ' '.') + [[ "$gpgVersion" == "$latest" ]] +} + # retrieve all keys with given user id from keyserver # FIXME: need to figure out how to retrieve all matching keys # (not just first N (5 in this case)) @@ -559,7 +590,7 @@ gpg_fetch_userid() { # userid and key policy checking # the following checks policy on the returned keys # - checks that full key has appropriate valididy (u|f) -# - checks key has specified capability (REQUIRED_*_KEY_CAPABILITY) +# - checks key has specified capability (REQUIRED_KEY_CAPABILITY) # - checks that requested user ID has appropriate validity # (see /usr/share/doc/gnupg/DETAILS.gz) # output is one line for every found key, in the following format: @@ -571,8 +602,6 @@ gpg_fetch_userid() { # # all log output must go to stderr, as stdout is used to pass the # flag:sshKey to the calling function. -# -# expects global variable: "MODE" process_user_id() { local returnCode=0 local userID @@ -593,11 +622,7 @@ process_user_id() { userID="$1" # set the required key capability based on the mode - if [ "$MODE" = 'known_hosts' ] ; then - requiredCapability="$REQUIRED_HOST_KEY_CAPABILITY" - elif [ "$MODE" = 'authorized_keys' ] ; then - requiredCapability="$REQUIRED_USER_KEY_CAPABILITY" - fi + requiredCapability=${REQUIRED_KEY_CAPABILITY:="a"} requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]") # fetch the user ID if necessary/requested @@ -758,6 +783,59 @@ process_user_id() { # being processed in the key files over "bad" keys (key flag '1') } +# output all valid keys for specified user ID literal +keys_for_userid() { + local userID + local noKey= + local nKeys + local nKeysOK + local ok + local sshKey + local tmpfile + + userID="$1" + + log verbose "processing: $userID" + + nKeys=0 + nKeysOK=0 + + IFS=$'\n' + for line in $(process_user_id "${userID}") ; do + # note that key was found + nKeys=$((nKeys+1)) + + ok=$(echo "$line" | cut -d: -f1) + sshKey=$(echo "$line" | cut -d: -f2) + + if [ -z "$sshKey" ] ; then + continue + fi + + # if key OK, output key to stdout + if [ "$ok" -eq '0' ] ; then + # note that key was found ok + nKeysOK=$((nKeysOK+1)) + + printf '%s\n' "$sshKey" + fi + done + + # if at least one key was found... + if [ "$nKeys" -gt 0 ] ; then + # if ok keys were found, return 0 + if [ "$nKeysOK" -gt 0 ] ; then + return 0 + # else return 2 + else + return 2 + fi + # if no keys were found, return 1 + else + return 1 + fi +} + # process a single host in the known_host file process_host_known_hosts() { local host @@ -770,7 +848,7 @@ process_host_known_hosts() { local tmpfile # set the key processing mode - export MODE='known_hosts' + export REQUIRED_KEY_CAPABILITY="$REQUIRED_HOST_KEY_CAPABILITY" host="$1" userID="ssh://${host}" @@ -954,7 +1032,7 @@ process_uid_authorized_keys() { local sshKey # set the key processing mode - export MODE='authorized_keys' + export REQUIRED_KEY_CAPABILITY="$REQUIRED_USER_KEY_CAPABILITY" userID="$1" @@ -1121,9 +1199,23 @@ process_authorized_user_ids() { # fingerprints, one per line: list_primary_fingerprints() { local fake=$(msmktempdir) - GNUPGHOME="$fake" gpg --no-tty --quiet --import + trap "rm -rf $fake" EXIT + GNUPGHOME="$fake" gpg --no-tty --quiet --import --ignore-time-conflict 2>/dev/null GNUPGHOME="$fake" gpg --with-colons --fingerprint --list-keys | \ awk -F: '/^fpr:/{ print $10 }' + trap - EXIT + rm -rf "$fake" +} + +# takes an OpenPGP key or set of keys on stdin, a fingerprint or other +# key identifier as $1, and outputs the gpg-formatted information for +# the requested keys from the material on stdin +get_cert_info() { + local fake=$(msmktempdir) + trap "rm -rf $fake" EXIT + GNUPGHOME="$fake" gpg --no-tty --quiet --import --ignore-time-conflict 2>/dev/null + GNUPGHOME="$fake" gpg --with-colons --fingerprint --fixed-list-mode --list-keys "$1" + trap - EXIT rm -rf "$fake" } diff --git a/src/share/keytrans b/src/share/keytrans index ae4fb09..255a271 100755 --- a/src/share/keytrans +++ b/src/share/keytrans @@ -722,6 +722,7 @@ sub findkey { my $foundfprstr = Crypt::OpenSSL::Bignum->new_from_bin($foundfpr)->to_hex(); # left-pad with 0's to bring up to full 40-char (160-bit) fingerprint: $foundfprstr = sprintf("%040s", $foundfprstr); + my $matched = 0; # is this a match? if ((!defined($data->{target}->{fpr})) || @@ -731,6 +732,7 @@ sub findkey { } $data->{key} = { 'rsa' => $pubkey, 'timestamp' => $key_timestamp }; + $matched = 1; } if ($tag != $packet_types->{seckey} && @@ -740,7 +742,7 @@ sub findkey { } return; } - if (!defined($data->{key})) { + if (!$matched) { # we don't think the public part of this key matches if ($readbytes < $packetlen) { read($instr, $dummy, $packetlen - $readbytes) or die "Could not skip past this packet.\n"; @@ -810,6 +812,40 @@ sub openpgp2rsa { return $data->{key}->{rsa}; } +sub findkeyfprs { + my $data = shift; + my $instr = shift; + my $tag = shift; + my $packetlen = shift; + + findkey($data, $instr, $tag, $packetlen); + if (defined($data->{key})) { + if (defined($data->{key}->{rsa}) && defined($data->{key}->{timestamp})) { + $data->{keys}->{fingerprint($data->{key}->{rsa}, $data->{key}->{timestamp})} = $data->{key}; + } else { + die "should have found some key here"; + } + undef($data->{key}); + } +}; + +sub getallprimarykeys { + my $instr = shift; + + my $subs = { $packet_types->{pubkey} => \&findkeyfprs, + $packet_types->{seckey} => \&findkeyfprs, + }; + my $data = {target => { } }; + + packetwalk($instr, $subs, $data); + + if (defined $data->{keys}) { + return $data->{keys}; + } else { + return {}; + } +} + sub adduserid { my $instr = shift; my $fpr = shift; @@ -1102,6 +1138,12 @@ for (basename($0)) { }); print $newuid; + } elsif (/^listfprs$/) { + my $instream; + open($instream,'-'); + binmode($instream, ":bytes"); + my $keys = getallprimarykeys($instream); + printf("%s\n", join("\n", map { uc(unpack('H*', $_)) } keys(%{$keys}))); } else { die "Unrecognized subcommand. keytrans subcommands are not a stable interface!\n"; } diff --git a/src/share/m/gen_subkey b/src/share/m/gen_subkey index a90c618..cf1ed0c 100644 --- a/src/share/m/gen_subkey +++ b/src/share/m/gen_subkey @@ -19,6 +19,7 @@ gen_subkey(){ local keyID local editCommands local fifoDir + local keyType # get options while true ; do @@ -43,9 +44,27 @@ Type '$PGRM help' for usage." # check that an authentication subkey does not already exist check_gpg_authentication_subkey "$keyID" + # determine which keyType to use from gpg version + keyType=7 + case $(gpg --version | head -1 | awk '{ print $3 }' | cut -d. -f1) in + 1) + if is_gpg_version_greater_equal 1.4.10 ; then + keyType=8 + fi + ;; + 2) + if is_gpg_version_greater_equal 2.0.13 ; then + keyType=8 + fi + ;; + *) + keyType=8 + ;; + esac + # generate the list of commands that will be passed to edit-key editCommands="addkey -8 +$keyType S E A diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index 1601997..bd38190 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier @@ -135,7 +135,7 @@ EOF log info "key found:" gpg_sphere "--fingerprint 0x${fingerprint}!" - if [ "$PROMPT" = "true" ] ; then + if [ "$PROMPT" != "false" ] ; then printf "Are you sure you want to add the above key as a certifier\nof users on this system? (Y/n) " >&2 read OK; OK=${OK:-Y} if [ "${OK/y/Y}" != 'Y' ] ; then diff --git a/src/share/ma/remove_certifier b/src/share/ma/remove_certifier index 79f1cda..51c7ee7 100644 --- a/src/share/ma/remove_certifier +++ b/src/share/ma/remove_certifier @@ -26,7 +26,7 @@ fi # FIXME: should we be doing a fancier list_certifier output here? gpg_core --list-key --fingerprint "0x${keyID}!" || failure -if [ "$PROMPT" = "true" ] ; then +if [ "$PROMPT" != "false" ] ; then printf "Really remove the above listed identity certifier? (Y/n) " >&2 read OK; OK=${OK:-Y} if [ "${OK/y/Y}" != 'Y' ] ; then diff --git a/src/share/ma/update_users b/src/share/ma/update_users index 31b53bf..0086cd3 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users @@ -27,9 +27,6 @@ else unames=$(list_users) fi -# set mode -MODE="authorized_keys" - # set gnupg home GNUPGHOME="$GNUPGHOME_SPHERE" diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname deleted file mode 100644 index c1b32a9..0000000 --- a/src/share/mh/add_hostname +++ /dev/null @@ -1,62 +0,0 @@ -# -*-shell-script-*- -# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) - -# Monkeysphere host add-hostname subcommand -# -# The monkeysphere scripts are written by: -# Jameson Rollins <jrollins@finestructure.net> -# Jamie McClelland <jm@mayfirst.org> -# Daniel Kahn Gillmor <dkg@fifthhorseman.net> -# -# They are Copyright 2008-2009, and are all released under the GPL, -# version 3 or later. - -# add hostname user ID to server key - -add_hostname() { - -local userID -local fingerprint -local tmpuidMatch -local line -local adduidCommand - -if [ -z "$1" ] ; then - failure "You must specify a hostname to add." -fi - -userID="ssh://${1}" - -# test that the desired user ID does not already exist -find_host_userid "$userID" && \ - failure "Host userID '$userID' already exists." - -if [ "$PROMPT" = "true" ] ; then - printf "The following user ID will be added to the host key:\n %s\nAre you sure you would like to add this user ID? (Y/n) " "$userID" >&2 - read OK; OK=${OK:=Y} - if [ "${OK/y/Y}" != 'Y' ] ; then - failure "User ID not added." - fi -else - log debug "adding user ID without prompting." -fi - -# execute edit-key script -if PEM2OPENPGP_USAGE_FLAGS=authenticate \ - <"$GNUPGHOME_HOST/secring.gpg" \ - "$SYSSHAREDIR/keytrans" adduserid \ - "$HOST_FINGERPRINT" "$userID" | gpg_host --import ; then - gpg_host --check-trustdb - - update_gpg_pub_file - - show_key - - echo - echo "NOTE: User ID added to key, but key not published." - echo "Run '$PGRM publish-key' to publish the new user ID." -else - failure "Problem adding user ID." -fi - -} diff --git a/src/share/mh/add_name b/src/share/mh/add_name new file mode 100644 index 0000000..39ebace --- /dev/null +++ b/src/share/mh/add_name @@ -0,0 +1,71 @@ +# -*-shell-script-*- +# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) + +# Monkeysphere host add-hostname subcommand +# +# The monkeysphere scripts are written by: +# Jameson Rollins <jrollins@finestructure.net> +# Jamie McClelland <jm@mayfirst.org> +# Daniel Kahn Gillmor <dkg@fifthhorseman.net> +# +# They are Copyright 2008-2010, and are all released under the GPL, +# version 3 or later. + +# add servicename user ID to server key + +add_name() { + +local serviceName +local keyID +local fingerprint +local tmpuidMatch +local line +local adduidCommand + +if [ -z "$1" ] ; then + failure "You must specify a service name to add." +fi +serviceName="$1" +shift + +keyID=$(check_key_input "$@") + +# test that the desired user ID does not already exist +check_key_userid "$keyID" "$serviceName" && \ + failure "Service name '$serviceName' already exists on key '$keyID'." + +# test that a key with that user ID does not already exist +prompt_userid_exists "$serviceName" + +check_service_name "$serviceName" + +if [ "$PROMPT" != "false" ] ; then + printf "The following service name will be added to key '$keyID':\n %s\nAre you sure you would like to add this service name? (Y/n) " "$serviceName" >&2 + read OK; OK=${OK:=Y} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "Service name not added." + fi +else + log debug "adding service name without prompting." +fi + +# execute edit-key script +if PEM2OPENPGP_USAGE_FLAGS=authenticate \ + <"$GNUPGHOME_HOST/secring.gpg" \ + "$SYSSHAREDIR/keytrans" adduserid "$keyID" "$serviceName" \ + | gpg_host --import ; then + + gpg_host --check-trustdb + + update_pgp_pub_file + + show_key "$keyID" + + echo + echo "NOTE: Service name added to key, but key not published." + echo "Run '$PGRM publish-key' to publish the new service name." +else + failure "Problem adding service name." +fi + +} diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker index 89e6fcf..41cf090 100644 --- a/src/share/mh/add_revoker +++ b/src/share/mh/add_revoker @@ -8,24 +8,27 @@ # Jamie McClelland <jm@mayfirst.org> # Daniel Kahn Gillmor <dkg@fifthhorseman.net> # -# They are Copyright 2008, and are all released under the GPL, version 3 -# or later. +# They are Copyright 2008-2010, and are all released under the GPL, +# version 3 or later. # add a revoker to the host key add_revoker() { +local revokerKeyID local keyID local tmpDir local fingerprint local addrevokerCommand -keyID="$1" - # check that key ID or file is specified -if [ -z "$keyID" ] ; then +if [ -z "$1" ] ; then failure "You must specify the key ID of a revoker key, or specify a file to read the key from." fi +revokerKeyID="$1" +shift + +keyID=$(check_key_input "$@") # make a temporary directory for storing keys during import, and set # the trap to delete it on exit @@ -33,33 +36,33 @@ tmpDir=$(msmktempdir) trap "rm -rf $tmpDir" EXIT # if file is specified -if [ -f "$keyID" -o "$keyID" = '-' ] ; then +if [ -f "$revokerKeyID" -o "$revokerKeyID" = '-' ] ; then # load the key from stdin - if [ "$keyID" = '-' ] ; then + if [ "$revokerKeyID" = '-' ] ; then # make a temporary file to hold the key from stdin - keyID="$tmpDir"/importkey - log verbose "reading key from stdin..." - cat > "$keyID" + revokerKeyID="$tmpDir"/importkey + log verbose "reading revoker key from stdin..." + cat > "$revokerKeyID" # load the key from the file - elif [ -f "$keyID" ] ; then - log verbose "reading key from file '$keyID'..." + elif [ -f "$revokerKeyID" ] ; then + log verbose "reading revoker key from file '$revokerKeyID'..." fi # check the key is ok as monkeysphere user before loading log debug "checking keys in file..." fingerprint=$(su_monkeysphere_user \ - ". ${SYSSHAREDIR}/common; list_primary_fingerprints" < "$keyID") + ". ${SYSSHAREDIR}/common; list_primary_fingerprints" < "$revokerKeyID") if [ $(printf "%s" "$fingerprint" | egrep -c '^[A-F0-9]{40}$') -ne 1 ] ; then failure "There was not exactly one gpg key in the file." fi # load the key - gpg_host --import <"$keyID" \ - || failure "could not read key from '$keyID'" + gpg_host --import <"$revokerKeyID" \ + || failure "could not read revoker key from '$revokerKeyID'" -# else, get the key from the keyserver +# else, get the revoker key from the keyserver else # fix permissions and ownership on temporary directory which will # be used by monkeysphere user for storing the downloaded key @@ -67,13 +70,13 @@ else chown "$MONKEYSPHERE_USER":"$MONKEYSPHERE_GROUP" "$tmpDir" # download the key from the keyserver as the monkeysphere user - log verbose "searching keyserver $KEYSERVER for keyID $keyID..." - su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --quiet --keyserver $KEYSERVER --recv-key 0x${keyID}!" \ - || failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver." + log verbose "searching keyserver $KEYSERVER for revoker keyID $revokerKeyID..." + su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --quiet --keyserver $KEYSERVER --recv-key 0x${revokerKeyID}!" \ + || failure "Could not receive a key with this ID from keyserver '$KEYSERVER'." # get the full fingerprint of new revoker key log debug "getting fingerprint of revoker key..." - fingerprint=$(su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --list-key --with-colons --with-fingerprint 0x${keyID}!" \ + fingerprint=$(su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --list-key --with-colons --with-fingerprint ${revokerKeyID}" \ | grep '^fpr:' | cut -d: -f10) # test that there is only a single fingerprint @@ -86,11 +89,11 @@ EOF failure fi - log info "key found:" + log info "revoker key found:" su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --fingerprint 0x${fingerprint}!" if [ "$PROMPT" = "true" ] ; then - printf "Are you sure you want to add the above key as a revoker\nof the host key? (Y/n) " >&2 + printf "Are you sure you want to add the above key as a revoker\nof the key '$keyID'? (Y/n) " >&2 read OK; OK=${OK:-Y} if [ "${OK/y/Y}" != 'Y' ] ; then failure "revoker not added." @@ -100,7 +103,7 @@ EOF fi # export the new key to the host keyring - log debug "loading key into host keyring..." + log debug "loading revoker key into host keyring..." su_monkeysphere_user "GNUPGHOME=$tmpDir gpg --quiet --export 0x${fingerprint}!" \ | gpg_host --import fi @@ -115,9 +118,9 @@ save # core ltsigns the newly imported revoker key log debug "executing add revoker script..." -if echo "$addrevokerCommand" | gpg_host_edit ; then +if echo "$addrevokerCommand" | gpg_host_edit "0x${keyID}!" ; then - update_gpg_pub_file + update_pgp_pub_file log info "Revoker added." else diff --git a/src/share/mh/diagnostics b/src/share/mh/diagnostics index b92d729..9409f1d 100644 --- a/src/share/mh/diagnostics +++ b/src/share/mh/diagnostics @@ -8,107 +8,88 @@ # Jamie McClelland <jm@mayfirst.org> # Daniel Kahn Gillmor <dkg@fifthhorseman.net> # -# They are Copyright 2008-2009, and are all released under the GPL, +# They are Copyright 2008-2010, and are all released under the GPL, # version 3 or later. -# check on the status and validity of the key and public certificates +# check on the status and validity of the host's public certificates (and keys?) -diagnostics() { - -local seckey -local keysfound -local curdate -local warnwindow -local warndate -local create -local expire -local uid -local fingerprint -local badhostkeys -local problemsfound=0 - -if ! [ -d "$SYSDATADIR" ] ; then - echo "! no $SYSDATADIR directory found. Please create it." - exit -fi - -if ! [ -f "$HOST_KEY_FILE" ] ; then - echo "No host key gpg pub file found!" - echo " - Recommendation: run 'monkeysphere-host import-key'" - exit -fi +# global vars for communicating between functions: -# load the host key fingerprint -load_fingerprint - -seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode) -keysfound=$(echo "$seckey" | grep -c ^sec:) -curdate=$(date +%s) +MHD_CURDATE=$(date +%s) # warn when anything is 2 months away from expiration -warnwindow='2 months' -warndate=$(advance_date $warnwindow +%s) - -if ! id monkeysphere >/dev/null ; then - echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell." - problemsfound=$(($problemsfound+1)) -fi +MHD_WARNWINDOW='2 months' +MHD_WARNDATE=$(advance_date $MHD_WARNWINDOW +%s) +MHD_PROBLEMSFOUND=0 + + +diagnose_key() { + local fpr="$1" + local certinfo + local create + local expire + local uid + local keysfound + local uiderrs + local errcount + + printf "Checking OpenPGP Certificate for key 0x%s\n" "$fpr" + + certinfo=$(get_cert_info "0x$fpr" <"$HOST_KEY_FILE") + keysfound=$(grep -c ^pub: <<<"$certinfo") + + if [ "$keysfound" -lt 1 ] ; then + printf "! Could not find key with fingerprint 0x%s\n" "$fpr" + # FIXME: recommend a way to resolve this! + MHD_PROBLEMSFOUND=$(($MHD_PROBLEMSFOUND+1)) + fi -echo "Checking host GPG key..." -if (( "$keysfound" < 1 )); then - echo "! No host key found. The monkeysphere-host data directory is corrupt?!?!" - echo " - Recommendation: purge the MHDATADIR ($MHDATADIR) and rerun 'monkeysphere-host import-key'" - problemsfound=$(($problemsfound+1)) -elif (( "$keysfound" > 1 )); then - echo "! More than one host key found?" - # FIXME: recommend a way to resolve this - problemsfound=$(($problemsfound+1)) -else - create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:) - expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:) - fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:) + create=$(echo "$certinfo" | grep ^pub: | cut -f6 -d:) + expire=$(echo "$certinfo" | grep ^pub: | cut -f7 -d:) # check for key expiration: if [ "$expire" ]; then - if (( "$expire" < "$curdate" )); then - echo "! Host key is expired." - echo " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire'" - problemsfound=$(($problemsfound+1)) - elif (( "$expire" < "$warndate" )); then - echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) - echo " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire'" - problemsfound=$(($problemsfound+1)) + if (( "$expire" < "$MHD_CURDATE" )); then + printf "! Host key 0x%s is expired.\n" "$fpr" + printf " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire 0x%s'\n" "$fpr" + MHD_PROBLEMSFOUND=$(($MHD_PROBLEMSFOUND+1)) + elif (( "$expire" < "$MHD_WARNDATE" )); then + printf "! Host key 0x%s expires in less than %s: %s\n" "$fpr" "$MHD_WARNWINDOW" $(advance_date $(( $expire - $MHD_CURDATE )) seconds +%F) + printf " - Recommendation: extend lifetime of key with 'monkeysphere-host set-expire %s'\n" "$fpr" + MHD_PROBLEMSFOUND=$(($MHD_PROBLEMSFOUND+1)) fi fi # and weirdnesses: - if [ "$create" ] && (( "$create" > "$curdate" )); then - echo "! Host key was created in the future(?!). Is your clock correct?" - echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" - problemsfound=$(($problemsfound+1)) + if [ "$create" ] && (( "$create" > "$MHD_CURDATE" )); then + printf "! Host key 0x%s was created in the future(?!): %s. Is your clock correct?\n" "$fpr" $(date -d "1970-01-01 + $create seconds" +%F) + printf " - Recommendation: Check your clock (is it really %s?); use NTP?\n" $(date +%F_%T) + MHD_PROBLEMSFOUND=$(($MHD_PROBLEMSFOUND+1)) fi # check for UserID expiration: - echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \ - while IFS=: read create expire uid ; do - # FIXME: should we be doing any checking on the form - # of the User ID? Should we be unmangling it somehow? - - if [ "$create" ] && (( "$create" > "$curdate" )); then - echo "! User ID '$uid' was created in the future(?!). Is your clock correct?" - echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?" - problemsfound=$(($problemsfound+1)) - fi - if [ "$expire" ] ; then - if (( "$expire" < "$curdate" )); then - echo "! User ID '$uid' is expired." + uiderrs=$(printf '%s\n' "$certinfo" | grep ^uid: | cut -d: -f6,7,10 | \ + while IFS=: read -r create expire uid ; do + uid=$(gpg_unescape <<<"$uid") + + check_service_name "$uid" + if [ "$create" ] && (( "$create" > "$MHD_CURDATE" )); then + printf "! The latest self-sig on User ID '%s' was created in the future(?!): %s.\n - Is your clock correct?\n" "$uid" $(date -d "1970-01-01 + $create seconds" +%F) + printf " - Recommendation: Check your clock (is it really %s ?); use NTP?\n" $(date +%F_%T) + fi + if [ "$expire" ] ; then + if (( "$expire" < "$MHD_CURDATE" )); then + printf "! User ID '%s' is expired.\n" "$uid" # FIXME: recommend a way to resolve this - problemsfound=$(($problemsfound+1)) - elif (( "$expire" < "$warndate" )); then - echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F) + elif (( "$expire" < "$MHD_WARNDATE" )); then + printf "! User ID '%s' expires in less than %s: %s\n" "%s" "$MHD_WARNWINDOW" $(advance_date $(( $expire - $MHD_CURDATE )) seconds +%F) # FIXME: recommend a way to resolve this - problemsfound=$(($problemsfound+1)) + fi fi - fi - done + done) + errcount=$(grep -c '^!' <<<"$uiderrs") || \ + MHD_PROBLEMSFOUND=$(($MHD_PROBLEMSFOUND+ $errcount )) + printf '%s\n' "$uiderrs" + + # FIXME: verify that the host key is properly published to the # keyservers (do this with the non-privileged user) @@ -120,11 +101,45 @@ else # FIXME: propose adding a revoker to the host key if none exist (do we # have a way to do that after key generation?) -# FIXME: test (with ssh-keyscan?) that the running ssh -# daemon is actually offering the monkeysphere host key. +# FIXME: test (with ssh-keyscan?) that any running ssh daemon is +# actually offering the monkeysphere host key, if such a key is +# loaded. + +# FIXME: scan /proc/net/tcp and /proc/net/tcp6 to see what +# known-crypto ports (ssh, https, imaps?, ldaps?, etc) are in use +# locally. Propose bringing them into the monkeysphere. + +# FIXME: ensure that the key is of a reasonable size + +# FIXME: ensure that the cert has the right key usage flags + +# FIXME: ensure that the key doesn't match any known blacklist +} + +diagnostics() { + +MHD_PROBLEMSFOUND=0 + + +if ! [ -d "$SYSDATADIR" ] ; then + echo "! no $SYSDATADIR directory found. Please create it." + exit +fi +if ! [ -f "$HOST_KEY_FILE" ] ; then + echo "No host OpenPGP certificates file found!" + echo " - Recommendation: run 'monkeysphere-host import-key' with a service key" + exit fi +if ! id monkeysphere >/dev/null ; then + echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell." + MHD_PROBLEMSFOUND=$(($MHD_PROBLEMSFOUND+1)) +fi + +echo "Checking host OpenPGP certificates..." +multi_key diagnose_key + # FIXME: look at the ownership/privileges of the various keyrings, # directories housing them, etc (what should those values be? can # we make them as minimal as possible?) @@ -132,8 +147,8 @@ fi # report on any cruft from old monkeysphere version report_cruft -if [ "$problemsfound" -gt 0 ]; then - echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:" +if [ "$MHD_PROBLEMSFOUND" -gt 0 ]; then + echo "When the above $MHD_PROBLEMSFOUND issue"$(if [ "$MHD_PROBLEMSFOUND" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:" echo " monkeysphere-host diagnostics" else echo "Everything seems to be in order!" diff --git a/src/share/mh/import_key b/src/share/mh/import_key index f7c69c3..0f362b8 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key @@ -8,60 +8,53 @@ # Jamie McClelland <jm@mayfirst.org> # Daniel Kahn Gillmor <dkg@fifthhorseman.net> # -# They are Copyright 2008-2009 and are all released under the GPL, +# They are Copyright 2008-2010 and are all released under the GPL, # version 3 or later. import_key() { -local sshKeyFile -local hostName -local domain -local userID - -sshKeyFile="$1" -hostName="$2" +local keyFile="$1" +local serviceName="$2" # check that key file specified -if [ -z "$sshKeyFile" ] ; then - failure "Must specify ssh key file to import, or specify '-' for stdin." +if [ -z "$keyFile" ] ; then + failure "Must specify PEM-encoded key file to import, or specify '-' for stdin." fi # fail if hostname not specified -if [ -z "$hostName" ] ; then - failure "You must specify a fully-qualified domain name for use in the host certificate user ID." +if [ -z "$serviceName" ] ; then + failure "You must specify a service name for use in the OpenPGP certificate user ID." fi -userID="ssh://${hostName}" +# test that a key with that user ID does not already exist +prompt_userid_exists "$serviceName" + +# check that the service name is well formatted +check_service_name "$serviceName" # create host home mkdir -p "${MHDATADIR}" mkdir -p "${GNUPGHOME_HOST}" chmod 700 "${GNUPGHOME_HOST}" -# import ssh key to a private key -if [ "$sshKeyFile" = '-' ] ; then - log verbose "importing ssh key from stdin..." - PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \ +# import pem-encoded key to an OpenPGP private key +if [ "$keyFile" = '-' ] ; then + log verbose "importing key from stdin..." + PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \ | gpg_host --import else - log verbose "importing ssh key from file '$sshKeyFile'..." - PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \ - <"$sshKeyFile" \ + log verbose "importing key from file '$keyFile'..." + PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \ + <"$keyFile" \ | gpg_host --import fi -# load the new host fpr into the fpr variable. this is so we can -# create the gpg pub key file. we have to do this from the secret key -# ring since we obviously don't have the gpg pub key file yet, since -# that's what we're trying to produce (see below). -load_fingerprint_secret - -# export to gpg public key to file -update_gpg_pub_file +# export to OpenPGP public key to file +update_pgp_pub_file log info "host key imported:" # show info about new key -show_key +show_key "$serviceName" } diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key index 48e4cbb..f1c1723 100644 --- a/src/share/mh/publish_key +++ b/src/share/mh/publish_key @@ -8,23 +8,24 @@ # Jamie McClelland <jm@mayfirst.org> # Daniel Kahn Gillmor <dkg@fifthhorseman.net> # -# They are Copyright 2008-2009, and are all released under the GPL, version 3 -# or later. +# They are Copyright 2008-2010, and are all released under the GPL, +# version 3 or later. -# publish server key to keyserver +# publish keys to keyserver publish_key() { +local keyID="$1" local GNUPGHOME -if [ "$PROMPT" = "true" ] ; then - printf "Really publish host key to $KEYSERVER? (Y/n) " >&2 +if [ "$PROMPT" != "false" ] ; then + printf "Really publish key '$keyID' to $KEYSERVER? (Y/n) " >&2 read OK; OK=${OK:=Y} if [ "${OK/y/Y}" != 'Y' ] ; then failure "key not published." fi else - log debug "publishing key without prompting." + log debug "publishing key '$keyID' without prompting." fi # create a temporary gnupg directory from which to publish the key @@ -35,13 +36,13 @@ chown "$MONKEYSPHERE_USER":"$MONKEYSPHERE_GROUP" "$GNUPGHOME" # trap to remove tmp dir if break trap "rm -rf $GNUPGHOME" EXIT -# import the host key into the tmp dir +# import the key into the tmp dir su_monkeysphere_user \ "gpg --quiet --import" <"$HOST_KEY_FILE" -# publish host key +# publish key su_monkeysphere_user \ - "gpg --keyserver $KEYSERVER --send-keys '0x${HOST_FINGERPRINT}!'" + "gpg --keyserver $KEYSERVER --send-keys '0x${keyID}!'" # remove the tmp file trap - EXIT diff --git a/src/share/mh/revoke_hostname b/src/share/mh/revoke_hostname deleted file mode 100644 index 6b80802..0000000 --- a/src/share/mh/revoke_hostname +++ /dev/null @@ -1,68 +0,0 @@ -# -*-shell-script-*- -# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) - -# Monkeysphere host revoke-hostname subcommand -# -# The monkeysphere scripts are written by: -# Jameson Rollins <jrollins@finestructure.net> -# Jamie McClelland <jm@mayfirst.org> -# Daniel Kahn Gillmor <dkg@fifthhorseman.net> -# -# They are Copyright 2008-2009, and are all released under the GPL, -# version 3 or later. - -# revoke hostname user ID from host key - -revoke_hostname() { - -local userID -local fingerprint -local tmpuidMatch -local line -local message -local revuidCommand - -if [ -z "$1" ] ; then - failure "You must specify a hostname to revoke." -fi - -userID="ssh://${1}" - -# make sure the user ID to revoke -find_host_userid "$userID" || \ - failure "No non-revoked user ID found matching '$userID'." - -if [ "$PROMPT" = "true" ] ; then - printf "The following host key user ID will be revoked:\n %s\nAre you sure you would like to revoke this user ID? (Y/n) " "$userID" >&2 - read OK; OK=${OK:=Y} - if [ "${OK/y/Y}" != 'Y' ] ; then - failure "User ID not revoked." - fi -else - log debug "revoking user ID without prompting." -fi - -# actually revoke: - -# the gpg secring might not contain the host key we are trying to -# revoke (let alone any selfsig over that host key), but the plain -# --export won't contain the secret key. "keytrans revokeuserid" -# needs access to both pieces, so we feed it both of them. - -if (cat "$GNUPGHOME_HOST/secring.gpg" && gpg_host --export "$HOST_FINGERPRINT") | \ - "$SYSSHAREDIR/keytrans" revokeuserid \ - "$HOST_FINGERPRINT" "$userID" | gpg_host --import ; then - gpg_host --check-trustdb - - update_gpg_pub_file - - show_key - - echo - echo "NOTE: User ID revoked, but revocation not published." - echo "Run '$PGRM publish-key' to publish the revocation." -else - failure "Problem revoking user ID." -fi - -} diff --git a/src/share/mh/revoke_key b/src/share/mh/revoke_key index 5460e51..5a013e0 100644 --- a/src/share/mh/revoke_key +++ b/src/share/mh/revoke_key @@ -8,23 +8,24 @@ # Jamie McClelland <jm@mayfirst.org> # Daniel Kahn Gillmor <dkg@fifthhorseman.net> # -# They are Copyright 2008-2009, and are all released under the GPL, +# They are Copyright 2008-2010, and are all released under the GPL, # version 3 or later. # revoke host key revoke_key() { -# Coming in here, we expect $HOST_FINGERPRINT to be set, and we -# believe that there is in fact a key. + local keyID + local publish + + keyID=$(check_key_input "$@") if [ "$PROMPT" = "false" ] ; then publish=N else cat <<EOF >&2 -This will generate a revocation certificate for your host key -(fingerprint: $HOST_FINGERPRINT) and -dump the certificate to standard output. +This will generate a revocation certificate for key $keyID +and dump the certificate to standard output. It can also directly publish the new revocation certificate to the public keyservers via $KEYSERVER if you want it to. @@ -65,14 +66,13 @@ Monkeysphere host key revocation (automated) $(date '+%F_%T%z') y " - revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg_host --command-fd 0 --armor --gen-revoke "0x${HOST_FINGERPRINT}!" <<<"$revoke_commands" ) \ + revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg_host --command-fd 0 --armor --gen-revoke "0x${keyID}!" <<<"$revoke_commands" ) \ || failure "Failed to generate revocation certificate!" - else # note: we're not using the gpg_host function because we actually # want to use gpg's UI in this case, so we want to omit --no-tty - revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${HOST_FINGERPRINT}!") \ + revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${keyID}!") \ || failure "Failed to generate revocation certificate!" fi diff --git a/src/share/mh/revoke_name b/src/share/mh/revoke_name new file mode 100644 index 0000000..532cb30 --- /dev/null +++ b/src/share/mh/revoke_name @@ -0,0 +1,72 @@ +# -*-shell-script-*- +# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) + +# Monkeysphere host revoke-hostname subcommand +# +# The monkeysphere scripts are written by: +# Jameson Rollins <jrollins@finestructure.net> +# Jamie McClelland <jm@mayfirst.org> +# Daniel Kahn Gillmor <dkg@fifthhorseman.net> +# +# They are Copyright 2008-2010, and are all released under the GPL, +# version 3 or later. + +# revoke service name user ID from host key + +revoke_name() { + +local serviceName +local keyID +local fingerprint +local tmpuidMatch +local line +local message +local revuidCommand + +if [ -z "$1" ] ; then + failure "You must specify a service name to revoke." +fi +serviceName="$1" +shift + +keyID=$(check_key_input "$@") + +# make sure the user ID to revoke exists +check_key_userid "$keyID" "$serviceName" || \ + failure "No non-revoked service name found matching '$serviceName'." + +if [ "$PROMPT" != "false" ] ; then + printf "The following service name on key '$keyID' will be revoked:\n %s\nAre you sure you would like to revoke this service name? (Y/n) " "$serviceName" >&2 + read OK; OK=${OK:=Y} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "User ID not revoked." + fi +else + log debug "revoking service name without prompting." +fi + +# actually revoke: + +# the gpg secring might not contain the host key we are trying to +# revoke (let alone any selfsig over that host key), but the plain +# --export won't contain the secret key. "keytrans revokeuserid" +# needs access to both pieces, so we feed it both of them. + +if (cat "$GNUPGHOME_HOST/secring.gpg" && gpg_host --export "$keyID") \ + | "$SYSSHAREDIR/keytrans" revokeuserid "$keyID" "$serviceName" \ + | gpg_host --import ; then + + gpg_host --check-trustdb + + update_pgp_pub_file + + show_key "$keyID" + + echo + echo "NOTE: Service name revoked, but revocation not published." + echo "Run '$PGRM publish-key' to publish the revocation." +else + failure "Problem revoking service name." +fi + +} diff --git a/src/share/mh/set_expire b/src/share/mh/set_expire index 9889e76..68a8dfd 100644 --- a/src/share/mh/set_expire +++ b/src/share/mh/set_expire @@ -11,18 +11,32 @@ # Jamie McClelland <jm@mayfirst.org> # Daniel Kahn Gillmor <dkg@fifthhorseman.net> # -# They are Copyright 2008-2009, and are all released under the GPL, +# They are Copyright 2008-2010, and are all released under the GPL, # version 3 or later. set_expire() { -local extendTo +local extendBy +local keyID + +if [ -z "$1" ] ; then + cat <<EOF >&2 +Must specify expiration. The possibilities are: + 0 = key does not expire + <n> = key expires in n days + <n>w = key expires in n weeks + <n>m = key expires in n months + <n>y = key expires in n years +EOF + failure +fi +extendBy="$1" +shift -# get the new expiration date -extendTo=$(get_gpg_expiration "$1") +keyID=$(check_key_input "$@") -if [ "$PROMPT" = "true" ] ; then - printf "Are you sure you want to change the expiration on the host key to '%s'? (Y/n) " "$extendTo" >&2 +if [ "$PROMPT" != "false" ] ; then + printf "Are you sure you want to change the expiration on key '$keyID' by '%s'? (Y/n) " "$extendBy" >&2 read OK; OK=${OK:-Y} if [ "${OK/y/Y}" != 'Y' ] ; then failure "expiration not set." @@ -31,18 +45,18 @@ else log debug "extending without prompting." fi -log info "setting host key expiration to ${extendTo}." +log info "setting key expiration to ${extendBy}." -log debug "executing host expire script..." -gpg_host_edit expire <<EOF -$extendTo +log debug "executing key expire script..." +gpg_host_edit "0x${keyID}!" expire <<EOF +$extendBy save EOF -update_gpg_pub_file +update_pgp_pub_file log info <<EOF -NOTE: Host key expiration date adjusted, but not yet published. +NOTE: Key expiration date adjusted, but not yet published. Run '$PGRM publish-key' to publish the new expiration date. EOF diff --git a/src/transitions/0.28 b/src/transitions/0.28 new file mode 100755 index 0000000..5da6ab1 --- /dev/null +++ b/src/transitions/0.28 @@ -0,0 +1,25 @@ +#!/bin/bash + +# This is a post-install script for monkeysphere, to transition an old +# (<0.28) setup to the new (>=0.28) setup. + +# You should be able to run this script after any version >= 0.23 is +# installed. This script should be well-behaved, even if it is run +# repeatedly. + +# Written by +# Jameson Rollins <jrollins@finestructure.net> +# Daniel Kahn Gillmor <dkg@fifthhorseman.net> +# +# Copyright 2010, released under the GPL, version 3 or later + +# any unexpected errors should cause this script to bail: +set -e + +SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} + +OLD_HOST_KEY_FILE="$SYSDATADIR"/ssh_host_rsa_key.pub.gpg +if [ -f "$OLD_HOST_KEY_FILE" ] ; then + monkeysphere-host update-pgp-pub-file + rm -f "$OLD_HOST_KEY_FILE" +fi |