diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/common | 28 | ||||
| -rwxr-xr-x | src/monkeysphere | 20 | ||||
| -rwxr-xr-x | src/monkeysphere-server | 57 | ||||
| -rwxr-xr-x | src/seckey2sshagent | 36 |
4 files changed, 98 insertions, 43 deletions
@@ -103,8 +103,9 @@ translate_ssh_variables() { # get the user's home directory userHome=$(getent passwd "$uname" | cut -d: -f6) - # translate ssh-style path variables + # translate '%u' to user name path=${path/\%u/"$uname"} + # translate '%h' to user home directory path=${path/\%h/"$userHome"} echo "$path" @@ -123,6 +124,17 @@ gpg2ssh() { gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null } +# output the ssh key for a given secret key ID +gpgsecret2ssh() { + local keyID + + #keyID="$1" #TMP + # only use last 16 characters until openpgp2ssh can take all 40 #TMP + keyID=$(echo "$1" | cut -c 25-) #TMP + + gpg --export-secret-key "$keyID" | openpgp2ssh "$keyID" 2> /dev/null +} + # output known_hosts line from ssh key ssh2known_hosts() { local host @@ -206,8 +218,8 @@ get_key_fingerprint() { keyID="$1" gpg --list-key --with-colons --fixed-list-mode \ - --with-fingerprint "$keyID" | grep "$keyID" | \ - grep '^fpr:' | cut -d: -f10 + --with-fingerprint --with-fingerprint "$keyID" | \ + grep '^fpr:' | grep "$keyID" | cut -d: -f10 } ######################################################################## @@ -522,8 +534,7 @@ process_authorized_keys() { trust_key() { # get the key from the key server if ! gpg --keyserver "$KEYSERVER" --recv-key "$keyID" ; then - log "could not retrieve key '$keyID'" - return 1 + failure "Could not retrieve key '$keyID'." fi # get key fingerprint @@ -537,9 +548,9 @@ trust_key() { # import "full" trust for fingerprint into gpg echo ${fingerprint}:5: | gpg --import-ownertrust if [ $? = 0 ] ; then - log "owner trust updated." + log "Owner trust updated." else - failure "there was a problem changing owner trust." + failure "There was a problem changing owner trust." fi } @@ -555,7 +566,6 @@ publish_server_key() { # dummy command so as not to publish fakes keys during testing # eventually: #gpg --keyserver "$KEYSERVER" --send-keys $(hostname -f) - echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development). + failure "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development). To publish manually, do: gpg --keyserver $KEYSERVER --send-keys $(hostname -f)" - return 1 } diff --git a/src/monkeysphere b/src/monkeysphere index 58f0fdc..9b315e2 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -54,14 +54,30 @@ gen_subkey(){ gpgOut=$(gpg --quiet --fixed-list-mode --list-keys --with-colons \ "$keyID" 2> /dev/null) - # return 1 if there only "tru" lines are output from gpg + # fail if there only "tru" lines are output from gpg, which + # indicates the key was not found. if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then failure "Key ID '$keyID' not found." fi + # fail if multiple pub lines are returned, which means the id given + # is not unique + if [ $(echo "$gpgOut" | grep '^pub:' | wc -l) -gt '1' ] ; then + failure "Key ID '$keyID' is not unique." + fi + + # prompt if an authentication subkey already exists + if echo "$gpgOut" | egrep "^(pub|sub):" | cut -d: -f 12 | grep -q a ; then + echo "An authentication subkey already exists for key '$keyID'." + read -p "Are you sure you would like to generate another one? [y|N]: " OK; OK=${OK:N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "aborting." + fi + fi + # set subkey defaults SUBKEY_TYPE=${SUBKEY_TYPE:-"RSA"} - #SUBKEY_LENGTH=${SUBKEY_LENGTH:-"2048"} + SUBKEY_LENGTH=${SUBKEY_LENGTH:-} SUBKEY_USAGE=${SUBKEY_USAGE:-"auth"} SUBKEY_EXPIRE=${SUBKEY_EXPIRE:-"0"} cat <<EOF diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 693c062..40a6b54 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -46,11 +46,18 @@ gen_key() { local hostName hostName=${1:-$(hostname --fqdn)} + service=${SERVICE:-"ssh"} + userID="${service}://${hostName}" + + if gpg --list-key ="$userID" > /dev/null 2>&1 ; then + failure "Key for '$userID' already exists" + fi # set key defaults KEY_TYPE=${KEY_TYPE:-"RSA"} KEY_LENGTH=${KEY_LENGTH:-"2048"} KEY_USAGE=${KEY_USAGE:-"auth"} + KEY_EXPIRE=${KEY_EXPIRE:-"0"} cat <<EOF Please specify how long the key should be valid. 0 = key does not expire @@ -59,25 +66,22 @@ Please specify how long the key should be valid. <n>m = key expires in n months <n>y = key expires in n years EOF - read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"} - - SERVICE=${SERVICE:-"ssh"} - USERID=${USERID:-"$SERVICE"://"$hostName"} + read -p "Key is valid for? ($KEY_EXPIRE) " KEY_EXPIRE; KEY_EXPIRE=${KEY_EXPIRE:-"0"} # set key parameters keyParameters=$(cat <<EOF Key-Type: $KEY_TYPE Key-Length: $KEY_LENGTH Key-Usage: $KEY_USAGE -Name-Real: $USERID -Expire-Date: $EXPIRE +Name-Real: $userID +Expire-Date: $KEY_EXPIRE EOF ) # add the revoker field if requested -# FIXME: the 1: below assumes that $REVOKER's key is an RSA key. why? -# FIXME: why is this marked "sensitive"? how will this signature ever -# be transmitted to the expected revoker? + # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key. why? + # FIXME: why is this marked "sensitive"? how will this signature ever + # be transmitted to the expected revoker? if [ "$REVOKER" ] ; then keyParameters="${keyParameters}"$(cat <<EOF @@ -89,15 +93,11 @@ EOF echo "The following key parameters will be used:" echo "$keyParameters" - read -p "generate key? [Y|n]: " OK; OK=${OK:=Y} + read -p "Generate key? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} != 'Y' ] ; then failure "aborting." fi - if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then - failure "key for '$USERID' already exists" - fi - # add commit command keyParameters="${keyParameters}"$(cat <<EOF @@ -106,14 +106,33 @@ EOF EOF ) - log -n "generating server key... " + log "generating server key... " echo "$keyParameters" | gpg --batch --gen-key - loge "done." - fingerprint_server_key + + # output the server fingerprint + fingerprint_server_key "=${userID}" + + # find the key fingerprint of the server primary key + keyID=$(gpg --list-key --with-colons --with-fingerprint "=${userID}" | \ + grep '^fpr:' | head -1 | cut -d: -f10) + + # write the key to the file + # NOTE: assumes that the primary key is the proper key to use + (umask 077 && gpgsecret2ssh "$keyID" > "${MS_HOME}/ssh_host_rsa_key") + log "Private SSH host key output to file: ${MS_HOME}/ssh_host_rsa_key" } +# gpg output key fingerprint fingerprint_server_key() { - gpg --fingerprint --list-secret-keys =ssh://$(hostname --fqdn) + local ID + + if [ -z "$1" ] ; then + ID="$1" + else + ID="=ssh://$(hostname --fqdn)" + fi + + gpg --fingerprint --list-secret-keys "$ID" } ######################################################################## @@ -214,7 +233,7 @@ case $COMMAND in ;; 'show-fingerprint'|'f') - fingerprint_server_key + fingerprint_server_key "$@" ;; 'publish-key'|'p') diff --git a/src/seckey2sshagent b/src/seckey2sshagent index 4d08c66..1266db5 100755 --- a/src/seckey2sshagent +++ b/src/seckey2sshagent @@ -16,27 +16,37 @@ cleanup() { - echo -n "removing temp gpg home... " + echo -n "removing temp gpg home... " 1>&2 rm -rf $FOO - echo "done." + echo "done." 1>&2 } trap cleanup EXIT -GPGID="$1" - -idchars=$(echo $GPGID | wc -m) -if [ "$idchars" -ne 17 ] ; then - echo "GPGID is not 16 characters ($idchars)." - exit 1 -fi +#GPGID="$1" +GPGID=$(echo "$1" | cut -c 25-) FOO=$(mktemp -d) -gpg --export-secret-key --export-options export-reset-subkey-passwd $GPGID | GNUPGHOME=$FOO gpg --import +gpg --export-secret-key $GPGID | GNUPGHOME="$FOO" gpg --import + +# idea to script the password stuff. not working. +# read -s -p "enter gpg password: " PASSWD; echo +# cmd=$(cat <<EOF +# passwd +# $PASSWD +# \n +# \n +# \n +# yes +# save +# EOF +# ) +# echo -e "$cmd" | GNUPGHOME="$FOO" gpg --command-fd 0 --edit-key $GPGID -GNUPGHOME=$FOO gpg --edit-key $GPGID +GNUPGHOME="$FOO" gpg --edit-key $GPGID -ln -s /dev/stdin $FOO/monkeysphere-key +ln -s /dev/stdin "$FOO"/openpgp -GNUPGHOME=$FOO gpg --export-secret-key $GPGID | openpgp2ssh $GPGID | (cd $FOO && ssh-add -c monkeysphere-key) +GNUPGHOME="$FOO" gpg --export-secret-key $GPGID | \ + openpgp2ssh $GPGID | ssh-add -c "$FOO"/openpgp |