diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/common | 25 | ||||
| -rwxr-xr-x | src/monkeysphere | 2 | ||||
| -rwxr-xr-x | src/monkeysphere-server | 57 | ||||
| -rwxr-xr-x | src/seckey2sshagent | 9 |
4 files changed, 61 insertions, 32 deletions
@@ -124,6 +124,17 @@ gpg2ssh() { gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null } +# output the ssh key for a given secret key ID +gpgsecret2ssh() { + local keyID + + #keyID="$1" #TMP + # only use last 16 characters until openpgp2ssh can take all 40 #TMP + keyID=$(echo "$1" | cut -c 25-) #TMP + + gpg --export-secret-key "$keyID" | openpgp2ssh "$keyID" 2> /dev/null +} + # output known_hosts line from ssh key ssh2known_hosts() { local host @@ -207,8 +218,8 @@ get_key_fingerprint() { keyID="$1" gpg --list-key --with-colons --fixed-list-mode \ - --with-fingerprint "$keyID" | grep "$keyID" | \ - grep '^fpr:' | cut -d: -f10 + --with-fingerprint --with-fingerprint "$keyID" | \ + grep '^fpr:' | grep "$keyID" | cut -d: -f10 } ######################################################################## @@ -523,8 +534,7 @@ process_authorized_keys() { trust_key() { # get the key from the key server if ! gpg --keyserver "$KEYSERVER" --recv-key "$keyID" ; then - log "could not retrieve key '$keyID'" - return 1 + failure "Could not retrieve key '$keyID'." fi # get key fingerprint @@ -538,9 +548,9 @@ trust_key() { # import "full" trust for fingerprint into gpg echo ${fingerprint}:5: | gpg --import-ownertrust if [ $? = 0 ] ; then - log "owner trust updated." + log "Owner trust updated." else - failure "there was a problem changing owner trust." + failure "There was a problem changing owner trust." fi } @@ -556,7 +566,6 @@ publish_server_key() { # dummy command so as not to publish fakes keys during testing # eventually: #gpg --keyserver "$KEYSERVER" --send-keys $(hostname -f) - echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development). + failure "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development). To publish manually, do: gpg --keyserver $KEYSERVER --send-keys $(hostname -f)" - return 1 } diff --git a/src/monkeysphere b/src/monkeysphere index e111d8e..9b315e2 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -77,7 +77,7 @@ gen_subkey(){ # set subkey defaults SUBKEY_TYPE=${SUBKEY_TYPE:-"RSA"} - #SUBKEY_LENGTH=${SUBKEY_LENGTH:-"2048"} + SUBKEY_LENGTH=${SUBKEY_LENGTH:-} SUBKEY_USAGE=${SUBKEY_USAGE:-"auth"} SUBKEY_EXPIRE=${SUBKEY_EXPIRE:-"0"} cat <<EOF diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 693c062..40a6b54 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -46,11 +46,18 @@ gen_key() { local hostName hostName=${1:-$(hostname --fqdn)} + service=${SERVICE:-"ssh"} + userID="${service}://${hostName}" + + if gpg --list-key ="$userID" > /dev/null 2>&1 ; then + failure "Key for '$userID' already exists" + fi # set key defaults KEY_TYPE=${KEY_TYPE:-"RSA"} KEY_LENGTH=${KEY_LENGTH:-"2048"} KEY_USAGE=${KEY_USAGE:-"auth"} + KEY_EXPIRE=${KEY_EXPIRE:-"0"} cat <<EOF Please specify how long the key should be valid. 0 = key does not expire @@ -59,25 +66,22 @@ Please specify how long the key should be valid. <n>m = key expires in n months <n>y = key expires in n years EOF - read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"} - - SERVICE=${SERVICE:-"ssh"} - USERID=${USERID:-"$SERVICE"://"$hostName"} + read -p "Key is valid for? ($KEY_EXPIRE) " KEY_EXPIRE; KEY_EXPIRE=${KEY_EXPIRE:-"0"} # set key parameters keyParameters=$(cat <<EOF Key-Type: $KEY_TYPE Key-Length: $KEY_LENGTH Key-Usage: $KEY_USAGE -Name-Real: $USERID -Expire-Date: $EXPIRE +Name-Real: $userID +Expire-Date: $KEY_EXPIRE EOF ) # add the revoker field if requested -# FIXME: the 1: below assumes that $REVOKER's key is an RSA key. why? -# FIXME: why is this marked "sensitive"? how will this signature ever -# be transmitted to the expected revoker? + # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key. why? + # FIXME: why is this marked "sensitive"? how will this signature ever + # be transmitted to the expected revoker? if [ "$REVOKER" ] ; then keyParameters="${keyParameters}"$(cat <<EOF @@ -89,15 +93,11 @@ EOF echo "The following key parameters will be used:" echo "$keyParameters" - read -p "generate key? [Y|n]: " OK; OK=${OK:=Y} + read -p "Generate key? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} != 'Y' ] ; then failure "aborting." fi - if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then - failure "key for '$USERID' already exists" - fi - # add commit command keyParameters="${keyParameters}"$(cat <<EOF @@ -106,14 +106,33 @@ EOF EOF ) - log -n "generating server key... " + log "generating server key... " echo "$keyParameters" | gpg --batch --gen-key - loge "done." - fingerprint_server_key + + # output the server fingerprint + fingerprint_server_key "=${userID}" + + # find the key fingerprint of the server primary key + keyID=$(gpg --list-key --with-colons --with-fingerprint "=${userID}" | \ + grep '^fpr:' | head -1 | cut -d: -f10) + + # write the key to the file + # NOTE: assumes that the primary key is the proper key to use + (umask 077 && gpgsecret2ssh "$keyID" > "${MS_HOME}/ssh_host_rsa_key") + log "Private SSH host key output to file: ${MS_HOME}/ssh_host_rsa_key" } +# gpg output key fingerprint fingerprint_server_key() { - gpg --fingerprint --list-secret-keys =ssh://$(hostname --fqdn) + local ID + + if [ -z "$1" ] ; then + ID="$1" + else + ID="=ssh://$(hostname --fqdn)" + fi + + gpg --fingerprint --list-secret-keys "$ID" } ######################################################################## @@ -214,7 +233,7 @@ case $COMMAND in ;; 'show-fingerprint'|'f') - fingerprint_server_key + fingerprint_server_key "$@" ;; 'publish-key'|'p') diff --git a/src/seckey2sshagent b/src/seckey2sshagent index aff323f..1266db5 100755 --- a/src/seckey2sshagent +++ b/src/seckey2sshagent @@ -16,9 +16,9 @@ cleanup() { - echo -n "removing temp gpg home... " + echo -n "removing temp gpg home... " 1>&2 rm -rf $FOO - echo "done." + echo "done." 1>&2 } trap cleanup EXIT @@ -46,6 +46,7 @@ gpg --export-secret-key $GPGID | GNUPGHOME="$FOO" gpg --import GNUPGHOME="$FOO" gpg --edit-key $GPGID -ln -s /dev/stdin "$FOO"/monkeysphere-key +ln -s /dev/stdin "$FOO"/openpgp -GNUPGHOME="$FOO" gpg --export-secret-key $GPGID | openpgp2ssh $GPGID | ssh-add -c /dev/stdin +GNUPGHOME="$FOO" gpg --export-secret-key $GPGID | \ + openpgp2ssh $GPGID | ssh-add -c "$FOO"/openpgp |