From 10888c602170f6157ff43a81bad920babdd6a59e Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 20 Feb 2009 12:27:01 -0500
Subject: monkeysphere-host revoke-key should now be capable of publishing the
 revocation certificate to the keyservers directly, should the admin want
 that.

It can also run without prompting, if MONKEYSPHERE_PROMPT=false.  In
the no-prompts case, it never publishes to the keyserver, it indicates
that the key was compromised, and it writes a boilerplate description
to make it easy to identify this kind of certificate.
---
 man/man8/monkeysphere-host.8 | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'man/man8/monkeysphere-host.8')

diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8
index 2ccaaec..0a9fc1b 100644
--- a/man/man8/monkeysphere-host.8
+++ b/man/man8/monkeysphere-host.8
@@ -62,15 +62,17 @@ in place of `revoke-hostname'.
 Add a revoker to the host's OpenPGP key.  The key ID will be loaded
 from the keyserver.  A file may be loaded instead of pulling the key
 from the keyserver by specifying the path to the file as the argument,
-or by specifying `-` to load from stdin.  `o' may be be used in place
+or by specifying `-` to load from stdin.  `r+' may be be used in place
 of `add-revoker'.
 .TP
 .B revoke-key
-Revoke the host's OpenPGP key.  This will ask you a series of
-questions, and then generate a key revocation certificate on standard
-out.  If you publish this revocation certificate to the public
-keyservers, your host key will be permanently revoked.  `r' may be
-used in place of `revoke-key'.
+Generate (with the option to publish) a revocation certificate for the
+host's OpenPGP key.  If such a certificate is published, your host key
+will be permanently revoked.  This subcommand will ask you a series of
+questions, and then generate a key revocation certificate, sending it
+to stdout.  If you explicitly tell it to publish the revocation
+certificate immediately, it will send it to the public keyservers.
+USE WITH CAUTION!
 .TP
 .B publish-key
 Publish the host's OpenPGP key to the keyserver.  `p' may be used in
-- 
cgit v1.2.3


From bb8f498db80efcfffdf60ef317254d7355ea54ef Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@finestructure.net>
Date: Sat, 21 Feb 2009 15:37:30 -0500
Subject: import-key now requires a hostname be specified, and no longer does
 any hostname guessing.  this is so that we don't have to worry about
 prompting the user when guessing the hostname.  also updated documentation.

---
 man/man8/monkeysphere-host.8       | 11 +++++------
 src/monkeysphere-host              |  2 +-
 src/share/mh/import_key            | 30 ++----------------------------
 website/getting-started-admin.mdwn | 14 ++++----------
 4 files changed, 12 insertions(+), 45 deletions(-)

(limited to 'man/man8/monkeysphere-host.8')

diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8
index 0a9fc1b..7909b62 100644
--- a/man/man8/monkeysphere-host.8
+++ b/man/man8/monkeysphere-host.8
@@ -23,14 +23,13 @@ connection authentication.
 
 \fBmonkeysphere-host\fP takes various subcommands:
 .TP
-.B import-key FILE [NAME[:PORT]]
+.B import-key FILE NAME[:PORT]
 Import a pem-encoded ssh secret host key from file FILE.  If FILE
 is '-', then the key will be imported from stdin.  NAME[:PORT] is used
-to specify the hostname (and port) used in the user ID of the new
-OpenPGP key.  If NAME is not specified, then the system
-fully-qualified domain name will be used (ie. `hostname -f').  If PORT
-is not specified, the no port is added to the user ID, which means
-port 22 is assumed.  `i' may be used in place of `import-key'.
+to specify the fully-qualified hostname (and port) used in the user ID
+of the new OpenPGP key.  If PORT is not specified, the no port is
+added to the user ID, which means port 22 is assumed.  `i' may be used
+in place of `import-key'.
 .TP
 .B show-key
 Output information about host's OpenPGP and SSH keys.  `s' may be used
diff --git a/src/monkeysphere-host b/src/monkeysphere-host
index efa48cd..540a8ab 100755
--- a/src/monkeysphere-host
+++ b/src/monkeysphere-host
@@ -54,7 +54,7 @@ usage: $PGRM <subcommand> [options] [args]
 Monkeysphere host admin tool.
 
 subcommands:
- import-key (i) FILE [NAME[:PORT]]   import existing ssh key to gpg
+ import-key (i) FILE NAME[:PORT]     import existing ssh key to gpg
  show-key (s)                        output all host key information
  publish-key (p)                     publish host key to keyserver
  set-expire (e) [EXPIRE]             set host key expiration
diff --git a/src/share/mh/import_key b/src/share/mh/import_key
index c545388..f7c69c3 100644
--- a/src/share/mh/import_key
+++ b/src/share/mh/import_key
@@ -26,39 +26,13 @@ if [ -z "$sshKeyFile" ] ; then
     failure "Must specify ssh key file to import, or specify '-' for stdin."
 fi
 
-# use the default hostname if not specified
+# fail if hostname not specified
 if [ -z "$hostName" ] ; then
-    hostName=$(hostname -f) || failure "Could not determine hostname."
-    # test that the domain is not obviously illegitimate
-    domain=${foo##*.}
-    case $domain in
-	'local'|'localdomain')
-	    failure "Host domain '$domain' is not legitimate.  Aborting key import."
-	    ;;
-    esac
-    # test that there are at least two parts
-    if (( $(echo "$hostName" | tr . ' ' | wc -w) < 2 )) ; then
-	failure "Host name '$hostName' is not legitimate.  Aborting key import."
-    fi
+    failure "You must specify a fully-qualified domain name for use in the host certificate user ID."
 fi
 
 userID="ssh://${hostName}"
 
-if [ "$PROMPT" = "true" ] ; then
-    cat <<EOF
-The ssh key will be imported and an OpenPGP certificate for this host
-will be generated with the following user ID:
-  $userID
-EOF
-    read -p "Are you sure you would like to create certificate? [Y/n] " OK; OK=${OK:-Y}
-    if [ "${OK/y/Y}" != 'Y' ] ; then
-	failure "ssh key not imported."
-    fi
-else
-    log debug "importing key without prompting."
-fi
-
-
 # create host home
 mkdir -p "${MHDATADIR}"
 mkdir -p "${GNUPGHOME_HOST}"
diff --git a/website/getting-started-admin.mdwn b/website/getting-started-admin.mdwn
index c4c2e64..d76d783 100644
--- a/website/getting-started-admin.mdwn
+++ b/website/getting-started-admin.mdwn
@@ -22,19 +22,13 @@ To begin, you must first import an ssh host key.  This assumes that
 you have the ssh server installed, and that you have generated a host
 RSA key.  Once that has been done, import the key:
 
-	# monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key
+	# monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key server.example.net
 
 This will generate an OpenPGP certificate for server.  The primary
 user ID for this certificate will be the ssh service URI for the host,
-which by default is based on the output of `hostname -f`
-(eg. `ssh://server.example.net`).  If the name determined from
-`hostname -f` is not the name you want to have in the service URI,
-then you can enter one manually:
-
-	# monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key host.example.net
-
-Remember that the name you provide here must be a fully qualified
-domain name for the host in order for the monkeysphere to work.
+(eg. `ssh://server.example.net`).  Remember that the name you provide
+here must be a fully qualified domain name for the host in order for
+the monkeysphere to work.
 
 Now you can display information about the host key's certificate with
 the 'show-key' command:
-- 
cgit v1.2.3