From 9cc92238a9a9b21d37b983932d5a6a012cf80aba Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 8 Feb 2009 23:55:28 -0500 Subject: Some rearragement/cleanup in the monkeysphere-host: - define exported variable to hold host key fingerprint (HOST_FINGERPRINT) - broke out some common commands into simpler functions - rename the 'extend_key' function to be 'set_expire', since function is more generically offered now. --- src/monkeysphere-host | 76 +++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 55 insertions(+), 21 deletions(-) (limited to 'src/monkeysphere-host') diff --git a/src/monkeysphere-host b/src/monkeysphere-host index a6fa62f..aa764db 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -80,16 +80,21 @@ su_monkeysphere_user() { # function to interact with the gpg keyring gpg_host() { - local returnCode + GNUPGHOME="$GNUPGHOME_HOST" gpg "$@" +} + +# command to list the info about the host key, in colon format +gpg_host_list() { + gpg_host --list-keys --with-colons --fixed-list-mode \ + --with-fingerprint --with-fingerprint \ + "0x${HOST_FINGERPRINT}!" - GNUPGHOME="$GNUPGHOME_HOST" - export GNUPGHOME +} - # NOTE: we supress this warning because we need the monkeysphere - # user to be able to read the host pubring. we realize this might - # be problematic, but it's the simplest solution, without too much - # loss of security. - gpg "$@" +# command for edit key scripts, takes scripts on stdin +gpg_host_edit() { + gpg_host --quiet --command-fd 0 --edit-key \ + "0x${HOST_FINGERPRINT}!" "$@" } # output just key fingerprint @@ -102,23 +107,48 @@ fingerprint_host_key() { grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null } +# output the index of a user ID on the host key +# return 1 if user ID not found +find_host_userid() { + local userID="$1" + local tmpuidMatch + local line + + # match to only ultimately trusted user IDs + tmpuidMatch="u:$(echo $userID | gpg_escape)" + + # find the index of the requsted user ID + # NOTE: this is based on circumstantial evidence that the order of + # this output is the appropriate index + line=$(gpg_host_list | egrep '^(uid|uat):' | cut -f2,10 -d: | \ + grep -n -x -F "$tmpuidMatch" 2>/dev/null) + + if [ "$line" ] ; then + echo ${line%%:*} + return 0 + else + return 1 + fi +} + # function to check for host secret key -check_host_keyring() { - fingerprint_host_key >/dev/null \ - || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host import-key' first." +check_host_fail() { + [ "$HOST_FINGERPRINT" ] || \ + failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host expert import-key' first." } # show info about the host key show_key() { - local fingerprintPGP local fingerprintSSH - # FIXME: you shouldn't have to be root to see the host key fingerprint - check_host_keyring - fingerprintPGP=$(fingerprint_host_key) + # FIXME: should not have to be priviledged user to see this info. + # should be taken from publicly accessible key files, instead of + # the keyring. + + gpg_host --fingerprint --list-key --list-options show-unusable-uids \ + "0x${HOST_FINGERPRINT}!" 2>/dev/null - gpg_host --fingerprint --list-key --list-options show-unusable-uids "0x${fingerprintPGP}!" 2>/dev/null - echo "OpenPGP fingerprint: $fingerprintPGP" + echo "OpenPGP fingerprint: $HOST_FINGERPRINT" if [ -f "${MHDATADIR}/ssh_host_rsa_key.pub" ] ; then fingerprintSSH=$(ssh-keygen -l -f "${MHDATADIR}/ssh_host_rsa_key.pub" | \ @@ -155,6 +185,9 @@ MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkey CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} +# host key fingerprint +HOST_FINGERPRINT=$(fingerprint_host_key) + # export variables needed in su invocation export DATE export MODE @@ -163,23 +196,24 @@ export MONKEYSPHERE_USER export KEYSERVER export GNUPGHOME_HOST export GNUPGHOME +export HOST_FINGERPRINT # get subcommand COMMAND="$1" [ "$COMMAND" ] || failure "Type '$PGRM help' for usage." shift + case $COMMAND in 'show-key'|'show'|'s') check_host_keyring show_key ;; - # FIXME: what should we call this command? 'set-expire'|'extend-key'|'e') check_host_keyring - source "${MHSHAREDIR}/extend_key" - extend_key "$@" + source "${MHSHAREDIR}/set_expire" + set_expire "$@" ;; 'add-hostname'|'add-name'|'n+') @@ -212,7 +246,7 @@ case $COMMAND in publish_key ;; - 'expert'|'e') + 'expert') SUBCOMMAND="$1" shift case "$SUBCOMMAND" in -- cgit v1.2.3 From f728df69bbb04ed21a437832c486590cc5a83684 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 9 Feb 2009 00:21:40 -0500 Subject: Break out host export commands into gpg_host_export and gpg_host_export_to_ssh_file functions, and update the {gen,import}_key functions accordingly. --- src/monkeysphere-host | 13 +++++++++++++ src/share/mh/gen_key | 12 ++++++------ src/share/mh/import_key | 10 +++++----- 3 files changed, 24 insertions(+), 11 deletions(-) (limited to 'src/monkeysphere-host') diff --git a/src/monkeysphere-host b/src/monkeysphere-host index aa764db..bcb570b 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -97,6 +97,19 @@ gpg_host_edit() { "0x${HOST_FINGERPRINT}!" "$@" } +# export the host key to stdout +gpg_host_export() { + gpg_host --export --armor --export-options export-minimal \ + "0x${HOST_FINGERPRINT}!" +} + +# export the host key to the monkeysphere host file key +gpg_host_export_to_ssh_file() { + log debug "exporting openpgp public key..." + gpg_host_export > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg" + log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg" +} + # output just key fingerprint fingerprint_host_key() { # set the pipefail option so functions fails if can't read sec key diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index eb951cf..c75ad65 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -79,15 +79,16 @@ chmod 700 "$GNUPGHOME_HOST" log verbose "generating host key..." echo "$keyParameters" | gpg_host --batch --gen-key -# find the key fingerprint of the newly generated key -fingerprint=$(fingerprint_host_key) +# find the key fingerprint of the newly converted key +HOST_FINGERPRINT=$(fingerprint_host_key) +export HOST_FINGERPRINT # translate the private key to ssh format, and export to a file # for sshs usage. # NOTE: assumes that the primary key is the proper key to use log debug "exporting new secret key to ssh format..." (umask 077 && \ - gpg_host --export-secret-key "$fingerprint" | \ + gpg_host --export-secret-key "$HOST_FINGERPRINT" | \ openpgp2ssh "$fingerprint" > "${MHDATADIR}/ssh_host_rsa_key") log info "SSH host private key output to file: ${MHDATADIR}/ssh_host_rsa_key" @@ -95,9 +96,8 @@ log debug "creating ssh public key..." ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "${MHDATADIR}/ssh_host_rsa_key.pub" log info "SSH host public key output to file: ${MHDATADIR}/ssh_host_rsa_key.pub" -log debug "exporting openpgp public key..." -gpg_host --export-options export-minimal --armor --export "0x${fingerprint}!" > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg" -log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg" +# export public key to file +gpg_host_export_to_ssh_file # show info about new key show_key diff --git a/src/share/mh/import_key b/src/share/mh/import_key index 93afb0a..6a897b6 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key @@ -32,15 +32,15 @@ chmod 700 "$GNUPGHOME_HOST" log verbose "importing ssh key..." # translate ssh key to a private key -PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | gpg_host --import +PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | \ + gpg_host --import # find the key fingerprint of the newly converted key -fingerprint=$(fingerprint_host_key) +HOST_FINGERPRINT=$(fingerprint_host_key) +export HOST_FINGERPRINT # export public key to file -log debug "exporting openpgp public key..." -gpg_host --export-options export-minimal --armor --export "0x${fingerprint}!" > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg" -log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg" +gpg_host_export_to_ssh_file # show info about new key show_key -- cgit v1.2.3 From 69354c87864076343793fb270b296ccb89bf3759 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 9 Feb 2009 00:42:16 -0500 Subject: define variable for public key files (HOST_KEY_PUB, HOST_KEY_PUB_GPG). also, fix some function calls to check_host_fail function. --- src/monkeysphere-host | 36 +++++++++++++++++++++--------------- src/share/mh/gen_key | 4 ++-- 2 files changed, 23 insertions(+), 17 deletions(-) (limited to 'src/monkeysphere-host') diff --git a/src/monkeysphere-host b/src/monkeysphere-host index bcb570b..3c2e3ee 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -14,6 +14,9 @@ ######################################################################## set -e +# set the pipefail option so pipelines fail on first command failure +set -o pipefail + PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} @@ -106,15 +109,13 @@ gpg_host_export() { # export the host key to the monkeysphere host file key gpg_host_export_to_ssh_file() { log debug "exporting openpgp public key..." - gpg_host_export > "${MHDATADIR}/ssh_host_rsa_key.pub.gpg" - log info "SSH host public key in OpenPGP form: ${MHDATADIR}/ssh_host_rsa_key.pub.gpg" + + gpg_host_export > "$HOST_KEY_PUB_GPG" + log info "SSH host public key in OpenPGP form: $HOST_KEY_PUB_GPG" } # output just key fingerprint fingerprint_host_key() { - # set the pipefail option so functions fails if can't read sec key - set -o pipefail - gpg_host --list-secret-keys --fingerprint \ --with-colons --fixed-list-mode 2> /dev/null | \ grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null @@ -163,12 +164,13 @@ show_key() { echo "OpenPGP fingerprint: $HOST_FINGERPRINT" - if [ -f "${MHDATADIR}/ssh_host_rsa_key.pub" ] ; then - fingerprintSSH=$(ssh-keygen -l -f "${MHDATADIR}/ssh_host_rsa_key.pub" | \ + if [ -f "$HOST_KEY_PUB" ] ; then + fingerprintSSH=$(ssh-keygen -l -f "$HOST_KEY_PUB" | \ awk '{ print $1, $2, $4 }') + echo "ssh fingerprint: $fingerprintSSH" else - log info "SSH host key not found." + log error "SSH host key not found." fi # FIXME: show expiration date @@ -201,6 +203,10 @@ GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} # host key fingerprint HOST_FINGERPRINT=$(fingerprint_host_key) +# host pub key files +HOST_KEY_PUB="${SYSDATADIR}/ssh_host_rsa_key.pub" +HOST_KEY_PUB_GPG="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" + # export variables needed in su invocation export DATE export MODE @@ -219,42 +225,42 @@ shift case $COMMAND in 'show-key'|'show'|'s') - check_host_keyring + check_host_fail show_key ;; 'set-expire'|'extend-key'|'e') - check_host_keyring + check_host_fail source "${MHSHAREDIR}/set_expire" set_expire "$@" ;; 'add-hostname'|'add-name'|'n+') - check_host_keyring + check_host_fail source "${MHSHAREDIR}/add_hostname" add_hostname "$@" ;; 'revoke-hostname'|'revoke-name'|'n-') - check_host_keyring + check_host_fail source "${MHSHAREDIR}/revoke_hostname" revoke_hostname "$@" ;; 'add-revoker'|'o') - check_host_keyring + check_host_fail source "${MHSHAREDIR}/add_revoker" add_revoker "$@" ;; 'revoke-key'|'r') - check_host_keyring + check_host_fail source "${MHSHAREDIR}/revoke_key" revoke_key "$@" ;; 'publish-key'|'publish'|'p') - check_host_keyring + check_host_fail source "${MHSHAREDIR}/publish_key" publish_key ;; diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index 1f8e97e..44109bb 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -75,8 +75,8 @@ log debug "exporting ssh secret key..." log info "SSH host private key output to file: ${MHDATADIR}/ssh_host_rsa_key" log debug "creating ssh public key..." -ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub" -log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub" +ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "$HOST_KEY_PUB" +log info "SSH host public key output to file: $HOST_KEY_PUB" # export public key to file gpg_host_export_to_ssh_file -- cgit v1.2.3 From 55369617d8c00de548fabfbad02ba444f701be43 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 9 Feb 2009 00:47:17 -0500 Subject: break su_monkeysphere_user into common function, since it will likely be needed by both m-host and m-auth for communicating with keyservers. --- src/monkeysphere-authentication | 15 +-------------- src/monkeysphere-host | 13 ------------- src/share/common | 13 +++++++++++++ 3 files changed, 14 insertions(+), 27 deletions(-) (limited to 'src/monkeysphere-host') diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 4485bd4..6d2e72c 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -70,19 +70,6 @@ subcommands: EOF } -# function to run command as monkeysphere user -su_monkeysphere_user() { - # if the current user is the monkeysphere user, then just eval - # command - if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then - eval "$@" - - # otherwise su command as monkeysphere user - else - su "$MONKEYSPHERE_USER" -c "$@" - fi -} - # function to interact with the gpg core keyring gpg_core() { GNUPGHOME="$GNUPGHOME_CORE" @@ -184,7 +171,7 @@ case $COMMAND in list_certifiers "$@" ;; - 'expert'|'e') + 'expert') SUBCOMMAND="$1" shift case "$SUBCOMMAND" in diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 3c2e3ee..506dcf9 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -68,19 +68,6 @@ subcommands: EOF } -# function to run command as monkeysphere user -su_monkeysphere_user() { - # if the current user is the monkeysphere user, then just eval - # command - if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then - eval "$@" - - # otherwise su command as monkeysphere user - else - su "$MONKEYSPHERE_USER" -c "$@" - fi -} - # function to interact with the gpg keyring gpg_host() { GNUPGHOME="$GNUPGHOME_HOST" gpg "$@" diff --git a/src/share/common b/src/share/common index 00a1008..2a20c1c 100644 --- a/src/share/common +++ b/src/share/common @@ -90,6 +90,19 @@ log() { done } +# run command as monkeysphere user +su_monkeysphere_user() { + # if the current user is the monkeysphere user, then just eval + # command + if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then + eval "$@" + + # otherwise su command as monkeysphere user + else + su "$MONKEYSPHERE_USER" -c "$@" + fi +} + # cut out all comments(#) and blank lines from standard input meat() { grep -v -e "^[[:space:]]*#" -e '^$' "$1" -- cgit v1.2.3 From 563800612b54203d5cd68aedfd9d482215d9289d Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 9 Feb 2009 01:41:30 -0500 Subject: rename function to get the host fingerprint, and fix some HOST_FINGERPRINT variables. --- src/monkeysphere-host | 15 +++++++-------- src/share/mh/gen_key | 4 ++-- src/share/mh/import_key | 4 ++-- 3 files changed, 11 insertions(+), 12 deletions(-) (limited to 'src/monkeysphere-host') diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 506dcf9..be398b1 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -102,10 +102,13 @@ gpg_host_export_to_ssh_file() { } # output just key fingerprint -fingerprint_host_key() { +# FIXME: should not have to be priviledged user to get host +# fingerprint. should be taken from publicly accessible key files, +# instead of the keyring. +get_host_fingerprint() { gpg_host --list-secret-keys --fingerprint \ --with-colons --fixed-list-mode 2> /dev/null | \ - grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null + grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null || true } # output the index of a user ID on the host key @@ -142,12 +145,9 @@ check_host_fail() { show_key() { local fingerprintSSH - # FIXME: should not have to be priviledged user to see this info. - # should be taken from publicly accessible key files, instead of - # the keyring. - gpg_host --fingerprint --list-key --list-options show-unusable-uids \ "0x${HOST_FINGERPRINT}!" 2>/dev/null + # FIXME: make sure expiration date is shown echo "OpenPGP fingerprint: $HOST_FINGERPRINT" @@ -160,7 +160,6 @@ show_key() { log error "SSH host key not found." fi - # FIXME: show expiration date # FIXME: other relevant key parameters? } @@ -188,7 +187,7 @@ CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"} # host key fingerprint -HOST_FINGERPRINT=$(fingerprint_host_key) +HOST_FINGERPRINT=$(get_host_fingerprint) # host pub key files HOST_KEY_PUB="${SYSDATADIR}/ssh_host_rsa_key.pub" diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index 44109bb..7b427e4 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -21,7 +21,7 @@ local keyExpire="0" local userID # check for presense of a key -[ "$FINGERPRINT" ] && \ +[ "$HOST_FINGERPRINT" ] && \ failure "An OpenPGP host key already exists." # get options @@ -62,7 +62,7 @@ Expire-Date: $keyExpire EOF # find the key fingerprint of the newly converted key -HOST_FINGERPRINT=$(fingerprint_host_key) +HOST_FINGERPRINT=$(get_host_fingerprint) export HOST_FINGERPRINT # translate the private key to ssh format, and export to a file diff --git a/src/share/mh/import_key b/src/share/mh/import_key index 1efb1ac..99511a8 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key @@ -17,7 +17,7 @@ local hostName local userID # check for presense of a key -[ "$FINGERPRINT" ] && \ +[ "$HOST_FINGERPRINT" ] && \ failure "An OpenPGP host key already exists." hostName=${1:-$(hostname -f)} @@ -34,7 +34,7 @@ PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | \ gpg_host --import # find the key fingerprint of the newly converted key -HOST_FINGERPRINT=$(fingerprint_host_key) +HOST_FINGERPRINT=$(get_host_fingerprint) export HOST_FINGERPRINT # export public key to file -- cgit v1.2.3