From c4f049f6a8dfd1e0e301a6abffafb5c0012ccc0e Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 12 Feb 2009 13:25:35 -0500 Subject: break out a bunch of common functions in monkeysphere-host: - create_*_*_file to create the key files - load_*fingerprint to load the host fingerprint into an exported variable (HOST_FINGERPRINT) - check_host_*key to check for the presence of a host key modified {import,gen}_key to use these new functions. --- src/share/mh/gen_key | 28 ++++++++-------------------- 1 file changed, 8 insertions(+), 20 deletions(-) (limited to 'src/share/mh/gen_key') diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index 7b427e4..873ed02 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -20,10 +20,6 @@ local keyUsage="auth" local keyExpire="0" local userID -# check for presense of a key -[ "$HOST_FINGERPRINT" ] && \ - failure "An OpenPGP host key already exists." - # get options while true ; do case "$1" in 
@@ -61,25 +57,17 @@ Expire-Date: $keyExpire EOF -# find the key fingerprint of the newly converted key -HOST_FINGERPRINT=$(get_host_fingerprint) -export HOST_FINGERPRINT +# load the new host fpr into the fpr variable +load_fingerprint_secret -# translate the private key to ssh format, and export to a file -# for sshs usage. -# NOTE: assumes that the primary key is the proper key to use -log debug "exporting ssh secret key..." -(umask 077 && \ - gpg_host --export-secret-key "$HOST_FINGERPRINT" | \ - openpgp2ssh "$HOST_FINGERPRINT" > "${MHDATADIR}/ssh_host_rsa_key") -log info "SSH host private key output to file: ${MHDATADIR}/ssh_host_rsa_key" +# export to ssh secret key file +create_ssh_sec_file -log debug "creating ssh public key..." -ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "$HOST_KEY_PUB" -log info "SSH host public key output to file: $HOST_KEY_PUB" +# export to ssh public key file +create_ssh_pub_file -# export public key to file -gpg_host_export_to_ssh_file +# export to gpg public key to file +create_gpg_pub_file # show info about new key show_key -- cgit v1.2.3 From ea4d25a641c19dc66c6066f46070065e22d46d91 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 15 Feb 2009 23:27:12 -0500 Subject: unbreakout some functions that were broken out earlier for handling creating ssh key files, since they are actually done in different ways under different circumstances. --- src/monkeysphere-host | 21 ++------------------- src/share/mh/gen_key | 19 +++++++++++++------ 2 files changed, 15 insertions(+), 25 deletions(-) (limited to 'src/share/mh/gen_key') diff --git a/src/monkeysphere-host b/src/monkeysphere-host index f79c2bb..32d843b 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host 
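Review bot: `load_fingerprint_secret` is called and the three `create_*` helpers run straight after it without any check that HOST_FINGERPRINT was actually populated; the helpers pass that variable to gpg (their bodies are visible in the following commit on this page), and an empty value would not abort here. Add a guard after the call: `[ "$HOST_FINGERPRINT" ] || failure "Could not determine fingerprint of the new host key."`. With the in-function existence check dropped in the previous hunk, gen_key now relies on its caller having run the new check_host_key first, and the create_* helpers overwrite their target files unconditionally; a precondition comment near the top of the function, such as `# precondition: caller has verified that no host key exists yet (check_host_key)`, keeps that from being lost. The comment `# export to gpg public key to file` also reads oddly and could be `# export the host public key to the gpg pub key file`. gen_key's body starts outside the hunk.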
@@ -97,23 +97,6 @@ gpg_host_export() { "0x${HOST_FINGERPRINT}!" } -# export the host secret key to the monkeysphere ssh sec key file -# NOTE: assumes that the primary key is the proper key to use -create_ssh_sec_file() { - log debug "creating ssh secret key file..." - (umask 077 && \ - gpg_host --export-secret-key "$HOST_FINGERPRINT" | \ - openpgp2ssh "$HOST_FINGERPRINT" > "${MHDATADIR}/ssh_host_rsa_key") - log info "SSH host secret key file: ${MHDATADIR}/ssh_host_rsa_key" -} - -# export the host public key to the monkeysphere ssh pub key file -create_ssh_pub_file() { - log debug "creating ssh public key file..." - ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "$HOST_KEY_PUB" - log info "SSH host public key file: $HOST_KEY_PUB" -} - # export the host public key to the monkeysphere gpg pub key file create_gpg_pub_file() { log debug "creating openpgp public key file..." @@ -194,7 +177,7 @@ find_host_userid() { # show info about the host key show_key() { gpg_host --fingerprint --list-key --list-options show-unusable-uids \ - "0x${HOST_FINGERPRINT}!" 2>/dev/null + "0x${HOST_FINGERPRINT}!" 2>/dev/null || true # FIXME: make sure expiration date is shown echo "OpenPGP fingerprint: $HOST_FINGERPRINT" @@ -307,7 +290,7 @@ case $COMMAND in usage: $PGRM expert [options] [args] expert subcommands: - import-key (i) [NAME[:PORT]] import existing ssh key to gpg + import-key (i) FILE [NAME[:PORT]] import existing ssh key to gpg gen-key (g) [NAME[:PORT]] generate gpg key for the host --length (-l) BITS key length in bits (2048) diagnostics (d) monkeysphere host status diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index 873ed02..3b9a269 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -13,7 +13,7 @@ gen_key() { -local hostName=$(hostname -f) +local hostName local keyType="RSA" local keyLength="2048" local keyUsage="auth" 
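Review bot: The `|| true` appended to the gpg_host listing in show_key silences every failure of that command (no such key, unreadable GNUPGHOME, malformed fingerprint), after which the function still prints `OpenPGP fingerprint: $HOST_FINGERPRINT` as if the listing had succeeded. If show_key is meant to be purely informational and must never abort its caller, say so on the line, e.g. `"0x${HOST_FINGERPRINT}!" 2>/dev/null || true  # informational only: a failed listing must not abort the caller`; otherwise capture the status and at least `log debug` that the listing failed. show_key's body continues outside the hunk.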
@@ -37,7 +37,7 @@ Type '$PGRM help' for usage." esac done -hostName="$1" +hostName=${1:-$(hostname -f)} userID="ssh://${hostName}" # create host home @@ -60,11 +60,18 @@ EOF # load the new host fpr into the fpr variable load_fingerprint_secret -# export to ssh secret key file -create_ssh_sec_file +# export the host secret key to the monkeysphere ssh sec key file +# NOTE: assumes that the primary key is the proper key to use +log debug "creating ssh secret key file..." +(umask 077 && \ + gpg_host --export-secret-key "$HOST_FINGERPRINT" | \ + openpgp2ssh "$HOST_FINGERPRINT" > "${MHDATADIR}/ssh_host_rsa_key") +log info "SSH host secret key file: ${MHDATADIR}/ssh_host_rsa_key" -# export to ssh public key file -create_ssh_pub_file +# export the host public key to the monkeysphere ssh pub key file +log debug "creating ssh public key file..." +ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "$HOST_KEY_PUB" +log info "SSH host public key file: $HOST_KEY_PUB" # export to gpg public key to file create_gpg_pub_file -- cgit v1.2.3 From b55981fb8aa689aede58ed7ab4d8692c52b5c472 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Feb 2009 01:08:28 -0500 Subject: make sure MHTMPDIR is defined and created --- src/monkeysphere-host | 4 ++++ src/share/mh/add_revoker | 2 +- src/share/mh/gen_key | 6 ++++-- src/share/mh/import_key | 6 ++++-- 4 files changed, 13 insertions(+), 5 deletions(-) (limited to 'src/share/mh/gen_key') diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 32d843b..d6e4c68 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -32,6 +32,10 @@ MHSHAREDIR="${SYSSHAREDIR}/mh" # datadir for host functions MHDATADIR="${SYSDATADIR}/host" +# temp directory for temp gnupghome directories for add_revoker +MHTMPDIR="${MHDATADIR}/tmp" +export MHTMPDIR + # host pub key files HOST_KEY_PUB="${SYSDATADIR}/ssh_host_rsa_key.pub" HOST_KEY_PUB_GPG="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" 
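Review bot: `hostName=${1:-$(hostname -f)}` never checks that the result is non-empty; if no argument is given and `hostname -f` fails or prints nothing, the next line builds `userID="ssh://"` and the key is generated with a host-less user ID. Separating the declaration from the command substitution (`local hostName` in the previous hunk of this file) stops the exit status being masked, but nothing acts on it here, so add `[ "$hostName" ] || failure "Could not determine host name."` before the userID line. gen_key's body continues outside the hunk.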
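Review bot: The inlined export `(umask 077 && gpg_host --export-secret-key "$HOST_FINGERPRINT" | openpgp2ssh "$HOST_FINGERPRINT" > "${MHDATADIR}/ssh_host_rsa_key")` is not checked: the subshell's status is that of the pipeline, i.e. of openpgp2ssh unless pipefail is enabled somewhere not visible here, so a failing gpg_host leaves an empty or truncated ssh_host_rsa_key, the `log info` line reports success, and the following `ssh-keygen -y -f` then reads the broken file. Append a check to the subshell, `... > "${MHDATADIR}/ssh_host_rsa_key") || failure "Could not export SSH host secret key."`, and likewise `ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "$HOST_KEY_PUB" || failure "Could not create SSH host public key file."`. Both redirections also overwrite existing files unconditionally, which is only safe because the caller runs check_host_key first; a one-line comment stating that precondition above the export would make it explicit. gen_key's body continues outside the hunk.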
diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker index 8d160a8..5b637a5 100644 --- a/src/share/mh/add_revoker +++ b/src/share/mh/add_revoker @@ -53,7 +53,7 @@ if [ -f "$keyID" ] ; then fi else # create a temporary directory for storing the downloaded key - TMPLOC=$(mktemp -d ${MHTMPDIR}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" + TMPLOC=$(mktemp -d "${MHTMPDIR}"/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!" # download the key from the keyserver as the monkeysphere user su_monkeysphere_user \ diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key index 3b9a269..96053bc 100644 --- a/src/share/mh/gen_key +++ b/src/share/mh/gen_key @@ -41,8 +41,10 @@ hostName=${1:-$(hostname -f)} userID="ssh://${hostName}" # create host home -mkdir -p "$GNUPGHOME_HOST" -chmod 700 "$GNUPGHOME_HOST" +mkdir -p "${MHDATADIR}" +mkdir -p "${MHTMPDIR}" +mkdir -p "${GNUPGHOME_HOST}" +chmod 700 "${GNUPGHOME_HOST}" log debug "generating host key..." gpg_host --batch --gen-key < Date: Mon, 16 Feb 2009 21:28:32 -0500 Subject: REMOVE GEN_KEY. The gen_key function is entirely removed. Decided this was OK now that import_key works, and we can't really see a reason to keep it around. We can resurect it down the line if need be. Also, removed "expert" subcommand, after promting import_key, since it may be need semi-regularly. The other "expert" commands are now just not listed in the usage. --- man/man8/monkeysphere-authentication.8 | 27 +++++------ man/man8/monkeysphere-host.8 | 46 ++++++------------- src/monkeysphere-authentication | 38 +++------------ src/monkeysphere-host | 53 +++++---------------- src/share/mh/gen_key | 84 ---------------------------------- 5 files changed, 43 insertions(+), 205 deletions(-) delete mode 100644 src/share/mh/gen_key (limited to 'src/share/mh/gen_key') diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8 index 2b0091e..4187c70 100644 
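Review bot: Quoting `"${MHTMPDIR}"` in the mktemp call is right, but add_revoker still assumes the directory exists: `mktemp -d` does not create the parent, and in this commit MHTMPDIR is only created in gen_key (and, per the diffstat, import_key), so on a host whose key was created before this change add-revoker fails with "Could not create temporary directory!". Add `mkdir -p "${MHTMPDIR}"` before the mktemp line, unless add_revoker already does so somewhere not visible here. The enclosing if/else in add_revoker starts and ends outside the hunk.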
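Review bot: Only `${GNUPGHOME_HOST}` gets `chmod 700`; `${MHDATADIR}` and the new `${MHTMPDIR}` are created with whatever the caller's umask allows. MHDATADIR is where ssh_host_rsa_key is written (the file itself is created under `umask 077`, the directory is not tightened), and the comment added to monkeysphere-host in this commit says MHTMPDIR is for temporary GnuPG homedirs, which I would expect gpg to want at 0700 as well (not verifiable from this page). Tighten it the same way as the host homedir: `mkdir -p "${MHTMPDIR}"` followed by `chmod 700 "${MHTMPDIR}"`, and consider the same for MHDATADIR. gen_key's body continues outside the hunk.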
--- a/man/man8/monkeysphere-authentication.8 +++ b/man/man8/monkeysphere-authentication.8 @@ -60,6 +60,17 @@ Instruct system to ignore user identity certifications made by KEYID. List key IDs trusted by the system to certify user identities. `c' may be used in place of `list-id-certifiers'. .TP +.B diagnostics +Review the state of the server with respect to authentication. `d' +may be used in place of `diagnostics'. +.TP +.B gpg-cmd +Execute a gpg command, as the monkeysphere user, on the monkeysphere +authentication "sphere" keyring. This takes a single argument +(multiple gpg arguments need to be quoted). Use this command with +caution, as modifying the authentication sphere keyring can affect ssh +user authentication. +.TP .B help Output a brief usage summary. `h' or `?' may be used in place of `help'. @@ -67,22 +78,6 @@ Output a brief usage summary. `h' or `?' may be used in place of .B version show version number -.SH "EXPERT" SUBCOMMANDS - -Some commands are very unlikely to be needed by most administrators. -These commands must prefaced by the word `expert'. -.TP -.B diagnostics -Review the state of the server with respect to authentication. `d' -may be used in place of `diagnostics'. -.TP -.B gpg-cmd -Execute a gpg command on the gnupg-authentication keyring as the -monkeysphere user. This takes a single command (multiple gpg -arguments need to be quoted). Use this command with caution, as -modifying the gnupg-authentication keyring can affect ssh user -authentication. - .SH SETUP USER AUTHENTICATION If the server will handle user authentication through diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 78b6b4a..062f0aa 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 
@@ -61,33 +61,13 @@ Revoke the host's OpenPGP key. `r' may be used in place of Publish the host's OpenPGP key to the keyserver. `p' may be used in place of `publish-key'. .TP -.B help -Output a brief usage summary. `h' or `?' may be used in place of -`help'. -.TP -.B version -show version number - -.SH "EXPERT" SUBCOMMANDS - -Some commands are very unlikely to be needed by most administrators. -These commands must prefaced by the word `expert'. -.TP -.B gen-key [HOSTNAME] -Generate a OpenPGP key for the host. If HOSTNAME is not specified, -then the system fully-qualified domain name will be user. An -alternate key bit length can be specified with the `-l' or `--length' -option (default 2048). An expiration length can be specified with the -`-e' or `--expire' option (prompt otherwise). The expiration format -is the same as that of \fBextend-key\fP, below. `g' may be used in -place of `gen-key'. -.TP -.B import-key -FIXME: - import-key (i) import existing ssh key to gpg - --hostname (-h) NAME[:PORT] hostname for key user ID - --keyfile (-f) FILE key file to import - --expire (-e) EXPIRE date to expire +.B import-key [NAME[:PORT]] +Import a pem-encoded ssh secret host key, from stdin. NAME[:PORT] is +used to specify the hostname (and port) used in the user ID of the new +OpenPGP key. If NAME is not specified, then the system +fully-qualified domain name will be used (ie. `hostname -f'). If PORT +is not specified, the no port is added to the user ID, which means +port 22 is assumed. `i' may be used in place of `import-key'. .TP .B diagnostics Review the state of the monkeysphere server host key and report on 
@@ -95,6 +75,13 @@ suggested changes. Among other checks, this includes making sure there is a valid host key, that the key is published, that the sshd configuration points to the right place, etc. `d' may be used in place of `diagnostics'. +.TP +.B help +Output a brief usage summary. `h' or `?' may be used in place of +`help'. +.TP +.B version +show version number .SH SETUP HOST AUTHENTICATION @@ -104,11 +91,6 @@ publish the host key to the keyservers, run the following command: $ monkeysphere-host publish-key -You must also modify the sshd_config on the server to tell sshd where -the new server host key is located: - -HostKey /var/lib/monkeysphere/host/ssh_host_rsa_key - In order for users logging into the system to be able to identify the host via the monkeysphere, at least one person (e.g. a server admin) will need to sign the host's key. This is done using standard OpenPGP diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 2d6079f..4a09527 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -61,12 +61,10 @@ subcommands: remove-id-certifier (c-) KEYID remove a certification key list-id-certifiers (c) list certification keys - expert run expert command - expert help expert command help - version (v) show version number help (h,?) this help +See ${PGRM}(8) for more info. EOF } @@ -176,35 +174,13 @@ case $COMMAND in list_certifiers "$@" ;; - 'expert') - SUBCOMMAND="$1" - shift - case "$SUBCOMMAND" in - 'help'|'h'|'?') - cat < [options] [args] - -expert subcommands: - diagnostics (d) monkeysphere authentication status - gpg-cmd CMD execute gpg command - -EOF - ;; - - 'diagnostics'|'d') - source "${MASHAREDIR}/diagnostics" - diagnostics - ;; - - 'gpg-cmd') - gpg_sphere "$@" - ;; + 'diagnostics'|'d') + source "${MASHAREDIR}/diagnostics" + diagnostics + ;; - *) - failure "Unknown expert subcommand: '$COMMAND' -Type '$PGRM help' for usage." - ;; - esac + 'gpg-cmd') + gpg_sphere "$@" ;; 'version'|'v') 
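Review bot: `'gpg-cmd') gpg_sphere "$@"` is now a top-level subcommand that runs arbitrary gpg arguments against the sphere keyring, and the commit deliberately leaves it (and the promoted `'diagnostics'|'d'` arm) out of the usage text while documenting both in the man page; nothing in the case arm records that the omission is intentional, so the next editor will either "fix" the usage or wonder why it is missing. Add a comment on the arm, e.g. `# intentionally not listed in usage; documented in monkeysphere-authentication(8) -- operates directly on the sphere keyring`, and the same for the unlisted arms in the src/monkeysphere-host hunk later in this commit. The enclosing `case $COMMAND in` starts and ends outside the hunk.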
diff --git a/src/monkeysphere-host b/src/monkeysphere-host index 64023e0..2e69d41 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -66,12 +66,12 @@ subcommands: revoke-key (r) revoke host key publish-key (p) publish host key to keyserver - expert run expert command - expert help expert command help + import-key (i) [NAME[:PORT]] import existing ssh key to gpg version (v) show version number help (h,?) this help +See ${PGRM}(8) for more info. EOF } @@ -269,47 +269,16 @@ case $COMMAND in publish_key ;; - 'expert') - SUBCOMMAND="$1" - shift - case "$SUBCOMMAND" in - 'help'|'h'|'?') - cat < [options] [args] - -expert subcommands: - import-key (i) [NAME[:PORT]] import existing ssh key to gpg - gen-key (g) [NAME[:PORT]] generate gpg key for the host - --length (-l) BITS key length in bits (2048) - diagnostics (d) monkeysphere host status + 'import-key'|'i') + load_fingerprint + check_host_key + source "${MHSHAREDIR}/import_key" + import_key "$@" + ;; -EOF - ;; - - 'import-key'|'i') - load_fingerprint - check_host_key - source "${MHSHAREDIR}/import_key" - import_key "$@" - ;; - - 'gen-key'|'g') - load_fingerprint - check_host_key - source "${MHSHAREDIR}/gen_key" - gen_key "$@" - ;; - - 'diagnostics'|'d') - source "${MHSHAREDIR}/diagnostics" - diagnostics - ;; - - *) - failure "Unknown expert subcommand: '$COMMAND' -Type '$PGRM help' for usage." - ;; - esac + 'diagnostics'|'d') + source "${MHSHAREDIR}/diagnostics" + diagnostics ;; 'version'|'v') diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key deleted file mode 100644 index 96053bc..0000000 --- a/src/share/mh/gen_key +++ /dev/null 
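Review bot: The new usage line `import-key (i) [NAME[:PORT]] import existing ssh key to gpg` does not say where the key comes from, while the man page rewritten in this commit states that the key is read from stdin; an operator working from the usage text alone may not realise the command expects the key on standard input. Suggest `import-key (i) [NAME[:PORT]] import existing ssh key (from stdin) to gpg`. The usage heredoc starts outside the hunk.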
@@ -1,84 +0,0 @@ -# -*-shell-script-*- -# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) - -# Monkeysphere host gen-key subcommand -# -# The monkeysphere scripts are written by: -# Jameson Rollins -# Jamie McClelland -# Daniel Kahn Gillmor -# -# They are Copyright 2008-2009, and are all released under the GPL, -# version 3 or later. - -gen_key() { - -local hostName -local keyType="RSA" -local keyLength="2048" -local keyUsage="auth" -local keyExpire="0" -local userID - -# get options -while true ; do - case "$1" in - -l|--length) - keyLength="$2" - shift 2 - ;; - *) - if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then - failure "Unknown option '$1'. -Type '$PGRM help' for usage." - fi - break - ;; - esac -done - -hostName=${1:-$(hostname -f)} -userID="ssh://${hostName}" - -# create host home -mkdir -p "${MHDATADIR}" -mkdir -p "${MHTMPDIR}" -mkdir -p "${GNUPGHOME_HOST}" -chmod 700 "${GNUPGHOME_HOST}" - -log debug "generating host key..." -gpg_host --batch --gen-key < "${MHDATADIR}/ssh_host_rsa_key") -log info "SSH host secret key file: ${MHDATADIR}/ssh_host_rsa_key" - -# export the host public key to the monkeysphere ssh pub key file -log debug "creating ssh public key file..." -ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "$HOST_KEY_PUB" -log info "SSH host public key file: $HOST_KEY_PUB" - -# export to gpg public key to file -create_gpg_pub_file - -# show info about new key -show_key - -} -- cgit v1.2.3