From 10888c602170f6157ff43a81bad920babdd6a59e Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 20 Feb 2009 12:27:01 -0500 Subject: monkeysphere-host revoke-key should now be capable of publishing the revocation certificate to the keyservers directly, should the admin want that. It can also run without prompting, if MONKEYSPHERE_PROMPT=false. In the no-prompts case, it never publishes to the keyserver, it indicates that the key was compromised, and it writes a boilerplate description to make it easy to identify this kind of certificate. --- src/share/mh/revoke_key | 66 +++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 59 insertions(+), 7 deletions(-) (limited to 'src/share/mh') diff --git a/src/share/mh/revoke_key b/src/share/mh/revoke_key index 380236b..271432b 100644 --- a/src/share/mh/revoke_key +++ b/src/share/mh/revoke_key @@ -18,6 +18,28 @@ revoke_key() { # Coming in here, we expect $HOST_FINGERPRINT to be set, and we # believe that there is in fact a key. + if [ "$PROMPT" = "false" ] ; then + publish=N + else + cat <&2 +This will generate a revocation certificate for your host key +(fingerprint: $HOST_FINGERPRINT) and +dump the certificate to standard output. + +It can also directly publish the new revocation certificate +to the public keyservers via $KEYSERVER if you want it to. + +Publishing this certificate will IMMEDIATELY and PERMANENTLY revoke +your host key! + +EOF + read -p "Publish the certificate after generation? (y/n/Q) " publish + + if ! [ "${publish/y/Y}" = 'Y' -o "${publish/n/N}" = 'N' ] ; then + failure "aborting at user request" + fi + fi + # our current implementation is very simple: we just want to # generate the revocation certificate on stdout. This provides # for the two most likely (but hopefully not common) scenarios: 
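Review bot: The answer check in the new prompt block of revoke_key uses the obsolescent `-o` operator inside `[ ]` and a `read` without `-r`, which makes the accept/abort logic harder to audit than it should be ahead of an irreversible action. A `case` states the accepted answers directly: `case "$publish" in y|Y|n|N) ;; *) failure "aborting at user request" ;; esac`, with `read -r -p ...` above it. The current test does fail closed, since an empty or multi-character answer aborts, and that property deserves a comment such as `# anything other than a single y/n aborts`. revoke_key starts before this hunk and continues after it.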
@@ -28,18 +50,48 @@ revoke_key() { # transcribe from the terminal. # Alternately, an admin might want to publish the revocation - # certificate immediately. here's a quick way to do this: + # certificate immediately, which we can help them do as well. + if [ "$PROMPT" = 'false' ] ; then + local revoke_commands="y +1 +Monkeysphere host key revocation (no prompting) $(date '+%F_%T') - # tmp=$(mktemp -d) - # export GNUPGHOME="$tmp" - # gpg --import < /var/lib/monkeysphere/ssh_host_rsa_key.pub.gpg - # monkeysphere-host revoke-key | gpg --import - # gpg --keyserver pool.sks-keyservers.net --send $(hostname -f) +y +" + revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg_host --command-fd 0 --armor --gen-revoke "0x${HOST_FINGERPRINT}!" <<<"$revoke_commands" ) \ + || failure "Failed to generate revocation certificate!" + + else # note: we're not using the gpg_host function because we actually # want to use gpg's UI in this case, so we want to omit --no-tty + revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${HOST_FINGERPRINT}!") \ + || failure "Failed to generate revocation certificate!" + fi + + # if you run gpg --gen-revoke but cancel it or quit in the middle, + # it returns success, but emits no revocation certificate: + if ! [ "$revcert" ] ; then + failure "Revocation canceled." + fi + + ## ok, now we have the revocation certificate. Print it, and + ## offer to publish if originally requested: + printf "%s\n" "$revcert" - GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${HOST_FINGERPRINT}!" + if [ "${publish/y/Y}" = 'Y' ] ; then + printf "\n" >&2 + read -p "Really publish this cert to $KEYSERVER ? 
(Y/n) " really + if [ "${really/n/N}" = 'N' ] ; then + printf "Not publishing.\n" >&2 + else + local newhome=$(mkmstempdir) + GNUPGHOME="$newhome" gpg --no-tty --quiet --import < "$HOST_KEY_FILE" + GNUPGHOME="$newhome" gpg --no-tty --quiet --import <<< "$revcert" + GNUPGHOME="$newhome" gpg --keyserver "$KEYSERVER" --send "0x${HOST_FINGERPRINT}!" + rm -rf "$newhome" + fi + fi } -- cgit v1.2.3 From d7141bd2a46b59e7637aa3c7a750fa4b6a925b64 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 20 Feb 2009 12:33:14 -0500 Subject: tune automated revocation certificate description; add FIXME to allow it to be set explicitly. --- src/share/mh/revoke_key | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'src/share/mh') diff --git a/src/share/mh/revoke_key b/src/share/mh/revoke_key index 271432b..ad68d5f 100644 --- a/src/share/mh/revoke_key +++ b/src/share/mh/revoke_key @@ -53,9 +53,13 @@ EOF # certificate immediately, which we can help them do as well. if [ "$PROMPT" = 'false' ] ; then + # FIXME: allow the end user to choose something other than + # "key was compromised" (1) and to supply their own revocation + # string. + local revoke_commands="y 1 -Monkeysphere host key revocation (no prompting) $(date '+%F_%T') +Monkeysphere host key revocation (automated) $(date '+%F_%T%z') y -- cgit v1.2.3 From cd4c36070c85283086ed914d8fd6ac77884173bb Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 20 Feb 2009 14:26:15 -0500 Subject: tweak/cleanup some of the prompts. --- src/share/ma/add_certifier | 4 ++-- src/share/ma/remove_certifier | 2 +- src/share/mh/add_hostname | 6 ++++-- src/share/mh/add_revoker | 4 ++-- src/share/mh/import_key | 15 +++++++++++++++ src/share/mh/revoke_hostname | 8 +++++--- 6 files changed, 29 insertions(+), 10 deletions(-) (limited to 'src/share/mh') diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index f2cadf2..a48db64 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier 
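Review bot: The final confirmation in the publish branch of revoke_key (`@@ -28,18 +50,48 @@`) fails open: `[ "${really/n/N}" = 'N' ]` matches only a bare `n` or `N`, so an answer of `no`, or a `read` that hits end of input, goes on to publish a revocation that the first prompt describes as permanent. The publish steps are also unchecked: `local newhome=$(mkmstempdir)` hides a failed mkmstempdir behind the exit status of `local`, and neither `gpg --import` nor the `--send` is tested, so if importing `$revcert` fails the key is still sent without its revocation and the function ends on `rm -rf` with a success status. I would accept only an empty answer or `y`/`Y` as consent, treat a failed `read` as a refusal, and chain the three gpg calls so that any failure removes the temporary home and reports through `failure`. The hunk closes revoke_key; the function begins outside it.

```shell
    # … unchanged: printf of $revcert and the outer test on $publish …
        read -r -p "Really publish this cert to $KEYSERVER ? (Y/n) " really || really=n
        case "$really" in
            ''|y|Y)
                local newhome
                newhome=$(mkmstempdir) || failure "Could not create temporary GnuPG home!"
                if GNUPGHOME="$newhome" gpg --no-tty --quiet --import < "$HOST_KEY_FILE" \
                    && GNUPGHOME="$newhome" gpg --no-tty --quiet --import <<< "$revcert" \
                    && GNUPGHOME="$newhome" gpg --keyserver "$KEYSERVER" --send "0x${HOST_FINGERPRINT}!" ; then
                    rm -rf "$newhome"
                else
                    rm -rf "$newhome"
                    failure "Failed to publish revocation certificate!"
                fi
                ;;
            *)
                printf "Not publishing.\n" >&2
                ;;
        esac
```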
@@ -126,8 +126,8 @@ else gpg_sphere "--fingerprint 0x${fingerprint}!" if [ "$PROMPT" = "true" ] ; then - echo "Are you sure you want to add the above key as a" - read -p "certifier of users on this system? (Y/n) " OK; OK=${OK:-Y} + echo "Are you sure you want to add the above key as a certifier" + read -p "of users on this system? (Y/n) " OK; OK=${OK:-Y} if [ "${OK/y/Y}" != 'Y' ] ; then failure "Identity certifier not added." fi diff --git a/src/share/ma/remove_certifier b/src/share/ma/remove_certifier index a9a1451..6c90358 100644 --- a/src/share/ma/remove_certifier +++ b/src/share/ma/remove_certifier @@ -27,7 +27,7 @@ fi gpg_core --list-key --fingerprint "0x${keyID}!" || failure if [ "$PROMPT" = "true" ] ; then - read -p "Really remove the identity certifier above? (Y/n) " OK; OK=${OK:-Y} + read -p "Really remove the above listed identity certifier? (Y/n) " OK; OK=${OK:-Y} if [ "${OK/y/Y}" != 'Y' ] ; then failure "Identity certifier not removed." fi diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname index 0da6a06..ec741ee 100644 --- a/src/share/mh/add_hostname +++ b/src/share/mh/add_hostname @@ -32,8 +32,10 @@ find_host_userid > /dev/null && \ failure "Host userID '$userID' already exists." if [ "$PROMPT" = "true" ] ; then - echo "The following user ID will be added to the host key:" - echo " $userID" + cat < Date: Sat, 21 Feb 2009 14:45:14 -0500 Subject: fix failure message in import_key --- src/share/mh/import_key | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/share/mh') diff --git a/src/share/mh/import_key b/src/share/mh/import_key index 7c11890..c545388 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key 
@@ -52,7 +52,7 @@ will be generated with the following user ID: EOF read -p "Are you sure you would like to create certificate? [Y/n] " OK; OK=${OK:-Y} if [ "${OK/y/Y}" != 'Y' ] ; then - failure "revoker not added." + failure "ssh key not imported." fi else log debug "importing key without prompting." -- cgit v1.2.3 From bb8f498db80efcfffdf60ef317254d7355ea54ef Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 21 Feb 2009 15:37:30 -0500 Subject: import-key now requires a hostname be specified, and no longer does any hostname guessing. this is so that we don't have to worry about prompting the user when guessing the hostname. also updated documentation. --- man/man8/monkeysphere-host.8 | 11 +++++------ src/monkeysphere-host | 2 +- src/share/mh/import_key | 30 ++---------------------------- website/getting-started-admin.mdwn | 14 ++++---------- 4 files changed, 12 insertions(+), 45 deletions(-) (limited to 'src/share/mh') diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 0a9fc1b..7909b62 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 
@@ -23,14 +23,13 @@ connection authentication. \fBmonkeysphere-host\fP takes various subcommands: .TP -.B import-key FILE [NAME[:PORT]] +.B import-key FILE NAME[:PORT] Import a pem-encoded ssh secret host key from file FILE. If FILE is '-', then the key will be imported from stdin. NAME[:PORT] is used -to specify the hostname (and port) used in the user ID of the new -OpenPGP key. If NAME is not specified, then the system -fully-qualified domain name will be used (ie. `hostname -f'). If PORT -is not specified, the no port is added to the user ID, which means -port 22 is assumed. `i' may be used in place of `import-key'. +to specify the fully-qualified hostname (and port) used in the user ID +of the new OpenPGP key. If PORT is not specified, the no port is +added to the user ID, which means port 22 is assumed. `i' may be used +in place of `import-key'. .TP .B show-key Output information about host's OpenPGP and SSH keys. `s' may be used diff --git a/src/monkeysphere-host b/src/monkeysphere-host index efa48cd..540a8ab 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -54,7 +54,7 @@ usage: $PGRM [options] [args] Monkeysphere host admin tool. subcommands: - import-key (i) FILE [NAME[:PORT]] import existing ssh key to gpg + import-key (i) FILE NAME[:PORT] import existing ssh key to gpg show-key (s) output all host key information publish-key (p) publish host key to keyserver set-expire (e) [EXPIRE] set host key expiration diff --git a/src/share/mh/import_key b/src/share/mh/import_key index c545388..f7c69c3 100644 --- a/src/share/mh/import_key +++ b/src/share/mh/import_key 
@@ -26,39 +26,13 @@ if [ -z "$sshKeyFile" ] ; then failure "Must specify ssh key file to import, or specify '-' for stdin." fi -# use the default hostname if not specified +# fail if hostname not specified if [ -z "$hostName" ] ; then - hostName=$(hostname -f) || failure "Could not determine hostname." - # test that the domain is not obviously illegitimate - domain=${foo##*.} - case $domain in - 'local'|'localdomain') - failure "Host domain '$domain' is not legitimate. Aborting key import." - ;; - esac - # test that there are at least two parts - if (( $(echo "$hostName" | tr . ' ' | wc -w) < 2 )) ; then - failure "Host name '$hostName' is not legitimate. Aborting key import." - fi + failure "You must specify a fully-qualified domain name for use in the host certificate user ID." fi userID="ssh://${hostName}" -if [ "$PROMPT" = "true" ] ; then - cat < Date: Sat, 21 Feb 2009 16:16:58 -0500 Subject: add tests to add_revoker and add_certifier that more than one key was not found when adding by using key ID. --- src/share/ma/add_certifier | 12 +++++++++++- src/share/mh/add_revoker | 12 +++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) (limited to 'src/share/mh') diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index a48db64..eba6893 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier 
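Review bot: The new `-z "$hostName"` test in import_key only rejects an empty name, so whatever the operator passes goes straight into `userID="ssh://${hostName}"`, whereas the removed guessing code at least refused single-label names and the `local`/`localdomain` domains. Since the failure message already asks for a fully-qualified domain name, the same place could enforce it, for example `case "$hostName" in *.*) ;; *) failure "Host name '$hostName' is not fully qualified." ;; esac`. This user ID is what other people will be asked to certify, so catching a bare or mistyped name before the key is created is cheaper than revoking the user ID afterwards. The tail of this hunk is cut off on this page, so a check further down may exist that is not visible here.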
@@ -120,7 +120,17 @@ else # get the full fingerprint of new certifier key log debug "getting fingerprint of certifier key..." fingerprint=$(gpg_sphere "--list-key --with-colons --with-fingerprint 0x${keyID}!" \ - | grep '^fpr:' | grep "$keyID" | cut -d: -f10) + | grep '^fpr:' | cut -d: -f10) + + # test that there is only a single fingerprint + if (( $(echo "$fingerprint" | wc -l) != 1 )) ; then + cat < Date: Sat, 21 Feb 2009 16:29:35 -0500 Subject: fix output formatting for cases where multiple fingerprints are found, in functions that are doing that sort of thing --- src/monkeysphere | 4 +--- src/share/ma/add_certifier | 2 +- src/share/mh/add_revoker | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) (limited to 'src/share/mh') diff --git a/src/monkeysphere b/src/monkeysphere index 0d8f4ff..fd96f45 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -87,9 +87,7 @@ check_gpg_sec_key_id() { ;; *) echo "Multiple primary secret keys found:" - for key in $(echo "$gpgSecOut" | cut -d: -f5) ; do - echo " $key" - done + echo "$gpgSecOut" | cut -d: -f5 echo "Please specify which primary key to use." failure ;; diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier index eba6893..6f85ecf 100644 --- a/src/share/ma/add_certifier +++ b/src/share/ma/add_certifier @@ -126,7 +126,7 @@ else if (( $(echo "$fingerprint" | wc -l) != 1 )) ; then cat < Date: Sat, 21 Feb 2009 16:48:30 -0500 Subject: make sure all prompt messages are going to stderr --- src/monkeysphere | 2 +- src/share/mh/add_hostname | 6 ++---- src/share/mh/add_revoker | 4 ++-- src/share/mh/revoke_hostname | 6 ++---- 4 files changed, 7 insertions(+), 11 deletions(-) (limited to 'src/share/mh') diff --git a/src/monkeysphere b/src/monkeysphere index fd96f45..371983f 100755 --- a/src/monkeysphere +++ b/src/monkeysphere 
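Review bot: In the first add_certifier hunk on this line (`@@ -120,7 +120,17 @@`), the single-fingerprint test `(( $(echo "$fingerprint" | wc -l) != 1 ))` also passes when no fingerprint was found, because `echo` of an empty string still emits one line. Unless a check outside the hunk already covers that case, an empty `$fingerprint` reaches the later `0x${fingerprint}!` lookup; adding `[ "$fingerprint" ] || failure "Key '$keyID' not found."` before the count closes the gap. Dropping `grep "$keyID"` also means every `fpr:` record gpg prints is counted, so if the gpg in use emits `fpr:` lines for subkeys as well, a key with subkeys would be rejected as ambiguous; that is worth confirming against the supported gpg versions. The commit subject says add_revoker received the same test, so the same point presumably applies there, though that hunk is not readable on this page.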
@@ -122,7 +122,7 @@ check_gpg_authentication_subkey() { fi # if authentication key is valid, prompt to continue if [ "$validity" = 'u' ] ; then - echo "A valid authentication key already exists for primary key '$keyID'." + echo "A valid authentication key already exists for primary key '$keyID'." 1>&2 if [ "$PROMPT" = "true" ] ; then read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:N} if [ "${OK/y/Y}" != 'Y' ] ; then diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname index ec741ee..b08d688 100644 --- a/src/share/mh/add_hostname +++ b/src/share/mh/add_hostname @@ -32,11 +32,9 @@ find_host_userid > /dev/null && \ failure "Host userID '$userID' already exists." if [ "$PROMPT" = "true" ] ; then - cat <
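Review bot: In check_gpg_authentication_subkey (`@@ -122,7 +122,7 @@`), the context line `OK=${OK:N}` is a substring expansion rather than the default-value form, so the `(y/N)` default is never actually applied. It happens to behave safely because an empty answer still takes the `!= 'Y'` branch, but that depends on no variable named `N` holding a number; `OK=${OK:-N}` is what the prompt intends. The function's body starts and ends outside the hunk.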