From 4793624c65673268128fb0146cd9bd1b3cfeb6c4 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 10 Jun 2008 17:17:51 -0400 Subject: New client/server components: - broke out all common functions to "common" file - put all client commands into "monkeysphere" script - put all server commands into "monkeysphere-server" script - moved all code into src directory to clean things up a bit - this effectively makes obsolete rhesus and howler - added proposed monkeysphere-ssh-proxycommand script that can be called to update known_hosts from ssh ProxyCommand - updated monkeysphere.conf to work as global client config - added monkeysphere-server.conf for server config --- src/common | 353 +++++++++++++++++++++++++++++ src/gpg2ssh/Makefile | 18 ++ src/gpg2ssh/gnutls-helpers.c | 364 +++++++++++++++++++++++++++++ src/gpg2ssh/gnutls-helpers.h | 72 ++++++ src/gpg2ssh/gpg2ssh.c | 293 ++++++++++++++++++++++++ src/gpg2ssh/main.c | 271 ++++++++++++++++++++++ src/gpg2ssh/ssh2gpg.c | 171 ++++++++++++++ src/howler/howler | 134 +++++++++++ src/monkeysphere | 154 +++++++++++++ src/monkeysphere-server | 219 ++++++++++++++++++ src/monkeysphere-ssh-proxycommand | 16 ++ src/rhesus/README | 30 +++ src/rhesus/rhesus | 466 ++++++++++++++++++++++++++++++++++++++ 13 files changed, 2561 insertions(+) create mode 100755 src/common create mode 100644 src/gpg2ssh/Makefile create mode 100644 src/gpg2ssh/gnutls-helpers.c create mode 100644 src/gpg2ssh/gnutls-helpers.h create mode 100644 src/gpg2ssh/gpg2ssh.c create mode 100644 src/gpg2ssh/main.c create mode 100644 src/gpg2ssh/ssh2gpg.c create mode 100755 src/howler/howler create mode 100755 src/monkeysphere create mode 100755 src/monkeysphere-server create mode 100755 src/monkeysphere-ssh-proxycommand create mode 100644 src/rhesus/README create mode 100755 src/rhesus/rhesus (limited to 'src') diff --git a/src/common b/src/common new file mode 100755 index 0000000..8643080 --- /dev/null +++ b/src/common @@ -0,0 +1,353 @@ +# -*-shell-script-*- + +# Shared bash functions for the monkeysphere +# +# Written by +# Jameson Rollins +# +# Copyright 2008, released under the GPL, version 3 or later + +# all caps variables are meant to be user supplied (ie. from config +# file) and are considered global + +######################################################################## +# managed directories +ETC="/etc/monkeysphere" +export ETC +LIB="/var/lib/monkeysphere" +export LIB +######################################################################## + +failure() { + echo "$1" >&2 + exit ${2:-'1'} +} + +# write output to stdout +log() { + echo -n "ms: " + echo "$@" +} + +# write output to stderr +loge() { + echo -n "ms: " 1>&2 + echo "$@" 1>&2 +} + +# cut out all comments(#) and blank lines from standard input +meat() { + grep -v -e "^[[:space:]]*#" -e '^$' +} + +# cut a specified line from standard input +cutline() { + head --line="$1" | tail -1 +} + +# retrieve all keys with given user id from keyserver +# FIXME: need to figure out how to retrieve all matching keys +# (not just first 5) +gpg_fetch_keys() { + local id + id="$1" + echo 1,2,3,4,5 | \ + gpg --quiet --batch --command-fd 0 --with-colons \ + --keyserver "$KEYSERVER" \ + --search ="$id" >/dev/null 2>&1 +} + +# check that characters are in a string (in an AND fashion). +# used for checking key capability +# check_capability capability a [b...] +check_capability() { + local capability + local capcheck + + capability="$1" + shift 1 + + for capcheck ; do + if echo "$capability" | grep -q -v "$capcheck" ; then + return 1 + fi + done + return 0 +} + +# convert escaped characters from gpg output back into original +# character +# FIXME: undo all escape character translation in with-colons gpg output +unescape() { + echo "$1" | sed 's/\\x3a/:/' +} + +# stand in until we get dkg's gpg2ssh program +gpg2ssh_tmp() { + local keyID + local userID + local host + + keyID="$2" + userID="$3" + + if [ "$mode" = 'authorized_keys' ] ; then + gpgkey2ssh "$keyID" | sed -e "s/COMMENT/${userID}/" + + # NOTE: it seems that ssh-keygen -R removes all comment fields from + # all lines in the known_hosts file. why? + # NOTE: just in case, the COMMENT can be matched with the + # following regexp: + # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' + elif [ "$MODE" = 'known_hosts' ] ; then + host=$(echo "$userID" | sed -e "s|ssh://||") + echo -n "$host "; gpgkey2ssh "$keyID" | sed -e "s/COMMENT/MonkeySphere${DATE}/" + fi +} + +# userid and key policy checking +# the following checks policy on the returned keys +# - checks that full key has appropriate valididy (u|f) +# - checks key has specified capability (REQUIRED_KEY_CAPABILITY) +# - checks that particular desired user id has appropriate validity +# see /usr/share/doc/gnupg/DETAILS.gz +# expects global variable: "MODE" +process_user_id() { + local userID + local cacheDir + local requiredPubCapability + local gpgOut + local line + local type + local validity + local keyid + local uidfpr + local capability + local keyOK + local pubKeyID + local uidOK + local keyIDs + local userIDHash + local keyID + + userID="$1" + cacheDir="$2" + + requiredPubCapability=$(echo "$REQUIRED_KEY_CAPABILITY" | tr "[:lower:]" "[:upper:]") + + # fetch keys from keyserver, return 1 if none found + gpg_fetch_keys "$userID" || return 1 + + # output gpg info for (exact) userid and store + gpgOut=$(gpg --fixed-list-mode --list-key --with-colons \ + ="$userID" 2> /dev/null) + + # return 1 if there only "tru" lines are output from gpg + if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then + loge " key not found." + return 1 + fi + + # loop over all lines in the gpg output and process. + # need to do it this way (as opposed to "while read...") so that + # variables set in loop will be visible outside of loop + for line in $(seq 1 $(echo "$gpgOut" | wc -l)) ; do + + # read the contents of the line + type=$(echo "$gpgOut" | cutline "$line" | cut -d: -f1) + validity=$(echo "$gpgOut" | cutline "$line" | cut -d: -f2) + keyid=$(echo "$gpgOut" | cutline "$line" | cut -d: -f5) + uidfpr=$(echo "$gpgOut" | cutline "$line" | cut -d: -f10) + capability=$(echo "$gpgOut" | cutline "$line" | cut -d: -f12) + + # process based on record type + case $type in + 'pub') # primary keys + # new key, wipe the slate + keyOK= + pubKeyID= + uidOK= + keyIDs= + + pubKeyID="$keyid" + + # check primary key validity + if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then + loge " unacceptable primary key validity ($validity)." + continue + fi + # check capability is not Disabled... + if check_capability "$capability" 'D' ; then + loge " key disabled." + continue + fi + # check overall key capability + # must be Encryption and Authentication + if ! check_capability "$capability" $requiredPubCapability ; then + loge " unacceptable primary key capability ($capability)." + continue + fi + + # mark if primary key is acceptable + keyOK=true + + # add primary key ID to key list if it has required capability + if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then + keyIDs[${#keyIDs[*]}]="$keyid" + fi + ;; + 'uid') # user ids + # check key ok and we have key fingerprint + if [ -z "$keyOK" ] ; then + continue + fi + # check key validity + if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then + continue + fi + # check the uid matches + if [ "$(unescape "$uidfpr")" != "$userID" ] ; then + continue + fi + + # mark if uid acceptable + uidOK=true + ;; + 'sub') # sub keys + # add sub key ID to key list if it has required capability + if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then + keyIDs[${#keyIDs[*]}]="$keyid" + fi + ;; + esac + done + + # hash userid for cache file name + userIDHash=$(echo "$userID" | sha1sum | awk '{ print $1 }') + + # touch/clear key cache file + # (will be left empty if there are noacceptable keys) + > "$cacheDir"/"$userIDHash"."$pubKeyID" + + # for each acceptable key, write an ssh key line to the + # key cache file + if [ "$keyOK" -a "$uidOK" -a "${keyIDs[*]}" ] ; then + for keyID in ${keyIDs[@]} ; do + loge " acceptable key/uid found." + + # export the key with gpg2ssh + # FIXME: needs to apply extra options for authorized_keys + # lines if specified + gpg2ssh_tmp "$keyID" "$userID" >> "$cacheDir"/"$userIDHash"."$pubKeyID" + + # hash the cache file if specified + if [ "$MODE" = 'known_hosts' -a "$HASH_KNOWN_HOSTS" ] ; then + ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1 + rm "$cacheDir"/"$userIDHash"."$pubKeyID".old + fi + done + fi + + # echo the path to the key cache file + echo "$cacheDir"/"$userIDHash"."$pubKeyID" +} + +# process a host for addition to a known_host file +process_host() { + local host + local cacheDir + local hostKeyCachePath + + host="$1" + cacheDir="$2" + + log "processing host: '$host'" + + hostKeyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") + if [ $? = 0 ] ; then + ssh-keygen -R "$host" -f "$USER_KNOWN_HOSTS" + cat "$hostKeyCachePath" >> "$USER_KNOWN_HOSTS" + fi +} + +# process known_hosts file +# go through line-by-line, extract each host, and process with the +# host processing function +process_known_hosts() { + local knownHosts + local cacheDir + local hosts + local host + + knownHosts="$1" + cacheDir="$2" + + # take all the hosts from the known_hosts file (first field), + # grep out all the hashed hosts (lines starting with '|') + cut -d ' ' -f 1 "$knownHosts" | \ + grep -v '^|.*$' | \ + while IFS=, read -r -a hosts ; do + # process each host + for host in ${hosts[*]} ; do + process_host "$host" "$cacheDir" + done + done +} + +# process authorized_keys file +# go through line-by-line, extract monkeysphere userids from comment +# fields, and process each userid +process_authorized_keys() { + local authorizedKeys + local cacheDir + local userID + + authorizedKeys="$1" + cacheDir="$2" + + # take all the monkeysphere userids from the authorized_keys file + # comment field (third field) that starts with "MonkeySphere uid:" + # FIXME: needs to handle authorized_keys options (field 0) + cat "$authorizedKeys" | \ + while read -r options keytype key comment ; do + # if the comment field is empty, assume the third field was + # the comment + if [ -z "$comment" ] ; then + comment="$key" + fi + if ! echo "$comment" | grep '^MonkeySphere userID:.*$' ; then + continue + fi + userID=$(echo "$comment" | sed -e "/^MonkeySphere userID://") + if [ -z "$userID" ] ; then + continue + fi + # process the userid + log "processing userid: '$userID'" + process_user_id "$userID" "$cacheDir" > /dev/null + done +} + +# process an authorized_*_ids file +# go through line-by-line, extract each userid, and process +process_authorized_ids() { + local authorizedIDs + local cacheDir + local userID + + authorizedIDs="$1" + cacheDir="$2" + + # clean out keys file and remake keys directory + rm -rf "$cacheDir" + mkdir -p "$cacheDir" + + # loop through all user ids in file + # FIXME: needs to handle authorized_keys options + cat "$authorizedIDs" | meat | \ + while read -r userID ; do + # process the userid + log "processing userid: '$userID'" + process_user_id "$userID" "$cacheDir" > /dev/null + done +} diff --git a/src/gpg2ssh/Makefile b/src/gpg2ssh/Makefile new file mode 100644 index 0000000..a0b7241 --- /dev/null +++ b/src/gpg2ssh/Makefile @@ -0,0 +1,18 @@ +all: monkeysphere gpg2ssh + +monkeysphere: main.c gnutls-helpers.o + gcc -g -Wall --pedantic -o monkeysphere main.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o + +gpg2ssh: gpg2ssh.c gnutls-helpers.o + gcc -g -Wall --pedantic -o gpg2ssh gpg2ssh.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o + +ssh2gpg: ssh2gpg.c gnutls-helpers.o + gcc -g -Wall --pedantic -o ssh2gpg ssh2gpg.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o + +%.o: %.c + gcc -g -Wall --pedantic -o $@ -c $< + +clean: + rm -f monkeysphere gpg2ssh *.o + +.PHONY: clean all diff --git a/src/gpg2ssh/gnutls-helpers.c b/src/gpg2ssh/gnutls-helpers.c new file mode 100644 index 0000000..6eae29e --- /dev/null +++ b/src/gpg2ssh/gnutls-helpers.c @@ -0,0 +1,364 @@ +/* Author: Daniel Kahn Gillmor */ +/* Date: Fri, 04 Apr 2008 19:31:16 -0400 */ +/* License: GPL v3 or later */ + +#include "gnutls-helpers.h" +/* for htonl() */ +#include + +/* for setlocale() */ +#include + +/* for isalnum() */ +#include + +int loglevel = 0; + + +void err(const char* fmt, ...) { + va_list ap; + va_start(ap, fmt); + vfprintf(stderr, fmt, ap); + va_end(ap); + fflush(stderr); +} + +void logfunc(int level, const char* string) { + fprintf(stderr, "GnuTLS Logging (%d): %s\n", level, string); +} + +void init_keyid(gnutls_openpgp_keyid_t keyid) { + memset(keyid, 'x', sizeof(gnutls_openpgp_keyid_t)); +} + + + +void make_keyid_printable(printable_keyid out, gnutls_openpgp_keyid_t keyid) +{ + static const char hex[16] = "0123456789ABCDEF"; + unsigned int kix = 0, outix = 0; + + while (kix < sizeof(gnutls_openpgp_keyid_t)) { + out[outix] = hex[(keyid[kix] >> 4) & 0x0f]; + out[outix + 1] = hex[keyid[kix] & 0x0f]; + kix++; + outix += 2; + } +} + + +int init_gnutls() { + const char* version = NULL; + const char* debug_string = NULL; + int ret; + + if (ret = gnutls_global_init(), ret) { + err("Failed to do gnutls_global_init() (error: %d)\n", ret); + return 1; + } + + version = gnutls_check_version(NULL); + + if (version) + err("gnutls version: %s\n", version); + else { + err("no version found!\n"); + return 1; + } + + if (debug_string = getenv("MONKEYSPHERE_DEBUG"), debug_string) { + loglevel = atoi(debug_string); + gnutls_global_set_log_function(logfunc); + + gnutls_global_set_log_level(loglevel); + err("set log level to %d\n", loglevel); + } + return 0; +} + +void init_datum(gnutls_datum_t* d) { + d->data = NULL; + d->size = 0; +} +void copy_datum(gnutls_datum_t* dest, const gnutls_datum_t* src) { + dest->data = gnutls_realloc(dest->data, src->size); + dest->size = src->size; + memcpy(dest->data, src->data, src->size); +} +int compare_data(const gnutls_datum_t* a, const gnutls_datum_t* b) { + if (a->size > b->size) { + err("a is larger\n"); + return 1; + } + if (a->size < b->size) { + err("b is larger\n"); + return -1; + } + return memcmp(a->data, b->data, a->size); +} +void free_datum(gnutls_datum_t* d) { + gnutls_free(d->data); + d->data = NULL; + d->size = 0; +} + +/* read the passed-in string, store in a single datum */ +int set_datum_string(gnutls_datum_t* d, const char* s) { + unsigned int x = strlen(s)+1; + unsigned char* c = NULL; + + c = gnutls_realloc(d->data, x); + if (NULL == c) + return -1; + d->data = c; + d->size = x; + memcpy(d->data, s, x); + return 0; +} + +/* read the passed-in file descriptor until EOF, store in a single + datum */ +int set_datum_fd(gnutls_datum_t* d, int fd) { + unsigned int bufsize = 1024; + unsigned int len = 0; + + FILE* f = fdopen(fd, "r"); + if (bufsize > d->size) { + bufsize = 1024; + d->data = gnutls_realloc(d->data, bufsize); + if (d->data == NULL) { + err("out of memory!\n"); + return -1; + } + d->size = bufsize; + } else { + bufsize = d->size; + } + f = fdopen(fd, "r"); + if (NULL == f) { + err("could not fdopen FD %d\n", fd); + } + clearerr(f); + while (!feof(f) && !ferror(f)) { + if (len == bufsize) { + /* allocate more space by doubling: */ + bufsize *= 2; + d->data = gnutls_realloc(d->data, bufsize); + if (d->data == NULL) { + err("out of memory!\n"); + return -1; + }; + d->size = bufsize; + } + len += fread(d->data + len, 1, bufsize - len, f); + /* err("read %d bytes\n", len); */ + } + if (ferror(f)) { + err("Error reading from fd %d (error: %d) (error: %d '%s')\n", fd, ferror(f), errno, strerror(errno)); + return -1; + } + + /* touch up buffer size to match reality: */ + d->data = gnutls_realloc(d->data, len); + d->size = len; + return 0; +} + +/* read the file indicated (by name) in the fname parameter. store + its entire contents in a single datum. */ +int set_datum_file(gnutls_datum_t* d, const char* fname) { + struct stat sbuf; + unsigned char* c = NULL; + FILE* file = NULL; + size_t x = 0; + + if (0 != stat(fname, &sbuf)) { + err("failed to stat '%s'\n", fname); + return -1; + } + + c = gnutls_realloc(d->data, sbuf.st_size); + if (NULL == c) { + err("failed to allocate %d bytes for '%s'\n", sbuf.st_size, fname); + return -1; + } + + d->data = c; + d->size = sbuf.st_size; + file = fopen(fname, "r"); + if (NULL == file) { + err("failed to open '%s' for reading\n", fname); + return -1; + } + + x = fread(d->data, d->size, 1, file); + if (x != 1) { + err("tried to read %d bytes, read %d instead from '%s'\n", d->size, x, fname); + fclose(file); + return -1; + } + fclose(file); + return 0; +} + +int write_datum_fd(int fd, const gnutls_datum_t* d) { + if (d->size != write(fd, d->data, d->size)) { + err("failed to write body of datum.\n"); + return -1; + } + return 0; +} + + +int write_datum_fd_with_length(int fd, const gnutls_datum_t* d) { + uint32_t len; + int looks_negative = (d->data[0] & 0x80); + unsigned char zero = 0; + + /* if the first bit is 1, then the datum will appear negative in the + MPI encoding style used by OpenSSH. In that case, we'll increase + the length by one, and dump out one more byte */ + + if (looks_negative) { + len = htonl(d->size + 1); + } else { + len = htonl(d->size); + } + if (write(fd, &len, sizeof(len)) != sizeof(len)) { + err("failed to write size of datum.\n"); + return -2; + } + if (looks_negative) { + if (write(fd, &zero, 1) != 1) { + err("failed to write padding byte for MPI.\n"); + return -2; + } + } + return write_datum_fd(fd, d); +} + +int write_data_fd_with_length(int fd, const gnutls_datum_t** d, unsigned int num) { + unsigned int i; + int ret; + + for (i = 0; i < num; i++) + if (ret = write_datum_fd_with_length(fd, d[i]), ret != 0) + return ret; + + return 0; +} + + +int datum_from_string(gnutls_datum_t* d, const char* str) { + d->size = strlen(str); + d->data = gnutls_realloc(d->data, d->size); + if (d->data == 0) + return ENOMEM; + memcpy(d->data, str, d->size); + return 0; +} + + +int create_writing_pipe(pid_t* pid, const char* path, char* const argv[]) { + int p[2]; + int ret; + + if (pid == NULL) { + err("bad pointer passed to create_writing_pipe()\n"); + return -1; + } + + if (ret = pipe(p), ret == -1) { + err("failed to create a pipe (error: %d \"%s\")\n", errno, strerror(errno)); + return -1; + } + + *pid = fork(); + if (*pid == -1) { + err("Failed to fork (error: %d \"%s\")\n", errno, strerror(errno)); + return -1; + } + if (*pid == 0) { /* this is the child */ + close(p[1]); /* close unused write end */ + + if (0 != dup2(p[0], 0)) { /* map the reading end into stdin */ + err("Failed to transfer reading file descriptor to stdin (error: %d \"%s\")\n", errno, strerror(errno)); + exit(1); + } + execv(path, argv); + err("exec %s failed (error: %d \"%s\")\n", path, errno, strerror(errno)); + /* close the open file descriptors */ + close(p[0]); + close(0); + + exit(1); + } else { /* this is the parent */ + close(p[0]); /* close unused read end */ + return p[1]; + } +} + +int validate_ssh_host_userid(const char* userid) { + char* oldlocale = setlocale(LC_ALL, "C"); + + /* choke if userid does not match the expected format + ("ssh://fully.qualified.domain.name") */ + if (strncmp("ssh://", userid, strlen("ssh://")) != 0) { + err("The user ID should start with ssh:// for a host key\n"); + goto fail; + } + /* so that isalnum will work properly */ + userid += strlen("ssh://"); + while (0 != (*userid)) { + if (!isalnum(*userid)) { + err("label did not start with a letter or a digit! (%s)\n", userid); + goto fail; + } + userid++; + while (isalnum(*userid) || ('-' == (*userid))) + userid++; + if (('.' == (*userid)) || (0 == (*userid))) { /* clean end of label: + check last char + isalnum */ + if (!isalnum(*(userid - 1))) { + err("label did not end with a letter or a digit!\n"); + goto fail; + } + if ('.' == (*userid)) /* advance to the start of the next label */ + userid++; + } else { + err("invalid character in domain name: %c\n", *userid); + goto fail; + } + } + /* ensure that the last character is valid: */ + if (!isalnum(*(userid - 1))) { + err("hostname did not end with a letter or a digit!\n"); + goto fail; + } + /* FIXME: fqdn's can be unicode now, thanks to RFC 3490 -- how do we + make sure that we've got an OK string? */ + + return 0; + + fail: + setlocale(LC_ALL, oldlocale); + return 1; +} + +/* http://tools.ietf.org/html/rfc4880#section-5.5.2 */ +size_t get_openpgp_mpi_size(gnutls_datum_t* d) { + return 2 + d->size; +} + +int write_openpgp_mpi_to_fd(int fd, gnutls_datum_t* d) { + uint16_t x; + + x = d->size * 8; + x = htons(x); + + write(fd, &x, sizeof(x)); + write(fd, d->data, d->size); + + return 0; +} diff --git a/src/gpg2ssh/gnutls-helpers.h b/src/gpg2ssh/gnutls-helpers.h new file mode 100644 index 0000000..9ea22a3 --- /dev/null +++ b/src/gpg2ssh/gnutls-helpers.h @@ -0,0 +1,72 @@ +/* Author: Daniel Kahn Gillmor */ +/* Date: Fri, 04 Apr 2008 19:31:16 -0400 */ +/* License: GPL v3 or later */ + + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* Functions to help dealing with GnuTLS for monkeysphere key + translation projects: */ + +/* set everything up, including logging levels. Return 0 on + success */ +int init_gnutls(); + +/* logging and output functions: */ + +void err(const char* fmt, ...); +void logfunc(int level, const char* string); + +/* basic datum manipulations: */ + +void init_datum(gnutls_datum_t* d); +void copy_datum(gnutls_datum_t* dest, const gnutls_datum_t* src); +int compare_data(const gnutls_datum_t* a, const gnutls_datum_t* b); +void free_datum(gnutls_datum_t* d); +int write_datum_fd(int fd, const gnutls_datum_t* d); +int write_datum_fd_with_length(int fd, const gnutls_datum_t* d); +int write_data_fd_with_length(int fd, const gnutls_datum_t** d, unsigned int num); + +/* set up a datum from a null-terminated string */ +int datum_from_string(gnutls_datum_t* d, const char* str); + +/* keyid manipulations: */ +typedef unsigned char printable_keyid[16]; + +void init_keyid(gnutls_openpgp_keyid_t keyid); +void make_keyid_printable(printable_keyid out, gnutls_openpgp_keyid_t keyid); + +/* functions to get data into datum objects: */ + +/* read the passed-in string, store in a single datum */ +int set_datum_string(gnutls_datum_t* d, const char* s); + +/* read the passed-in file descriptor until EOF, store in a single + datum */ +int set_datum_fd(gnutls_datum_t* d, int fd); + +/* read the file indicated (by name) in the fname parameter. store + its entire contents in a single datum. */ +int set_datum_file(gnutls_datum_t* d, const char* fname); + +/* set up file descriptor pipe for writing (child process pid gets + stored in pid, fd is returned)*/ +int create_writing_pipe(pid_t* pid, const char* path, char* const argv[]); + +/* return 0 if userid matches the monkeysphere spec for ssh host user IDs */ +int validate_ssh_host_userid(const char* userid); + +/* how many bytes will it take to write out this datum in OpenPGP MPI form? */ +size_t get_openpgp_mpi_size(gnutls_datum_t* d); + +/* write the MPI stored in gnutls_datum_t to file descriptor fd: */ +int write_openpgp_mpi_to_fd(int fd, gnutls_datum_t* d); diff --git a/src/gpg2ssh/gpg2ssh.c b/src/gpg2ssh/gpg2ssh.c new file mode 100644 index 0000000..c99f03f --- /dev/null +++ b/src/gpg2ssh/gpg2ssh.c @@ -0,0 +1,293 @@ +#include "gnutls-helpers.h" + +#include +#include + +/* for waitpid() */ +#include +#include + +/* + Author: Daniel Kahn Gillmor + Date: Tue, 08 Apr 2008 + License: GPL v3 or later + + monkeysphere public key translator: execute this with an GPG + certificate (public key(s) + userid(s)) on stdin. It currently + only works with RSA keys. + + It will spit out a version of the first key capable of being used + for authentication on stdout. The output format should be suitable + for appending a known_hosts file. + + Requirements: I've only built this so far with GnuTLS v2.3.4 -- + version 2.2.0 does not contain the appropriate pieces. + + */ + +int main(int argc, char* argv[]) { + gnutls_datum_t data; + int ret; + gnutls_openpgp_crt_t openpgp_crt; + gnutls_openpgp_keyid_t keyid; + printable_keyid p_keyid; + unsigned int keyidx; + unsigned int usage, bits; + gnutls_pk_algorithm_t algo; + + gnutls_datum_t m, e, p, q, g, y; + gnutls_datum_t algolabel; + + char output_data[10240]; + char userid[10240]; + size_t uidsz = sizeof(userid); + + const gnutls_datum_t* all[5]; + int pipefd; + pid_t child_pid; + char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL}; + const char* algoname; + int mpicount; + int pipestatus; + + init_gnutls(); + + init_datum(&data); + + init_datum(&m); + init_datum(&e); + init_datum(&p); + init_datum(&q); + init_datum(&g); + init_datum(&y); + + init_datum(&algolabel); + + init_keyid(keyid); + + /* slurp in the private key from stdin */ + if (ret = set_datum_fd(&data, 0), ret) { + err("didn't read file descriptor 0\n"); + return 1; + } + + + if (ret = gnutls_openpgp_crt_init(&openpgp_crt), ret) { + err("Failed to initialize OpenPGP certificate (error: %d)\n", ret); + return 1; + } + + /* format could be either: GNUTLS_OPENPGP_FMT_RAW, + GNUTLS_OPENPGP_FMT_BASE64; if MONKEYSPHERE_RAW is set, use RAW, + otherwise, use BASE64: */ + + /* FIXME: we should be auto-detecting the input format, and + translating it as needed. */ + + if (getenv("MONKEYSPHERE_RAW")) { + err("assuming RAW formatted certificate\n"); + if (ret = gnutls_openpgp_crt_import(openpgp_crt, &data, GNUTLS_OPENPGP_FMT_RAW), ret) { + err("failed to import the OpenPGP certificate in RAW format (error: %d)\n", ret); + return ret; + } + } else { + err("assuming BASE64 formatted certificate\n"); + if (ret = gnutls_openpgp_crt_import (openpgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64), ret) { + err("failed to import the OpenPGP certificate in BASE64 format (error: %d)\n", ret); + return ret; + } + } + + if (gnutls_openpgp_crt_get_revoked_status(openpgp_crt)) { + err("the primary key was revoked!\n"); + return 1; + } + + /* FIXME: We're currently looking at the primary key or maybe the + first authentication-capable subkey. + + Instead, we should be iterating through the primary key and all + subkeys: for each one with the authentication usage flag set of a + algorithm we can handle, we should output matching UserIDs and + the SSH version of the key. */ + + + if (ret = gnutls_openpgp_crt_get_key_usage(openpgp_crt, &usage), ret) { + err("failed to get the usage flags for the primary key (error: %d)\n", ret); + return ret; + } + if (usage & GNUTLS_KEY_KEY_AGREEMENT && + usage & GNUTLS_KEY_KEY_ENCIPHERMENT) { + err("the primary key can be used for authentication and communication encryption!\n"); + + algo = gnutls_openpgp_crt_get_pk_algorithm(openpgp_crt, &bits); + if (algo < 0) { + err("failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo); + return algo; + } else if (algo == GNUTLS_PK_RSA) { + + err("OpenPGP RSA certificate, with %d bits\n", bits); + ret = gnutls_openpgp_crt_get_pk_rsa_raw(openpgp_crt, &m, &e); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export RSA key parameters (error: %d)\n", ret); + return 1; + } + } else if (algo == GNUTLS_PK_DSA) { + err("OpenPGP DSA Key, with %d bits\n", bits); + ret = gnutls_openpgp_crt_get_pk_dsa_raw(openpgp_crt, &p, &q, &g, &y); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export DSA key parameters (error: %d)\n", ret); + return 1; + } + } else { + err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo); + return 1; + } + + } else { + err("primary key is not good for authentication and communication encryption. Trying subkeys...\n"); + + if (ret = gnutls_openpgp_crt_get_auth_subkey(openpgp_crt, keyid, 0), ret) { + err("failed to find a subkey capable of authentication and communication encryption (error: %d)\n", ret); + return ret; + } + make_keyid_printable(p_keyid, keyid); + err("found authentication subkey %.16s\n", p_keyid); + + ret = gnutls_openpgp_crt_get_subkey_idx(openpgp_crt, keyid); + if (ret < 0) { + err("could not get the index of subkey %.16s (error: %d)\n", ret); + return ret; + } + keyidx = ret; + + if (gnutls_openpgp_crt_get_subkey_revoked_status(openpgp_crt, keyidx)) { + err("The authentication subkey was revoked!\n"); + return 1; + } + + if (ret = gnutls_openpgp_crt_get_subkey_usage(openpgp_crt, keyidx, &usage), ret) { + err("could not figure out usage of subkey %.16s (error: %d)\n", p_keyid, ret); + return ret; + } + if ((usage & GNUTLS_KEY_KEY_AGREEMENT) == 0 && + usage & GNUTLS_KEY_KEY_ENCIPHERMENT) { + err("could not find a subkey with authentication and communication encryption.\n"); + return 1; + } + + /* switch, based on the algorithm in question, to extract the MPI + components: */ + + algo = gnutls_openpgp_crt_get_subkey_pk_algorithm(openpgp_crt, keyidx, &bits); + if (algo < 0) { + err("failed to get the algorithm of the authentication subkey (error: %d)\n", algo); + return algo; + } else if (algo == GNUTLS_PK_RSA) { + + err("OpenPGP RSA subkey, with %d bits\n", bits); + ret = gnutls_openpgp_crt_get_subkey_pk_rsa_raw(openpgp_crt, keyidx, &m, &e); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export RSA subkey parameters (error: %d)\n", ret); + return 1; + } + } else if (algo == GNUTLS_PK_DSA) { + err("OpenPGP DSA subkey, with %d bits\n", bits); + ret = gnutls_openpgp_crt_get_subkey_pk_dsa_raw(openpgp_crt, keyidx, &p, &q, &g, &y); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export DSA subkey parameters (error: %d)\n", ret); + return 1; + } + } else { + err("OpenPGP subkey was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo); + return 1; + } + } + + /* make sure userid is NULL-terminated */ + userid[sizeof(userid) - 1] = 0; + uidsz--; + + /* FIXME: we're just choosing the first UserID from the certificate: + instead, we should be selecting every User ID that is adequately + signed and matches the spec, and aggregating them with commas for + known_hosts output */ + + if (ret = gnutls_openpgp_crt_get_name(openpgp_crt, 0, userid, &uidsz), ret) { + err("Failed to fetch the first UserID (error: %d)\n", ret); + return ret; + } + + if (ret = validate_ssh_host_userid(userid), ret) { + err("bad userid: not a valid ssh host.\n"); + return ret; + } + + /* remove ssh:// from the beginning of userid */ + memmove(userid, userid + strlen("ssh://"), 1 + strlen(userid) - strlen("ssh://")); + + + /* now we have algo, and the various MPI data are set. Can we + export them cleanly? */ + + /* for the moment, we'll just dump the info raw, and pipe it + externally through coreutils' /usr/bin/base64 */ + + if (algo == GNUTLS_PK_RSA) { + algoname = "ssh-rsa"; + mpicount = 3; + + all[0] = &algolabel; + all[1] = &e; + all[2] = &m; + } else if (algo == GNUTLS_PK_DSA) { + algoname = "ssh-dss"; + mpicount = 5; + + all[0] = &algolabel; + all[1] = &p; + all[2] = &q; + all[3] = &g; + all[4] = &y; + } else { + err("no idea what this algorithm is: %d\n", algo); + return 1; + } + + if (ret = datum_from_string(&algolabel, algoname), ret) { + err("couldn't label string (error: %d)\n", ret); + return ret; + } + + snprintf(output_data, sizeof(output_data), "%s %s ", userid, algoname); + + pipefd = create_writing_pipe(&child_pid, args[0], args); + if (pipefd < 0) { + err("failed to create a writing pipe (returned %d)\n", pipefd); + return pipefd; + } + + write(1, output_data, strlen(output_data)); + + if (0 != write_data_fd_with_length(pipefd, all, mpicount)) { + err("was not able to write out RSA key data\n"); + return 1; + } + close(pipefd); + if (child_pid != waitpid(child_pid, &pipestatus, 0)) { + err("could not wait for child process to return for some reason.\n"); + return 1; + } + if (pipestatus != 0) { + err("base64 pipe died with return code %d\n", pipestatus); + return pipestatus; + } + + write(1, "\n", 1); + + + + gnutls_openpgp_crt_deinit(openpgp_crt); + gnutls_global_deinit(); + return 0; +} diff --git a/src/gpg2ssh/main.c b/src/gpg2ssh/main.c new file mode 100644 index 0000000..d6bac68 --- /dev/null +++ b/src/gpg2ssh/main.c @@ -0,0 +1,271 @@ +#include "gnutls-helpers.h" + +#include +#include + +/* + Author: Daniel Kahn Gillmor + Date: Tue, 01 Apr 2008 + License: GPL v3 or later + + monkeysphere private key translator: execute this with an GPG + secret key on stdin (at the moment, only passphraseless RSA keys + work). + + It will spit out a PEM-encoded version of the key on stdout, which + can be fed into ssh-add like this: + + gpg --export-secret-keys $KEYID | monkeysphere | ssh-add -c /dev/stdin + + Requirements: I've only built this so far with GnuTLS v2.3.4 -- + version 2.2.0 does not contain the appropriate pieces. + + Notes: gpgkey2ssh doesn't seem to provide the same public + keys. Mighty weird! + +0 wt215@squeak:~/monkeysphere$ gpg --export-secret-keys 1DCDF89F | ~dkg/src/monkeysphere/monkeysphere | ssh-add -c /dev/stdin +gnutls version: 2.3.4 +OpenPGP RSA Key, with 1024 bits +Identity added: /dev/stdin (/dev/stdin) +The user has to confirm each use of the key +0 wt215@squeak:~/monkeysphere$ ssh-add -L +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC9gWQqfrnhQKDQnND/3eOexpddE64J+1zp9fcyCje7H5LKclb6DBV2HS6WgW32PJhIzvP+fYZM3dzXea3fpv14y1SicXiRBDgF9SnsNA1qWn2RyzkLcKy7PmM0PDYtU1oiLTcQj/xkWcqW2sLKHT/WW+vZP5XP7RMGN/yWNMfE2Q== /dev/stdin +0 wt215@squeak:~/monkeysphere$ gpgkey2ssh 1DCDF89F +ssh-rsa AAAAB3NzaC1yc2EAAACBAL2BZCp+ueFAoNCc0P/d457Gl10Trgn7XOn19zIKN7sfkspyVvoMFXYdLpaBbfY8mEjO8/59hkzd3Nd5rd+m/XjLVKJxeJEEOAX1Kew0DWpafZHLOQtwrLs+YzQ8Ni1TWiItNxCP/GRZypbawsodP9Zb69k/lc/tEwY3/JY0x8TZAAAAAwEAAQ== COMMENT +0 wt215@squeak:~/monkeysphere$ + + */ + + +int convert_pgp_to_x509(gnutls_x509_privkey_t* output, gnutls_datum_t* input) { + gnutls_openpgp_privkey_t pgp_privkey; + gnutls_datum_t m, e, d, p, q, u, g, y, x; + gnutls_pk_algorithm_t pgp_algo; + unsigned int pgp_bits; + int ret; + + init_datum(&m); + init_datum(&e); + init_datum(&d); + init_datum(&p); + init_datum(&q); + init_datum(&u); + init_datum(&g); + init_datum(&y); + init_datum(&x); + + if (ret = gnutls_openpgp_privkey_init(&pgp_privkey), ret) { + err("Failed to initialized OpenPGP private key (error: %d)\n", ret); + return 1; + } + + + /* format could be either: GNUTLS_OPENPGP_FMT_RAW, + GNUTLS_OPENPGP_FMT_BASE64; if MONKEYSPHERE_RAW is set, use RAW, + otherwise, use BASE64: */ + + if (getenv("MONKEYSPHERE_RAW")) { + err("assuming RAW formatted private keys\n"); + if (ret = gnutls_openpgp_privkey_import(pgp_privkey, input, GNUTLS_OPENPGP_FMT_RAW, NULL, 0), ret) + err("failed to import the OpenPGP private key in RAW format (error: %d)\n", ret); + } else { + err("assuming BASE64 formatted private keys\n"); + if (ret = gnutls_openpgp_privkey_import (pgp_privkey, input, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0), ret) + err("failed to import the OpenPGP private key in BASE64 format (error: %d)\n", ret); + } + + pgp_algo = gnutls_openpgp_privkey_get_pk_algorithm(pgp_privkey, &pgp_bits); + if (pgp_algo < 0) { + err("failed to get OpenPGP key algorithm (error: %d)\n", pgp_algo); + return 1; + } + if (pgp_algo == GNUTLS_PK_RSA) { + err("OpenPGP RSA Key, with %d bits\n", pgp_bits); + ret = gnutls_openpgp_privkey_export_rsa_raw(pgp_privkey, &m, &e, &d, &p, &q, &u); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export RSA key parameters (error: %d)\n", ret); + return 1; + } + + ret = gnutls_x509_privkey_import_rsa_raw (*output, &m, &e, &d, &p, &q, &u); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to import RSA key parameters (error: %d)\n", ret); + return 1; + } + } else if (pgp_algo == GNUTLS_PK_DSA) { + err("OpenPGP DSA Key, with %d bits\n", pgp_bits); + ret = gnutls_openpgp_privkey_export_dsa_raw(pgp_privkey, &p, &q, &g, &y, &x); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export DSA key parameters (error: %d)\n", ret); + return 1; + } + + ret = gnutls_x509_privkey_import_dsa_raw (*output, &p, &q, &g, &y, &x); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to import DSA key parameters (error: %d)\n", ret); + return 1; + } + } else { + err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", pgp_algo); + return 1; + } + + ret = gnutls_x509_privkey_fix(*output); + if (ret != 0) { + err("failed to fix up the private key in X.509 format (error: %d)\n", ret); + return 1; + } + + gnutls_openpgp_privkey_deinit(pgp_privkey); + return 0; +} + +int convert_x509_to_pgp(gnutls_openpgp_privkey_t* output, gnutls_datum_t* input) { + gnutls_x509_privkey_t x509_privkey; + gnutls_datum_t m, e, d, p, q, u, g, y, x; + gnutls_pk_algorithm_t x509_algo; + int ret; + + init_datum(&m); + init_datum(&e); + init_datum(&d); + init_datum(&p); + init_datum(&q); + init_datum(&u); + init_datum(&g); + init_datum(&y); + init_datum(&x); + + if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { + err("Failed to initialized X.509 private key (error: %d)\n", ret); + return 1; + } + + + /* format could be either: GNUTLS_X509_FMT_DER, + GNUTLS_X509_FMT_PEM; if MONKEYSPHERE_DER is set, use DER, + otherwise, use PEM: */ + + if (getenv("MONKEYSPHERE_DER")) { + err("assuming DER formatted private keys\n"); + if (ret = gnutls_x509_privkey_import(x509_privkey, input, GNUTLS_X509_FMT_DER), ret) + err("failed to import the X.509 private key in DER format (error: %d)\n", ret); + } else { + err("assuming PEM formatted private keys\n"); + if (ret = gnutls_x509_privkey_import (x509_privkey, input, GNUTLS_X509_FMT_PEM), ret) + err("failed to import the X.509 private key in PEM format (error: %d)\n", ret); + } + + x509_algo = gnutls_x509_privkey_get_pk_algorithm(x509_privkey); + if (x509_algo < 0) { + err("failed to get X.509 key algorithm (error: %d)\n", x509_algo); + return 1; + } + if (x509_algo == GNUTLS_PK_RSA) { + err("X.509 RSA Key\n"); + ret = gnutls_x509_privkey_export_rsa_raw(x509_privkey, &m, &e, &d, &p, &q, &u); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export RSA key parameters (error: %d)\n", ret); + return 1; + } + + /* ret = gnutls_openpgp_privkey_import_rsa_raw (*output, &m, &e, &d, &p, &q, &u); */ + ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to import RSA key parameters (error: %d)\n", ret); + return 1; + } + } else if (x509_algo == GNUTLS_PK_DSA) { + err("X.509 DSA Key\n"); + ret = gnutls_x509_privkey_export_dsa_raw(x509_privkey, &p, &q, &g, &y, &x); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export DSA key parameters (error: %d)\n", ret); + return 1; + } + + /* ret = gnutls_openpgp_privkey_import_dsa_raw (*output, &p, &q, &g, &y, &x); */ + ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to import DSA key parameters (error: %d)\n", ret); + return 1; + } + } else { + err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", x509_algo); + return 1; + } + + gnutls_x509_privkey_deinit(x509_privkey); + return 0; +} + + +int main(int argc, char* argv[]) { + gnutls_datum_t data; + int ret; + gnutls_x509_privkey_t x509_privkey; + + char output_data[10240]; + size_t ods = sizeof(output_data); + + init_gnutls(); + + init_datum(&data); + + /* slurp in the private key from stdin */ + if (ret = set_datum_fd(&data, 0), ret) { + err("didn't read file descriptor 0\n"); + return 1; + } + + + + /* Or, instead, read in key from a file name: + if (ret = set_datum_file(&data, argv[1]), ret) { + err("didn't read file '%s'\n", argv[1]); + return 1; + } +*/ + + /* treat the passed file as an X.509 private key, and extract its + component values: */ + +/* if (ret = gnutls_x509_privkey_import(x509_privkey, &data, GNUTLS_X509_FMT_PEM), ret) { */ +/* err("Failed to import the X.509 key (error: %d)\n", ret); */ +/* return 1; */ +/* } */ +/* gnutls_x509_privkey_export_rsa_raw(x509_privkey, &m, &e, &d, &p, &q, &u); */ + + /* try to print the PEM-encoded private key: */ +/* ret = gnutls_x509_privkey_export (x509_privkey, */ +/* GNUTLS_X509_FMT_PEM, */ +/* output_data, */ +/* &ods); */ +/* printf("ret: %u; ods: %u;\n", ret, ods); */ +/* if (ret == 0) { */ +/* write(0, output_data, ods); */ +/* } */ + + + if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { + err("Failed to initialize X.509 private key (error: %d)\n", ret); + return 1; + } + + if (ret = convert_pgp_to_x509(&x509_privkey, &data), ret) { + return ret; + } + + ret = gnutls_x509_privkey_export (x509_privkey, + GNUTLS_X509_FMT_PEM, + output_data, + &ods); + printf("ret: %u; ods: %u;\n", ret, ods); + if (ret == 0) { + write(1, output_data, ods); + } + + + gnutls_x509_privkey_deinit(x509_privkey); + gnutls_global_deinit(); + return 0; +} diff --git a/src/gpg2ssh/ssh2gpg.c b/src/gpg2ssh/ssh2gpg.c new file mode 100644 index 0000000..b14a540 --- /dev/null +++ b/src/gpg2ssh/ssh2gpg.c @@ -0,0 +1,171 @@ +#include "gnutls-helpers.h" + +#include +#include + +/* for waitpid() */ +#include +#include + +/* for time() */ +#include + +/* for htons() */ +#include + + +/* + Author: Daniel Kahn Gillmor + Date: Sun, 2008-04-20 + License: GPL v3 or later + + monkeysphere public key translator: execute this with an ssh + private key on stdin. It currently only works with RSA keys. + + it should eventually work with OpenSSH-style public keys instead of + the full private key, but it was easier to do this way. + + It shoud spit out a version of the public key suitable for acting + as an OpenPGP public sub key packet. + + */ + +int main(int argc, char* argv[]) { + gnutls_datum_t data; + int ret; + gnutls_x509_privkey_t x509_privkey; + gnutls_openpgp_crt_t openpgp_crt; + gnutls_openpgp_keyid_t keyid; + printable_keyid p_keyid; + unsigned int keyidx; + unsigned int usage, bits; + gnutls_pk_algorithm_t algo; + + unsigned char packettag; + unsigned char openpgpversion; + time_t timestamp; + uint32_t clunkytime; + unsigned char openpgpalgo; + unsigned int packetlen; + uint16_t plen; + + gnutls_datum_t m, e, d, p, q, u, g, y; + gnutls_datum_t algolabel; + + char output_data[10240]; + char userid[10240]; + size_t uidsz = sizeof(userid); + + const gnutls_datum_t* all[5]; + int pipefd; + pid_t child_pid; + char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL}; + const char* algoname; + int mpicount; + int pipestatus; + + init_gnutls(); + + init_datum(&data); + + init_datum(&m); + init_datum(&e); + init_datum(&d); + init_datum(&p); + init_datum(&q); + init_datum(&u); + init_datum(&g); + init_datum(&y); + + init_datum(&algolabel); + + init_keyid(keyid); + + /* slurp in the private key from stdin */ + if (ret = set_datum_fd(&data, 0), ret) { + err("didn't read file descriptor 0\n"); + return 1; + } + + + if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { + err("Failed to initialize private key structure (error: %d)\n", ret); + return 1; + } + + err("assuming PEM formatted private key\n"); + if (ret = gnutls_x509_privkey_import(x509_privkey, &data, GNUTLS_X509_FMT_PEM), ret) { + err("failed to import the PEM-encoded private key (error: %d)\n", ret); + return ret; + } + + algo = gnutls_x509_privkey_get_pk_algorithm(x509_privkey); + if (algo < 0) { + err("failed to get the algorithm of the PEM-encoded public key (error: %d)\n", algo); + return algo; + } else if (algo == GNUTLS_PK_RSA) { + err("RSA private key\n"); + ret = gnutls_x509_privkey_export_rsa_raw(x509_privkey, &m, &e, &d, &p, &q, &u); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export RSA key parameters (error: %d)\n", ret); + return 1; + } + err("Modulus size %d, exponent size %d\n", m.size, e.size); + } else if (algo == GNUTLS_PK_DSA) { + err("DSA Key, not implemented!!\n", bits); + return 1; + } else { + err("Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo); + return 1; + } + + /* now we have algo, and the various MPI data are set. Can we + export them as a public subkey packet? */ + + /* this packet should be tagged 14, and should contain: + + 1 octet: version (4) + 4 octets: time of generation (seconds since 1970) + 1 octet: algo (http://tools.ietf.org/html/rfc4880#section-5.5.2 implies 1 for RSA) + + MPI: modulus + MPI: exponent + */ + + packetlen = 1 + 4 + 1; + /* FIXME: this is RSA only. for DSA, there'll be more: */ + packetlen += get_openpgp_mpi_size(&m) + get_openpgp_mpi_size(&e); + + /* FIXME: we should generate this bound more cleanly -- i just + happen to know that 65535 is 2^16-1: */ + if (packetlen > 65535) { + err("packet length is too long (%d)\n", packetlen); + return 1; + } + + /* we're going to emit an old-style packet, with tag 14 (public + subkey), with a two-octet packet length */ + packettag = 0x80 | (14 << 2) | 1; + + write(1, &packettag, sizeof(packettag)); + plen = htons(packetlen); + write(1, &plen, sizeof(plen)); + + openpgpversion = 4; + write(1, &openpgpversion, 1); + + timestamp = time(NULL); + clunkytime = htonl(timestamp); + write(1, &clunkytime, 4); + + /* FIXME: handle things other than RSA */ + openpgpalgo = 1; + write(1, &openpgpalgo, 1); + + write_openpgp_mpi_to_fd(1, &m); + write_openpgp_mpi_to_fd(1, &e); + + gnutls_x509_privkey_deinit(x509_privkey); + gnutls_global_deinit(); + return 0; +} diff --git a/src/howler/howler b/src/howler/howler new file mode 100755 index 0000000..0b67c02 --- /dev/null +++ b/src/howler/howler @@ -0,0 +1,134 @@ +#!/bin/sh + +# howler: monkeysphere server gpg generator/publisher/maintainer +# +# Written by +# Jameson Rollins +# +# Copyright 2008, released under the GPL, version 3 or later + +PGRM=$(basename $0) + +######################################################################## +# FUNCTIONS +######################################################################## + +usage() { +cat <&2 + exit ${2:-'1'} +} + +# generate server gpg key +gen_key() { + KEY_TYPE=${KEY_TYPE:-RSA} + KEY_LENGTH=${KEY_LENGTH:-2048} + KEY_USAGE=${KEY_USAGE:-encrypt,auth} + SERVICE=${SERVICE:-ssh} + HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} + + USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} + + echo "key parameters:" + cat < /dev/null 2>&1 ; then + failure "key for '$USERID' already exists" + fi + + echo "generating server key..." + gpg --batch --gen-key < /dev/null | grep '^pub:' | cut -d: -f5) + + # dummy command so as not to publish fakes keys during testing + # eventually: + #gpg --send-keys --keyserver "$KEYSERVER" "$keyID" + echo "gpg --send-keys --keyserver $KEYSERVER $keyID" +} + +trust_key() { + for keyID ; do + # get the key from the key server + gpg --keyserver "$KEYSERVER" --recv-key "$keyID" || failure "could not retrieve key '$keyID'" + + # edit the key to change trust + # FIXME: need to figure out how to automate this, + # in a batch mode or something. + gpg --edit-key "$keyID" + done +} + +######################################################################## +# MAIN +######################################################################## + +# set ms home directory +MS_HOME=${MS_HOME:-/etc/monkeysphere} + +# load configuration file +MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere.conf} +[ -e "$MS_CONF" ] && . "$MS_CONF" + +GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} +export GNUPGHOME +KEYSERVER=${KEYSERVER:-subkeys.pgp.net} +export KEYSERVER + +COMMAND="$1" +[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." +shift 1 + +case $COMMAND in + 'gen-key') + gen_key + ;; + 'publish-key') + publish_key + ;; + 'trust-key') + if [ -z "$1" ] ; then + failure "you must specify at least one key to trust." + fi + trust_key "$@" + ;; + 'help') + usage + exit + ;; + *) + failure "Unknown command: '$COMMAND' +Type '$PGRM help' for usage." + ;; +esac diff --git a/src/monkeysphere b/src/monkeysphere new file mode 100755 index 0000000..f279d86 --- /dev/null +++ b/src/monkeysphere @@ -0,0 +1,154 @@ +#!/bin/sh + +######################################################################## +PGRM=$(basename $0) + +SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"} +export SHAREDIR +. "${SHAREDIR}/common" + +GLOBAL_CONFIG=${GLOBAL_CONFIG:-"${ETC}"/monkeysphere.conf} +[ -r "$GLOBAL_CONFIG" ] && . "$GLOBAL_CONFIG" + +# date in UTF format if needed +DATE=$(date -u '+%FT%T') + +# unset some environment variables that could screw things up +GREP_OPTIONS= + +######################################################################## +# FUNCTIONS +######################################################################## + +usage() { +cat < [args] +Monkeysphere client tool. + +subcommands: + update-known-hosts (k) [HOST]... update known_hosts file + update-authorized-keys (a) update authorized_keys file + update-userid (u) [USERID]... add/update userid to + authorized_user_ids + help (h,?) this help + +EOF +} + +######################################################################## +# MAIN +######################################################################## + +COMMAND="$1" +[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." +shift + +# set ms home directory +MS_HOME=${MS_HOME:-"$HOME"/.config/monkeysphere} + +# load configuration file +MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere.conf} +[ -e "$MS_CONF" ] && . "$MS_CONF" + +# set empty config variable with defaults +AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"$MS_HOME"/authorized_user_ids} +GNUPGHOME=${GNUPGHOME:-"$HOME"/.gnupg} +KEYSERVER=${KEYSERVER:-subkeys.pgp.net} +REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} +USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"$HOME"/.ssh/known_hosts} +HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-} + +export GNUPGHOME + +# stagging locations +hostKeysCacheDir="$MS_HOME"/host_keys +userKeysCacheDir="$MS_HOME"/user_keys +msAuthorizedKeys="$MS_HOME"/authorized_keys + +# make sure gpg home exists with proper permissions +mkdir -p -m 0700 "$GNUPGHOME" + +case $COMMAND in + 'update-known-hosts'|'k') + MODE='known_hosts' + + # touch the known_hosts file to make sure it exists + touch "$USER_KNOWN_HOSTS" + + # if hosts are specified on the command line, process just + # those hosts + if [ "$1" ] ; then + for host ; do + process_host "$host" "$hostKeysCacheDir" + done + + # otherwise, if no hosts are specified, process the user + # known_hosts file + else + if [ ! -s "$USER_KNOWN_HOSTS" ] ; then + failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." + fi + log "processing known_hosts file..." + process_known_hosts "$USER_KNOWN_HOSTS" "$hostKeysCacheDir" + fi + ;; + + 'update-authorized-keys'|'a') + MODE='authorized_keys' + + log "processing authorized_user_ids file..." + + # make sure authorized_user_ids file exists + if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then + log "authorized_user_ids file is empty or does not exist." + exit + fi + + process_authorized_ids "$AUTHORIZED_USER_IDS" "$userKeysCacheDir" + + # write output key file + log "writing monkeysphere authorized_keys file... " + touch "$msAuthorizedKeys" + if [ "$(ls "$userKeysCacheDir")" ] ; then + log -n "adding gpg keys... " + cat "$userKeysCacheDir"/* > "$msAuthorizedKeys" + echo "done." + else + log "no gpg keys to add." + fi + if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then + userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$HOME"} + if [ -s "$userAuthorizedKeys" ] ; then + log -n "adding user authorized_keys file... " + cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" + echo "done." + fi + fi + log "monkeysphere authorized_keys file generated:" + log "$msAuthorizedKeys" + ;; + + 'update-userid'|'u') + if [ -z "$1" ] ; then + failure "you must specify at least one userid." + fi + for userID ; do + if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + log "userid '$userID' not in authorized_user_ids file." + continue + fi + log "processing user id: '$userID'" + process_user_id "$userID" "$userKeysCacheDir" > /dev/null + done + ;; + + 'help'|'h'|'?') + usage + ;; + + *) + failure "Unknown command: '$COMMAND' +Type 'cereal-admin help' for usage." + ;; +esac diff --git a/src/monkeysphere-server b/src/monkeysphere-server new file mode 100755 index 0000000..f1b4892 --- /dev/null +++ b/src/monkeysphere-server @@ -0,0 +1,219 @@ +#!/bin/sh + +######################################################################## +PGRM=$(basename $0) + +SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"} +export SHAREDIR +. "${SHAREDIR}/common" + +# date in UTF format if needed +DATE=$(date -u '+%FT%T') + +# unset some environment variables that could screw things up +GREP_OPTIONS= + +######################################################################## +# FUNCTIONS +######################################################################## + +usage() { +cat < [args] +Monkeysphere server admin tool. + +subcommands: + update-users (s) [USER]... update authorized_keys file + gen-key (g) generate gpg key for the host + publish-key (p) publish host gpg to keyserver + trust-key (t) KEYID [KEYID]... mark keyid as trusted + update-user-userid (u) USER UID [UID]... add/update userid for user + help (h,?) this help + +EOF +} + +# generate server gpg key +gen_key() { + KEY_TYPE=${KEY_TYPE:-RSA} + KEY_LENGTH=${KEY_LENGTH:-2048} + KEY_USAGE=${KEY_USAGE:-encrypt,auth} + SERVICE=${SERVICE:-ssh} + HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} + + USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} + + echo "key parameters:" + cat < /dev/null 2>&1 ; then + failure "key for '$USERID' already exists" + fi + + echo "generating server key..." + gpg --batch --gen-key < /dev/null | grep '^pub:' | cut -d: -f5) + + # dummy command so as not to publish fakes keys during testing + # eventually: + #gpg --send-keys --keyserver "$KEYSERVER" "$keyID" + echo "gpg --send-keys --keyserver $KEYSERVER $keyID" +} + +# trust key +trust_key() { + for keyID ; do + # get the key from the key server + gpg --keyserver "$KEYSERVER" --recv-key "$keyID" || failure "could not retrieve key '$keyID'" + + # edit the key to change trust + # FIXME: need to figure out how to automate this, + # in a batch mode or something. + gpg --edit-key "$keyID" + done +} + +######################################################################## +# MAIN +######################################################################## + +COMMAND="$1" +[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." +shift + +# set ms home directory +MS_HOME=${MS_HOME:-"$ETC"} + +# load configuration file +MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf} +[ -e "$MS_CONF" ] && . "$MS_CONF" + +# set empty config variable with defaults +GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} +KEYSERVER=${KEYSERVER:-subkeys.pgp.net} +REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} +STAGING_AREA=${STAGING_AREA:-"$LIB"/stage} + +export GNUPGHOME + +# make sure gpg home exists with proper permissions +mkdir -p -m 0700 "$GNUPGHOME" + +case $COMMAND in + 'update-users'|'s') + if [ "$1" ] ; then + unames="$@" + else + unames=$(ls -1 "$MS_HOME"/authorized_user_ids) + fi + + for uname in $unames ; do + MODE="authorized_keys" + authorizedUserIDs="$MS_HOME"/authorized_user_ids/"$uname" + cacheDir="$STAGING_AREA"/"$uname"/user_keys + msAuthorizedKeys="$STAGING_AREA"/"$uname"/authorized_keys + + # make sure authorized_user_ids file exists + if [ ! -s "$authorizedUserIDs" ] ; then + log "authorized_user_ids file for '$uname' is empty or does not exist." + continue + fi + + log "processing authorized_keys for user '$uname'..." + + process_authorized_ids "$authorizedUserIDs" "$cacheDir" + + # write output key file + log "writing monkeysphere authorized_keys file... " + touch "$msAuthorizedKeys" + if [ "$(ls "$cacheDir")" ] ; then + log -n "adding gpg keys... " + cat "$cacheDir"/* > "$msAuthorizedKeys" + echo "done." + else + log "no gpg keys to add." + fi + if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then + userHome=$(getent passwd "$uname" | cut -d: -f6) + userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"} + if [ -s "$userAuthorizedKeys" ] ; then + log -n "adding user authorized_keys file... " + cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" + echo "done." + fi + fi + log "monkeysphere authorized_keys file generated:" + log "$msAuthorizedKeys" + done + ;; + + 'gen-key'|'g') + gen_key + ;; + + 'publish-key'|'p') + publish_key + ;; + + 'trust-key'|'t') + if [ -z "$1" ] ; then + failure "you must specify at least one key to trust." + fi + trust_key "$@" + ;; + + 'update-user-userid'|'u') + uname="$1" + shift + if [ -z "$uname" ] ; then + failure "you must specify user." + fi + if [ -z "$1" ] ; then + failure "you must specify at least one userid." + fi + for userID ; do + AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + log "userid '$userID' not in authorized_user_ids file." + continue + fi + log "processing user id: '$userID'" + process_user_id "$userID" "$userKeysCacheDir" > /dev/null + done + ;; + + 'help'|'h'|'?') + usage + ;; + + *) + failure "Unknown command: '$COMMAND' +Type 'cereal-admin help' for usage." + ;; +esac diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand new file mode 100755 index 0000000..1724966 --- /dev/null +++ b/src/monkeysphere-ssh-proxycommand @@ -0,0 +1,16 @@ +#!/bin/sh -e + +# MonkeySphere ssh ProxyCommand hook +# Proxy command script to initiate a monkeysphere known_hosts update +# before an ssh connection to host is established. +# Can be added to ~/.ssh/config as follows: +# ProxyCommand monkeysphere-ssh-proxycommand %h %p + +HOST="$1" +PORT="$2" + +# update the known_hosts file for the host +monkeysphere update-known-hosts "$HOST" + +# make a netcat connection to host for the ssh connection +exec nc "$HOST" "$PORT" diff --git a/src/rhesus/README b/src/rhesus/README new file mode 100644 index 0000000..4d383d5 --- /dev/null +++ b/src/rhesus/README @@ -0,0 +1,30 @@ +rhesus is the monkeysphere authorized_keys/known_hosts generator. + +In authorized_keys mode, rhesus takes an auth_user_ids file, which +contains gpg user ids, uses gpg to fetch the keys of the specified +users, does a monkeysphere policy check on each id, and uses gpg2ssh +to generate authorized_keys lines for each verified id. The lines are +then combined with a user's traditional authorized_keys file to create +a new authorized_keys file. + +In known_hosts mode, rhesus takes an auth_host_ids file, which +contains gpg user ids of the form ssh://URL, uses gpg to fetch the +keys of the specified hosts, does a monkeysphere policy check on each +id, and uses gpg2ssh to generate a known_hosts lines for each verified +id. The lines are then combined with a user's traditional known_hosts +file to create a new known_hosts file. + +When run as a normal user, no special configuration is needed. + +When run as an administrator to update system-maintained +authorized_keys files for each user, the following environment +variables should be defined first: + + MS_CONF=/etc/monkeysphere/monkeysphere.conf + USER=foo + +For example, the command might be run like this: + + for USER in $(ls -1 /home) ; do + MS_CONF=/etc/monkeysphere/monkeysphere.conf rhesus --authorized_keys + done diff --git a/src/rhesus/rhesus b/src/rhesus/rhesus new file mode 100755 index 0000000..f607f0b --- /dev/null +++ b/src/rhesus/rhesus @@ -0,0 +1,466 @@ +#!/bin/sh + +# rhesus: monkeysphere authorized_keys/known_hosts generating script +# +# Written by +# Jameson Rollins +# +# Copyright 2008, released under the GPL, version 3 or later + +# all caps variables are meant to be user supplied (ie. from config +# file) and are considered global + +PGRM=$(basename $0) + +# date in UTF format if needed +DATE=$(date -u '+%FT%T') + +# unset some environment variables that could screw things up +GREP_OPTIONS= + +######################################################################## +# FUNCTIONS +######################################################################## + +usage() { +cat <&2 + exit ${2:-'1'} +} + +# write output to stdout +log() { + echo -n "ms: " + echo "$@" +} + +# write output to stderr +loge() { + echo -n "ms: " 1>&2 + echo "$@" 1>&2 +} + +# cut out all comments(#) and blank lines from standard input +meat() { + grep -v -e "^[[:space:]]*#" -e '^$' +} + +# cut a specified line from standard input +cutline() { + head --line="$1" | tail -1 +} + +# retrieve all keys with given user id from keyserver +# FIXME: need to figure out how to retrieve all matching keys +# (not just first 5) +gpg_fetch_keys() { + local id + id="$1" + echo 1,2,3,4,5 | \ + gpg --quiet --batch --command-fd 0 --with-colons \ + --keyserver "$KEYSERVER" \ + --search ="$id" >/dev/null 2>&1 +} + +# check that characters are in a string (in an AND fashion). +# used for checking key capability +# check_capability capability a [b...] +check_capability() { + local capability + local capcheck + + capability="$1" + shift 1 + + for capcheck ; do + if echo "$capability" | grep -q -v "$capcheck" ; then + return 1 + fi + done + return 0 +} + +# convert escaped characters from gpg output back into original +# character +# FIXME: undo all escape character translation in with-colons gpg output +unescape() { + echo "$1" | sed 's/\\x3a/:/' +} + +# stand in until we get dkg's gpg2ssh program +gpg2ssh_tmp() { + local mode + local keyID + local userID + local host + + mode="$1" + keyID="$2" + userID="$3" + + if [ "$mode" = 'authorized_keys' ] ; then + gpgkey2ssh "$keyID" | sed -e "s/COMMENT/${userID}/" + + # NOTE: it seems that ssh-keygen -R removes all comment fields from + # all lines in the known_hosts file. why? + # NOTE: just in case, the COMMENT can be matched with the + # following regexp: + # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' + elif [ "$mode" = 'known_hosts' ] ; then + host=$(echo "$userID" | sed -e "s|ssh://||") + echo -n "$host "; gpgkey2ssh "$keyID" | sed -e "s/COMMENT/MonkeySphere${DATE}/" + fi +} + +# userid and key policy checking +# the following checks policy on the returned keys +# - checks that full key has appropriate valididy (u|f) +# - checks key has specified capability (REQUIRED_KEY_CAPABILITY) +# - checks that particular desired user id has appropriate validity +# see /usr/share/doc/gnupg/DETAILS.gz +# expects global variable: "mode" +process_user_id() { + local userID + local cacheDir + local requiredPubCapability + local gpgOut + local line + local type + local validity + local keyid + local uidfpr + local capability + local keyOK + local pubKeyID + local uidOK + local keyIDs + local userIDHash + local keyID + + userID="$1" + cacheDir="$2" + + requiredPubCapability=$(echo "$REQUIRED_KEY_CAPABILITY" | tr "[:lower:]" "[:upper:]") + + # fetch keys from keyserver, return 1 if none found + gpg_fetch_keys "$userID" || return 1 + + # output gpg info for (exact) userid and store + gpgOut=$(gpg --fixed-list-mode --list-key --with-colons \ + ="$userID" 2> /dev/null) + + # return 1 if there only "tru" lines are output from gpg + if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then + return 1 + fi + + # loop over all lines in the gpg output and process. + # need to do it this way (as opposed to "while read...") so that + # variables set in loop will be visible outside of loop + for line in $(seq 1 $(echo "$gpgOut" | wc -l)) ; do + + # read the contents of the line + type=$(echo "$gpgOut" | cutline "$line" | cut -d: -f1) + validity=$(echo "$gpgOut" | cutline "$line" | cut -d: -f2) + keyid=$(echo "$gpgOut" | cutline "$line" | cut -d: -f5) + uidfpr=$(echo "$gpgOut" | cutline "$line" | cut -d: -f10) + capability=$(echo "$gpgOut" | cutline "$line" | cut -d: -f12) + + # process based on record type + case $type in + 'pub') # primary keys + # new key, wipe the slate + keyOK= + pubKeyID= + uidOK= + keyIDs= + + pubKeyID="$keyid" + + # check primary key validity + if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then + loge " unacceptable primary key validity ($validity)." + continue + fi + # check capability is not Disabled... + if check_capability "$capability" 'D' ; then + loge " key disabled." + continue + fi + # check overall key capability + # must be Encryption and Authentication + if ! check_capability "$capability" $requiredPubCapability ; then + loge " unacceptable primary key capability ($capability)." + continue + fi + + # mark if primary key is acceptable + keyOK=true + + # add primary key ID to key list if it has required capability + if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then + keyIDs[${#keyIDs[*]}]="$keyid" + fi + ;; + 'uid') # user ids + # check key ok and we have key fingerprint + if [ -z "$keyOK" ] ; then + continue + fi + # check key validity + if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then + continue + fi + # check the uid matches + if [ "$(unescape "$uidfpr")" != "$userID" ] ; then + continue + fi + + # mark if uid acceptable + uidOK=true + ;; + 'sub') # sub keys + # add sub key ID to key list if it has required capability + if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then + keyIDs[${#keyIDs[*]}]="$keyid" + fi + ;; + esac + done + + # hash userid for cache file name + userIDHash=$(echo "$userID" | sha1sum | awk '{ print $1 }') + + # touch/clear key cache file + # (will be left empty if there are noacceptable keys) + > "$cacheDir"/"$userIDHash"."$pubKeyID" + + # for each acceptable key, write an ssh key line to the + # key cache file + if [ "$keyOK" -a "$uidOK" -a "${keyIDs[*]}" ] ; then + for keyID in ${keyIDs[@]} ; do + # export the key with gpg2ssh + # FIXME: needs to apply extra options for authorized_keys + # lines if specified + gpg2ssh_tmp "$mode" "$keyID" "$userID" >> "$cacheDir"/"$userIDHash"."$pubKeyID" + + # hash the cache file if specified + if [ "$mode" = 'known_hosts' -a "$HASH_KNOWN_HOSTS" ] ; then + ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1 + rm "$cacheDir"/"$userIDHash"."$pubKeyID".old + fi + done + fi + + # echo the path to the key cache file + echo "$cacheDir"/"$userIDHash"."$pubKeyID" +} + +# process a host for addition to a known_host file +process_host() { + local host + local cacheDir + local hostKeyCachePath + + host="$1" + cacheDir="$2" + + log "processing host: '$host'" + + hostKeyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") + if [ $? = 0 ] ; then + ssh-keygen -R "$host" -f "$USER_KNOWN_HOSTS" + cat "$hostKeyCachePath" >> "$USER_KNOWN_HOSTS" + fi +} + +# process known_hosts file +# go through line-by-line, extract each host, and process with the +# host processing function +process_known_hosts() { + local cacheDir + local userID + + cacheDir="$1" + + # take all the hosts from the known_hosts file (first field), + # grep out all the hashed hosts (lines starting with '|') + cut -d ' ' -f 1 "$USER_KNOWN_HOSTS" | \ + grep -v '^|.*$' | \ + while IFS=, read -r -a hosts ; do + # process each host + for host in ${hosts[*]} ; do + process_host "$host" "$cacheDir" + done + done +} + +# process an authorized_*_ids file +# go through line-by-line, extract each userid, and process +process_authorized_ids() { + local authorizedIDsFile + local cacheDir + local userID + local userKeyCachePath + + authorizedIDsFile="$1" + cacheDir="$2" + + # clean out keys file and remake keys directory + rm -rf "$cacheDir" + mkdir -p "$cacheDir" + + # loop through all user ids in file + # FIXME: needs to handle extra options if necessary + cat "$authorizedIDsFile" | meat | \ + while read -r userID ; do + # process the userid + log "processing userid: '$userID'" + userKeyCachePath=$(process_user_id "$userID" "$cacheDir") + if [ -s "$userKeyCachePath" ] ; then + loge " acceptable key/uid found." + fi + done +} + +######################################################################## +# MAIN +######################################################################## + +if [ -z "$1" ] ; then + usage + exit 1 +fi + +# mode given in first variable +mode="$1" +shift 1 + +# check user +if ! id -u "$USER" > /dev/null 2>&1 ; then + failure "invalid user '$USER'." +fi + +# set user home directory +HOME=$(getent passwd "$USER" | cut -d: -f6) + +# set ms home directory +MS_HOME=${MS_HOME:-"$HOME"/.config/monkeysphere} + +# load configuration file +MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere.conf} +[ -e "$MS_CONF" ] && . "$MS_CONF" + +# set config variable defaults +STAGING_AREA=${STAGING_AREA:-"$MS_HOME"} +AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"$MS_HOME"/authorized_user_ids} +GNUPGHOME=${GNUPGHOME:-"$HOME"/.gnupg} +KEYSERVER=${KEYSERVER:-subkeys.pgp.net} +REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"$HOME"/.ssh/authorized_keys} +USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"$HOME"/.ssh/known_hosts} +HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-} + +# export USER and GNUPGHOME variables, since they are used by gpg +export USER +export GNUPGHOME + +# stagging locations +hostKeysCacheDir="$STAGING_AREA"/host_keys +userKeysCacheDir="$STAGING_AREA"/user_keys +msKnownHosts="$STAGING_AREA"/known_hosts +msAuthorizedKeys="$STAGING_AREA"/authorized_keys + +# make sure gpg home exists with proper permissions +mkdir -p -m 0700 "$GNUPGHOME" + +## KNOWN_HOST MODE +if [ "$mode" = 'known_hosts' -o "$mode" = 'k' ] ; then + mode='known_hosts' + + cacheDir="$hostKeysCacheDir" + + log "user '$USER': monkeysphere known_hosts processing" + + # touch the known_hosts file to make sure it exists + touch "$USER_KNOWN_HOSTS" + + # if hosts are specified on the command line, process just + # those hosts + if [ "$1" ] ; then + for host ; do + process_host "$host" "$cacheDir" + done + + # otherwise, if no hosts are specified, process the user + # known_hosts file + else + if [ ! -s "$USER_KNOWN_HOSTS" ] ; then + failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." + fi + process_known_hosts "$cacheDir" + fi + +## AUTHORIZED_KEYS MODE +elif [ "$mode" = 'authorized_keys' -o "$mode" = 'a' ] ; then + mode='authorized_keys' + + cacheDir="$userKeysCacheDir" + + # check auth ids file + if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then + log "authorized_user_ids file is empty or does not exist." + exit + fi + + log "user '$USER': monkeysphere authorized_keys processing" + + # if userids are specified on the command line, process just + # those userids + if [ "$1" ] ; then + for userID ; do + if ! grep -q "$userID" "$AUTHORIZED_USER_IDS" ; then + log "userid '$userID' not in authorized_user_ids file." + continue + fi + log "processing user id: '$userID'" + process_user_id "$userID" "$cacheDir" > /dev/null + done + + # otherwise, if no userids are specified, process the entire + # authorized_user_ids file + else + process_authorized_ids "$AUTHORIZED_USER_IDS" "$cacheDir" + fi + + # write output key file + log "writing monkeysphere authorized_keys file... " + touch "$msAuthorizedKeys" + if [ "$(ls "$cacheDir")" ] ; then + log -n "adding gpg keys... " + cat "$cacheDir"/* > "$msAuthorizedKeys" + echo "done." + else + log "no gpg keys to add." + fi + if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then + if [ -s "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then + log -n "adding user authorized_keys file... " + cat "$USER_CONTROLLED_AUTHORIZED_KEYS" >> "$msAuthorizedKeys" + echo "done." + fi + fi + log "monkeysphere authorized_keys file generated:" + log "$msAuthorizedKeys" + +else + failure "unknown command '$mode'." +fi -- cgit v1.2.3 From be186e427ac34812e2b2a55489ae55fe2341f6a0 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 10 Jun 2008 18:38:46 -0400 Subject: Cleaned/fix up update-userid function. also some general cleanup. --- src/common | 40 ++++++++++++++++++++++++++++++++ src/monkeysphere | 31 +++++++++++++++---------- src/monkeysphere-server | 49 +++++++++++++++++---------------------- src/monkeysphere-ssh-proxycommand | 19 ++++++++++----- 4 files changed, 93 insertions(+), 46 deletions(-) (limited to 'src') diff --git a/src/common b/src/common index 8643080..073b8af 100755 --- a/src/common +++ b/src/common @@ -351,3 +351,43 @@ process_authorized_ids() { process_user_id "$userID" "$cacheDir" > /dev/null done } + +# update the cache for userid, and prompt to add file to +# authorized_user_ids file if the userid is found in gpg +# and not already in file. +update_userid() { + local userID + local cacheDir + local userIDKeyCache + + userID="$1" + cacheDir="$2" + + log "processing userid: '$userID'" + userIDKeyCache=$(process_user_id "$userID" "$cacheDir") + if [ -z "$userIDKeyCache" ] ; then + return 1 + fi + if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + echo "the following userid is not in the authorized_user_ids file:" + echo " $userID" + read -p "would you like to add? [Y|n]: " OK; OK=${OK:=Y} + if [ ${OK/y/Y} = 'Y' ] ; then + log -n " adding userid to authorized_user_ids file... " + echo "$userID" >> "$AUTHORIZED_USER_IDS" + echo "done." + fi + fi +} + +# retrieve key from web of trust, and set owner trust to "full" +# if key is found. +trust_key() { + # get the key from the key server + gpg --keyserver "$KEYSERVER" --recv-key "$keyID" || failure "could not retrieve key '$keyID'" + + # edit the key to change trust + # FIXME: need to figure out how to automate this, + # in a batch mode or something. + gpg --edit-key "$keyID" +} diff --git a/src/monkeysphere b/src/monkeysphere index f279d86..d652ab3 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -1,5 +1,13 @@ #!/bin/sh +# monkeysphere: MonkeySphere client tool +# +# The monkeysphere scripts are written by: +# Jameson Rollins +# +# They are Copyright 2008, and are all released under the GPL, version 3 +# or later. + ######################################################################## PGRM=$(basename $0) @@ -26,11 +34,11 @@ usage: $PGRM [args] Monkeysphere client tool. subcommands: - update-known-hosts (k) [HOST]... update known_hosts file - update-authorized-keys (a) update authorized_keys file - update-userid (u) [USERID]... add/update userid to - authorized_user_ids - help (h,?) this help + update-known-hosts (k) [HOST]... update known_hosts file + update-authorized-keys (a) update authorized_keys file + update-userids (u) [USERID]... add/update userid + gen-ae-subkey (g) generate an 'ae' capable subkey + help (h,?) this help EOF } @@ -129,20 +137,19 @@ case $COMMAND in log "$msAuthorizedKeys" ;; - 'update-userid'|'u') + 'update-userids'|'u') if [ -z "$1" ] ; then failure "you must specify at least one userid." fi for userID ; do - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - log "userid '$userID' not in authorized_user_ids file." - continue - fi - log "processing user id: '$userID'" - process_user_id "$userID" "$userKeysCacheDir" > /dev/null + update_userid "$userID" "$userKeysCacheDir" done ;; + 'gen-ae-subkey'|) + failure "function not implemented yet." + ;; + 'help'|'h'|'?') usage ;; diff --git a/src/monkeysphere-server b/src/monkeysphere-server index f1b4892..fd7b583 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -1,5 +1,13 @@ #!/bin/sh +# monkeysphere-server: MonkeySphere server admin tool +# +# The monkeysphere scripts are written by: +# Jameson Rollins +# +# They are Copyright 2008, and are all released under the GPL, version 3 +# or later. + ######################################################################## PGRM=$(basename $0) @@ -23,12 +31,12 @@ usage: $PGRM [args] Monkeysphere server admin tool. subcommands: - update-users (s) [USER]... update authorized_keys file - gen-key (g) generate gpg key for the host - publish-key (p) publish host gpg to keyserver - trust-key (t) KEYID [KEYID]... mark keyid as trusted - update-user-userid (u) USER UID [UID]... add/update userid for user - help (h,?) this help + update-users (s) [USER]... update user authorized_keys file + gen-key (g) generate gpg key for the server + publish-key (p) publish server gpg to keyserver + trust-key (t) KEYID [KEYID]... mark keyid as trusted + update-user-userids (u) USER UID [UID]... add/update userid for user + help (h,?) this help EOF } @@ -85,19 +93,6 @@ publish_key() { echo "gpg --send-keys --keyserver $KEYSERVER $keyID" } -# trust key -trust_key() { - for keyID ; do - # get the key from the key server - gpg --keyserver "$KEYSERVER" --recv-key "$keyID" || failure "could not retrieve key '$keyID'" - - # edit the key to change trust - # FIXME: need to figure out how to automate this, - # in a batch mode or something. - gpg --edit-key "$keyID" - done -} - ######################################################################## # MAIN ######################################################################## @@ -185,10 +180,12 @@ case $COMMAND in if [ -z "$1" ] ; then failure "you must specify at least one key to trust." fi - trust_key "$@" + for keyID ; do + trust_key "$keyID" + done ;; - 'update-user-userid'|'u') + 'update-user-userids'|'u') uname="$1" shift if [ -z "$uname" ] ; then @@ -197,14 +194,10 @@ case $COMMAND in if [ -z "$1" ] ; then failure "you must specify at least one userid." fi + AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + userKeysCacheDir="$STAGING_AREA"/"$uname"/user_keys for userID ; do - AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - log "userid '$userID' not in authorized_user_ids file." - continue - fi - log "processing user id: '$userID'" - process_user_id "$userID" "$userKeysCacheDir" > /dev/null + update_userid "$userID" "$userKeysCacheDir" done ;; diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 1724966..417d013 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -1,10 +1,17 @@ #!/bin/sh -e -# MonkeySphere ssh ProxyCommand hook -# Proxy command script to initiate a monkeysphere known_hosts update -# before an ssh connection to host is established. -# Can be added to ~/.ssh/config as follows: -# ProxyCommand monkeysphere-ssh-proxycommand %h %p +# monkeysphere-ssh-proxycommand: MonkeySphere ssh ProxyCommand hook +# +# The monkeysphere scripts are written by: +# Jameson Rollins +# +# They are Copyright 2008, and are all released under the GPL, version 3 +# or later. + +# This is meant to be run as an ssh ProxyCommand to initiate a +# monkeysphere known_hosts update before an ssh connection to host is +# established. Can be added to ~/.ssh/config as follows: +# ProxyCommand monkeysphere-ssh-proxycommand %h %p HOST="$1" PORT="$2" @@ -12,5 +19,5 @@ PORT="$2" # update the known_hosts file for the host monkeysphere update-known-hosts "$HOST" -# make a netcat connection to host for the ssh connection +# exec a netcat passthrough to host for the ssh connection exec nc "$HOST" "$PORT" -- cgit v1.2.3 From 6a278713cc9fd475acae6bb131a44fc9b26ddac6 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 10 Jun 2008 22:25:32 -0400 Subject: More cleanup of scripts - fixed bug in gpg2ssh_tmp call - broke out update_authorized_keys function - cleaned up gen_key function for server - added possible "Revoker:" parameter we might use - started gen_ae_subkey function that for some reason isn't working yet. --- src/common | 91 ++++++++++++++++++++++++++++--------------- src/monkeysphere | 100 +++++++++++++++++++++++++++++++++--------------- src/monkeysphere-server | 80 +++++++++++++++++++------------------- 3 files changed, 172 insertions(+), 99 deletions(-) (limited to 'src') diff --git a/src/common b/src/common index 073b8af..ff6ba59 100755 --- a/src/common +++ b/src/common @@ -88,11 +88,11 @@ gpg2ssh_tmp() { local userID local host - keyID="$2" - userID="$3" + keyID="$1" + userID="$2" - if [ "$mode" = 'authorized_keys' ] ; then - gpgkey2ssh "$keyID" | sed -e "s/COMMENT/${userID}/" + if [ "$MODE" = 'authorized_keys' ] ; then + gpgkey2ssh "$keyID" | sed -e "s/COMMENT/MonkeySphere userID: ${userID}/" # NOTE: it seems that ssh-keygen -R removes all comment fields from # all lines in the known_hosts file. why? @@ -294,10 +294,65 @@ process_known_hosts() { done } -# process authorized_keys file +# update an authorized_keys file after first processing the +# authorized_user_ids file +update_authorized_keys() { + local cacheDir + local msAuthorizedKeys + local userAuthorizedKeys + + cacheDir="$1" + msAuthorizedKeys="$2" + userAuthorizedKeys="$3" + + process_authorized_ids "$AUTHORIZED_USER_IDS" "$cacheDir" + + # write output key file + log "writing monkeysphere authorized_keys file... " + touch "$msAuthorizedKeys" + if [ "$(ls "$cacheDir")" ] ; then + log -n "adding gpg keys... " + cat "$cacheDir"/* > "$msAuthorizedKeys" + echo "done." + else + log "no gpg keys to add." + fi + if [ "$userAuthorizedKeys" -a -s "$userAuthorizedKeys" ] ; then + log -n "adding user authorized_keys file... " + cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" + echo "done." + fi + log "monkeysphere authorized_keys file generated: $msAuthorizedKeys" +} + +# process an authorized_*_ids file +# go through line-by-line, extract each userid, and process +process_authorized_ids() { + local authorizedIDs + local cacheDir + local userID + + authorizedIDs="$1" + cacheDir="$2" + + # clean out keys file and remake keys directory + rm -rf "$cacheDir" + mkdir -p "$cacheDir" + + # loop through all user ids in file + # FIXME: needs to handle authorized_keys options + cat "$authorizedIDs" | meat | \ + while read -r userID ; do + # process the userid + log "processing userid: '$userID'" + process_user_id "$userID" "$cacheDir" > /dev/null + done +} + +# EXPERIMENTAL (unused) process userids found in authorized_keys file # go through line-by-line, extract monkeysphere userids from comment # fields, and process each userid -process_authorized_keys() { +process_userids_from_authorized_keys() { local authorizedKeys local cacheDir local userID @@ -328,30 +383,6 @@ process_authorized_keys() { done } -# process an authorized_*_ids file -# go through line-by-line, extract each userid, and process -process_authorized_ids() { - local authorizedIDs - local cacheDir - local userID - - authorizedIDs="$1" - cacheDir="$2" - - # clean out keys file and remake keys directory - rm -rf "$cacheDir" - mkdir -p "$cacheDir" - - # loop through all user ids in file - # FIXME: needs to handle authorized_keys options - cat "$authorizedIDs" | meat | \ - while read -r userID ; do - # process the userid - log "processing userid: '$userID'" - process_user_id "$userID" "$cacheDir" > /dev/null - done -} - # update the cache for userid, and prompt to add file to # authorized_user_ids file if the userid is found in gpg # and not already in file. diff --git a/src/monkeysphere b/src/monkeysphere index d652ab3..c417625 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -34,15 +34,70 @@ usage: $PGRM [args] Monkeysphere client tool. subcommands: - update-known-hosts (k) [HOST]... update known_hosts file - update-authorized-keys (a) update authorized_keys file + update-known_hosts (k) [HOST]... update known_hosts file + update-authorized_keys (a) update authorized_keys file update-userids (u) [USERID]... add/update userid - gen-ae-subkey (g) generate an 'ae' capable subkey + gen-ae-subkey (g) KEYID generate an 'ae' capable subkey help (h,?) this help EOF } +# generate a subkey with the 'a' and 'e' usage flags set +gen_ae_subkey(){ + local keyID + local gpgOut + local userID + + log "warning: this function is still not working." + + keyID="$1" + + # set subkey defaults + SUBKEY_TYPE=${KEY_TYPE:-RSA} + SUBKEY_LENGTH=${KEY_LENGTH:-1024} + SUBKEY_USAGE=${KEY_USAGE:-encrypt,auth} + + gpgOut=$(gpg --fixed-list-mode --list-keys --with-colons \ + "$keyID" 2> /dev/null) + + # return 1 if there only "tru" lines are output from gpg + if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then + loge " key not found." + return 1 + fi + + userID=$(echo "$gpgOut" | grep "^uid:" | cut -d: -f10) + + # set key parameters + keyParameters=$(cat < "$msAuthorizedKeys" - echo "done." - else - log "no gpg keys to add." - fi - if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then - userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$HOME"} - if [ -s "$userAuthorizedKeys" ] ; then - log -n "adding user authorized_keys file... " - cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" - echo "done." - fi - fi - log "monkeysphere authorized_keys file generated:" - log "$msAuthorizedKeys" + # update authorized_keys + update_authorized_keys "$userKeysCacheDir" "$msAuthorizedKeys" "$userAuthorizedKeys" ;; 'update-userids'|'u') @@ -146,8 +182,12 @@ case $COMMAND in done ;; - 'gen-ae-subkey'|) - failure "function not implemented yet." + 'gen-ae-subkey'|'g') + keyID="$1" + if [ -z "$keyID" ] ; then + failure "you must specify keyid of primary key." + fi + gen_ae_subkey "$keyID" ;; 'help'|'h'|'?') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index fd7b583..6eeb702 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -31,18 +31,19 @@ usage: $PGRM [args] Monkeysphere server admin tool. subcommands: - update-users (s) [USER]... update user authorized_keys file - gen-key (g) generate gpg key for the server - publish-key (p) publish server gpg to keyserver - trust-key (t) KEYID [KEYID]... mark keyid as trusted - update-user-userids (u) USER UID [UID]... add/update userid for user - help (h,?) this help + update-users (s) [USER]... update users authorized_keys files + gen-key (g) generate gpg key for the server + publish-key (p) publish server key to keyserver + trust-keys (t) KEYID... mark keyids as trusted + update-user-userids (u) USER UID... add/update userids for a user + help (h,?) this help EOF } # generate server gpg key gen_key() { + # set key defaults KEY_TYPE=${KEY_TYPE:-RSA} KEY_LENGTH=${KEY_LENGTH:-2048} KEY_USAGE=${KEY_USAGE:-encrypt,auth} @@ -51,13 +52,26 @@ gen_key() { USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} - echo "key parameters:" - cat < "$msAuthorizedKeys" - echo "done." - else - log "no gpg keys to add." - fi + # set user-controlled authorized_keys file path if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then userHome=$(getent passwd "$uname" | cut -d: -f6) userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"} - if [ -s "$userAuthorizedKeys" ] ; then - log -n "adding user authorized_keys file... " - cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" - echo "done." - fi fi - log "monkeysphere authorized_keys file generated:" - log "$msAuthorizedKeys" + + # update authorized_keys + update_authorized_keys "$cacheDir" "$msAuthorizedKeys" "$userAuthorizedKeys" done + log "----- done. -----" ;; 'gen-key'|'g') @@ -176,7 +178,7 @@ case $COMMAND in publish_key ;; - 'trust-key'|'t') + 'trust-keys'|'t') if [ -z "$1" ] ; then failure "you must specify at least one key to trust." fi -- cgit v1.2.3 From 3250fce7979ada7e94782430801f5fb76fecbc90 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 11 Jun 2008 14:08:29 -0400 Subject: Updates to use the new openpgp2ssh program that dkg wrote. --- man/man8/monkeysphere-server.8 | 1 - src/common | 55 +++++++++++++++++++++++++++--------------- src/monkeysphere-server | 4 ++- 3 files changed, 38 insertions(+), 22 deletions(-) (limited to 'src') diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 39a8e5c..7a12e17 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -57,4 +57,3 @@ extent permitted by law. .BR monkeysphere (1), .BR gpg (1), .BR ssh (1) - diff --git a/src/common b/src/common index ff6ba59..d7caefd 100755 --- a/src/common +++ b/src/common @@ -82,27 +82,36 @@ unescape() { echo "$1" | sed 's/\\x3a/:/' } -# stand in until we get dkg's gpg2ssh program -gpg2ssh_tmp() { +# convert key from gpg to ssh known_hosts format +gpg2known_hosts() { local keyID - local userID local host keyID="$1" - userID="$2" - - if [ "$MODE" = 'authorized_keys' ] ; then - gpgkey2ssh "$keyID" | sed -e "s/COMMENT/MonkeySphere userID: ${userID}/" + host=$(echo "$2" | sed -e "s|ssh://||") # NOTE: it seems that ssh-keygen -R removes all comment fields from # all lines in the known_hosts file. why? # NOTE: just in case, the COMMENT can be matched with the # following regexp: # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' - elif [ "$MODE" = 'known_hosts' ] ; then - host=$(echo "$userID" | sed -e "s|ssh://||") - echo -n "$host "; gpgkey2ssh "$keyID" | sed -e "s/COMMENT/MonkeySphere${DATE}/" - fi + echo -n "$host " + gpg --export "$keyID" | \ + openpgp2ssh "$keyID" | tr -d '\n' + echo "MonkeySphere${DATE}" +} + +# convert key from gpg to ssh authorized_keys format +gpg2authorized_keys() { + local keyID + local userID + + keyID="$1" + userID="$2" + + echo -n "MonkeySphere${DATE}:${userID}" + gpg --export "$keyID" | \ + openpgp2ssh "$keyID" } # userid and key policy checking @@ -235,15 +244,21 @@ process_user_id() { for keyID in ${keyIDs[@]} ; do loge " acceptable key/uid found." - # export the key with gpg2ssh - # FIXME: needs to apply extra options for authorized_keys - # lines if specified - gpg2ssh_tmp "$keyID" "$userID" >> "$cacheDir"/"$userIDHash"."$pubKeyID" - - # hash the cache file if specified - if [ "$MODE" = 'known_hosts' -a "$HASH_KNOWN_HOSTS" ] ; then - ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1 - rm "$cacheDir"/"$userIDHash"."$pubKeyID".old + if [ "$MODE" = 'known_hosts' ] ; then + # export the key + gpg2known_hosts "$keyID" "$userID" >> \ + "$cacheDir"/"$userIDHash"."$pubKeyID" + # hash the cache file if specified + if [ "$HASH_KNOWN_HOSTS" ] ; then + ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1 + rm "$cacheDir"/"$userIDHash"."$pubKeyID".old + fi + elif [ "$MODE" = 'authorized_keys' ] ; then + # export the key + # FIXME: needs to apply extra options for authorized_keys + # lines if specified + gpg2authorized_keys "$keyID" "$userID" >> \ + "$cacheDir"/"$userIDHash"."$pubKeyID" fi done fi diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 6eeb702..34239b6 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -145,9 +145,10 @@ case $COMMAND in fi for uname in $unames ; do + MODE="authorized_keys" + log "----- user: $uname -----" - MODE="authorized_keys" AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" cacheDir="$STAGING_AREA"/"$uname"/user_keys msAuthorizedKeys="$STAGING_AREA"/"$uname"/authorized_keys @@ -167,6 +168,7 @@ case $COMMAND in # update authorized_keys update_authorized_keys "$cacheDir" "$msAuthorizedKeys" "$userAuthorizedKeys" done + log "----- done. -----" ;; -- cgit v1.2.3 From b676fea4a45dce7ccd8049ca27e7a5612b343d28 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 11 Jun 2008 15:50:08 -0400 Subject: removing old rhesus and howler components as they have been made defunct by the new monkeysphere and monkeysphere-server tools (I probably could have figured out a way to transition from them smoother, but I didn't. oh well.). --- src/howler/howler | 134 ---------------- src/rhesus/README | 30 ---- src/rhesus/rhesus | 466 ------------------------------------------------------ 3 files changed, 630 deletions(-) delete mode 100755 src/howler/howler delete mode 100644 src/rhesus/README delete mode 100755 src/rhesus/rhesus (limited to 'src') diff --git a/src/howler/howler b/src/howler/howler deleted file mode 100755 index 0b67c02..0000000 --- a/src/howler/howler +++ /dev/null @@ -1,134 +0,0 @@ -#!/bin/sh - -# howler: monkeysphere server gpg generator/publisher/maintainer -# -# Written by -# Jameson Rollins -# -# Copyright 2008, released under the GPL, version 3 or later - -PGRM=$(basename $0) - -######################################################################## -# FUNCTIONS -######################################################################## - -usage() { -cat <&2 - exit ${2:-'1'} -} - -# generate server gpg key -gen_key() { - KEY_TYPE=${KEY_TYPE:-RSA} - KEY_LENGTH=${KEY_LENGTH:-2048} - KEY_USAGE=${KEY_USAGE:-encrypt,auth} - SERVICE=${SERVICE:-ssh} - HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} - - USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} - - echo "key parameters:" - cat < /dev/null 2>&1 ; then - failure "key for '$USERID' already exists" - fi - - echo "generating server key..." - gpg --batch --gen-key < /dev/null | grep '^pub:' | cut -d: -f5) - - # dummy command so as not to publish fakes keys during testing - # eventually: - #gpg --send-keys --keyserver "$KEYSERVER" "$keyID" - echo "gpg --send-keys --keyserver $KEYSERVER $keyID" -} - -trust_key() { - for keyID ; do - # get the key from the key server - gpg --keyserver "$KEYSERVER" --recv-key "$keyID" || failure "could not retrieve key '$keyID'" - - # edit the key to change trust - # FIXME: need to figure out how to automate this, - # in a batch mode or something. - gpg --edit-key "$keyID" - done -} - -######################################################################## -# MAIN -######################################################################## - -# set ms home directory -MS_HOME=${MS_HOME:-/etc/monkeysphere} - -# load configuration file -MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere.conf} -[ -e "$MS_CONF" ] && . "$MS_CONF" - -GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} -export GNUPGHOME -KEYSERVER=${KEYSERVER:-subkeys.pgp.net} -export KEYSERVER - -COMMAND="$1" -[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." -shift 1 - -case $COMMAND in - 'gen-key') - gen_key - ;; - 'publish-key') - publish_key - ;; - 'trust-key') - if [ -z "$1" ] ; then - failure "you must specify at least one key to trust." - fi - trust_key "$@" - ;; - 'help') - usage - exit - ;; - *) - failure "Unknown command: '$COMMAND' -Type '$PGRM help' for usage." - ;; -esac diff --git a/src/rhesus/README b/src/rhesus/README deleted file mode 100644 index 4d383d5..0000000 --- a/src/rhesus/README +++ /dev/null @@ -1,30 +0,0 @@ -rhesus is the monkeysphere authorized_keys/known_hosts generator. - -In authorized_keys mode, rhesus takes an auth_user_ids file, which -contains gpg user ids, uses gpg to fetch the keys of the specified -users, does a monkeysphere policy check on each id, and uses gpg2ssh -to generate authorized_keys lines for each verified id. The lines are -then combined with a user's traditional authorized_keys file to create -a new authorized_keys file. - -In known_hosts mode, rhesus takes an auth_host_ids file, which -contains gpg user ids of the form ssh://URL, uses gpg to fetch the -keys of the specified hosts, does a monkeysphere policy check on each -id, and uses gpg2ssh to generate a known_hosts lines for each verified -id. The lines are then combined with a user's traditional known_hosts -file to create a new known_hosts file. - -When run as a normal user, no special configuration is needed. - -When run as an administrator to update system-maintained -authorized_keys files for each user, the following environment -variables should be defined first: - - MS_CONF=/etc/monkeysphere/monkeysphere.conf - USER=foo - -For example, the command might be run like this: - - for USER in $(ls -1 /home) ; do - MS_CONF=/etc/monkeysphere/monkeysphere.conf rhesus --authorized_keys - done diff --git a/src/rhesus/rhesus b/src/rhesus/rhesus deleted file mode 100755 index f607f0b..0000000 --- a/src/rhesus/rhesus +++ /dev/null @@ -1,466 +0,0 @@ -#!/bin/sh - -# rhesus: monkeysphere authorized_keys/known_hosts generating script -# -# Written by -# Jameson Rollins -# -# Copyright 2008, released under the GPL, version 3 or later - -# all caps variables are meant to be user supplied (ie. from config -# file) and are considered global - -PGRM=$(basename $0) - -# date in UTF format if needed -DATE=$(date -u '+%FT%T') - -# unset some environment variables that could screw things up -GREP_OPTIONS= - -######################################################################## -# FUNCTIONS -######################################################################## - -usage() { -cat <&2 - exit ${2:-'1'} -} - -# write output to stdout -log() { - echo -n "ms: " - echo "$@" -} - -# write output to stderr -loge() { - echo -n "ms: " 1>&2 - echo "$@" 1>&2 -} - -# cut out all comments(#) and blank lines from standard input -meat() { - grep -v -e "^[[:space:]]*#" -e '^$' -} - -# cut a specified line from standard input -cutline() { - head --line="$1" | tail -1 -} - -# retrieve all keys with given user id from keyserver -# FIXME: need to figure out how to retrieve all matching keys -# (not just first 5) -gpg_fetch_keys() { - local id - id="$1" - echo 1,2,3,4,5 | \ - gpg --quiet --batch --command-fd 0 --with-colons \ - --keyserver "$KEYSERVER" \ - --search ="$id" >/dev/null 2>&1 -} - -# check that characters are in a string (in an AND fashion). -# used for checking key capability -# check_capability capability a [b...] -check_capability() { - local capability - local capcheck - - capability="$1" - shift 1 - - for capcheck ; do - if echo "$capability" | grep -q -v "$capcheck" ; then - return 1 - fi - done - return 0 -} - -# convert escaped characters from gpg output back into original -# character -# FIXME: undo all escape character translation in with-colons gpg output -unescape() { - echo "$1" | sed 's/\\x3a/:/' -} - -# stand in until we get dkg's gpg2ssh program -gpg2ssh_tmp() { - local mode - local keyID - local userID - local host - - mode="$1" - keyID="$2" - userID="$3" - - if [ "$mode" = 'authorized_keys' ] ; then - gpgkey2ssh "$keyID" | sed -e "s/COMMENT/${userID}/" - - # NOTE: it seems that ssh-keygen -R removes all comment fields from - # all lines in the known_hosts file. why? - # NOTE: just in case, the COMMENT can be matched with the - # following regexp: - # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' - elif [ "$mode" = 'known_hosts' ] ; then - host=$(echo "$userID" | sed -e "s|ssh://||") - echo -n "$host "; gpgkey2ssh "$keyID" | sed -e "s/COMMENT/MonkeySphere${DATE}/" - fi -} - -# userid and key policy checking -# the following checks policy on the returned keys -# - checks that full key has appropriate valididy (u|f) -# - checks key has specified capability (REQUIRED_KEY_CAPABILITY) -# - checks that particular desired user id has appropriate validity -# see /usr/share/doc/gnupg/DETAILS.gz -# expects global variable: "mode" -process_user_id() { - local userID - local cacheDir - local requiredPubCapability - local gpgOut - local line - local type - local validity - local keyid - local uidfpr - local capability - local keyOK - local pubKeyID - local uidOK - local keyIDs - local userIDHash - local keyID - - userID="$1" - cacheDir="$2" - - requiredPubCapability=$(echo "$REQUIRED_KEY_CAPABILITY" | tr "[:lower:]" "[:upper:]") - - # fetch keys from keyserver, return 1 if none found - gpg_fetch_keys "$userID" || return 1 - - # output gpg info for (exact) userid and store - gpgOut=$(gpg --fixed-list-mode --list-key --with-colons \ - ="$userID" 2> /dev/null) - - # return 1 if there only "tru" lines are output from gpg - if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then - return 1 - fi - - # loop over all lines in the gpg output and process. - # need to do it this way (as opposed to "while read...") so that - # variables set in loop will be visible outside of loop - for line in $(seq 1 $(echo "$gpgOut" | wc -l)) ; do - - # read the contents of the line - type=$(echo "$gpgOut" | cutline "$line" | cut -d: -f1) - validity=$(echo "$gpgOut" | cutline "$line" | cut -d: -f2) - keyid=$(echo "$gpgOut" | cutline "$line" | cut -d: -f5) - uidfpr=$(echo "$gpgOut" | cutline "$line" | cut -d: -f10) - capability=$(echo "$gpgOut" | cutline "$line" | cut -d: -f12) - - # process based on record type - case $type in - 'pub') # primary keys - # new key, wipe the slate - keyOK= - pubKeyID= - uidOK= - keyIDs= - - pubKeyID="$keyid" - - # check primary key validity - if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then - loge " unacceptable primary key validity ($validity)." - continue - fi - # check capability is not Disabled... - if check_capability "$capability" 'D' ; then - loge " key disabled." - continue - fi - # check overall key capability - # must be Encryption and Authentication - if ! check_capability "$capability" $requiredPubCapability ; then - loge " unacceptable primary key capability ($capability)." - continue - fi - - # mark if primary key is acceptable - keyOK=true - - # add primary key ID to key list if it has required capability - if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then - keyIDs[${#keyIDs[*]}]="$keyid" - fi - ;; - 'uid') # user ids - # check key ok and we have key fingerprint - if [ -z "$keyOK" ] ; then - continue - fi - # check key validity - if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then - continue - fi - # check the uid matches - if [ "$(unescape "$uidfpr")" != "$userID" ] ; then - continue - fi - - # mark if uid acceptable - uidOK=true - ;; - 'sub') # sub keys - # add sub key ID to key list if it has required capability - if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then - keyIDs[${#keyIDs[*]}]="$keyid" - fi - ;; - esac - done - - # hash userid for cache file name - userIDHash=$(echo "$userID" | sha1sum | awk '{ print $1 }') - - # touch/clear key cache file - # (will be left empty if there are noacceptable keys) - > "$cacheDir"/"$userIDHash"."$pubKeyID" - - # for each acceptable key, write an ssh key line to the - # key cache file - if [ "$keyOK" -a "$uidOK" -a "${keyIDs[*]}" ] ; then - for keyID in ${keyIDs[@]} ; do - # export the key with gpg2ssh - # FIXME: needs to apply extra options for authorized_keys - # lines if specified - gpg2ssh_tmp "$mode" "$keyID" "$userID" >> "$cacheDir"/"$userIDHash"."$pubKeyID" - - # hash the cache file if specified - if [ "$mode" = 'known_hosts' -a "$HASH_KNOWN_HOSTS" ] ; then - ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1 - rm "$cacheDir"/"$userIDHash"."$pubKeyID".old - fi - done - fi - - # echo the path to the key cache file - echo "$cacheDir"/"$userIDHash"."$pubKeyID" -} - -# process a host for addition to a known_host file -process_host() { - local host - local cacheDir - local hostKeyCachePath - - host="$1" - cacheDir="$2" - - log "processing host: '$host'" - - hostKeyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") - if [ $? = 0 ] ; then - ssh-keygen -R "$host" -f "$USER_KNOWN_HOSTS" - cat "$hostKeyCachePath" >> "$USER_KNOWN_HOSTS" - fi -} - -# process known_hosts file -# go through line-by-line, extract each host, and process with the -# host processing function -process_known_hosts() { - local cacheDir - local userID - - cacheDir="$1" - - # take all the hosts from the known_hosts file (first field), - # grep out all the hashed hosts (lines starting with '|') - cut -d ' ' -f 1 "$USER_KNOWN_HOSTS" | \ - grep -v '^|.*$' | \ - while IFS=, read -r -a hosts ; do - # process each host - for host in ${hosts[*]} ; do - process_host "$host" "$cacheDir" - done - done -} - -# process an authorized_*_ids file -# go through line-by-line, extract each userid, and process -process_authorized_ids() { - local authorizedIDsFile - local cacheDir - local userID - local userKeyCachePath - - authorizedIDsFile="$1" - cacheDir="$2" - - # clean out keys file and remake keys directory - rm -rf "$cacheDir" - mkdir -p "$cacheDir" - - # loop through all user ids in file - # FIXME: needs to handle extra options if necessary - cat "$authorizedIDsFile" | meat | \ - while read -r userID ; do - # process the userid - log "processing userid: '$userID'" - userKeyCachePath=$(process_user_id "$userID" "$cacheDir") - if [ -s "$userKeyCachePath" ] ; then - loge " acceptable key/uid found." - fi - done -} - -######################################################################## -# MAIN -######################################################################## - -if [ -z "$1" ] ; then - usage - exit 1 -fi - -# mode given in first variable -mode="$1" -shift 1 - -# check user -if ! id -u "$USER" > /dev/null 2>&1 ; then - failure "invalid user '$USER'." -fi - -# set user home directory -HOME=$(getent passwd "$USER" | cut -d: -f6) - -# set ms home directory -MS_HOME=${MS_HOME:-"$HOME"/.config/monkeysphere} - -# load configuration file -MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere.conf} -[ -e "$MS_CONF" ] && . "$MS_CONF" - -# set config variable defaults -STAGING_AREA=${STAGING_AREA:-"$MS_HOME"} -AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"$MS_HOME"/authorized_user_ids} -GNUPGHOME=${GNUPGHOME:-"$HOME"/.gnupg} -KEYSERVER=${KEYSERVER:-subkeys.pgp.net} -REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"$HOME"/.ssh/authorized_keys} -USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"$HOME"/.ssh/known_hosts} -HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-} - -# export USER and GNUPGHOME variables, since they are used by gpg -export USER -export GNUPGHOME - -# stagging locations -hostKeysCacheDir="$STAGING_AREA"/host_keys -userKeysCacheDir="$STAGING_AREA"/user_keys -msKnownHosts="$STAGING_AREA"/known_hosts -msAuthorizedKeys="$STAGING_AREA"/authorized_keys - -# make sure gpg home exists with proper permissions -mkdir -p -m 0700 "$GNUPGHOME" - -## KNOWN_HOST MODE -if [ "$mode" = 'known_hosts' -o "$mode" = 'k' ] ; then - mode='known_hosts' - - cacheDir="$hostKeysCacheDir" - - log "user '$USER': monkeysphere known_hosts processing" - - # touch the known_hosts file to make sure it exists - touch "$USER_KNOWN_HOSTS" - - # if hosts are specified on the command line, process just - # those hosts - if [ "$1" ] ; then - for host ; do - process_host "$host" "$cacheDir" - done - - # otherwise, if no hosts are specified, process the user - # known_hosts file - else - if [ ! -s "$USER_KNOWN_HOSTS" ] ; then - failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." - fi - process_known_hosts "$cacheDir" - fi - -## AUTHORIZED_KEYS MODE -elif [ "$mode" = 'authorized_keys' -o "$mode" = 'a' ] ; then - mode='authorized_keys' - - cacheDir="$userKeysCacheDir" - - # check auth ids file - if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then - log "authorized_user_ids file is empty or does not exist." - exit - fi - - log "user '$USER': monkeysphere authorized_keys processing" - - # if userids are specified on the command line, process just - # those userids - if [ "$1" ] ; then - for userID ; do - if ! grep -q "$userID" "$AUTHORIZED_USER_IDS" ; then - log "userid '$userID' not in authorized_user_ids file." - continue - fi - log "processing user id: '$userID'" - process_user_id "$userID" "$cacheDir" > /dev/null - done - - # otherwise, if no userids are specified, process the entire - # authorized_user_ids file - else - process_authorized_ids "$AUTHORIZED_USER_IDS" "$cacheDir" - fi - - # write output key file - log "writing monkeysphere authorized_keys file... " - touch "$msAuthorizedKeys" - if [ "$(ls "$cacheDir")" ] ; then - log -n "adding gpg keys... " - cat "$cacheDir"/* > "$msAuthorizedKeys" - echo "done." - else - log "no gpg keys to add." - fi - if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then - if [ -s "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then - log -n "adding user authorized_keys file... " - cat "$USER_CONTROLLED_AUTHORIZED_KEYS" >> "$msAuthorizedKeys" - echo "done." - fi - fi - log "monkeysphere authorized_keys file generated:" - log "$msAuthorizedKeys" - -else - failure "unknown command '$mode'." -fi -- cgit v1.2.3 From 8dd86c4d70611a65e8a23ae3f6fa155e8c272be9 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Wed, 11 Jun 2008 17:05:26 -0400 Subject: quote some strings to not confuse checkbashisms --- src/monkeysphere | 6 +++--- src/monkeysphere-server | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/monkeysphere b/src/monkeysphere index c417625..aaeda11 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -54,9 +54,9 @@ gen_ae_subkey(){ keyID="$1" # set subkey defaults - SUBKEY_TYPE=${KEY_TYPE:-RSA} - SUBKEY_LENGTH=${KEY_LENGTH:-1024} - SUBKEY_USAGE=${KEY_USAGE:-encrypt,auth} + SUBKEY_TYPE=${KEY_TYPE:-"RSA"} + SUBKEY_LENGTH=${KEY_LENGTH:-"1024"} + SUBKEY_USAGE=${KEY_USAGE:-"encrypt,auth"} gpgOut=$(gpg --fixed-list-mode --list-keys --with-colons \ "$keyID" 2> /dev/null) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 34239b6..a109cf5 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -44,10 +44,10 @@ EOF # generate server gpg key gen_key() { # set key defaults - KEY_TYPE=${KEY_TYPE:-RSA} - KEY_LENGTH=${KEY_LENGTH:-2048} - KEY_USAGE=${KEY_USAGE:-encrypt,auth} - SERVICE=${SERVICE:-ssh} + KEY_TYPE=${KEY_TYPE:-"RSA"} + KEY_LENGTH=${KEY_LENGTH:-"2048"} + KEY_USAGE=${KEY_USAGE:-"encrypt,auth"} + SERVICE=${SERVICE:-"ssh"} HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} -- cgit v1.2.3 From 35a6f7cf8c455318078c7f94951dbc964bb41006 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Thu, 12 Jun 2008 00:22:02 -0400 Subject: Man page work. - flesh out more of the man pages for monkeysphere and monkeysphere-server - move the server cache directory to /var/cache, where it should be. --- debian/dirs | 3 +- etc/monkeysphere-server.conf | 3 -- man/man1/monkeysphere.1 | 83 +++++++++++++++++++++++++++--------------- man/man8/monkeysphere-server.8 | 35 ++++++++++-------- src/common | 12 +++--- src/monkeysphere | 4 +- src/monkeysphere-server | 11 +++--- 7 files changed, 87 insertions(+), 64 deletions(-) (limited to 'src') diff --git a/debian/dirs b/debian/dirs index 277c0b5..bdf0fe0 100644 --- a/debian/dirs +++ b/debian/dirs @@ -1,5 +1,4 @@ -var/lib/monkeysphere -var/lib/monkeysphere/stage +var/cache/monkeysphere usr/bin usr/sbin usr/share diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf index bed5c09..3c16c5f 100644 --- a/etc/monkeysphere-server.conf +++ b/etc/monkeysphere-server.conf @@ -18,6 +18,3 @@ # monkeysphere-generated authorized_keys file. Should be path to file # where '%h' will be substituted for the user's home directory. #USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys - -# where to cache user authorized_keys lines -#STAGING_AREA=/var/lib/monkeysphere/stage diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index f9a6af4..410a5d7 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -1,34 +1,53 @@ .TH MONKEYSPHERE "1" "June 2008" "monkeysphere 0.1" "User Commands" .SH NAME -monkeysphere \- monkeysphere client user interface +monkeysphere \- MonkeySphere client user interface .SH SYNOPSIS .B monkeysphere \fIcommand\fP [\fIargs\fP] .SH DESCRIPTION .PP -\fBmonkeysphere\fP is the client monkeysphere tool. +MonkeySphere is a system to leverage the OpenPGP Web of Trust for ssh +authentication and encryption. OpenPGP keys are tracked via GnuPG, +and added to the ssh authorized_keys and known_hosts files to be used +for authentication and encryption of ssh connection. + +\fBmonkeysphere\fP is the MonkeySphere client utility. +.PD .SH SUBCOMMANDS \fBmonkeysphere\fP takes various subcommands: -.PD .TP .B update-known_hosts [HOST]... -Update the known_hosts file. For every host listed, search for a gpg -key for the host in the Web of Trust. If a key is found, any ssh keys -for the host are removed from the known_hosts file. If the found key -is acceptable (see KEY ACCEPTABILITY), then the gpg key is converted -to an ssh key and added to the known_hosts file. If no gpg key is -found for the host, then nothing is done. If no hosts are specified, -all hosts listed in the known_hosts file will be processed. If they - -`k' may be used in place of `update-known_hosts'. -.TP -.B update-authorized_keys -Update the authorized_keys file. +Update the known_hosts file. For each specified host, gpg will be +queried for a key associated with the host URI (see HOST URIs), +querying a keyserver if none is found in the user's keychain. search +for a gpg key for the host in the Web of Trust. If a key is found, it +will be added to the host_keys cache (see KEY CACHES) and any ssh keys +for the host will be removed from the user's known_hosts file. If the +found key is acceptable (see KEY ACCEPTABILITY), then the host's gpg +key will be added to the known_hosts file. If no gpg key is found for +the host, then nothing is done. If no hosts are specified, all hosts +listed in the known_hosts file will be processed. `k' may be used in +place of `update-known_hosts'. .TP .B update-userids [USERID]... -Update userid +Add/update a userid in the authorized_user_ids file. The user IDs +specified should be exact matches to OpenPGP user IDs. For each +specified user ID, gpg will be queried for a key associated with that +user ID, querying a keyserver if none is found in the user's keychain. +If a key is found, it will be added to the user_keys cache (see KEY +CACHES) and the user ID will be added to the user's +authorized_user_ids file (if it wasn't already present). +.TP +.B update-authorized_keys +Update the monkeysphere authorized_keys file. The monkeysphere +authorized_keys file will be regenerated from the valid keys in the +user_key cache, and the user's independently controlled +authorized_keys file (usually ~/.ssh/authorized_keys). .TP .B gen-ae-subkey KEYID -Generate an `ae` capable subkey +Generate an `ae` capable subkey. For the primary key with the +specified key ID, generate a subkey with "authentication" and +"encryption" capability that can be used for MonkeySphere +transactions. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of @@ -45,6 +64,20 @@ flags. .B validity The key must be "fully" valid, and must not be expired or revoked. .PD +.SH KEY CACHES +Monkeysphere keeps track of keys in key cache directories. The files +in the cache are named with the format "USERID_HASH.PUB_KEY_ID", where +USERID_HASH is a hash of the exact OpenPGP user ID, and PUB_KEY_ID is +the key ID of the primary key. If the user/key ID combo exists in the +Web of Trust but is not acceptable, then the file is empty. If the +primary key has at least one acceptable sub key, then an ssh-style +key, converted from the OpenPGP key, of all acceptable subkeys will be +stored in the cache file, one per line. known_hosts style key lines +will be stored in the host_keys cache files, and authorized_keys style +key lines will be stored in the user_keys cache files. OpenPGP keys +are converted to ssh-style keys with the openpgp2ssh utility (see `man +openpgp2ssh'). +.PD .SH FILES .PD 1 .TP @@ -55,7 +88,8 @@ User monkeysphere config file. System-wide monkeysphere config file. .TP ~/.config/monkeysphere/authorized_user_ids -GPG user IDs to validate for addition to the authorized_keys file. +GPG user IDs associated with keys that will be checked for addition to +the authorized_keys file. .TP ~/.config/monkeysphere/authorized_keys Monkeysphere generated authorized_keys file. @@ -67,17 +101,8 @@ User keys cache directory. Host keys cache directory. .PD .SH AUTHOR -Written by Jameson Rollins -.SH "REPORTING BUGS" -Report bugs to . -.SH COPYRIGHT -Copyright \(co 2008 Jameson Graef Rollins and Daniel Kahn Gillmor -.br -This is free software. You may redistribute copies of it under the -terms of the GNU General Public License -. There is NO WARRANTY, to the -extent permitted by law. -.SH "SEE ALSO" +Written by Jameson Rollins +.SH SEE ALSO .BR ssh (1), .BR gpg (1), .BR monkeysphere-server (8) diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 7a12e17..cc07077 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -5,20 +5,32 @@ monkeysphere-server \- monkeysphere server admin user interface .B monkeysphere-server \fIcommand\fP [\fIargs\fP] .SH DESCRIPTION .PP -\fBmonkeysphere-server\fP is the server admin monkeysphere tool. +\fBMonkeySphere\fP is a system to leverage the OpenPGP Web of Trust +for ssh authentication and encryption. OpenPGP keys are tracked via +GnuPG, and added to the ssh authorized_keys and known_hosts files to +be used for authentication and encryption of ssh connection. + +\fBmonkeysphere-server\fP is the MonkeySphere server admin utility. +.PD .SH SUBCOMMANDS \fBmonkeysphere-server\fP takes various subcommands: -.PD .TP -.B update-users [HOST]... +.B update-users [USER]... +Update the admin-controlled authorized_keys files for user. For each +user specified, update the user's authorized_keys file in +/var/cache/monkeysphere/USER. See `man monkeysphere' for more info. .TP .B gen-key +Generate a gpg key for the host. .TP .B publish-key +Publish the host's gpg key to a keyserver. .TP .B trust-keys KEYID... +Mark key specified with KEYID with full owner trust. .TP .B update-user-userids USER USERID... +Add/update a userid in the authorized_user_ids file for USER. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of @@ -39,21 +51,12 @@ Monkeysphere GNUPG home directory. /etc/monkeysphere/authorized_user_ids/USER Server maintained authorized_user_ids files for users. .TP -/var/lib/monkeysphere/stage/USER -Staging directory for user key caches. +/var/cachemonkeysphere/USER +User keys cache directories. .PD .SH AUTHOR -Written by Jameson Rollins -.SH "REPORTING BUGS" -Report bugs to . -.SH COPYRIGHT -Copyright \(co 2008 Jameson Graef Rollins and Daniel Kahn Gillmor -.br -This is free software. You may redistribute copies of it under the -terms of the GNU General Public License -. There is NO WARRANTY, to the -extent permitted by law. -.SH "SEE ALSO" +Written by Jameson Rollins +.SH SEE ALSO .BR monkeysphere (1), .BR gpg (1), .BR ssh (1) diff --git a/src/common b/src/common index d7caefd..914c800 100755 --- a/src/common +++ b/src/common @@ -14,8 +14,8 @@ # managed directories ETC="/etc/monkeysphere" export ETC -LIB="/var/lib/monkeysphere" -export LIB +CACHE="/var/cache/monkeysphere" +export CACHE ######################################################################## failure() { @@ -312,13 +312,13 @@ process_known_hosts() { # update an authorized_keys file after first processing the # authorized_user_ids file update_authorized_keys() { - local cacheDir local msAuthorizedKeys local userAuthorizedKeys + local cacheDir - cacheDir="$1" - msAuthorizedKeys="$2" - userAuthorizedKeys="$3" + msAuthorizedKeys="$1" + userAuthorizedKeys="$2" + cacheDir="$3" process_authorized_ids "$AUTHORIZED_USER_IDS" "$cacheDir" diff --git a/src/monkeysphere b/src/monkeysphere index aaeda11..5d865c9 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -35,8 +35,8 @@ Monkeysphere client tool. subcommands: update-known_hosts (k) [HOST]... update known_hosts file - update-authorized_keys (a) update authorized_keys file update-userids (u) [USERID]... add/update userid + update-authorized_keys (a) update authorized_keys file gen-ae-subkey (g) KEYID generate an 'ae' capable subkey help (h,?) this help @@ -170,7 +170,7 @@ case $COMMAND in userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$HOME"} # update authorized_keys - update_authorized_keys "$userKeysCacheDir" "$msAuthorizedKeys" "$userAuthorizedKeys" + update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$userKeysCacheDir" ;; 'update-userids'|'u') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index a109cf5..0ff06af 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -129,7 +129,6 @@ GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} KEYSERVER=${KEYSERVER:-subkeys.pgp.net} REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} -STAGING_AREA=${STAGING_AREA:-"$LIB"/stage} export GNUPGHOME @@ -150,8 +149,8 @@ case $COMMAND in log "----- user: $uname -----" AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" - cacheDir="$STAGING_AREA"/"$uname"/user_keys - msAuthorizedKeys="$STAGING_AREA"/"$uname"/authorized_keys + msAuthorizedKeys="$CACHE"/"$uname"/authorized_keys + cacheDir="$CACHE"/"$uname"/user_keys # make sure authorized_user_ids file exists if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then @@ -166,7 +165,7 @@ case $COMMAND in fi # update authorized_keys - update_authorized_keys "$cacheDir" "$msAuthorizedKeys" "$userAuthorizedKeys" + update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$cacheDir" done log "----- done. -----" @@ -199,9 +198,9 @@ case $COMMAND in failure "you must specify at least one userid." fi AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" - userKeysCacheDir="$STAGING_AREA"/"$uname"/user_keys + cacheDir="$CACHE"/"$uname"/user_keys for userID ; do - update_userid "$userID" "$userKeysCacheDir" + update_userid "$userID" "$cacheDir" done ;; -- cgit v1.2.3 From e4ce2240a682a57680e3d4d2d07757e631887d33 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 12 Jun 2008 10:30:05 -0400 Subject: added ssh2gpg to Makefile --- src/gpg2ssh/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/gpg2ssh/Makefile b/src/gpg2ssh/Makefile index a0b7241..65a5f0f 100644 --- a/src/gpg2ssh/Makefile +++ b/src/gpg2ssh/Makefile @@ -1,4 +1,4 @@ -all: monkeysphere gpg2ssh +all: monkeysphere gpg2ssh ssh2gpg monkeysphere: main.c gnutls-helpers.o gcc -g -Wall --pedantic -o monkeysphere main.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o @@ -13,6 +13,6 @@ ssh2gpg: ssh2gpg.c gnutls-helpers.o gcc -g -Wall --pedantic -o $@ -c $< clean: - rm -f monkeysphere gpg2ssh *.o + rm -f monkeysphere gpg2ssh ssh2gpg *.o .PHONY: clean all -- cgit v1.2.3 From 00719770b7608af0c37dfd6c14a04eb7ebc4cad0 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 12 Jun 2008 13:31:13 -0400 Subject: reorganizing to prepare for transition to openpgp2ssh. --- src/gpg2ssh/Makefile | 18 --- src/gpg2ssh/gnutls-helpers.c | 364 ------------------------------------------ src/gpg2ssh/gnutls-helpers.h | 72 --------- src/gpg2ssh/gpg2ssh.c | 293 ---------------------------------- src/gpg2ssh/main.c | 271 ------------------------------- src/gpg2ssh/ssh2gpg.c | 171 -------------------- src/keytrans/Makefile | 19 +++ src/keytrans/gnutls-helpers.c | 364 ++++++++++++++++++++++++++++++++++++++++++ src/keytrans/gnutls-helpers.h | 72 +++++++++ src/keytrans/gpg2ssh.c | 293 ++++++++++++++++++++++++++++++++++ src/keytrans/openpgp2ssh.c | 271 +++++++++++++++++++++++++++++++ src/keytrans/ssh2gpg.c | 171 ++++++++++++++++++++ 12 files changed, 1190 insertions(+), 1189 deletions(-) delete mode 100644 src/gpg2ssh/Makefile delete mode 100644 src/gpg2ssh/gnutls-helpers.c delete mode 100644 src/gpg2ssh/gnutls-helpers.h delete mode 100644 src/gpg2ssh/gpg2ssh.c delete mode 100644 src/gpg2ssh/main.c delete mode 100644 src/gpg2ssh/ssh2gpg.c create mode 100644 src/keytrans/Makefile create mode 100644 src/keytrans/gnutls-helpers.c create mode 100644 src/keytrans/gnutls-helpers.h create mode 100644 src/keytrans/gpg2ssh.c create mode 100644 src/keytrans/openpgp2ssh.c create mode 100644 src/keytrans/ssh2gpg.c (limited to 'src') diff --git a/src/gpg2ssh/Makefile b/src/gpg2ssh/Makefile deleted file mode 100644 index 65a5f0f..0000000 --- a/src/gpg2ssh/Makefile +++ /dev/null @@ -1,18 +0,0 @@ -all: monkeysphere gpg2ssh ssh2gpg - -monkeysphere: main.c gnutls-helpers.o - gcc -g -Wall --pedantic -o monkeysphere main.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o - -gpg2ssh: gpg2ssh.c gnutls-helpers.o - gcc -g -Wall --pedantic -o gpg2ssh gpg2ssh.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o - -ssh2gpg: ssh2gpg.c gnutls-helpers.o - gcc -g -Wall --pedantic -o ssh2gpg ssh2gpg.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o - -%.o: %.c - gcc -g -Wall --pedantic -o $@ -c $< - -clean: - rm -f monkeysphere gpg2ssh ssh2gpg *.o - -.PHONY: clean all diff --git a/src/gpg2ssh/gnutls-helpers.c b/src/gpg2ssh/gnutls-helpers.c deleted file mode 100644 index 6eae29e..0000000 --- a/src/gpg2ssh/gnutls-helpers.c +++ /dev/null @@ -1,364 +0,0 @@ -/* Author: Daniel Kahn Gillmor */ -/* Date: Fri, 04 Apr 2008 19:31:16 -0400 */ -/* License: GPL v3 or later */ - -#include "gnutls-helpers.h" -/* for htonl() */ -#include - -/* for setlocale() */ -#include - -/* for isalnum() */ -#include - -int loglevel = 0; - - -void err(const char* fmt, ...) { - va_list ap; - va_start(ap, fmt); - vfprintf(stderr, fmt, ap); - va_end(ap); - fflush(stderr); -} - -void logfunc(int level, const char* string) { - fprintf(stderr, "GnuTLS Logging (%d): %s\n", level, string); -} - -void init_keyid(gnutls_openpgp_keyid_t keyid) { - memset(keyid, 'x', sizeof(gnutls_openpgp_keyid_t)); -} - - - -void make_keyid_printable(printable_keyid out, gnutls_openpgp_keyid_t keyid) -{ - static const char hex[16] = "0123456789ABCDEF"; - unsigned int kix = 0, outix = 0; - - while (kix < sizeof(gnutls_openpgp_keyid_t)) { - out[outix] = hex[(keyid[kix] >> 4) & 0x0f]; - out[outix + 1] = hex[keyid[kix] & 0x0f]; - kix++; - outix += 2; - } -} - - -int init_gnutls() { - const char* version = NULL; - const char* debug_string = NULL; - int ret; - - if (ret = gnutls_global_init(), ret) { - err("Failed to do gnutls_global_init() (error: %d)\n", ret); - return 1; - } - - version = gnutls_check_version(NULL); - - if (version) - err("gnutls version: %s\n", version); - else { - err("no version found!\n"); - return 1; - } - - if (debug_string = getenv("MONKEYSPHERE_DEBUG"), debug_string) { - loglevel = atoi(debug_string); - gnutls_global_set_log_function(logfunc); - - gnutls_global_set_log_level(loglevel); - err("set log level to %d\n", loglevel); - } - return 0; -} - -void init_datum(gnutls_datum_t* d) { - d->data = NULL; - d->size = 0; -} -void copy_datum(gnutls_datum_t* dest, const gnutls_datum_t* src) { - dest->data = gnutls_realloc(dest->data, src->size); - dest->size = src->size; - memcpy(dest->data, src->data, src->size); -} -int compare_data(const gnutls_datum_t* a, const gnutls_datum_t* b) { - if (a->size > b->size) { - err("a is larger\n"); - return 1; - } - if (a->size < b->size) { - err("b is larger\n"); - return -1; - } - return memcmp(a->data, b->data, a->size); -} -void free_datum(gnutls_datum_t* d) { - gnutls_free(d->data); - d->data = NULL; - d->size = 0; -} - -/* read the passed-in string, store in a single datum */ -int set_datum_string(gnutls_datum_t* d, const char* s) { - unsigned int x = strlen(s)+1; - unsigned char* c = NULL; - - c = gnutls_realloc(d->data, x); - if (NULL == c) - return -1; - d->data = c; - d->size = x; - memcpy(d->data, s, x); - return 0; -} - -/* read the passed-in file descriptor until EOF, store in a single - datum */ -int set_datum_fd(gnutls_datum_t* d, int fd) { - unsigned int bufsize = 1024; - unsigned int len = 0; - - FILE* f = fdopen(fd, "r"); - if (bufsize > d->size) { - bufsize = 1024; - d->data = gnutls_realloc(d->data, bufsize); - if (d->data == NULL) { - err("out of memory!\n"); - return -1; - } - d->size = bufsize; - } else { - bufsize = d->size; - } - f = fdopen(fd, "r"); - if (NULL == f) { - err("could not fdopen FD %d\n", fd); - } - clearerr(f); - while (!feof(f) && !ferror(f)) { - if (len == bufsize) { - /* allocate more space by doubling: */ - bufsize *= 2; - d->data = gnutls_realloc(d->data, bufsize); - if (d->data == NULL) { - err("out of memory!\n"); - return -1; - }; - d->size = bufsize; - } - len += fread(d->data + len, 1, bufsize - len, f); - /* err("read %d bytes\n", len); */ - } - if (ferror(f)) { - err("Error reading from fd %d (error: %d) (error: %d '%s')\n", fd, ferror(f), errno, strerror(errno)); - return -1; - } - - /* touch up buffer size to match reality: */ - d->data = gnutls_realloc(d->data, len); - d->size = len; - return 0; -} - -/* read the file indicated (by name) in the fname parameter. store - its entire contents in a single datum. */ -int set_datum_file(gnutls_datum_t* d, const char* fname) { - struct stat sbuf; - unsigned char* c = NULL; - FILE* file = NULL; - size_t x = 0; - - if (0 != stat(fname, &sbuf)) { - err("failed to stat '%s'\n", fname); - return -1; - } - - c = gnutls_realloc(d->data, sbuf.st_size); - if (NULL == c) { - err("failed to allocate %d bytes for '%s'\n", sbuf.st_size, fname); - return -1; - } - - d->data = c; - d->size = sbuf.st_size; - file = fopen(fname, "r"); - if (NULL == file) { - err("failed to open '%s' for reading\n", fname); - return -1; - } - - x = fread(d->data, d->size, 1, file); - if (x != 1) { - err("tried to read %d bytes, read %d instead from '%s'\n", d->size, x, fname); - fclose(file); - return -1; - } - fclose(file); - return 0; -} - -int write_datum_fd(int fd, const gnutls_datum_t* d) { - if (d->size != write(fd, d->data, d->size)) { - err("failed to write body of datum.\n"); - return -1; - } - return 0; -} - - -int write_datum_fd_with_length(int fd, const gnutls_datum_t* d) { - uint32_t len; - int looks_negative = (d->data[0] & 0x80); - unsigned char zero = 0; - - /* if the first bit is 1, then the datum will appear negative in the - MPI encoding style used by OpenSSH. In that case, we'll increase - the length by one, and dump out one more byte */ - - if (looks_negative) { - len = htonl(d->size + 1); - } else { - len = htonl(d->size); - } - if (write(fd, &len, sizeof(len)) != sizeof(len)) { - err("failed to write size of datum.\n"); - return -2; - } - if (looks_negative) { - if (write(fd, &zero, 1) != 1) { - err("failed to write padding byte for MPI.\n"); - return -2; - } - } - return write_datum_fd(fd, d); -} - -int write_data_fd_with_length(int fd, const gnutls_datum_t** d, unsigned int num) { - unsigned int i; - int ret; - - for (i = 0; i < num; i++) - if (ret = write_datum_fd_with_length(fd, d[i]), ret != 0) - return ret; - - return 0; -} - - -int datum_from_string(gnutls_datum_t* d, const char* str) { - d->size = strlen(str); - d->data = gnutls_realloc(d->data, d->size); - if (d->data == 0) - return ENOMEM; - memcpy(d->data, str, d->size); - return 0; -} - - -int create_writing_pipe(pid_t* pid, const char* path, char* const argv[]) { - int p[2]; - int ret; - - if (pid == NULL) { - err("bad pointer passed to create_writing_pipe()\n"); - return -1; - } - - if (ret = pipe(p), ret == -1) { - err("failed to create a pipe (error: %d \"%s\")\n", errno, strerror(errno)); - return -1; - } - - *pid = fork(); - if (*pid == -1) { - err("Failed to fork (error: %d \"%s\")\n", errno, strerror(errno)); - return -1; - } - if (*pid == 0) { /* this is the child */ - close(p[1]); /* close unused write end */ - - if (0 != dup2(p[0], 0)) { /* map the reading end into stdin */ - err("Failed to transfer reading file descriptor to stdin (error: %d \"%s\")\n", errno, strerror(errno)); - exit(1); - } - execv(path, argv); - err("exec %s failed (error: %d \"%s\")\n", path, errno, strerror(errno)); - /* close the open file descriptors */ - close(p[0]); - close(0); - - exit(1); - } else { /* this is the parent */ - close(p[0]); /* close unused read end */ - return p[1]; - } -} - -int validate_ssh_host_userid(const char* userid) { - char* oldlocale = setlocale(LC_ALL, "C"); - - /* choke if userid does not match the expected format - ("ssh://fully.qualified.domain.name") */ - if (strncmp("ssh://", userid, strlen("ssh://")) != 0) { - err("The user ID should start with ssh:// for a host key\n"); - goto fail; - } - /* so that isalnum will work properly */ - userid += strlen("ssh://"); - while (0 != (*userid)) { - if (!isalnum(*userid)) { - err("label did not start with a letter or a digit! (%s)\n", userid); - goto fail; - } - userid++; - while (isalnum(*userid) || ('-' == (*userid))) - userid++; - if (('.' == (*userid)) || (0 == (*userid))) { /* clean end of label: - check last char - isalnum */ - if (!isalnum(*(userid - 1))) { - err("label did not end with a letter or a digit!\n"); - goto fail; - } - if ('.' == (*userid)) /* advance to the start of the next label */ - userid++; - } else { - err("invalid character in domain name: %c\n", *userid); - goto fail; - } - } - /* ensure that the last character is valid: */ - if (!isalnum(*(userid - 1))) { - err("hostname did not end with a letter or a digit!\n"); - goto fail; - } - /* FIXME: fqdn's can be unicode now, thanks to RFC 3490 -- how do we - make sure that we've got an OK string? */ - - return 0; - - fail: - setlocale(LC_ALL, oldlocale); - return 1; -} - -/* http://tools.ietf.org/html/rfc4880#section-5.5.2 */ -size_t get_openpgp_mpi_size(gnutls_datum_t* d) { - return 2 + d->size; -} - -int write_openpgp_mpi_to_fd(int fd, gnutls_datum_t* d) { - uint16_t x; - - x = d->size * 8; - x = htons(x); - - write(fd, &x, sizeof(x)); - write(fd, d->data, d->size); - - return 0; -} diff --git a/src/gpg2ssh/gnutls-helpers.h b/src/gpg2ssh/gnutls-helpers.h deleted file mode 100644 index 9ea22a3..0000000 --- a/src/gpg2ssh/gnutls-helpers.h +++ /dev/null @@ -1,72 +0,0 @@ -/* Author: Daniel Kahn Gillmor */ -/* Date: Fri, 04 Apr 2008 19:31:16 -0400 */ -/* License: GPL v3 or later */ - - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -/* Functions to help dealing with GnuTLS for monkeysphere key - translation projects: */ - -/* set everything up, including logging levels. Return 0 on - success */ -int init_gnutls(); - -/* logging and output functions: */ - -void err(const char* fmt, ...); -void logfunc(int level, const char* string); - -/* basic datum manipulations: */ - -void init_datum(gnutls_datum_t* d); -void copy_datum(gnutls_datum_t* dest, const gnutls_datum_t* src); -int compare_data(const gnutls_datum_t* a, const gnutls_datum_t* b); -void free_datum(gnutls_datum_t* d); -int write_datum_fd(int fd, const gnutls_datum_t* d); -int write_datum_fd_with_length(int fd, const gnutls_datum_t* d); -int write_data_fd_with_length(int fd, const gnutls_datum_t** d, unsigned int num); - -/* set up a datum from a null-terminated string */ -int datum_from_string(gnutls_datum_t* d, const char* str); - -/* keyid manipulations: */ -typedef unsigned char printable_keyid[16]; - -void init_keyid(gnutls_openpgp_keyid_t keyid); -void make_keyid_printable(printable_keyid out, gnutls_openpgp_keyid_t keyid); - -/* functions to get data into datum objects: */ - -/* read the passed-in string, store in a single datum */ -int set_datum_string(gnutls_datum_t* d, const char* s); - -/* read the passed-in file descriptor until EOF, store in a single - datum */ -int set_datum_fd(gnutls_datum_t* d, int fd); - -/* read the file indicated (by name) in the fname parameter. store - its entire contents in a single datum. */ -int set_datum_file(gnutls_datum_t* d, const char* fname); - -/* set up file descriptor pipe for writing (child process pid gets - stored in pid, fd is returned)*/ -int create_writing_pipe(pid_t* pid, const char* path, char* const argv[]); - -/* return 0 if userid matches the monkeysphere spec for ssh host user IDs */ -int validate_ssh_host_userid(const char* userid); - -/* how many bytes will it take to write out this datum in OpenPGP MPI form? */ -size_t get_openpgp_mpi_size(gnutls_datum_t* d); - -/* write the MPI stored in gnutls_datum_t to file descriptor fd: */ -int write_openpgp_mpi_to_fd(int fd, gnutls_datum_t* d); diff --git a/src/gpg2ssh/gpg2ssh.c b/src/gpg2ssh/gpg2ssh.c deleted file mode 100644 index c99f03f..0000000 --- a/src/gpg2ssh/gpg2ssh.c +++ /dev/null @@ -1,293 +0,0 @@ -#include "gnutls-helpers.h" - -#include -#include - -/* for waitpid() */ -#include -#include - -/* - Author: Daniel Kahn Gillmor - Date: Tue, 08 Apr 2008 - License: GPL v3 or later - - monkeysphere public key translator: execute this with an GPG - certificate (public key(s) + userid(s)) on stdin. It currently - only works with RSA keys. - - It will spit out a version of the first key capable of being used - for authentication on stdout. The output format should be suitable - for appending a known_hosts file. - - Requirements: I've only built this so far with GnuTLS v2.3.4 -- - version 2.2.0 does not contain the appropriate pieces. - - */ - -int main(int argc, char* argv[]) { - gnutls_datum_t data; - int ret; - gnutls_openpgp_crt_t openpgp_crt; - gnutls_openpgp_keyid_t keyid; - printable_keyid p_keyid; - unsigned int keyidx; - unsigned int usage, bits; - gnutls_pk_algorithm_t algo; - - gnutls_datum_t m, e, p, q, g, y; - gnutls_datum_t algolabel; - - char output_data[10240]; - char userid[10240]; - size_t uidsz = sizeof(userid); - - const gnutls_datum_t* all[5]; - int pipefd; - pid_t child_pid; - char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL}; - const char* algoname; - int mpicount; - int pipestatus; - - init_gnutls(); - - init_datum(&data); - - init_datum(&m); - init_datum(&e); - init_datum(&p); - init_datum(&q); - init_datum(&g); - init_datum(&y); - - init_datum(&algolabel); - - init_keyid(keyid); - - /* slurp in the private key from stdin */ - if (ret = set_datum_fd(&data, 0), ret) { - err("didn't read file descriptor 0\n"); - return 1; - } - - - if (ret = gnutls_openpgp_crt_init(&openpgp_crt), ret) { - err("Failed to initialize OpenPGP certificate (error: %d)\n", ret); - return 1; - } - - /* format could be either: GNUTLS_OPENPGP_FMT_RAW, - GNUTLS_OPENPGP_FMT_BASE64; if MONKEYSPHERE_RAW is set, use RAW, - otherwise, use BASE64: */ - - /* FIXME: we should be auto-detecting the input format, and - translating it as needed. */ - - if (getenv("MONKEYSPHERE_RAW")) { - err("assuming RAW formatted certificate\n"); - if (ret = gnutls_openpgp_crt_import(openpgp_crt, &data, GNUTLS_OPENPGP_FMT_RAW), ret) { - err("failed to import the OpenPGP certificate in RAW format (error: %d)\n", ret); - return ret; - } - } else { - err("assuming BASE64 formatted certificate\n"); - if (ret = gnutls_openpgp_crt_import (openpgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64), ret) { - err("failed to import the OpenPGP certificate in BASE64 format (error: %d)\n", ret); - return ret; - } - } - - if (gnutls_openpgp_crt_get_revoked_status(openpgp_crt)) { - err("the primary key was revoked!\n"); - return 1; - } - - /* FIXME: We're currently looking at the primary key or maybe the - first authentication-capable subkey. - - Instead, we should be iterating through the primary key and all - subkeys: for each one with the authentication usage flag set of a - algorithm we can handle, we should output matching UserIDs and - the SSH version of the key. */ - - - if (ret = gnutls_openpgp_crt_get_key_usage(openpgp_crt, &usage), ret) { - err("failed to get the usage flags for the primary key (error: %d)\n", ret); - return ret; - } - if (usage & GNUTLS_KEY_KEY_AGREEMENT && - usage & GNUTLS_KEY_KEY_ENCIPHERMENT) { - err("the primary key can be used for authentication and communication encryption!\n"); - - algo = gnutls_openpgp_crt_get_pk_algorithm(openpgp_crt, &bits); - if (algo < 0) { - err("failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo); - return algo; - } else if (algo == GNUTLS_PK_RSA) { - - err("OpenPGP RSA certificate, with %d bits\n", bits); - ret = gnutls_openpgp_crt_get_pk_rsa_raw(openpgp_crt, &m, &e); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export RSA key parameters (error: %d)\n", ret); - return 1; - } - } else if (algo == GNUTLS_PK_DSA) { - err("OpenPGP DSA Key, with %d bits\n", bits); - ret = gnutls_openpgp_crt_get_pk_dsa_raw(openpgp_crt, &p, &q, &g, &y); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export DSA key parameters (error: %d)\n", ret); - return 1; - } - } else { - err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo); - return 1; - } - - } else { - err("primary key is not good for authentication and communication encryption. Trying subkeys...\n"); - - if (ret = gnutls_openpgp_crt_get_auth_subkey(openpgp_crt, keyid, 0), ret) { - err("failed to find a subkey capable of authentication and communication encryption (error: %d)\n", ret); - return ret; - } - make_keyid_printable(p_keyid, keyid); - err("found authentication subkey %.16s\n", p_keyid); - - ret = gnutls_openpgp_crt_get_subkey_idx(openpgp_crt, keyid); - if (ret < 0) { - err("could not get the index of subkey %.16s (error: %d)\n", ret); - return ret; - } - keyidx = ret; - - if (gnutls_openpgp_crt_get_subkey_revoked_status(openpgp_crt, keyidx)) { - err("The authentication subkey was revoked!\n"); - return 1; - } - - if (ret = gnutls_openpgp_crt_get_subkey_usage(openpgp_crt, keyidx, &usage), ret) { - err("could not figure out usage of subkey %.16s (error: %d)\n", p_keyid, ret); - return ret; - } - if ((usage & GNUTLS_KEY_KEY_AGREEMENT) == 0 && - usage & GNUTLS_KEY_KEY_ENCIPHERMENT) { - err("could not find a subkey with authentication and communication encryption.\n"); - return 1; - } - - /* switch, based on the algorithm in question, to extract the MPI - components: */ - - algo = gnutls_openpgp_crt_get_subkey_pk_algorithm(openpgp_crt, keyidx, &bits); - if (algo < 0) { - err("failed to get the algorithm of the authentication subkey (error: %d)\n", algo); - return algo; - } else if (algo == GNUTLS_PK_RSA) { - - err("OpenPGP RSA subkey, with %d bits\n", bits); - ret = gnutls_openpgp_crt_get_subkey_pk_rsa_raw(openpgp_crt, keyidx, &m, &e); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export RSA subkey parameters (error: %d)\n", ret); - return 1; - } - } else if (algo == GNUTLS_PK_DSA) { - err("OpenPGP DSA subkey, with %d bits\n", bits); - ret = gnutls_openpgp_crt_get_subkey_pk_dsa_raw(openpgp_crt, keyidx, &p, &q, &g, &y); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export DSA subkey parameters (error: %d)\n", ret); - return 1; - } - } else { - err("OpenPGP subkey was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo); - return 1; - } - } - - /* make sure userid is NULL-terminated */ - userid[sizeof(userid) - 1] = 0; - uidsz--; - - /* FIXME: we're just choosing the first UserID from the certificate: - instead, we should be selecting every User ID that is adequately - signed and matches the spec, and aggregating them with commas for - known_hosts output */ - - if (ret = gnutls_openpgp_crt_get_name(openpgp_crt, 0, userid, &uidsz), ret) { - err("Failed to fetch the first UserID (error: %d)\n", ret); - return ret; - } - - if (ret = validate_ssh_host_userid(userid), ret) { - err("bad userid: not a valid ssh host.\n"); - return ret; - } - - /* remove ssh:// from the beginning of userid */ - memmove(userid, userid + strlen("ssh://"), 1 + strlen(userid) - strlen("ssh://")); - - - /* now we have algo, and the various MPI data are set. Can we - export them cleanly? */ - - /* for the moment, we'll just dump the info raw, and pipe it - externally through coreutils' /usr/bin/base64 */ - - if (algo == GNUTLS_PK_RSA) { - algoname = "ssh-rsa"; - mpicount = 3; - - all[0] = &algolabel; - all[1] = &e; - all[2] = &m; - } else if (algo == GNUTLS_PK_DSA) { - algoname = "ssh-dss"; - mpicount = 5; - - all[0] = &algolabel; - all[1] = &p; - all[2] = &q; - all[3] = &g; - all[4] = &y; - } else { - err("no idea what this algorithm is: %d\n", algo); - return 1; - } - - if (ret = datum_from_string(&algolabel, algoname), ret) { - err("couldn't label string (error: %d)\n", ret); - return ret; - } - - snprintf(output_data, sizeof(output_data), "%s %s ", userid, algoname); - - pipefd = create_writing_pipe(&child_pid, args[0], args); - if (pipefd < 0) { - err("failed to create a writing pipe (returned %d)\n", pipefd); - return pipefd; - } - - write(1, output_data, strlen(output_data)); - - if (0 != write_data_fd_with_length(pipefd, all, mpicount)) { - err("was not able to write out RSA key data\n"); - return 1; - } - close(pipefd); - if (child_pid != waitpid(child_pid, &pipestatus, 0)) { - err("could not wait for child process to return for some reason.\n"); - return 1; - } - if (pipestatus != 0) { - err("base64 pipe died with return code %d\n", pipestatus); - return pipestatus; - } - - write(1, "\n", 1); - - - - gnutls_openpgp_crt_deinit(openpgp_crt); - gnutls_global_deinit(); - return 0; -} diff --git a/src/gpg2ssh/main.c b/src/gpg2ssh/main.c deleted file mode 100644 index d6bac68..0000000 --- a/src/gpg2ssh/main.c +++ /dev/null @@ -1,271 +0,0 @@ -#include "gnutls-helpers.h" - -#include -#include - -/* - Author: Daniel Kahn Gillmor - Date: Tue, 01 Apr 2008 - License: GPL v3 or later - - monkeysphere private key translator: execute this with an GPG - secret key on stdin (at the moment, only passphraseless RSA keys - work). - - It will spit out a PEM-encoded version of the key on stdout, which - can be fed into ssh-add like this: - - gpg --export-secret-keys $KEYID | monkeysphere | ssh-add -c /dev/stdin - - Requirements: I've only built this so far with GnuTLS v2.3.4 -- - version 2.2.0 does not contain the appropriate pieces. - - Notes: gpgkey2ssh doesn't seem to provide the same public - keys. Mighty weird! - -0 wt215@squeak:~/monkeysphere$ gpg --export-secret-keys 1DCDF89F | ~dkg/src/monkeysphere/monkeysphere | ssh-add -c /dev/stdin -gnutls version: 2.3.4 -OpenPGP RSA Key, with 1024 bits -Identity added: /dev/stdin (/dev/stdin) -The user has to confirm each use of the key -0 wt215@squeak:~/monkeysphere$ ssh-add -L -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC9gWQqfrnhQKDQnND/3eOexpddE64J+1zp9fcyCje7H5LKclb6DBV2HS6WgW32PJhIzvP+fYZM3dzXea3fpv14y1SicXiRBDgF9SnsNA1qWn2RyzkLcKy7PmM0PDYtU1oiLTcQj/xkWcqW2sLKHT/WW+vZP5XP7RMGN/yWNMfE2Q== /dev/stdin -0 wt215@squeak:~/monkeysphere$ gpgkey2ssh 1DCDF89F -ssh-rsa AAAAB3NzaC1yc2EAAACBAL2BZCp+ueFAoNCc0P/d457Gl10Trgn7XOn19zIKN7sfkspyVvoMFXYdLpaBbfY8mEjO8/59hkzd3Nd5rd+m/XjLVKJxeJEEOAX1Kew0DWpafZHLOQtwrLs+YzQ8Ni1TWiItNxCP/GRZypbawsodP9Zb69k/lc/tEwY3/JY0x8TZAAAAAwEAAQ== COMMENT -0 wt215@squeak:~/monkeysphere$ - - */ - - -int convert_pgp_to_x509(gnutls_x509_privkey_t* output, gnutls_datum_t* input) { - gnutls_openpgp_privkey_t pgp_privkey; - gnutls_datum_t m, e, d, p, q, u, g, y, x; - gnutls_pk_algorithm_t pgp_algo; - unsigned int pgp_bits; - int ret; - - init_datum(&m); - init_datum(&e); - init_datum(&d); - init_datum(&p); - init_datum(&q); - init_datum(&u); - init_datum(&g); - init_datum(&y); - init_datum(&x); - - if (ret = gnutls_openpgp_privkey_init(&pgp_privkey), ret) { - err("Failed to initialized OpenPGP private key (error: %d)\n", ret); - return 1; - } - - - /* format could be either: GNUTLS_OPENPGP_FMT_RAW, - GNUTLS_OPENPGP_FMT_BASE64; if MONKEYSPHERE_RAW is set, use RAW, - otherwise, use BASE64: */ - - if (getenv("MONKEYSPHERE_RAW")) { - err("assuming RAW formatted private keys\n"); - if (ret = gnutls_openpgp_privkey_import(pgp_privkey, input, GNUTLS_OPENPGP_FMT_RAW, NULL, 0), ret) - err("failed to import the OpenPGP private key in RAW format (error: %d)\n", ret); - } else { - err("assuming BASE64 formatted private keys\n"); - if (ret = gnutls_openpgp_privkey_import (pgp_privkey, input, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0), ret) - err("failed to import the OpenPGP private key in BASE64 format (error: %d)\n", ret); - } - - pgp_algo = gnutls_openpgp_privkey_get_pk_algorithm(pgp_privkey, &pgp_bits); - if (pgp_algo < 0) { - err("failed to get OpenPGP key algorithm (error: %d)\n", pgp_algo); - return 1; - } - if (pgp_algo == GNUTLS_PK_RSA) { - err("OpenPGP RSA Key, with %d bits\n", pgp_bits); - ret = gnutls_openpgp_privkey_export_rsa_raw(pgp_privkey, &m, &e, &d, &p, &q, &u); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export RSA key parameters (error: %d)\n", ret); - return 1; - } - - ret = gnutls_x509_privkey_import_rsa_raw (*output, &m, &e, &d, &p, &q, &u); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to import RSA key parameters (error: %d)\n", ret); - return 1; - } - } else if (pgp_algo == GNUTLS_PK_DSA) { - err("OpenPGP DSA Key, with %d bits\n", pgp_bits); - ret = gnutls_openpgp_privkey_export_dsa_raw(pgp_privkey, &p, &q, &g, &y, &x); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export DSA key parameters (error: %d)\n", ret); - return 1; - } - - ret = gnutls_x509_privkey_import_dsa_raw (*output, &p, &q, &g, &y, &x); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to import DSA key parameters (error: %d)\n", ret); - return 1; - } - } else { - err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", pgp_algo); - return 1; - } - - ret = gnutls_x509_privkey_fix(*output); - if (ret != 0) { - err("failed to fix up the private key in X.509 format (error: %d)\n", ret); - return 1; - } - - gnutls_openpgp_privkey_deinit(pgp_privkey); - return 0; -} - -int convert_x509_to_pgp(gnutls_openpgp_privkey_t* output, gnutls_datum_t* input) { - gnutls_x509_privkey_t x509_privkey; - gnutls_datum_t m, e, d, p, q, u, g, y, x; - gnutls_pk_algorithm_t x509_algo; - int ret; - - init_datum(&m); - init_datum(&e); - init_datum(&d); - init_datum(&p); - init_datum(&q); - init_datum(&u); - init_datum(&g); - init_datum(&y); - init_datum(&x); - - if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { - err("Failed to initialized X.509 private key (error: %d)\n", ret); - return 1; - } - - - /* format could be either: GNUTLS_X509_FMT_DER, - GNUTLS_X509_FMT_PEM; if MONKEYSPHERE_DER is set, use DER, - otherwise, use PEM: */ - - if (getenv("MONKEYSPHERE_DER")) { - err("assuming DER formatted private keys\n"); - if (ret = gnutls_x509_privkey_import(x509_privkey, input, GNUTLS_X509_FMT_DER), ret) - err("failed to import the X.509 private key in DER format (error: %d)\n", ret); - } else { - err("assuming PEM formatted private keys\n"); - if (ret = gnutls_x509_privkey_import (x509_privkey, input, GNUTLS_X509_FMT_PEM), ret) - err("failed to import the X.509 private key in PEM format (error: %d)\n", ret); - } - - x509_algo = gnutls_x509_privkey_get_pk_algorithm(x509_privkey); - if (x509_algo < 0) { - err("failed to get X.509 key algorithm (error: %d)\n", x509_algo); - return 1; - } - if (x509_algo == GNUTLS_PK_RSA) { - err("X.509 RSA Key\n"); - ret = gnutls_x509_privkey_export_rsa_raw(x509_privkey, &m, &e, &d, &p, &q, &u); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export RSA key parameters (error: %d)\n", ret); - return 1; - } - - /* ret = gnutls_openpgp_privkey_import_rsa_raw (*output, &m, &e, &d, &p, &q, &u); */ - ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to import RSA key parameters (error: %d)\n", ret); - return 1; - } - } else if (x509_algo == GNUTLS_PK_DSA) { - err("X.509 DSA Key\n"); - ret = gnutls_x509_privkey_export_dsa_raw(x509_privkey, &p, &q, &g, &y, &x); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export DSA key parameters (error: %d)\n", ret); - return 1; - } - - /* ret = gnutls_openpgp_privkey_import_dsa_raw (*output, &p, &q, &g, &y, &x); */ - ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to import DSA key parameters (error: %d)\n", ret); - return 1; - } - } else { - err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", x509_algo); - return 1; - } - - gnutls_x509_privkey_deinit(x509_privkey); - return 0; -} - - -int main(int argc, char* argv[]) { - gnutls_datum_t data; - int ret; - gnutls_x509_privkey_t x509_privkey; - - char output_data[10240]; - size_t ods = sizeof(output_data); - - init_gnutls(); - - init_datum(&data); - - /* slurp in the private key from stdin */ - if (ret = set_datum_fd(&data, 0), ret) { - err("didn't read file descriptor 0\n"); - return 1; - } - - - - /* Or, instead, read in key from a file name: - if (ret = set_datum_file(&data, argv[1]), ret) { - err("didn't read file '%s'\n", argv[1]); - return 1; - } -*/ - - /* treat the passed file as an X.509 private key, and extract its - component values: */ - -/* if (ret = gnutls_x509_privkey_import(x509_privkey, &data, GNUTLS_X509_FMT_PEM), ret) { */ -/* err("Failed to import the X.509 key (error: %d)\n", ret); */ -/* return 1; */ -/* } */ -/* gnutls_x509_privkey_export_rsa_raw(x509_privkey, &m, &e, &d, &p, &q, &u); */ - - /* try to print the PEM-encoded private key: */ -/* ret = gnutls_x509_privkey_export (x509_privkey, */ -/* GNUTLS_X509_FMT_PEM, */ -/* output_data, */ -/* &ods); */ -/* printf("ret: %u; ods: %u;\n", ret, ods); */ -/* if (ret == 0) { */ -/* write(0, output_data, ods); */ -/* } */ - - - if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { - err("Failed to initialize X.509 private key (error: %d)\n", ret); - return 1; - } - - if (ret = convert_pgp_to_x509(&x509_privkey, &data), ret) { - return ret; - } - - ret = gnutls_x509_privkey_export (x509_privkey, - GNUTLS_X509_FMT_PEM, - output_data, - &ods); - printf("ret: %u; ods: %u;\n", ret, ods); - if (ret == 0) { - write(1, output_data, ods); - } - - - gnutls_x509_privkey_deinit(x509_privkey); - gnutls_global_deinit(); - return 0; -} diff --git a/src/gpg2ssh/ssh2gpg.c b/src/gpg2ssh/ssh2gpg.c deleted file mode 100644 index b14a540..0000000 --- a/src/gpg2ssh/ssh2gpg.c +++ /dev/null @@ -1,171 +0,0 @@ -#include "gnutls-helpers.h" - -#include -#include - -/* for waitpid() */ -#include -#include - -/* for time() */ -#include - -/* for htons() */ -#include - - -/* - Author: Daniel Kahn Gillmor - Date: Sun, 2008-04-20 - License: GPL v3 or later - - monkeysphere public key translator: execute this with an ssh - private key on stdin. It currently only works with RSA keys. - - it should eventually work with OpenSSH-style public keys instead of - the full private key, but it was easier to do this way. - - It shoud spit out a version of the public key suitable for acting - as an OpenPGP public sub key packet. - - */ - -int main(int argc, char* argv[]) { - gnutls_datum_t data; - int ret; - gnutls_x509_privkey_t x509_privkey; - gnutls_openpgp_crt_t openpgp_crt; - gnutls_openpgp_keyid_t keyid; - printable_keyid p_keyid; - unsigned int keyidx; - unsigned int usage, bits; - gnutls_pk_algorithm_t algo; - - unsigned char packettag; - unsigned char openpgpversion; - time_t timestamp; - uint32_t clunkytime; - unsigned char openpgpalgo; - unsigned int packetlen; - uint16_t plen; - - gnutls_datum_t m, e, d, p, q, u, g, y; - gnutls_datum_t algolabel; - - char output_data[10240]; - char userid[10240]; - size_t uidsz = sizeof(userid); - - const gnutls_datum_t* all[5]; - int pipefd; - pid_t child_pid; - char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL}; - const char* algoname; - int mpicount; - int pipestatus; - - init_gnutls(); - - init_datum(&data); - - init_datum(&m); - init_datum(&e); - init_datum(&d); - init_datum(&p); - init_datum(&q); - init_datum(&u); - init_datum(&g); - init_datum(&y); - - init_datum(&algolabel); - - init_keyid(keyid); - - /* slurp in the private key from stdin */ - if (ret = set_datum_fd(&data, 0), ret) { - err("didn't read file descriptor 0\n"); - return 1; - } - - - if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { - err("Failed to initialize private key structure (error: %d)\n", ret); - return 1; - } - - err("assuming PEM formatted private key\n"); - if (ret = gnutls_x509_privkey_import(x509_privkey, &data, GNUTLS_X509_FMT_PEM), ret) { - err("failed to import the PEM-encoded private key (error: %d)\n", ret); - return ret; - } - - algo = gnutls_x509_privkey_get_pk_algorithm(x509_privkey); - if (algo < 0) { - err("failed to get the algorithm of the PEM-encoded public key (error: %d)\n", algo); - return algo; - } else if (algo == GNUTLS_PK_RSA) { - err("RSA private key\n"); - ret = gnutls_x509_privkey_export_rsa_raw(x509_privkey, &m, &e, &d, &p, &q, &u); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export RSA key parameters (error: %d)\n", ret); - return 1; - } - err("Modulus size %d, exponent size %d\n", m.size, e.size); - } else if (algo == GNUTLS_PK_DSA) { - err("DSA Key, not implemented!!\n", bits); - return 1; - } else { - err("Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo); - return 1; - } - - /* now we have algo, and the various MPI data are set. Can we - export them as a public subkey packet? */ - - /* this packet should be tagged 14, and should contain: - - 1 octet: version (4) - 4 octets: time of generation (seconds since 1970) - 1 octet: algo (http://tools.ietf.org/html/rfc4880#section-5.5.2 implies 1 for RSA) - - MPI: modulus - MPI: exponent - */ - - packetlen = 1 + 4 + 1; - /* FIXME: this is RSA only. for DSA, there'll be more: */ - packetlen += get_openpgp_mpi_size(&m) + get_openpgp_mpi_size(&e); - - /* FIXME: we should generate this bound more cleanly -- i just - happen to know that 65535 is 2^16-1: */ - if (packetlen > 65535) { - err("packet length is too long (%d)\n", packetlen); - return 1; - } - - /* we're going to emit an old-style packet, with tag 14 (public - subkey), with a two-octet packet length */ - packettag = 0x80 | (14 << 2) | 1; - - write(1, &packettag, sizeof(packettag)); - plen = htons(packetlen); - write(1, &plen, sizeof(plen)); - - openpgpversion = 4; - write(1, &openpgpversion, 1); - - timestamp = time(NULL); - clunkytime = htonl(timestamp); - write(1, &clunkytime, 4); - - /* FIXME: handle things other than RSA */ - openpgpalgo = 1; - write(1, &openpgpalgo, 1); - - write_openpgp_mpi_to_fd(1, &m); - write_openpgp_mpi_to_fd(1, &e); - - gnutls_x509_privkey_deinit(x509_privkey); - gnutls_global_deinit(); - return 0; -} diff --git a/src/keytrans/Makefile b/src/keytrans/Makefile new file mode 100644 index 0000000..fdd4ccd --- /dev/null +++ b/src/keytrans/Makefile @@ -0,0 +1,19 @@ +all: openpgp2ssh + +openpgp2ssh: openpgp2ssh.c gnutls-helpers.o + gcc -g -Wall --pedantic -o openpgp2ssh openpgp2ssh.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o + +%.o: %.c + gcc -g -Wall --pedantic -o $@ -c $< + +clean: + rm -f openpgp2ssh gpg2ssh ssh2gpg *.o + +# deprecated: +gpg2ssh: gpg2ssh.c gnutls-helpers.o + gcc -g -Wall --pedantic -o gpg2ssh gpg2ssh.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o + +ssh2gpg: ssh2gpg.c gnutls-helpers.o + gcc -g -Wall --pedantic -o ssh2gpg ssh2gpg.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o + +.PHONY: clean all diff --git a/src/keytrans/gnutls-helpers.c b/src/keytrans/gnutls-helpers.c new file mode 100644 index 0000000..6eae29e --- /dev/null +++ b/src/keytrans/gnutls-helpers.c @@ -0,0 +1,364 @@ +/* Author: Daniel Kahn Gillmor */ +/* Date: Fri, 04 Apr 2008 19:31:16 -0400 */ +/* License: GPL v3 or later */ + +#include "gnutls-helpers.h" +/* for htonl() */ +#include + +/* for setlocale() */ +#include + +/* for isalnum() */ +#include + +int loglevel = 0; + + +void err(const char* fmt, ...) { + va_list ap; + va_start(ap, fmt); + vfprintf(stderr, fmt, ap); + va_end(ap); + fflush(stderr); +} + +void logfunc(int level, const char* string) { + fprintf(stderr, "GnuTLS Logging (%d): %s\n", level, string); +} + +void init_keyid(gnutls_openpgp_keyid_t keyid) { + memset(keyid, 'x', sizeof(gnutls_openpgp_keyid_t)); +} + + + +void make_keyid_printable(printable_keyid out, gnutls_openpgp_keyid_t keyid) +{ + static const char hex[16] = "0123456789ABCDEF"; + unsigned int kix = 0, outix = 0; + + while (kix < sizeof(gnutls_openpgp_keyid_t)) { + out[outix] = hex[(keyid[kix] >> 4) & 0x0f]; + out[outix + 1] = hex[keyid[kix] & 0x0f]; + kix++; + outix += 2; + } +} + + +int init_gnutls() { + const char* version = NULL; + const char* debug_string = NULL; + int ret; + + if (ret = gnutls_global_init(), ret) { + err("Failed to do gnutls_global_init() (error: %d)\n", ret); + return 1; + } + + version = gnutls_check_version(NULL); + + if (version) + err("gnutls version: %s\n", version); + else { + err("no version found!\n"); + return 1; + } + + if (debug_string = getenv("MONKEYSPHERE_DEBUG"), debug_string) { + loglevel = atoi(debug_string); + gnutls_global_set_log_function(logfunc); + + gnutls_global_set_log_level(loglevel); + err("set log level to %d\n", loglevel); + } + return 0; +} + +void init_datum(gnutls_datum_t* d) { + d->data = NULL; + d->size = 0; +} +void copy_datum(gnutls_datum_t* dest, const gnutls_datum_t* src) { + dest->data = gnutls_realloc(dest->data, src->size); + dest->size = src->size; + memcpy(dest->data, src->data, src->size); +} +int compare_data(const gnutls_datum_t* a, const gnutls_datum_t* b) { + if (a->size > b->size) { + err("a is larger\n"); + return 1; + } + if (a->size < b->size) { + err("b is larger\n"); + return -1; + } + return memcmp(a->data, b->data, a->size); +} +void free_datum(gnutls_datum_t* d) { + gnutls_free(d->data); + d->data = NULL; + d->size = 0; +} + +/* read the passed-in string, store in a single datum */ +int set_datum_string(gnutls_datum_t* d, const char* s) { + unsigned int x = strlen(s)+1; + unsigned char* c = NULL; + + c = gnutls_realloc(d->data, x); + if (NULL == c) + return -1; + d->data = c; + d->size = x; + memcpy(d->data, s, x); + return 0; +} + +/* read the passed-in file descriptor until EOF, store in a single + datum */ +int set_datum_fd(gnutls_datum_t* d, int fd) { + unsigned int bufsize = 1024; + unsigned int len = 0; + + FILE* f = fdopen(fd, "r"); + if (bufsize > d->size) { + bufsize = 1024; + d->data = gnutls_realloc(d->data, bufsize); + if (d->data == NULL) { + err("out of memory!\n"); + return -1; + } + d->size = bufsize; + } else { + bufsize = d->size; + } + f = fdopen(fd, "r"); + if (NULL == f) { + err("could not fdopen FD %d\n", fd); + } + clearerr(f); + while (!feof(f) && !ferror(f)) { + if (len == bufsize) { + /* allocate more space by doubling: */ + bufsize *= 2; + d->data = gnutls_realloc(d->data, bufsize); + if (d->data == NULL) { + err("out of memory!\n"); + return -1; + }; + d->size = bufsize; + } + len += fread(d->data + len, 1, bufsize - len, f); + /* err("read %d bytes\n", len); */ + } + if (ferror(f)) { + err("Error reading from fd %d (error: %d) (error: %d '%s')\n", fd, ferror(f), errno, strerror(errno)); + return -1; + } + + /* touch up buffer size to match reality: */ + d->data = gnutls_realloc(d->data, len); + d->size = len; + return 0; +} + +/* read the file indicated (by name) in the fname parameter. store + its entire contents in a single datum. */ +int set_datum_file(gnutls_datum_t* d, const char* fname) { + struct stat sbuf; + unsigned char* c = NULL; + FILE* file = NULL; + size_t x = 0; + + if (0 != stat(fname, &sbuf)) { + err("failed to stat '%s'\n", fname); + return -1; + } + + c = gnutls_realloc(d->data, sbuf.st_size); + if (NULL == c) { + err("failed to allocate %d bytes for '%s'\n", sbuf.st_size, fname); + return -1; + } + + d->data = c; + d->size = sbuf.st_size; + file = fopen(fname, "r"); + if (NULL == file) { + err("failed to open '%s' for reading\n", fname); + return -1; + } + + x = fread(d->data, d->size, 1, file); + if (x != 1) { + err("tried to read %d bytes, read %d instead from '%s'\n", d->size, x, fname); + fclose(file); + return -1; + } + fclose(file); + return 0; +} + +int write_datum_fd(int fd, const gnutls_datum_t* d) { + if (d->size != write(fd, d->data, d->size)) { + err("failed to write body of datum.\n"); + return -1; + } + return 0; +} + + +int write_datum_fd_with_length(int fd, const gnutls_datum_t* d) { + uint32_t len; + int looks_negative = (d->data[0] & 0x80); + unsigned char zero = 0; + + /* if the first bit is 1, then the datum will appear negative in the + MPI encoding style used by OpenSSH. In that case, we'll increase + the length by one, and dump out one more byte */ + + if (looks_negative) { + len = htonl(d->size + 1); + } else { + len = htonl(d->size); + } + if (write(fd, &len, sizeof(len)) != sizeof(len)) { + err("failed to write size of datum.\n"); + return -2; + } + if (looks_negative) { + if (write(fd, &zero, 1) != 1) { + err("failed to write padding byte for MPI.\n"); + return -2; + } + } + return write_datum_fd(fd, d); +} + +int write_data_fd_with_length(int fd, const gnutls_datum_t** d, unsigned int num) { + unsigned int i; + int ret; + + for (i = 0; i < num; i++) + if (ret = write_datum_fd_with_length(fd, d[i]), ret != 0) + return ret; + + return 0; +} + + +int datum_from_string(gnutls_datum_t* d, const char* str) { + d->size = strlen(str); + d->data = gnutls_realloc(d->data, d->size); + if (d->data == 0) + return ENOMEM; + memcpy(d->data, str, d->size); + return 0; +} + + +int create_writing_pipe(pid_t* pid, const char* path, char* const argv[]) { + int p[2]; + int ret; + + if (pid == NULL) { + err("bad pointer passed to create_writing_pipe()\n"); + return -1; + } + + if (ret = pipe(p), ret == -1) { + err("failed to create a pipe (error: %d \"%s\")\n", errno, strerror(errno)); + return -1; + } + + *pid = fork(); + if (*pid == -1) { + err("Failed to fork (error: %d \"%s\")\n", errno, strerror(errno)); + return -1; + } + if (*pid == 0) { /* this is the child */ + close(p[1]); /* close unused write end */ + + if (0 != dup2(p[0], 0)) { /* map the reading end into stdin */ + err("Failed to transfer reading file descriptor to stdin (error: %d \"%s\")\n", errno, strerror(errno)); + exit(1); + } + execv(path, argv); + err("exec %s failed (error: %d \"%s\")\n", path, errno, strerror(errno)); + /* close the open file descriptors */ + close(p[0]); + close(0); + + exit(1); + } else { /* this is the parent */ + close(p[0]); /* close unused read end */ + return p[1]; + } +} + +int validate_ssh_host_userid(const char* userid) { + char* oldlocale = setlocale(LC_ALL, "C"); + + /* choke if userid does not match the expected format + ("ssh://fully.qualified.domain.name") */ + if (strncmp("ssh://", userid, strlen("ssh://")) != 0) { + err("The user ID should start with ssh:// for a host key\n"); + goto fail; + } + /* so that isalnum will work properly */ + userid += strlen("ssh://"); + while (0 != (*userid)) { + if (!isalnum(*userid)) { + err("label did not start with a letter or a digit! (%s)\n", userid); + goto fail; + } + userid++; + while (isalnum(*userid) || ('-' == (*userid))) + userid++; + if (('.' == (*userid)) || (0 == (*userid))) { /* clean end of label: + check last char + isalnum */ + if (!isalnum(*(userid - 1))) { + err("label did not end with a letter or a digit!\n"); + goto fail; + } + if ('.' == (*userid)) /* advance to the start of the next label */ + userid++; + } else { + err("invalid character in domain name: %c\n", *userid); + goto fail; + } + } + /* ensure that the last character is valid: */ + if (!isalnum(*(userid - 1))) { + err("hostname did not end with a letter or a digit!\n"); + goto fail; + } + /* FIXME: fqdn's can be unicode now, thanks to RFC 3490 -- how do we + make sure that we've got an OK string? */ + + return 0; + + fail: + setlocale(LC_ALL, oldlocale); + return 1; +} + +/* http://tools.ietf.org/html/rfc4880#section-5.5.2 */ +size_t get_openpgp_mpi_size(gnutls_datum_t* d) { + return 2 + d->size; +} + +int write_openpgp_mpi_to_fd(int fd, gnutls_datum_t* d) { + uint16_t x; + + x = d->size * 8; + x = htons(x); + + write(fd, &x, sizeof(x)); + write(fd, d->data, d->size); + + return 0; +} diff --git a/src/keytrans/gnutls-helpers.h b/src/keytrans/gnutls-helpers.h new file mode 100644 index 0000000..9ea22a3 --- /dev/null +++ b/src/keytrans/gnutls-helpers.h @@ -0,0 +1,72 @@ +/* Author: Daniel Kahn Gillmor */ +/* Date: Fri, 04 Apr 2008 19:31:16 -0400 */ +/* License: GPL v3 or later */ + + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* Functions to help dealing with GnuTLS for monkeysphere key + translation projects: */ + +/* set everything up, including logging levels. Return 0 on + success */ +int init_gnutls(); + +/* logging and output functions: */ + +void err(const char* fmt, ...); +void logfunc(int level, const char* string); + +/* basic datum manipulations: */ + +void init_datum(gnutls_datum_t* d); +void copy_datum(gnutls_datum_t* dest, const gnutls_datum_t* src); +int compare_data(const gnutls_datum_t* a, const gnutls_datum_t* b); +void free_datum(gnutls_datum_t* d); +int write_datum_fd(int fd, const gnutls_datum_t* d); +int write_datum_fd_with_length(int fd, const gnutls_datum_t* d); +int write_data_fd_with_length(int fd, const gnutls_datum_t** d, unsigned int num); + +/* set up a datum from a null-terminated string */ +int datum_from_string(gnutls_datum_t* d, const char* str); + +/* keyid manipulations: */ +typedef unsigned char printable_keyid[16]; + +void init_keyid(gnutls_openpgp_keyid_t keyid); +void make_keyid_printable(printable_keyid out, gnutls_openpgp_keyid_t keyid); + +/* functions to get data into datum objects: */ + +/* read the passed-in string, store in a single datum */ +int set_datum_string(gnutls_datum_t* d, const char* s); + +/* read the passed-in file descriptor until EOF, store in a single + datum */ +int set_datum_fd(gnutls_datum_t* d, int fd); + +/* read the file indicated (by name) in the fname parameter. store + its entire contents in a single datum. */ +int set_datum_file(gnutls_datum_t* d, const char* fname); + +/* set up file descriptor pipe for writing (child process pid gets + stored in pid, fd is returned)*/ +int create_writing_pipe(pid_t* pid, const char* path, char* const argv[]); + +/* return 0 if userid matches the monkeysphere spec for ssh host user IDs */ +int validate_ssh_host_userid(const char* userid); + +/* how many bytes will it take to write out this datum in OpenPGP MPI form? */ +size_t get_openpgp_mpi_size(gnutls_datum_t* d); + +/* write the MPI stored in gnutls_datum_t to file descriptor fd: */ +int write_openpgp_mpi_to_fd(int fd, gnutls_datum_t* d); diff --git a/src/keytrans/gpg2ssh.c b/src/keytrans/gpg2ssh.c new file mode 100644 index 0000000..c99f03f --- /dev/null +++ b/src/keytrans/gpg2ssh.c @@ -0,0 +1,293 @@ +#include "gnutls-helpers.h" + +#include +#include + +/* for waitpid() */ +#include +#include + +/* + Author: Daniel Kahn Gillmor + Date: Tue, 08 Apr 2008 + License: GPL v3 or later + + monkeysphere public key translator: execute this with an GPG + certificate (public key(s) + userid(s)) on stdin. It currently + only works with RSA keys. + + It will spit out a version of the first key capable of being used + for authentication on stdout. The output format should be suitable + for appending a known_hosts file. + + Requirements: I've only built this so far with GnuTLS v2.3.4 -- + version 2.2.0 does not contain the appropriate pieces. + + */ + +int main(int argc, char* argv[]) { + gnutls_datum_t data; + int ret; + gnutls_openpgp_crt_t openpgp_crt; + gnutls_openpgp_keyid_t keyid; + printable_keyid p_keyid; + unsigned int keyidx; + unsigned int usage, bits; + gnutls_pk_algorithm_t algo; + + gnutls_datum_t m, e, p, q, g, y; + gnutls_datum_t algolabel; + + char output_data[10240]; + char userid[10240]; + size_t uidsz = sizeof(userid); + + const gnutls_datum_t* all[5]; + int pipefd; + pid_t child_pid; + char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL}; + const char* algoname; + int mpicount; + int pipestatus; + + init_gnutls(); + + init_datum(&data); + + init_datum(&m); + init_datum(&e); + init_datum(&p); + init_datum(&q); + init_datum(&g); + init_datum(&y); + + init_datum(&algolabel); + + init_keyid(keyid); + + /* slurp in the private key from stdin */ + if (ret = set_datum_fd(&data, 0), ret) { + err("didn't read file descriptor 0\n"); + return 1; + } + + + if (ret = gnutls_openpgp_crt_init(&openpgp_crt), ret) { + err("Failed to initialize OpenPGP certificate (error: %d)\n", ret); + return 1; + } + + /* format could be either: GNUTLS_OPENPGP_FMT_RAW, + GNUTLS_OPENPGP_FMT_BASE64; if MONKEYSPHERE_RAW is set, use RAW, + otherwise, use BASE64: */ + + /* FIXME: we should be auto-detecting the input format, and + translating it as needed. */ + + if (getenv("MONKEYSPHERE_RAW")) { + err("assuming RAW formatted certificate\n"); + if (ret = gnutls_openpgp_crt_import(openpgp_crt, &data, GNUTLS_OPENPGP_FMT_RAW), ret) { + err("failed to import the OpenPGP certificate in RAW format (error: %d)\n", ret); + return ret; + } + } else { + err("assuming BASE64 formatted certificate\n"); + if (ret = gnutls_openpgp_crt_import (openpgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64), ret) { + err("failed to import the OpenPGP certificate in BASE64 format (error: %d)\n", ret); + return ret; + } + } + + if (gnutls_openpgp_crt_get_revoked_status(openpgp_crt)) { + err("the primary key was revoked!\n"); + return 1; + } + + /* FIXME: We're currently looking at the primary key or maybe the + first authentication-capable subkey. + + Instead, we should be iterating through the primary key and all + subkeys: for each one with the authentication usage flag set of a + algorithm we can handle, we should output matching UserIDs and + the SSH version of the key. */ + + + if (ret = gnutls_openpgp_crt_get_key_usage(openpgp_crt, &usage), ret) { + err("failed to get the usage flags for the primary key (error: %d)\n", ret); + return ret; + } + if (usage & GNUTLS_KEY_KEY_AGREEMENT && + usage & GNUTLS_KEY_KEY_ENCIPHERMENT) { + err("the primary key can be used for authentication and communication encryption!\n"); + + algo = gnutls_openpgp_crt_get_pk_algorithm(openpgp_crt, &bits); + if (algo < 0) { + err("failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo); + return algo; + } else if (algo == GNUTLS_PK_RSA) { + + err("OpenPGP RSA certificate, with %d bits\n", bits); + ret = gnutls_openpgp_crt_get_pk_rsa_raw(openpgp_crt, &m, &e); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export RSA key parameters (error: %d)\n", ret); + return 1; + } + } else if (algo == GNUTLS_PK_DSA) { + err("OpenPGP DSA Key, with %d bits\n", bits); + ret = gnutls_openpgp_crt_get_pk_dsa_raw(openpgp_crt, &p, &q, &g, &y); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export DSA key parameters (error: %d)\n", ret); + return 1; + } + } else { + err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo); + return 1; + } + + } else { + err("primary key is not good for authentication and communication encryption. Trying subkeys...\n"); + + if (ret = gnutls_openpgp_crt_get_auth_subkey(openpgp_crt, keyid, 0), ret) { + err("failed to find a subkey capable of authentication and communication encryption (error: %d)\n", ret); + return ret; + } + make_keyid_printable(p_keyid, keyid); + err("found authentication subkey %.16s\n", p_keyid); + + ret = gnutls_openpgp_crt_get_subkey_idx(openpgp_crt, keyid); + if (ret < 0) { + err("could not get the index of subkey %.16s (error: %d)\n", ret); + return ret; + } + keyidx = ret; + + if (gnutls_openpgp_crt_get_subkey_revoked_status(openpgp_crt, keyidx)) { + err("The authentication subkey was revoked!\n"); + return 1; + } + + if (ret = gnutls_openpgp_crt_get_subkey_usage(openpgp_crt, keyidx, &usage), ret) { + err("could not figure out usage of subkey %.16s (error: %d)\n", p_keyid, ret); + return ret; + } + if ((usage & GNUTLS_KEY_KEY_AGREEMENT) == 0 && + usage & GNUTLS_KEY_KEY_ENCIPHERMENT) { + err("could not find a subkey with authentication and communication encryption.\n"); + return 1; + } + + /* switch, based on the algorithm in question, to extract the MPI + components: */ + + algo = gnutls_openpgp_crt_get_subkey_pk_algorithm(openpgp_crt, keyidx, &bits); + if (algo < 0) { + err("failed to get the algorithm of the authentication subkey (error: %d)\n", algo); + return algo; + } else if (algo == GNUTLS_PK_RSA) { + + err("OpenPGP RSA subkey, with %d bits\n", bits); + ret = gnutls_openpgp_crt_get_subkey_pk_rsa_raw(openpgp_crt, keyidx, &m, &e); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export RSA subkey parameters (error: %d)\n", ret); + return 1; + } + } else if (algo == GNUTLS_PK_DSA) { + err("OpenPGP DSA subkey, with %d bits\n", bits); + ret = gnutls_openpgp_crt_get_subkey_pk_dsa_raw(openpgp_crt, keyidx, &p, &q, &g, &y); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export DSA subkey parameters (error: %d)\n", ret); + return 1; + } + } else { + err("OpenPGP subkey was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo); + return 1; + } + } + + /* make sure userid is NULL-terminated */ + userid[sizeof(userid) - 1] = 0; + uidsz--; + + /* FIXME: we're just choosing the first UserID from the certificate: + instead, we should be selecting every User ID that is adequately + signed and matches the spec, and aggregating them with commas for + known_hosts output */ + + if (ret = gnutls_openpgp_crt_get_name(openpgp_crt, 0, userid, &uidsz), ret) { + err("Failed to fetch the first UserID (error: %d)\n", ret); + return ret; + } + + if (ret = validate_ssh_host_userid(userid), ret) { + err("bad userid: not a valid ssh host.\n"); + return ret; + } + + /* remove ssh:// from the beginning of userid */ + memmove(userid, userid + strlen("ssh://"), 1 + strlen(userid) - strlen("ssh://")); + + + /* now we have algo, and the various MPI data are set. Can we + export them cleanly? */ + + /* for the moment, we'll just dump the info raw, and pipe it + externally through coreutils' /usr/bin/base64 */ + + if (algo == GNUTLS_PK_RSA) { + algoname = "ssh-rsa"; + mpicount = 3; + + all[0] = &algolabel; + all[1] = &e; + all[2] = &m; + } else if (algo == GNUTLS_PK_DSA) { + algoname = "ssh-dss"; + mpicount = 5; + + all[0] = &algolabel; + all[1] = &p; + all[2] = &q; + all[3] = &g; + all[4] = &y; + } else { + err("no idea what this algorithm is: %d\n", algo); + return 1; + } + + if (ret = datum_from_string(&algolabel, algoname), ret) { + err("couldn't label string (error: %d)\n", ret); + return ret; + } + + snprintf(output_data, sizeof(output_data), "%s %s ", userid, algoname); + + pipefd = create_writing_pipe(&child_pid, args[0], args); + if (pipefd < 0) { + err("failed to create a writing pipe (returned %d)\n", pipefd); + return pipefd; + } + + write(1, output_data, strlen(output_data)); + + if (0 != write_data_fd_with_length(pipefd, all, mpicount)) { + err("was not able to write out RSA key data\n"); + return 1; + } + close(pipefd); + if (child_pid != waitpid(child_pid, &pipestatus, 0)) { + err("could not wait for child process to return for some reason.\n"); + return 1; + } + if (pipestatus != 0) { + err("base64 pipe died with return code %d\n", pipestatus); + return pipestatus; + } + + write(1, "\n", 1); + + + + gnutls_openpgp_crt_deinit(openpgp_crt); + gnutls_global_deinit(); + return 0; +} diff --git a/src/keytrans/openpgp2ssh.c b/src/keytrans/openpgp2ssh.c new file mode 100644 index 0000000..d6bac68 --- /dev/null +++ b/src/keytrans/openpgp2ssh.c @@ -0,0 +1,271 @@ +#include "gnutls-helpers.h" + +#include +#include + +/* + Author: Daniel Kahn Gillmor + Date: Tue, 01 Apr 2008 + License: GPL v3 or later + + monkeysphere private key translator: execute this with an GPG + secret key on stdin (at the moment, only passphraseless RSA keys + work). + + It will spit out a PEM-encoded version of the key on stdout, which + can be fed into ssh-add like this: + + gpg --export-secret-keys $KEYID | monkeysphere | ssh-add -c /dev/stdin + + Requirements: I've only built this so far with GnuTLS v2.3.4 -- + version 2.2.0 does not contain the appropriate pieces. + + Notes: gpgkey2ssh doesn't seem to provide the same public + keys. Mighty weird! + +0 wt215@squeak:~/monkeysphere$ gpg --export-secret-keys 1DCDF89F | ~dkg/src/monkeysphere/monkeysphere | ssh-add -c /dev/stdin +gnutls version: 2.3.4 +OpenPGP RSA Key, with 1024 bits +Identity added: /dev/stdin (/dev/stdin) +The user has to confirm each use of the key +0 wt215@squeak:~/monkeysphere$ ssh-add -L +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC9gWQqfrnhQKDQnND/3eOexpddE64J+1zp9fcyCje7H5LKclb6DBV2HS6WgW32PJhIzvP+fYZM3dzXea3fpv14y1SicXiRBDgF9SnsNA1qWn2RyzkLcKy7PmM0PDYtU1oiLTcQj/xkWcqW2sLKHT/WW+vZP5XP7RMGN/yWNMfE2Q== /dev/stdin +0 wt215@squeak:~/monkeysphere$ gpgkey2ssh 1DCDF89F +ssh-rsa AAAAB3NzaC1yc2EAAACBAL2BZCp+ueFAoNCc0P/d457Gl10Trgn7XOn19zIKN7sfkspyVvoMFXYdLpaBbfY8mEjO8/59hkzd3Nd5rd+m/XjLVKJxeJEEOAX1Kew0DWpafZHLOQtwrLs+YzQ8Ni1TWiItNxCP/GRZypbawsodP9Zb69k/lc/tEwY3/JY0x8TZAAAAAwEAAQ== COMMENT +0 wt215@squeak:~/monkeysphere$ + + */ + + +int convert_pgp_to_x509(gnutls_x509_privkey_t* output, gnutls_datum_t* input) { + gnutls_openpgp_privkey_t pgp_privkey; + gnutls_datum_t m, e, d, p, q, u, g, y, x; + gnutls_pk_algorithm_t pgp_algo; + unsigned int pgp_bits; + int ret; + + init_datum(&m); + init_datum(&e); + init_datum(&d); + init_datum(&p); + init_datum(&q); + init_datum(&u); + init_datum(&g); + init_datum(&y); + init_datum(&x); + + if (ret = gnutls_openpgp_privkey_init(&pgp_privkey), ret) { + err("Failed to initialized OpenPGP private key (error: %d)\n", ret); + return 1; + } + + + /* format could be either: GNUTLS_OPENPGP_FMT_RAW, + GNUTLS_OPENPGP_FMT_BASE64; if MONKEYSPHERE_RAW is set, use RAW, + otherwise, use BASE64: */ + + if (getenv("MONKEYSPHERE_RAW")) { + err("assuming RAW formatted private keys\n"); + if (ret = gnutls_openpgp_privkey_import(pgp_privkey, input, GNUTLS_OPENPGP_FMT_RAW, NULL, 0), ret) + err("failed to import the OpenPGP private key in RAW format (error: %d)\n", ret); + } else { + err("assuming BASE64 formatted private keys\n"); + if (ret = gnutls_openpgp_privkey_import (pgp_privkey, input, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0), ret) + err("failed to import the OpenPGP private key in BASE64 format (error: %d)\n", ret); + } + + pgp_algo = gnutls_openpgp_privkey_get_pk_algorithm(pgp_privkey, &pgp_bits); + if (pgp_algo < 0) { + err("failed to get OpenPGP key algorithm (error: %d)\n", pgp_algo); + return 1; + } + if (pgp_algo == GNUTLS_PK_RSA) { + err("OpenPGP RSA Key, with %d bits\n", pgp_bits); + ret = gnutls_openpgp_privkey_export_rsa_raw(pgp_privkey, &m, &e, &d, &p, &q, &u); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export RSA key parameters (error: %d)\n", ret); + return 1; + } + + ret = gnutls_x509_privkey_import_rsa_raw (*output, &m, &e, &d, &p, &q, &u); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to import RSA key parameters (error: %d)\n", ret); + return 1; + } + } else if (pgp_algo == GNUTLS_PK_DSA) { + err("OpenPGP DSA Key, with %d bits\n", pgp_bits); + ret = gnutls_openpgp_privkey_export_dsa_raw(pgp_privkey, &p, &q, &g, &y, &x); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export DSA key parameters (error: %d)\n", ret); + return 1; + } + + ret = gnutls_x509_privkey_import_dsa_raw (*output, &p, &q, &g, &y, &x); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to import DSA key parameters (error: %d)\n", ret); + return 1; + } + } else { + err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", pgp_algo); + return 1; + } + + ret = gnutls_x509_privkey_fix(*output); + if (ret != 0) { + err("failed to fix up the private key in X.509 format (error: %d)\n", ret); + return 1; + } + + gnutls_openpgp_privkey_deinit(pgp_privkey); + return 0; +} + +int convert_x509_to_pgp(gnutls_openpgp_privkey_t* output, gnutls_datum_t* input) { + gnutls_x509_privkey_t x509_privkey; + gnutls_datum_t m, e, d, p, q, u, g, y, x; + gnutls_pk_algorithm_t x509_algo; + int ret; + + init_datum(&m); + init_datum(&e); + init_datum(&d); + init_datum(&p); + init_datum(&q); + init_datum(&u); + init_datum(&g); + init_datum(&y); + init_datum(&x); + + if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { + err("Failed to initialized X.509 private key (error: %d)\n", ret); + return 1; + } + + + /* format could be either: GNUTLS_X509_FMT_DER, + GNUTLS_X509_FMT_PEM; if MONKEYSPHERE_DER is set, use DER, + otherwise, use PEM: */ + + if (getenv("MONKEYSPHERE_DER")) { + err("assuming DER formatted private keys\n"); + if (ret = gnutls_x509_privkey_import(x509_privkey, input, GNUTLS_X509_FMT_DER), ret) + err("failed to import the X.509 private key in DER format (error: %d)\n", ret); + } else { + err("assuming PEM formatted private keys\n"); + if (ret = gnutls_x509_privkey_import (x509_privkey, input, GNUTLS_X509_FMT_PEM), ret) + err("failed to import the X.509 private key in PEM format (error: %d)\n", ret); + } + + x509_algo = gnutls_x509_privkey_get_pk_algorithm(x509_privkey); + if (x509_algo < 0) { + err("failed to get X.509 key algorithm (error: %d)\n", x509_algo); + return 1; + } + if (x509_algo == GNUTLS_PK_RSA) { + err("X.509 RSA Key\n"); + ret = gnutls_x509_privkey_export_rsa_raw(x509_privkey, &m, &e, &d, &p, &q, &u); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export RSA key parameters (error: %d)\n", ret); + return 1; + } + + /* ret = gnutls_openpgp_privkey_import_rsa_raw (*output, &m, &e, &d, &p, &q, &u); */ + ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to import RSA key parameters (error: %d)\n", ret); + return 1; + } + } else if (x509_algo == GNUTLS_PK_DSA) { + err("X.509 DSA Key\n"); + ret = gnutls_x509_privkey_export_dsa_raw(x509_privkey, &p, &q, &g, &y, &x); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export DSA key parameters (error: %d)\n", ret); + return 1; + } + + /* ret = gnutls_openpgp_privkey_import_dsa_raw (*output, &p, &q, &g, &y, &x); */ + ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to import DSA key parameters (error: %d)\n", ret); + return 1; + } + } else { + err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", x509_algo); + return 1; + } + + gnutls_x509_privkey_deinit(x509_privkey); + return 0; +} + + +int main(int argc, char* argv[]) { + gnutls_datum_t data; + int ret; + gnutls_x509_privkey_t x509_privkey; + + char output_data[10240]; + size_t ods = sizeof(output_data); + + init_gnutls(); + + init_datum(&data); + + /* slurp in the private key from stdin */ + if (ret = set_datum_fd(&data, 0), ret) { + err("didn't read file descriptor 0\n"); + return 1; + } + + + + /* Or, instead, read in key from a file name: + if (ret = set_datum_file(&data, argv[1]), ret) { + err("didn't read file '%s'\n", argv[1]); + return 1; + } +*/ + + /* treat the passed file as an X.509 private key, and extract its + component values: */ + +/* if (ret = gnutls_x509_privkey_import(x509_privkey, &data, GNUTLS_X509_FMT_PEM), ret) { */ +/* err("Failed to import the X.509 key (error: %d)\n", ret); */ +/* return 1; */ +/* } */ +/* gnutls_x509_privkey_export_rsa_raw(x509_privkey, &m, &e, &d, &p, &q, &u); */ + + /* try to print the PEM-encoded private key: */ +/* ret = gnutls_x509_privkey_export (x509_privkey, */ +/* GNUTLS_X509_FMT_PEM, */ +/* output_data, */ +/* &ods); */ +/* printf("ret: %u; ods: %u;\n", ret, ods); */ +/* if (ret == 0) { */ +/* write(0, output_data, ods); */ +/* } */ + + + if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { + err("Failed to initialize X.509 private key (error: %d)\n", ret); + return 1; + } + + if (ret = convert_pgp_to_x509(&x509_privkey, &data), ret) { + return ret; + } + + ret = gnutls_x509_privkey_export (x509_privkey, + GNUTLS_X509_FMT_PEM, + output_data, + &ods); + printf("ret: %u; ods: %u;\n", ret, ods); + if (ret == 0) { + write(1, output_data, ods); + } + + + gnutls_x509_privkey_deinit(x509_privkey); + gnutls_global_deinit(); + return 0; +} diff --git a/src/keytrans/ssh2gpg.c b/src/keytrans/ssh2gpg.c new file mode 100644 index 0000000..b14a540 --- /dev/null +++ b/src/keytrans/ssh2gpg.c @@ -0,0 +1,171 @@ +#include "gnutls-helpers.h" + +#include +#include + +/* for waitpid() */ +#include +#include + +/* for time() */ +#include + +/* for htons() */ +#include + + +/* + Author: Daniel Kahn Gillmor + Date: Sun, 2008-04-20 + License: GPL v3 or later + + monkeysphere public key translator: execute this with an ssh + private key on stdin. It currently only works with RSA keys. + + it should eventually work with OpenSSH-style public keys instead of + the full private key, but it was easier to do this way. + + It shoud spit out a version of the public key suitable for acting + as an OpenPGP public sub key packet. + + */ + +int main(int argc, char* argv[]) { + gnutls_datum_t data; + int ret; + gnutls_x509_privkey_t x509_privkey; + gnutls_openpgp_crt_t openpgp_crt; + gnutls_openpgp_keyid_t keyid; + printable_keyid p_keyid; + unsigned int keyidx; + unsigned int usage, bits; + gnutls_pk_algorithm_t algo; + + unsigned char packettag; + unsigned char openpgpversion; + time_t timestamp; + uint32_t clunkytime; + unsigned char openpgpalgo; + unsigned int packetlen; + uint16_t plen; + + gnutls_datum_t m, e, d, p, q, u, g, y; + gnutls_datum_t algolabel; + + char output_data[10240]; + char userid[10240]; + size_t uidsz = sizeof(userid); + + const gnutls_datum_t* all[5]; + int pipefd; + pid_t child_pid; + char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL}; + const char* algoname; + int mpicount; + int pipestatus; + + init_gnutls(); + + init_datum(&data); + + init_datum(&m); + init_datum(&e); + init_datum(&d); + init_datum(&p); + init_datum(&q); + init_datum(&u); + init_datum(&g); + init_datum(&y); + + init_datum(&algolabel); + + init_keyid(keyid); + + /* slurp in the private key from stdin */ + if (ret = set_datum_fd(&data, 0), ret) { + err("didn't read file descriptor 0\n"); + return 1; + } + + + if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { + err("Failed to initialize private key structure (error: %d)\n", ret); + return 1; + } + + err("assuming PEM formatted private key\n"); + if (ret = gnutls_x509_privkey_import(x509_privkey, &data, GNUTLS_X509_FMT_PEM), ret) { + err("failed to import the PEM-encoded private key (error: %d)\n", ret); + return ret; + } + + algo = gnutls_x509_privkey_get_pk_algorithm(x509_privkey); + if (algo < 0) { + err("failed to get the algorithm of the PEM-encoded public key (error: %d)\n", algo); + return algo; + } else if (algo == GNUTLS_PK_RSA) { + err("RSA private key\n"); + ret = gnutls_x509_privkey_export_rsa_raw(x509_privkey, &m, &e, &d, &p, &q, &u); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export RSA key parameters (error: %d)\n", ret); + return 1; + } + err("Modulus size %d, exponent size %d\n", m.size, e.size); + } else if (algo == GNUTLS_PK_DSA) { + err("DSA Key, not implemented!!\n", bits); + return 1; + } else { + err("Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo); + return 1; + } + + /* now we have algo, and the various MPI data are set. Can we + export them as a public subkey packet? */ + + /* this packet should be tagged 14, and should contain: + + 1 octet: version (4) + 4 octets: time of generation (seconds since 1970) + 1 octet: algo (http://tools.ietf.org/html/rfc4880#section-5.5.2 implies 1 for RSA) + + MPI: modulus + MPI: exponent + */ + + packetlen = 1 + 4 + 1; + /* FIXME: this is RSA only. for DSA, there'll be more: */ + packetlen += get_openpgp_mpi_size(&m) + get_openpgp_mpi_size(&e); + + /* FIXME: we should generate this bound more cleanly -- i just + happen to know that 65535 is 2^16-1: */ + if (packetlen > 65535) { + err("packet length is too long (%d)\n", packetlen); + return 1; + } + + /* we're going to emit an old-style packet, with tag 14 (public + subkey), with a two-octet packet length */ + packettag = 0x80 | (14 << 2) | 1; + + write(1, &packettag, sizeof(packettag)); + plen = htons(packetlen); + write(1, &plen, sizeof(plen)); + + openpgpversion = 4; + write(1, &openpgpversion, 1); + + timestamp = time(NULL); + clunkytime = htonl(timestamp); + write(1, &clunkytime, 4); + + /* FIXME: handle things other than RSA */ + openpgpalgo = 1; + write(1, &openpgpalgo, 1); + + write_openpgp_mpi_to_fd(1, &m); + write_openpgp_mpi_to_fd(1, &e); + + gnutls_x509_privkey_deinit(x509_privkey); + gnutls_global_deinit(); + return 0; +} -- cgit v1.2.3 From 6f2d6f78cd11231d6f7ffd6361812b1bd49a4c34 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 12 Jun 2008 17:25:55 -0400 Subject: Major openpgp2ssh overhaul. It's an unforgiving and brittle tool, but it should do what we expect it to do, and its major limitations should be documented in the man page. --- man/man1/openpgp2ssh.1 | 47 ++++-- src/keytrans/gnutls-helpers.c | 68 ++++++++ src/keytrans/gnutls-helpers.h | 4 + src/keytrans/openpgp2ssh.c | 357 +++++++++++++++++++++++++++++++----------- 4 files changed, 371 insertions(+), 105 deletions(-) (limited to 'src') diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1 index 6267141..1a02b38 100644 --- a/man/man1/openpgp2ssh.1 +++ b/man/man1/openpgp2ssh.1 @@ -12,16 +12,16 @@ openpgp2ssh .Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID .Sh DESCRIPTION -openpgp2ssh takes OpenPGP-formatted RSA and DSA keys on standard -input, and spits out the requested equivalent SSH-style key on -standard output. +openpgp2ssh takes an OpenPGP-formatted primary key and associated +subkeys on standard input, and spits out the requested equivalent +SSH-style key on standard output. -If the data on standard input contains only a single key, you can -invoke openpgp2ssh without arguments. If the data on standard input -contains multiple keys (e.g. a primary key and associated subkeys), -you must specify a specific OpenPGP keyid (e.g. CCD2ED94D21739E9) or +If the data on standard input contains no subkeys, you can invoke +openpgp2ssh without arguments. If the data on standard input contains +multiple keys (e.g. a primary key and associated subkeys), you must +specify a specific OpenPGP keyid (e.g. CCD2ED94D21739E9) or fingerprint as the first argument to indicate which key to export. -The keyid must be at least 8 hex characters. +The keyid must be exactly 16 hex characters. If the input contains an OpenPGP RSA or DSA public key, it will be converted to the OpenSSH-style single-line keystring, prefixed with @@ -31,20 +31,29 @@ insertion into known_hosts files and authorized_keys files. If the input contains an OpenPGP RSA or DSA secret key, it will be converted to the equivalent PEM-encoded private key. -Note that the keys produced by this process are stripped of all -identifying information, including certifications, self-signatures, -etc. - openpgp2ssh is part of the .Xr monkeysphere 1 framework for providing a PKI for SSH. +.Sh CAVEATS +The keys produced by this process are stripped of all identifying +information, including certifications, self-signatures, etc. This is +intentional, since ssh attaches no inherent significance to these +features. + +openpgp2ssh only works with RSA or DSA keys, because those are the +only ones which work with ssh. + +Assuming a valid key type, though, openpgp2ssh will produce output for +any requested key. This means, among other things, that it will +happily export revoked keys, unverifiable keys, expired keys, etc. +Make sure you do your own key validation before using this tool! .Sh EXAMPLES .Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin This pushes the secret key into the active .Xr ssh-agent 1 . -Tools (such as -.Xr ssh 1 ) +Tools such as +.Xr ssh 1 which know how to talk to the .Xr ssh-agent 1 can now rely on the key. @@ -58,8 +67,14 @@ lsh(1) and putty(1). Secret key output is currently not passphrase-protected. -This program is not yet implemented, and this man page currently only -describes expected functionality. +openpgp2ssh currently cannot handle passphrase-protected secret keys on input. + +It would be nice to be able to use keyids shorter or longer than 16 +hex characters. + +openpgp2ssh only acts on keys associated with the first primary key +passed in. If you send it more than one primary key, it will silently +ignore later ones. .Sh SEE ALSO .Xr monkeysphere 1 , .Xr ssh 1 , diff --git a/src/keytrans/gnutls-helpers.c b/src/keytrans/gnutls-helpers.c index 6eae29e..7c342bb 100644 --- a/src/keytrans/gnutls-helpers.c +++ b/src/keytrans/gnutls-helpers.c @@ -12,6 +12,9 @@ /* for isalnum() */ #include +/* for exit() */ +#include + int loglevel = 0; @@ -46,6 +49,71 @@ void make_keyid_printable(printable_keyid out, gnutls_openpgp_keyid_t keyid) } } +unsigned char hex2bin(unsigned char x) { + if ((x >= '0') && (x <= '9')) + return x - '0'; + if ((x >= 'A') && (x <= 'F')) + return 10 + x - 'A'; + if ((x >= 'a') && (x <= 'f')) + return 10 + x - 'a'; + return 0xff; +} + +void collapse_printable_keyid(gnutls_openpgp_keyid_t out, printable_keyid in) { + unsigned int pkix = 0, outkix = 0; + + while (pkix < sizeof(printable_keyid)) { + unsigned hi = hex2bin(in[pkix]); + unsigned lo = hex2bin(in[pkix + 1]); + if (hi == 0xff) { + err("character '%c' is not a hex char\n", in[pkix]); + exit(1); + } + if (lo == 0xff) { + err("character '%c' is not a hex char\n", in[pkix + 1]); + exit(1); + } + out[outkix] = lo | (hi << 4); + + pkix += 2; + outkix++; + } +} + +int convert_string_to_keyid(gnutls_openpgp_keyid_t out, const char* str) { + printable_keyid p; + int ret; + + ret = convert_string_to_printable_keyid(p, str); + if (ret == 0) + collapse_printable_keyid(out, p); + return ret; +} +int convert_string_to_printable_keyid(printable_keyid pkeyid, const char* str) { + int arglen, x; + arglen = 0; + x = 0; + while ((arglen <= sizeof(printable_keyid)) && + (str[x] != '\0')) { + if (isxdigit(str[x])) { + if (arglen == sizeof(printable_keyid)) { + err("There are more than %d hex digits in the keyid '%s'\n", sizeof(printable_keyid), str); + return 1; + } + pkeyid[arglen] = str[x]; + arglen++; + } + x++; + } + + if (arglen != sizeof(printable_keyid)) { + err("keyid '%s' is not %d hex digits in length\n", str, sizeof(printable_keyid)); + return 1; + } + return 0; +} + + int init_gnutls() { const char* version = NULL; diff --git a/src/keytrans/gnutls-helpers.h b/src/keytrans/gnutls-helpers.h index 9ea22a3..00cdec7 100644 --- a/src/keytrans/gnutls-helpers.h +++ b/src/keytrans/gnutls-helpers.h @@ -44,6 +44,10 @@ typedef unsigned char printable_keyid[16]; void init_keyid(gnutls_openpgp_keyid_t keyid); void make_keyid_printable(printable_keyid out, gnutls_openpgp_keyid_t keyid); +void collapse_printable_keyid(gnutls_openpgp_keyid_t out, printable_keyid in); +int convert_string_to_keyid(gnutls_openpgp_keyid_t out, const char* str); +int convert_string_to_printable_keyid(printable_keyid out, const char* str); + /* functions to get data into datum objects: */ diff --git a/src/keytrans/openpgp2ssh.c b/src/keytrans/openpgp2ssh.c index d6bac68..30e19d5 100644 --- a/src/keytrans/openpgp2ssh.c +++ b/src/keytrans/openpgp2ssh.c @@ -3,47 +3,47 @@ #include #include +/* for waitpid() */ +#include +#include + /* Author: Daniel Kahn Gillmor - Date: Tue, 01 Apr 2008 + Date: 2008-06-12 13:47:41-0400 License: GPL v3 or later - monkeysphere private key translator: execute this with an GPG - secret key on stdin (at the moment, only passphraseless RSA keys - work). + monkeysphere key translator: execute this with an OpenPGP key on + stdin, (please indicate the specific keyid that you want as the + first argument if there are subkeys). At the moment, only public + keys and passphraseless secret keys work. - It will spit out a PEM-encoded version of the key on stdout, which - can be fed into ssh-add like this: + For secret keys, it will spit out a PEM-encoded version of the key + on stdout, which can be fed into ssh-add like this: - gpg --export-secret-keys $KEYID | monkeysphere | ssh-add -c /dev/stdin + gpg --export-secret-keys $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin - Requirements: I've only built this so far with GnuTLS v2.3.4 -- - version 2.2.0 does not contain the appropriate pieces. + For public keys, it will spit out a single line of text that can + (with some massaging) be used in an openssh known_hosts or + authorized_keys file. For example: - Notes: gpgkey2ssh doesn't seem to provide the same public - keys. Mighty weird! + echo server.example.org $(gpg --export $KEYID | openpgp2ssh $KEYID) >> ~/.ssh/known_hosts -0 wt215@squeak:~/monkeysphere$ gpg --export-secret-keys 1DCDF89F | ~dkg/src/monkeysphere/monkeysphere | ssh-add -c /dev/stdin -gnutls version: 2.3.4 -OpenPGP RSA Key, with 1024 bits -Identity added: /dev/stdin (/dev/stdin) -The user has to confirm each use of the key -0 wt215@squeak:~/monkeysphere$ ssh-add -L -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC9gWQqfrnhQKDQnND/3eOexpddE64J+1zp9fcyCje7H5LKclb6DBV2HS6WgW32PJhIzvP+fYZM3dzXea3fpv14y1SicXiRBDgF9SnsNA1qWn2RyzkLcKy7PmM0PDYtU1oiLTcQj/xkWcqW2sLKHT/WW+vZP5XP7RMGN/yWNMfE2Q== /dev/stdin -0 wt215@squeak:~/monkeysphere$ gpgkey2ssh 1DCDF89F -ssh-rsa AAAAB3NzaC1yc2EAAACBAL2BZCp+ueFAoNCc0P/d457Gl10Trgn7XOn19zIKN7sfkspyVvoMFXYdLpaBbfY8mEjO8/59hkzd3Nd5rd+m/XjLVKJxeJEEOAX1Kew0DWpafZHLOQtwrLs+YzQ8Ni1TWiItNxCP/GRZypbawsodP9Zb69k/lc/tEwY3/JY0x8TZAAAAAwEAAQ== COMMENT -0 wt215@squeak:~/monkeysphere$ + Requirements: I've only built this so far with GnuTLS v2.3.x. + GnuTLS 2.2.x does not contain the appropriate functionality. */ -int convert_pgp_to_x509(gnutls_x509_privkey_t* output, gnutls_datum_t* input) { - gnutls_openpgp_privkey_t pgp_privkey; +/* FIXME: keyid should be const as well */ +int convert_private_pgp_to_x509(gnutls_x509_privkey_t* output, const gnutls_openpgp_privkey_t* pgp_privkey, gnutls_openpgp_keyid_t* keyid) { gnutls_datum_t m, e, d, p, q, u, g, y, x; gnutls_pk_algorithm_t pgp_algo; unsigned int pgp_bits; int ret; +/* FIXME: actually respect keyid argument. At the moment, we just + emit the primary key. */ + init_datum(&m); init_datum(&e); init_datum(&d); @@ -54,34 +54,14 @@ int convert_pgp_to_x509(gnutls_x509_privkey_t* output, gnutls_datum_t* input) { init_datum(&y); init_datum(&x); - if (ret = gnutls_openpgp_privkey_init(&pgp_privkey), ret) { - err("Failed to initialized OpenPGP private key (error: %d)\n", ret); - return 1; - } - - - /* format could be either: GNUTLS_OPENPGP_FMT_RAW, - GNUTLS_OPENPGP_FMT_BASE64; if MONKEYSPHERE_RAW is set, use RAW, - otherwise, use BASE64: */ - - if (getenv("MONKEYSPHERE_RAW")) { - err("assuming RAW formatted private keys\n"); - if (ret = gnutls_openpgp_privkey_import(pgp_privkey, input, GNUTLS_OPENPGP_FMT_RAW, NULL, 0), ret) - err("failed to import the OpenPGP private key in RAW format (error: %d)\n", ret); - } else { - err("assuming BASE64 formatted private keys\n"); - if (ret = gnutls_openpgp_privkey_import (pgp_privkey, input, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0), ret) - err("failed to import the OpenPGP private key in BASE64 format (error: %d)\n", ret); - } - - pgp_algo = gnutls_openpgp_privkey_get_pk_algorithm(pgp_privkey, &pgp_bits); + pgp_algo = gnutls_openpgp_privkey_get_pk_algorithm(*pgp_privkey, &pgp_bits); if (pgp_algo < 0) { err("failed to get OpenPGP key algorithm (error: %d)\n", pgp_algo); return 1; } if (pgp_algo == GNUTLS_PK_RSA) { err("OpenPGP RSA Key, with %d bits\n", pgp_bits); - ret = gnutls_openpgp_privkey_export_rsa_raw(pgp_privkey, &m, &e, &d, &p, &q, &u); + ret = gnutls_openpgp_privkey_export_rsa_raw(*pgp_privkey, &m, &e, &d, &p, &q, &u); if (GNUTLS_E_SUCCESS != ret) { err ("failed to export RSA key parameters (error: %d)\n", ret); return 1; @@ -94,7 +74,7 @@ int convert_pgp_to_x509(gnutls_x509_privkey_t* output, gnutls_datum_t* input) { } } else if (pgp_algo == GNUTLS_PK_DSA) { err("OpenPGP DSA Key, with %d bits\n", pgp_bits); - ret = gnutls_openpgp_privkey_export_dsa_raw(pgp_privkey, &p, &q, &g, &y, &x); + ret = gnutls_openpgp_privkey_export_dsa_raw(*pgp_privkey, &p, &q, &g, &y, &x); if (GNUTLS_E_SUCCESS != ret) { err ("failed to export DSA key parameters (error: %d)\n", ret); return 1; @@ -116,10 +96,190 @@ int convert_pgp_to_x509(gnutls_x509_privkey_t* output, gnutls_datum_t* input) { return 1; } - gnutls_openpgp_privkey_deinit(pgp_privkey); return 0; } +/* FIXME: keyid should be const also */ +int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, gnutls_openpgp_keyid_t* keyid) { + gnutls_openpgp_keyid_t curkeyid; + int ret; + int subkeyidx; + int subkeycount; + int found = 0; + gnutls_datum_t m, e, p, q, g, y, algolabel; + unsigned int bits; + gnutls_pk_algorithm_t algo; + const gnutls_datum_t* all[5]; + const char* algoname; + int mpicount; + /* output_data must be at least 2 chars longer than the maximum possible + algorithm name: */ + char output_data[20]; + + /* variables for the output conversion: */ + int pipestatus; + int pipefd, child_pid; + char* const b64args[] = {"/usr/bin/base64", "--wrap=0", NULL}; + + init_datum(&m); + init_datum(&e); + init_datum(&p); + init_datum(&q); + init_datum(&g); + init_datum(&algolabel); + + + /* figure out if we've got the right thing: */ + subkeycount = gnutls_openpgp_crt_get_subkey_count(*pgp_crt); + if (subkeycount < 0) { + err("Could not determine subkey count (got value %d)\n", subkeycount); + return 1; + } + + if ((keyid == NULL) && + (subkeycount > 0)) { + err("No keyid passed in, but there were %d keys to choose from\n", subkeycount + 1); + return 1; + } + + if (keyid != NULL) { + ret = gnutls_openpgp_crt_get_key_id(*pgp_crt, curkeyid); + if (ret) { + err("Could not get keyid (error: %d)\n", ret); + return 1; + } + } + if ((keyid == NULL) || (memcmp(*keyid, curkeyid, sizeof(gnutls_openpgp_keyid_t)) == 0)) { + /* we want to export the primary key: */ + err("exporting primary key\n"); + + /* FIXME: this is almost identical to the block below for subkeys. + This clumsiness seems inherent in the gnutls OpenPGP API, + though. ugh. */ + algo = gnutls_openpgp_crt_get_pk_algorithm(*pgp_crt, &bits); + if (algo < 0) { + err("failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo); + return algo; + } else if (algo == GNUTLS_PK_RSA) { + err("OpenPGP RSA certificate, with %d bits\n", bits); + ret = gnutls_openpgp_crt_get_pk_rsa_raw(*pgp_crt, &m, &e); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export RSA key parameters (error: %d)\n", ret); + return 1; + } + } else if (algo == GNUTLS_PK_DSA) { + err("OpenPGP DSA Key, with %d bits\n", bits); + ret = gnutls_openpgp_crt_get_pk_dsa_raw(*pgp_crt, &p, &q, &g, &y); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export DSA key parameters (error: %d)\n", ret); + return 1; + } + } + found = 1; + + } else { + /* lets trawl through the subkeys until we find the one we want: */ + for (subkeyidx = 0; (subkeyidx < subkeycount) && !found; subkeyidx++) { + ret = gnutls_openpgp_crt_get_subkey_id(*pgp_crt, subkeyidx, curkeyid); + if (ret) { + err("Could not get keyid of subkey with index %d (error: %d)\n", subkeyidx, ret); + return 1; + } + if (memcmp(*keyid, curkeyid, sizeof(gnutls_openpgp_keyid_t)) == 0) { + err("exporting subkey index %d\n", subkeyidx); + + /* FIXME: this is almost identical to the block above for the + primary key. */ + algo = gnutls_openpgp_crt_get_subkey_pk_algorithm(*pgp_crt, subkeyidx, &bits); + if (algo < 0) { + err("failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo); + return algo; + } else if (algo == GNUTLS_PK_RSA) { + err("OpenPGP RSA certificate, with %d bits\n", bits); + ret = gnutls_openpgp_crt_get_subkey_pk_rsa_raw(*pgp_crt, subkeyidx, &m, &e); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export RSA key parameters (error: %d)\n", ret); + return 1; + } + } else if (algo == GNUTLS_PK_DSA) { + err("OpenPGP DSA Key, with %d bits\n", bits); + ret = gnutls_openpgp_crt_get_subkey_pk_dsa_raw(*pgp_crt, subkeyidx, &p, &q, &g, &y); + if (GNUTLS_E_SUCCESS != ret) { + err ("failed to export DSA key parameters (error: %d)\n", ret); + return 1; + } + } + found = 1; + + } + } + } + + if (!found) { + err("Could not find key in input\n"); + return 1; + } + + /* if we made it this far, we've got MPIs, and we've got the + algorithm, so we just need to emit the info */ + if (algo == GNUTLS_PK_RSA) { + algoname = "ssh-rsa"; + mpicount = 3; + + all[0] = &algolabel; + all[1] = &e; + all[2] = &m; + } else if (algo == GNUTLS_PK_DSA) { + algoname = "ssh-dss"; + mpicount = 5; + + all[0] = &algolabel; + all[1] = &p; + all[2] = &q; + all[3] = &g; + all[4] = &y; + } else { + err("Key algorithm was neither DSA nor RSA (it was %d). Can't deal. Sorry!\n", algo); + return 1; + } + + if (ret = datum_from_string(&algolabel, algoname), ret) { + err("couldn't label string (error: %d)\n", ret); + return ret; + } + + snprintf(output_data, sizeof(output_data), "%s ", algoname); + + pipefd = create_writing_pipe(&child_pid, b64args[0], b64args); + if (pipefd < 0) { + err("failed to create a writing pipe (returned %d)\n", pipefd); + return pipefd; + } + + write(1, output_data, strlen(output_data)); + + if (0 != write_data_fd_with_length(pipefd, all, mpicount)) { + err("was not able to write out RSA key data\n"); + return 1; + } + close(pipefd); + if (child_pid != waitpid(child_pid, &pipestatus, 0)) { + err("could not wait for child process to return for some reason.\n"); + return 1; + } + if (pipestatus != 0) { + err("base64 pipe died with return code %d\n", pipestatus); + return pipestatus; + } + + write(1, "\n", 1); + + + return 0; +} + + + int convert_x509_to_pgp(gnutls_openpgp_privkey_t* output, gnutls_datum_t* input) { gnutls_x509_privkey_t x509_privkey; gnutls_datum_t m, e, d, p, q, u, g, y, x; @@ -203,69 +363,88 @@ int main(int argc, char* argv[]) { gnutls_datum_t data; int ret; gnutls_x509_privkey_t x509_privkey; + gnutls_openpgp_privkey_t pgp_privkey; + gnutls_openpgp_crt_t pgp_crt; char output_data[10240]; size_t ods = sizeof(output_data); + + gnutls_openpgp_keyid_t keyid; + gnutls_openpgp_keyid_t* use_keyid; init_gnutls(); + + /* figure out what keyid we should be looking for: */ + use_keyid = NULL; + if (argv[1] != NULL) { + ret = convert_string_to_keyid(keyid, argv[1]); + if (ret != 0) + return ret; + use_keyid = &keyid; + } + init_datum(&data); - /* slurp in the private key from stdin */ + /* slurp in the key from stdin */ if (ret = set_datum_fd(&data, 0), ret) { err("didn't read file descriptor 0\n"); return 1; } - - /* Or, instead, read in key from a file name: - if (ret = set_datum_file(&data, argv[1]), ret) { - err("didn't read file '%s'\n", argv[1]); + if (ret = gnutls_openpgp_privkey_init(&pgp_privkey), ret) { + err("Failed to initialized OpenPGP private key (error: %d)\n", ret); return 1; } -*/ - - /* treat the passed file as an X.509 private key, and extract its - component values: */ - -/* if (ret = gnutls_x509_privkey_import(x509_privkey, &data, GNUTLS_X509_FMT_PEM), ret) { */ -/* err("Failed to import the X.509 key (error: %d)\n", ret); */ -/* return 1; */ -/* } */ -/* gnutls_x509_privkey_export_rsa_raw(x509_privkey, &m, &e, &d, &p, &q, &u); */ - - /* try to print the PEM-encoded private key: */ -/* ret = gnutls_x509_privkey_export (x509_privkey, */ -/* GNUTLS_X509_FMT_PEM, */ -/* output_data, */ -/* &ods); */ -/* printf("ret: %u; ods: %u;\n", ret, ods); */ -/* if (ret == 0) { */ -/* write(0, output_data, ods); */ -/* } */ - - - if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { - err("Failed to initialize X.509 private key (error: %d)\n", ret); - return 1; + /* check whether it's a private key or a public key, by trying them: */ + if ((gnutls_openpgp_privkey_import(pgp_privkey, &data, GNUTLS_OPENPGP_FMT_RAW, NULL, 0) == 0) || + (gnutls_openpgp_privkey_import(pgp_privkey, &data, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0) == 0)) { + /* we're dealing with a private key */ + err("Translating private key\n"); + if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { + err("Failed to initialize X.509 private key for output (error: %d)\n", ret); + return 1; + } + + ret = convert_private_pgp_to_x509(&x509_privkey, &pgp_privkey, use_keyid); + + gnutls_openpgp_privkey_deinit(pgp_privkey); + if (ret) + return ret; + + ret = gnutls_x509_privkey_export (x509_privkey, + GNUTLS_X509_FMT_PEM, + output_data, + &ods); + if (ret == 0) { + write(1, output_data, ods); + } + gnutls_x509_privkey_deinit(x509_privkey); + + } else { + if (ret = gnutls_openpgp_crt_init(&pgp_crt), ret) { + err("Failed to initialized OpenPGP certificate (error: %d)\n", ret); + return 1; + } + + if ((gnutls_openpgp_crt_import(pgp_crt, &data, GNUTLS_OPENPGP_FMT_RAW) == 0) || + (gnutls_openpgp_crt_import(pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64) == 0)) { + /* we're dealing with a public key */ + err("Translating public key\n"); + + ret = emit_public_openssh_from_pgp(&pgp_crt, use_keyid); + + } else { + /* we have no idea what kind of key this is at all anyway! */ + err("Input does contain any form of OpenPGP key I recognize."); + return 1; + } } - if (ret = convert_pgp_to_x509(&x509_privkey, &data), ret) { - return ret; - } - ret = gnutls_x509_privkey_export (x509_privkey, - GNUTLS_X509_FMT_PEM, - output_data, - &ods); - printf("ret: %u; ods: %u;\n", ret, ods); - if (ret == 0) { - write(1, output_data, ods); - } - gnutls_x509_privkey_deinit(x509_privkey); gnutls_global_deinit(); return 0; } -- cgit v1.2.3 From 8042f93c695f373542356739b0812e628f7b8b1d Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 13 Jun 2008 09:34:16 -0400 Subject: keytrans cleanup: getting rid of unimplemented/useless code. --- src/keytrans/Makefile | 9 +- src/keytrans/gpg2ssh.c | 293 --------------------------------------------- src/keytrans/openpgp2ssh.c | 81 ------------- src/keytrans/ssh2gpg.c | 171 -------------------------- 4 files changed, 1 insertion(+), 553 deletions(-) delete mode 100644 src/keytrans/gpg2ssh.c delete mode 100644 src/keytrans/ssh2gpg.c (limited to 'src') diff --git a/src/keytrans/Makefile b/src/keytrans/Makefile index fdd4ccd..53fa5dc 100644 --- a/src/keytrans/Makefile +++ b/src/keytrans/Makefile @@ -7,13 +7,6 @@ openpgp2ssh: openpgp2ssh.c gnutls-helpers.o gcc -g -Wall --pedantic -o $@ -c $< clean: - rm -f openpgp2ssh gpg2ssh ssh2gpg *.o - -# deprecated: -gpg2ssh: gpg2ssh.c gnutls-helpers.o - gcc -g -Wall --pedantic -o gpg2ssh gpg2ssh.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o - -ssh2gpg: ssh2gpg.c gnutls-helpers.o - gcc -g -Wall --pedantic -o ssh2gpg ssh2gpg.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o + rm -f openpgp2ssh *.o .PHONY: clean all diff --git a/src/keytrans/gpg2ssh.c b/src/keytrans/gpg2ssh.c deleted file mode 100644 index c99f03f..0000000 --- a/src/keytrans/gpg2ssh.c +++ /dev/null @@ -1,293 +0,0 @@ -#include "gnutls-helpers.h" - -#include -#include - -/* for waitpid() */ -#include -#include - -/* - Author: Daniel Kahn Gillmor - Date: Tue, 08 Apr 2008 - License: GPL v3 or later - - monkeysphere public key translator: execute this with an GPG - certificate (public key(s) + userid(s)) on stdin. It currently - only works with RSA keys. - - It will spit out a version of the first key capable of being used - for authentication on stdout. The output format should be suitable - for appending a known_hosts file. - - Requirements: I've only built this so far with GnuTLS v2.3.4 -- - version 2.2.0 does not contain the appropriate pieces. - - */ - -int main(int argc, char* argv[]) { - gnutls_datum_t data; - int ret; - gnutls_openpgp_crt_t openpgp_crt; - gnutls_openpgp_keyid_t keyid; - printable_keyid p_keyid; - unsigned int keyidx; - unsigned int usage, bits; - gnutls_pk_algorithm_t algo; - - gnutls_datum_t m, e, p, q, g, y; - gnutls_datum_t algolabel; - - char output_data[10240]; - char userid[10240]; - size_t uidsz = sizeof(userid); - - const gnutls_datum_t* all[5]; - int pipefd; - pid_t child_pid; - char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL}; - const char* algoname; - int mpicount; - int pipestatus; - - init_gnutls(); - - init_datum(&data); - - init_datum(&m); - init_datum(&e); - init_datum(&p); - init_datum(&q); - init_datum(&g); - init_datum(&y); - - init_datum(&algolabel); - - init_keyid(keyid); - - /* slurp in the private key from stdin */ - if (ret = set_datum_fd(&data, 0), ret) { - err("didn't read file descriptor 0\n"); - return 1; - } - - - if (ret = gnutls_openpgp_crt_init(&openpgp_crt), ret) { - err("Failed to initialize OpenPGP certificate (error: %d)\n", ret); - return 1; - } - - /* format could be either: GNUTLS_OPENPGP_FMT_RAW, - GNUTLS_OPENPGP_FMT_BASE64; if MONKEYSPHERE_RAW is set, use RAW, - otherwise, use BASE64: */ - - /* FIXME: we should be auto-detecting the input format, and - translating it as needed. */ - - if (getenv("MONKEYSPHERE_RAW")) { - err("assuming RAW formatted certificate\n"); - if (ret = gnutls_openpgp_crt_import(openpgp_crt, &data, GNUTLS_OPENPGP_FMT_RAW), ret) { - err("failed to import the OpenPGP certificate in RAW format (error: %d)\n", ret); - return ret; - } - } else { - err("assuming BASE64 formatted certificate\n"); - if (ret = gnutls_openpgp_crt_import (openpgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64), ret) { - err("failed to import the OpenPGP certificate in BASE64 format (error: %d)\n", ret); - return ret; - } - } - - if (gnutls_openpgp_crt_get_revoked_status(openpgp_crt)) { - err("the primary key was revoked!\n"); - return 1; - } - - /* FIXME: We're currently looking at the primary key or maybe the - first authentication-capable subkey. - - Instead, we should be iterating through the primary key and all - subkeys: for each one with the authentication usage flag set of a - algorithm we can handle, we should output matching UserIDs and - the SSH version of the key. */ - - - if (ret = gnutls_openpgp_crt_get_key_usage(openpgp_crt, &usage), ret) { - err("failed to get the usage flags for the primary key (error: %d)\n", ret); - return ret; - } - if (usage & GNUTLS_KEY_KEY_AGREEMENT && - usage & GNUTLS_KEY_KEY_ENCIPHERMENT) { - err("the primary key can be used for authentication and communication encryption!\n"); - - algo = gnutls_openpgp_crt_get_pk_algorithm(openpgp_crt, &bits); - if (algo < 0) { - err("failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo); - return algo; - } else if (algo == GNUTLS_PK_RSA) { - - err("OpenPGP RSA certificate, with %d bits\n", bits); - ret = gnutls_openpgp_crt_get_pk_rsa_raw(openpgp_crt, &m, &e); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export RSA key parameters (error: %d)\n", ret); - return 1; - } - } else if (algo == GNUTLS_PK_DSA) { - err("OpenPGP DSA Key, with %d bits\n", bits); - ret = gnutls_openpgp_crt_get_pk_dsa_raw(openpgp_crt, &p, &q, &g, &y); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export DSA key parameters (error: %d)\n", ret); - return 1; - } - } else { - err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo); - return 1; - } - - } else { - err("primary key is not good for authentication and communication encryption. Trying subkeys...\n"); - - if (ret = gnutls_openpgp_crt_get_auth_subkey(openpgp_crt, keyid, 0), ret) { - err("failed to find a subkey capable of authentication and communication encryption (error: %d)\n", ret); - return ret; - } - make_keyid_printable(p_keyid, keyid); - err("found authentication subkey %.16s\n", p_keyid); - - ret = gnutls_openpgp_crt_get_subkey_idx(openpgp_crt, keyid); - if (ret < 0) { - err("could not get the index of subkey %.16s (error: %d)\n", ret); - return ret; - } - keyidx = ret; - - if (gnutls_openpgp_crt_get_subkey_revoked_status(openpgp_crt, keyidx)) { - err("The authentication subkey was revoked!\n"); - return 1; - } - - if (ret = gnutls_openpgp_crt_get_subkey_usage(openpgp_crt, keyidx, &usage), ret) { - err("could not figure out usage of subkey %.16s (error: %d)\n", p_keyid, ret); - return ret; - } - if ((usage & GNUTLS_KEY_KEY_AGREEMENT) == 0 && - usage & GNUTLS_KEY_KEY_ENCIPHERMENT) { - err("could not find a subkey with authentication and communication encryption.\n"); - return 1; - } - - /* switch, based on the algorithm in question, to extract the MPI - components: */ - - algo = gnutls_openpgp_crt_get_subkey_pk_algorithm(openpgp_crt, keyidx, &bits); - if (algo < 0) { - err("failed to get the algorithm of the authentication subkey (error: %d)\n", algo); - return algo; - } else if (algo == GNUTLS_PK_RSA) { - - err("OpenPGP RSA subkey, with %d bits\n", bits); - ret = gnutls_openpgp_crt_get_subkey_pk_rsa_raw(openpgp_crt, keyidx, &m, &e); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export RSA subkey parameters (error: %d)\n", ret); - return 1; - } - } else if (algo == GNUTLS_PK_DSA) { - err("OpenPGP DSA subkey, with %d bits\n", bits); - ret = gnutls_openpgp_crt_get_subkey_pk_dsa_raw(openpgp_crt, keyidx, &p, &q, &g, &y); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export DSA subkey parameters (error: %d)\n", ret); - return 1; - } - } else { - err("OpenPGP subkey was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo); - return 1; - } - } - - /* make sure userid is NULL-terminated */ - userid[sizeof(userid) - 1] = 0; - uidsz--; - - /* FIXME: we're just choosing the first UserID from the certificate: - instead, we should be selecting every User ID that is adequately - signed and matches the spec, and aggregating them with commas for - known_hosts output */ - - if (ret = gnutls_openpgp_crt_get_name(openpgp_crt, 0, userid, &uidsz), ret) { - err("Failed to fetch the first UserID (error: %d)\n", ret); - return ret; - } - - if (ret = validate_ssh_host_userid(userid), ret) { - err("bad userid: not a valid ssh host.\n"); - return ret; - } - - /* remove ssh:// from the beginning of userid */ - memmove(userid, userid + strlen("ssh://"), 1 + strlen(userid) - strlen("ssh://")); - - - /* now we have algo, and the various MPI data are set. Can we - export them cleanly? */ - - /* for the moment, we'll just dump the info raw, and pipe it - externally through coreutils' /usr/bin/base64 */ - - if (algo == GNUTLS_PK_RSA) { - algoname = "ssh-rsa"; - mpicount = 3; - - all[0] = &algolabel; - all[1] = &e; - all[2] = &m; - } else if (algo == GNUTLS_PK_DSA) { - algoname = "ssh-dss"; - mpicount = 5; - - all[0] = &algolabel; - all[1] = &p; - all[2] = &q; - all[3] = &g; - all[4] = &y; - } else { - err("no idea what this algorithm is: %d\n", algo); - return 1; - } - - if (ret = datum_from_string(&algolabel, algoname), ret) { - err("couldn't label string (error: %d)\n", ret); - return ret; - } - - snprintf(output_data, sizeof(output_data), "%s %s ", userid, algoname); - - pipefd = create_writing_pipe(&child_pid, args[0], args); - if (pipefd < 0) { - err("failed to create a writing pipe (returned %d)\n", pipefd); - return pipefd; - } - - write(1, output_data, strlen(output_data)); - - if (0 != write_data_fd_with_length(pipefd, all, mpicount)) { - err("was not able to write out RSA key data\n"); - return 1; - } - close(pipefd); - if (child_pid != waitpid(child_pid, &pipestatus, 0)) { - err("could not wait for child process to return for some reason.\n"); - return 1; - } - if (pipestatus != 0) { - err("base64 pipe died with return code %d\n", pipestatus); - return pipestatus; - } - - write(1, "\n", 1); - - - - gnutls_openpgp_crt_deinit(openpgp_crt); - gnutls_global_deinit(); - return 0; -} diff --git a/src/keytrans/openpgp2ssh.c b/src/keytrans/openpgp2ssh.c index 30e19d5..10351e6 100644 --- a/src/keytrans/openpgp2ssh.c +++ b/src/keytrans/openpgp2ssh.c @@ -278,87 +278,6 @@ int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, gnutls_ope return 0; } - - -int convert_x509_to_pgp(gnutls_openpgp_privkey_t* output, gnutls_datum_t* input) { - gnutls_x509_privkey_t x509_privkey; - gnutls_datum_t m, e, d, p, q, u, g, y, x; - gnutls_pk_algorithm_t x509_algo; - int ret; - - init_datum(&m); - init_datum(&e); - init_datum(&d); - init_datum(&p); - init_datum(&q); - init_datum(&u); - init_datum(&g); - init_datum(&y); - init_datum(&x); - - if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { - err("Failed to initialized X.509 private key (error: %d)\n", ret); - return 1; - } - - - /* format could be either: GNUTLS_X509_FMT_DER, - GNUTLS_X509_FMT_PEM; if MONKEYSPHERE_DER is set, use DER, - otherwise, use PEM: */ - - if (getenv("MONKEYSPHERE_DER")) { - err("assuming DER formatted private keys\n"); - if (ret = gnutls_x509_privkey_import(x509_privkey, input, GNUTLS_X509_FMT_DER), ret) - err("failed to import the X.509 private key in DER format (error: %d)\n", ret); - } else { - err("assuming PEM formatted private keys\n"); - if (ret = gnutls_x509_privkey_import (x509_privkey, input, GNUTLS_X509_FMT_PEM), ret) - err("failed to import the X.509 private key in PEM format (error: %d)\n", ret); - } - - x509_algo = gnutls_x509_privkey_get_pk_algorithm(x509_privkey); - if (x509_algo < 0) { - err("failed to get X.509 key algorithm (error: %d)\n", x509_algo); - return 1; - } - if (x509_algo == GNUTLS_PK_RSA) { - err("X.509 RSA Key\n"); - ret = gnutls_x509_privkey_export_rsa_raw(x509_privkey, &m, &e, &d, &p, &q, &u); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export RSA key parameters (error: %d)\n", ret); - return 1; - } - - /* ret = gnutls_openpgp_privkey_import_rsa_raw (*output, &m, &e, &d, &p, &q, &u); */ - ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to import RSA key parameters (error: %d)\n", ret); - return 1; - } - } else if (x509_algo == GNUTLS_PK_DSA) { - err("X.509 DSA Key\n"); - ret = gnutls_x509_privkey_export_dsa_raw(x509_privkey, &p, &q, &g, &y, &x); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export DSA key parameters (error: %d)\n", ret); - return 1; - } - - /* ret = gnutls_openpgp_privkey_import_dsa_raw (*output, &p, &q, &g, &y, &x); */ - ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to import DSA key parameters (error: %d)\n", ret); - return 1; - } - } else { - err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", x509_algo); - return 1; - } - - gnutls_x509_privkey_deinit(x509_privkey); - return 0; -} - - int main(int argc, char* argv[]) { gnutls_datum_t data; int ret; diff --git a/src/keytrans/ssh2gpg.c b/src/keytrans/ssh2gpg.c deleted file mode 100644 index b14a540..0000000 --- a/src/keytrans/ssh2gpg.c +++ /dev/null @@ -1,171 +0,0 @@ -#include "gnutls-helpers.h" - -#include -#include - -/* for waitpid() */ -#include -#include - -/* for time() */ -#include - -/* for htons() */ -#include - - -/* - Author: Daniel Kahn Gillmor - Date: Sun, 2008-04-20 - License: GPL v3 or later - - monkeysphere public key translator: execute this with an ssh - private key on stdin. It currently only works with RSA keys. - - it should eventually work with OpenSSH-style public keys instead of - the full private key, but it was easier to do this way. - - It shoud spit out a version of the public key suitable for acting - as an OpenPGP public sub key packet. - - */ - -int main(int argc, char* argv[]) { - gnutls_datum_t data; - int ret; - gnutls_x509_privkey_t x509_privkey; - gnutls_openpgp_crt_t openpgp_crt; - gnutls_openpgp_keyid_t keyid; - printable_keyid p_keyid; - unsigned int keyidx; - unsigned int usage, bits; - gnutls_pk_algorithm_t algo; - - unsigned char packettag; - unsigned char openpgpversion; - time_t timestamp; - uint32_t clunkytime; - unsigned char openpgpalgo; - unsigned int packetlen; - uint16_t plen; - - gnutls_datum_t m, e, d, p, q, u, g, y; - gnutls_datum_t algolabel; - - char output_data[10240]; - char userid[10240]; - size_t uidsz = sizeof(userid); - - const gnutls_datum_t* all[5]; - int pipefd; - pid_t child_pid; - char* const args[] = {"/usr/bin/base64", "--wrap=0", NULL}; - const char* algoname; - int mpicount; - int pipestatus; - - init_gnutls(); - - init_datum(&data); - - init_datum(&m); - init_datum(&e); - init_datum(&d); - init_datum(&p); - init_datum(&q); - init_datum(&u); - init_datum(&g); - init_datum(&y); - - init_datum(&algolabel); - - init_keyid(keyid); - - /* slurp in the private key from stdin */ - if (ret = set_datum_fd(&data, 0), ret) { - err("didn't read file descriptor 0\n"); - return 1; - } - - - if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { - err("Failed to initialize private key structure (error: %d)\n", ret); - return 1; - } - - err("assuming PEM formatted private key\n"); - if (ret = gnutls_x509_privkey_import(x509_privkey, &data, GNUTLS_X509_FMT_PEM), ret) { - err("failed to import the PEM-encoded private key (error: %d)\n", ret); - return ret; - } - - algo = gnutls_x509_privkey_get_pk_algorithm(x509_privkey); - if (algo < 0) { - err("failed to get the algorithm of the PEM-encoded public key (error: %d)\n", algo); - return algo; - } else if (algo == GNUTLS_PK_RSA) { - err("RSA private key\n"); - ret = gnutls_x509_privkey_export_rsa_raw(x509_privkey, &m, &e, &d, &p, &q, &u); - if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export RSA key parameters (error: %d)\n", ret); - return 1; - } - err("Modulus size %d, exponent size %d\n", m.size, e.size); - } else if (algo == GNUTLS_PK_DSA) { - err("DSA Key, not implemented!!\n", bits); - return 1; - } else { - err("Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", algo); - return 1; - } - - /* now we have algo, and the various MPI data are set. Can we - export them as a public subkey packet? */ - - /* this packet should be tagged 14, and should contain: - - 1 octet: version (4) - 4 octets: time of generation (seconds since 1970) - 1 octet: algo (http://tools.ietf.org/html/rfc4880#section-5.5.2 implies 1 for RSA) - - MPI: modulus - MPI: exponent - */ - - packetlen = 1 + 4 + 1; - /* FIXME: this is RSA only. for DSA, there'll be more: */ - packetlen += get_openpgp_mpi_size(&m) + get_openpgp_mpi_size(&e); - - /* FIXME: we should generate this bound more cleanly -- i just - happen to know that 65535 is 2^16-1: */ - if (packetlen > 65535) { - err("packet length is too long (%d)\n", packetlen); - return 1; - } - - /* we're going to emit an old-style packet, with tag 14 (public - subkey), with a two-octet packet length */ - packettag = 0x80 | (14 << 2) | 1; - - write(1, &packettag, sizeof(packettag)); - plen = htons(packetlen); - write(1, &plen, sizeof(plen)); - - openpgpversion = 4; - write(1, &openpgpversion, 1); - - timestamp = time(NULL); - clunkytime = htonl(timestamp); - write(1, &clunkytime, 4); - - /* FIXME: handle things other than RSA */ - openpgpalgo = 1; - write(1, &openpgpalgo, 1); - - write_openpgp_mpi_to_fd(1, &m); - write_openpgp_mpi_to_fd(1, &e); - - gnutls_x509_privkey_deinit(x509_privkey); - gnutls_global_deinit(); - return 0; -} -- cgit v1.2.3 From e983d61545f58db81429d82a356dfadafd491dd0 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 13 Jun 2008 09:41:16 -0400 Subject: added top-level Makefile for ease of building with debhelper. stupid whitespace cleanup in openpgp2ssh.c --- Makefile | 9 +++++++++ src/keytrans/openpgp2ssh.c | 1 - 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 Makefile (limited to 'src') diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..b28e54e --- /dev/null +++ b/Makefile @@ -0,0 +1,9 @@ +all: keytrans + +keytrans: + $(MAKE) -C src/keytrans + +clean: + $(MAKE) -C src/keytrans clean + +.PHONY: all clean diff --git a/src/keytrans/openpgp2ssh.c b/src/keytrans/openpgp2ssh.c index 10351e6..4593b33 100644 --- a/src/keytrans/openpgp2ssh.c +++ b/src/keytrans/openpgp2ssh.c @@ -273,7 +273,6 @@ int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, gnutls_ope } write(1, "\n", 1); - return 0; } -- cgit v1.2.3 From c998145c57c19e026e5f6c8f400fb66a3f52e8d4 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 13 Jun 2008 10:32:09 -0400 Subject: further debianization work. (also, made src/common non-executable, since it is sourced, not executed). --- debian/control | 11 +++++++++-- debian/copyright | 16 ++++++++++++++++ debian/monkeysphere.dirs | 1 + debian/monkeysphere.docs | 2 ++ debian/monkeysphere.install | 5 +++++ debian/monkeysphere.manpages | 3 +++ debian/rules | 3 +++ src/common | 0 8 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 debian/copyright create mode 100644 debian/monkeysphere.dirs create mode 100644 debian/monkeysphere.docs create mode 100644 debian/monkeysphere.install create mode 100644 debian/monkeysphere.manpages create mode 100755 debian/rules mode change 100755 => 100644 src/common (limited to 'src') diff --git a/debian/control b/debian/control index 00c6aeb..e190ae0 100644 --- a/debian/control +++ b/debian/control @@ -1,7 +1,7 @@ Source: monkeysphere Section: net Priority: extra -Maintainer: Daniel Kahn Gillmor +Maintainer: Daniel Kahn Gillmor Uploaders: Jameson Rollins Build-Depends: debhelper (>= 7.0), libgnutls-dev (>= 2.3.14) Standards-Version: 3.8.0.1 @@ -10,6 +10,13 @@ Enhances: openssh-client, openssh-server Dm-Upload-Allowed: yes Package: monkeysphere -Architecture: all +Architecture: any Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6) +Recommends: netcat Description: use the OpenPGP web of trust to verify ssh connections + SSH key-based authentication is tried-and-true, but it lacks a true + Public Key Infrastructure for key certification, revocation and + expiration. MonkeySphere is a framework that uses the OpenPGP web of + trust for these PKI functions. It can be used in both directions: + for users to get validated host keys, and for hosts to manage user + permissions. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..413f60f --- /dev/null +++ b/debian/copyright @@ -0,0 +1,16 @@ +Format-Specification: http://wiki.debian.org/Proposals/CopyrightFormat +Debianized-By: Daniel Kahn Gillmor +Debianized-Date: Fri Jun 13 10:19:16 EDT 2008 +Original-Source: http://lair.fifthhorseman.net/~dkg/git/monkeysphere.git/ + +Files: * +Copyright: Jameson Rollins , + Daniel Kahn Gillmor +License: GPL-3+ + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + . + On Debian systems, the complete text of the GNU General Public License + can be found in file "/usr/share/common-licenses/GPL". diff --git a/debian/monkeysphere.dirs b/debian/monkeysphere.dirs new file mode 100644 index 0000000..5089e73 --- /dev/null +++ b/debian/monkeysphere.dirs @@ -0,0 +1 @@ +usr/share/monkeysphere diff --git a/debian/monkeysphere.docs b/debian/monkeysphere.docs new file mode 100644 index 0000000..4b8144e --- /dev/null +++ b/debian/monkeysphere.docs @@ -0,0 +1,2 @@ +doc/README +doc/MonkeySpec diff --git a/debian/monkeysphere.install b/debian/monkeysphere.install new file mode 100644 index 0000000..a614937 --- /dev/null +++ b/debian/monkeysphere.install @@ -0,0 +1,5 @@ +src/keytrans/openpgp2ssh usr/bin +src/monkeysphere usr/bin +src/monkeysphere-server usr/sbin +src/monkeysphere-ssh-proxycommand usr/bin +src/common usr/share/monkeysphere diff --git a/debian/monkeysphere.manpages b/debian/monkeysphere.manpages new file mode 100644 index 0000000..6e2cb92 --- /dev/null +++ b/debian/monkeysphere.manpages @@ -0,0 +1,3 @@ +man/man1/monkeysphere.1 +man/man1/openpgp2ssh.1 +man/man8/monkeysphere-server.8 diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..cbe925d --- /dev/null +++ b/debian/rules @@ -0,0 +1,3 @@ +#!/usr/bin/make -f +%: + dh $@ diff --git a/src/common b/src/common old mode 100755 new mode 100644 -- cgit v1.2.3 From 03cc847e6fc901ab4c1920324910126158655e37 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 13 Jun 2008 11:18:00 -0400 Subject: monkeysphere debianization. Package can now be cleanly built with minimal lintian warnings. --- COPYING | 6 +++--- Makefile | 5 ++++- debian/changelog | 5 +++-- debian/control | 6 +++--- debian/copyright | 9 +++++++-- man/man1/openpgp2ssh.1 | 54 ++++++++++++++++++++++++++++++-------------------- src/keytrans/Makefile | 2 +- test.key | 27 ------------------------- 8 files changed, 53 insertions(+), 61 deletions(-) delete mode 100644 test.key (limited to 'src') diff --git a/COPYING b/COPYING index ab8788d..c920a0e 100644 --- a/COPYING +++ b/COPYING @@ -1,13 +1,13 @@ MonkeySphere is a system to use the OpenPGP web-of-trust to authenticate and encrypt ssh connections. -It is free software, written by: +It is free software, developed by: Jameson Rollins - Daniel Kahn Gillmor -with much help from: + Daniel Kahn Gillmor Jamie McClelland Micah Anderson Matthew Goins + Mike Castleman MonkeySphere is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of diff --git a/Makefile b/Makefile index b28e54e..64e6cbe 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,10 @@ all: keytrans keytrans: $(MAKE) -C src/keytrans +release: clean + tar c COPYING doc etc Makefile man src | gzip -n > ../monkeysphere_`head -n1 debian/changelog | sed 's/.*(\([^-]*\)-.*/\1/'`.orig.tar.gz + clean: $(MAKE) -C src/keytrans clean -.PHONY: all clean +.PHONY: all clean release diff --git a/debian/changelog b/debian/changelog index 2b68de6..ec744e1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ monkeysphere (0.1-1) unstable; urgency=low - * to be first release... + * First release of debian package for monkeysphere. + * This is experimental -- please report bugs! - -- Jameson Graef Rollins Tue, 10 Jun 2008 17:20:16 -0400 + -- Daniel Kahn Gillmor Fri, 13 Jun 2008 10:53:43 -0400 diff --git a/debian/control b/debian/control index e190ae0..afd5bfa 100644 --- a/debian/control +++ b/debian/control @@ -1,18 +1,18 @@ Source: monkeysphere Section: net Priority: extra -Maintainer: Daniel Kahn Gillmor +Maintainer: Daniel Kahn Gillmor Uploaders: Jameson Rollins Build-Depends: debhelper (>= 7.0), libgnutls-dev (>= 2.3.14) Standards-Version: 3.8.0.1 Homepage: http://cmrg.fifthhorseman.net/wiki/OpenPGPandSSH -Enhances: openssh-client, openssh-server Dm-Upload-Allowed: yes Package: monkeysphere Architecture: any -Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6) +Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), ${shlibs:Depends} Recommends: netcat +Enhances: openssh-client, openssh-server Description: use the OpenPGP web of trust to verify ssh connections SSH key-based authentication is tried-and-true, but it lacks a true Public Key Infrastructure for key certification, revocation and diff --git a/debian/copyright b/debian/copyright index 413f60f..11abe8b 100644 --- a/debian/copyright +++ b/debian/copyright @@ -4,8 +4,13 @@ Debianized-Date: Fri Jun 13 10:19:16 EDT 2008 Original-Source: http://lair.fifthhorseman.net/~dkg/git/monkeysphere.git/ Files: * -Copyright: Jameson Rollins , - Daniel Kahn Gillmor +Copyright: 2008 Jameson Rollins , + Daniel Kahn Gillmor , + Jamie McClelland , + Micah Anderson , + Matthew Goins , + Mike Castleman + License: GPL-3+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1 index 1a02b38..83b6154 100644 --- a/man/man1/openpgp2ssh.1 +++ b/man/man1/openpgp2ssh.1 @@ -7,31 +7,34 @@ openpgp2ssh .Nd translate OpenPGP keys to SSH keys .Sh SYNOPSIS .Nm openpgp2ssh < mykey.gpg - +.Pp .Nm gpg --export $KEYID | openpgp2ssh $KEYID - +.Pp .Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID .Sh DESCRIPTION -openpgp2ssh takes an OpenPGP-formatted primary key and associated +.Nm +takes an OpenPGP-formatted primary key and associated subkeys on standard input, and spits out the requested equivalent SSH-style key on standard output. - +.Pp If the data on standard input contains no subkeys, you can invoke -openpgp2ssh without arguments. If the data on standard input contains +.Nm +without arguments. If the data on standard input contains multiple keys (e.g. a primary key and associated subkeys), you must specify a specific OpenPGP keyid (e.g. CCD2ED94D21739E9) or fingerprint as the first argument to indicate which key to export. The keyid must be exactly 16 hex characters. - +.Pp If the input contains an OpenPGP RSA or DSA public key, it will be converted to the OpenSSH-style single-line keystring, prefixed with the key type. This format is suitable (with minor alterations) for insertion into known_hosts files and authorized_keys files. - +.Pp If the input contains an OpenPGP RSA or DSA secret key, it will be converted to the equivalent PEM-encoded private key. - -openpgp2ssh is part of the +.Pp +.Nm +is part of the .Xr monkeysphere 1 framework for providing a PKI for SSH. .Sh CAVEATS @@ -39,17 +42,20 @@ The keys produced by this process are stripped of all identifying information, including certifications, self-signatures, etc. This is intentional, since ssh attaches no inherent significance to these features. - -openpgp2ssh only works with RSA or DSA keys, because those are the +.Pp +.Nm +only works with RSA or DSA keys, because those are the only ones which work with ssh. - -Assuming a valid key type, though, openpgp2ssh will produce output for +.Pp +Assuming a valid key type, though, +.Nm +will produce output for any requested key. This means, among other things, that it will happily export revoked keys, unverifiable keys, expired keys, etc. Make sure you do your own key validation before using this tool! .Sh EXAMPLES .Nm gpg --export-secret-key $KEYID | openpgp2ssh $KEYID | ssh-add -c /dev/stdin - +.Pp This pushes the secret key into the active .Xr ssh-agent 1 . Tools such as @@ -58,21 +64,25 @@ which know how to talk to the .Xr ssh-agent 1 can now rely on the key. .Sh AUTHOR -openpgp2ssh and this man page were written by Daniel Kahn Gillmor +.Nm +and this man page were written by Daniel Kahn Gillmor . .Sh BUGS -openpgp2ssh currently only exports into formats used by the OpenSSH. +.Nm +currently only exports into formats used by the OpenSSH. It should support other key output formats, such as those used by lsh(1) and putty(1). - +.Pp Secret key output is currently not passphrase-protected. - -openpgp2ssh currently cannot handle passphrase-protected secret keys on input. - +.Pp +.Nm +currently cannot handle passphrase-protected secret keys on input. +.Pp It would be nice to be able to use keyids shorter or longer than 16 hex characters. - -openpgp2ssh only acts on keys associated with the first primary key +.Pp +.Nm +only acts on keys associated with the first primary key passed in. If you send it more than one primary key, it will silently ignore later ones. .Sh SEE ALSO diff --git a/src/keytrans/Makefile b/src/keytrans/Makefile index 53fa5dc..79602ef 100644 --- a/src/keytrans/Makefile +++ b/src/keytrans/Makefile @@ -1,7 +1,7 @@ all: openpgp2ssh openpgp2ssh: openpgp2ssh.c gnutls-helpers.o - gcc -g -Wall --pedantic -o openpgp2ssh openpgp2ssh.c `libgnutls-config --libs --cflags` -lgnutls-extra gnutls-helpers.o + gcc -g -Wall --pedantic -o openpgp2ssh openpgp2ssh.c `libgnutls-config --libs --cflags` gnutls-helpers.o %.o: %.c gcc -g -Wall --pedantic -o $@ -c $< diff --git a/test.key b/test.key deleted file mode 100644 index 4e05880..0000000 --- a/test.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAxMv33LvWBZnKtahorHGYdBZqVxrNUQcVNrgxp4bf/FvgvSLG -kBrw6wHFdVYvWWViD5efrJugqA4+pKp16LEWlc7JZICrou4vEJGkvoqBIJC/4cVN -xcwV1a8jo9ZOYjt0JIyuHrEDGW/edQYWI41XO/H+QdMDsdI+oOmfPV/V4eMyjGKH -vRJ+xDae5izhUb3Lb00YnxpP2n/zhvHpn7weu+bzvwb3pMMo9336Ft7m5ulGPJzN -+3l595LW+lUSDUlUJbACp4Nyn+i9ODPV6xzghzirsh7rnD8jD2kaqIVkcvEhusoB -JN3daPXt9t6m5cfsCWu31BXdbpTWiLIZRUxDzQIBIwKCAQEAl9CMAg0+s90KFxuD -8r4H5IZSCK5GnZe/6GI07vMEj3oTxRrTsP7XG7DoyDsr1z+UyjMjZ+XFE+27S9P0 -ju8Cy1Zg2ICEZ78OXT0nUSkEhtYQXbV2gqTAYwNzQ9/WEUPOn9o9LZ5+u9n0wKzs -gdNvLj5WbUsC2aIwUD8xswDJkP5cA4RfKo8Mz40aXbK6b+S/bOKEkXRFvOor46pl -A8GHxUVcUPUG7LAXCm1FWrDob6FTlv3yW8DeVTCYwt6HdrTmc9b+yOinwMR6ZvUz -R6AESGG7czCvA6rpkCcprfCPx0gfntuzLiGRtl54GvbYWWtPDlxnPwcw1zcSALvM -pJNpawKBgQD/zze04kYZBNDTxolBrZltpPXtPpOrG2Otp8CHreOKn0TifCFPDnCb -ewUhxuDRA+L9KPLT311DtHfIzXJ8/RD6K/QE72ny39h2X2Pn2hWSgb9+iysHBDNc -jb136QFoKQcpqUpLEfTvA71Yqvuk6gsYiuWnIN5KJwy/AhwFQnK/WQKBgQDE8X87 -C+0JSg2ybUopOQVSrvildJEa8CWbM1SAL1j3E24U2fPh+zVmIxqa2m4X/PxFBBTv -WVGayzFkmJK2Dgt7F7hBqi5HelP0B38dXtkPlK6idTALNHoS/7HCDXISgHmDOhcQ -LHGQUuQMkTq6H4cOMwTNO5aM2zc5E9uF/hptlQKBgEHHkftQIKdZAn+Zc8Bud+j+ -iGGTv5JmIPIj0mwIJJFcJ6f0CJCr8RIJsNzMvXeTSP9FCz3LuOWGLW4mM2H37mw3 -MB6GtNgNrLC5cXYiIs3m2XhPq/p9bEr/4ENnzSlposGR7ohVExjjtFig/uFDfzIy -WE+MG+cunOCoxWBwLCKTAoGBALQP/0vtpYTV/eT2NS0A7uyCt3Kzt94dZDYgTUH/ -Z0hMR2OFcUOj2Qzs5R/dpnxVA+dUMGXOAXeVNHk7CcsFhtbxHX3dbCQYEj4yvVyu -fVAS6M8MDqsoqh//uHbnuMB1dmlZrq+zmwecPjdgNbF76TGNuz9MbGOGmOO6Yk6f -LhsLAoGAJoK+yRDaEFDwrjdvGazEy/d1CtknkGY2r4vb8giEodFJcQQhtVtjnYPl -gDIpbcpeT0GDiZd0pxAxpibbKM63pYz8PKtlq0B/qXgArRgJnbku01Jc4iLVWPqK -qitRgsz1HdN2tIqa8oQE0iuvyoq+r6+pqcQJd7sc6lKlk0gO0Mo= ------END RSA PRIVATE KEY----- -- cgit v1.2.3 From 455b0264180abd0fde9d4129696ec0e4753418d7 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 13 Jun 2008 12:07:59 -0400 Subject: fix bug if user monkeysphere home directory didn't exist. --- src/monkeysphere | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'src') diff --git a/src/monkeysphere b/src/monkeysphere index 5d865c9..6e71765 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -132,6 +132,11 @@ msAuthorizedKeys="$MS_HOME"/authorized_keys # make sure gpg home exists with proper permissions mkdir -p -m 0700 "$GNUPGHOME" +# make sure the user monkeysphere home directory exists +mkdir -p -m 0700 "$MS_HOME" +mkdir -p "$hostKeysCacheDir" +mkdir -p "$userKeysCacheDir" + case $COMMAND in 'update-known_hosts'|'update-known-hosts'|'k') MODE='known_hosts' -- cgit v1.2.3 From 220a0fb50691a6cf3db9624275d46a6f730f55c6 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 13 Jun 2008 12:37:08 -0400 Subject: fix bugs in ssh key export functions --- man/man1/monkeysphere.1 | 1 + src/common | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 636adcb..d00a9db 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -107,5 +107,6 @@ Written by Jameson Rollins .PD .SH SEE ALSO .BR ssh (1), +.BR monkeysphere-ssh-proxycommand (1), .BR gpg (1), .BR monkeysphere-server (8) diff --git a/src/common b/src/common index 914c800..8b0f41a 100644 --- a/src/common +++ b/src/common @@ -98,7 +98,7 @@ gpg2known_hosts() { echo -n "$host " gpg --export "$keyID" | \ openpgp2ssh "$keyID" | tr -d '\n' - echo "MonkeySphere${DATE}" + echo " MonkeySphere${DATE}" } # convert key from gpg to ssh authorized_keys format @@ -109,9 +109,9 @@ gpg2authorized_keys() { keyID="$1" userID="$2" - echo -n "MonkeySphere${DATE}:${userID}" gpg --export "$keyID" | \ - openpgp2ssh "$keyID" + openpgp2ssh "$keyID" | tr -d '\n' + echo " MonkeySphere${DATE}:${userID}" } # userid and key policy checking -- cgit v1.2.3 From 1fe3ced39fb67b32b1cce11cd692e492221da930 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 13 Jun 2008 13:05:42 -0400 Subject: making openpgp2ssh less verbose. --- src/keytrans/gnutls-helpers.c | 85 ++++++++++++++++++++++--------------------- src/keytrans/gnutls-helpers.h | 2 +- src/keytrans/openpgp2ssh.c | 78 +++++++++++++++++++-------------------- 3 files changed, 84 insertions(+), 81 deletions(-) (limited to 'src') diff --git a/src/keytrans/gnutls-helpers.c b/src/keytrans/gnutls-helpers.c index 7c342bb..c6e4979 100644 --- a/src/keytrans/gnutls-helpers.c +++ b/src/keytrans/gnutls-helpers.c @@ -15,11 +15,12 @@ /* for exit() */ #include -int loglevel = 0; +static int loglevel = 0; - -void err(const char* fmt, ...) { +void err(int level, const char* fmt, ...) { va_list ap; + if (level < loglevel) + return; va_start(ap, fmt); vfprintf(stderr, fmt, ap); va_end(ap); @@ -66,11 +67,11 @@ void collapse_printable_keyid(gnutls_openpgp_keyid_t out, printable_keyid in) { unsigned hi = hex2bin(in[pkix]); unsigned lo = hex2bin(in[pkix + 1]); if (hi == 0xff) { - err("character '%c' is not a hex char\n", in[pkix]); + err(0, "character '%c' is not a hex char\n", in[pkix]); exit(1); } if (lo == 0xff) { - err("character '%c' is not a hex char\n", in[pkix + 1]); + err(0, "character '%c' is not a hex char\n", in[pkix + 1]); exit(1); } out[outkix] = lo | (hi << 4); @@ -97,7 +98,7 @@ int convert_string_to_printable_keyid(printable_keyid pkeyid, const char* str) { (str[x] != '\0')) { if (isxdigit(str[x])) { if (arglen == sizeof(printable_keyid)) { - err("There are more than %d hex digits in the keyid '%s'\n", sizeof(printable_keyid), str); + err(0, "There are more than %d hex digits in the keyid '%s'\n", sizeof(printable_keyid), str); return 1; } pkeyid[arglen] = str[x]; @@ -107,7 +108,7 @@ int convert_string_to_printable_keyid(printable_keyid pkeyid, const char* str) { } if (arglen != sizeof(printable_keyid)) { - err("keyid '%s' is not %d hex digits in length\n", str, sizeof(printable_keyid)); + err(0, "Keyid '%s' is not %d hex digits in length\n", str, sizeof(printable_keyid)); return 1; } return 0; @@ -120,27 +121,29 @@ int init_gnutls() { const char* debug_string = NULL; int ret; + if (debug_string = getenv("MONKEYSPHERE_DEBUG"), debug_string) { + loglevel = atoi(debug_string); + } + if (ret = gnutls_global_init(), ret) { - err("Failed to do gnutls_global_init() (error: %d)\n", ret); + err(0, "Failed to do gnutls_global_init() (error: %d)\n", ret); return 1; } version = gnutls_check_version(NULL); if (version) - err("gnutls version: %s\n", version); + err(1, "gnutls version: %s\n", version); else { - err("no version found!\n"); + err(0, "no gnutls version found!\n"); return 1; } - if (debug_string = getenv("MONKEYSPHERE_DEBUG"), debug_string) { - loglevel = atoi(debug_string); - gnutls_global_set_log_function(logfunc); - - gnutls_global_set_log_level(loglevel); - err("set log level to %d\n", loglevel); - } + gnutls_global_set_log_function(logfunc); + + gnutls_global_set_log_level(loglevel); + err(1, "set log level to %d\n", loglevel); + return 0; } @@ -155,11 +158,11 @@ void copy_datum(gnutls_datum_t* dest, const gnutls_datum_t* src) { } int compare_data(const gnutls_datum_t* a, const gnutls_datum_t* b) { if (a->size > b->size) { - err("a is larger\n"); + err(0,"a is larger\n"); return 1; } if (a->size < b->size) { - err("b is larger\n"); + err(0,"b is larger\n"); return -1; } return memcmp(a->data, b->data, a->size); @@ -195,7 +198,7 @@ int set_datum_fd(gnutls_datum_t* d, int fd) { bufsize = 1024; d->data = gnutls_realloc(d->data, bufsize); if (d->data == NULL) { - err("out of memory!\n"); + err(0,"out of memory!\n"); return -1; } d->size = bufsize; @@ -204,7 +207,7 @@ int set_datum_fd(gnutls_datum_t* d, int fd) { } f = fdopen(fd, "r"); if (NULL == f) { - err("could not fdopen FD %d\n", fd); + err(0,"could not fdopen FD %d\n", fd); } clearerr(f); while (!feof(f) && !ferror(f)) { @@ -213,16 +216,16 @@ int set_datum_fd(gnutls_datum_t* d, int fd) { bufsize *= 2; d->data = gnutls_realloc(d->data, bufsize); if (d->data == NULL) { - err("out of memory!\n"); + err(0,"out of memory!\n"); return -1; }; d->size = bufsize; } len += fread(d->data + len, 1, bufsize - len, f); - /* err("read %d bytes\n", len); */ + /* err(0,"read %d bytes\n", len); */ } if (ferror(f)) { - err("Error reading from fd %d (error: %d) (error: %d '%s')\n", fd, ferror(f), errno, strerror(errno)); + err(0,"Error reading from fd %d (error: %d) (error: %d '%s')\n", fd, ferror(f), errno, strerror(errno)); return -1; } @@ -241,13 +244,13 @@ int set_datum_file(gnutls_datum_t* d, const char* fname) { size_t x = 0; if (0 != stat(fname, &sbuf)) { - err("failed to stat '%s'\n", fname); + err(0,"failed to stat '%s'\n", fname); return -1; } c = gnutls_realloc(d->data, sbuf.st_size); if (NULL == c) { - err("failed to allocate %d bytes for '%s'\n", sbuf.st_size, fname); + err(0,"failed to allocate %d bytes for '%s'\n", sbuf.st_size, fname); return -1; } @@ -255,13 +258,13 @@ int set_datum_file(gnutls_datum_t* d, const char* fname) { d->size = sbuf.st_size; file = fopen(fname, "r"); if (NULL == file) { - err("failed to open '%s' for reading\n", fname); + err(0,"failed to open '%s' for reading\n", fname); return -1; } x = fread(d->data, d->size, 1, file); if (x != 1) { - err("tried to read %d bytes, read %d instead from '%s'\n", d->size, x, fname); + err(0,"tried to read %d bytes, read %d instead from '%s'\n", d->size, x, fname); fclose(file); return -1; } @@ -271,7 +274,7 @@ int set_datum_file(gnutls_datum_t* d, const char* fname) { int write_datum_fd(int fd, const gnutls_datum_t* d) { if (d->size != write(fd, d->data, d->size)) { - err("failed to write body of datum.\n"); + err(0,"failed to write body of datum.\n"); return -1; } return 0; @@ -293,12 +296,12 @@ int write_datum_fd_with_length(int fd, const gnutls_datum_t* d) { len = htonl(d->size); } if (write(fd, &len, sizeof(len)) != sizeof(len)) { - err("failed to write size of datum.\n"); + err(0,"failed to write size of datum.\n"); return -2; } if (looks_negative) { if (write(fd, &zero, 1) != 1) { - err("failed to write padding byte for MPI.\n"); + err(0,"failed to write padding byte for MPI.\n"); return -2; } } @@ -332,29 +335,29 @@ int create_writing_pipe(pid_t* pid, const char* path, char* const argv[]) { int ret; if (pid == NULL) { - err("bad pointer passed to create_writing_pipe()\n"); + err(0,"bad pointer passed to create_writing_pipe()\n"); return -1; } if (ret = pipe(p), ret == -1) { - err("failed to create a pipe (error: %d \"%s\")\n", errno, strerror(errno)); + err(0,"failed to create a pipe (error: %d \"%s\")\n", errno, strerror(errno)); return -1; } *pid = fork(); if (*pid == -1) { - err("Failed to fork (error: %d \"%s\")\n", errno, strerror(errno)); + err(0,"Failed to fork (error: %d \"%s\")\n", errno, strerror(errno)); return -1; } if (*pid == 0) { /* this is the child */ close(p[1]); /* close unused write end */ if (0 != dup2(p[0], 0)) { /* map the reading end into stdin */ - err("Failed to transfer reading file descriptor to stdin (error: %d \"%s\")\n", errno, strerror(errno)); + err(0,"Failed to transfer reading file descriptor to stdin (error: %d \"%s\")\n", errno, strerror(errno)); exit(1); } execv(path, argv); - err("exec %s failed (error: %d \"%s\")\n", path, errno, strerror(errno)); + err(0,"exec %s failed (error: %d \"%s\")\n", path, errno, strerror(errno)); /* close the open file descriptors */ close(p[0]); close(0); @@ -372,14 +375,14 @@ int validate_ssh_host_userid(const char* userid) { /* choke if userid does not match the expected format ("ssh://fully.qualified.domain.name") */ if (strncmp("ssh://", userid, strlen("ssh://")) != 0) { - err("The user ID should start with ssh:// for a host key\n"); + err(0,"The user ID should start with ssh:// for a host key\n"); goto fail; } /* so that isalnum will work properly */ userid += strlen("ssh://"); while (0 != (*userid)) { if (!isalnum(*userid)) { - err("label did not start with a letter or a digit! (%s)\n", userid); + err(0,"label did not start with a letter or a digit! (%s)\n", userid); goto fail; } userid++; @@ -389,19 +392,19 @@ int validate_ssh_host_userid(const char* userid) { check last char isalnum */ if (!isalnum(*(userid - 1))) { - err("label did not end with a letter or a digit!\n"); + err(0,"label did not end with a letter or a digit!\n"); goto fail; } if ('.' == (*userid)) /* advance to the start of the next label */ userid++; } else { - err("invalid character in domain name: %c\n", *userid); + err(0,"invalid character in domain name: %c\n", *userid); goto fail; } } /* ensure that the last character is valid: */ if (!isalnum(*(userid - 1))) { - err("hostname did not end with a letter or a digit!\n"); + err(0,"hostname did not end with a letter or a digit!\n"); goto fail; } /* FIXME: fqdn's can be unicode now, thanks to RFC 3490 -- how do we diff --git a/src/keytrans/gnutls-helpers.h b/src/keytrans/gnutls-helpers.h index 00cdec7..670d5ff 100644 --- a/src/keytrans/gnutls-helpers.h +++ b/src/keytrans/gnutls-helpers.h @@ -23,7 +23,7 @@ int init_gnutls(); /* logging and output functions: */ -void err(const char* fmt, ...); +void err(int level, const char* fmt, ...); void logfunc(int level, const char* string); /* basic datum manipulations: */ diff --git a/src/keytrans/openpgp2ssh.c b/src/keytrans/openpgp2ssh.c index 4593b33..9e356e7 100644 --- a/src/keytrans/openpgp2ssh.c +++ b/src/keytrans/openpgp2ssh.c @@ -56,43 +56,43 @@ int convert_private_pgp_to_x509(gnutls_x509_privkey_t* output, const gnutls_open pgp_algo = gnutls_openpgp_privkey_get_pk_algorithm(*pgp_privkey, &pgp_bits); if (pgp_algo < 0) { - err("failed to get OpenPGP key algorithm (error: %d)\n", pgp_algo); + err(0, "failed to get OpenPGP key algorithm (error: %d)\n", pgp_algo); return 1; } if (pgp_algo == GNUTLS_PK_RSA) { - err("OpenPGP RSA Key, with %d bits\n", pgp_bits); + err(0,"OpenPGP RSA Key, with %d bits\n", pgp_bits); ret = gnutls_openpgp_privkey_export_rsa_raw(*pgp_privkey, &m, &e, &d, &p, &q, &u); if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export RSA key parameters (error: %d)\n", ret); + err(1, "failed to export RSA key parameters (error: %d)\n", ret); return 1; } ret = gnutls_x509_privkey_import_rsa_raw (*output, &m, &e, &d, &p, &q, &u); if (GNUTLS_E_SUCCESS != ret) { - err ("failed to import RSA key parameters (error: %d)\n", ret); + err(1, "failed to import RSA key parameters (error: %d)\n", ret); return 1; } } else if (pgp_algo == GNUTLS_PK_DSA) { - err("OpenPGP DSA Key, with %d bits\n", pgp_bits); + err(0,"OpenPGP DSA Key, with %d bits\n", pgp_bits); ret = gnutls_openpgp_privkey_export_dsa_raw(*pgp_privkey, &p, &q, &g, &y, &x); if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export DSA key parameters (error: %d)\n", ret); + err(0,"failed to export DSA key parameters (error: %d)\n", ret); return 1; } ret = gnutls_x509_privkey_import_dsa_raw (*output, &p, &q, &g, &y, &x); if (GNUTLS_E_SUCCESS != ret) { - err ("failed to import DSA key parameters (error: %d)\n", ret); + err(0,"failed to import DSA key parameters (error: %d)\n", ret); return 1; } } else { - err("OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", pgp_algo); + err(0,"OpenPGP Key was not RSA or DSA -- can't deal! (actual algorithm was: %d)\n", pgp_algo); return 1; } ret = gnutls_x509_privkey_fix(*output); if (ret != 0) { - err("failed to fix up the private key in X.509 format (error: %d)\n", ret); + err(0,"failed to fix up the private key in X.509 format (error: %d)\n", ret); return 1; } @@ -132,46 +132,46 @@ int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, gnutls_ope /* figure out if we've got the right thing: */ subkeycount = gnutls_openpgp_crt_get_subkey_count(*pgp_crt); if (subkeycount < 0) { - err("Could not determine subkey count (got value %d)\n", subkeycount); + err(0,"Could not determine subkey count (got value %d)\n", subkeycount); return 1; } if ((keyid == NULL) && (subkeycount > 0)) { - err("No keyid passed in, but there were %d keys to choose from\n", subkeycount + 1); + err(0,"No keyid passed in, but there were %d keys to choose from\n", subkeycount + 1); return 1; } if (keyid != NULL) { ret = gnutls_openpgp_crt_get_key_id(*pgp_crt, curkeyid); if (ret) { - err("Could not get keyid (error: %d)\n", ret); + err(0,"Could not get keyid (error: %d)\n", ret); return 1; } } if ((keyid == NULL) || (memcmp(*keyid, curkeyid, sizeof(gnutls_openpgp_keyid_t)) == 0)) { /* we want to export the primary key: */ - err("exporting primary key\n"); + err(0,"exporting primary key\n"); /* FIXME: this is almost identical to the block below for subkeys. This clumsiness seems inherent in the gnutls OpenPGP API, though. ugh. */ algo = gnutls_openpgp_crt_get_pk_algorithm(*pgp_crt, &bits); if (algo < 0) { - err("failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo); + err(0,"failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo); return algo; } else if (algo == GNUTLS_PK_RSA) { - err("OpenPGP RSA certificate, with %d bits\n", bits); + err(0,"OpenPGP RSA certificate, with %d bits\n", bits); ret = gnutls_openpgp_crt_get_pk_rsa_raw(*pgp_crt, &m, &e); if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export RSA key parameters (error: %d)\n", ret); + err(0,"failed to export RSA key parameters (error: %d)\n", ret); return 1; } } else if (algo == GNUTLS_PK_DSA) { - err("OpenPGP DSA Key, with %d bits\n", bits); + err(0,"OpenPGP DSA Key, with %d bits\n", bits); ret = gnutls_openpgp_crt_get_pk_dsa_raw(*pgp_crt, &p, &q, &g, &y); if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export DSA key parameters (error: %d)\n", ret); + err(0,"failed to export DSA key parameters (error: %d)\n", ret); return 1; } } @@ -182,30 +182,30 @@ int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, gnutls_ope for (subkeyidx = 0; (subkeyidx < subkeycount) && !found; subkeyidx++) { ret = gnutls_openpgp_crt_get_subkey_id(*pgp_crt, subkeyidx, curkeyid); if (ret) { - err("Could not get keyid of subkey with index %d (error: %d)\n", subkeyidx, ret); + err(0,"Could not get keyid of subkey with index %d (error: %d)\n", subkeyidx, ret); return 1; } if (memcmp(*keyid, curkeyid, sizeof(gnutls_openpgp_keyid_t)) == 0) { - err("exporting subkey index %d\n", subkeyidx); + err(0,"exporting subkey index %d\n", subkeyidx); /* FIXME: this is almost identical to the block above for the primary key. */ algo = gnutls_openpgp_crt_get_subkey_pk_algorithm(*pgp_crt, subkeyidx, &bits); if (algo < 0) { - err("failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo); + err(0,"failed to get the algorithm of the OpenPGP public key (error: %d)\n", algo); return algo; } else if (algo == GNUTLS_PK_RSA) { - err("OpenPGP RSA certificate, with %d bits\n", bits); + err(0,"OpenPGP RSA certificate, with %d bits\n", bits); ret = gnutls_openpgp_crt_get_subkey_pk_rsa_raw(*pgp_crt, subkeyidx, &m, &e); if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export RSA key parameters (error: %d)\n", ret); + err(0,"failed to export RSA key parameters (error: %d)\n", ret); return 1; } } else if (algo == GNUTLS_PK_DSA) { - err("OpenPGP DSA Key, with %d bits\n", bits); + err(0,"OpenPGP DSA Key, with %d bits\n", bits); ret = gnutls_openpgp_crt_get_subkey_pk_dsa_raw(*pgp_crt, subkeyidx, &p, &q, &g, &y); if (GNUTLS_E_SUCCESS != ret) { - err ("failed to export DSA key parameters (error: %d)\n", ret); + err(0,"failed to export DSA key parameters (error: %d)\n", ret); return 1; } } @@ -216,7 +216,7 @@ int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, gnutls_ope } if (!found) { - err("Could not find key in input\n"); + err(0,"Could not find key in input\n"); return 1; } @@ -239,12 +239,12 @@ int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, gnutls_ope all[3] = &g; all[4] = &y; } else { - err("Key algorithm was neither DSA nor RSA (it was %d). Can't deal. Sorry!\n", algo); + err(0,"Key algorithm was neither DSA nor RSA (it was %d). Can't deal. Sorry!\n", algo); return 1; } if (ret = datum_from_string(&algolabel, algoname), ret) { - err("couldn't label string (error: %d)\n", ret); + err(0,"couldn't label string (error: %d)\n", ret); return ret; } @@ -252,23 +252,23 @@ int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, gnutls_ope pipefd = create_writing_pipe(&child_pid, b64args[0], b64args); if (pipefd < 0) { - err("failed to create a writing pipe (returned %d)\n", pipefd); + err(0,"failed to create a writing pipe (returned %d)\n", pipefd); return pipefd; } write(1, output_data, strlen(output_data)); if (0 != write_data_fd_with_length(pipefd, all, mpicount)) { - err("was not able to write out RSA key data\n"); + err(0,"was not able to write out RSA key data\n"); return 1; } close(pipefd); if (child_pid != waitpid(child_pid, &pipestatus, 0)) { - err("could not wait for child process to return for some reason.\n"); + err(0,"could not wait for child process to return for some reason.\n"); return 1; } if (pipestatus != 0) { - err("base64 pipe died with return code %d\n", pipestatus); + err(0,"base64 pipe died with return code %d\n", pipestatus); return pipestatus; } @@ -306,22 +306,22 @@ int main(int argc, char* argv[]) { /* slurp in the key from stdin */ if (ret = set_datum_fd(&data, 0), ret) { - err("didn't read file descriptor 0\n"); + err(0,"didn't read file descriptor 0\n"); return 1; } if (ret = gnutls_openpgp_privkey_init(&pgp_privkey), ret) { - err("Failed to initialized OpenPGP private key (error: %d)\n", ret); + err(0,"Failed to initialized OpenPGP private key (error: %d)\n", ret); return 1; } /* check whether it's a private key or a public key, by trying them: */ if ((gnutls_openpgp_privkey_import(pgp_privkey, &data, GNUTLS_OPENPGP_FMT_RAW, NULL, 0) == 0) || (gnutls_openpgp_privkey_import(pgp_privkey, &data, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0) == 0)) { /* we're dealing with a private key */ - err("Translating private key\n"); + err(0,"Translating private key\n"); if (ret = gnutls_x509_privkey_init(&x509_privkey), ret) { - err("Failed to initialize X.509 private key for output (error: %d)\n", ret); + err(0,"Failed to initialize X.509 private key for output (error: %d)\n", ret); return 1; } @@ -342,20 +342,20 @@ int main(int argc, char* argv[]) { } else { if (ret = gnutls_openpgp_crt_init(&pgp_crt), ret) { - err("Failed to initialized OpenPGP certificate (error: %d)\n", ret); + err(0,"Failed to initialized OpenPGP certificate (error: %d)\n", ret); return 1; } if ((gnutls_openpgp_crt_import(pgp_crt, &data, GNUTLS_OPENPGP_FMT_RAW) == 0) || (gnutls_openpgp_crt_import(pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64) == 0)) { /* we're dealing with a public key */ - err("Translating public key\n"); + err(0,"Translating public key\n"); ret = emit_public_openssh_from_pgp(&pgp_crt, use_keyid); } else { /* we have no idea what kind of key this is at all anyway! */ - err("Input does contain any form of OpenPGP key I recognize."); + err(0,"Input does contain any form of OpenPGP key I recognize."); return 1; } } -- cgit v1.2.3 From 2fa88e2fde0f56774c76e5cbdc8ea2c67849f3c0 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 13 Jun 2008 13:11:54 -0400 Subject: invert the sense of the loglevel test. duh. --- src/keytrans/gnutls-helpers.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/keytrans/gnutls-helpers.c b/src/keytrans/gnutls-helpers.c index c6e4979..d5f3719 100644 --- a/src/keytrans/gnutls-helpers.c +++ b/src/keytrans/gnutls-helpers.c @@ -15,11 +15,13 @@ /* for exit() */ #include +/* higher levels allow more frivolous error messages through. + this is set with the MONKEYSPHERE_DEBUG variable */ static int loglevel = 0; void err(int level, const char* fmt, ...) { va_list ap; - if (level < loglevel) + if (level > loglevel) return; va_start(ap, fmt); vfprintf(stderr, fmt, ap); -- cgit v1.2.3 From 0c2c01095b4e3e707a08e9ff6ebe61f18689bcaa Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 13 Jun 2008 14:56:01 -0400 Subject: Modify how logging is handled. Now send most everything to stderr. Change to known_hosts hashing on by default. --- src/common | 22 ++++++++-------------- src/monkeysphere | 36 ++++++++++++++++++------------------ src/monkeysphere-server | 4 ++-- 3 files changed, 28 insertions(+), 34 deletions(-) (limited to 'src') diff --git a/src/common b/src/common index 8b0f41a..0f98923 100644 --- a/src/common +++ b/src/common @@ -23,14 +23,8 @@ failure() { exit ${2:-'1'} } -# write output to stdout -log() { - echo -n "ms: " - echo "$@" -} - # write output to stderr -loge() { +log() { echo -n "ms: " 1>&2 echo "$@" 1>&2 } @@ -153,7 +147,7 @@ process_user_id() { # return 1 if there only "tru" lines are output from gpg if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then - loge " key not found." + log " key not found." return 1 fi @@ -182,18 +176,18 @@ process_user_id() { # check primary key validity if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then - loge " unacceptable primary key validity ($validity)." + log " unacceptable primary key validity ($validity)." continue fi # check capability is not Disabled... if check_capability "$capability" 'D' ; then - loge " key disabled." + log " key disabled." continue fi # check overall key capability # must be Encryption and Authentication if ! check_capability "$capability" $requiredPubCapability ; then - loge " unacceptable primary key capability ($capability)." + log " unacceptable primary key capability ($capability)." continue fi @@ -242,7 +236,7 @@ process_user_id() { # key cache file if [ "$keyOK" -a "$uidOK" -a "${keyIDs[*]}" ] ; then for keyID in ${keyIDs[@]} ; do - loge " acceptable key/uid found." + log " acceptable key/uid found." if [ "$MODE" = 'known_hosts' ] ; then # export the key @@ -298,11 +292,11 @@ process_known_hosts() { cacheDir="$2" # take all the hosts from the known_hosts file (first field), - # grep out all the hashed hosts (lines starting with '|') + # grep out all the hashed hosts (lines starting with '|')... cut -d ' ' -f 1 "$knownHosts" | \ grep -v '^|.*$' | \ while IFS=, read -r -a hosts ; do - # process each host + # ...and process each host for host in ${hosts[*]} ; do process_host "$host" "$cacheDir" done diff --git a/src/monkeysphere b/src/monkeysphere index 6e71765..69741e1 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -15,7 +15,7 @@ SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"} export SHAREDIR . "${SHAREDIR}/common" -GLOBAL_CONFIG=${GLOBAL_CONFIG:-"${ETC}"/monkeysphere.conf} +GLOBAL_CONFIG=${GLOBAL_CONFIG:-"${ETC}/monkeysphere.conf"} [ -r "$GLOBAL_CONFIG" ] && . "$GLOBAL_CONFIG" # date in UTF format if needed @@ -63,7 +63,7 @@ gen_ae_subkey(){ # return 1 if there only "tru" lines are output from gpg if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then - loge " key not found." + log " key not found." return 1 fi @@ -78,7 +78,7 @@ Name-Real: $userID EOF ) - log "The following key parameters will be used:" + echo "The following key parameters will be used:" echo "$keyParameters" read -p "generate key? [Y|n]: " OK; OK=${OK:=Y} @@ -107,27 +107,27 @@ COMMAND="$1" shift # set ms home directory -MS_HOME=${MS_HOME:-"$HOME"/.config/monkeysphere} +MS_HOME=${MS_HOME:-"${HOME}/.config/monkeysphere"} # load configuration file -MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere.conf} +MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"} [ -e "$MS_CONF" ] && . "$MS_CONF" # set empty config variable with defaults -AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"$MS_HOME"/authorized_user_ids} -GNUPGHOME=${GNUPGHOME:-"$HOME"/.gnupg} -KEYSERVER=${KEYSERVER:-subkeys.pgp.net} +AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} +GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} +KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} -USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"$HOME"/.ssh/known_hosts} -HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} +USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} +HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"} export GNUPGHOME # stagging locations -hostKeysCacheDir="$MS_HOME"/host_keys -userKeysCacheDir="$MS_HOME"/user_keys -msAuthorizedKeys="$MS_HOME"/authorized_keys +hostKeysCacheDir="${MS_HOME}/host_keys" +userKeysCacheDir="${MS_HOME}/user_keys" +msAuthorizedKeys="${MS_HOME}/authorized_keys" # make sure gpg home exists with proper permissions mkdir -p -m 0700 "$GNUPGHOME" @@ -142,6 +142,7 @@ case $COMMAND in MODE='known_hosts' # touch the known_hosts file to make sure it exists + # ssh-keygen complains if it doesn't exist touch "$USER_KNOWN_HOSTS" # if hosts are specified on the command line, process just @@ -151,8 +152,8 @@ case $COMMAND in process_host "$host" "$hostKeysCacheDir" done - # otherwise, if no hosts are specified, process the user - # known_hosts file + # otherwise, if no hosts are specified, process every user + # in the user's known_hosts file else if [ ! -s "$USER_KNOWN_HOSTS" ] ; then failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." @@ -167,8 +168,7 @@ case $COMMAND in # make sure authorized_user_ids file exists if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then - log "authorized_user_ids file is empty or does not exist." - exit + failure "authorized_user_ids file is empty or does not exist." fi # set user-controlled authorized_keys file path diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 0ff06af..65a7dda 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -70,7 +70,7 @@ EOF ) fi - log "The following key parameters will be used:" + echo "The following key parameters will be used:" echo "$keyParameters" read -p "generate key? [Y|n]: " OK; OK=${OK:=Y} @@ -90,7 +90,7 @@ EOF EOF ) - echo "generating server key..." + log "generating server key..." echo "$keyParameters" | gpg --batch --gen-key } -- cgit v1.2.3 From ad0a9cc0958b30f5be851453ea22c151097fad0c Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 13 Jun 2008 15:36:11 -0400 Subject: More cleanup: - Batch mode for trust_key function. - fix some loggging. - Clean up publish_server_key function -> STILL NON-FUNCTIONING - more work on monkeysphere-ssh-proxycommand man page --- man/man1/monkeysphere-ssh-proxycommand.1 | 31 ++++++--- src/common | 108 +++++++++++++++++++++---------- src/monkeysphere | 23 +++---- src/monkeysphere-server | 19 +----- 4 files changed, 109 insertions(+), 72 deletions(-) (limited to 'src') diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 index 41a95aa..63b5a5e 100644 --- a/man/man1/monkeysphere-ssh-proxycommand.1 +++ b/man/man1/monkeysphere-ssh-proxycommand.1 @@ -2,19 +2,32 @@ .SH NAME monkeysphere-ssh-proxycommand \- MonkeySphere ssh ProxyCommand script .PD -.SH SYNOPSIS -.B ssh -o ProxyCommand="monkeysphere-ssh-proxycommand %h %p" ... -.PD .SH DESCRIPTION .PP -MonkeySphere is a system to leverage the OpenPGP Web of Trust for ssh -authentication and encryption. OpenPGP keys are tracked via GnuPG, -and added to the ssh authorized_keys and known_hosts files to be used -for authentication and encryption of ssh connection. - \fBmonkeysphere-ssh-proxy\fP is an ssh proxy command that can be used to trigger a monkeysphere update of the known_hosts file for the hosts -that are being connected to. +that are being connected to. It is meant to be run as an ssh +ProxyCommand. This can either be done by specifying the proxy command +on the command line: + +.B ssh -o ProxyCommand="monkeysphere-ssh-proxycommand %h %p" ... + +or by adding the following line to your ~/.ssh/config script: + +.B ProxyCommand monkeysphere-ssh-proxycommand %h %p + +The script is very simple, and can easily be incorporated into other +ProxyCommand scripts. All it does is first runs + +.B monkeysphere update-known-hosts HOST + +and then + +.B exec nc HOST PORT + +Run the following command for more info: + +.B less $(which monkeysphere-ssh-proxycommand) .PD .SH AUTHOR Written by Jameson Rollins diff --git a/src/common b/src/common index 0f98923..d56028f 100644 --- a/src/common +++ b/src/common @@ -42,7 +42,7 @@ cutline() { # retrieve all keys with given user id from keyserver # FIXME: need to figure out how to retrieve all matching keys # (not just first 5) -gpg_fetch_keys() { +gpg_fetch_userid() { local id id="$1" echo 1,2,3,4,5 | \ @@ -69,6 +69,18 @@ check_capability() { return 0 } +# get the full fingerprint of a key ID +get_key_fingerprint() { + local keyID + + keyID="$1" + + gpg --list-key --with-colons --fixed-list-mode \ + --with-fingerprint "$keyID" | grep "$keyID" | \ + grep '^fpr:' | cut -d: -f10 +} + + # convert escaped characters from gpg output back into original # character # FIXME: undo all escape character translation in with-colons gpg output @@ -139,7 +151,7 @@ process_user_id() { requiredPubCapability=$(echo "$REQUIRED_KEY_CAPABILITY" | tr "[:lower:]" "[:upper:]") # fetch keys from keyserver, return 1 if none found - gpg_fetch_keys "$userID" || return 1 + gpg_fetch_userid "$userID" || return 1 # output gpg info for (exact) userid and store gpgOut=$(gpg --fixed-list-mode --list-key --with-colons \ @@ -261,6 +273,36 @@ process_user_id() { echo "$cacheDir"/"$userIDHash"."$pubKeyID" } +# update the cache for userid, and prompt to add file to +# authorized_user_ids file if the userid is found in gpg +# and not already in file. +update_userid() { + local userID + local cacheDir + local userIDKeyCache + + userID="$1" + cacheDir="$2" + + log "processing userid: '$userID'" + userIDKeyCache=$(process_user_id "$userID" "$cacheDir") + if [ -z "$userIDKeyCache" ] ; then + return 1 + fi + if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + echo "the following userid is not in the authorized_user_ids file:" + echo " $userID" + read -p "would you like to add it? [Y|n]: " OK; OK=${OK:=Y} + if [ ${OK/y/Y} = 'Y' ] ; then + log -n "adding userid to authorized_user_ids file... " + echo "$userID" >> "$AUTHORIZED_USER_IDS" + echo "done." + else + log "authorized_user_ids file untouched." + fi + fi +} + # process a host for addition to a known_host file process_host() { local host @@ -392,42 +434,38 @@ process_userids_from_authorized_keys() { done } -# update the cache for userid, and prompt to add file to -# authorized_user_ids file if the userid is found in gpg -# and not already in file. -update_userid() { - local userID - local cacheDir - local userIDKeyCache - - userID="$1" - cacheDir="$2" - - log "processing userid: '$userID'" - userIDKeyCache=$(process_user_id "$userID" "$cacheDir") - if [ -z "$userIDKeyCache" ] ; then - return 1 - fi - if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - echo "the following userid is not in the authorized_user_ids file:" - echo " $userID" - read -p "would you like to add? [Y|n]: " OK; OK=${OK:=Y} - if [ ${OK/y/Y} = 'Y' ] ; then - log -n " adding userid to authorized_user_ids file... " - echo "$userID" >> "$AUTHORIZED_USER_IDS" - echo "done." - fi - fi -} - # retrieve key from web of trust, and set owner trust to "full" # if key is found. trust_key() { # get the key from the key server - gpg --keyserver "$KEYSERVER" --recv-key "$keyID" || failure "could not retrieve key '$keyID'" + if ! gpg --keyserver "$KEYSERVER" --recv-key "$keyID" ; then + log "could not retrieve key '$keyID'" + return 1 + fi + + # get key fingerprint + fingerprint=$(get_key_fingerprint "$keyID") + + # import "full" trust for fingerprint into gpg + echo ${fingerprint}:5: | gpg --import-ownertrust + if [ $? = 0 ] ; then + log "owner trust updated." + else + failure "there was a problem changing owner trust." + fi +} + +# publish server key to keyserver +publish_server_key() { + read -p "really publish key to $KEYSERVER? [y|N]: " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "aborting." + fi - # edit the key to change trust - # FIXME: need to figure out how to automate this, - # in a batch mode or something. - gpg --edit-key "$keyID" + # publish host key + # FIXME: need to figure out better way to identify host key + # dummy command so as not to publish fakes keys during testing + # eventually: + #gpg --send-keys --keyserver "$KEYSERVER" $(hostname -f) + echo "NOT PUBLISHED: gpg --send-keys --keyserver $KEYSERVER $(hostname -f)" } diff --git a/src/monkeysphere b/src/monkeysphere index 69741e1..782ba5e 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -136,6 +136,7 @@ mkdir -p -m 0700 "$GNUPGHOME" mkdir -p -m 0700 "$MS_HOME" mkdir -p "$hostKeysCacheDir" mkdir -p "$userKeysCacheDir" +touch "$AUTHORIZED_USER_IDS" case $COMMAND in 'update-known_hosts'|'update-known-hosts'|'k') @@ -163,12 +164,21 @@ case $COMMAND in fi ;; + 'update-userids'|'u') + if [ -z "$1" ] ; then + failure "you must specify at least one userid." + fi + for userID ; do + update_userid "$userID" "$userKeysCacheDir" + done + ;; + 'update-authorized_keys'|'update-authorized-keys'|'a') MODE='authorized_keys' # make sure authorized_user_ids file exists if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then - failure "authorized_user_ids file is empty or does not exist." + failure "$AUTHORIZED_USER_IDS is empty." fi # set user-controlled authorized_keys file path @@ -178,15 +188,6 @@ case $COMMAND in update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$userKeysCacheDir" ;; - 'update-userids'|'u') - if [ -z "$1" ] ; then - failure "you must specify at least one userid." - fi - for userID ; do - update_userid "$userID" "$userKeysCacheDir" - done - ;; - 'gen-ae-subkey'|'g') keyID="$1" if [ -z "$keyID" ] ; then @@ -201,6 +202,6 @@ case $COMMAND in *) failure "Unknown command: '$COMMAND' -Type 'cereal-admin help' for usage." +Type '$PGRM help' for usage." ;; esac diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 65a7dda..ffb3452 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -94,21 +94,6 @@ EOF echo "$keyParameters" | gpg --batch --gen-key } -# publish server key to keyserver -publish_key() { - read -p "publish key to $KEYSERVER? [Y|n]: " OK; OK=${OK:=Y} - if [ ${OK/y/Y} != 'Y' ] ; then - failure "aborting." - fi - - keyID=$(gpg --list-key --with-colons ="$USERID" 2> /dev/null | grep '^pub:' | cut -d: -f5) - - # dummy command so as not to publish fakes keys during testing - # eventually: - #gpg --send-keys --keyserver "$KEYSERVER" "$keyID" - echo "NOT PUBLISHED: gpg --send-keys --keyserver $KEYSERVER $keyID" -} - ######################################################################## # MAIN ######################################################################## @@ -176,7 +161,7 @@ case $COMMAND in ;; 'publish-key'|'p') - publish_key + publish_server_key ;; 'trust-keys'|'t') @@ -210,6 +195,6 @@ case $COMMAND in *) failure "Unknown command: '$COMMAND' -Type 'cereal-admin help' for usage." +Type '$PGRM help' for usage." ;; esac -- cgit v1.2.3 From 6075397cffdceaf72dd3b430c9124c2ebb59ac65 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 13 Jun 2008 16:56:50 -0400 Subject: make sure the authorized_user_ids file exists for users processed by monkeysphere-server. --- debian/monkeysphere.dirs | 1 + src/monkeysphere | 4 ++-- src/monkeysphere-server | 23 ++++++++++++++++++----- 3 files changed, 21 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/debian/monkeysphere.dirs b/debian/monkeysphere.dirs index fa2bf5f..4604eee 100644 --- a/debian/monkeysphere.dirs +++ b/debian/monkeysphere.dirs @@ -1,3 +1,4 @@ usr/share/monkeysphere var/cache/monkeysphere etc/monkeysphere +etc/monkeysphere/authorized_user_ids diff --git a/src/monkeysphere b/src/monkeysphere index 782ba5e..997ca58 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -31,7 +31,7 @@ GREP_OPTIONS= usage() { cat < [args] -Monkeysphere client tool. +MonkeySphere client tool. subcommands: update-known_hosts (k) [HOST]... update known_hosts file @@ -176,7 +176,7 @@ case $COMMAND in 'update-authorized_keys'|'update-authorized-keys'|'a') MODE='authorized_keys' - # make sure authorized_user_ids file exists + # fail if the authorized_user_ids file is empty if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then failure "$AUTHORIZED_USER_IDS is empty." fi diff --git a/src/monkeysphere-server b/src/monkeysphere-server index ffb3452..922aad3 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -28,7 +28,7 @@ GREP_OPTIONS= usage() { cat < [args] -Monkeysphere server admin tool. +MonkeySphere server admin tool. subcommands: update-users (s) [USER]... update users authorized_keys files @@ -121,7 +121,7 @@ export GNUPGHOME mkdir -p -m 0700 "$GNUPGHOME" case $COMMAND in - 'update-users'|'s') + 'update-users'|'update-user'|'s') if [ "$1" ] ; then unames="$@" else @@ -133,13 +133,17 @@ case $COMMAND in log "----- user: $uname -----" + # set variables for the user AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" msAuthorizedKeys="$CACHE"/"$uname"/authorized_keys cacheDir="$CACHE"/"$uname"/user_keys - # make sure authorized_user_ids file exists + # make sure user's authorized_user_ids file exists + touch "$AUTHORIZED_USER_IDS" + + # skip if the user's authorized_user_ids file is empty if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then - log "authorized_user_ids file for '$uname' is empty or does not exist." + log "authorized_user_ids file for '$uname' is empty." continue fi @@ -164,10 +168,12 @@ case $COMMAND in publish_server_key ;; - 'trust-keys'|'t') + 'trust-keys'|'trust-key'|'t') if [ -z "$1" ] ; then failure "you must specify at least one key to trust." fi + + # process key IDs for keyID ; do trust_key "$keyID" done @@ -182,8 +188,15 @@ case $COMMAND in if [ -z "$1" ] ; then failure "you must specify at least one userid." fi + + # set variables for the user AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" cacheDir="$CACHE"/"$uname"/user_keys + + # make sure user's authorized_user_ids file exists + touch "$AUTHORIZED_USER_IDS" + + # process the user IDs for userID ; do update_userid "$userID" "$cacheDir" done -- cgit v1.2.3 From 2ed952e2207d5278cfe96db2d7eeed40709f846b Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 13 Jun 2008 17:47:34 -0400 Subject: Add 'remove_userid' function, inverse of 'update_userids'. Also, tweaked some of the output and man pages. --- debian/control | 2 +- man/man1/monkeysphere.1 | 15 +++++++++++---- man/man8/monkeysphere-server.8 | 17 +++++++++++++---- src/common | 32 +++++++++++++++++++++++++++----- src/monkeysphere | 18 ++++++++++++++++-- src/monkeysphere-server | 33 +++++++++++++++++++++++++++++++-- 6 files changed, 99 insertions(+), 18 deletions(-) (limited to 'src') diff --git a/debian/control b/debian/control index afd5bfa..d4d25c6 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Dm-Upload-Allowed: yes Package: monkeysphere Architecture: any -Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), ${shlibs:Depends} +Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), moreutils, ${shlibs:Depends} Recommends: netcat Enhances: openssh-client, openssh-server Description: use the OpenPGP web of trust to verify ssh connections diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index d00a9db..762f008 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -31,25 +31,32 @@ listed in the known_hosts file will be processed. `k' may be used in place of `update-known_hosts'. .TP .B update-userids [USERID]... -Add/update a userid in the authorized_user_ids file. The user IDs +Add/update a user ID to the authorized_user_ids file. The user IDs specified should be exact matches to OpenPGP user IDs. For each specified user ID, gpg will be queried for a key associated with that user ID, querying a keyserver if none is found in the user's keychain. If a key is found, it will be added to the user_keys cache (see KEY CACHES) and the user ID will be added to the user's -authorized_user_ids file (if it wasn't already present). +authorized_user_ids file (if it wasn't already present). `u' may be +used in place of `update-userids'. +.TP +.B remove-userids [USERID]... +Remove a user ID from the authorized_user_ids file. The user IDs +specified should be exact matches to OpenPGP user IDs. `r' may be +used in place of `remove-userids'. .TP .B update-authorized_keys Update the monkeysphere authorized_keys file. The monkeysphere authorized_keys file will be regenerated from the valid keys in the user_key cache, and the user's independently controlled -authorized_keys file (usually ~/.ssh/authorized_keys). +authorized_keys file (usually ~/.ssh/authorized_keys). `a' may be +used in place of `update-authorized_keys'. .TP .B gen-ae-subkey KEYID Generate an `ae` capable subkey. For the primary key with the specified key ID, generate a subkey with "authentication" and "encryption" capability that can be used for MonkeySphere -transactions. +transactions. `g' may be used in place of `gen-ae-subkey'. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index cc07077..8f62610 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -19,18 +19,27 @@ be used for authentication and encryption of ssh connection. Update the admin-controlled authorized_keys files for user. For each user specified, update the user's authorized_keys file in /var/cache/monkeysphere/USER. See `man monkeysphere' for more info. +`k' may be used in place of `update-known_hosts'. .TP .B gen-key -Generate a gpg key for the host. +Generate a gpg key for the host. `g' may be used in place of +`gen-key'. .TP .B publish-key -Publish the host's gpg key to a keyserver. +Publish the host's gpg key to a keyserver. `p' may be used in place +of `publish-key' .TP .B trust-keys KEYID... -Mark key specified with KEYID with full owner trust. +Mark key specified with KEYID with full owner trust. `t' may be used +in place of `trust-keys'. .TP .B update-user-userids USER USERID... -Add/update a userid in the authorized_user_ids file for USER. +Add/update a user ID to the authorized_user_ids file for USER. `u' may +be used in place of `update-user-userids'. +.TP +.B remove-user-userids USER USERID... +Remove a user ID from the authorized_user_ids file for USER. `r' may +be used in place of `remove-user-userids'. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of diff --git a/src/common b/src/common index d56028f..01e6f32 100644 --- a/src/common +++ b/src/common @@ -240,6 +240,9 @@ process_user_id() { # hash userid for cache file name userIDHash=$(echo "$userID" | sha1sum | awk '{ print $1 }') + # make sure the cache directory exists + mkdir -p "$cacheDir" + # touch/clear key cache file # (will be left empty if there are noacceptable keys) > "$cacheDir"/"$userIDHash"."$pubKeyID" @@ -285,16 +288,16 @@ update_userid() { cacheDir="$2" log "processing userid: '$userID'" + userIDKeyCache=$(process_user_id "$userID" "$cacheDir") + if [ -z "$userIDKeyCache" ] ; then return 1 fi if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - echo "the following userid is not in the authorized_user_ids file:" - echo " $userID" - read -p "would you like to add it? [Y|n]: " OK; OK=${OK:=Y} + read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} = 'Y' ] ; then - log -n "adding userid to authorized_user_ids file... " + log -n "adding user ID to authorized_user_ids file... " echo "$userID" >> "$AUTHORIZED_USER_IDS" echo "done." else @@ -303,6 +306,24 @@ update_userid() { fi } +# remove a userid from the authorized_user_ids file +remove_userid() { + local userID + + userID="$1" + + log "processing userid: '$userID'" + + if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then + log "user ID not currently authorized." + return 1 + fi + + log -n "removing user ID '$userID'... " + grep -v "$userID" "$AUTHORIZED_USER_IDS" | sponge "$AUTHORIZED_USER_IDS" + echo "done." +} + # process a host for addition to a known_host file process_host() { local host @@ -373,7 +394,8 @@ update_authorized_keys() { cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" echo "done." fi - log "monkeysphere authorized_keys file generated: $msAuthorizedKeys" + log "monkeysphere authorized_keys file generated:" + log "$msAuthorizedKeys" } # process an authorized_*_ids file diff --git a/src/monkeysphere b/src/monkeysphere index 997ca58..1ba51d7 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -35,7 +35,8 @@ MonkeySphere client tool. subcommands: update-known_hosts (k) [HOST]... update known_hosts file - update-userids (u) [USERID]... add/update userid + update-userids (u) [USERID]... add/update user IDs + remove-userids (r) [USERID]... remove user IDs update-authorized_keys (a) update authorized_keys file gen-ae-subkey (g) KEYID generate an 'ae' capable subkey help (h,?) this help @@ -164,13 +165,26 @@ case $COMMAND in fi ;; - 'update-userids'|'u') + 'update-userids'|'update-userid'|'u') if [ -z "$1" ] ; then failure "you must specify at least one userid." fi for userID ; do update_userid "$userID" "$userKeysCacheDir" done + log "run the following to update your monkeysphere authorized_keys file:" + log "$PGRM update-authorized_keys" + ;; + + 'remove-userids'|'remove-userid'|'r') + if [ -z "$1" ] ; then + failure "you must specify at least one userid." + fi + for userID ; do + remove_userid "$userID" + done + log "run the following to update your monkeysphere authorized_keys file:" + log "$PGRM update-authorized_keys" ;; 'update-authorized_keys'|'update-authorized-keys'|'a') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 922aad3..13221c5 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -35,7 +35,8 @@ subcommands: gen-key (g) generate gpg key for the server publish-key (p) publish server key to keyserver trust-keys (t) KEYID... mark keyids as trusted - update-user-userids (u) USER UID... add/update userids for a user + update-user-userids (u) USER UID... add/update user IDs for a user + remove-user-userids (r) USER UID... remove user IDs for a user help (h,?) this help EOF @@ -179,7 +180,7 @@ case $COMMAND in done ;; - 'update-user-userids'|'u') + 'update-user-userids'|'update-user-userid'|'u') uname="$1" shift if [ -z "$uname" ] ; then @@ -200,6 +201,34 @@ case $COMMAND in for userID ; do update_userid "$userID" "$cacheDir" done + + log "run the following to update user's authorized_keys file:" + log "$PGRM update-users $uname" + ;; + + 'remove-user-userids'|'remove-user-userid'|'r') + uname="$1" + shift + if [ -z "$uname" ] ; then + failure "you must specify user." + fi + if [ -z "$1" ] ; then + failure "you must specify at least one userid." + fi + + # set variables for the user + AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" + + # make sure user's authorized_user_ids file exists + touch "$AUTHORIZED_USER_IDS" + + # process the user IDs + for userID ; do + remove_userid "$userID" + done + + log "run the following to update user's authorized_keys file:" + log "$PGRM update-users $uname" ;; 'help'|'h'|'?') -- cgit v1.2.3 From 3141ed26d4d5af1886166f5d91a041dc60d381eb Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 14 Jun 2008 15:06:48 -0400 Subject: cleaning up error output. --- src/keytrans/openpgp2ssh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/keytrans/openpgp2ssh.c b/src/keytrans/openpgp2ssh.c index 9e356e7..58f569e 100644 --- a/src/keytrans/openpgp2ssh.c +++ b/src/keytrans/openpgp2ssh.c @@ -355,7 +355,7 @@ int main(int argc, char* argv[]) { } else { /* we have no idea what kind of key this is at all anyway! */ - err(0,"Input does contain any form of OpenPGP key I recognize."); + err(0,"Input does contain any form of OpenPGP key I recognize.\n"); return 1; } } -- cgit v1.2.3 From 31e072432f985e03cc27b101f3a150fb45204d4f Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 14 Jun 2008 15:58:19 -0400 Subject: Add lsign-key to the trust_keys function so that the trusted key actually ends up with full validity. --- src/common | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'src') diff --git a/src/common b/src/common index 01e6f32..19b5485 100644 --- a/src/common +++ b/src/common @@ -468,6 +468,11 @@ trust_key() { # get key fingerprint fingerprint=$(get_key_fingerprint "$keyID") + # attach a "non-exportable" signature to the key + # this is required for the key to have any validity at all + # the 'y's on stdin indicates "yes, i really want to sign" + echo -e 'y\ny' | gpg --lsign-key --command-fd 0 "$fingerprint" + # import "full" trust for fingerprint into gpg echo ${fingerprint}:5: | gpg --import-ownertrust if [ $? = 0 ] ; then -- cgit v1.2.3 From 28c7489bb830c8ef9bb7c6e40e3fc4d47a702614 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 14 Jun 2008 15:58:34 -0400 Subject: More work on the man pages. --- man/man1/monkeysphere-ssh-proxycommand.1 | 12 ++++++--- man/man1/monkeysphere.1 | 44 ++++++++++++++++++++------------ man/man1/openpgp2ssh.1 | 2 +- man/man8/monkeysphere-server.8 | 25 ++++++++++++------ src/monkeysphere-server | 2 +- 5 files changed, 55 insertions(+), 30 deletions(-) (limited to 'src') diff --git a/man/man1/monkeysphere-ssh-proxycommand.1 b/man/man1/monkeysphere-ssh-proxycommand.1 index 63b5a5e..8392ae8 100644 --- a/man/man1/monkeysphere-ssh-proxycommand.1 +++ b/man/man1/monkeysphere-ssh-proxycommand.1 @@ -1,9 +1,11 @@ .TH MONKEYSPHERE-SSH-PROXYCOMMAND "1" "June 2008" "monkeysphere 0.1" "User Commands" + .SH NAME + monkeysphere-ssh-proxycommand \- MonkeySphere ssh ProxyCommand script -.PD + .SH DESCRIPTION -.PP + \fBmonkeysphere-ssh-proxy\fP is an ssh proxy command that can be used to trigger a monkeysphere update of the known_hosts file for the hosts that are being connected to. It is meant to be run as an ssh @@ -28,11 +30,13 @@ and then Run the following command for more info: .B less $(which monkeysphere-ssh-proxycommand) -.PD + .SH AUTHOR + Written by Jameson Rollins -.PD + .SH SEE ALSO + .BR monkeypshere (1), .BR ssh (1), .BR gpg (1) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 762f008..526cad6 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -1,20 +1,24 @@ .TH MONKEYSPHERE "1" "June 2008" "monkeysphere 0.1" "User Commands" + .SH NAME + monkeysphere \- MonkeySphere client user interface -.PD + .SH SYNOPSIS + .B monkeysphere \fIcommand\fP [\fIargs\fP] -.PD + .SH DESCRIPTION -.PP + MonkeySphere is a system to leverage the OpenPGP Web of Trust for ssh authentication and encryption. OpenPGP keys are tracked via GnuPG, and added to the ssh authorized_keys and known_hosts files to be used for authentication and encryption of ssh connection. \fBmonkeysphere\fP is the MonkeySphere client utility. -.PD + .SH SUBCOMMANDS + \fBmonkeysphere\fP takes various subcommands: .TP .B update-known_hosts [HOST]... @@ -61,10 +65,15 @@ transactions. `g' may be used in place of `gen-ae-subkey'. .B help Output a brief usage summary. `h' or `?' may be used in place of `help'. -.PD + +.SH HOST URIs + +Host OpenPGP keys have associated user IDs that use the ssh URI +specification for the host, ie. "ssh://host.full.domain". + .SH KEY ACCEPTABILITY + GPG keys are considered acceptable if the following criteria are met: -.PD .TP .B capability The key must have both the "authentication" and "encrypt" capability @@ -72,8 +81,9 @@ flags. .TP .B validity The key must be "fully" valid, and must not be expired or revoked. -.PD + .SH KEY CACHES + Monkeysphere keeps track of keys in key cache directories. The files in the cache are named with the format "USERID_HASH.PUB_KEY_ID", where USERID_HASH is a hash of the exact OpenPGP user ID, and PUB_KEY_ID is @@ -86,9 +96,9 @@ will be stored in the host_keys cache files, and authorized_keys style key lines will be stored in the user_keys cache files. OpenPGP keys are converted to ssh-style keys with the openpgp2ssh utility (see `man openpgp2ssh'). -.PD + .SH FILES -.PD 1 + .TP ~/.config/monkeysphere/monkeysphere.conf User monkeysphere config file. @@ -97,8 +107,8 @@ User monkeysphere config file. System-wide monkeysphere config file. .TP ~/.config/monkeysphere/authorized_user_ids -GPG user IDs associated with keys that will be checked for addition to -the authorized_keys file. +OpenPGP user IDs associated with keys that will be checked for +addition to the authorized_keys file. .TP ~/.config/monkeysphere/authorized_keys Monkeysphere generated authorized_keys file. @@ -108,12 +118,14 @@ User keys cache directory. .TP ~/.config/monkeysphere/host_keys Host keys cache directory. -.PD + .SH AUTHOR + Written by Jameson Rollins -.PD + .SH SEE ALSO -.BR ssh (1), + .BR monkeysphere-ssh-proxycommand (1), -.BR gpg (1), -.BR monkeysphere-server (8) +.BR monkeysphere-server (8), +.BR ssh (1), +.BR gpg (1) diff --git a/man/man1/openpgp2ssh.1 b/man/man1/openpgp2ssh.1 index 83b6154..bea1da5 100644 --- a/man/man1/openpgp2ssh.1 +++ b/man/man1/openpgp2ssh.1 @@ -69,7 +69,7 @@ and this man page were written by Daniel Kahn Gillmor . .Sh BUGS .Nm -currently only exports into formats used by the OpenSSH. +Currently only exports into formats used by the OpenSSH. It should support other key output formats, such as those used by lsh(1) and putty(1). .Pp diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 8f62610..eafd6a8 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -1,18 +1,24 @@ .TH MONKEYSPHERE-SERVER "1" "June 2008" "monkeysphere 0.1" "User Commands" + .SH NAME + monkeysphere-server \- monkeysphere server admin user interface + .SH SYNOPSIS + .B monkeysphere-server \fIcommand\fP [\fIargs\fP] + .SH DESCRIPTION -.PP + \fBMonkeySphere\fP is a system to leverage the OpenPGP Web of Trust for ssh authentication and encryption. OpenPGP keys are tracked via GnuPG, and added to the ssh authorized_keys and known_hosts files to be used for authentication and encryption of ssh connection. \fBmonkeysphere-server\fP is the MonkeySphere server admin utility. -.PD + .SH SUBCOMMANDS + \fBmonkeysphere-server\fP takes various subcommands: .TP .B update-users [USER]... @@ -26,11 +32,11 @@ Generate a gpg key for the host. `g' may be used in place of `gen-key'. .TP .B publish-key -Publish the host's gpg key to a keyserver. `p' may be used in place +Publish the host's gpg key to the keyserver. `p' may be used in place of `publish-key' .TP .B trust-keys KEYID... -Mark key specified with KEYID with full owner trust. `t' may be used +Mark key specified with key IDs with full owner trust. `t' may be used in place of `trust-keys'. .TP .B update-user-userids USER USERID... @@ -44,9 +50,9 @@ be used in place of `remove-user-userids'. .B help Output a brief usage summary. `h' or `?' may be used in place of `help'. -.PD + .SH FILES -.PD 1 + .TP /etc/monkeysphere/monkeysphere-server.conf System monkeysphere-server config file. @@ -60,12 +66,15 @@ Monkeysphere GNUPG home directory. /etc/monkeysphere/authorized_user_ids/USER Server maintained authorized_user_ids files for users. .TP -/var/cachemonkeysphere/USER +/var/cache/monkeysphere/USER User keys cache directories. -.PD + .SH AUTHOR + Written by Jameson Rollins + .SH SEE ALSO + .BR monkeysphere (1), .BR gpg (1), .BR ssh (1) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 13221c5..e05b4b7 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -47,7 +47,7 @@ gen_key() { # set key defaults KEY_TYPE=${KEY_TYPE:-"RSA"} KEY_LENGTH=${KEY_LENGTH:-"2048"} - KEY_USAGE=${KEY_USAGE:-"encrypt,auth"} + KEY_USAGE=${KEY_USAGE:-"auth,encrypt"} SERVICE=${SERVICE:-"ssh"} HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} -- cgit v1.2.3 From 07cb14cdb80ef060e63ba2713ef70b67db9f5783 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 15 Jun 2008 11:46:07 -0400 Subject: Separate required key capability variables for users and hosts. Change default for user to be "a", and host to be "e a". --- etc/monkeysphere-server.conf | 9 ++++++--- etc/monkeysphere.conf | 6 +++++- src/common | 33 ++++++++++++++++++++------------- src/monkeysphere | 3 ++- src/monkeysphere-server | 2 +- 5 files changed, 34 insertions(+), 19 deletions(-) (limited to 'src') diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf index 3c16c5f..82da497 100644 --- a/etc/monkeysphere-server.conf +++ b/etc/monkeysphere-server.conf @@ -1,20 +1,23 @@ # MonkeySphere server configuration file. +# This is an sh-style shell configuration file. Variable names should +# be separated from their assignements by a single '=' and no spaces. + # GPG home directory for server #GNUPGHOME=/etc/monkeysphere/gnupg # GPG keyserver to search for keys #KEYSERVER=subkeys.pgp.net -# Required key capabilities +# Required user key capabilities # Must be quoted, lowercase, space-seperated list of the following: # e = encrypt # s = sign # c = certify # a = authentication -#REQUIRED_KEY_CAPABILITY="e a" +#REQUIRED_USER_KEY_CAPABILITY="a" # Whether to add user controlled authorized_keys file to # monkeysphere-generated authorized_keys file. Should be path to file -# where '%h' will be substituted for the user's home directory. +# where '%h' will be replaced by the home directory of the user. #USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index 385165a..d478b93 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf @@ -1,5 +1,8 @@ # MonkeySphere system-wide client configuration file. +# This is an sh-style shell configuration file. Variable names should +# be separated from their assignements by a single '=' and no spaces. + # authorized_user_ids file #AUTHORIZED_USER_IDS=~/.config/monkeysphere/authorized_user_ids @@ -15,7 +18,8 @@ # s = sign # c = certify # a = authentication -#REQUIRED_KEY_CAPABILITY="e a" +#REQUIRED_HOST_KEY_CAPABILITY="e a" +#REQUIRED_USER_KEY_CAPABILITY="a" # Path to user-controlled authorized_keys file to add to # Monkeysphere-generated authorized_keys file. If empty, then no diff --git a/src/common b/src/common index 19b5485..8d8e506 100644 --- a/src/common +++ b/src/common @@ -1,13 +1,13 @@ # -*-shell-script-*- -# Shared bash functions for the monkeysphere +# Shared sh functions for the monkeysphere # # Written by # Jameson Rollins # # Copyright 2008, released under the GPL, version 3 or later -# all caps variables are meant to be user supplied (ie. from config +# all-caps variables are meant to be user supplied (ie. from config # file) and are considered global ######################################################################## @@ -123,13 +123,14 @@ gpg2authorized_keys() { # userid and key policy checking # the following checks policy on the returned keys # - checks that full key has appropriate valididy (u|f) -# - checks key has specified capability (REQUIRED_KEY_CAPABILITY) +# - checks key has specified capability (REQUIRED_*_KEY_CAPABILITY) # - checks that particular desired user id has appropriate validity # see /usr/share/doc/gnupg/DETAILS.gz # expects global variable: "MODE" process_user_id() { local userID local cacheDir + local requiredCapability local requiredPubCapability local gpgOut local line @@ -148,7 +149,13 @@ process_user_id() { userID="$1" cacheDir="$2" - requiredPubCapability=$(echo "$REQUIRED_KEY_CAPABILITY" | tr "[:lower:]" "[:upper:]") + # set the required key capability based on the mode + if [ "$MODE" = 'known_hosts' ] ; then + requiredCapability="$REQUIRED_HOST_KEY_CAPABILITY" + elif [ "$MODE" = 'authorized_keys' ] ; then + requiredCapability="$REQUIRED_USER_KEY_CAPABILITY" + fi + requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]") # fetch keys from keyserver, return 1 if none found gpg_fetch_userid "$userID" || return 1 @@ -207,7 +214,7 @@ process_user_id() { keyOK=true # add primary key ID to key list if it has required capability - if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then + if check_capability "$capability" $requiredCapability ; then keyIDs[${#keyIDs[*]}]="$keyid" fi ;; @@ -230,7 +237,7 @@ process_user_id() { ;; 'sub') # sub keys # add sub key ID to key list if it has required capability - if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then + if check_capability "$capability" $requiredCapability ; then keyIDs[${#keyIDs[*]}]="$keyid" fi ;; @@ -282,16 +289,16 @@ process_user_id() { update_userid() { local userID local cacheDir - local userIDKeyCache + local keyCache userID="$1" cacheDir="$2" log "processing userid: '$userID'" - userIDKeyCache=$(process_user_id "$userID" "$cacheDir") + keyCachePath=$(process_user_id "$userID" "$cacheDir") - if [ -z "$userIDKeyCache" ] ; then + if [ -z "$keyCachePath" ] ; then return 1 fi if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then @@ -328,17 +335,17 @@ remove_userid() { process_host() { local host local cacheDir - local hostKeyCachePath + local keyCachePath host="$1" cacheDir="$2" log "processing host: '$host'" - hostKeyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") + keyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") if [ $? = 0 ] ; then ssh-keygen -R "$host" -f "$USER_KNOWN_HOSTS" - cat "$hostKeyCachePath" >> "$USER_KNOWN_HOSTS" + cat "$keyCachePath" >> "$USER_KNOWN_HOSTS" fi } @@ -425,7 +432,7 @@ process_authorized_ids() { # EXPERIMENTAL (unused) process userids found in authorized_keys file # go through line-by-line, extract monkeysphere userids from comment # fields, and process each userid -process_userids_from_authorized_keys() { +process_authorized_keys() { local authorizedKeys local cacheDir local userID diff --git a/src/monkeysphere b/src/monkeysphere index 1ba51d7..ff4423b 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -118,7 +118,8 @@ MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"} AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} -REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} +REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"} +REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"} diff --git a/src/monkeysphere-server b/src/monkeysphere-server index e05b4b7..7d11138 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -113,7 +113,7 @@ MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf} # set empty config variable with defaults GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} KEYSERVER=${KEYSERVER:-subkeys.pgp.net} -REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"} +REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} export GNUPGHOME -- cgit v1.2.3 From 5ff6e131ad52ce4de7172e56170ea4f37e397a9e Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 15 Jun 2008 18:23:39 -0400 Subject: Fix gen-subkey function for client. --- man/man1/monkeysphere.1 | 15 ++++++----- src/monkeysphere | 68 ++++++++++++++++++++++++------------------------- src/monkeysphere-server | 2 +- 3 files changed, 42 insertions(+), 43 deletions(-) (limited to 'src') diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index 526cad6..95f1e59 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -56,11 +56,11 @@ user_key cache, and the user's independently controlled authorized_keys file (usually ~/.ssh/authorized_keys). `a' may be used in place of `update-authorized_keys'. .TP -.B gen-ae-subkey KEYID -Generate an `ae` capable subkey. For the primary key with the -specified key ID, generate a subkey with "authentication" and -"encryption" capability that can be used for MonkeySphere -transactions. `g' may be used in place of `gen-ae-subkey'. +.B gen-subkey KEYID +Generate an `a` capable subkey. For the primary key with the +specified key ID, generate a subkey with "authentication" capability +that can be used for MonkeySphere transactions. `g' may be used in +place of `gen-subkey'. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of @@ -76,8 +76,9 @@ specification for the host, ie. "ssh://host.full.domain". GPG keys are considered acceptable if the following criteria are met: .TP .B capability -The key must have both the "authentication" and "encrypt" capability -flags. +For host keys, the key must have both the "authentication" ("a") and +"encrypt" ("e") capability flags. For user keys, the key must have +the "authentication" ("a") capability flag. .TP .B validity The key must be "fully" valid, and must not be expired or revoked. diff --git a/src/monkeysphere b/src/monkeysphere index ff4423b..6369197 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # monkeysphere: MonkeySphere client tool # @@ -38,14 +38,15 @@ subcommands: update-userids (u) [USERID]... add/update user IDs remove-userids (r) [USERID]... remove user IDs update-authorized_keys (a) update authorized_keys file - gen-ae-subkey (g) KEYID generate an 'ae' capable subkey + gen-subkey (g) KEYID generate an 'a' capable subkey help (h,?) this help EOF } -# generate a subkey with the 'a' and 'e' usage flags set -gen_ae_subkey(){ +# generate a subkey with the 'a' usage flags set +# FIXME: not working yet. +gen_subkey(){ local keyID local gpgOut local userID @@ -54,11 +55,6 @@ gen_ae_subkey(){ keyID="$1" - # set subkey defaults - SUBKEY_TYPE=${KEY_TYPE:-"RSA"} - SUBKEY_LENGTH=${KEY_LENGTH:-"1024"} - SUBKEY_USAGE=${KEY_USAGE:-"encrypt,auth"} - gpgOut=$(gpg --fixed-list-mode --list-keys --with-colons \ "$keyID" 2> /dev/null) @@ -68,35 +64,37 @@ gen_ae_subkey(){ return 1 fi - userID=$(echo "$gpgOut" | grep "^uid:" | cut -d: -f10) - - # set key parameters - keyParameters=$(cat < = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years EOF -) - - echo "The following key parameters will be used:" - echo "$keyParameters" - - read -p "generate key? [Y|n]: " OK; OK=${OK:=Y} - if [ ${OK/y/Y} != 'Y' ] ; then - failure "aborting." - fi - - # add commit command - keyParameters="${keyParameters}"$(cat < Date: Sun, 15 Jun 2008 18:31:09 -0400 Subject: fix some output formatting. --- src/monkeysphere | 13 +++++-------- src/monkeysphere-server | 14 +++++++------- 2 files changed, 12 insertions(+), 15 deletions(-) (limited to 'src') diff --git a/src/monkeysphere b/src/monkeysphere index 6369197..23ebd63 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -45,14 +45,12 @@ EOF } # generate a subkey with the 'a' usage flags set -# FIXME: not working yet. +# FIXME: this needs some tweaking to clean it up gen_subkey(){ local keyID local gpgOut local userID - log "warning: this function is still not working." - keyID="$1" gpgOut=$(gpg --fixed-list-mode --list-keys --with-colons \ @@ -60,8 +58,7 @@ gen_subkey(){ # return 1 if there only "tru" lines are output from gpg if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then - log " key not found." - return 1 + failure "Key ID '$keyID' not found." fi # set subkey defaults @@ -171,7 +168,7 @@ case $COMMAND in for userID ; do update_userid "$userID" "$userKeysCacheDir" done - log "run the following to update your monkeysphere authorized_keys file:" + log "Run the following to update your monkeysphere authorized_keys file:" log "$PGRM update-authorized_keys" ;; @@ -182,7 +179,7 @@ case $COMMAND in for userID ; do remove_userid "$userID" done - log "run the following to update your monkeysphere authorized_keys file:" + log "Run the following to update your monkeysphere authorized_keys file:" log "$PGRM update-authorized_keys" ;; @@ -204,7 +201,7 @@ case $COMMAND in 'gen-subkey'|'g') keyID="$1" if [ -z "$keyID" ] ; then - failure "you must specify keyid of primary key." + failure "You must specify the key ID of your primary key." fi gen_subkey "$keyID" ;; diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 58eafaa..3cc7454 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -171,7 +171,7 @@ case $COMMAND in 'trust-keys'|'trust-key'|'t') if [ -z "$1" ] ; then - failure "you must specify at least one key to trust." + failure "You must specify at least one key to trust." fi # process key IDs @@ -184,10 +184,10 @@ case $COMMAND in uname="$1" shift if [ -z "$uname" ] ; then - failure "you must specify user." + failure "You must specify user." fi if [ -z "$1" ] ; then - failure "you must specify at least one userid." + failure "You must specify at least one user ID." fi # set variables for the user @@ -202,7 +202,7 @@ case $COMMAND in update_userid "$userID" "$cacheDir" done - log "run the following to update user's authorized_keys file:" + log "Run the following to update user's authorized_keys file:" log "$PGRM update-users $uname" ;; @@ -210,10 +210,10 @@ case $COMMAND in uname="$1" shift if [ -z "$uname" ] ; then - failure "you must specify user." + failure "You must specify user." fi if [ -z "$1" ] ; then - failure "you must specify at least one userid." + failure "You must specify at least one user ID." fi # set variables for the user @@ -227,7 +227,7 @@ case $COMMAND in remove_userid "$userID" done - log "run the following to update user's authorized_keys file:" + log "Run the following to update user's authorized_keys file:" log "$PGRM update-users $uname" ;; -- cgit v1.2.3 From b13286dc0e549347f86b64049d4eb2bd2891e1ab Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 16 Jun 2008 00:48:13 -0400 Subject: openpgp2ssh now handles private key export for subkeys, not just public keys. --- src/keytrans/openpgp2ssh.c | 120 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 98 insertions(+), 22 deletions(-) (limited to 'src') diff --git a/src/keytrans/openpgp2ssh.c b/src/keytrans/openpgp2ssh.c index 58f569e..ce4d13d 100644 --- a/src/keytrans/openpgp2ssh.c +++ b/src/keytrans/openpgp2ssh.c @@ -40,6 +40,10 @@ int convert_private_pgp_to_x509(gnutls_x509_privkey_t* output, const gnutls_open gnutls_pk_algorithm_t pgp_algo; unsigned int pgp_bits; int ret; + gnutls_openpgp_keyid_t curkeyid; + int subkeyidx; + int subkeycount; + int found = 0; /* FIXME: actually respect keyid argument. At the moment, we just emit the primary key. */ @@ -54,32 +58,104 @@ int convert_private_pgp_to_x509(gnutls_x509_privkey_t* output, const gnutls_open init_datum(&y); init_datum(&x); - pgp_algo = gnutls_openpgp_privkey_get_pk_algorithm(*pgp_privkey, &pgp_bits); - if (pgp_algo < 0) { - err(0, "failed to get OpenPGP key algorithm (error: %d)\n", pgp_algo); + + subkeycount = gnutls_openpgp_privkey_get_subkey_count(*pgp_privkey); + if (subkeycount < 0) { + err(0,"Could not determine subkey count (got value %d)\n", subkeycount); return 1; } - if (pgp_algo == GNUTLS_PK_RSA) { - err(0,"OpenPGP RSA Key, with %d bits\n", pgp_bits); - ret = gnutls_openpgp_privkey_export_rsa_raw(*pgp_privkey, &m, &e, &d, &p, &q, &u); - if (GNUTLS_E_SUCCESS != ret) { - err(1, "failed to export RSA key parameters (error: %d)\n", ret); + + if ((keyid == NULL) && + (subkeycount > 0)) { + err(0,"No keyid passed in, but there were %d keys to choose from\n", subkeycount + 1); + return 1; + } + + if (keyid != NULL) { + ret = gnutls_openpgp_privkey_get_key_id(*pgp_privkey, curkeyid); + if (ret) { + err(0,"Could not get keyid (error: %d)\n", ret); return 1; } + } + if ((keyid == NULL) || (memcmp(*keyid, curkeyid, sizeof(gnutls_openpgp_keyid_t)) == 0)) { + /* we want to export the primary key: */ + err(0,"exporting primary key\n"); - ret = gnutls_x509_privkey_import_rsa_raw (*output, &m, &e, &d, &p, &q, &u); - if (GNUTLS_E_SUCCESS != ret) { - err(1, "failed to import RSA key parameters (error: %d)\n", ret); + /* FIXME: this is almost identical to the block below for subkeys. + This clumsiness seems inherent in the gnutls OpenPGP API, + though. ugh. */ + pgp_algo = gnutls_openpgp_privkey_get_pk_algorithm(*pgp_privkey, &pgp_bits); + if (pgp_algo < 0) { + err(0, "failed to get OpenPGP key algorithm (error: %d)\n", pgp_algo); return 1; } - } else if (pgp_algo == GNUTLS_PK_DSA) { - err(0,"OpenPGP DSA Key, with %d bits\n", pgp_bits); - ret = gnutls_openpgp_privkey_export_dsa_raw(*pgp_privkey, &p, &q, &g, &y, &x); + if (pgp_algo == GNUTLS_PK_RSA) { + err(0,"OpenPGP RSA Key, with %d bits\n", pgp_bits); + ret = gnutls_openpgp_privkey_export_rsa_raw(*pgp_privkey, &m, &e, &d, &p, &q, &u); + if (GNUTLS_E_SUCCESS != ret) { + err(0, "failed to export RSA key parameters (error: %d)\n", ret); + return 1; + } + + } else if (pgp_algo == GNUTLS_PK_DSA) { + err(0,"OpenPGP DSA Key, with %d bits\n", pgp_bits); + ret = gnutls_openpgp_privkey_export_dsa_raw(*pgp_privkey, &p, &q, &g, &y, &x); + if (GNUTLS_E_SUCCESS != ret) { + err(0,"failed to export DSA key parameters (error: %d)\n", ret); + return 1; + } + } + found = 1; + } else { + /* lets trawl through the subkeys until we find the one we want: */ + for (subkeyidx = 0; (subkeyidx < subkeycount) && !found; subkeyidx++) { + ret = gnutls_openpgp_privkey_get_subkey_id(*pgp_privkey, subkeyidx, curkeyid); + if (ret) { + err(0,"Could not get keyid of subkey with index %d (error: %d)\n", subkeyidx, ret); + return 1; + } + if (memcmp(*keyid, curkeyid, sizeof(gnutls_openpgp_keyid_t)) == 0) { + err(0,"exporting subkey index %d\n", subkeyidx); + + /* FIXME: this is almost identical to the block above for the + primary key. */ + pgp_algo = gnutls_openpgp_privkey_get_subkey_pk_algorithm(*pgp_privkey, subkeyidx, &pgp_bits); + if (pgp_algo < 0) { + err(0,"failed to get the algorithm of the OpenPGP public key (error: %d)\n", pgp_algo); + return pgp_algo; + } else if (pgp_algo == GNUTLS_PK_RSA) { + err(0,"OpenPGP RSA key, with %d bits\n", pgp_bits); + ret = gnutls_openpgp_privkey_export_subkey_rsa_raw(*pgp_privkey, subkeyidx, &m, &e, &d, &p, &q, &u); + if (GNUTLS_E_SUCCESS != ret) { + err(0,"failed to export RSA key parameters (error: %d)\n", ret); + return 1; + } + } else if (pgp_algo == GNUTLS_PK_DSA) { + err(0,"OpenPGP DSA Key, with %d bits\n", pgp_bits); + ret = gnutls_openpgp_privkey_export_subkey_dsa_raw(*pgp_privkey, subkeyidx, &p, &q, &g, &y, &x); + if (GNUTLS_E_SUCCESS != ret) { + err(0,"failed to export DSA key parameters (error: %d)\n", ret); + return 1; + } + } + found = 1; + } + } + } + + if (!found) { + err(0,"Could not find key in input\n"); + return 1; + } + + if (pgp_algo == GNUTLS_PK_RSA) { + ret = gnutls_x509_privkey_import_rsa_raw (*output, &m, &e, &d, &p, &q, &u); if (GNUTLS_E_SUCCESS != ret) { - err(0,"failed to export DSA key parameters (error: %d)\n", ret); + err(0, "failed to import RSA key parameters (error: %d)\n", ret); return 1; } - + } else if (pgp_algo == GNUTLS_PK_DSA) { ret = gnutls_x509_privkey_import_dsa_raw (*output, &p, &q, &g, &y, &x); if (GNUTLS_E_SUCCESS != ret) { err(0,"failed to import DSA key parameters (error: %d)\n", ret); @@ -164,14 +240,14 @@ int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, gnutls_ope err(0,"OpenPGP RSA certificate, with %d bits\n", bits); ret = gnutls_openpgp_crt_get_pk_rsa_raw(*pgp_crt, &m, &e); if (GNUTLS_E_SUCCESS != ret) { - err(0,"failed to export RSA key parameters (error: %d)\n", ret); + err(0,"failed to export RSA certificate parameters (error: %d)\n", ret); return 1; } } else if (algo == GNUTLS_PK_DSA) { - err(0,"OpenPGP DSA Key, with %d bits\n", bits); + err(0,"OpenPGP DSA certificate, with %d bits\n", bits); ret = gnutls_openpgp_crt_get_pk_dsa_raw(*pgp_crt, &p, &q, &g, &y); if (GNUTLS_E_SUCCESS != ret) { - err(0,"failed to export DSA key parameters (error: %d)\n", ret); + err(0,"failed to export DSA certificate parameters (error: %d)\n", ret); return 1; } } @@ -198,14 +274,14 @@ int emit_public_openssh_from_pgp(const gnutls_openpgp_crt_t* pgp_crt, gnutls_ope err(0,"OpenPGP RSA certificate, with %d bits\n", bits); ret = gnutls_openpgp_crt_get_subkey_pk_rsa_raw(*pgp_crt, subkeyidx, &m, &e); if (GNUTLS_E_SUCCESS != ret) { - err(0,"failed to export RSA key parameters (error: %d)\n", ret); + err(0,"failed to export RSA certificate parameters (error: %d)\n", ret); return 1; } } else if (algo == GNUTLS_PK_DSA) { - err(0,"OpenPGP DSA Key, with %d bits\n", bits); + err(0,"OpenPGP DSA certificate, with %d bits\n", bits); ret = gnutls_openpgp_crt_get_subkey_pk_dsa_raw(*pgp_crt, subkeyidx, &p, &q, &g, &y); if (GNUTLS_E_SUCCESS != ret) { - err(0,"failed to export DSA key parameters (error: %d)\n", ret); + err(0,"failed to export DSA certificate parameters (error: %d)\n", ret); return 1; } } -- cgit v1.2.3 From 785736d891f6c61eb5d7f4f10687ef9a0d920c3b Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 16 Jun 2008 01:05:12 -0400 Subject: openpgp2ssh whitespace and comment cleanup. --- src/keytrans/openpgp2ssh.c | 7 ------- 1 file changed, 7 deletions(-) (limited to 'src') diff --git a/src/keytrans/openpgp2ssh.c b/src/keytrans/openpgp2ssh.c index ce4d13d..511af71 100644 --- a/src/keytrans/openpgp2ssh.c +++ b/src/keytrans/openpgp2ssh.c @@ -45,9 +45,6 @@ int convert_private_pgp_to_x509(gnutls_x509_privkey_t* output, const gnutls_open int subkeycount; int found = 0; -/* FIXME: actually respect keyid argument. At the moment, we just - emit the primary key. */ - init_datum(&m); init_datum(&e); init_datum(&d); @@ -58,7 +55,6 @@ int convert_private_pgp_to_x509(gnutls_x509_privkey_t* output, const gnutls_open init_datum(&y); init_datum(&x); - subkeycount = gnutls_openpgp_privkey_get_subkey_count(*pgp_privkey); if (subkeycount < 0) { err(0,"Could not determine subkey count (got value %d)\n", subkeycount); @@ -436,9 +432,6 @@ int main(int argc, char* argv[]) { } } - - - gnutls_global_deinit(); return 0; } -- cgit v1.2.3 From 9715df03ccc1620db97d3fea50e5031f6ed36fde Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 16 Jun 2008 10:24:39 -0400 Subject: genericized the hex printing capabilities. --- src/keytrans/gnutls-helpers.c | 19 ++++++++++++++----- src/keytrans/gnutls-helpers.h | 2 ++ 2 files changed, 16 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/keytrans/gnutls-helpers.c b/src/keytrans/gnutls-helpers.c index d5f3719..5b4c46a 100644 --- a/src/keytrans/gnutls-helpers.c +++ b/src/keytrans/gnutls-helpers.c @@ -15,6 +15,8 @@ /* for exit() */ #include +#include + /* higher levels allow more frivolous error messages through. this is set with the MONKEYSPHERE_DEBUG variable */ static int loglevel = 0; @@ -40,14 +42,21 @@ void init_keyid(gnutls_openpgp_keyid_t keyid) { void make_keyid_printable(printable_keyid out, gnutls_openpgp_keyid_t keyid) +{ + assert(sizeof(out) >= 2*sizeof(keyid)); + hex_print_data((char*)out, (const char*)keyid, sizeof(keyid)); +} + +/* you must have twice as many bytes in the out buffer as in the in buffer */ +void hex_print_data(char* out, const char* in, size_t incount) { static const char hex[16] = "0123456789ABCDEF"; - unsigned int kix = 0, outix = 0; + unsigned int inix = 0, outix = 0; - while (kix < sizeof(gnutls_openpgp_keyid_t)) { - out[outix] = hex[(keyid[kix] >> 4) & 0x0f]; - out[outix + 1] = hex[keyid[kix] & 0x0f]; - kix++; + while (inix < incount) { + out[outix] = hex[(in[inix] >> 4) & 0x0f]; + out[outix + 1] = hex[in[inix] & 0x0f]; + inix++; outix += 2; } } diff --git a/src/keytrans/gnutls-helpers.h b/src/keytrans/gnutls-helpers.h index 670d5ff..f196456 100644 --- a/src/keytrans/gnutls-helpers.h +++ b/src/keytrans/gnutls-helpers.h @@ -48,6 +48,8 @@ void collapse_printable_keyid(gnutls_openpgp_keyid_t out, printable_keyid in); int convert_string_to_keyid(gnutls_openpgp_keyid_t out, const char* str); int convert_string_to_printable_keyid(printable_keyid out, const char* str); +/* you must have twice as many bytes in the out buffer as in the in buffer */ +void hex_print_data(char* out, const char* in, size_t incount); /* functions to get data into datum objects: */ -- cgit v1.2.3 From bb17921883afe6edfeaa029d2113baebf10b7b92 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Jun 2008 14:07:33 -0400 Subject: Allow for specification of whether to check keyserver. Update proxy command to check keyserver if host not found in known_hosts. --- src/monkeysphere-ssh-proxycommand | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'src') diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 417d013..ec162ab 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -16,6 +16,36 @@ HOST="$1" PORT="$2" +usage() { +cat <&2 +usage: ssh -o ProxyCommand="$(basename $0) %h %p" ... +EOF +} + +log() { + echo "$@" >&2 +} + +if [ -z "$HOST" ] ; then + log "host must be specified." + usage + exit 1 +fi +if [ -z "$PORT" ] ; then + log "port must be specified." + usage + exit 1 +fi + +# check for the host key in the known_hosts file +hostKey=$(ssh-keygen -F "$HOST") + +# if the host key is not found in the known_hosts file, +# check the keyserver +if [ -z "$hostKey" ] ; then + CHECK_KEYSERVER="true" +fi + # update the known_hosts file for the host monkeysphere update-known-hosts "$HOST" -- cgit v1.2.3 From b6983d7cb86f450ebd7fafcb254011fd7099c246 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Jun 2008 14:07:33 -0400 Subject: Allow for specification of whether to check keyserver. Update proxy command to check keyserver if host not found in known_hosts. --- src/common | 40 +++++++++++++++++++++++++-------------- src/monkeysphere | 2 +- src/monkeysphere-ssh-proxycommand | 30 +++++++++++++++++++++++++++++ 3 files changed, 57 insertions(+), 15 deletions(-) (limited to 'src') diff --git a/src/common b/src/common index 8d8e506..471e75a 100644 --- a/src/common +++ b/src/common @@ -43,12 +43,22 @@ cutline() { # FIXME: need to figure out how to retrieve all matching keys # (not just first 5) gpg_fetch_userid() { - local id - id="$1" - echo 1,2,3,4,5 | \ - gpg --quiet --batch --command-fd 0 --with-colons \ - --keyserver "$KEYSERVER" \ - --search ="$id" >/dev/null 2>&1 + local userID + + userID="$1" + + # if CHECK_KEYSERVER variable set, check the keyserver + # for the user ID + if [ "CHECK_KEYSERVER" ] ; then + echo 1,2,3,4,5 | \ + gpg --quiet --batch --command-fd 0 --with-colons \ + --keyserver "$KEYSERVER" \ + --search ="$userID" >/dev/null 2>&1 + + # otherwise just return true + else + return + fi } # check that characters are in a string (in an AND fashion). @@ -117,7 +127,7 @@ gpg2authorized_keys() { gpg --export "$keyID" | \ openpgp2ssh "$keyID" | tr -d '\n' - echo " MonkeySphere${DATE}:${userID}" + echo " MonkeySphere${DATE}: ${userID}" } # userid and key policy checking @@ -296,18 +306,23 @@ update_userid() { log "processing userid: '$userID'" + # return 1 if there is no output of the user ID processing + # ie. no key was found keyCachePath=$(process_user_id "$userID" "$cacheDir") - if [ -z "$keyCachePath" ] ; then return 1 fi + + # check if user ID is in the authorized_user_ids file if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} = 'Y' ] ; then + # add if specified log -n "adding user ID to authorized_user_ids file... " echo "$userID" >> "$AUTHORIZED_USER_IDS" echo "done." else + # else do nothing log "authorized_user_ids file untouched." fi fi @@ -340,7 +355,7 @@ process_host() { host="$1" cacheDir="$2" - log "processing host: '$host'" + log "processing host: $host" keyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") if [ $? = 0 ] ; then @@ -353,18 +368,15 @@ process_host() { # go through line-by-line, extract each host, and process with the # host processing function process_known_hosts() { - local knownHosts local cacheDir local hosts local host - knownHosts="$1" - cacheDir="$2" + cacheDir="$1" # take all the hosts from the known_hosts file (first field), # grep out all the hashed hosts (lines starting with '|')... - cut -d ' ' -f 1 "$knownHosts" | \ - grep -v '^|.*$' | \ + meat "$USER_KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | \ while IFS=, read -r -a hosts ; do # ...and process each host for host in ${hosts[*]} ; do diff --git a/src/monkeysphere b/src/monkeysphere index 23ebd63..79bc352 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -157,7 +157,7 @@ case $COMMAND in failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." fi log "processing known_hosts file..." - process_known_hosts "$USER_KNOWN_HOSTS" "$hostKeysCacheDir" + process_known_hosts "$hostKeysCacheDir" fi ;; diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index 417d013..ec162ab 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -16,6 +16,36 @@ HOST="$1" PORT="$2" +usage() { +cat <&2 +usage: ssh -o ProxyCommand="$(basename $0) %h %p" ... +EOF +} + +log() { + echo "$@" >&2 +} + +if [ -z "$HOST" ] ; then + log "host must be specified." + usage + exit 1 +fi +if [ -z "$PORT" ] ; then + log "port must be specified." + usage + exit 1 +fi + +# check for the host key in the known_hosts file +hostKey=$(ssh-keygen -F "$HOST") + +# if the host key is not found in the known_hosts file, +# check the keyserver +if [ -z "$hostKey" ] ; then + CHECK_KEYSERVER="true" +fi + # update the known_hosts file for the host monkeysphere update-known-hosts "$HOST" -- cgit v1.2.3 From c32302172e3533b2170329206ff011d6e3a26a49 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Jun 2008 14:43:40 -0400 Subject: Fix bug in configuration handling for HASH_KNOWN_HOSTS and USER_CONTROLLED_AUTHORIZED_KEYS --- etc/monkeysphere-server.conf | 1 + etc/monkeysphere.conf | 11 +++++------ src/common | 4 ++-- src/monkeysphere | 7 ++----- src/monkeysphere-server | 6 +++--- 5 files changed, 13 insertions(+), 16 deletions(-) (limited to 'src') diff --git a/etc/monkeysphere-server.conf b/etc/monkeysphere-server.conf index 82da497..3915bf4 100644 --- a/etc/monkeysphere-server.conf +++ b/etc/monkeysphere-server.conf @@ -20,4 +20,5 @@ # Whether to add user controlled authorized_keys file to # monkeysphere-generated authorized_keys file. Should be path to file # where '%h' will be replaced by the home directory of the user. +# To not add any user-controlled file, put "-" #USER_CONTROLLED_AUTHORIZED_KEYS=%h/.ssh/authorized_keys diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index d478b93..003ecf6 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf @@ -22,14 +22,13 @@ #REQUIRED_USER_KEY_CAPABILITY="a" # Path to user-controlled authorized_keys file to add to -# Monkeysphere-generated authorized_keys file. If empty, then no -# user-controlled file will be added. +# Monkeysphere-generated authorized_keys file. +# To not add any user-controlled file, put "-" #USER_CONTROLLED_AUTHORIZED_KEYS=~/.ssh/authorized_keys # User known_hosts file #USER_KNOWN_HOSTS=~/.ssh/known_hosts -# Whether or not to hash the generated known_hosts lines -# (empty mean "no"). -#HASH_KNOWN_HOSTS= - +# Whether or not to hash the generated known_hosts lines. +# Should be "true" or "false" +#HASH_KNOWN_HOSTS=true diff --git a/src/common b/src/common index 471e75a..c0a9030 100644 --- a/src/common +++ b/src/common @@ -275,7 +275,7 @@ process_user_id() { gpg2known_hosts "$keyID" "$userID" >> \ "$cacheDir"/"$userIDHash"."$pubKeyID" # hash the cache file if specified - if [ "$HASH_KNOWN_HOSTS" ] ; then + if [ "$HASH_KNOWN_HOSTS" = "true" ] ; then ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1 rm "$cacheDir"/"$userIDHash"."$pubKeyID".old fi @@ -408,7 +408,7 @@ update_authorized_keys() { else log "no gpg keys to add." fi - if [ "$userAuthorizedKeys" -a -s "$userAuthorizedKeys" ] ; then + if [ "$userAuthorizedKeys" != "-" -a -s "$userAuthorizedKeys" ] ; then log -n "adding user authorized_keys file... " cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" echo "done." diff --git a/src/monkeysphere b/src/monkeysphere index 79bc352..a6ca62d 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -115,7 +115,7 @@ GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"} @@ -191,11 +191,8 @@ case $COMMAND in failure "$AUTHORIZED_USER_IDS is empty." fi - # set user-controlled authorized_keys file path - userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$HOME"} - # update authorized_keys - update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$userKeysCacheDir" + update_authorized_keys "$msAuthorizedKeys" "$USER_CONTROLLED_AUTHORIZED_KEYS" "$userKeysCacheDir" ;; 'gen-subkey'|'g') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 3cc7454..cdb76ee 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -111,10 +111,10 @@ MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf} [ -e "$MS_CONF" ] && . "$MS_CONF" # set empty config variable with defaults -GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} -KEYSERVER=${KEYSERVER:-subkeys.pgp.net} +GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"} +KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} +USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} export GNUPGHOME -- cgit v1.2.3 From 62ff87e0328bc1406979656029a5e313839cac35 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Jun 2008 14:52:20 -0400 Subject: Add log output for keyserver checking. Fix bug in proxy command to export CHECK_KEYSERVER variable. --- src/common | 31 +++++++++++++++++-------------- src/monkeysphere | 1 + src/monkeysphere-ssh-proxycommand | 9 +++++---- 3 files changed, 23 insertions(+), 18 deletions(-) (limited to 'src') diff --git a/src/common b/src/common index c0a9030..d1554a6 100644 --- a/src/common +++ b/src/common @@ -47,17 +47,17 @@ gpg_fetch_userid() { userID="$1" - # if CHECK_KEYSERVER variable set, check the keyserver - # for the user ID - if [ "CHECK_KEYSERVER" ] ; then - echo 1,2,3,4,5 | \ - gpg --quiet --batch --command-fd 0 --with-colons \ - --keyserver "$KEYSERVER" \ - --search ="$userID" >/dev/null 2>&1 - - # otherwise just return true + log "checking keyserver $KEYSERVER..." + echo 1,2,3,4,5 | \ + gpg --quiet --batch --command-fd 0 --with-colons \ + --keyserver "$KEYSERVER" \ + --search ="$userID" >/dev/null 2>&1 + if [ "$?" = 0 ] ; then + log " user ID found on keyserver." + return 0 else - return + log " user ID not found on keyserver." + return 1 fi } @@ -167,8 +167,11 @@ process_user_id() { fi requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]") - # fetch keys from keyserver, return 1 if none found - gpg_fetch_userid "$userID" || return 1 + # if CHECK_KEYSERVER variable set, check the keyserver + # for the user ID + if [ "$CHECK_KEYSERVER" = "true" ] ; then + gpg_fetch_userid "$userID" + fi # output gpg info for (exact) userid and store gpgOut=$(gpg --fixed-list-mode --list-key --with-colons \ @@ -176,7 +179,7 @@ process_user_id() { # return 1 if there only "tru" lines are output from gpg if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then - log " key not found." + log " key not found in keychain." return 1 fi @@ -268,7 +271,7 @@ process_user_id() { # key cache file if [ "$keyOK" -a "$uidOK" -a "${keyIDs[*]}" ] ; then for keyID in ${keyIDs[@]} ; do - log " acceptable key/uid found." + log " acceptable key/userID found." if [ "$MODE" = 'known_hosts' ] ; then # export the key diff --git a/src/monkeysphere b/src/monkeysphere index a6ca62d..230de06 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -113,6 +113,7 @@ MS_CONF=${MS_CONF:-"${MS_HOME}/monkeysphere.conf"} AUTHORIZED_USER_IDS=${AUTHORIZED_USER_IDS:-"${MS_HOME}/authorized_user_ids"} GNUPGHOME=${GNUPGHOME:-"${HOME}/.gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} +CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} diff --git a/src/monkeysphere-ssh-proxycommand b/src/monkeysphere-ssh-proxycommand index ec162ab..3887e48 100755 --- a/src/monkeysphere-ssh-proxycommand +++ b/src/monkeysphere-ssh-proxycommand @@ -40,11 +40,12 @@ fi # check for the host key in the known_hosts file hostKey=$(ssh-keygen -F "$HOST") -# if the host key is not found in the known_hosts file, -# check the keyserver -if [ -z "$hostKey" ] ; then - CHECK_KEYSERVER="true" +# if the host key is found in the known_hosts file, +# don't check the keyserver +if [ "$hostKey" ] ; then + CHECK_KEYSERVER="false" fi +export CHECK_KEYSERVER # update the known_hosts file for the host monkeysphere update-known-hosts "$HOST" -- cgit v1.2.3 From deb41134ca527508253244cfa8860a2031034825 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 16 Jun 2008 15:26:21 -0400 Subject: Add extra variables to gen-key. --- src/monkeysphere-server | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index cdb76ee..6279c45 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -32,7 +32,7 @@ MonkeySphere server admin tool. subcommands: update-users (s) [USER]... update users authorized_keys files - gen-key (g) generate gpg key for the server + gen-key (g) [HOSTNAME] generate gpg key for the server publish-key (p) publish server key to keyserver trust-keys (t) KEYID... mark keyids as trusted update-user-userids (u) USER UID... add/update user IDs for a user @@ -44,14 +44,26 @@ EOF # generate server gpg key gen_key() { + local hostName + + hostName=${1:-$(hostname --fqdn)} + # set key defaults KEY_TYPE=${KEY_TYPE:-"RSA"} KEY_LENGTH=${KEY_LENGTH:-"2048"} KEY_USAGE=${KEY_USAGE:-"auth,encrypt"} - SERVICE=${SERVICE:-"ssh"} - HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} + cat < = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +EOF + read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"} - USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} + SERVICE=${SERVICE:-"ssh"} + USERID=${USERID:-"$SERVICE"://"$hostName"} # set key parameters keyParameters=$(cat < Date: Mon, 16 Jun 2008 19:54:12 -0400 Subject: Total rework of uid processing: rid of cache directory --- src/common | 249 +++++++++++++++++++++++++++++++------------------------ src/monkeysphere | 6 +- 2 files changed, 142 insertions(+), 113 deletions(-) (limited to 'src') diff --git a/src/common b/src/common index 8d8e506..8b078d6 100644 --- a/src/common +++ b/src/common @@ -43,12 +43,21 @@ cutline() { # FIXME: need to figure out how to retrieve all matching keys # (not just first 5) gpg_fetch_userid() { - local id - id="$1" - echo 1,2,3,4,5 | \ - gpg --quiet --batch --command-fd 0 --with-colons \ - --keyserver "$KEYSERVER" \ - --search ="$id" >/dev/null 2>&1 + local userID + userID="$1" + + # if CHECK_KEYSERVER variable set, check the keyserver + # for the user ID + if [ "CHECK_KEYSERVER" ] ; then + echo 1,2,3,4,5 | \ + gpg --quiet --batch --command-fd 0 --with-colons \ + --keyserver "$KEYSERVER" \ + --search ="$userID" >/dev/null 2>&1 + + # otherwise just return true + else + return + fi } # check that characters are in a string (in an AND fashion). @@ -117,7 +126,7 @@ gpg2authorized_keys() { gpg --export "$keyID" | \ openpgp2ssh "$keyID" | tr -d '\n' - echo " MonkeySphere${DATE}:${userID}" + echo " MonkeySphere${DATE}: ${userID}" } # userid and key policy checking @@ -133,17 +142,18 @@ process_user_id() { local requiredCapability local requiredPubCapability local gpgOut + local userIDHash + local keyCacheDir local line local type local validity local keyid local uidfpr - local capability + local usage local keyOK local pubKeyID local uidOK local keyIDs - local userIDHash local keyID userID="$1" @@ -161,126 +171,121 @@ process_user_id() { gpg_fetch_userid "$userID" || return 1 # output gpg info for (exact) userid and store - gpgOut=$(gpg --fixed-list-mode --list-key --with-colons \ - ="$userID" 2> /dev/null) - - # return 1 if there only "tru" lines are output from gpg - if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then - log " key not found." - return 1 + gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \ + --with-fingerprint --with-fingerprint \ + ="$userID" 2>/dev/null) + + # if the gpg query return code is not 0, return 1 + if [ "$?" -ne 0 ] ; then + log " key not found." + return 1 fi + echo "$gpgOut" + # loop over all lines in the gpg output and process. # need to do it this way (as opposed to "while read...") so that # variables set in loop will be visible outside of loop - for line in $(seq 1 $(echo "$gpgOut" | wc -l)) ; do - - # read the contents of the line - type=$(echo "$gpgOut" | cutline "$line" | cut -d: -f1) - validity=$(echo "$gpgOut" | cutline "$line" | cut -d: -f2) - keyid=$(echo "$gpgOut" | cutline "$line" | cut -d: -f5) - uidfpr=$(echo "$gpgOut" | cutline "$line" | cut -d: -f10) - capability=$(echo "$gpgOut" | cutline "$line" | cut -d: -f12) - + echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \ + while IFS=: read -r type validity keyid uidfpr usage ; do # process based on record type case $type in 'pub') # primary keys # new key, wipe the slate keyOK= - pubKeyID= uidOK= - keyIDs= - - pubKeyID="$keyid" + pubKeyOK= + fingerprint= - # check primary key validity + # if overall key is not valid, skip if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then log " unacceptable primary key validity ($validity)." continue fi - # check capability is not Disabled... - if check_capability "$capability" 'D' ; then + # if overall key is disabled, skip + if check_capability "$usage" 'D' ; then log " key disabled." continue fi - # check overall key capability - # must be Encryption and Authentication - if ! check_capability "$capability" $requiredPubCapability ; then - log " unacceptable primary key capability ($capability)." + # if overall key capability is not ok, skip + if ! check_capability "$usage" $requiredPubCapability ; then + log " unacceptable primary key capability ($usage)." continue fi - # mark if primary key is acceptable + # mark overall key as ok keyOK=true - # add primary key ID to key list if it has required capability - if check_capability "$capability" $requiredCapability ; then - keyIDs[${#keyIDs[*]}]="$keyid" + # mark primary key as ok if capability is ok + if check_capability "$usage" $requiredCapability ; then + pubKeyOK=true fi ;; 'uid') # user ids - # check key ok and we have key fingerprint + # if the overall key is not ok, skip if [ -z "$keyOK" ] ; then continue fi - # check key validity - if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then + # if an acceptable user ID was already found, skip + if [ "$uidOK" ] ; then continue fi - # check the uid matches + # if the user ID does not match, skip if [ "$(unescape "$uidfpr")" != "$userID" ] ; then continue fi + # if the user ID validity is not ok, skip + if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then + continue + fi - # mark if uid acceptable + # mark user ID acceptable uidOK=true + + # output a line for the primary key + # 0 = ok, 1 = bad + if [ "$keyOK" -a "$uidOK" -a "$pubKeyOK" ] ; then + log " acceptable key found" + echo 0 "$fingerprint" + else + echo 1 "$fingerprint" + fi ;; 'sub') # sub keys - # add sub key ID to key list if it has required capability - if check_capability "$capability" $requiredCapability ; then - keyIDs[${#keyIDs[*]}]="$keyid" + # unset acceptability of last key + subKeyOK= + fingerprint= + + # if the overall key is not ok, skip + if [ -z "$keyOK" ] ; then + continue + fi + # if sub key validity is not ok, skip + if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then + continue + fi + # if sub key capability is not ok, skip + if ! check_capability "$usage" $requiredCapability ; then + continue + fi + + # mark sub key as ok + subKeyOK=true + ;; + 'fpr') # key fingerprint + fingerprint="$uidfpr" + + # output a line for the last subkey + # 0 = ok, 1 = bad + if [ "$keyOK" -a "$uidOK" -a "$subKeyOK" ] ; then + log " acceptable key found" + echo 0 "$fingerprint" + else + echo 1 "$fingerprint" fi ;; esac done - - # hash userid for cache file name - userIDHash=$(echo "$userID" | sha1sum | awk '{ print $1 }') - - # make sure the cache directory exists - mkdir -p "$cacheDir" - - # touch/clear key cache file - # (will be left empty if there are noacceptable keys) - > "$cacheDir"/"$userIDHash"."$pubKeyID" - - # for each acceptable key, write an ssh key line to the - # key cache file - if [ "$keyOK" -a "$uidOK" -a "${keyIDs[*]}" ] ; then - for keyID in ${keyIDs[@]} ; do - log " acceptable key/uid found." - - if [ "$MODE" = 'known_hosts' ] ; then - # export the key - gpg2known_hosts "$keyID" "$userID" >> \ - "$cacheDir"/"$userIDHash"."$pubKeyID" - # hash the cache file if specified - if [ "$HASH_KNOWN_HOSTS" ] ; then - ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1 - rm "$cacheDir"/"$userIDHash"."$pubKeyID".old - fi - elif [ "$MODE" = 'authorized_keys' ] ; then - # export the key - # FIXME: needs to apply extra options for authorized_keys - # lines if specified - gpg2authorized_keys "$keyID" "$userID" >> \ - "$cacheDir"/"$userIDHash"."$pubKeyID" - fi - done - fi - - # echo the path to the key cache file - echo "$cacheDir"/"$userIDHash"."$pubKeyID" } # update the cache for userid, and prompt to add file to @@ -296,18 +301,23 @@ update_userid() { log "processing userid: '$userID'" + # return 1 if there is no output of the user ID processing + # ie. no key was found keyCachePath=$(process_user_id "$userID" "$cacheDir") - if [ -z "$keyCachePath" ] ; then return 1 fi + + # check if user ID is in the authorized_user_ids file if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} = 'Y' ] ; then + # add if specified log -n "adding user ID to authorized_user_ids file... " echo "$userID" >> "$AUTHORIZED_USER_IDS" echo "done." else + # else do nothing log "authorized_user_ids file untouched." fi fi @@ -321,16 +331,34 @@ remove_userid() { log "processing userid: '$userID'" + # check if user ID is in the authorized_user_ids file if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then log "user ID not currently authorized." return 1 fi + # remove user ID from file log -n "removing user ID '$userID'... " grep -v "$userID" "$AUTHORIZED_USER_IDS" | sponge "$AUTHORIZED_USER_IDS" echo "done." } +# remove all keys from specified key cache from known_hosts file +remove_known_hosts_host_keys() { + local keyCachePath + local hosts + local type + local key + local comment + + keyCachePath="$1" + + meat "${keyCachePath}/keys" | \ + while read -r hosts type key comment ; do + grep -v "$key" "$USER_KNOWN_HOSTS" | sponge "$USER_KNOWN_HOSTS" + done +} + # process a host for addition to a known_host file process_host() { local host @@ -340,31 +368,35 @@ process_host() { host="$1" cacheDir="$2" - log "processing host: '$host'" - - keyCachePath=$(process_user_id "ssh://${host}" "$cacheDir") - if [ $? = 0 ] ; then - ssh-keygen -R "$host" -f "$USER_KNOWN_HOSTS" - cat "$keyCachePath" >> "$USER_KNOWN_HOSTS" - fi + log "processing host: $host" + + userID="ssh://${host}" + process_user_id "ssh://${host}" + exit + process_user_id "ssh://${host}" | \ + while read -r ok key ; do + # remove the old host key line + remove_known_hosts_host_keys "$key" + # if key OK, add new host line + if [ "$ok" -eq '0' ] ; then + known_hosts_line "$host" "$key" >> "$USER_KNOWN_HOSTS" + fi + done } # process known_hosts file # go through line-by-line, extract each host, and process with the # host processing function process_known_hosts() { - local knownHosts local cacheDir local hosts local host - knownHosts="$1" - cacheDir="$2" + cacheDir="$1" # take all the hosts from the known_hosts file (first field), # grep out all the hashed hosts (lines starting with '|')... - cut -d ' ' -f 1 "$knownHosts" | \ - grep -v '^|.*$' | \ + meat "$USER_KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | \ while IFS=, read -r -a hosts ; do # ...and process each host for host in ${hosts[*]} ; do @@ -415,17 +447,14 @@ process_authorized_ids() { authorizedIDs="$1" cacheDir="$2" - # clean out keys file and remake keys directory - rm -rf "$cacheDir" - mkdir -p "$cacheDir" - - # loop through all user ids in file - # FIXME: needs to handle authorized_keys options - cat "$authorizedIDs" | meat | \ - while read -r userID ; do - # process the userid - log "processing userid: '$userID'" - process_user_id "$userID" "$cacheDir" > /dev/null + process_user_id "$userID" | \ + while read -r ok key ; do + # remove the old host key line + remove_authorized_keys_user_keys "$key" + # if key OK, add new host line + if [ "$ok" -eq '0' ] ; then + authorized_keys_line "$userID" "$key" >> "$USER_AUTHORIZED_KEYS" + fi done } diff --git a/src/monkeysphere b/src/monkeysphere index 23ebd63..91401b9 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -147,7 +147,7 @@ case $COMMAND in # those hosts if [ "$1" ] ; then for host ; do - process_host "$host" "$hostKeysCacheDir" + process_host "$host" done # otherwise, if no hosts are specified, process every user @@ -157,7 +157,7 @@ case $COMMAND in failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." fi log "processing known_hosts file..." - process_known_hosts "$USER_KNOWN_HOSTS" "$hostKeysCacheDir" + process_known_hosts "$USER_KNOWN_HOSTS" fi ;; @@ -166,7 +166,7 @@ case $COMMAND in failure "you must specify at least one userid." fi for userID ; do - update_userid "$userID" "$userKeysCacheDir" + update_userid "$userID" done log "Run the following to update your monkeysphere authorized_keys file:" log "$PGRM update-authorized_keys" -- cgit v1.2.3 From b92675786ac883551528b3870c71c98066d60c0f Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 17 Jun 2008 11:11:27 -0400 Subject: Major rework to remove all caching. Everything processed straight from gpg keyring. Major code simplification and cleanup. --- etc/monkeysphere.conf | 15 +- src/common | 388 ++++++++++++++++++++++++++---------------------- src/monkeysphere | 33 ++-- src/monkeysphere-server | 37 +++-- 4 files changed, 255 insertions(+), 218 deletions(-) (limited to 'src') diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf index 003ecf6..17c1a14 100644 --- a/etc/monkeysphere.conf +++ b/etc/monkeysphere.conf @@ -3,9 +3,6 @@ # This is an sh-style shell configuration file. Variable names should # be separated from their assignements by a single '=' and no spaces. -# authorized_user_ids file -#AUTHORIZED_USER_IDS=~/.config/monkeysphere/authorized_user_ids - # GPG home directory #GNUPGHOME=~/.gnupg @@ -21,14 +18,12 @@ #REQUIRED_HOST_KEY_CAPABILITY="e a" #REQUIRED_USER_KEY_CAPABILITY="a" -# Path to user-controlled authorized_keys file to add to -# Monkeysphere-generated authorized_keys file. -# To not add any user-controlled file, put "-" -#USER_CONTROLLED_AUTHORIZED_KEYS=~/.ssh/authorized_keys - -# User known_hosts file -#USER_KNOWN_HOSTS=~/.ssh/known_hosts +# ssh known_hosts file +#KNOWN_HOSTS=~/.ssh/known_hosts # Whether or not to hash the generated known_hosts lines. # Should be "true" or "false" #HASH_KNOWN_HOSTS=true + +# ssh authorized_keys file +#AUTHORIZED_KEYS=~/.ssh/known_hosts diff --git a/src/common b/src/common index 64d28cb..7a90453 100644 --- a/src/common +++ b/src/common @@ -11,12 +11,16 @@ # file) and are considered global ######################################################################## +### COMMON VARIABLES + # managed directories ETC="/etc/monkeysphere" export ETC CACHE="/var/cache/monkeysphere" export CACHE + ######################################################################## +### UTILITY FUNCTIONS failure() { echo "$1" >&2 @@ -29,6 +33,10 @@ log() { echo "$@" 1>&2 } +loge() { + echo "$@" 1>&2 +} + # cut out all comments(#) and blank lines from standard input meat() { grep -v -e "^[[:space:]]*#" -e '^$' @@ -39,72 +47,89 @@ cutline() { head --line="$1" | tail -1 } -# retrieve all keys with given user id from keyserver -# FIXME: need to figure out how to retrieve all matching keys -# (not just first 5) -gpg_fetch_userid() { - local userID - - userID="$1" - - log "checking keyserver $KEYSERVER..." - echo 1,2,3,4,5 | \ - gpg --quiet --batch --command-fd 0 --with-colons \ - --keyserver "$KEYSERVER" \ - --search ="$userID" >/dev/null 2>&1 - if [ "$?" = 0 ] ; then - log " user ID found on keyserver." - return 0 - else - log " user ID not found on keyserver." - return 1 - fi -} - # check that characters are in a string (in an AND fashion). # used for checking key capability # check_capability capability a [b...] check_capability() { - local capability + local usage local capcheck - capability="$1" + usage="$1" shift 1 for capcheck ; do - if echo "$capability" | grep -q -v "$capcheck" ; then + if echo "$usage" | grep -q -v "$capcheck" ; then return 1 fi done return 0 } -# get the full fingerprint of a key ID -get_key_fingerprint() { +# convert escaped characters from gpg output back into original +# character +# FIXME: undo all escape character translation in with-colons gpg output +unescape() { + echo "$1" | sed 's/\\x3a/:/' +} + +# remove all lines with specified string from specified file +remove_file_line() { + local file + local string + + file="$1" + string="$2" + + if [ "$file" -a "$string" ] ; then + grep -v "$string" "$file" | sponge "$file" + fi +} + +### CONVERTION UTILITIES + +# output the ssh key for a given key ID +gpg2ssh() { local keyID + + #keyID="$1" #TMP + # only use last 16 characters until openpgp2ssh can take all 40 #TMP + keyID=$(echo "$1" | cut -c 25-) #TMP - keyID="$1" + gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null +} - gpg --list-key --with-colons --fixed-list-mode \ - --with-fingerprint "$keyID" | grep "$keyID" | \ - grep '^fpr:' | cut -d: -f10 +# output known_hosts line from ssh key +ssh2known_hosts() { + local host + local key + + host="$1" + key="$2" + + echo -n "$host " + echo -n "$key" | tr -d '\n' + echo " MonkeySphere${DATE}" } +# output authorized_keys line from ssh key +ssh2authorized_keys() { + local userID + local key + + userID="$1" + key="$2" -# convert escaped characters from gpg output back into original -# character -# FIXME: undo all escape character translation in with-colons gpg output -unescape() { - echo "$1" | sed 's/\\x3a/:/' + echo -n "$key" | tr -d '\n' + echo " MonkeySphere${DATE}: ${userID}" } # convert key from gpg to ssh known_hosts format gpg2known_hosts() { - local keyID local host + local keyID - keyID="$1" - host=$(echo "$2" | sed -e "s|ssh://||") + host="$1" + keyID="$2" # NOTE: it seems that ssh-keygen -R removes all comment fields from # all lines in the known_hosts file. why? @@ -112,53 +137,88 @@ gpg2known_hosts() { # following regexp: # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' echo -n "$host " - gpg --export "$keyID" | \ - openpgp2ssh "$keyID" | tr -d '\n' + gpg2ssh "$keyID" | tr -d '\n' echo " MonkeySphere${DATE}" } # convert key from gpg to ssh authorized_keys format gpg2authorized_keys() { + local userID local keyID + + userID="$1" + keyID="$2" + + # NOTE: just in case, the COMMENT can be matched with the + # following regexp: + # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' + gpg2ssh "$keyID" | tr -d '\n' + echo " MonkeySphere${DATE}: ${userID}" +} + +### GPG UTILITIES + +# retrieve all keys with given user id from keyserver +# FIXME: need to figure out how to retrieve all matching keys +# (not just first N (5 in this case)) +gpg_fetch_userid() { local userID + userID="$1" + + log -n " checking keyserver $KEYSERVER... " + echo 1,2,3,4,5 | \ + gpg --quiet --batch --with-colons \ + --command-fd 0 --keyserver "$KEYSERVER" \ + --search ="$userID" > /dev/null 2>&1 + loge "done." +} + +# get the full fingerprint of a key ID +get_key_fingerprint() { + local keyID + keyID="$1" - userID="$2" - gpg --export "$keyID" | \ - openpgp2ssh "$keyID" | tr -d '\n' - echo " MonkeySphere${DATE}: ${userID}" + gpg --list-key --with-colons --fixed-list-mode \ + --with-fingerprint "$keyID" | grep "$keyID" | \ + grep '^fpr:' | cut -d: -f10 } +######################################################################## +### PROCESSING FUNCTIONS + # userid and key policy checking # the following checks policy on the returned keys # - checks that full key has appropriate valididy (u|f) # - checks key has specified capability (REQUIRED_*_KEY_CAPABILITY) -# - checks that particular desired user id has appropriate validity -# see /usr/share/doc/gnupg/DETAILS.gz +# - checks that requested user ID has appropriate validity +# (see /usr/share/doc/gnupg/DETAILS.gz) +# output is one line for every found key, in the following format: +# +# flag fingerprint +# +# "flag" is an acceptability flag, 0 = ok, 1 = bad +# "fingerprint" is the fingerprint of the key +# # expects global variable: "MODE" process_user_id() { local userID - local cacheDir local requiredCapability local requiredPubCapability local gpgOut - local userIDHash - local keyCacheDir - local line local type local validity local keyid local uidfpr local usage local keyOK - local pubKeyID local uidOK - local keyIDs - local keyID + local lastKey + local lastKeyOK + local fingerprint userID="$1" - cacheDir="$2" # set the required key capability based on the mode if [ "$MODE" = 'known_hosts' ] ; then @@ -181,12 +241,10 @@ process_user_id() { # if the gpg query return code is not 0, return 1 if [ "$?" -ne 0 ] ; then - log " key not found." + log " - key not found." return 1 fi - echo "$gpgOut" - # loop over all lines in the gpg output and process. # need to do it this way (as opposed to "while read...") so that # variables set in loop will be visible outside of loop @@ -198,22 +256,25 @@ process_user_id() { # new key, wipe the slate keyOK= uidOK= - pubKeyOK= + lastKey=pub + lastKeyOK= fingerprint= + log " primary key found: $keyid" + # if overall key is not valid, skip if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then - log " unacceptable primary key validity ($validity)." + log " - unacceptable primary key validity ($validity)." continue fi # if overall key is disabled, skip if check_capability "$usage" 'D' ; then - log " key disabled." + log " - key disabled." continue fi # if overall key capability is not ok, skip if ! check_capability "$usage" $requiredPubCapability ; then - log " unacceptable primary key capability ($usage)." + log " - unacceptable primary key capability ($usage)." continue fi @@ -222,14 +283,10 @@ process_user_id() { # mark primary key as ok if capability is ok if check_capability "$usage" $requiredCapability ; then - pubKeyOK=true + lastKeyOK=true fi ;; 'uid') # user ids - # if the overall key is not ok, skip - if [ -z "$keyOK" ] ; then - continue - fi # if an acceptable user ID was already found, skip if [ "$uidOK" ] ; then continue @@ -248,8 +305,8 @@ process_user_id() { # output a line for the primary key # 0 = ok, 1 = bad - if [ "$keyOK" -a "$uidOK" -a "$pubKeyOK" ] ; then - log " acceptable key found" + if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then + log " * acceptable key found." echo 0 "$fingerprint" else echo 1 "$fingerprint" @@ -257,13 +314,10 @@ process_user_id() { ;; 'sub') # sub keys # unset acceptability of last key - subKeyOK= + lastKey=sub + lastKeyOK= fingerprint= - # if the overall key is not ok, skip - if [ -z "$keyOK" ] ; then - continue - fi # if sub key validity is not ok, skip if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then continue @@ -274,15 +328,20 @@ process_user_id() { fi # mark sub key as ok - subKeyOK=true + lastKeyOK=true ;; 'fpr') # key fingerprint fingerprint="$uidfpr" + # if the last key was the pub key, skip + if [ "$lastKey" = pub ] ; then + continue + fi + # output a line for the last subkey # 0 = ok, 1 = bad - if [ "$keyOK" -a "$uidOK" -a "$subKeyOK" ] ; then - log " acceptable key found" + if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then + log " * acceptable key found." echo 0 "$fingerprint" else echo 1 "$fingerprint" @@ -297,32 +356,25 @@ process_user_id() { # and not already in file. update_userid() { local userID - local cacheDir - local keyCache userID="$1" - cacheDir="$2" log "processing userid: '$userID'" - # return 1 if there is no output of the user ID processing - # ie. no key was found - keyCachePath=$(process_user_id "$userID" "$cacheDir") - if [ -z "$keyCachePath" ] ; then - return 1 - fi + # process the user ID to pull it from keyserver + process_user_id "$userID" | grep -q "^0 " # check if user ID is in the authorized_user_ids file if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then read -p "user ID not currently authorized. authorize? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} = 'Y' ] ; then # add if specified - log -n "adding user ID to authorized_user_ids file... " + log -n " adding user ID to authorized_user_ids file... " echo "$userID" >> "$AUTHORIZED_USER_IDS" - echo "done." + loge "done." else # else do nothing - log "authorized_user_ids file untouched." + log " authorized_user_ids file untouched." fi fi } @@ -337,53 +389,70 @@ remove_userid() { # check if user ID is in the authorized_user_ids file if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then - log "user ID not currently authorized." + log " user ID not currently authorized." return 1 fi # remove user ID from file - log -n "removing user ID '$userID'... " - grep -v "$userID" "$AUTHORIZED_USER_IDS" | sponge "$AUTHORIZED_USER_IDS" - echo "done." + log -n " removing user ID '$userID'... " + remove_file_line "$AUTHORIZED_USER_IDS" "^${userID}$" + loge "done." } -# remove all keys from specified key cache from known_hosts file -remove_known_hosts_host_keys() { - local keyCachePath - local hosts - local type - local key - local comment +# process a host in known_host file +process_host_known_hosts() { + local host + local userID + local ok + local keyid + local tmpfile - keyCachePath="$1" + host="$1" + userID="ssh://${host}" + + log "processing host: $host" - meat "${keyCachePath}/keys" | \ - while read -r hosts type key comment ; do - grep -v "$key" "$USER_KNOWN_HOSTS" | sponge "$USER_KNOWN_HOSTS" + process_user_id "ssh://${host}" | \ + while read -r ok keyid ; do + sshKey=$(gpg2ssh "$keyid") + # remove the old host key line + remove_file_line "$KNOWN_HOSTS" "$sshKey" + # if key OK, add new host line + if [ "$ok" -eq '0' ] ; then + # hash if specified + if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then + # FIXME: this is really hackish cause ssh-keygen won't + # hash from stdin to stdout + tmpfile=$(mktemp) + ssh2known_hosts "$host" "$sshKey" > "$tmpfile" + ssh-keygen -H -f "$tmpfile" 2> /dev/null + cat "$tmpfile" >> "$KNOWN_HOSTS" + rm -f "$tmpfile" "${tmpfile}.old" + else + ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS" + fi + fi done } -# process a host for addition to a known_host file -process_host() { - local host - local cacheDir - local keyCachePath +# process a uid in an authorized_keys file +process_uid_authorized_keys() { + local userID + local ok + local keyid - host="$1" - cacheDir="$2" + userID="$1" - log "processing host: $host" + log "processing user ID: $userID" - userID="ssh://${host}" - process_user_id "ssh://${host}" - exit - process_user_id "ssh://${host}" | \ - while read -r ok key ; do + process_user_id "$userID" | \ + while read -r ok keyid ; do + sshKey=$(gpg2ssh "$keyid") # remove the old host key line - remove_known_hosts_host_keys "$key" + remove_file_line "$AUTHORIZED_KEYS" "$sshKey" # if key OK, add new host line if [ "$ok" -eq '0' ] ; then - known_hosts_line "$host" "$key" >> "$USER_KNOWN_HOSTS" + ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS" fi done } @@ -392,110 +461,69 @@ process_host() { # go through line-by-line, extract each host, and process with the # host processing function process_known_hosts() { - local cacheDir local hosts local host - cacheDir="$1" - # take all the hosts from the known_hosts file (first field), # grep out all the hashed hosts (lines starting with '|')... - meat "$USER_KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | \ + cat "$KNOWN_HOSTS" | meat | \ + cut -d ' ' -f 1 | grep -v '^|.*$' | \ while IFS=, read -r -a hosts ; do - # ...and process each host + # and process each host for host in ${hosts[*]} ; do - process_host "$host" "$cacheDir" + process_host_known_hosts "$host" done done } -# update an authorized_keys file after first processing the -# authorized_user_ids file -update_authorized_keys() { - local msAuthorizedKeys - local userAuthorizedKeys - local cacheDir - - msAuthorizedKeys="$1" - userAuthorizedKeys="$2" - cacheDir="$3" - - process_authorized_ids "$AUTHORIZED_USER_IDS" "$cacheDir" - - # write output key file - log "writing monkeysphere authorized_keys file... " - touch "$msAuthorizedKeys" - if [ "$(ls "$cacheDir")" ] ; then - log -n "adding gpg keys... " - cat "$cacheDir"/* > "$msAuthorizedKeys" - echo "done." - else - log "no gpg keys to add." - fi - if [ "$userAuthorizedKeys" != "-" -a -s "$userAuthorizedKeys" ] ; then - log -n "adding user authorized_keys file... " - cat "$userAuthorizedKeys" >> "$msAuthorizedKeys" - echo "done." - fi - log "monkeysphere authorized_keys file generated:" - log "$msAuthorizedKeys" -} - -# process an authorized_*_ids file -# go through line-by-line, extract each userid, and process -process_authorized_ids() { - local authorizedIDs - local cacheDir - local userID - - authorizedIDs="$1" - cacheDir="$2" +# process an authorized_user_ids file for authorized_keys +process_authorized_user_ids() { + local userid - process_user_id "$userID" | \ - while read -r ok key ; do - # remove the old host key line - remove_authorized_keys_user_keys "$key" - # if key OK, add new host line - if [ "$ok" -eq '0' ] ; then - authorized_keys_line "$userID" "$key" >> "$USER_AUTHORIZED_KEYS" - fi + cat "$AUTHORIZED_USER_IDS" | meat | \ + while read -r userid ; do + process_uid_authorized_keys "$userid" done } # EXPERIMENTAL (unused) process userids found in authorized_keys file # go through line-by-line, extract monkeysphere userids from comment # fields, and process each userid +# NOT WORKING process_authorized_keys() { local authorizedKeys - local cacheDir local userID authorizedKeys="$1" - cacheDir="$2" # take all the monkeysphere userids from the authorized_keys file # comment field (third field) that starts with "MonkeySphere uid:" # FIXME: needs to handle authorized_keys options (field 0) - cat "$authorizedKeys" | \ + cat "$authorizedKeys" | meat | \ while read -r options keytype key comment ; do # if the comment field is empty, assume the third field was # the comment if [ -z "$comment" ] ; then comment="$key" fi - if ! echo "$comment" | grep '^MonkeySphere userID:.*$' ; then + + if echo "$comment" | egrep -v -q '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}:' ; then continue fi - userID=$(echo "$comment" | sed -e "/^MonkeySphere userID://") + userID=$(echo "$comment" | awk "{ print $2 }") if [ -z "$userID" ] ; then continue fi + # process the userid log "processing userid: '$userID'" - process_user_id "$userID" "$cacheDir" > /dev/null + process_user_id "$userID" > /dev/null done } +################################################## +### GPG HELPER FUNCTIONS + # retrieve key from web of trust, and set owner trust to "full" # if key is found. trust_key() { diff --git a/src/monkeysphere b/src/monkeysphere index 8e4c4eb..6853f58 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -53,7 +53,7 @@ gen_subkey(){ keyID="$1" - gpgOut=$(gpg --fixed-list-mode --list-keys --with-colons \ + gpgOut=$(gpg --quiet --fixed-list-mode --list-keys --with-colons \ "$keyID" 2> /dev/null) # return 1 if there only "tru" lines are output from gpg @@ -90,8 +90,9 @@ save EOF ) - echo "generating subkey..." + log "generating subkey..." echo "$editCommands" | gpg --expert --command-fd 0 --edit-key "$keyID" + log "done." } ######################################################################## @@ -116,25 +117,19 @@ KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} REQUIRED_HOST_KEY_CAPABILITY=${REQUIRED_HOST_KEY_CAPABILITY:-"e a"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} -USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} -USER_KNOWN_HOSTS=${USER_KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} +KNOWN_HOSTS=${KNOWN_HOSTS:-"${HOME}/.ssh/known_hosts"} +AUTHORIZED_KEYS=${AUTHORIZED_KEYS:-"${HOME}/.ssh/authorized_keys"} HASH_KNOWN_HOSTS=${HASH_KNOWN_HOSTS:-"true"} export GNUPGHOME -# stagging locations -hostKeysCacheDir="${MS_HOME}/host_keys" -userKeysCacheDir="${MS_HOME}/user_keys" -msAuthorizedKeys="${MS_HOME}/authorized_keys" - # make sure gpg home exists with proper permissions mkdir -p -m 0700 "$GNUPGHOME" # make sure the user monkeysphere home directory exists mkdir -p -m 0700 "$MS_HOME" -mkdir -p "$hostKeysCacheDir" -mkdir -p "$userKeysCacheDir" touch "$AUTHORIZED_USER_IDS" +touch "$AUTHORIZED_KEYS" case $COMMAND in 'update-known_hosts'|'update-known-hosts'|'k') @@ -142,23 +137,25 @@ case $COMMAND in # touch the known_hosts file to make sure it exists # ssh-keygen complains if it doesn't exist - touch "$USER_KNOWN_HOSTS" + touch "$KNOWN_HOSTS" # if hosts are specified on the command line, process just # those hosts if [ "$1" ] ; then for host ; do - process_host "$host" + process_host_known_hosts "$host" done + log "known_hosts file updated." # otherwise, if no hosts are specified, process every user # in the user's known_hosts file else - if [ ! -s "$USER_KNOWN_HOSTS" ] ; then - failure "known_hosts file '$USER_KNOWN_HOSTS' is empty." + if [ ! -s "$KNOWN_HOSTS" ] ; then + failure "known_hosts file '$KNOWN_HOSTS' is empty." fi log "processing known_hosts file..." process_known_hosts + log "known_hosts file updated." fi ;; @@ -192,8 +189,10 @@ case $COMMAND in failure "$AUTHORIZED_USER_IDS is empty." fi - # update authorized_keys - update_authorized_keys "$msAuthorizedKeys" "$USER_CONTROLLED_AUTHORIZED_KEYS" "$userKeysCacheDir" + # process authorized_user_ids file + log "processing authorized_user_ids file..." + process_authorized_user_ids + log "authorized_keys file updated." ;; 'gen-subkey'|'g') diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 6279c45..560d249 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -106,7 +106,7 @@ EOF log -n "generating server key... " echo "$keyParameters" | gpg --batch --gen-key - echo "done." + loge "done." } ######################################################################## @@ -127,20 +127,25 @@ MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf} # set empty config variable with defaults GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"} KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"} +CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"} export GNUPGHOME +# make sure the monkeysphere home directory exists +mkdir -p "${MS_HOME}/authorized_user_ids" # make sure gpg home exists with proper permissions mkdir -p -m 0700 "$GNUPGHOME" +# make sure the authorized_keys directory exists +mkdir -p "${CACHE}/authorized_keys" case $COMMAND in 'update-users'|'update-user'|'s') if [ "$1" ] ; then unames="$@" else - unames=$(ls -1 "$MS_HOME"/authorized_user_ids) + unames=$(ls -1 "${MS_HOME}/authorized_user_ids") fi for uname in $unames ; do @@ -149,12 +154,14 @@ case $COMMAND in log "----- user: $uname -----" # set variables for the user - AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" - msAuthorizedKeys="$CACHE"/"$uname"/authorized_keys - cacheDir="$CACHE"/"$uname"/user_keys + AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}" + # temporary authorized_keys file + AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp" # make sure user's authorized_user_ids file exists touch "$AUTHORIZED_USER_IDS" + # make sure the authorized_keys file exists and is clear + > "$AUTHORIZED_KEYS" # skip if the user's authorized_user_ids file is empty if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then @@ -162,14 +169,23 @@ case $COMMAND in continue fi - # set user-controlled authorized_keys file path - if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then + # process authorized_user_ids file + log "processing authorized_user_ids file..." + process_authorized_user_ids + + # add user-controlled authorized_keys file path if specified + if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then userHome=$(getent passwd "$uname" | cut -d: -f6) userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"} + log -n "adding user's authorized_keys file... " + cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS" + loge "done." fi - # update authorized_keys - update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$cacheDir" + # move the temp authorized_keys file into place + mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}" + + log "authorized_keys file updated." done log "----- done. -----" @@ -206,14 +222,13 @@ case $COMMAND in # set variables for the user AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" - cacheDir="$CACHE"/"$uname"/user_keys # make sure user's authorized_user_ids file exists touch "$AUTHORIZED_USER_IDS" # process the user IDs for userID ; do - update_userid "$userID" "$cacheDir" + update_userid "$userID" done log "Run the following to update user's authorized_keys file:" -- cgit v1.2.3 From 363b8d8cb785c25937460b552fefde5fbccfb6ba Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 17 Jun 2008 14:35:06 -0400 Subject: Add preliminary script to try to import a gpg private key into the ssh agent. --- src/seckey2sshagent | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100755 src/seckey2sshagent (limited to 'src') diff --git a/src/seckey2sshagent b/src/seckey2sshagent new file mode 100755 index 0000000..0e8d695 --- /dev/null +++ b/src/seckey2sshagent @@ -0,0 +1,25 @@ +#!/bin/sh + +cleanup() { + echo -n "removing temp gpg home... " + rm -rf $FOO + echo "done." +} + +trap cleanup EXIT + +GPGID="$1" + +idchars=$(echo $GPGID | wc -m) +if [ "$idchars" -ne 17 ] ; then + echo "GPGID is not 16 characters ($idchars)." + exit 1 +fi + +FOO=$(mktemp -d) + +gpg --export-secret-key --export-options export-reset-subkey-passwd $GPGID | GNUPGHOME=$FOO gpg --import + +GNUPGHOME=$FOO gpg --edit-key $GPGID + +GNUPGHOME=$FOO gpg --export-secret-key $GPGID | openpgp2ssh $GPGID | ssh-add -c /dev/stdin -- cgit v1.2.3