From e04825a10f888602276a2e803401a879dbcec671 Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins
Date: Sun, 29 Jun 2008 14:54:00 -0400
Subject: Add better host certifier management, and updated man page.
---
 src/monkeysphere | 2 +-
 src/monkeysphere-server | 72 ++++++++++++++++++++++++++++++++++++-------------
 2 files changed, 55 insertions(+), 19 deletions(-)
(limited to 'src')
diff --git a/src/monkeysphere b/src/monkeysphere
index ab42665..b10adb7 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -72,7 +72,7 @@ gen_subkey(){
 # prompt if an authentication subkey already exists
 if echo "$gpgOut" | egrep "^(pub|sub):" | cut -d: -f 12 | grep -q a ; then
 echo "An authentication subkey already exists for key '$keyID'."
- read -p "Are you sure you would like to generate another one? [y|N]: " OK; OK=${OK:N}
+ read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:N}
 if [ "${OK/y/Y}" != 'Y' ] ; then
 failure "aborting."
 fi
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 9196c2f..a080076 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -41,7 +41,9 @@ subcommands:
 gen-key (g) [HOSTNAME] generate gpg key for the server
 show-fingerprint (f) show server's host key fingerprint
 publish-key (p) publish server's host key to keyserver
- trust-key (t) KEYID import and tsign a certification key
+ add-certifier (a) KEYID import and tsign a certification key
+ remove-certifier (r) KEYID remove a certification key
+ list-certifiers (l) list certification keys
 help (h,?) this help
 EOF
@@ -245,7 +247,7 @@ EOF
 echo "The following key parameters will be used for the host private key:"
 echo "$keyParameters"
- read -p "Generate key? [Y|n]: " OK; OK=${OK:=Y}
+ read -p "Generate key? (Y/n) " OK; OK=${OK:=Y}
 if [ ${OK/y/Y} != 'Y' ] ; then
 failure "aborting."
 fi
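Review bot: The rewritten prompt line in gen_subkey keeps `OK=${OK:N}`, which is a substring expansion starting at offset N (0 while N is unset), not a default value, so an empty answer stays empty instead of becoming N; the following `!= 'Y'` test still aborts, which is why the slip has had no visible effect. It should read `read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:-N}`, the `${OK:-N}` form the add_certifier hunk of monkeysphere-server uses. Adding `-r` to the `read` would also stop a backslash in the answer from being interpreted. gen_subkey starts and ends outside this hunk.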
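Review bot: The new usage line for add-certifier says the key is imported and "tsign"ed, while the function comment added in the `@@ -297` hunk of the same file says it is ltsigned in the host keyring; the distinction between an exportable trust signature and a local one matters to an administrator deciding whether to run it, so the help should say what the code does. Suggested line: `add-certifier (a) KEYID import and ltsign a certification key`. The usage heredoc starts outside this hunk.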
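Review bot: `if [ ${OK/y/Y} != 'Y' ] ; then` after the "Generate key?" prompt leaves the expansion unquoted, so an answer containing whitespace (say `no thanks`) makes `[` fail with "too many arguments"; that non-zero status skips the `failure "aborting."` branch and the code after the prompt runs as if the user had confirmed. The publish_server_key hunk (`@@ -284`) has the same unquoted test, where a refusal typed with a space would fall through to the publish step. Quote it as the monkeysphere hunk already does: `if [ "${OK/y/Y}" != 'Y' ] ; then`. The enclosing function starts and ends outside this hunk.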
@@ -284,7 +286,7 @@ fingerprint_server_key() {
 # publish server key to keyserver
 publish_server_key() {
- read -p "really publish key to $KEYSERVER? [y|N]: " OK; OK=${OK:=N}
+ read -p "really publish key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
 if [ ${OK/y/Y} != 'Y' ] ; then
 failure "aborting."
 fi
@@ -297,22 +299,14 @@ publish_server_key() {
 failure "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)."
 }
-# retrieve key from web of trust, and set owner trust to "full"
-# if key is found.
-trust_key() {
+# retrieve key from web of trust, import it into the host keyring, and
+# ltsign the key in the host keyring so that it may certify other keys
+add_certifier() {
 local keyID
- local trustLevel
+ local fingerprint
+ local ltsignCommand
 keyID="$1"
-
- # default values for trust depth and domain
- DEPTH=${DEPTH:-1}
- DOMAIN=${DOMAIN:-}
-
- if [ -z "$keyID" ] ; then
- failure "You must specify key to trust."
- fi
-
 export keyID
 # export host ownertrust to authentication keyring
@@ -332,9 +326,18 @@ trust_key() {
 echo "key found:"
 gpg_authentication "--fingerprint $fingerprint"
+ read -p "Are you sure you want to add this key as a certifier of users on this system? (y/N) " OK; OK=${OK:-N}
+ if [ "${OK/y/Y}" != 'Y' ] ; then
+ failure "aborting."
+ fi
+
+ # export the key to the host keyring
 gpg_authentication "--export $keyID" | gpg_host --import
+ # default values for trust depth and domain
+ DEPTH=${DEPTH:-1}
+ DOMAIN=${DOMAIN:-}
+
+ # ltsign command
+ # NOTE: *all* user IDs will be ltsigned
+ ltsignCommand=$(cat <
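Review bot: add_certifier removes the `if [ -z "$keyID" ]` guard that trust_key had and does not reinstate it anywhere in this hunk, so a missing or empty KEYID now reaches `export keyID` and, presumably, the web-of-trust lookup that the later hunk reports on with "key found:"; unless the subcommand dispatcher validates the argument (not visible here), that lookup runs with an empty search term. Restore the check before `export keyID`: `[ -n "$keyID" ] || failure "You must specify a key ID to add as a certifier."`. Moving the DEPTH and DOMAIN defaults down to just before the ltsign command is fine, since only that command reads them. The function body continues past the end of this hunk.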