summaryrefslogtreecommitdiff
path: root/src/monkeysphere-authentication
blob: d7ec40f0bb6610a57e3f3341b657bcf58b32abfb (plain)
  1. #!/usr/bin/env bash
  2. # monkeysphere-authentication: Monkeysphere authentication admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. # Jamie McClelland <jm@mayfirst.org>
  7. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  8. # Micah Anderson <micah@riseup.net>
  9. #
  10. # They are Copyright 2008-2009, and are all released under the GPL,
  11. # version 3 or later.
  12. ########################################################################
  13. PGRM=$(basename $0)
  14. SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
  15. export SYSSHAREDIR
  16. . "${SYSSHAREDIR}/common" || exit 1
  17. SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere/authentication"}
  18. export SYSDATADIR
  19. # monkeysphere temp directory, in sysdatadir to enable atomic moves of
  20. # authorized_keys files
  21. MSTMPDIR="${SYSDATADIR}/tmp"
  22. export MSTMPDIR
  23. # UTC date in ISO 8601 format if needed
  24. DATE=$(date -u '+%FT%T')
  25. # unset some environment variables that could screw things up
  26. unset GREP_OPTIONS
  27. # default return code
  28. RETURN=0
  29. ########################################################################
  30. # FUNCTIONS
  31. ########################################################################
  32. usage() {
  33. cat <<EOF >&2
  34. usage: $PGRM <subcommand> [options] [args]
  35. Monkeysphere authentication admin tool.
  36. subcommands:
  37. update-users (u) [USER]... update user authorized_keys files
  38. add-id-certifier (c+) KEYID import and tsign a certification key
  39. --domain (-n) DOMAIN limit ID certifications to DOMAIN
  40. --trust (-t) TRUST trust level of certifier (full)
  41. --depth (-d) DEPTH trust depth for certifier (1)
  42. remove-id-certifier (c-) KEYID remove a certification key
  43. list-id-certifiers (c) list certification keys
  44. expert
  45. diagnostics (d) monkeysphere authentication status
  46. gpg-cmd CMD execute gpg command
  47. version (v) show version number
  48. help (h,?) this help
  49. EOF
  50. }
  51. # function to run command as monkeysphere user
  52. su_monkeysphere_user() {
  53. # if the current user is the monkeysphere user, then just eval
  54. # command
  55. if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then
  56. eval "$@"
  57. # otherwise su command as monkeysphere user
  58. else
  59. su "$MONKEYSPHERE_USER" -c "$@"
  60. fi
  61. }
  62. # function to interact with the host gnupg keyring
  63. gpg_host() {
  64. local returnCode
  65. GNUPGHOME="$GNUPGHOME_HOST"
  66. export GNUPGHOME
  67. # NOTE: we supress this warning because we need the monkeysphere
  68. # user to be able to read the host pubring. we realize this might
  69. # be problematic, but it's the simplest solution, without too much
  70. # loss of security.
  71. gpg --no-permission-warning "$@"
  72. returnCode="$?"
  73. # always reset the permissions on the host pubring so that the
  74. # monkeysphere user can read the trust signatures
  75. chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg"
  76. chmod g+r "${GNUPGHOME_HOST}/pubring.gpg"
  77. return "$returnCode"
  78. }
  79. # function to interact with the authentication gnupg keyring
  80. # FIXME: this function requires basically accepts only a single
  81. # argument because of problems with quote expansion. this needs to be
  82. # fixed/improved.
  83. gpg_authentication() {
  84. GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
  85. export GNUPGHOME
  86. su_monkeysphere_user "gpg $@"
  87. }
  88. # check if user is root
  89. is_root() {
  90. [ $(id -u 2>/dev/null) = '0' ]
  91. }
  92. # check that user is root, for functions that require root access
  93. check_user() {
  94. is_root || failure "You must be root to run this command."
  95. }
  96. # output just key fingerprint
  97. fingerprint_server_key() {
  98. # set the pipefail option so functions fails if can't read sec key
  99. set -o pipefail
  100. gpg_host --list-secret-keys --fingerprint \
  101. --with-colons --fixed-list-mode 2> /dev/null | \
  102. grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null
  103. }
  104. # function to check for host secret key
  105. check_host_keyring() {
  106. fingerprint_server_key >/dev/null \
  107. || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-server gen-key' first."
  108. }
  109. ########################################################################
  110. # MAIN
  111. ########################################################################
  112. # unset variables that should be defined only in config file
  113. unset KEYSERVER
  114. unset AUTHORIZED_USER_IDS
  115. unset RAW_AUTHORIZED_KEYS
  116. unset MONKEYSPHERE_USER
  117. # load configuration file
  118. [ -e ${MONKEYSPHERE_SERVER_CONFIG:="${SYSCONFIGDIR}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG"
  119. # set empty config variable with ones from the environment, or with
  120. # defaults
  121. LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
  122. KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
  123. AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
  124. RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
  125. MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
  126. # other variables
  127. CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
  128. REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
  129. GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"}
  130. GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"}
  131. # export variables needed in su invocation
  132. export DATE
  133. export MODE
  134. export MONKEYSPHERE_USER
  135. export LOG_LEVEL
  136. export KEYSERVER
  137. export CHECK_KEYSERVER
  138. export REQUIRED_USER_KEY_CAPABILITY
  139. export GNUPGHOME_HOST
  140. export GNUPGHOME_AUTHENTICATION
  141. export GNUPGHOME
  142. # get subcommand
  143. COMMAND="$1"
  144. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  145. shift
  146. case $COMMAND in
  147. 'update-users'|'update-user'|'u')
  148. check_user
  149. check_host_keyring
  150. update_users "$@"
  151. ;;
  152. 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
  153. check_user
  154. check_host_keyring
  155. add_certifier "$@"
  156. ;;
  157. 'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-')
  158. check_user
  159. check_host_keyring
  160. remove_certifier "$@"
  161. ;;
  162. 'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c')
  163. check_user
  164. check_host_keyring
  165. list_certifiers "$@"
  166. ;;
  167. 'expert'|'e')
  168. check_user
  169. SUBCOMMAND="$1"
  170. shift
  171. case "$SUBCOMMAND" in
  172. 'diagnostics'|'d')
  173. diagnostics
  174. ;;
  175. 'gpg-cmd')
  176. gpg_authentication "$@"
  177. ;;
  178. *)
  179. failure "Unknown expert subcommand: '$COMMAND'
  180. Type '$PGRM help' for usage."
  181. ;;
  182. esac
  183. ;;
  184. 'version'|'v')
  185. echo "$VERSION"
  186. ;;
  187. '--help'|'help'|'-h'|'h'|'?')
  188. usage
  189. ;;
  190. *)
  191. failure "Unknown command: '$COMMAND'
  192. Type '$PGRM help' for usage."
  193. ;;
  194. esac
  195. exit "$RETURN"