#!/usr/bin/env bash # monkeysphere-authentication: Monkeysphere authentication admin tool # # The monkeysphere scripts are written by: # Jameson Rollins <jrollins@finestructure.net> # Jamie McClelland <jm@mayfirst.org> # Daniel Kahn Gillmor <dkg@fifthhorseman.net> # Micah Anderson <micah@riseup.net> # # They are Copyright 2008-2009, and are all released under the GPL, # version 3 or later. ######################################################################## set -e PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} export SYSSHAREDIR . "${SYSSHAREDIR}/common" || exit 1 SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} export SYSDATADIR # sharedir for authentication functions MASHAREDIR="${SYSSHAREDIR}/ma" # datadir for authentication functions MADATADIR="${SYSDATADIR}/authentication" # temp directory to enable atomic moves of authorized_keys files MATMPDIR="${MADATADIR}/tmp" export MSTMPDIR # UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up unset GREP_OPTIONS # default return code RETURN=0 ######################################################################## # FUNCTIONS ######################################################################## usage() { cat <<EOF >&2 usage: $PGRM <subcommand> [options] [args] Monkeysphere authentication admin tool. subcommands: setup (s) setup monkeysphere user authentication update-users (u) [USER]... update user authorized_keys files add-id-certifier (c+) KEYID import and tsign a certification key --domain (-n) DOMAIN limit ID certifications to DOMAIN --trust (-t) TRUST trust level of certifier (full) --depth (-d) DEPTH trust depth for certifier (1) remove-id-certifier (c-) KEYID remove a certification key list-id-certifiers (c) list certification keys expert <expert-subcommand> run expert command expert help expert command help version (v) show version number help (h,?) this help EOF } # function to run command as monkeysphere user su_monkeysphere_user() { # if the current user is the monkeysphere user, then just eval # command if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then eval "$@" # otherwise su command as monkeysphere user else su "$MONKEYSPHERE_USER" -c "$@" fi } # function to interact with the gpg core keyring gpg_core() { GNUPGHOME="$GNUPGHOME_CORE" export GNUPGHOME # NOTE: we supress this warning because we need the monkeysphere # user to be able to read the host pubring. we realize this might # be problematic, but it's the simplest solution, without too much # loss of security. gpg "$@" } # function to interact with the gpg sphere keyring # FIXME: this function requires basically accepts only a single # argument because of problems with quote expansion. this needs to be # fixed/improved. gpg_sphere() { GNUPGHOME="$GNUPGHOME_SPHERE" export GNUPGHOME su_monkeysphere_user "gpg $@" } # export signatures from core to sphere gpg_core_sphere_sig_transfer() { gpg_core --export-options export-local-sigs --export | \ gpg_sphere --import-options import-local-sigs --import } ######################################################################## # MAIN ######################################################################## # unset variables that should be defined only in config file unset KEYSERVER unset AUTHORIZED_USER_IDS unset RAW_AUTHORIZED_KEYS unset MONKEYSPHERE_USER # load configuration file [ -e ${MONKEYSPHERE_AUTHENTICATION_CONFIG:="${SYSCONFIGDIR}/monkeysphere-authentication.conf"} ] && . "$MONKEYSPHERE_AUTHENTICATION_CONFIG" # set empty config variable with ones from the environment, or with # defaults LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}} KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}} AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}} RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}} # other variables CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${MADATADIR}/core"} GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"} CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"} # export variables needed in su invocation export DATE export MODE export LOG_LEVEL export MONKEYSPHERE_USER export KEYSERVER export CHECK_KEYSERVER export REQUIRED_USER_KEY_CAPABILITY export GNUPGHOME_CORE export GNUPGHOME_SPHERE export GNUPGHOME export CORE_KEYLENGTH # get subcommand COMMAND="$1" [ "$COMMAND" ] || failure "Type '$PGRM help' for usage." shift case $COMMAND in 'setup'|'setup'|'s') source "${MASHAREDIR}/setup" setup "$@" ;; 'update-users'|'update-user'|'u') source "${MASHAREDIR}/update_users" update_users "$@" ;; 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+') source "${MASHAREDIR}/add_certifier" add_certifier "$@" ;; 'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-') source "${MASHAREDIR}/remove_certifier" remove_certifier "$@" ;; 'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c') source "${MASHAREDIR}/list_certifiers" list_certifiers "$@" ;; 'expert'|'e') SUBCOMMAND="$1" shift case "$SUBCOMMAND" in 'help'|'h'|'?') cat <<EOF usage: $PGRM expert <subcommand> [options] [args] expert subcommands: diagnostics (d) monkeysphere authentication status gpg-cmd CMD execute gpg command EOF ;; 'diagnostics'|'d') source "${MASHAREDIR}/diagnostics" diagnostics ;; 'gpg-cmd') gpg_sphere "$@" ;; *) failure "Unknown expert subcommand: '$COMMAND' Type '$PGRM help' for usage." ;; esac ;; 'version'|'v') echo "$VERSION" ;; '--help'|'help'|'-h'|'h'|'?') usage ;; *) failure "Unknown command: '$COMMAND' Type '$PGRM help' for usage." ;; esac exit "$RETURN"