summaryrefslogtreecommitdiff
path: root/src/monkeysphere-authentication
blob: 1763b03bfa6b21b6d0a21fe40bc818bc4cd518d4 (plain)
  1. #!/usr/bin/env bash
  2. # monkeysphere-authentication: Monkeysphere authentication admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. # Jamie McClelland <jm@mayfirst.org>
  7. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  8. #
  9. # They are Copyright 2008, and are all released under the GPL, version 3
  10. # or later.
  11. ########################################################################
  12. PGRM=$(basename $0)
  13. SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
  14. export SYSSHAREDIR
  15. . "${SYSSHAREDIR}/common" || exit 1
  16. SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere/authentication"}
  17. export SYSDATADIR
  18. # monkeysphere temp directory, in sysdatadir to enable atomic moves of
  19. # authorized_keys files
  20. MSTMPDIR="${SYSDATADIR}/tmp"
  21. export MSTMPDIR
  22. # UTC date in ISO 8601 format if needed
  23. DATE=$(date -u '+%FT%T')
  24. # unset some environment variables that could screw things up
  25. unset GREP_OPTIONS
  26. # default return code
  27. RETURN=0
  28. ########################################################################
  29. # FUNCTIONS
  30. ########################################################################
  31. usage() {
  32. cat <<EOF >&2
  33. usage: $PGRM <subcommand> [options] [args]
  34. Monkeysphere authentication admin tool.
  35. subcommands:
  36. update-users (u) [USER]... update user authorized_keys files
  37. add-id-certifier (c+) KEYID import and tsign a certification key
  38. --domain (-n) DOMAIN limit ID certifications to DOMAIN
  39. --trust (-t) TRUST trust level of certifier (full)
  40. --depth (-d) DEPTH trust depth for certifier (1)
  41. remove-id-certifier (c-) KEYID remove a certification key
  42. list-id-certifiers (c) list certification keys
  43. expert
  44. diagnostics (d) monkeysphere authentication status
  45. gpg-cmd CMD execute gpg command
  46. version (v) show version number
  47. help (h,?) this help
  48. EOF
  49. }
  50. # function to run command as monkeysphere user
  51. su_monkeysphere_user() {
  52. # if the current user is the monkeysphere user, then just eval
  53. # command
  54. if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then
  55. eval "$@"
  56. # otherwise su command as monkeysphere user
  57. else
  58. su "$MONKEYSPHERE_USER" -c "$@"
  59. fi
  60. }
  61. # function to interact with the host gnupg keyring
  62. gpg_host() {
  63. local returnCode
  64. GNUPGHOME="$GNUPGHOME_HOST"
  65. export GNUPGHOME
  66. # NOTE: we supress this warning because we need the monkeysphere
  67. # user to be able to read the host pubring. we realize this might
  68. # be problematic, but it's the simplest solution, without too much
  69. # loss of security.
  70. gpg --no-permission-warning "$@"
  71. returnCode="$?"
  72. # always reset the permissions on the host pubring so that the
  73. # monkeysphere user can read the trust signatures
  74. chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg"
  75. chmod g+r "${GNUPGHOME_HOST}/pubring.gpg"
  76. return "$returnCode"
  77. }
  78. # function to interact with the authentication gnupg keyring
  79. # FIXME: this function requires basically accepts only a single
  80. # argument because of problems with quote expansion. this needs to be
  81. # fixed/improved.
  82. gpg_authentication() {
  83. GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
  84. export GNUPGHOME
  85. su_monkeysphere_user "gpg $@"
  86. }
  87. # check if user is root
  88. is_root() {
  89. [ $(id -u 2>/dev/null) = '0' ]
  90. }
  91. # check that user is root, for functions that require root access
  92. check_user() {
  93. is_root || failure "You must be root to run this command."
  94. }
  95. # output just key fingerprint
  96. fingerprint_server_key() {
  97. # set the pipefail option so functions fails if can't read sec key
  98. set -o pipefail
  99. gpg_host --list-secret-keys --fingerprint \
  100. --with-colons --fixed-list-mode 2> /dev/null | \
  101. grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null
  102. }
  103. # function to check for host secret key
  104. check_host_keyring() {
  105. fingerprint_server_key >/dev/null \
  106. || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-server gen-key' first."
  107. }
  108. ########################################################################
  109. # MAIN
  110. ########################################################################
  111. # unset variables that should be defined only in config file
  112. unset KEYSERVER
  113. unset AUTHORIZED_USER_IDS
  114. unset RAW_AUTHORIZED_KEYS
  115. unset MONKEYSPHERE_USER
  116. # load configuration file
  117. [ -e ${MONKEYSPHERE_SERVER_CONFIG:="${SYSCONFIGDIR}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG"
  118. # set empty config variable with ones from the environment, or with
  119. # defaults
  120. LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
  121. KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
  122. AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
  123. RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
  124. MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
  125. # other variables
  126. CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
  127. REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
  128. GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"}
  129. GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"}
  130. # export variables needed in su invocation
  131. export DATE
  132. export MODE
  133. export MONKEYSPHERE_USER
  134. export LOG_LEVEL
  135. export KEYSERVER
  136. export CHECK_KEYSERVER
  137. export REQUIRED_USER_KEY_CAPABILITY
  138. export GNUPGHOME_HOST
  139. export GNUPGHOME_AUTHENTICATION
  140. export GNUPGHOME
  141. # get subcommand
  142. COMMAND="$1"
  143. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  144. shift
  145. case $COMMAND in
  146. 'update-users'|'update-user'|'u')
  147. check_user
  148. check_host_keyring
  149. update_users "$@"
  150. ;;
  151. 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
  152. check_user
  153. check_host_keyring
  154. add_certifier "$@"
  155. ;;
  156. 'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-')
  157. check_user
  158. check_host_keyring
  159. remove_certifier "$@"
  160. ;;
  161. 'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c')
  162. check_user
  163. check_host_keyring
  164. list_certifiers "$@"
  165. ;;
  166. 'expert'|'e')
  167. check_user
  168. SUBCOMMAND="$1"
  169. shift
  170. case "$SUBCOMMAND" in
  171. 'diagnostics'|'d')
  172. diagnostics
  173. ;;
  174. 'gpg-cmd')
  175. gpg_authentication "$@"
  176. ;;
  177. *)
  178. failure "Unknown expert subcommand: '$COMMAND'
  179. Type '$PGRM help' for usage."
  180. ;;
  181. esac
  182. ;;
  183. 'version'|'v')
  184. echo "$VERSION"
  185. ;;
  186. '--help'|'help'|'-h'|'h'|'?')
  187. usage
  188. ;;
  189. *)
  190. failure "Unknown command: '$COMMAND'
  191. Type '$PGRM help' for usage."
  192. ;;
  193. esac
  194. exit "$RETURN"