#!/usr/bin/env bash # monkeysphere-host: Monkeysphere host admin tool # # The monkeysphere scripts are written by: # Jameson Rollins <jrollins@fifthhorseman.net> # Jamie McClelland <jm@mayfirst.org> # Daniel Kahn Gillmor <dkg@fifthhorseman.net> # # They are Copyright 2008, and are all released under the GPL, version 3 # or later. ######################################################################## PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} export SYSSHAREDIR . "${SYSSHAREDIR}/common" || exit 1 SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere/host"} export SYSDATADIR # monkeysphere temp directory, in sysdatadir to enable atomic moves of # authorized_keys files MSTMPDIR="${SYSDATADIR}/tmp" export MSTMPDIR # UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up unset GREP_OPTIONS # default return code RETURN=0 ######################################################################## # FUNCTIONS ######################################################################## usage() { cat <<EOF >&2 usage: $PGRM <subcommand> [options] [args] Monkeysphere host admin tool. subcommands: show-key (s) output all host key information extend-key (e) EXPIRE extend host key expiration add-hostname (n+) NAME[:PORT] add hostname user ID to host key revoke-hostname (n-) NAME[:PORT] revoke hostname user ID add-revoker (o) FINGERPRINT add a revoker to the host key revoke-key (r) revoke host key publish-key (p) publish server host key to keyserver expert import-key (i) NAME[:PORT] import existing ssh key to gpg --keyfile (-f) FILE key file to import --expire (-e) EXPIRE date to expire gen-key (g) NAME[:PORT] generate gpg key for the host --length (-l) BITS key length in bits (2048) --expire (-e) EXPIRE date to expire --revoker (-r) FINGERPRINT add a revoker diagnostics (d) monkeysphere host status version (v) show version number help (h,?) this help EOF } # function to run command as monkeysphere user su_monkeysphere_user() { # if the current user is the monkeysphere user, then just eval # command if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then eval "$@" # otherwise su command as monkeysphere user else su "$MONKEYSPHERE_USER" -c "$@" fi } # function to interact with the host gnupg keyring gpg_host() { local returnCode GNUPGHOME="$GNUPGHOME_HOST" export GNUPGHOME # NOTE: we supress this warning because we need the monkeysphere # user to be able to read the host pubring. we realize this might # be problematic, but it's the simplest solution, without too much # loss of security. gpg --no-permission-warning "$@" returnCode="$?" # always reset the permissions on the host pubring so that the # monkeysphere user can read the trust signatures chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg" chmod g+r "${GNUPGHOME_HOST}/pubring.gpg" return "$returnCode" } # output just key fingerprint fingerprint_server_key() { # set the pipefail option so functions fails if can't read sec key set -o pipefail gpg_host --list-secret-keys --fingerprint \ --with-colons --fixed-list-mode 2> /dev/null | \ grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null } # function to check for host secret key check_host_keyring() { fingerprint_server_key >/dev/null \ || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-server gen-key' first." } ######################################################################## # MAIN ######################################################################## # unset variables that should be defined only in config file unset KEYSERVER unset AUTHORIZED_USER_IDS unset RAW_AUTHORIZED_KEYS unset MONKEYSPHERE_USER # load configuration file [ -e ${MONKEYSPHERE_SERVER_CONFIG:="${SYSCONFIGDIR}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG" # set empty config variable with ones from the environment, or with # defaults LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}} KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}} AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}} RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}} # other variables CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"} REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"} GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"} # export variables needed in su invocation export DATE export MODE export MONKEYSPHERE_USER export LOG_LEVEL export KEYSERVER export CHECK_KEYSERVER export REQUIRED_USER_KEY_CAPABILITY export GNUPGHOME_HOST export GNUPGHOME_AUTHENTICATION export GNUPGHOME # get subcommand COMMAND="$1" [ "$COMMAND" ] || failure "Type '$PGRM help' for usage." shift case $COMMAND in 'show-key'|'show'|'s') show_server_key ;; 'extend-key'|'e') check_host_keyring extend_key "$@" ;; 'add-hostname'|'add-name'|'n+') check_host_keyring add_hostname "$@" ;; 'revoke-hostname'|'revoke-name'|'n-') check_host_keyring revoke_hostname "$@" ;; 'add-revoker'|'o') check_host_keyring add_revoker "$@" ;; 'revoke-key'|'r') check_host_keyring revoke_key "$@" ;; 'publish-key'|'publish'|'p') check_host_keyring publish_server_key ;; 'expert'|'e') check_user SUBCOMMAND="$1" shift case "$SUBCOMMAND" in 'import-key'|'i') import_key "$@" ;; 'gen-key'|'g') gen_key "$@" ;; 'diagnostics'|'d') diagnostics ;; *) failure "Unknown expert subcommand: '$COMMAND' Type '$PGRM help' for usage." ;; esac ;; 'version'|'v') echo "$VERSION" ;; '--help'|'help'|'-h'|'h'|'?') usage ;; *) failure "Unknown command: '$COMMAND' Type '$PGRM help' for usage." ;; esac exit "$RETURN"