summaryrefslogtreecommitdiff
path: root/src/monkeysphere-host
blob: 19ab5fcf8e7c84c72c13cff342b0c30872b524c9 (plain)
  1. #!/usr/bin/env bash
  2. # monkeysphere-host: Monkeysphere host admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. # Jamie McClelland <jm@mayfirst.org>
  7. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  8. #
  9. # They are Copyright 2008, and are all released under the GPL, version 3
  10. # or later.
  11. ########################################################################
  12. PGRM=$(basename $0)
  13. SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
  14. export SYSSHAREDIR
  15. . "${SYSSHAREDIR}/common" || exit 1
  16. SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere/host"}
  17. export SYSDATADIR
  18. # monkeysphere temp directory, in sysdatadir to enable atomic moves of
  19. # authorized_keys files
  20. MSTMPDIR="${SYSDATADIR}/tmp"
  21. export MSTMPDIR
  22. # UTC date in ISO 8601 format if needed
  23. DATE=$(date -u '+%FT%T')
  24. # unset some environment variables that could screw things up
  25. unset GREP_OPTIONS
  26. # default return code
  27. RETURN=0
  28. ########################################################################
  29. # FUNCTIONS
  30. ########################################################################
  31. usage() {
  32. cat <<EOF >&2
  33. usage: $PGRM <subcommand> [options] [args]
  34. Monkeysphere host admin tool.
  35. subcommands:
  36. show-key (s) output all host key information
  37. extend-key (e) EXPIRE extend host key expiration
  38. add-hostname (n+) NAME[:PORT] add hostname user ID to host key
  39. revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
  40. add-revoker (o) FINGERPRINT add a revoker to the host key
  41. revoke-key (r) revoke host key
  42. publish-key (p) publish server host key to keyserver
  43. expert
  44. import-key (i) NAME[:PORT] import existing ssh key to gpg
  45. --keyfile (-f) FILE key file to import
  46. --expire (-e) EXPIRE date to expire
  47. gen-key (g) NAME[:PORT] generate gpg key for the host
  48. --length (-l) BITS key length in bits (2048)
  49. --expire (-e) EXPIRE date to expire
  50. --revoker (-r) FINGERPRINT add a revoker
  51. diagnostics (d) monkeysphere host status
  52. version (v) show version number
  53. help (h,?) this help
  54. EOF
  55. }
  56. # function to run command as monkeysphere user
  57. su_monkeysphere_user() {
  58. # if the current user is the monkeysphere user, then just eval
  59. # command
  60. if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then
  61. eval "$@"
  62. # otherwise su command as monkeysphere user
  63. else
  64. su "$MONKEYSPHERE_USER" -c "$@"
  65. fi
  66. }
  67. # function to interact with the host gnupg keyring
  68. gpg_host() {
  69. local returnCode
  70. GNUPGHOME="$GNUPGHOME_HOST"
  71. export GNUPGHOME
  72. # NOTE: we supress this warning because we need the monkeysphere
  73. # user to be able to read the host pubring. we realize this might
  74. # be problematic, but it's the simplest solution, without too much
  75. # loss of security.
  76. gpg --no-permission-warning "$@"
  77. returnCode="$?"
  78. # always reset the permissions on the host pubring so that the
  79. # monkeysphere user can read the trust signatures
  80. chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg"
  81. chmod g+r "${GNUPGHOME_HOST}/pubring.gpg"
  82. return "$returnCode"
  83. }
  84. # output just key fingerprint
  85. fingerprint_server_key() {
  86. # set the pipefail option so functions fails if can't read sec key
  87. set -o pipefail
  88. gpg_host --list-secret-keys --fingerprint \
  89. --with-colons --fixed-list-mode 2> /dev/null | \
  90. grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null
  91. }
  92. # function to check for host secret key
  93. check_host_keyring() {
  94. fingerprint_server_key >/dev/null \
  95. || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-server gen-key' first."
  96. }
  97. ########################################################################
  98. # MAIN
  99. ########################################################################
  100. # unset variables that should be defined only in config file
  101. unset KEYSERVER
  102. unset AUTHORIZED_USER_IDS
  103. unset RAW_AUTHORIZED_KEYS
  104. unset MONKEYSPHERE_USER
  105. # load configuration file
  106. [ -e ${MONKEYSPHERE_SERVER_CONFIG:="${SYSCONFIGDIR}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG"
  107. # set empty config variable with ones from the environment, or with
  108. # defaults
  109. LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
  110. KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
  111. AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
  112. RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
  113. MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
  114. # other variables
  115. CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
  116. REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
  117. GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"}
  118. GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"}
  119. # export variables needed in su invocation
  120. export DATE
  121. export MODE
  122. export MONKEYSPHERE_USER
  123. export LOG_LEVEL
  124. export KEYSERVER
  125. export CHECK_KEYSERVER
  126. export REQUIRED_USER_KEY_CAPABILITY
  127. export GNUPGHOME_HOST
  128. export GNUPGHOME_AUTHENTICATION
  129. export GNUPGHOME
  130. # get subcommand
  131. COMMAND="$1"
  132. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  133. shift
  134. case $COMMAND in
  135. 'show-key'|'show'|'s')
  136. show_server_key
  137. ;;
  138. 'extend-key'|'e')
  139. check_host_keyring
  140. extend_key "$@"
  141. ;;
  142. 'add-hostname'|'add-name'|'n+')
  143. check_host_keyring
  144. add_hostname "$@"
  145. ;;
  146. 'revoke-hostname'|'revoke-name'|'n-')
  147. check_host_keyring
  148. revoke_hostname "$@"
  149. ;;
  150. 'add-revoker'|'o')
  151. check_host_keyring
  152. add_revoker "$@"
  153. ;;
  154. 'revoke-key'|'r')
  155. check_host_keyring
  156. revoke_key "$@"
  157. ;;
  158. 'publish-key'|'publish'|'p')
  159. check_host_keyring
  160. publish_server_key
  161. ;;
  162. 'expert'|'e')
  163. check_user
  164. SUBCOMMAND="$1"
  165. shift
  166. case "$SUBCOMMAND" in
  167. 'import-key'|'i')
  168. import_key "$@"
  169. ;;
  170. 'gen-key'|'g')
  171. gen_key "$@"
  172. ;;
  173. 'diagnostics'|'d')
  174. diagnostics
  175. ;;
  176. *)
  177. failure "Unknown expert subcommand: '$COMMAND'
  178. Type '$PGRM help' for usage."
  179. ;;
  180. esac
  181. ;;
  182. 'version'|'v')
  183. echo "$VERSION"
  184. ;;
  185. '--help'|'help'|'-h'|'h'|'?')
  186. usage
  187. ;;
  188. *)
  189. failure "Unknown command: '$COMMAND'
  190. Type '$PGRM help' for usage."
  191. ;;
  192. esac
  193. exit "$RETURN"