summaryrefslogtreecommitdiff
path: root/src/monkeysphere-host
blob: 5c97aa671887eaeb45579345b699ae1ad14c34c5 (plain)
  1. #!/usr/bin/env bash
  2. # monkeysphere-host: Monkeysphere host admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. # Jamie McClelland <jm@mayfirst.org>
  7. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  8. #
  9. # They are Copyright 2008, and are all released under the GPL, version 3
  10. # or later.
  11. ########################################################################
  12. PGRM=$(basename $0)
  13. SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
  14. export SYSSHAREDIR
  15. . "${SYSSHAREDIR}/common" || exit 1
  16. SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere/host"}
  17. export SYSDATADIR
  18. # monkeysphere temp directory, in sysdatadir to enable atomic moves of
  19. # authorized_keys files
  20. MSTMPDIR="${SYSDATADIR}/tmp"
  21. export MSTMPDIR
  22. # UTC date in ISO 8601 format if needed
  23. DATE=$(date -u '+%FT%T')
  24. # unset some environment variables that could screw things up
  25. unset GREP_OPTIONS
  26. # default return code
  27. RETURN=0
  28. ########################################################################
  29. # FUNCTIONS
  30. ########################################################################
  31. usage() {
  32. cat <<EOF >&2
  33. usage: $PGRM <subcommand> [options] [args]
  34. Monkeysphere host admin tool.
  35. subcommands:
  36. show-key (s) output all host key information
  37. extend-key (e) EXPIRE extend host key expiration
  38. add-hostname (n+) NAME[:PORT] add hostname user ID to host key
  39. revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
  40. add-revoker (o) FINGERPRINT add a revoker to the host key
  41. revoke-key (r) revoke host key
  42. publish-key (p) publish server host key to keyserver
  43. expert
  44. import-key (i) import existing ssh key to gpg
  45. --hostname (-h) NAME[:PORT] hostname for key user ID
  46. --keyfile (-f) FILE key file to import
  47. --expire (-e) EXPIRE date to expire
  48. gen-key (g) generate gpg key for the host
  49. --hostname (-h) NAME[:PORT] hostname for key user ID
  50. --length (-l) BITS key length in bits (2048)
  51. --expire (-e) EXPIRE date to expire
  52. --revoker (-r) FINGERPRINT add a revoker
  53. diagnostics (d) monkeysphere host status
  54. version (v) show version number
  55. help (h,?) this help
  56. EOF
  57. }
  58. # function to run command as monkeysphere user
  59. su_monkeysphere_user() {
  60. # if the current user is the monkeysphere user, then just eval
  61. # command
  62. if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then
  63. eval "$@"
  64. # otherwise su command as monkeysphere user
  65. else
  66. su "$MONKEYSPHERE_USER" -c "$@"
  67. fi
  68. }
  69. # function to interact with the host gnupg keyring
  70. gpg_host() {
  71. local returnCode
  72. GNUPGHOME="$GNUPGHOME_HOST"
  73. export GNUPGHOME
  74. # NOTE: we supress this warning because we need the monkeysphere
  75. # user to be able to read the host pubring. we realize this might
  76. # be problematic, but it's the simplest solution, without too much
  77. # loss of security.
  78. gpg --no-permission-warning "$@"
  79. returnCode="$?"
  80. # always reset the permissions on the host pubring so that the
  81. # monkeysphere user can read the trust signatures
  82. chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg"
  83. chmod g+r "${GNUPGHOME_HOST}/pubring.gpg"
  84. return "$returnCode"
  85. }
  86. # check if user is root
  87. is_root() {
  88. [ $(id -u 2>/dev/null) = '0' ]
  89. }
  90. # check that user is root, for functions that require root access
  91. check_user() {
  92. is_root || failure "You must be root to run this command."
  93. }
  94. # output just key fingerprint
  95. fingerprint_server_key() {
  96. # set the pipefail option so functions fails if can't read sec key
  97. set -o pipefail
  98. gpg_host --list-secret-keys --fingerprint \
  99. --with-colons --fixed-list-mode 2> /dev/null | \
  100. grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null
  101. }
  102. # function to check for host secret key
  103. check_host_keyring() {
  104. fingerprint_server_key >/dev/null \
  105. || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-server gen-key' first."
  106. }
  107. ########################################################################
  108. # MAIN
  109. ########################################################################
  110. # unset variables that should be defined only in config file
  111. unset KEYSERVER
  112. unset AUTHORIZED_USER_IDS
  113. unset RAW_AUTHORIZED_KEYS
  114. unset MONKEYSPHERE_USER
  115. # load configuration file
  116. [ -e ${MONKEYSPHERE_SERVER_CONFIG:="${SYSCONFIGDIR}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG"
  117. # set empty config variable with ones from the environment, or with
  118. # defaults
  119. LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
  120. KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
  121. AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
  122. RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
  123. MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
  124. # other variables
  125. CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
  126. REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
  127. GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"}
  128. GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"}
  129. # export variables needed in su invocation
  130. export DATE
  131. export MODE
  132. export MONKEYSPHERE_USER
  133. export LOG_LEVEL
  134. export KEYSERVER
  135. export CHECK_KEYSERVER
  136. export REQUIRED_USER_KEY_CAPABILITY
  137. export GNUPGHOME_HOST
  138. export GNUPGHOME_AUTHENTICATION
  139. export GNUPGHOME
  140. # get subcommand
  141. COMMAND="$1"
  142. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  143. shift
  144. case $COMMAND in
  145. 'show-key'|'show'|'s')
  146. show_server_key
  147. ;;
  148. 'extend-key'|'e')
  149. check_user
  150. check_host_keyring
  151. extend_key "$@"
  152. ;;
  153. 'add-hostname'|'add-name'|'n+')
  154. check_user
  155. check_host_keyring
  156. add_hostname "$@"
  157. ;;
  158. 'revoke-hostname'|'revoke-name'|'n-')
  159. check_user
  160. check_host_keyring
  161. revoke_hostname "$@"
  162. ;;
  163. 'add-revoker'|'o')
  164. check_user
  165. check_host_keyring
  166. add_revoker "$@"
  167. ;;
  168. 'revoke-key'|'r')
  169. check_user
  170. check_host_keyring
  171. revoke_key "$@"
  172. ;;
  173. 'publish-key'|'publish'|'p')
  174. check_user
  175. check_host_keyring
  176. publish_server_key
  177. ;;
  178. 'expert'|'e')
  179. check_user
  180. SUBCOMMAND="$1"
  181. shift
  182. case "$SUBCOMMAND" in
  183. 'import-key'|'i')
  184. import_key "$@"
  185. ;;
  186. 'gen-key'|'g')
  187. gen_key "$@"
  188. ;;
  189. 'diagnostics'|'d')
  190. diagnostics
  191. ;;
  192. *)
  193. failure "Unknown expert subcommand: '$COMMAND'
  194. Type '$PGRM help' for usage."
  195. ;;
  196. esac
  197. ;;
  198. 'version'|'v')
  199. echo "$VERSION"
  200. ;;
  201. '--help'|'help'|'-h'|'h'|'?')
  202. usage
  203. ;;
  204. *)
  205. failure "Unknown command: '$COMMAND'
  206. Type '$PGRM help' for usage."
  207. ;;
  208. esac
  209. exit "$RETURN"