summaryrefslogtreecommitdiff
path: root/src/monkeysphere-host
blob: 8562ec64e9cf74330268fb375d87f24323e18a5b (plain)
  1. #!/usr/bin/env bash
  2. # monkeysphere-host: Monkeysphere host admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@finestructure.net>
  6. # Jamie McClelland <jm@mayfirst.org>
  7. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  8. # Micah Anderson <micah@riseup.net>
  9. #
  10. # They are Copyright 2008-2009, and are all released under the GPL,
  11. # version 3 or later.
  12. ########################################################################
  13. set -e
  14. # set the pipefail option so pipelines fail on first command failure
  15. set -o pipefail
  16. PGRM=$(basename $0)
  17. SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
  18. export SYSSHAREDIR
  19. . "${SYSSHAREDIR}/common" || exit 1
  20. SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
  21. export SYSDATADIR
  22. # sharedir for host functions
  23. MHSHAREDIR="${SYSSHAREDIR}/mh"
  24. # datadir for host functions
  25. MHDATADIR="${SYSDATADIR}/host"
  26. # temp directory for temp gnupghome directories for add_revoker
  27. MHTMPDIR="${MHDATADIR}/tmp"
  28. export MHTMPDIR
  29. # host pub key files
  30. HOST_KEY_FILE="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
  31. # UTC date in ISO 8601 format if needed
  32. DATE=$(date -u '+%FT%T')
  33. # unset some environment variables that could screw things up
  34. unset GREP_OPTIONS
  35. # default return code
  36. RETURN=0
  37. ########################################################################
  38. # FUNCTIONS
  39. ########################################################################
  40. usage() {
  41. cat <<EOF >&2
  42. usage: $PGRM <subcommand> [options] [args]
  43. Monkeysphere host admin tool.
  44. subcommands:
  45. show-key (s) output all host key information
  46. set-expire (e) EXPIRE set host key expiration
  47. add-hostname (n+) NAME[:PORT] add hostname user ID to host key
  48. revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
  49. add-revoker (o) FINGERPRINT add a revoker to the host key
  50. revoke-key (r) revoke host key
  51. publish-key (p) publish host key to keyserver
  52. import-key (i) [NAME[:PORT]] import existing ssh key to gpg
  53. version (v) show version number
  54. help (h,?) this help
  55. See ${PGRM}(8) for more info.
  56. EOF
  57. }
  58. # function to interact with the gpg keyring
  59. gpg_host() {
  60. GNUPGHOME="$GNUPGHOME_HOST" gpg "$@"
  61. }
  62. # command to list the info about the host key, in colon format
  63. gpg_host_list() {
  64. gpg_host --list-keys --with-colons --fixed-list-mode \
  65. --with-fingerprint --with-fingerprint \
  66. "0x${HOST_FINGERPRINT}!"
  67. }
  68. # command for edit key scripts, takes scripts on stdin
  69. gpg_host_edit() {
  70. gpg_host --quiet --command-fd 0 --edit-key \
  71. "0x${HOST_FINGERPRINT}!" "$@"
  72. }
  73. # export the host public key to the monkeysphere gpg pub key file
  74. create_gpg_pub_file() {
  75. log debug "creating openpgp public key file..."
  76. gpg_host --export --armor --export-options export-minimal \
  77. "0x${HOST_FINGERPRINT}!" > "$HOST_KEY_FILE"
  78. log info "GPG host public key file: $HOST_KEY_FILE"
  79. }
  80. # load the host fingerprint into the fingerprint variable, using the
  81. # export gpg pub key file
  82. # FIXME: this seems much less than ideal, with all this temp keyring
  83. # stuff. is there a way we can do this without having to create temp
  84. # files?
  85. load_fingerprint() {
  86. if [ -f "$HOST_KEY_FILE" ] ; then
  87. HOST_FINGERPRINT=$( \
  88. (FUBAR=$(mktemp -d) && export GNUPGHOME="$FUBAR" \
  89. && gpg --quiet --import \
  90. && gpg --quiet --list-keys --with-colons --with-fingerprint \
  91. && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \
  92. | grep '^fpr:' | cut -d: -f10 )
  93. else
  94. HOST_FINGERPRINT=
  95. fi
  96. }
  97. # load the host fingerprint into the fingerprint variable, using the
  98. # gpg host secret key
  99. load_fingerprint_secret() {
  100. HOST_FINGERPRINT=$( \
  101. gpg_host --quiet --list-secret-key \
  102. --with-colons --with-fingerprint \
  103. | grep '^fpr:' | cut -d: -f10 )
  104. }
  105. # fail if host key present
  106. check_host_key() {
  107. [ ! -s "$HOST_KEY_FILE" ] \
  108. || failure "An OpenPGP host key already exists."
  109. }
  110. # fail if host key not present
  111. check_host_no_key() {
  112. [ -s "$HOST_KEY_FILE" ] \
  113. || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host import-key' first."
  114. }
  115. # output the index of a user ID on the host key
  116. # return 1 if user ID not found
  117. find_host_userid() {
  118. local userID="$1"
  119. local tmpuidMatch
  120. local line
  121. # match to only ultimately trusted user IDs
  122. tmpuidMatch="u:$(echo $userID | gpg_escape)"
  123. # find the index of the requsted user ID
  124. # NOTE: this is based on circumstantial evidence that the order of
  125. # this output is the appropriate index
  126. line=$(gpg_host_list | egrep '^(uid|uat):' | cut -f2,10 -d: | \
  127. grep -n -x -F "$tmpuidMatch" 2>/dev/null)
  128. if [ "$line" ] ; then
  129. echo ${line%%:*}
  130. return 0
  131. else
  132. return 1
  133. fi
  134. }
  135. # show info about the host key
  136. show_key() {
  137. local GNUPGHOME
  138. # tmp gpghome dir
  139. export GNUPGHOME=$(mktemp -d)
  140. # trap to remove tmp dir if break
  141. trap "rm -rf $GNUPGHOME" EXIT
  142. gpg --quiet --import <"$HOST_KEY_FILE"
  143. HOST_FINGERPRINT=$(gpg --quiet --list-keys --with-colons --with-fingerprint \
  144. | grep '^fpr:' | cut -d: -f10 )
  145. # list the host key info
  146. gpg --list-keys --fingerprint \
  147. --list-options show-unusable-uids 2>/dev/null
  148. # list the pgp fingerprint
  149. echo "OpenPGP fingerprint: $HOST_FINGERPRINT"
  150. # list the ssh fingerprint
  151. echo -n "ssh fingerprint: "
  152. ssh-keygen -l -f /dev/stdin \
  153. <<<$(openpgp2ssh <"$HOST_KEY_FILE" 2>/dev/null) \
  154. | awk '{ print $1, $2, $4 }'
  155. # remove the tmp file
  156. trap - EXIT
  157. rm -rf "$GNUPGHOME"
  158. }
  159. ########################################################################
  160. # MAIN
  161. ########################################################################
  162. # unset variables that should be defined only in config file
  163. unset KEYSERVER
  164. unset MONKEYSPHERE_USER
  165. # load configuration file
  166. [ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] && . "$MONKEYSPHERE_HOST_CONFIG"
  167. # set empty config variable with ones from the environment, or with
  168. # defaults
  169. LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
  170. KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
  171. AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
  172. RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
  173. MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
  174. # other variables
  175. CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
  176. GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
  177. # export variables needed in su invocation
  178. export DATE
  179. export MODE
  180. export LOG_LEVEL
  181. export MONKEYSPHERE_USER
  182. export KEYSERVER
  183. export GNUPGHOME_HOST
  184. export GNUPGHOME
  185. export HOST_FINGERPRINT=
  186. # get subcommand
  187. COMMAND="$1"
  188. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  189. shift
  190. case $COMMAND in
  191. 'show-key'|'show'|'s')
  192. check_host_no_key
  193. show_key
  194. ;;
  195. 'set-expire'|'extend-key'|'e')
  196. check_host_no_key
  197. load_fingerprint
  198. source "${MHSHAREDIR}/set_expire"
  199. set_expire "$@"
  200. ;;
  201. 'add-hostname'|'add-name'|'n+')
  202. check_host_no_key
  203. load_fingerprint
  204. source "${MHSHAREDIR}/add_hostname"
  205. add_hostname "$@"
  206. ;;
  207. 'revoke-hostname'|'revoke-name'|'n-')
  208. check_host_no_key
  209. load_fingerprint
  210. source "${MHSHAREDIR}/revoke_hostname"
  211. revoke_hostname "$@"
  212. ;;
  213. 'add-revoker'|'o')
  214. check_host_no_key
  215. load_fingerprint
  216. source "${MHSHAREDIR}/add_revoker"
  217. add_revoker "$@"
  218. ;;
  219. 'revoke-key'|'r')
  220. check_host_no_key
  221. load_fingerprint
  222. source "${MHSHAREDIR}/revoke_key"
  223. revoke_key "$@"
  224. ;;
  225. 'publish-key'|'publish'|'p')
  226. check_host_no_key
  227. load_fingerprint
  228. source "${MHSHAREDIR}/publish_key"
  229. publish_key
  230. ;;
  231. 'import-key'|'i')
  232. check_host_key
  233. source "${MHSHAREDIR}/import_key"
  234. import_key "$@"
  235. ;;
  236. 'diagnostics'|'d')
  237. load_fingerprint
  238. source "${MHSHAREDIR}/diagnostics"
  239. diagnostics
  240. ;;
  241. 'version'|'v')
  242. echo "$VERSION"
  243. ;;
  244. '--help'|'help'|'-h'|'h'|'?')
  245. usage
  246. ;;
  247. *)
  248. failure "Unknown command: '$COMMAND'
  249. Type '$PGRM help' for usage."
  250. ;;
  251. esac
  252. exit "$RETURN"