blob: bd956e09cd1f87f65a3a0704736d8bb518f6d156 (
plain)
- #!/usr/bin/env bash
- # monkeysphere-host: Monkeysphere host admin tool
- #
- # The monkeysphere scripts are written by:
- # Jameson Rollins <jrollins@finestructure.net>
- # Jamie McClelland <jm@mayfirst.org>
- # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- # Micah Anderson <micah@riseup.net>
- #
- # They are Copyright 2008-2009, and are all released under the GPL,
- # version 3 or later.
- ########################################################################
- set -e
- # set the pipefail option so pipelines fail on first command failure
- set -o pipefail
- PGRM=$(basename $0)
- SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
- export SYSSHAREDIR
- . "${SYSSHAREDIR}/common" || exit 1
- SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
- export SYSDATADIR
- # sharedir for host functions
- MHSHAREDIR="${SYSSHAREDIR}/mh"
- # datadir for host functions
- MHDATADIR="${SYSDATADIR}/host"
- # temp directory for temp gnupghome directories for add_revoker
- MHTMPDIR="${MHDATADIR}/tmp"
- export MHTMPDIR
- # host pub key files
- HOST_KEY_FILE="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
- # UTC date in ISO 8601 format if needed
- DATE=$(date -u '+%FT%T')
- # unset some environment variables that could screw things up
- unset GREP_OPTIONS
- # default return code
- RETURN=0
- ########################################################################
- # FUNCTIONS
- ########################################################################
- usage() {
- cat <<EOF >&2
- usage: $PGRM <subcommand> [options] [args]
- Monkeysphere host admin tool.
- subcommands:
- show-key (s) output all host key information
- set-expire (e) EXPIRE set host key expiration
- add-hostname (n+) NAME[:PORT] add hostname user ID to host key
- revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
- add-revoker (o) FINGERPRINT add a revoker to the host key
- revoke-key (r) revoke host key
- publish-key (p) publish host key to keyserver
- import-key (i) [NAME[:PORT]] import existing ssh key to gpg
- version (v) show version number
- help (h,?) this help
- See ${PGRM}(8) for more info.
- EOF
- }
- # function to interact with the gpg keyring
- gpg_host() {
- GNUPGHOME="$GNUPGHOME_HOST" gpg "$@"
- }
- # command to list the info about the host key, in colon format
- gpg_host_list() {
- gpg_host --list-keys --with-colons --fixed-list-mode \
- --with-fingerprint --with-fingerprint \
- "0x${HOST_FINGERPRINT}!"
- }
- # command for edit key scripts, takes scripts on stdin
- gpg_host_edit() {
- gpg_host --quiet --command-fd 0 --edit-key \
- "0x${HOST_FINGERPRINT}!" "$@"
- }
- # export the host public key to the monkeysphere gpg pub key file
- create_gpg_pub_file() {
- log debug "creating openpgp public key file..."
- gpg_host --export --armor --export-options export-minimal \
- "0x${HOST_FINGERPRINT}!" > "$HOST_KEY_FILE"
- log info "GPG host public key file: $HOST_KEY_FILE"
- }
- # load the host fingerprint into the fingerprint variable, using the
- # export gpg pub key file
- # FIXME: this seems much less than ideal, with all this temp keyring
- # stuff. is there a way we can do this without having to create temp
- # files?
- load_fingerprint() {
- if [ -f "$HOST_KEY_FILE" ] ; then
- HOST_FINGERPRINT=$( \
- (FUBAR=$(mktemp -d) && export GNUPGHOME="$FUBAR" \
- && gpg --quiet --import \
- && gpg --quiet --list-keys --with-colons --with-fingerprint \
- && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \
- | grep '^fpr:' | cut -d: -f10 )
- else
- HOST_FINGERPRINT=
- fi
- }
- # load the host fingerprint into the fingerprint variable, using the
- # gpg host secret key
- load_fingerprint_secret() {
- HOST_FINGERPRINT=$( \
- gpg_host --quiet --list-secret-key \
- --with-colons --with-fingerprint \
- | grep '^fpr:' | cut -d: -f10 )
- }
- # fail if host key present
- check_host_key() {
- [ -z "$HOST_FINGERPRINT" ] \
- || failure "An OpenPGP host key already exists."
- }
- # fail if host key not present
- check_host_no_key() {
- [ "$HOST_FINGERPRINT" ] \
- || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-host expert import-key' first."
- }
- # output the index of a user ID on the host key
- # return 1 if user ID not found
- find_host_userid() {
- local userID="$1"
- local tmpuidMatch
- local line
- # match to only ultimately trusted user IDs
- tmpuidMatch="u:$(echo $userID | gpg_escape)"
- # find the index of the requsted user ID
- # NOTE: this is based on circumstantial evidence that the order of
- # this output is the appropriate index
- line=$(gpg_host_list | egrep '^(uid|uat):' | cut -f2,10 -d: | \
- grep -n -x -F "$tmpuidMatch" 2>/dev/null)
- if [ "$line" ] ; then
- echo ${line%%:*}
- return 0
- else
- return 1
- fi
- }
- # show info about the host key
- show_key() {
- gpg_host --fingerprint --list-key --list-options show-unusable-uids \
- "0x${HOST_FINGERPRINT}!" 2>/dev/null || true
- # FIXME: make sure expiration date is shown
- echo "OpenPGP fingerprint: $HOST_FINGERPRINT"
- echo -n "ssh fingerprint: "
- ssh-keygen -l -f /dev/stdin \
- <<<$( gpg_host --export "$HOST_FINGERPRINT" 2>/dev/null \
- | openpgp2ssh "$HOST_FINGERPRINT" 2>/dev/null) \
- | awk '{ print $1, $2, $4 }'
- # FIXME: other relevant key parameters?
- }
- ########################################################################
- # MAIN
- ########################################################################
- # unset variables that should be defined only in config file
- unset KEYSERVER
- unset MONKEYSPHERE_USER
- # load configuration file
- [ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] && . "$MONKEYSPHERE_HOST_CONFIG"
- # set empty config variable with ones from the environment, or with
- # defaults
- LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
- KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
- AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
- RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
- MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
- # other variables
- CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
- GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
- # export variables needed in su invocation
- export DATE
- export MODE
- export LOG_LEVEL
- export MONKEYSPHERE_USER
- export KEYSERVER
- export GNUPGHOME_HOST
- export GNUPGHOME
- export HOST_FINGERPRINT=
- # get subcommand
- COMMAND="$1"
- [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
- shift
- case $COMMAND in
- 'show-key'|'show'|'s')
- load_fingerprint
- check_host_no_key
- show_key
- ;;
- 'set-expire'|'extend-key'|'e')
- load_fingerprint
- check_host_no_key
- source "${MHSHAREDIR}/set_expire"
- set_expire "$@"
- ;;
- 'add-hostname'|'add-name'|'n+')
- load_fingerprint
- check_host_no_key
- source "${MHSHAREDIR}/add_hostname"
- add_hostname "$@"
- ;;
- 'revoke-hostname'|'revoke-name'|'n-')
- load_fingerprint
- check_host_no_key
- source "${MHSHAREDIR}/revoke_hostname"
- revoke_hostname "$@"
- ;;
- 'add-revoker'|'o')
- load_fingerprint
- check_host_no_key
- source "${MHSHAREDIR}/add_revoker"
- add_revoker "$@"
- ;;
- 'revoke-key'|'r')
- load_fingerprint
- check_host_no_key
- source "${MHSHAREDIR}/revoke_key"
- revoke_key "$@"
- ;;
- 'publish-key'|'publish'|'p')
- load_fingerprint
- check_host_no_key
- source "${MHSHAREDIR}/publish_key"
- publish_key
- ;;
- 'import-key'|'i')
- load_fingerprint
- check_host_key
- source "${MHSHAREDIR}/import_key"
- import_key "$@"
- ;;
- 'diagnostics'|'d')
- source "${MHSHAREDIR}/diagnostics"
- diagnostics
- ;;
- 'version'|'v')
- echo "$VERSION"
- ;;
- '--help'|'help'|'-h'|'h'|'?')
- usage
- ;;
- *)
- failure "Unknown command: '$COMMAND'
- Type '$PGRM help' for usage."
- ;;
- esac
- exit "$RETURN"
|