summaryrefslogtreecommitdiff
path: root/src/monkeysphere-server
blob: 2531437eb83f4b3a2c1d3d98b17548ba138312b3 (plain)
  1. #!/usr/bin/env bash
  2. # monkeysphere-server: MonkeySphere server admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. # Jamie McClelland <jm@mayfirst.org>
  7. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  8. #
  9. # They are Copyright 2008, and are all released under the GPL, version 3
  10. # or later.
  11. ########################################################################
  12. PGRM=$(basename $0)
  13. SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
  14. export SYSSHAREDIR
  15. . "${SYSSHAREDIR}/common" || exit 1
  16. SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
  17. export SYSDATADIR
  18. # monkeysphere temp directory, in sysdatadir to enable atomic moves of
  19. # authorized_keys files
  20. MSTMPDIR="${SYSDATADIR}/tmp"
  21. export MSTMPDIR
  22. # UTC date in ISO 8601 format if needed
  23. DATE=$(date -u '+%FT%T')
  24. # unset some environment variables that could screw things up
  25. unset GREP_OPTIONS
  26. # default return code
  27. RETURN=0
  28. ########################################################################
  29. # FUNCTIONS
  30. ########################################################################
  31. usage() {
  32. cat <<EOF >&2
  33. usage: $PGRM <subcommand> [options] [args]
  34. Monkeysphere server admin tool.
  35. subcommands:
  36. update-users (u) [USER]... update user authorized_keys files
  37. import-key (i) import existing ssh key to gpg
  38. --hostname (-h) NAME[:PORT] hostname for key user ID
  39. --keyfile (-f) FILE key file to import
  40. --expire (-e) EXPIRE date to expire
  41. gen-key (g) generate gpg key for the host
  42. --hostname (-h) NAME[:PORT] hostname for key user ID
  43. --length (-l) BITS key length in bits (2048)
  44. --expire (-e) EXPIRE date to expire
  45. --revoker (-r) FINGERPRINT add a revoker
  46. extend-key (e) EXPIRE extend host key expiration
  47. add-hostname (n+) NAME[:PORT] add hostname user ID to host key
  48. revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
  49. add-revoker (o) FINGERPRINT add a revoker to the host key
  50. revoke-key (r) revoke host key
  51. show-key (s) output all server host key information
  52. publish-key (p) publish server host key to keyserver
  53. diagnostics (d) report on server monkeysphere status
  54. add-id-certifier (c+) KEYID import and tsign a certification key
  55. --domain (-n) DOMAIN limit ID certifications to DOMAIN
  56. --trust (-t) TRUST trust level of certifier (full)
  57. --depth (-d) DEPTH trust depth for certifier (1)
  58. remove-id-certifier (c-) KEYID remove a certification key
  59. list-id-certifiers (c) list certification keys
  60. gpg-authentication-cmd CMD give a gpg command to the
  61. authentication keyring
  62. version (v) show version number
  63. help (h,?) this help
  64. EOF
  65. }
  66. # function to run command as monkeysphere user
  67. su_monkeysphere_user() {
  68. # if the current user is the monkeysphere user, then just eval
  69. # command
  70. if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then
  71. eval "$@"
  72. # otherwise su command as monkeysphere user
  73. else
  74. su "$MONKEYSPHERE_USER" -c "$@"
  75. fi
  76. }
  77. # function to interact with the host gnupg keyring
  78. gpg_host() {
  79. local returnCode
  80. GNUPGHOME="$GNUPGHOME_HOST"
  81. export GNUPGHOME
  82. # NOTE: we supress this warning because we need the monkeysphere
  83. # user to be able to read the host pubring. we realize this might
  84. # be problematic, but it's the simplest solution, without too much
  85. # loss of security.
  86. gpg --no-permission-warning "$@"
  87. returnCode="$?"
  88. # always reset the permissions on the host pubring so that the
  89. # monkeysphere user can read the trust signatures
  90. chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg"
  91. chmod g+r "${GNUPGHOME_HOST}/pubring.gpg"
  92. return "$returnCode"
  93. }
  94. # function to interact with the authentication gnupg keyring
  95. # FIXME: this function requires basically accepts only a single
  96. # argument because of problems with quote expansion. this needs to be
  97. # fixed/improved.
  98. gpg_authentication() {
  99. GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
  100. export GNUPGHOME
  101. su_monkeysphere_user "gpg $@"
  102. }
  103. # output just key fingerprint
  104. fingerprint_server_key() {
  105. # set the pipefail option so functions fails if can't read sec key
  106. set -o pipefail
  107. gpg_host --list-secret-keys --fingerprint \
  108. --with-colons --fixed-list-mode 2> /dev/null | \
  109. grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null
  110. }
  111. # function to check for host secret key
  112. check_host_keyring() {
  113. fingerprint_server_key >/dev/null \
  114. || failure "You don't appear to have a Monkeysphere host key on this server. Please run 'monkeysphere-server gen-key' first."
  115. }
  116. # output key information
  117. show_server_key() {
  118. local fingerprintPGP
  119. local fingerprintSSH
  120. local ret=0
  121. # FIXME: you shouldn't have to be root to see the host key fingerprint
  122. check_host_keyring
  123. fingerprintPGP=$(fingerprint_server_key)
  124. gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprintPGP" 2>/dev/null
  125. if [ $? -ne 0 ] ; then
  126. log info "You must be root to see host OpenPGP fingerprint."
  127. ret='1'
  128. else
  129. echo "OpenPGP fingerprint: $fingerprintPGP"
  130. fi
  131. if [ -f "${SYSDATADIR}/ssh_host_rsa_key.pub" ] ; then
  132. fingerprintSSH=$(ssh-keygen -l -f "${SYSDATADIR}/ssh_host_rsa_key.pub" | \
  133. awk '{ print $1, $2, $4 }')
  134. echo "ssh fingerprint: $fingerprintSSH"
  135. else
  136. log info "SSH host key not found."
  137. ret='1'
  138. fi
  139. return $ret
  140. }
  141. # update authorized_keys for users
  142. update_users() {
  143. if [ "$1" ] ; then
  144. # get users from command line
  145. unames="$@"
  146. else
  147. # or just look at all users if none specified
  148. unames=$(getent passwd | cut -d: -f1)
  149. fi
  150. RETCODE=0
  151. # set mode
  152. MODE="authorized_keys"
  153. # set gnupg home
  154. GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
  155. # check to see if the gpg trust database has been initialized
  156. if [ ! -s "${GNUPGHOME}/trustdb.gpg" ] ; then
  157. failure "GNUPG trust database uninitialized. Please see MONKEYSPHERE-SERVER(8)."
  158. fi
  159. # make sure the authorized_keys directory exists
  160. mkdir -p "${SYSDATADIR}/authorized_keys"
  161. # loop over users
  162. for uname in $unames ; do
  163. # check all specified users exist
  164. if ! id "$uname" >/dev/null ; then
  165. log error "----- unknown user '$uname' -----"
  166. continue
  167. fi
  168. log verbose "----- user: $uname -----"
  169. # make temporary directory
  170. TMPLOC=$(mktemp -d ${MSTMPDIR}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
  171. # trap to delete temporary directory on exit
  172. trap "rm -rf $TMPLOC" EXIT
  173. # create temporary authorized_user_ids file
  174. TMP_AUTHORIZED_USER_IDS="${TMPLOC}/authorized_user_ids"
  175. touch "$TMP_AUTHORIZED_USER_IDS"
  176. # create temporary authorized_keys file
  177. AUTHORIZED_KEYS="${TMPLOC}/authorized_keys"
  178. touch "$AUTHORIZED_KEYS"
  179. # set restrictive permissions on the temporary files
  180. # FIXME: is there a better way to do this?
  181. chmod 0700 "$TMPLOC"
  182. chmod 0600 "$AUTHORIZED_KEYS"
  183. chmod 0600 "$TMP_AUTHORIZED_USER_IDS"
  184. chown -R "$MONKEYSPHERE_USER" "$TMPLOC"
  185. # process authorized_user_ids file
  186. log debug "checking for authorized_user_ids..."
  187. # translating ssh-style path variables
  188. authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
  189. if [ -s "$authorizedUserIDs" ] ; then
  190. # check permissions on the authorized_user_ids file path
  191. if check_key_file_permissions "$uname" "$authorizedUserIDs" ; then
  192. # copy user authorized_user_ids file to temporary
  193. # location
  194. cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS"
  195. # export needed variables
  196. export AUTHORIZED_KEYS
  197. export TMP_AUTHORIZED_USER_IDS
  198. # process authorized_user_ids file, as monkeysphere
  199. # user
  200. su_monkeysphere_user \
  201. ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
  202. RETURN="$?"
  203. else
  204. log debug "not processing authorized_user_ids."
  205. fi
  206. else
  207. log debug "empty or absent authorized_user_ids file."
  208. fi
  209. # add user-controlled authorized_keys file if specified
  210. # translate ssh-style path variables
  211. rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
  212. if [ "$rawAuthorizedKeys" != 'none' ] ; then
  213. log debug "checking for raw authorized_keys..."
  214. if [ -s "$rawAuthorizedKeys" ] ; then
  215. # check permissions on the authorized_keys file path
  216. if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then
  217. log verbose "adding raw authorized_keys file... "
  218. cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
  219. else
  220. log debug "not adding raw authorized_keys file."
  221. fi
  222. else
  223. log debug "empty or absent authorized_keys file."
  224. fi
  225. fi
  226. # move the new authorized_keys file into place
  227. if [ -s "$AUTHORIZED_KEYS" ] ; then
  228. # openssh appears to check the contents of the
  229. # authorized_keys file as the user in question, so the
  230. # file must be readable by that user at least.
  231. # but in general, we don't want the user tampering with
  232. # this file directly, so we'll adopt this approach: Own
  233. # the file by the monkeysphere-server invoker (usually
  234. # root, but should be the same uid that sshd is launched
  235. # as); change the group of the file so that members of the
  236. # user's group can read it.
  237. # FIXME: is there a better way to do this?
  238. chown $(whoami) "$AUTHORIZED_KEYS" && \
  239. chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \
  240. chmod g+r "$AUTHORIZED_KEYS" && \
  241. mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}" || \
  242. {
  243. log error "Failed to install authorized_keys for '$uname'!"
  244. rm -f "${SYSDATADIR}/authorized_keys/${uname}"
  245. # indicate that there has been a failure:
  246. RETURN=1
  247. }
  248. else
  249. rm -f "${SYSDATADIR}/authorized_keys/${uname}"
  250. fi
  251. # unset the trap
  252. trap - EXIT
  253. # destroy temporary directory
  254. rm -rf "$TMPLOC"
  255. done
  256. }
  257. # import an existing ssh key to a gpg key
  258. import_key() {
  259. local hostName=$(hostname -f)
  260. local keyFile="/etc/ssh/ssh_host_rsa_key"
  261. local keyExpire
  262. local userID
  263. # check for presense of secret key
  264. # FIXME: is this the proper test to be doing here?
  265. fingerprint_server_key >/dev/null \
  266. && failure "An OpenPGP host key already exists."
  267. # get options
  268. while true ; do
  269. case "$1" in
  270. -h|--hostname)
  271. hostName="$2"
  272. shift 2
  273. ;;
  274. -f|--keyfile)
  275. keyFile="$2"
  276. shift 2
  277. ;;
  278. -e|--expire)
  279. keyExpire="$2"
  280. shift 2
  281. ;;
  282. *)
  283. if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
  284. failure "Unknown option '$1'.
  285. Type '$PGRM help' for usage."
  286. fi
  287. break
  288. ;;
  289. esac
  290. done
  291. if [ ! -f "$keyFile" ] ; then
  292. failure "SSH secret key file '$keyFile' not found."
  293. fi
  294. userID="ssh://${hostName}"
  295. # prompt about key expiration if not specified
  296. keyExpire=$(get_gpg_expiration "$keyExpire")
  297. echo "The following key parameters will be used for the host private key:"
  298. echo "Import: $keyFile"
  299. echo "Name-Real: $userID"
  300. echo "Expire-Date: $keyExpire"
  301. read -p "Import key? (Y/n) " OK; OK=${OK:=Y}
  302. if [ ${OK/y/Y} != 'Y' ] ; then
  303. failure "aborting."
  304. fi
  305. log verbose "importing ssh key..."
  306. # translate ssh key to a private key
  307. (umask 077 && \
  308. pem2openpgp "$userID" "$keyExpire" < "$sshKey" | gpg_host --import)
  309. # find the key fingerprint of the newly converted key
  310. fingerprint=$(fingerprint_server_key)
  311. # export host ownertrust to authentication keyring
  312. log verbose "setting ultimate owner trust for host key..."
  313. echo "${fingerprint}:6:" | gpg_host "--import-ownertrust"
  314. echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"
  315. # export public key to file
  316. gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
  317. log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
  318. # show info about new key
  319. show_server_key
  320. }
  321. # generate server gpg key
  322. gen_key() {
  323. local keyType="RSA"
  324. local keyLength="2048"
  325. local keyUsage="auth"
  326. local keyExpire
  327. local revoker
  328. local hostName=$(hostname -f)
  329. local userID
  330. local keyParameters
  331. local fingerprint
  332. # check for presense of secret key
  333. # FIXME: is this the proper test to be doing here?
  334. fingerprint_server_key >/dev/null \
  335. && failure "An OpenPGP host key already exists."
  336. # get options
  337. while true ; do
  338. case "$1" in
  339. -h|--hostname)
  340. hostName="$2"
  341. shift 2
  342. ;;
  343. -l|--length)
  344. keyLength="$2"
  345. shift 2
  346. ;;
  347. -e|--expire)
  348. keyExpire="$2"
  349. shift 2
  350. ;;
  351. -r|--revoker)
  352. revoker="$2"
  353. shift 2
  354. ;;
  355. *)
  356. if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
  357. failure "Unknown option '$1'.
  358. Type '$PGRM help' for usage."
  359. fi
  360. break
  361. ;;
  362. esac
  363. done
  364. userID="ssh://${hostName}"
  365. # prompt about key expiration if not specified
  366. keyExpire=$(get_gpg_expiration "$keyExpire")
  367. # set key parameters
  368. keyParameters=\
  369. "Key-Type: $keyType
  370. Key-Length: $keyLength
  371. Key-Usage: $keyUsage
  372. Name-Real: $userID
  373. Expire-Date: $keyExpire"
  374. # add the revoker field if specified
  375. # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key.
  376. # FIXME: key is marked "sensitive"? is this appropriate?
  377. if [ "$revoker" ] ; then
  378. keyParameters=\
  379. "${keyParameters}
  380. Revoker: 1:${revoker} sensitive"
  381. fi
  382. echo "The following key parameters will be used for the host private key:"
  383. echo "$keyParameters"
  384. read -p "Generate key? (Y/n) " OK; OK=${OK:=Y}
  385. if [ ${OK/y/Y} != 'Y' ] ; then
  386. failure "aborting."
  387. fi
  388. # add commit command
  389. # must include blank line!
  390. keyParameters=\
  391. "${keyParameters}
  392. %commit
  393. %echo done"
  394. log verbose "generating host key..."
  395. echo "$keyParameters" | gpg_host --batch --gen-key
  396. # find the key fingerprint of the newly generated key
  397. fingerprint=$(fingerprint_server_key)
  398. # export host ownertrust to authentication keyring
  399. log verbose "setting ultimate owner trust for host key..."
  400. echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"
  401. # translate the private key to ssh format, and export to a file
  402. # for sshs usage.
  403. # NOTE: assumes that the primary key is the proper key to use
  404. (umask 077 && \
  405. gpg_host --export-secret-key "$fingerprint" | \
  406. openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
  407. log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
  408. ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub"
  409. log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub"
  410. gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
  411. log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
  412. # show info about new key
  413. show_server_key
  414. }
  415. # extend the lifetime of a host key:
  416. extend_key() {
  417. local fpr=$(fingerprint_server_key)
  418. local extendTo="$1"
  419. # get the new expiration date
  420. extendTo=$(get_gpg_expiration "$extendTo")
  421. gpg_host --quiet --command-fd 0 --edit-key "$fpr" <<EOF
  422. expire
  423. $extendTo
  424. save
  425. EOF
  426. echo
  427. echo "NOTE: Host key expiration date adjusted, but not yet published."
  428. echo "Run '$PGRM publish-key' to publish the new expiration date."
  429. }
  430. # add hostname user ID to server key
  431. add_hostname() {
  432. local userID
  433. local fingerprint
  434. local tmpuidMatch
  435. local line
  436. local adduidCommand
  437. if [ -z "$1" ] ; then
  438. failure "You must specify a hostname to add."
  439. fi
  440. userID="ssh://${1}"
  441. fingerprint=$(fingerprint_server_key)
  442. # match to only ultimately trusted user IDs
  443. tmpuidMatch="u:$(echo $userID | gpg_escape)"
  444. # find the index of the requsted user ID
  445. # NOTE: this is based on circumstantial evidence that the order of
  446. # this output is the appropriate index
  447. if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \
  448. | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then
  449. failure "Host userID '$userID' already exists."
  450. fi
  451. echo "The following user ID will be added to the host key:"
  452. echo " $userID"
  453. read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N}
  454. if [ ${OK/y/Y} != 'Y' ] ; then
  455. failure "User ID not added."
  456. fi
  457. # edit-key script command to add user ID
  458. adduidCommand=$(cat <<EOF
  459. adduid
  460. $userID
  461. save
  462. EOF
  463. )
  464. # execute edit-key script
  465. if echo "$adduidCommand" | \
  466. gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
  467. # update the trustdb for the authentication keyring
  468. gpg_authentication "--check-trustdb"
  469. show_server_key
  470. echo
  471. echo "NOTE: User ID added to key, but key not published."
  472. echo "Run '$PGRM publish-key' to publish the new user ID."
  473. else
  474. failure "Problem adding user ID."
  475. fi
  476. }
  477. # revoke hostname user ID to server key
  478. revoke_hostname() {
  479. local userID
  480. local fingerprint
  481. local tmpuidMatch
  482. local line
  483. local uidIndex
  484. local message
  485. local revuidCommand
  486. if [ -z "$1" ] ; then
  487. failure "You must specify a hostname to revoke."
  488. fi
  489. echo "WARNING: There is a known bug in this function."
  490. echo "This function has been known to occasionally revoke the wrong user ID."
  491. echo "Please see the following bug report for more information:"
  492. echo "http://web.monkeysphere.info/bugs/revoke-hostname-revoking-wrong-userid/"
  493. read -p "Are you sure you would like to proceed? (y/N) " OK; OK=${OK:=N}
  494. if [ ${OK/y/Y} != 'Y' ] ; then
  495. failure "aborting."
  496. fi
  497. userID="ssh://${1}"
  498. fingerprint=$(fingerprint_server_key)
  499. # match to only ultimately trusted user IDs
  500. tmpuidMatch="u:$(echo $userID | gpg_escape)"
  501. # find the index of the requsted user ID
  502. # NOTE: this is based on circumstantial evidence that the order of
  503. # this output is the appropriate index
  504. if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \
  505. | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then
  506. uidIndex=${line%%:*}
  507. else
  508. failure "No non-revoked user ID '$userID' is found."
  509. fi
  510. echo "The following host key user ID will be revoked:"
  511. echo " $userID"
  512. read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N}
  513. if [ ${OK/y/Y} != 'Y' ] ; then
  514. failure "User ID not revoked."
  515. fi
  516. message="Hostname removed by monkeysphere-server $DATE"
  517. # edit-key script command to revoke user ID
  518. revuidCommand=$(cat <<EOF
  519. $uidIndex
  520. revuid
  521. y
  522. 4
  523. $message
  524. y
  525. save
  526. EOF
  527. )
  528. # execute edit-key script
  529. if echo "$revuidCommand" | \
  530. gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
  531. # update the trustdb for the authentication keyring
  532. gpg_authentication "--check-trustdb"
  533. show_server_key
  534. echo
  535. echo "NOTE: User ID revoked, but revocation not published."
  536. echo "Run '$PGRM publish-key' to publish the revocation."
  537. else
  538. failure "Problem revoking user ID."
  539. fi
  540. }
  541. # add a revoker to the host key
  542. add_revoker() {
  543. # FIXME: implement!
  544. failure "not implemented yet!"
  545. }
  546. # revoke the host key
  547. revoke_key() {
  548. # FIXME: implement!
  549. failure "not implemented yet!"
  550. }
  551. # publish server key to keyserver
  552. publish_server_key() {
  553. read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
  554. if [ ${OK/y/Y} != 'Y' ] ; then
  555. failure "key not published."
  556. fi
  557. # find the key fingerprint
  558. fingerprint=$(fingerprint_server_key)
  559. # publish host key
  560. gpg_authentication "--keyserver $KEYSERVER --send-keys '0x${fingerprint}!'"
  561. }
  562. diagnostics() {
  563. # * check on the status and validity of the key and public certificates
  564. local seckey
  565. local keysfound
  566. local curdate
  567. local warnwindow
  568. local warndate
  569. local create
  570. local expire
  571. local uid
  572. local fingerprint
  573. local badhostkeys
  574. local sshd_config
  575. local problemsfound=0
  576. # FIXME: what's the correct, cross-platform answer?
  577. sshd_config=/etc/ssh/sshd_config
  578. seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
  579. keysfound=$(echo "$seckey" | grep -c ^sec:)
  580. curdate=$(date +%s)
  581. # warn when anything is 2 months away from expiration
  582. warnwindow='2 months'
  583. warndate=$(advance_date $warnwindow +%s)
  584. if ! id monkeysphere >/dev/null ; then
  585. echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell."
  586. problemsfound=$(($problemsfound+1))
  587. fi
  588. if ! [ -d "$SYSDATADIR" ] ; then
  589. echo "! no $SYSDATADIR directory found. Please create it."
  590. problemsfound=$(($problemsfound+1))
  591. fi
  592. echo "Checking host GPG key..."
  593. if (( "$keysfound" < 1 )); then
  594. echo "! No host key found."
  595. echo " - Recommendation: run 'monkeysphere-server gen-key'"
  596. problemsfound=$(($problemsfound+1))
  597. elif (( "$keysfound" > 1 )); then
  598. echo "! More than one host key found?"
  599. # FIXME: recommend a way to resolve this
  600. problemsfound=$(($problemsfound+1))
  601. else
  602. create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
  603. expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
  604. fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
  605. # check for key expiration:
  606. if [ "$expire" ]; then
  607. if (( "$expire" < "$curdate" )); then
  608. echo "! Host key is expired."
  609. echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
  610. problemsfound=$(($problemsfound+1))
  611. elif (( "$expire" < "$warndate" )); then
  612. echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
  613. echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
  614. problemsfound=$(($problemsfound+1))
  615. fi
  616. fi
  617. # and weirdnesses:
  618. if [ "$create" ] && (( "$create" > "$curdate" )); then
  619. echo "! Host key was created in the future(?!). Is your clock correct?"
  620. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  621. problemsfound=$(($problemsfound+1))
  622. fi
  623. # check for UserID expiration:
  624. echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
  625. while IFS=: read create expire uid ; do
  626. # FIXME: should we be doing any checking on the form
  627. # of the User ID? Should we be unmangling it somehow?
  628. if [ "$create" ] && (( "$create" > "$curdate" )); then
  629. echo "! User ID '$uid' was created in the future(?!). Is your clock correct?"
  630. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  631. problemsfound=$(($problemsfound+1))
  632. fi
  633. if [ "$expire" ] ; then
  634. if (( "$expire" < "$curdate" )); then
  635. echo "! User ID '$uid' is expired."
  636. # FIXME: recommend a way to resolve this
  637. problemsfound=$(($problemsfound+1))
  638. elif (( "$expire" < "$warndate" )); then
  639. echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
  640. # FIXME: recommend a way to resolve this
  641. problemsfound=$(($problemsfound+1))
  642. fi
  643. fi
  644. done
  645. # FIXME: verify that the host key is properly published to the
  646. # keyservers (do this with the non-privileged user)
  647. # FIXME: check that there are valid, non-expired certifying signatures
  648. # attached to the host key after fetching from the public keyserver
  649. # (do this with the non-privileged user as well)
  650. # FIXME: propose adding a revoker to the host key if none exist (do we
  651. # have a way to do that after key generation?)
  652. # Ensure that the ssh_host_rsa_key file is present and non-empty:
  653. echo
  654. echo "Checking host SSH key..."
  655. if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then
  656. echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty."
  657. problemsfound=$(($problemsfound+1))
  658. else
  659. if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
  660. echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600."
  661. problemsfound=$(($problemsfound+1))
  662. fi
  663. # propose changes needed for sshd_config (if any)
  664. if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then
  665. echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)."
  666. echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'"
  667. problemsfound=$(($problemsfound+1))
  668. fi
  669. if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then
  670. echo "! $sshd_config refers to some non-monkeysphere host keys:"
  671. echo "$badhostkeys"
  672. echo " - Recommendation: remove the above HostKey lines from $sshd_config"
  673. problemsfound=$(($problemsfound+1))
  674. fi
  675. # FIXME: test (with ssh-keyscan?) that the running ssh
  676. # daemon is actually offering the monkeysphere host key.
  677. fi
  678. fi
  679. # FIXME: look at the ownership/privileges of the various keyrings,
  680. # directories housing them, etc (what should those values be? can
  681. # we make them as minimal as possible?)
  682. # FIXME: look to see that the ownertrust rules are set properly on the
  683. # authentication keyring
  684. # FIXME: make sure that at least one identity certifier exists
  685. # FIXME: look at the timestamps on the monkeysphere-generated
  686. # authorized_keys files -- warn if they seem out-of-date.
  687. # FIXME: check for a cronjob that updates monkeysphere-generated
  688. # authorized_keys?
  689. echo
  690. echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
  691. # Ensure that User ID authentication is enabled:
  692. if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then
  693. echo "! $sshd_config does not point to monkeysphere authorized keys."
  694. echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'"
  695. problemsfound=$(($problemsfound+1))
  696. fi
  697. if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then
  698. echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
  699. echo "$badauthorizedkeys"
  700. echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
  701. problemsfound=$(($problemsfound+1))
  702. fi
  703. if [ "$problemsfound" -gt 0 ]; then
  704. echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
  705. echo " monkeysphere-server diagnostics"
  706. else
  707. echo "Everything seems to be in order!"
  708. fi
  709. }
  710. # retrieve key from web of trust, import it into the host keyring, and
  711. # ltsign the key in the host keyring so that it may certify other keys
  712. add_certifier() {
  713. local domain
  714. local trust
  715. local depth
  716. local keyID
  717. local fingerprint
  718. local ltsignCommand
  719. local trustval
  720. # set default values for trust depth and domain
  721. domain=
  722. trust=full
  723. depth=1
  724. # get options
  725. while true ; do
  726. case "$1" in
  727. -n|--domain)
  728. domain="$2"
  729. shift 2
  730. ;;
  731. -t|--trust)
  732. trust="$2"
  733. shift 2
  734. ;;
  735. -d|--depth)
  736. depth="$2"
  737. shift 2
  738. ;;
  739. *)
  740. if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
  741. failure "Unknown option '$1'.
  742. Type '$PGRM help' for usage."
  743. fi
  744. break
  745. ;;
  746. esac
  747. done
  748. keyID="$1"
  749. if [ -z "$keyID" ] ; then
  750. failure "You must specify the key ID of a key to add, or specify a file to read the key from."
  751. fi
  752. if [ -f "$keyID" ] ; then
  753. echo "Reading key from file '$keyID':"
  754. importinfo=$(gpg_authentication "--import" < "$keyID" 2>&1) || failure "could not read key from '$keyID'"
  755. # FIXME: if this is tried when the key database is not
  756. # up-to-date, i got these errors (using set -x):
  757. # ++ su -m monkeysphere -c '\''gpg --import'\''
  758. # Warning: using insecure memory!
  759. # gpg: key D21739E9: public key "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" imported
  760. # gpg: Total number processed: 1
  761. # gpg: imported: 1 (RSA: 1)
  762. # gpg: can'\''t create `/var/monkeysphere/gnupg-host/pubring.gpg.tmp'\'': Permission denied
  763. # gpg: failed to rebuild keyring cache: Permission denied
  764. # gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
  765. # gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
  766. # gpg: next trustdb check due at 2009-01-10'
  767. # + failure 'could not read key from '\''/root/dkg.gpg'\'''
  768. # + echo 'could not read key from '\''/root/dkg.gpg'\'''
  769. keyID=$(echo "$importinfo" | grep '^gpg: key ' | cut -f2 -d: | cut -f3 -d\ )
  770. if [ -z "$keyID" ] || [ $(echo "$keyID" | wc -l) -ne 1 ] ; then
  771. failure "Expected there to be a single gpg key in the file."
  772. fi
  773. else
  774. # get the key from the key server
  775. gpg_authentication "--keyserver $KEYSERVER --recv-key '0x${keyID}!'" || failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver."
  776. fi
  777. export keyID
  778. # get the full fingerprint of a key ID
  779. fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint 0x${keyID}!" | \
  780. grep '^fpr:' | grep "$keyID" | cut -d: -f10)
  781. if [ -z "$fingerprint" ] ; then
  782. failure "Key '$keyID' not found."
  783. fi
  784. echo
  785. echo "key found:"
  786. gpg_authentication "--fingerprint 0x${fingerprint}!"
  787. echo "Are you sure you want to add the above key as a"
  788. read -p "certifier of users on this system? (y/N) " OK; OK=${OK:-N}
  789. if [ "${OK/y/Y}" != 'Y' ] ; then
  790. failure "Identity certifier not added."
  791. fi
  792. # export the key to the host keyring
  793. gpg_authentication "--export 0x${fingerprint}!" | gpg_host --import
  794. if [ "$trust" = marginal ]; then
  795. trustval=1
  796. elif [ "$trust" = full ]; then
  797. trustval=2
  798. else
  799. failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)."
  800. fi
  801. # ltsign command
  802. # NOTE: *all* user IDs will be ltsigned
  803. ltsignCommand=$(cat <<EOF
  804. ltsign
  805. y
  806. $trustval
  807. $depth
  808. $domain
  809. y
  810. save
  811. EOF
  812. )
  813. # ltsign the key
  814. if echo "$ltsignCommand" | \
  815. gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
  816. # update the trustdb for the authentication keyring
  817. gpg_authentication "--check-trustdb"
  818. echo
  819. echo "Identity certifier added."
  820. else
  821. failure "Problem adding identify certifier."
  822. fi
  823. }
  824. # delete a certifiers key from the host keyring
  825. remove_certifier() {
  826. local keyID
  827. local fingerprint
  828. keyID="$1"
  829. if [ -z "$keyID" ] ; then
  830. failure "You must specify the key ID of a key to remove."
  831. fi
  832. if gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-key 0x${keyID}!" ; then
  833. read -p "Really remove above listed identity certifier? (y/N) " OK; OK=${OK:-N}
  834. if [ "${OK/y/Y}" != 'Y' ] ; then
  835. failure "Identity certifier not removed."
  836. fi
  837. else
  838. failure
  839. fi
  840. # delete the requested key
  841. if gpg_authentication "--delete-key --batch --yes 0x${keyID}!" ; then
  842. # delete key from host keyring as well
  843. gpg_host --delete-key --batch --yes "0x${keyID}!"
  844. # update the trustdb for the authentication keyring
  845. gpg_authentication "--check-trustdb"
  846. echo
  847. echo "Identity certifier removed."
  848. else
  849. failure "Problem removing identity certifier."
  850. fi
  851. }
  852. # list the host certifiers
  853. list_certifiers() {
  854. local keys
  855. local key
  856. # find trusted keys in authentication keychain
  857. keys=$(gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-keys --with-colons --fingerprint" | \
  858. grep ^pub: | cut -d: -f2,5 | egrep '^(u|f):' | cut -d: -f2)
  859. # output keys
  860. for key in $keys ; do
  861. gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-key --fingerprint $key"
  862. done
  863. }
  864. # issue command to gpg-authentication keyring
  865. gpg_authentication_cmd() {
  866. gpg_authentication "$@"
  867. }
  868. ########################################################################
  869. # MAIN
  870. ########################################################################
  871. # unset variables that should be defined only in config file
  872. unset KEYSERVER
  873. unset AUTHORIZED_USER_IDS
  874. unset RAW_AUTHORIZED_KEYS
  875. unset MONKEYSPHERE_USER
  876. # load configuration file
  877. [ -e ${MONKEYSPHERE_SERVER_CONFIG:="${SYSCONFIGDIR}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG"
  878. # set empty config variable with ones from the environment, or with
  879. # defaults
  880. LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
  881. KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
  882. AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
  883. RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
  884. MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
  885. # other variables
  886. CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
  887. REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
  888. GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"}
  889. GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"}
  890. # export variables needed in su invocation
  891. export DATE
  892. export MODE
  893. export MONKEYSPHERE_USER
  894. export LOG_LEVEL
  895. export KEYSERVER
  896. export CHECK_KEYSERVER
  897. export REQUIRED_USER_KEY_CAPABILITY
  898. export GNUPGHOME_HOST
  899. export GNUPGHOME_AUTHENTICATION
  900. export GNUPGHOME
  901. # get subcommand
  902. COMMAND="$1"
  903. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  904. shift
  905. case $COMMAND in
  906. 'update-users'|'update-user'|'u')
  907. check_host_keyring
  908. update_users "$@"
  909. ;;
  910. 'import-key'|'i')
  911. import_key "$@"
  912. ;;
  913. 'gen-key'|'g')
  914. gen_key "$@"
  915. ;;
  916. 'extend-key'|'e')
  917. check_host_keyring
  918. extend_key "$@"
  919. ;;
  920. 'add-hostname'|'add-name'|'n+')
  921. check_host_keyring
  922. add_hostname "$@"
  923. ;;
  924. 'revoke-hostname'|'revoke-name'|'n-')
  925. check_host_keyring
  926. revoke_hostname "$@"
  927. ;;
  928. 'add-revoker'|'o')
  929. check_host_keyring
  930. add_revoker "$@"
  931. ;;
  932. 'revoke-key'|'r')
  933. check_host_keyring
  934. revoke_key "$@"
  935. ;;
  936. 'show-key'|'show'|'s')
  937. show_server_key
  938. ;;
  939. 'publish-key'|'publish'|'p')
  940. check_host_keyring
  941. publish_server_key
  942. ;;
  943. 'diagnostics'|'d')
  944. diagnostics
  945. ;;
  946. 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
  947. check_host_keyring
  948. add_certifier "$@"
  949. ;;
  950. 'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-')
  951. check_host_keyring
  952. remove_certifier "$@"
  953. ;;
  954. 'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c')
  955. check_host_keyring
  956. list_certifiers "$@"
  957. ;;
  958. 'gpg-authentication-cmd')
  959. gpg_authentication_cmd "$@"
  960. ;;
  961. 'version'|'v')
  962. echo "$VERSION"
  963. ;;
  964. '--help'|'help'|'-h'|'h'|'?')
  965. usage
  966. ;;
  967. *)
  968. failure "Unknown command: '$COMMAND'
  969. Type '$PGRM help' for usage."
  970. ;;
  971. esac
  972. exit "$RETURN"