summaryrefslogtreecommitdiff
path: root/src/monkeysphere-server
blob: 4d7acc6cb50276bb7a46ae589d3c6995ed540252 (plain)
  1. #!/bin/bash
  2. # monkeysphere-server: MonkeySphere server admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. #
  7. # They are Copyright 2008, and are all released under the GPL, version 3
  8. # or later.
  9. ########################################################################
  10. PGRM=$(basename $0)
  11. SHARE=${MONKEYSPHERE_SHARE:="/usr/share/monkeysphere"}
  12. export SHARE
  13. . "${SHARE}/common" || exit 1
  14. VARLIB="/var/lib/monkeysphere"
  15. export VARLIB
  16. # date in UTF format if needed
  17. DATE=$(date -u '+%FT%T')
  18. # unset some environment variables that could screw things up
  19. unset GREP_OPTIONS
  20. # default return code
  21. RETURN=0
  22. ########################################################################
  23. # FUNCTIONS
  24. ########################################################################
  25. usage() {
  26. cat <<EOF
  27. usage: $PGRM <subcommand> [options] [args]
  28. MonkeySphere server admin tool.
  29. subcommands:
  30. update-users (u) [USER]... update user authorized_keys files
  31. gen-key (g) [HOSTNAME] generate gpg key for the server
  32. -l|--length BITS key length in bits (2048)
  33. -e|--expire EXPIRE date to expire
  34. -r|--revoker FINGERPRINT add a revoker
  35. show-fingerprint (f) show server's host key fingerprint
  36. publish-key (p) publish server's host key to keyserver
  37. add-identity-certifier (a) KEYID import and tsign a certification key
  38. -n|--domain DOMAIN limit ID certifications to IDs in DOMAIN ()
  39. -t|--trust TRUST trust level of certifier (full)
  40. -d|--depth DEPTH trust depth for certifier (1)
  41. remove-identity-certifier (r) KEYID remove a certification key
  42. list-identity-certifiers (l) list certification keys
  43. gpg-authentication-cmd CMD gnupg-authentication command
  44. help (h,?) this help
  45. EOF
  46. }
  47. su_monkeysphere_user() {
  48. su --preserve-environment "$MONKEYSPHERE_USER" -- -c "$@"
  49. }
  50. # function to interact with the host gnupg keyring
  51. gpg_host() {
  52. local returnCode
  53. GNUPGHOME="$GNUPGHOME_HOST"
  54. export GNUPGHOME
  55. # NOTE: we supress this warning because we need the monkeysphere
  56. # user to be able to read the host pubring. we realize this might
  57. # be problematic, but it's the simplest solution, without too much
  58. # loss of security.
  59. gpg --no-permission-warning "$@"
  60. returnCode="$?"
  61. # always reset the permissions on the host pubring so that the
  62. # monkeysphere user can read the trust signatures
  63. chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg"
  64. chmod g+r "${GNUPGHOME_HOST}/pubring.gpg"
  65. return "$returnCode"
  66. }
  67. # function to interact with the authentication gnupg keyring
  68. # FIXME: this function requires basically accepts only a single
  69. # argument because of problems with quote expansion. this needs to be
  70. # fixed/improved.
  71. gpg_authentication() {
  72. GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
  73. export GNUPGHOME
  74. su_monkeysphere_user "gpg $@"
  75. }
  76. # update authorized_keys for users
  77. update_users() {
  78. if [ "$1" ] ; then
  79. # get users from command line
  80. unames="$@"
  81. else
  82. # or just look at all users if none specified
  83. unames=$(getent passwd | cut -d: -f1)
  84. fi
  85. # set mode
  86. MODE="authorized_keys"
  87. # set gnupg home
  88. GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
  89. # check to see if the gpg trust database has been initialized
  90. if [ ! -s "${GNUPGHOME}/trustdb.gpg" ] ; then
  91. failure "GNUPG trust database uninitialized. Please see MONKEYSPHERE-SERVER(8)."
  92. fi
  93. # make sure the authorized_keys directory exists
  94. mkdir -p "${VARLIB}/authorized_keys"
  95. # loop over users
  96. for uname in $unames ; do
  97. # check all specified users exist
  98. if ! getent passwd "$uname" >/dev/null ; then
  99. log "----- unknown user '$uname' -----"
  100. continue
  101. fi
  102. # set authorized_user_ids and raw authorized_keys variables,
  103. # translating ssh-style path variables
  104. authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
  105. rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
  106. # if neither is found, skip user
  107. if [ ! -s "$authorizedUserIDs" ] ; then
  108. if [ "$rawAuthorizedKeys" = '-' -o ! -s "$rawAuthorizedKeys" ] ; then
  109. continue
  110. fi
  111. fi
  112. log "----- user: $uname -----"
  113. if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then
  114. log "Improper permissions on authorized_user_ids file."
  115. continue
  116. fi
  117. if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then
  118. log "Improper permissions on authorized_keys file."
  119. continue
  120. fi
  121. # make temporary directory
  122. TMPDIR=$(mktemp -d)
  123. # trap to delete temporary directory on exit
  124. trap "rm -rf $TMPDIR" EXIT
  125. # create temporary authorized_user_ids file
  126. TMP_AUTHORIZED_USER_IDS="${TMPDIR}/authorized_user_ids"
  127. touch "$TMP_AUTHORIZED_USER_IDS"
  128. # create temporary authorized_keys file
  129. AUTHORIZED_KEYS="${TMPDIR}/authorized_keys"
  130. touch "$AUTHORIZED_KEYS"
  131. # set restrictive permissions on the temporary files
  132. # FIXME: is there a better way to do this?
  133. chmod 0700 "$TMPDIR"
  134. chmod 0600 "$AUTHORIZED_KEYS"
  135. chmod 0600 "$TMP_AUTHORIZED_USER_IDS"
  136. chown -R "$MONKEYSPHERE_USER" "$TMPDIR"
  137. # if the authorized_user_ids file exists...
  138. if [ -s "$authorizedUserIDs" ] ; then
  139. # copy user authorized_user_ids file to temporary
  140. # location
  141. cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS"
  142. # export needed variables
  143. export AUTHORIZED_KEYS
  144. export TMP_AUTHORIZED_USER_IDS
  145. # process authorized_user_ids file, as monkeysphere
  146. # user
  147. su_monkeysphere_user \
  148. ". ${SHARE}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
  149. RETURN="$?"
  150. fi
  151. # add user-controlled authorized_keys file path if specified
  152. if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then
  153. log -n "adding raw authorized_keys file... "
  154. cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
  155. loge "done."
  156. fi
  157. # openssh appears to check the contents of the
  158. # authorized_keys file as the user in question, so the
  159. # file must be readable by that user at least.
  160. # FIXME: is there a better way to do this?
  161. chown root "$AUTHORIZED_KEYS"
  162. chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
  163. chmod g+r "$AUTHORIZED_KEYS"
  164. # if the resulting authorized_keys file is not empty, move
  165. # it into place
  166. mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
  167. # destroy temporary directory
  168. rm -rf "$TMPDIR"
  169. done
  170. }
  171. # generate server gpg key
  172. gen_key() {
  173. local keyType
  174. local keyLength
  175. local keyUsage
  176. local keyExpire
  177. local revoker
  178. local hostName
  179. local userID
  180. local keyParameters
  181. local fingerprint
  182. # set default key parameter values
  183. keyType="RSA"
  184. keyLength="2048"
  185. keyUsage="auth"
  186. keyExpire=
  187. revoker=
  188. # get options
  189. TEMP=$(getopt -o l:e:r: -l length:,expire:,revoker: -n "$PGRM" -- "$@")
  190. if [ $? != 0 ] ; then
  191. exit 1
  192. fi
  193. # Note the quotes around `$TEMP': they are essential!
  194. eval set -- "$TEMP"
  195. while true ; do
  196. case "$1" in
  197. -l|--length)
  198. keyLength="$2"
  199. shift 2
  200. ;;
  201. -e|--expire)
  202. keyExpire="$2"
  203. shift 2
  204. ;;
  205. -r|--revoker)
  206. revoker="$2"
  207. shift 2
  208. ;;
  209. --)
  210. shift
  211. ;;
  212. *)
  213. break
  214. ;;
  215. esac
  216. done
  217. hostName=${1:-$(hostname --fqdn)}
  218. userID="ssh://${hostName}"
  219. # check for presense of key with user ID
  220. if gpg_host --list-key ="$userID" > /dev/null 2>&1 ; then
  221. failure "Key for '$userID' already exists"
  222. fi
  223. # prompt about key expiration if not specified
  224. if [ -z "$keyExpire" ] ; then
  225. cat <<EOF
  226. Please specify how long the key should be valid.
  227. 0 = key does not expire
  228. <n> = key expires in n days
  229. <n>w = key expires in n weeks
  230. <n>m = key expires in n months
  231. <n>y = key expires in n years
  232. EOF
  233. while [ -z "$keyExpire" ] ; do
  234. read -p "Key is valid for? (0) " keyExpire
  235. if ! test_gpg_expire ${keyExpire:=0} ; then
  236. echo "invalid value"
  237. unset keyExpire
  238. fi
  239. done
  240. elif ! test_gpg_expire "$keyExpire" ; then
  241. failure "invalid key expiration value '$keyExpire'."
  242. fi
  243. # set key parameters
  244. keyParameters=$(cat <<EOF
  245. Key-Type: $keyType
  246. Key-Length: $keyLength
  247. Key-Usage: $keyUsage
  248. Name-Real: $userID
  249. Expire-Date: $keyExpire
  250. EOF
  251. )
  252. # add the revoker field if specified
  253. # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key.
  254. # FIXME: key is marked "sensitive"? is this appropriate?
  255. if [ "$revoker" ] ; then
  256. keyParameters="${keyParameters}"$(cat <<EOF
  257. Revoker: 1:$revoker sensitive
  258. EOF
  259. )
  260. fi
  261. echo "The following key parameters will be used for the host private key:"
  262. echo "$keyParameters"
  263. read -p "Generate key? (Y/n) " OK; OK=${OK:=Y}
  264. if [ ${OK/y/Y} != 'Y' ] ; then
  265. failure "aborting."
  266. fi
  267. # add commit command
  268. keyParameters="${keyParameters}"$(cat <<EOF
  269. %commit
  270. %echo done
  271. EOF
  272. )
  273. log "generating server key..."
  274. echo "$keyParameters" | gpg_host --batch --gen-key
  275. # output the server fingerprint
  276. fingerprint_server_key "=${userID}"
  277. # find the key fingerprint of the server primary key
  278. fingerprint=$(gpg_host --list-key --with-colons --with-fingerprint "=${userID}" | \
  279. grep '^fpr:' | head -1 | cut -d: -f10)
  280. # translate the private key to ssh format, and export to a file
  281. # for sshs usage.
  282. # NOTE: assumes that the primary key is the proper key to use
  283. (umask 077 && \
  284. gpg_host --export-secret-key "$fingerprint" | \
  285. openpgp2ssh "$fingerprint" > "${VARLIB}/ssh_host_rsa_key")
  286. log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key"
  287. }
  288. # gpg output key fingerprint
  289. fingerprint_server_key() {
  290. gpg_host --fingerprint --list-secret-keys
  291. }
  292. # publish server key to keyserver
  293. publish_server_key() {
  294. read -p "Really publish key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
  295. if [ ${OK/y/Y} != 'Y' ] ; then
  296. failure "aborting."
  297. fi
  298. # publish host key
  299. # FIXME: need to figure out better way to identify host key
  300. # dummy command so as not to publish fakes keys during testing
  301. # eventually:
  302. #gpg_authentication "--keyserver $KEYSERVER --send-keys $(hostname -f)"
  303. echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)."
  304. echo "The following command should publish the key:"
  305. echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys $(hostname -f)'"
  306. exit 255
  307. }
  308. # retrieve key from web of trust, import it into the host keyring, and
  309. # ltsign the key in the host keyring so that it may certify other keys
  310. add_certifier() {
  311. local domain
  312. local trust
  313. local depth
  314. local keyID
  315. local fingerprint
  316. local ltsignCommand
  317. local trustval
  318. # set default values for trust depth and domain
  319. domain=
  320. trust=full
  321. depth=1
  322. # get options
  323. TEMP=$(getopt -o n:t:d: -l domain:,trust:,depth: -n "$PGRM" -- "$@")
  324. if [ $? != 0 ] ; then
  325. exit 1
  326. fi
  327. # Note the quotes around `$TEMP': they are essential!
  328. eval set -- "$TEMP"
  329. while true ; do
  330. case "$1" in
  331. -n|--domain)
  332. domain="$2"
  333. shift 2
  334. ;;
  335. -t|--trust)
  336. trust="$2"
  337. shift 2
  338. ;;
  339. -d|--depth)
  340. depth="$2"
  341. shift 2
  342. ;;
  343. --)
  344. shift
  345. ;;
  346. *)
  347. break
  348. ;;
  349. esac
  350. done
  351. keyID="$1"
  352. if [ -z "$keyID" ] ; then
  353. failure "You must specify the key ID of a key to add."
  354. fi
  355. export keyID
  356. # export host ownertrust to authentication keyring
  357. gpg_host --export-ownertrust | gpg_authentication "--import-ownertrust"
  358. # get the key from the key server
  359. gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'"
  360. # get the full fingerprint of a key ID
  361. fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint $keyID" | \
  362. grep '^fpr:' | grep "$keyID" | cut -d: -f10)
  363. echo "key found:"
  364. gpg_authentication "--fingerprint $fingerprint"
  365. echo "Are you sure you want to add this key as a certifier of"
  366. read -p "users on this system? (y/N) " OK; OK=${OK:-N}
  367. if [ "${OK/y/Y}" != 'Y' ] ; then
  368. failure "aborting."
  369. fi
  370. # export the key to the host keyring
  371. gpg_authentication "--export $keyID" | gpg_host --import
  372. if [ "$trust" == marginal ]; then
  373. trustval=1
  374. elif [ "$trust" == full ]; then
  375. trustval=2
  376. else
  377. failure "trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)"
  378. fi
  379. # ltsign command
  380. # NOTE: *all* user IDs will be ltsigned
  381. ltsignCommand=$(cat <<EOF
  382. ltsign
  383. y
  384. $trustval
  385. $depth
  386. $domain
  387. y
  388. save
  389. EOF
  390. )
  391. # ltsign the key
  392. echo "$ltsignCommand" | gpg_host --quiet --command-fd 0 --edit-key "$fingerprint"
  393. # update the trustdb for the authentication keyring
  394. gpg_authentication "--check-trustdb"
  395. }
  396. # delete a certifiers key from the host keyring
  397. remove_certifier() {
  398. local keyID
  399. local fingerprint
  400. keyID="$1"
  401. if [ -z "$keyID" ] ; then
  402. failure "You must specify the key ID of a key to remove."
  403. fi
  404. # delete the requested key (with prompting)
  405. gpg_host --delete-key "$keyID"
  406. # update the trustdb for the authentication keyring
  407. gpg_authentication "--check-trustdb"
  408. }
  409. # list the host certifiers
  410. list_certifiers() {
  411. gpg_host --list-keys
  412. }
  413. # issue command to gpg-authentication keyring
  414. gpg_authentication_cmd() {
  415. gpg_authentication "$@"
  416. }
  417. ########################################################################
  418. # MAIN
  419. ########################################################################
  420. # unset variables that should be defined only in config file
  421. unset KEYSERVER
  422. unset AUTHORIZED_USER_IDS
  423. unset RAW_AUTHORIZED_KEYS
  424. unset MONKEYSPHERE_USER
  425. # load configuration file
  426. [ -e ${MONKEYSPHERE_SERVER_CONFIG:="${ETC}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG"
  427. # set empty config variable with ones from the environment, or with
  428. # defaults
  429. KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="subkeys.pgp.net"}}
  430. AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.config/monkeysphere/authorized_user_ids"}}
  431. RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
  432. MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
  433. # other variables
  434. CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
  435. REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
  436. GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${VARLIB}/gnupg-host"}
  437. GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${VARLIB}/gnupg-authentication"}
  438. # export variables needed in su invocation
  439. export DATE
  440. export MODE
  441. export MONKEYSPHERE_USER
  442. export KEYSERVER
  443. export CHECK_KEYSERVER
  444. export REQUIRED_USER_KEY_CAPABILITY
  445. export GNUPGHOME_HOST
  446. export GNUPGHOME_AUTHENTICATION
  447. export GNUPGHOME
  448. # get subcommand
  449. COMMAND="$1"
  450. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  451. shift
  452. case $COMMAND in
  453. 'update-users'|'update-user'|'u')
  454. update_users "$@"
  455. ;;
  456. 'gen-key'|'g')
  457. gen_key "$@"
  458. ;;
  459. 'show-fingerprint'|'f')
  460. fingerprint_server_key
  461. ;;
  462. 'publish-key'|'p')
  463. publish_server_key
  464. ;;
  465. 'add-identity-certifier'|'add-certifier'|'a')
  466. add_certifier "$1"
  467. ;;
  468. 'remove-identity-certifier'|'remove-certifier'|'r')
  469. remove_certifier "$1"
  470. ;;
  471. 'list-identity-certifiers'|'list-certifiers'|'list-certifier'|'l')
  472. list_certifiers "$@"
  473. ;;
  474. 'gpg-authentication-cmd')
  475. gpg_authentication_cmd "$@"
  476. ;;
  477. 'help'|'h'|'?')
  478. usage
  479. ;;
  480. *)
  481. failure "Unknown command: '$COMMAND'
  482. Type '$PGRM help' for usage."
  483. ;;
  484. esac
  485. exit "$RETURN"