summaryrefslogtreecommitdiff
path: root/src/monkeysphere-server
blob: d3ba5e44f788f5b768e355e01bff73639c294616 (plain)
  1. #!/usr/bin/env bash
  2. # monkeysphere-server: MonkeySphere server admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. # Jamie McClelland <jm@mayfirst.org>
  7. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  8. #
  9. # They are Copyright 2008, and are all released under the GPL, version 3
  10. # or later.
  11. ########################################################################
  12. PGRM=$(basename $0)
  13. SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
  14. export SYSSHAREDIR
  15. . "${SYSSHAREDIR}/common" || exit 1
  16. SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
  17. export SYSDATADIR
  18. # UTC date in ISO 8601 format if needed
  19. DATE=$(date -u '+%FT%T')
  20. # unset some environment variables that could screw things up
  21. unset GREP_OPTIONS
  22. # default return code
  23. RETURN=0
  24. ########################################################################
  25. # FUNCTIONS
  26. ########################################################################
  27. usage() {
  28. cat <<EOF >&2
  29. usage: $PGRM <subcommand> [options] [args]
  30. Monkeysphere server admin tool.
  31. subcommands:
  32. update-users (u) [USER]... update user authorized_keys files
  33. gen-key (g) [NAME[:PORT]] generate gpg key for the server
  34. --length (-l) BITS key length in bits (2048)
  35. --expire (-e) EXPIRE date to expire
  36. --revoker (-r) FINGERPRINT add a revoker
  37. extend-key (e) EXPIRE extend expiration to EXPIRE
  38. add-hostname (n+) NAME[:PORT] add hostname user ID to server key
  39. revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
  40. show-key (s) output all server host key information
  41. publish-key (p) publish server host key to keyserver
  42. diagnostics (d) report on server monkeysphere status
  43. add-id-certifier (c+) KEYID import and tsign a certification key
  44. --domain (-n) DOMAIN limit ID certifications to DOMAIN
  45. --trust (-t) TRUST trust level of certifier (full)
  46. --depth (-d) DEPTH trust depth for certifier (1)
  47. remove-id-certifier (c-) KEYID remove a certification key
  48. list-id-certifiers (c) list certification keys
  49. gpg-authentication-cmd CMD gnupg-authentication command
  50. help (h,?) this help
  51. EOF
  52. }
  53. su_monkeysphere_user() {
  54. su "$MONKEYSPHERE_USER" -c "$@"
  55. }
  56. # function to interact with the host gnupg keyring
  57. gpg_host() {
  58. local returnCode
  59. GNUPGHOME="$GNUPGHOME_HOST"
  60. export GNUPGHOME
  61. # NOTE: we supress this warning because we need the monkeysphere
  62. # user to be able to read the host pubring. we realize this might
  63. # be problematic, but it's the simplest solution, without too much
  64. # loss of security.
  65. gpg --no-permission-warning "$@"
  66. returnCode="$?"
  67. # always reset the permissions on the host pubring so that the
  68. # monkeysphere user can read the trust signatures
  69. chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg"
  70. chmod g+r "${GNUPGHOME_HOST}/pubring.gpg"
  71. return "$returnCode"
  72. }
  73. # function to interact with the authentication gnupg keyring
  74. # FIXME: this function requires basically accepts only a single
  75. # argument because of problems with quote expansion. this needs to be
  76. # fixed/improved.
  77. gpg_authentication() {
  78. GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
  79. export GNUPGHOME
  80. su_monkeysphere_user "gpg $@"
  81. }
  82. # output just key fingerprint
  83. fingerprint_server_key() {
  84. gpg_host --list-secret-keys --fingerprint \
  85. --with-colons --fixed-list-mode 2> /dev/null | \
  86. grep '^fpr:' | head -1 | cut -d: -f10
  87. }
  88. # output key information
  89. show_server_key() {
  90. local fingerprint
  91. local tmpkey
  92. fingerprint=$(fingerprint_server_key)
  93. gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprint"
  94. # dumping to a file named ' ' so that the ssh-keygen output
  95. # doesn't claim any potentially bogus hostname(s):
  96. tmpkey=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
  97. gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ "
  98. echo -n "ssh fingerprint: "
  99. (cd "$tmpkey" && ssh-keygen -l -f ' ' | awk '{ print $2 }')
  100. rm -rf "$tmpkey"
  101. echo -n "OpenPGP fingerprint: "
  102. echo "$fingerprint"
  103. }
  104. # update authorized_keys for users
  105. update_users() {
  106. if [ "$1" ] ; then
  107. # get users from command line
  108. unames="$@"
  109. else
  110. # or just look at all users if none specified
  111. unames=$(getent passwd | cut -d: -f1)
  112. fi
  113. # set mode
  114. MODE="authorized_keys"
  115. # set gnupg home
  116. GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
  117. # check to see if the gpg trust database has been initialized
  118. if [ ! -s "${GNUPGHOME}/trustdb.gpg" ] ; then
  119. failure "GNUPG trust database uninitialized. Please see MONKEYSPHERE-SERVER(8)."
  120. fi
  121. # make sure the authorized_keys directory exists
  122. mkdir -p "${SYSDATADIR}/authorized_keys"
  123. # loop over users
  124. for uname in $unames ; do
  125. # check all specified users exist
  126. if ! getent passwd "$uname" >/dev/null ; then
  127. log error "----- unknown user '$uname' -----"
  128. continue
  129. fi
  130. # set authorized_user_ids and raw authorized_keys variables,
  131. # translating ssh-style path variables
  132. authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
  133. rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
  134. # if neither is found, skip user
  135. if [ ! -s "$authorizedUserIDs" ] ; then
  136. if [ "$rawAuthorizedKeys" = '-' -o ! -s "$rawAuthorizedKeys" ] ; then
  137. continue
  138. fi
  139. fi
  140. log verbose "----- user: $uname -----"
  141. # exit if the authorized_user_ids file is empty
  142. if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then
  143. log error "Improper permissions on path '$AUTHORIZED_USER_IDS'."
  144. continue
  145. fi
  146. # check permissions on the authorized_keys file path
  147. if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then
  148. log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'."
  149. continue
  150. fi
  151. # make temporary directory
  152. TMPLOC=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
  153. # trap to delete temporary directory on exit
  154. trap "rm -rf $TMPLOC" EXIT
  155. # create temporary authorized_user_ids file
  156. TMP_AUTHORIZED_USER_IDS="${TMPLOC}/authorized_user_ids"
  157. touch "$TMP_AUTHORIZED_USER_IDS"
  158. # create temporary authorized_keys file
  159. AUTHORIZED_KEYS="${TMPLOC}/authorized_keys"
  160. touch "$AUTHORIZED_KEYS"
  161. # set restrictive permissions on the temporary files
  162. # FIXME: is there a better way to do this?
  163. chmod 0700 "$TMPLOC"
  164. chmod 0600 "$AUTHORIZED_KEYS"
  165. chmod 0600 "$TMP_AUTHORIZED_USER_IDS"
  166. chown -R "$MONKEYSPHERE_USER" "$TMPLOC"
  167. # if the authorized_user_ids file exists...
  168. if [ -s "$authorizedUserIDs" ] ; then
  169. # copy user authorized_user_ids file to temporary
  170. # location
  171. cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS"
  172. # export needed variables
  173. export AUTHORIZED_KEYS
  174. export TMP_AUTHORIZED_USER_IDS
  175. # process authorized_user_ids file, as monkeysphere
  176. # user
  177. su_monkeysphere_user \
  178. ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
  179. RETURN="$?"
  180. fi
  181. # add user-controlled authorized_keys file path if specified
  182. if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then
  183. log verbose "adding raw authorized_keys file... "
  184. cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
  185. fi
  186. # openssh appears to check the contents of the
  187. # authorized_keys file as the user in question, so the
  188. # file must be readable by that user at least.
  189. # FIXME: is there a better way to do this?
  190. chown root "$AUTHORIZED_KEYS"
  191. chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
  192. chmod g+r "$AUTHORIZED_KEYS"
  193. # move the resulting authorized_keys file into place
  194. mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}"
  195. # destroy temporary directory
  196. rm -rf "$TMPLOC"
  197. done
  198. }
  199. # generate server gpg key
  200. gen_key() {
  201. local keyType
  202. local keyLength
  203. local keyUsage
  204. local keyExpire
  205. local revoker
  206. local hostName
  207. local userID
  208. local keyParameters
  209. local fingerprint
  210. # set default key parameter values
  211. keyType="RSA"
  212. keyLength="2048"
  213. keyUsage="auth"
  214. keyExpire=
  215. revoker=
  216. # get options
  217. TEMP=$(PATH="/usr/local/bin:$PATH" getopt -o e:l:r -l expire:,length:,revoker: -n "$PGRM" -- "$@") || failure "getopt failed! Does your getopt support GNU-style long options?"
  218. if [ $? != 0 ] ; then
  219. exit 1
  220. fi
  221. # Note the quotes around `$TEMP': they are essential!
  222. eval set -- "$TEMP"
  223. while true ; do
  224. case "$1" in
  225. -l|--length)
  226. keyLength="$2"
  227. shift 2
  228. ;;
  229. -e|--expire)
  230. keyExpire="$2"
  231. shift 2
  232. ;;
  233. -r|--revoker)
  234. revoker="$2"
  235. shift 2
  236. ;;
  237. --)
  238. shift
  239. ;;
  240. *)
  241. break
  242. ;;
  243. esac
  244. done
  245. hostName=${1:-$(hostname -f)}
  246. userID="ssh://${hostName}"
  247. # check for presense of key with user ID
  248. if gpg_host --list-key ="$userID" > /dev/null 2>&1 ; then
  249. failure "Key for '$userID' already exists"
  250. fi
  251. # prompt about key expiration if not specified
  252. keyExpire=$(get_gpg_expiration "$keyExpire")
  253. # set key parameters
  254. keyParameters=$(cat <<EOF
  255. Key-Type: $keyType
  256. Key-Length: $keyLength
  257. Key-Usage: $keyUsage
  258. Name-Real: $userID
  259. Expire-Date: $keyExpire
  260. EOF
  261. )
  262. # add the revoker field if specified
  263. # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key.
  264. # FIXME: key is marked "sensitive"? is this appropriate?
  265. if [ "$revoker" ] ; then
  266. keyParameters="${keyParameters}"$(cat <<EOF
  267. Revoker: 1:$revoker sensitive
  268. EOF
  269. )
  270. fi
  271. echo "The following key parameters will be used for the host private key:"
  272. echo "$keyParameters"
  273. read -p "Generate key? (Y/n) " OK; OK=${OK:=Y}
  274. if [ ${OK/y/Y} != 'Y' ] ; then
  275. failure "aborting."
  276. fi
  277. # add commit command
  278. keyParameters="${keyParameters}"$(cat <<EOF
  279. %commit
  280. %echo done
  281. EOF
  282. )
  283. log verbose "generating server key..."
  284. echo "$keyParameters" | gpg_host --batch --gen-key
  285. # output the server fingerprint
  286. fingerprint_server_key "=${userID}"
  287. # find the key fingerprint of the newly generated key
  288. fingerprint=$(fingerprint_server_key)
  289. # export host ownertrust to authentication keyring
  290. log verbose "setting ultimate owner trust for server key..."
  291. echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"
  292. # translate the private key to ssh format, and export to a file
  293. # for sshs usage.
  294. # NOTE: assumes that the primary key is the proper key to use
  295. (umask 077 && \
  296. gpg_host --export-secret-key "$fingerprint" | \
  297. openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
  298. log info "Private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
  299. }
  300. # extend the lifetime of a host key:
  301. extend_key() {
  302. local fpr=$(fingerprint_server_key)
  303. local extendTo="$1"
  304. if [ -z "$fpr" ] ; then
  305. failure "You don't appear to have a MonkeySphere host key on this server. Try 'monkeysphere-server gen-key' first."
  306. fi
  307. # get the new expiration date
  308. extendTo=$(get_gpg_expiration "$extendTo")
  309. gpg_host --quiet --command-fd 0 --edit-key "$fpr" <<EOF
  310. expire
  311. $extendTo
  312. save
  313. EOF
  314. echo
  315. echo "NOTE: Host key expiration date adjusted, but not yet published."
  316. echo "Run '$PGRM publish-key' to publish the new expiration date."
  317. }
  318. # add hostname user ID to server key
  319. add_hostname() {
  320. local userID
  321. local fingerprint
  322. local tmpuidMatch
  323. local line
  324. local adduidCommand
  325. if [ -z "$1" ] ; then
  326. failure "You must specify a hostname to add."
  327. fi
  328. userID="ssh://${1}"
  329. fingerprint=$(fingerprint_server_key)
  330. # match to only ultimately trusted user IDs
  331. tmpuidMatch="u:$(echo $userID | gpg_escape)"
  332. # find the index of the requsted user ID
  333. # NOTE: this is based on circumstantial evidence that the order of
  334. # this output is the appropriate index
  335. if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \
  336. | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then
  337. failure "Host userID '$userID' already exists."
  338. fi
  339. echo "The following user ID will be added to the host key:"
  340. echo " $userID"
  341. read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N}
  342. if [ ${OK/y/Y} != 'Y' ] ; then
  343. failure "User ID not added."
  344. fi
  345. # edit-key script command to add user ID
  346. adduidCommand=$(cat <<EOF
  347. adduid
  348. $userID
  349. save
  350. EOF
  351. )
  352. # execute edit-key script
  353. if echo "$adduidCommand" | \
  354. gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
  355. # update the trustdb for the authentication keyring
  356. gpg_authentication "--check-trustdb"
  357. show_server_key
  358. echo
  359. echo "NOTE: User ID added to key, but key not published."
  360. echo "Run '$PGRM publish-key' to publish the new user ID."
  361. else
  362. failure "Problem adding user ID."
  363. fi
  364. }
  365. # revoke hostname user ID to server key
  366. revoke_hostname() {
  367. local userID
  368. local fingerprint
  369. local tmpuidMatch
  370. local line
  371. local uidIndex
  372. local message
  373. local revuidCommand
  374. if [ -z "$1" ] ; then
  375. failure "You must specify a hostname to revoke."
  376. fi
  377. echo "WARNING: There is a known bug in this function."
  378. echo "This function has been known to occasionally revoke the wrong user ID."
  379. echo "Please see the following bug report for more information:"
  380. echo "http://web.monkeysphere.info/bugs/revoke-hostname-revoking-wrong-userid/"
  381. read -p "Are you sure you would like to proceed? (y/N) " OK; OK=${OK:=N}
  382. if [ ${OK/y/Y} != 'Y' ] ; then
  383. failure "aborting."
  384. fi
  385. userID="ssh://${1}"
  386. fingerprint=$(fingerprint_server_key)
  387. # match to only ultimately trusted user IDs
  388. tmpuidMatch="u:$(echo $userID | gpg_escape)"
  389. # find the index of the requsted user ID
  390. # NOTE: this is based on circumstantial evidence that the order of
  391. # this output is the appropriate index
  392. if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \
  393. | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then
  394. uidIndex=${line%%:*}
  395. else
  396. failure "No non-revoked user ID '$userID' is found."
  397. fi
  398. echo "The following host key user ID will be revoked:"
  399. echo " $userID"
  400. read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N}
  401. if [ ${OK/y/Y} != 'Y' ] ; then
  402. failure "User ID not revoked."
  403. fi
  404. message="Hostname removed by monkeysphere-server $DATE"
  405. # edit-key script command to revoke user ID
  406. revuidCommand=$(cat <<EOF
  407. $uidIndex
  408. revuid
  409. y
  410. 4
  411. $message
  412. y
  413. save
  414. EOF
  415. )
  416. # execute edit-key script
  417. if echo "$revuidCommand" | \
  418. gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
  419. # update the trustdb for the authentication keyring
  420. gpg_authentication "--check-trustdb"
  421. show_server_key
  422. echo
  423. echo "NOTE: User ID revoked, but revocation not published."
  424. echo "Run '$PGRM publish-key' to publish the revocation."
  425. else
  426. failure "Problem revoking user ID."
  427. fi
  428. }
  429. # publish server key to keyserver
  430. publish_server_key() {
  431. read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
  432. if [ ${OK/y/Y} != 'Y' ] ; then
  433. failure "key not published."
  434. fi
  435. # find the key fingerprint
  436. fingerprint=$(fingerprint_server_key)
  437. # publish host key
  438. gpg_authentication "--keyserver $KEYSERVER --send-keys '0x${fingerprint}!'"
  439. }
  440. diagnostics() {
  441. # * check on the status and validity of the key and public certificates
  442. local seckey
  443. local keysfound
  444. local curdate
  445. local warnwindow
  446. local warndate
  447. local create
  448. local expire
  449. local uid
  450. local fingerprint
  451. local badhostkeys
  452. local sshd_config
  453. local problemsfound=0
  454. # FIXME: what's the correct, cross-platform answer?
  455. sshd_config=/etc/ssh/sshd_config
  456. seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
  457. keysfound=$(echo "$seckey" | grep -c ^sec:)
  458. curdate=$(date +%s)
  459. # warn when anything is 2 months away from expiration
  460. warnwindow='2 months'
  461. warndate=$(advance_date $warnwindow +%s)
  462. if ! id monkeysphere >/dev/null ; then
  463. echo "! No monkeysphere user found! Please create a monkeysphere system user with bash as its shell."
  464. problemsfound=$(($problemsfound+1))
  465. fi
  466. if ! [ -d "$SYSDATADIR" ] ; then
  467. echo "! no $SYSDATADIR directory found. Please create it."
  468. problemsfound=$(($problemsfound+1))
  469. fi
  470. echo "Checking host GPG key..."
  471. if (( "$keysfound" < 1 )); then
  472. echo "! No host key found."
  473. echo " - Recommendation: run 'monkeysphere-server gen-key'"
  474. problemsfound=$(($problemsfound+1))
  475. elif (( "$keysfound" > 1 )); then
  476. echo "! More than one host key found?"
  477. # FIXME: recommend a way to resolve this
  478. problemsfound=$(($problemsfound+1))
  479. else
  480. create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
  481. expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
  482. fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
  483. # check for key expiration:
  484. if [ "$expire" ]; then
  485. if (( "$expire" < "$curdate" )); then
  486. echo "! Host key is expired."
  487. echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
  488. problemsfound=$(($problemsfound+1))
  489. elif (( "$expire" < "$warndate" )); then
  490. echo "! Host key expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
  491. echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
  492. problemsfound=$(($problemsfound+1))
  493. fi
  494. fi
  495. # and weirdnesses:
  496. if [ "$create" ] && (( "$create" > "$curdate" )); then
  497. echo "! Host key was created in the future(?!). Is your clock correct?"
  498. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  499. problemsfound=$(($problemsfound+1))
  500. fi
  501. # check for UserID expiration:
  502. echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
  503. while IFS=: read create expire uid ; do
  504. # FIXME: should we be doing any checking on the form
  505. # of the User ID? Should we be unmangling it somehow?
  506. if [ "$create" ] && (( "$create" > "$curdate" )); then
  507. echo "! User ID '$uid' was created in the future(?!). Is your clock correct?"
  508. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  509. problemsfound=$(($problemsfound+1))
  510. fi
  511. if [ "$expire" ] ; then
  512. if (( "$expire" < "$curdate" )); then
  513. echo "! User ID '$uid' is expired."
  514. # FIXME: recommend a way to resolve this
  515. problemsfound=$(($problemsfound+1))
  516. elif (( "$expire" < "$warndate" )); then
  517. echo "! User ID '$uid' expires in less than $warnwindow:" $(advance_date $(( $expire - $curdate )) seconds +%F)
  518. # FIXME: recommend a way to resolve this
  519. problemsfound=$(($problemsfound+1))
  520. fi
  521. fi
  522. done
  523. # FIXME: verify that the host key is properly published to the
  524. # keyservers (do this with the non-privileged user)
  525. # FIXME: check that there are valid, non-expired certifying signatures
  526. # attached to the host key after fetching from the public keyserver
  527. # (do this with the non-privileged user as well)
  528. # FIXME: propose adding a revoker to the host key if none exist (do we
  529. # have a way to do that after key generation?)
  530. # Ensure that the ssh_host_rsa_key file is present and non-empty:
  531. echo
  532. echo "Checking host SSH key..."
  533. if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then
  534. echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty."
  535. problemsfound=$(($problemsfound+1))
  536. else
  537. if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
  538. echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600."
  539. problemsfound=$(($problemsfound+1))
  540. fi
  541. # propose changes needed for sshd_config (if any)
  542. if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then
  543. echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)."
  544. echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'"
  545. problemsfound=$(($problemsfound+1))
  546. fi
  547. if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then
  548. echo "! $sshd_config refers to some non-monkeysphere host keys:"
  549. echo "$badhostkeys"
  550. echo " - Recommendation: remove the above HostKey lines from $sshd_config"
  551. problemsfound=$(($problemsfound+1))
  552. fi
  553. fi
  554. fi
  555. # FIXME: look at the ownership/privileges of the various keyrings,
  556. # directories housing them, etc (what should those values be? can
  557. # we make them as minimal as possible?)
  558. # FIXME: look to see that the ownertrust rules are set properly on the
  559. # authentication keyring
  560. # FIXME: make sure that at least one identity certifier exists
  561. # FIXME: look at the timestamps on the monkeysphere-generated
  562. # authorized_keys files -- warn if they seem out-of-date.
  563. # FIXME: check for a cronjob that updates monkeysphere-generated
  564. # authorized_keys?
  565. echo
  566. echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
  567. # Ensure that User ID authentication is enabled:
  568. if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then
  569. echo "! $sshd_config does not point to monkeysphere authorized keys."
  570. echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'"
  571. problemsfound=$(($problemsfound+1))
  572. fi
  573. if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then
  574. echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
  575. echo "$badauthorizedkeys"
  576. echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
  577. problemsfound=$(($problemsfound+1))
  578. fi
  579. if [ "$problemsfound" -gt 0 ]; then
  580. echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
  581. echo " monkeysphere-server diagnostics"
  582. else
  583. echo "Everything seems to be in order!"
  584. fi
  585. }
  586. # retrieve key from web of trust, import it into the host keyring, and
  587. # ltsign the key in the host keyring so that it may certify other keys
  588. add_certifier() {
  589. local domain
  590. local trust
  591. local depth
  592. local keyID
  593. local fingerprint
  594. local ltsignCommand
  595. local trustval
  596. # set default values for trust depth and domain
  597. domain=
  598. trust=full
  599. depth=1
  600. # get options
  601. TEMP=$(PATH="/usr/local/bin:$PATH" getopt -o n:t:d: -l domain:,trust:,depth: -n "$PGRM" -- "$@") || failure "getopt failed! Does your getopt support GNU-style long options?"
  602. if [ $? != 0 ] ; then
  603. exit 1
  604. fi
  605. # Note the quotes around `$TEMP': they are essential!
  606. eval set -- "$TEMP"
  607. while true ; do
  608. case "$1" in
  609. -n|--domain)
  610. domain="$2"
  611. shift 2
  612. ;;
  613. -t|--trust)
  614. trust="$2"
  615. shift 2
  616. ;;
  617. -d|--depth)
  618. depth="$2"
  619. shift 2
  620. ;;
  621. --)
  622. shift
  623. ;;
  624. *)
  625. break
  626. ;;
  627. esac
  628. done
  629. keyID="$1"
  630. if [ -z "$keyID" ] ; then
  631. failure "You must specify the key ID of a key to add, or specify a file to read the key from."
  632. fi
  633. if [ -f "$keyID" ] ; then
  634. echo "Reading key from file '$keyID':"
  635. importinfo=$(gpg_authentication "--import" < "$keyID" 2>&1) || failure "could not read key from '$keyID'"
  636. # FIXME: if this is tried when the key database is not
  637. # up-to-date, i got these errors (using set -x):
  638. # ++ su -m monkeysphere -c '\''gpg --import'\''
  639. # Warning: using insecure memory!
  640. # gpg: key D21739E9: public key "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" imported
  641. # gpg: Total number processed: 1
  642. # gpg: imported: 1 (RSA: 1)
  643. # gpg: can'\''t create `/var/monkeysphere/gnupg-host/pubring.gpg.tmp'\'': Permission denied
  644. # gpg: failed to rebuild keyring cache: Permission denied
  645. # gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
  646. # gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
  647. # gpg: next trustdb check due at 2009-01-10'
  648. # + failure 'could not read key from '\''/root/dkg.gpg'\'''
  649. # + echo 'could not read key from '\''/root/dkg.gpg'\'''
  650. keyID=$(echo "$importinfo" | grep '^gpg: key ' | cut -f2 -d: | cut -f3 -d\ )
  651. if [ -z "$keyID" ] || [ $(echo "$keyID" | wc -l) -ne 1 ] ; then
  652. failure "Expected there to be a single gpg key in the file."
  653. fi
  654. else
  655. # get the key from the key server
  656. gpg_authentication "--keyserver $KEYSERVER --recv-key '0x${keyID}!'" || failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver."
  657. fi
  658. export keyID
  659. # get the full fingerprint of a key ID
  660. fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint 0x${keyID}!" | \
  661. grep '^fpr:' | grep "$keyID" | cut -d: -f10)
  662. if [ -z "$fingerprint" ] ; then
  663. failure "Key '$keyID' not found."
  664. fi
  665. echo
  666. echo "key found:"
  667. gpg_authentication "--fingerprint 0x${fingerprint}!"
  668. echo "Are you sure you want to add the above key as a"
  669. read -p "certifier of users on this system? (y/N) " OK; OK=${OK:-N}
  670. if [ "${OK/y/Y}" != 'Y' ] ; then
  671. failure "Identity certifier not added."
  672. fi
  673. # export the key to the host keyring
  674. gpg_authentication "--export 0x${fingerprint}!" | gpg_host --import
  675. if [ "$trust" == marginal ]; then
  676. trustval=1
  677. elif [ "$trust" == full ]; then
  678. trustval=2
  679. else
  680. failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)."
  681. fi
  682. # ltsign command
  683. # NOTE: *all* user IDs will be ltsigned
  684. ltsignCommand=$(cat <<EOF
  685. ltsign
  686. y
  687. $trustval
  688. $depth
  689. $domain
  690. y
  691. save
  692. EOF
  693. )
  694. # ltsign the key
  695. if echo "$ltsignCommand" | \
  696. gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
  697. # update the trustdb for the authentication keyring
  698. gpg_authentication "--check-trustdb"
  699. echo
  700. echo "Identity certifier added."
  701. else
  702. failure "Problem adding identify certifier."
  703. fi
  704. }
  705. # delete a certifiers key from the host keyring
  706. remove_certifier() {
  707. local keyID
  708. local fingerprint
  709. keyID="$1"
  710. if [ -z "$keyID" ] ; then
  711. failure "You must specify the key ID of a key to remove."
  712. fi
  713. if gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-key 0x${keyID}!" ; then
  714. read -p "Really remove above listed identity certifier? (y/N) " OK; OK=${OK:-N}
  715. if [ "${OK/y/Y}" != 'Y' ] ; then
  716. failure "Identity certifier not removed."
  717. fi
  718. else
  719. failure
  720. fi
  721. # delete the requested key
  722. if gpg_authentication "--delete-key --batch --yes 0x${keyID}!" ; then
  723. # delete key from host keyring as well
  724. gpg_host --delete-key --batch --yes "0x${keyID}!"
  725. # update the trustdb for the authentication keyring
  726. gpg_authentication "--check-trustdb"
  727. echo
  728. echo "Identity certifier removed."
  729. else
  730. failure "Problem removing identity certifier."
  731. fi
  732. }
  733. # list the host certifiers
  734. list_certifiers() {
  735. local keys
  736. local key
  737. # find trusted keys in authentication keychain
  738. keys=$(gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-keys --with-colons --fingerprint" | \
  739. grep ^pub: | cut -d: -f2,5 | egrep '^(u|f):' | cut -d: -f2)
  740. # output keys
  741. for key in $keys ; do
  742. gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-key --fingerprint $key"
  743. done
  744. }
  745. # issue command to gpg-authentication keyring
  746. gpg_authentication_cmd() {
  747. gpg_authentication "$@"
  748. }
  749. ########################################################################
  750. # MAIN
  751. ########################################################################
  752. # unset variables that should be defined only in config file
  753. unset KEYSERVER
  754. unset AUTHORIZED_USER_IDS
  755. unset RAW_AUTHORIZED_KEYS
  756. unset MONKEYSPHERE_USER
  757. # load configuration file
  758. [ -e ${MONKEYSPHERE_SERVER_CONFIG:="${SYSCONFIGDIR}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG"
  759. # set empty config variable with ones from the environment, or with
  760. # defaults
  761. LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
  762. KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
  763. AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
  764. RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
  765. MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
  766. # other variables
  767. CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
  768. REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
  769. GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"}
  770. GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"}
  771. # export variables needed in su invocation
  772. export DATE
  773. export MODE
  774. export MONKEYSPHERE_USER
  775. export LOG_LEVEL
  776. export KEYSERVER
  777. export CHECK_KEYSERVER
  778. export REQUIRED_USER_KEY_CAPABILITY
  779. export GNUPGHOME_HOST
  780. export GNUPGHOME_AUTHENTICATION
  781. export GNUPGHOME
  782. # get subcommand
  783. COMMAND="$1"
  784. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  785. shift
  786. case $COMMAND in
  787. 'update-users'|'update-user'|'u')
  788. update_users "$@"
  789. ;;
  790. 'gen-key'|'g')
  791. gen_key "$@"
  792. ;;
  793. 'extend-key'|'e')
  794. extend_key "$@"
  795. ;;
  796. 'add-hostname'|'add-name'|'n+')
  797. add_hostname "$@"
  798. ;;
  799. 'revoke-hostname'|'revoke-name'|'n-')
  800. revoke_hostname "$@"
  801. ;;
  802. 'show-key'|'show'|'s')
  803. show_server_key
  804. ;;
  805. 'publish-key'|'publish'|'p')
  806. publish_server_key
  807. ;;
  808. 'diagnostics'|'d')
  809. diagnostics
  810. ;;
  811. 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
  812. add_certifier "$@"
  813. ;;
  814. 'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-')
  815. remove_certifier "$@"
  816. ;;
  817. 'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c')
  818. list_certifiers "$@"
  819. ;;
  820. 'gpg-authentication-cmd')
  821. gpg_authentication_cmd "$@"
  822. ;;
  823. '--help'|'help'|'-h'|'h'|'?')
  824. usage
  825. ;;
  826. *)
  827. failure "Unknown command: '$COMMAND'
  828. Type '$PGRM help' for usage."
  829. ;;
  830. esac
  831. exit "$RETURN"