summaryrefslogtreecommitdiff
path: root/src/monkeysphere-server
blob: 3cc7454faec27528e4e9822020a373010e6e2144 (plain)
  1. #!/bin/bash
  2. # monkeysphere-server: MonkeySphere server admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. #
  7. # They are Copyright 2008, and are all released under the GPL, version 3
  8. # or later.
  9. ########################################################################
  10. PGRM=$(basename $0)
  11. SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
  12. export SHAREDIR
  13. . "${SHAREDIR}/common"
  14. # date in UTF format if needed
  15. DATE=$(date -u '+%FT%T')
  16. # unset some environment variables that could screw things up
  17. GREP_OPTIONS=
  18. ########################################################################
  19. # FUNCTIONS
  20. ########################################################################
  21. usage() {
  22. cat <<EOF
  23. usage: $PGRM <subcommand> [args]
  24. MonkeySphere server admin tool.
  25. subcommands:
  26. update-users (s) [USER]... update users authorized_keys files
  27. gen-key (g) generate gpg key for the server
  28. publish-key (p) publish server key to keyserver
  29. trust-keys (t) KEYID... mark keyids as trusted
  30. update-user-userids (u) USER UID... add/update user IDs for a user
  31. remove-user-userids (r) USER UID... remove user IDs for a user
  32. help (h,?) this help
  33. EOF
  34. }
  35. # generate server gpg key
  36. gen_key() {
  37. # set key defaults
  38. KEY_TYPE=${KEY_TYPE:-"RSA"}
  39. KEY_LENGTH=${KEY_LENGTH:-"2048"}
  40. KEY_USAGE=${KEY_USAGE:-"auth,encrypt"}
  41. SERVICE=${SERVICE:-"ssh"}
  42. HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)}
  43. USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"}
  44. # set key parameters
  45. keyParameters=$(cat <<EOF
  46. Key-Type: $KEY_TYPE
  47. Key-Length: $KEY_LENGTH
  48. Key-Usage: $KEY_USAGE
  49. Name-Real: $USERID
  50. EOF
  51. )
  52. # add the revoker field if requested
  53. if [ "$REVOKER" ] ; then
  54. keyParameters="${keyParameters}"$(cat <<EOF
  55. Revoker: 1:$REVOKER sensitive
  56. EOF
  57. )
  58. fi
  59. echo "The following key parameters will be used:"
  60. echo "$keyParameters"
  61. read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
  62. if [ ${OK/y/Y} != 'Y' ] ; then
  63. failure "aborting."
  64. fi
  65. if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
  66. failure "key for '$USERID' already exists"
  67. fi
  68. # add commit command
  69. keyParameters="${keyParameters}"$(cat <<EOF
  70. %commit
  71. %echo done
  72. EOF
  73. )
  74. log "generating server key..."
  75. echo "$keyParameters" | gpg --batch --gen-key
  76. }
  77. ########################################################################
  78. # MAIN
  79. ########################################################################
  80. COMMAND="$1"
  81. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  82. shift
  83. # set ms home directory
  84. MS_HOME=${MS_HOME:-"$ETC"}
  85. # load configuration file
  86. MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
  87. [ -e "$MS_CONF" ] && . "$MS_CONF"
  88. # set empty config variable with defaults
  89. GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg}
  90. KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
  91. REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
  92. USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys}
  93. export GNUPGHOME
  94. # make sure gpg home exists with proper permissions
  95. mkdir -p -m 0700 "$GNUPGHOME"
  96. case $COMMAND in
  97. 'update-users'|'update-user'|'s')
  98. if [ "$1" ] ; then
  99. unames="$@"
  100. else
  101. unames=$(ls -1 "$MS_HOME"/authorized_user_ids)
  102. fi
  103. for uname in $unames ; do
  104. MODE="authorized_keys"
  105. log "----- user: $uname -----"
  106. # set variables for the user
  107. AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
  108. msAuthorizedKeys="$CACHE"/"$uname"/authorized_keys
  109. cacheDir="$CACHE"/"$uname"/user_keys
  110. # make sure user's authorized_user_ids file exists
  111. touch "$AUTHORIZED_USER_IDS"
  112. # skip if the user's authorized_user_ids file is empty
  113. if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
  114. log "authorized_user_ids file for '$uname' is empty."
  115. continue
  116. fi
  117. # set user-controlled authorized_keys file path
  118. if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then
  119. userHome=$(getent passwd "$uname" | cut -d: -f6)
  120. userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
  121. fi
  122. # update authorized_keys
  123. update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$cacheDir"
  124. done
  125. log "----- done. -----"
  126. ;;
  127. 'gen-key'|'g')
  128. gen_key
  129. ;;
  130. 'publish-key'|'p')
  131. publish_server_key
  132. ;;
  133. 'trust-keys'|'trust-key'|'t')
  134. if [ -z "$1" ] ; then
  135. failure "You must specify at least one key to trust."
  136. fi
  137. # process key IDs
  138. for keyID ; do
  139. trust_key "$keyID"
  140. done
  141. ;;
  142. 'update-user-userids'|'update-user-userid'|'u')
  143. uname="$1"
  144. shift
  145. if [ -z "$uname" ] ; then
  146. failure "You must specify user."
  147. fi
  148. if [ -z "$1" ] ; then
  149. failure "You must specify at least one user ID."
  150. fi
  151. # set variables for the user
  152. AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
  153. cacheDir="$CACHE"/"$uname"/user_keys
  154. # make sure user's authorized_user_ids file exists
  155. touch "$AUTHORIZED_USER_IDS"
  156. # process the user IDs
  157. for userID ; do
  158. update_userid "$userID" "$cacheDir"
  159. done
  160. log "Run the following to update user's authorized_keys file:"
  161. log "$PGRM update-users $uname"
  162. ;;
  163. 'remove-user-userids'|'remove-user-userid'|'r')
  164. uname="$1"
  165. shift
  166. if [ -z "$uname" ] ; then
  167. failure "You must specify user."
  168. fi
  169. if [ -z "$1" ] ; then
  170. failure "You must specify at least one user ID."
  171. fi
  172. # set variables for the user
  173. AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
  174. # make sure user's authorized_user_ids file exists
  175. touch "$AUTHORIZED_USER_IDS"
  176. # process the user IDs
  177. for userID ; do
  178. remove_userid "$userID"
  179. done
  180. log "Run the following to update user's authorized_keys file:"
  181. log "$PGRM update-users $uname"
  182. ;;
  183. 'help'|'h'|'?')
  184. usage
  185. ;;
  186. *)
  187. failure "Unknown command: '$COMMAND'
  188. Type '$PGRM help' for usage."
  189. ;;
  190. esac