#!/bin/bash # monkeysphere-server: MonkeySphere server admin tool # # The monkeysphere scripts are written by: # Jameson Rollins <jrollins@fifthhorseman.net> # # They are Copyright 2008, and are all released under the GPL, version 3 # or later. ######################################################################## PGRM=$(basename $0) SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"} export SHAREDIR . "${SHAREDIR}/common" # date in UTF format if needed DATE=$(date -u '+%FT%T') # unset some environment variables that could screw things up GREP_OPTIONS= ######################################################################## # FUNCTIONS ######################################################################## usage() { cat <<EOF usage: $PGRM <subcommand> [args] MonkeySphere server admin tool. subcommands: update-users (s) [USER]... update users authorized_keys files gen-key (g) generate gpg key for the server publish-key (p) publish server key to keyserver trust-keys (t) KEYID... mark keyids as trusted update-user-userids (u) USER UID... add/update user IDs for a user remove-user-userids (r) USER UID... remove user IDs for a user help (h,?) this help EOF } # generate server gpg key gen_key() { # set key defaults KEY_TYPE=${KEY_TYPE:-"RSA"} KEY_LENGTH=${KEY_LENGTH:-"2048"} KEY_USAGE=${KEY_USAGE:-"auth,encrypt"} SERVICE=${SERVICE:-"ssh"} HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)} USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"} # set key parameters keyParameters=$(cat <<EOF Key-Type: $KEY_TYPE Key-Length: $KEY_LENGTH Key-Usage: $KEY_USAGE Name-Real: $USERID EOF ) # add the revoker field if requested if [ "$REVOKER" ] ; then keyParameters="${keyParameters}"$(cat <<EOF Revoker: 1:$REVOKER sensitive EOF ) fi echo "The following key parameters will be used:" echo "$keyParameters" read -p "generate key? [Y|n]: " OK; OK=${OK:=Y} if [ ${OK/y/Y} != 'Y' ] ; then failure "aborting." fi if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then failure "key for '$USERID' already exists" fi # add commit command keyParameters="${keyParameters}"$(cat <<EOF %commit %echo done EOF ) log "generating server key..." echo "$keyParameters" | gpg --batch --gen-key } ######################################################################## # MAIN ######################################################################## COMMAND="$1" [ "$COMMAND" ] || failure "Type '$PGRM help' for usage." shift # set ms home directory MS_HOME=${MS_HOME:-"$ETC"} # load configuration file MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf} [ -e "$MS_CONF" ] && . "$MS_CONF" # set empty config variable with defaults GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg} KEYSERVER=${KEYSERVER:-subkeys.pgp.net} REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"} USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys} export GNUPGHOME # make sure gpg home exists with proper permissions mkdir -p -m 0700 "$GNUPGHOME" case $COMMAND in 'update-users'|'update-user'|'s') if [ "$1" ] ; then unames="$@" else unames=$(ls -1 "$MS_HOME"/authorized_user_ids) fi for uname in $unames ; do MODE="authorized_keys" log "----- user: $uname -----" # set variables for the user AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" msAuthorizedKeys="$CACHE"/"$uname"/authorized_keys cacheDir="$CACHE"/"$uname"/user_keys # make sure user's authorized_user_ids file exists touch "$AUTHORIZED_USER_IDS" # skip if the user's authorized_user_ids file is empty if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then log "authorized_user_ids file for '$uname' is empty." continue fi # set user-controlled authorized_keys file path if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then userHome=$(getent passwd "$uname" | cut -d: -f6) userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"} fi # update authorized_keys update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$cacheDir" done log "----- done. -----" ;; 'gen-key'|'g') gen_key ;; 'publish-key'|'p') publish_server_key ;; 'trust-keys'|'trust-key'|'t') if [ -z "$1" ] ; then failure "You must specify at least one key to trust." fi # process key IDs for keyID ; do trust_key "$keyID" done ;; 'update-user-userids'|'update-user-userid'|'u') uname="$1" shift if [ -z "$uname" ] ; then failure "You must specify user." fi if [ -z "$1" ] ; then failure "You must specify at least one user ID." fi # set variables for the user AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" cacheDir="$CACHE"/"$uname"/user_keys # make sure user's authorized_user_ids file exists touch "$AUTHORIZED_USER_IDS" # process the user IDs for userID ; do update_userid "$userID" "$cacheDir" done log "Run the following to update user's authorized_keys file:" log "$PGRM update-users $uname" ;; 'remove-user-userids'|'remove-user-userid'|'r') uname="$1" shift if [ -z "$uname" ] ; then failure "You must specify user." fi if [ -z "$1" ] ; then failure "You must specify at least one user ID." fi # set variables for the user AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname" # make sure user's authorized_user_ids file exists touch "$AUTHORIZED_USER_IDS" # process the user IDs for userID ; do remove_userid "$userID" done log "Run the following to update user's authorized_keys file:" log "$PGRM update-users $uname" ;; 'help'|'h'|'?') usage ;; *) failure "Unknown command: '$COMMAND' Type '$PGRM help' for usage." ;; esac