summaryrefslogtreecommitdiff
path: root/src/monkeysphere-server
blob: 3ca0656e4ad5168b48a6282c4174a25f301168ce (plain)
  1. #!/bin/bash
  2. # monkeysphere-server: MonkeySphere server admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. #
  7. # They are Copyright 2008, and are all released under the GPL, version 3
  8. # or later.
  9. ########################################################################
  10. PGRM=$(basename $0)
  11. SHARE=${MONKEYSPHERE_SHARE:="/usr/share/monkeysphere"}
  12. export SHARE
  13. . "${SHARE}/common" || exit 1
  14. VARLIB="/var/lib/monkeysphere"
  15. export VARLIB
  16. # date in UTF format if needed
  17. DATE=$(date -u '+%FT%T')
  18. # unset some environment variables that could screw things up
  19. unset GREP_OPTIONS
  20. # default return code
  21. RETURN=0
  22. ########################################################################
  23. # FUNCTIONS
  24. ########################################################################
  25. usage() {
  26. cat <<EOF
  27. usage: $PGRM <subcommand> [options] [args]
  28. MonkeySphere server admin tool.
  29. subcommands:
  30. update-users (u) [USER]... update user authorized_keys files
  31. gen-key (g) [HOSTNAME] generate gpg key for the server
  32. -l|--length BITS key length in bits (2048)
  33. -e|--expire EXPIRE date to expire
  34. -r|--revoker FINGERPRINT add a revoker
  35. show-fingerprint (f) show server's host key fingerprint
  36. publish-key (p) publish server's host key to keyserver
  37. diagnostics (d) report on the server's monkeysphere status
  38. add-identity-certifier (a) KEYID import and tsign a certification key
  39. -n|--domain DOMAIN limit ID certifications to IDs in DOMAIN
  40. -t|--trust TRUST trust level of certifier (full)
  41. -d|--depth DEPTH trust depth for certifier (1)
  42. remove-identity-certifier (r) KEYID remove a certification key
  43. list-identity-certifiers (l) list certification keys
  44. gpg-authentication-cmd CMD gnupg-authentication command
  45. -h|--help|help (h,?) this help
  46. EOF
  47. }
  48. su_monkeysphere_user() {
  49. su --preserve-environment "$MONKEYSPHERE_USER" -- -c "$@"
  50. }
  51. # function to interact with the host gnupg keyring
  52. gpg_host() {
  53. local returnCode
  54. GNUPGHOME="$GNUPGHOME_HOST"
  55. export GNUPGHOME
  56. # NOTE: we supress this warning because we need the monkeysphere
  57. # user to be able to read the host pubring. we realize this might
  58. # be problematic, but it's the simplest solution, without too much
  59. # loss of security.
  60. gpg --no-permission-warning "$@"
  61. returnCode="$?"
  62. # always reset the permissions on the host pubring so that the
  63. # monkeysphere user can read the trust signatures
  64. chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg"
  65. chmod g+r "${GNUPGHOME_HOST}/pubring.gpg"
  66. return "$returnCode"
  67. }
  68. # function to interact with the authentication gnupg keyring
  69. # FIXME: this function requires basically accepts only a single
  70. # argument because of problems with quote expansion. this needs to be
  71. # fixed/improved.
  72. gpg_authentication() {
  73. GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
  74. export GNUPGHOME
  75. su_monkeysphere_user "gpg $@"
  76. }
  77. # update authorized_keys for users
  78. update_users() {
  79. if [ "$1" ] ; then
  80. # get users from command line
  81. unames="$@"
  82. else
  83. # or just look at all users if none specified
  84. unames=$(getent passwd | cut -d: -f1)
  85. fi
  86. # set mode
  87. MODE="authorized_keys"
  88. # set gnupg home
  89. GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
  90. # check to see if the gpg trust database has been initialized
  91. if [ ! -s "${GNUPGHOME}/trustdb.gpg" ] ; then
  92. failure "GNUPG trust database uninitialized. Please see MONKEYSPHERE-SERVER(8)."
  93. fi
  94. # make sure the authorized_keys directory exists
  95. mkdir -p "${VARLIB}/authorized_keys"
  96. # loop over users
  97. for uname in $unames ; do
  98. # check all specified users exist
  99. if ! getent passwd "$uname" >/dev/null ; then
  100. log "----- unknown user '$uname' -----"
  101. continue
  102. fi
  103. # set authorized_user_ids and raw authorized_keys variables,
  104. # translating ssh-style path variables
  105. authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
  106. rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
  107. # if neither is found, skip user
  108. if [ ! -s "$authorizedUserIDs" ] ; then
  109. if [ "$rawAuthorizedKeys" = '-' -o ! -s "$rawAuthorizedKeys" ] ; then
  110. continue
  111. fi
  112. fi
  113. log "----- user: $uname -----"
  114. # exit if the authorized_user_ids file is empty
  115. if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then
  116. log "Improper permissions on authorized_user_ids file path."
  117. continue
  118. fi
  119. # check permissions on the authorized_keys file path
  120. if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then
  121. log "Improper permissions on authorized_keys file path path."
  122. continue
  123. fi
  124. # make temporary directory
  125. TMPDIR=$(mktemp -d)
  126. # trap to delete temporary directory on exit
  127. trap "rm -rf $TMPDIR" EXIT
  128. # create temporary authorized_user_ids file
  129. TMP_AUTHORIZED_USER_IDS="${TMPDIR}/authorized_user_ids"
  130. touch "$TMP_AUTHORIZED_USER_IDS"
  131. # create temporary authorized_keys file
  132. AUTHORIZED_KEYS="${TMPDIR}/authorized_keys"
  133. touch "$AUTHORIZED_KEYS"
  134. # set restrictive permissions on the temporary files
  135. # FIXME: is there a better way to do this?
  136. chmod 0700 "$TMPDIR"
  137. chmod 0600 "$AUTHORIZED_KEYS"
  138. chmod 0600 "$TMP_AUTHORIZED_USER_IDS"
  139. chown -R "$MONKEYSPHERE_USER" "$TMPDIR"
  140. # if the authorized_user_ids file exists...
  141. if [ -s "$authorizedUserIDs" ] ; then
  142. # copy user authorized_user_ids file to temporary
  143. # location
  144. cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS"
  145. # export needed variables
  146. export AUTHORIZED_KEYS
  147. export TMP_AUTHORIZED_USER_IDS
  148. # process authorized_user_ids file, as monkeysphere
  149. # user
  150. su_monkeysphere_user \
  151. ". ${SHARE}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
  152. RETURN="$?"
  153. fi
  154. # add user-controlled authorized_keys file path if specified
  155. if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then
  156. log -n "adding raw authorized_keys file... "
  157. cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
  158. loge "done."
  159. fi
  160. # openssh appears to check the contents of the
  161. # authorized_keys file as the user in question, so the
  162. # file must be readable by that user at least.
  163. # FIXME: is there a better way to do this?
  164. chown root "$AUTHORIZED_KEYS"
  165. chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
  166. chmod g+r "$AUTHORIZED_KEYS"
  167. # move the resulting authorized_keys file into place
  168. mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
  169. # destroy temporary directory
  170. rm -rf "$TMPDIR"
  171. done
  172. }
  173. # generate server gpg key
  174. gen_key() {
  175. local keyType
  176. local keyLength
  177. local keyUsage
  178. local keyExpire
  179. local revoker
  180. local hostName
  181. local userID
  182. local keyParameters
  183. local fingerprint
  184. # set default key parameter values
  185. keyType="RSA"
  186. keyLength="2048"
  187. keyUsage="auth"
  188. keyExpire=
  189. revoker=
  190. # get options
  191. TEMP=$(getopt -o e:l:r -l expire:,length:,revoker: -n "$PGRM" -- "$@")
  192. if [ $? != 0 ] ; then
  193. exit 1
  194. fi
  195. # Note the quotes around `$TEMP': they are essential!
  196. eval set -- "$TEMP"
  197. while true ; do
  198. case "$1" in
  199. -l|--length)
  200. keyLength="$2"
  201. shift 2
  202. ;;
  203. -e|--expire)
  204. keyExpire="$2"
  205. shift 2
  206. ;;
  207. -r|--revoker)
  208. revoker="$2"
  209. shift 2
  210. ;;
  211. --)
  212. shift
  213. ;;
  214. *)
  215. break
  216. ;;
  217. esac
  218. done
  219. hostName=${1:-$(hostname --fqdn)}
  220. userID="ssh://${hostName}"
  221. # check for presense of key with user ID
  222. if gpg_host --list-key ="$userID" > /dev/null 2>&1 ; then
  223. failure "Key for '$userID' already exists"
  224. fi
  225. # prompt about key expiration if not specified
  226. if [ -z "$keyExpire" ] ; then
  227. cat <<EOF
  228. Please specify how long the key should be valid.
  229. 0 = key does not expire
  230. <n> = key expires in n days
  231. <n>w = key expires in n weeks
  232. <n>m = key expires in n months
  233. <n>y = key expires in n years
  234. EOF
  235. while [ -z "$keyExpire" ] ; do
  236. read -p "Key is valid for? (0) " keyExpire
  237. if ! test_gpg_expire ${keyExpire:=0} ; then
  238. echo "invalid value"
  239. unset keyExpire
  240. fi
  241. done
  242. elif ! test_gpg_expire "$keyExpire" ; then
  243. failure "invalid key expiration value '$keyExpire'."
  244. fi
  245. # set key parameters
  246. keyParameters=$(cat <<EOF
  247. Key-Type: $keyType
  248. Key-Length: $keyLength
  249. Key-Usage: $keyUsage
  250. Name-Real: $userID
  251. Expire-Date: $keyExpire
  252. EOF
  253. )
  254. # add the revoker field if specified
  255. # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key.
  256. # FIXME: key is marked "sensitive"? is this appropriate?
  257. if [ "$revoker" ] ; then
  258. keyParameters="${keyParameters}"$(cat <<EOF
  259. Revoker: 1:$revoker sensitive
  260. EOF
  261. )
  262. fi
  263. echo "The following key parameters will be used for the host private key:"
  264. echo "$keyParameters"
  265. read -p "Generate key? (Y/n) " OK; OK=${OK:=Y}
  266. if [ ${OK/y/Y} != 'Y' ] ; then
  267. failure "aborting."
  268. fi
  269. # add commit command
  270. keyParameters="${keyParameters}"$(cat <<EOF
  271. %commit
  272. %echo done
  273. EOF
  274. )
  275. log "generating server key..."
  276. echo "$keyParameters" | gpg_host --batch --gen-key
  277. # output the server fingerprint
  278. fingerprint_server_key "=${userID}"
  279. # find the key fingerprint of the server primary key
  280. fingerprint=$(gpg_host --list-key --with-colons --with-fingerprint "=${userID}" | \
  281. grep '^fpr:' | head -1 | cut -d: -f10)
  282. # export host ownertrust to authentication keyring
  283. log "setting ultimate owner trust for server key..."
  284. echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"
  285. # translate the private key to ssh format, and export to a file
  286. # for sshs usage.
  287. # NOTE: assumes that the primary key is the proper key to use
  288. (umask 077 && \
  289. gpg_host --export-secret-key "$fingerprint" | \
  290. openpgp2ssh "$fingerprint" > "${VARLIB}/ssh_host_rsa_key")
  291. log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key"
  292. }
  293. # gpg output key fingerprint
  294. fingerprint_server_key() {
  295. gpg_host --fingerprint --list-secret-keys
  296. }
  297. # publish server key to keyserver
  298. publish_server_key() {
  299. read -p "Really publish key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
  300. if [ ${OK/y/Y} != 'Y' ] ; then
  301. failure "aborting."
  302. fi
  303. # publish host key
  304. # FIXME: need to figure out better way to identify host key
  305. # dummy command so as not to publish fakes keys during testing
  306. # eventually:
  307. #gpg_authentication "--keyserver $KEYSERVER --send-keys $(hostname -f)"
  308. echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)."
  309. echo "The following command should publish the key:"
  310. echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys $(hostname -f)'"
  311. exit 255
  312. }
  313. diagnostics() {
  314. # * check on the status and validity of the key and public certificates
  315. local seckey
  316. local keysfound
  317. local curdate
  318. local warnwindow
  319. local warndate
  320. local create
  321. local expire
  322. local uid
  323. local fingerprint
  324. local badhostkeys
  325. seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
  326. keysfound=$(echo "$seckey" | grep -c ^sec:)
  327. curdate=$(date +%s)
  328. # warn when anything is 2 months away from expiration
  329. warnwindow='2 months'
  330. warndate=$(date +%s -d "$warnwindow")
  331. echo "Checking host GPG key..."
  332. if (( "$keysfound" < 1 )); then
  333. echo "! No host key found."
  334. echo " - Recommendation: run 'monkeysphere-server gen-key'"
  335. elif (( "$keysfound" > 1 )); then
  336. echo "! More than one host key found?"
  337. # FIXME: recommend a way to resolve this
  338. else
  339. create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
  340. expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
  341. fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
  342. # check for key expiration:
  343. if [ "$expire" ]; then
  344. if (( "$expire" < "$curdate" )); then
  345. echo "! Host key is expired."
  346. # FIXME: recommend a way to resolve this other than re-keying?
  347. elif (( "$expire" < "$warndate" )); then
  348. echo "! Host key expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F)
  349. # FIXME: recommend a way to resolve this?
  350. fi
  351. fi
  352. # and weirdnesses:
  353. if [ "$create" ] && (( "$create" > "$curdate" )); then
  354. echo "! Host key was created in the future(?!). Is your clock correct?"
  355. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  356. fi
  357. # check for UserID expiration:
  358. echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
  359. while IFS=: read create expire uid ; do
  360. # FIXME: should we be doing any checking on the form
  361. # of the User ID? Should we be unmangling it somehow?
  362. if [ "$create" ] && (( "$create" > "$curdate" )); then
  363. echo "! User ID '$uid' was created in the future(?!). Is your clock correct?"
  364. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  365. fi
  366. if [ "$expire" ] ; then
  367. if (( "$expire" < "$curdate" )); then
  368. echo "! User ID '$uid' is expired."
  369. # FIXME: recommend a way to resolve this
  370. elif (( "$expire" < "$warndate" )); then
  371. echo "! User ID '$uid' expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F)
  372. # FIXME: recommend a way to resolve this
  373. fi
  374. fi
  375. done
  376. # FIXME: verify that the host key is properly published to the
  377. # keyservers (do this with the non-privileged user)
  378. # FIXME: check that there are valid, non-expired certifying signatures
  379. # attached to the host key after fetching from the public keyserver
  380. # (do this with the non-privileged user as well)
  381. # FIXME: propose adding a revoker to the host key if none exist (do we
  382. # have a way to do that after key generation?)
  383. # Ensure that the ssh_host_rsa_key file is present and non-empty:
  384. echo "Checking host SSH key..."
  385. if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then
  386. echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty."
  387. else
  388. if [ $(stat -c '%a' "${VARLIB}/ssh_host_rsa_key") != 600 ] ; then
  389. echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600."
  390. fi
  391. # propose changes needed for sshd_config (if any)
  392. if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then
  393. echo "! /etc/ssh/sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
  394. echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
  395. fi
  396. if badhostkeys=$(grep -i '^HostKey' | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then
  397. echo "! /etc/sshd_config refers to some non-monkeysphere host keys:"
  398. echo "$badhostkeys"
  399. echo " - Recommendation: remove the above HostKey lines from /etc/ssh/sshd_config"
  400. fi
  401. fi
  402. fi
  403. # FIXME: look at the ownership/privileges of the various keyrings,
  404. # directories housing them, etc (what should those values be? can
  405. # we make them as minimal as possible?)
  406. # FIXME: look to see that the ownertrust rules are set properly on the
  407. # authentication keyring
  408. # FIXME: make sure that at least one identity certifier exists
  409. echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
  410. # Ensure that User ID authentication is enabled:
  411. if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" /etc/ssh/sshd_config; then
  412. echo "! /etc/ssh/sshd_config does not point to monkeysphere authorized keys."
  413. echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'"
  414. fi
  415. if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then
  416. echo "! /etc/sshd_config refers to non-monkeysphere authorized_keys files:"
  417. echo "$badauthorizedkeys"
  418. echo " - Recommendation: remove the above AuthorizedKeysFile lines from /etc/ssh/sshd_config"
  419. fi
  420. }
  421. # retrieve key from web of trust, import it into the host keyring, and
  422. # ltsign the key in the host keyring so that it may certify other keys
  423. add_certifier() {
  424. local domain
  425. local trust
  426. local depth
  427. local keyID
  428. local fingerprint
  429. local ltsignCommand
  430. local trustval
  431. # set default values for trust depth and domain
  432. domain=
  433. trust=full
  434. depth=1
  435. # get options
  436. TEMP=$(getopt -o n:t:d: -l domain:,trust:,depth: -n "$PGRM" -- "$@")
  437. if [ $? != 0 ] ; then
  438. exit 1
  439. fi
  440. # Note the quotes around `$TEMP': they are essential!
  441. eval set -- "$TEMP"
  442. while true ; do
  443. case "$1" in
  444. -n|--domain)
  445. domain="$2"
  446. shift 2
  447. ;;
  448. -t|--trust)
  449. trust="$2"
  450. shift 2
  451. ;;
  452. -d|--depth)
  453. depth="$2"
  454. shift 2
  455. ;;
  456. --)
  457. shift
  458. ;;
  459. *)
  460. break
  461. ;;
  462. esac
  463. done
  464. keyID="$1"
  465. if [ -z "$keyID" ] ; then
  466. failure "You must specify the key ID of a key to add."
  467. fi
  468. export keyID
  469. # get the key from the key server
  470. gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'"
  471. # get the full fingerprint of a key ID
  472. fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint $keyID" | \
  473. grep '^fpr:' | grep "$keyID" | cut -d: -f10)
  474. echo "key found:"
  475. gpg_authentication "--fingerprint $fingerprint"
  476. echo "Are you sure you want to add this key as a certifier of"
  477. read -p "users on this system? (y/N) " OK; OK=${OK:-N}
  478. if [ "${OK/y/Y}" != 'Y' ] ; then
  479. failure "aborting."
  480. fi
  481. # export the key to the host keyring
  482. gpg_authentication "--export $keyID" | gpg_host --import
  483. if [ "$trust" == marginal ]; then
  484. trustval=1
  485. elif [ "$trust" == full ]; then
  486. trustval=2
  487. else
  488. failure "trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)"
  489. fi
  490. # ltsign command
  491. # NOTE: *all* user IDs will be ltsigned
  492. ltsignCommand=$(cat <<EOF
  493. ltsign
  494. y
  495. $trustval
  496. $depth
  497. $domain
  498. y
  499. save
  500. EOF
  501. )
  502. # ltsign the key
  503. echo "$ltsignCommand" | gpg_host --quiet --command-fd 0 --edit-key "$fingerprint"
  504. # update the trustdb for the authentication keyring
  505. gpg_authentication "--check-trustdb"
  506. }
  507. # delete a certifiers key from the host keyring
  508. remove_certifier() {
  509. local keyID
  510. local fingerprint
  511. keyID="$1"
  512. if [ -z "$keyID" ] ; then
  513. failure "You must specify the key ID of a key to remove."
  514. fi
  515. # delete the requested key (with prompting)
  516. gpg_host --delete-key "$keyID"
  517. # update the trustdb for the authentication keyring
  518. gpg_authentication "--check-trustdb"
  519. }
  520. # list the host certifiers
  521. list_certifiers() {
  522. gpg_host --list-keys
  523. }
  524. # issue command to gpg-authentication keyring
  525. gpg_authentication_cmd() {
  526. gpg_authentication "$@"
  527. }
  528. ########################################################################
  529. # MAIN
  530. ########################################################################
  531. # unset variables that should be defined only in config file
  532. unset KEYSERVER
  533. unset AUTHORIZED_USER_IDS
  534. unset RAW_AUTHORIZED_KEYS
  535. unset MONKEYSPHERE_USER
  536. # load configuration file
  537. [ -e ${MONKEYSPHERE_SERVER_CONFIG:="${ETC}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG"
  538. # set empty config variable with ones from the environment, or with
  539. # defaults
  540. KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="subkeys.pgp.net"}}
  541. AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.config/monkeysphere/authorized_user_ids"}}
  542. RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
  543. MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
  544. # other variables
  545. CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
  546. REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
  547. GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${VARLIB}/gnupg-host"}
  548. GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${VARLIB}/gnupg-authentication"}
  549. # export variables needed in su invocation
  550. export DATE
  551. export MODE
  552. export MONKEYSPHERE_USER
  553. export KEYSERVER
  554. export CHECK_KEYSERVER
  555. export REQUIRED_USER_KEY_CAPABILITY
  556. export GNUPGHOME_HOST
  557. export GNUPGHOME_AUTHENTICATION
  558. export GNUPGHOME
  559. # get subcommand
  560. COMMAND="$1"
  561. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  562. shift
  563. case $COMMAND in
  564. 'update-users'|'update-user'|'u')
  565. update_users "$@"
  566. ;;
  567. 'gen-key'|'g')
  568. gen_key "$@"
  569. ;;
  570. 'show-fingerprint'|'f')
  571. fingerprint_server_key
  572. ;;
  573. 'publish-key'|'p')
  574. publish_server_key
  575. ;;
  576. 'diagnostics'|'d')
  577. diagnostics
  578. ;;
  579. 'add-identity-certifier'|'add-certifier'|'a')
  580. add_certifier "$1"
  581. ;;
  582. 'remove-identity-certifier'|'remove-certifier'|'r')
  583. remove_certifier "$1"
  584. ;;
  585. 'list-identity-certifiers'|'list-certifiers'|'list-certifier'|'l')
  586. list_certifiers "$@"
  587. ;;
  588. 'gpg-authentication-cmd')
  589. gpg_authentication_cmd "$@"
  590. ;;
  591. '--help'|'help'|'-h'|'h'|'?')
  592. usage
  593. ;;
  594. *)
  595. failure "Unknown command: '$COMMAND'
  596. Type '$PGRM help' for usage."
  597. ;;
  598. esac
  599. exit "$RETURN"