summaryrefslogtreecommitdiff
path: root/src/monkeysphere-server
blob: 65a7dda473177138176acd778c62d4ad59cb9360 (plain)
  1. #!/bin/sh
  2. # monkeysphere-server: MonkeySphere server admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. #
  7. # They are Copyright 2008, and are all released under the GPL, version 3
  8. # or later.
  9. ########################################################################
  10. PGRM=$(basename $0)
  11. SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
  12. export SHAREDIR
  13. . "${SHAREDIR}/common"
  14. # date in UTF format if needed
  15. DATE=$(date -u '+%FT%T')
  16. # unset some environment variables that could screw things up
  17. GREP_OPTIONS=
  18. ########################################################################
  19. # FUNCTIONS
  20. ########################################################################
  21. usage() {
  22. cat <<EOF
  23. usage: $PGRM <subcommand> [args]
  24. Monkeysphere server admin tool.
  25. subcommands:
  26. update-users (s) [USER]... update users authorized_keys files
  27. gen-key (g) generate gpg key for the server
  28. publish-key (p) publish server key to keyserver
  29. trust-keys (t) KEYID... mark keyids as trusted
  30. update-user-userids (u) USER UID... add/update userids for a user
  31. help (h,?) this help
  32. EOF
  33. }
  34. # generate server gpg key
  35. gen_key() {
  36. # set key defaults
  37. KEY_TYPE=${KEY_TYPE:-"RSA"}
  38. KEY_LENGTH=${KEY_LENGTH:-"2048"}
  39. KEY_USAGE=${KEY_USAGE:-"encrypt,auth"}
  40. SERVICE=${SERVICE:-"ssh"}
  41. HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)}
  42. USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"}
  43. # set key parameters
  44. keyParameters=$(cat <<EOF
  45. Key-Type: $KEY_TYPE
  46. Key-Length: $KEY_LENGTH
  47. Key-Usage: $KEY_USAGE
  48. Name-Real: $USERID
  49. EOF
  50. )
  51. # add the revoker field if requested
  52. if [ "$REVOKER" ] ; then
  53. keyParameters="${keyParameters}"$(cat <<EOF
  54. Revoker: 1:$REVOKER sensitive
  55. EOF
  56. )
  57. fi
  58. echo "The following key parameters will be used:"
  59. echo "$keyParameters"
  60. read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
  61. if [ ${OK/y/Y} != 'Y' ] ; then
  62. failure "aborting."
  63. fi
  64. if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
  65. failure "key for '$USERID' already exists"
  66. fi
  67. # add commit command
  68. keyParameters="${keyParameters}"$(cat <<EOF
  69. %commit
  70. %echo done
  71. EOF
  72. )
  73. log "generating server key..."
  74. echo "$keyParameters" | gpg --batch --gen-key
  75. }
  76. # publish server key to keyserver
  77. publish_key() {
  78. read -p "publish key to $KEYSERVER? [Y|n]: " OK; OK=${OK:=Y}
  79. if [ ${OK/y/Y} != 'Y' ] ; then
  80. failure "aborting."
  81. fi
  82. keyID=$(gpg --list-key --with-colons ="$USERID" 2> /dev/null | grep '^pub:' | cut -d: -f5)
  83. # dummy command so as not to publish fakes keys during testing
  84. # eventually:
  85. #gpg --send-keys --keyserver "$KEYSERVER" "$keyID"
  86. echo "NOT PUBLISHED: gpg --send-keys --keyserver $KEYSERVER $keyID"
  87. }
  88. ########################################################################
  89. # MAIN
  90. ########################################################################
  91. COMMAND="$1"
  92. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  93. shift
  94. # set ms home directory
  95. MS_HOME=${MS_HOME:-"$ETC"}
  96. # load configuration file
  97. MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
  98. [ -e "$MS_CONF" ] && . "$MS_CONF"
  99. # set empty config variable with defaults
  100. GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg}
  101. KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
  102. REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"}
  103. USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys}
  104. export GNUPGHOME
  105. # make sure gpg home exists with proper permissions
  106. mkdir -p -m 0700 "$GNUPGHOME"
  107. case $COMMAND in
  108. 'update-users'|'s')
  109. if [ "$1" ] ; then
  110. unames="$@"
  111. else
  112. unames=$(ls -1 "$MS_HOME"/authorized_user_ids)
  113. fi
  114. for uname in $unames ; do
  115. MODE="authorized_keys"
  116. log "----- user: $uname -----"
  117. AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
  118. msAuthorizedKeys="$CACHE"/"$uname"/authorized_keys
  119. cacheDir="$CACHE"/"$uname"/user_keys
  120. # make sure authorized_user_ids file exists
  121. if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
  122. log "authorized_user_ids file for '$uname' is empty or does not exist."
  123. continue
  124. fi
  125. # set user-controlled authorized_keys file path
  126. if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then
  127. userHome=$(getent passwd "$uname" | cut -d: -f6)
  128. userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
  129. fi
  130. # update authorized_keys
  131. update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$cacheDir"
  132. done
  133. log "----- done. -----"
  134. ;;
  135. 'gen-key'|'g')
  136. gen_key
  137. ;;
  138. 'publish-key'|'p')
  139. publish_key
  140. ;;
  141. 'trust-keys'|'t')
  142. if [ -z "$1" ] ; then
  143. failure "you must specify at least one key to trust."
  144. fi
  145. for keyID ; do
  146. trust_key "$keyID"
  147. done
  148. ;;
  149. 'update-user-userids'|'u')
  150. uname="$1"
  151. shift
  152. if [ -z "$uname" ] ; then
  153. failure "you must specify user."
  154. fi
  155. if [ -z "$1" ] ; then
  156. failure "you must specify at least one userid."
  157. fi
  158. AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
  159. cacheDir="$CACHE"/"$uname"/user_keys
  160. for userID ; do
  161. update_userid "$userID" "$cacheDir"
  162. done
  163. ;;
  164. 'help'|'h'|'?')
  165. usage
  166. ;;
  167. *)
  168. failure "Unknown command: '$COMMAND'
  169. Type 'cereal-admin help' for usage."
  170. ;;
  171. esac