  1. #!/bin/sh
  2. ########################################################################
  3. PGRM=$(basename $0)
  4. SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
  5. export SHAREDIR
  6. . "${SHAREDIR}/common"
  7. # date in UTF format if needed
  8. DATE=$(date -u '+%FT%T')
  9. # unset some environment variables that could screw things up
  10. GREP_OPTIONS=
  11. ########################################################################
  12. # FUNCTIONS
  13. ########################################################################
# print the subcommand summary to stdout
# Globals read: PGRM (program name, set at the top of the script)
usage() {
  printf 'usage: %s <subcommand> [args]\n' "$PGRM"
  # quoted delimiter: nothing below needs expansion
  cat <<'EOF'
Monkeysphere server admin tool.
subcommands:
update-users (s) [USER]... update authorized_keys file
gen-key (g) generate gpg key for the host
publish-key (p) publish host gpg to keyserver
trust-key (t) KEYID [KEYID]... mark keyid as trusted
update-user-userid (u) USER UID [UID]... add/update userid for user
help (h,?) this help
EOF
}
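# generate server gpg key
#
# Takes the key parameters from the environment (KEY_TYPE, KEY_LENGTH,
# KEY_USAGE, SERVICE, HOSTNAME_FQDN, USERID), each with a default, shows
# them, asks for confirmation and then runs gpg in batch mode.
# Globals written: the parameter variables above are set when unset.
# Exits via failure() when the user declines or a key for USERID exists.
gen_key() {
  KEY_TYPE=${KEY_TYPE:-RSA}
  KEY_LENGTH=${KEY_LENGTH:-2048}
  KEY_USAGE=${KEY_USAGE:-encrypt,auth}
  SERVICE=${SERVICE:-ssh}
  HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)}
  USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"}

  echo "key parameters:"
  cat <<EOF
Key-Type: $KEY_TYPE
Key-Length: $KEY_LENGTH
Key-Usage: $KEY_USAGE
Name-Real: $USERID
EOF

  # 'read -p' and ${var/x/y} are bash-only and this script runs under
  # /bin/sh (dash rejects both), so prompt with printf and match the
  # answer with case. Accepted: empty (default), 'y' or 'Y', as before.
  printf 'generate key? [Y|n]: ' >&2
  read -r OK
  case "$OK" in
    ''|y|Y) ;;
    *) failure "aborting." ;;
  esac

  # leading '=' asks gpg for an exact user-id match
  if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
    failure "key for '$USERID' already exists"
  fi

  echo "generating server key..."
  gpg --batch --gen-key <<EOF
Key-Type: $KEY_TYPE
Key-Length: $KEY_LENGTH
Key-Usage: $KEY_USAGE
Name-Real: $USERID
%commit
EOF
}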
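# publish server key to keyserver
#
# Looks up the host key by exact user id and prints the gpg command that
# would send it to KEYSERVER; the real send is still commented out below.
# Globals read: KEYSERVER, SERVICE, HOSTNAME_FQDN, USERID.
# Exits via failure() when the user declines or no key is found.
publish_key() {
  # USERID is otherwise only set inside gen_key(); derive it the same
  # way so this subcommand also works in its own invocation.
  SERVICE=${SERVICE:-ssh}
  HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)}
  USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"}

  # prompt via printf/case rather than the bash-only 'read -p' and
  # ${var/x/y}; accepted answers are empty, 'y' or 'Y', as before
  printf 'publish key to %s? [Y|n]: ' "$KEYSERVER" >&2
  read -r OK
  case "$OK" in
    ''|y|Y) ;;
    *) failure "aborting." ;;
  esac

  # field 5 of the colon-separated 'pub' record is the key id
  keyID=$(gpg --list-key --with-colons ="$USERID" 2> /dev/null | grep '^pub:' | cut -d: -f5)
  [ "$keyID" ] || failure "no key found for '$USERID'"

  # dummy command so as not to publish fake keys during testing
  # eventually:
  #gpg --send-keys --keyserver "$KEYSERVER" "$keyID"
  echo "gpg --send-keys --keyserver $KEYSERVER $keyID"
}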
# trust key
#
# For each key id given as an argument: fetch it from KEYSERVER, then
# open gpg's interactive key editor so the admin can set trust by hand.
# Globals read: KEYSERVER. Exits via failure() if a key cannot be fetched.
trust_key() {
  for keyID in "$@" ; do
    # get the key from the key server
    if ! gpg --keyserver "$KEYSERVER" --recv-key "$keyID" ; then
      failure "could not retrieve key '$keyID'"
    fi
    # edit the key to change trust
    # FIXME: need to figure out how to automate this,
    # in a batch mode or something.
    gpg --edit-key "$keyID"
  done
}
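########################################################################
# MAIN
########################################################################

COMMAND="$1"
[ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
shift

# set ms home directory
MS_HOME=${MS_HOME:-"$ETC"}

# load configuration file
MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
[ -e "$MS_CONF" ] && . "$MS_CONF"

# set empty config variables with defaults
GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg}
KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"}
USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys}
STAGING_AREA=${STAGING_AREA:-"$LIB"/stage}
export GNUPGHOME

# make sure gpg home exists with proper permissions
# (-m applies to the last path component only)
mkdir -p -m 0700 "$GNUPGHOME"

case "$COMMAND" in
  'update-users'|'s')
    # with no user names given, process every user that has an
    # authorized_user_ids file; the glob, like the old 'ls', skips
    # dotfiles, but keeps names with spaces intact
    if [ -z "$1" ] ; then
      set --
      for idFile in "$MS_HOME"/authorized_user_ids/* ; do
        [ -e "$idFile" ] && set -- "$@" "${idFile##*/}"
      done
    fi

    # MODE is not read in this file; presumably the functions sourced
    # from common use it. It is loop-invariant, so set it once.
    MODE="authorized_keys"

    for uname in "$@" ; do
      authorizedUserIDs="$MS_HOME"/authorized_user_ids/"$uname"
      cacheDir="$STAGING_AREA"/"$uname"/user_keys
      msAuthorizedKeys="$STAGING_AREA"/"$uname"/authorized_keys

      # make sure authorized_user_ids file exists
      if [ ! -s "$authorizedUserIDs" ] ; then
        log "authorized_user_ids file for '$uname' is empty or does not exist."
        continue
      fi

      log "processing authorized_keys for user '$uname'..."
      process_authorized_ids "$authorizedUserIDs" "$cacheDir"

      # write output key file
      log "writing monkeysphere authorized_keys file... "
      touch "$msAuthorizedKeys"
      if [ "$(ls "$cacheDir")" ] ; then
        log -n "adding gpg keys... "
        cat "$cacheDir"/* > "$msAuthorizedKeys"
        echo "done."
      else
        log "no gpg keys to add."
      fi

      # append the user's own authorized_keys file, with the first '%h'
      # replaced by the user's home directory (POSIX expansions instead
      # of the bash-only ${var/%h/...}).
      # NOTE(review): that file is copied as-is; nothing here checks its
      # ownership or mode the way sshd's StrictModes does for the file it
      # reads itself.
      if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" ] ; then
        userHome=$(getent passwd "$uname" | cut -d: -f6)
        case "$USER_CONTROLLED_AUTHORIZED_KEYS" in
          *%h*)
            userAuthorizedKeys="${USER_CONTROLLED_AUTHORIZED_KEYS%%\%h*}${userHome}${USER_CONTROLLED_AUTHORIZED_KEYS#*\%h}"
            ;;
          *)
            userAuthorizedKeys="$USER_CONTROLLED_AUTHORIZED_KEYS"
            ;;
        esac
        if [ -s "$userAuthorizedKeys" ] ; then
          log -n "adding user authorized_keys file... "
          cat "$userAuthorizedKeys" >> "$msAuthorizedKeys"
          echo "done."
        fi
      fi

      log "monkeysphere authorized_keys file generated:"
      log "$msAuthorizedKeys"
    done
    ;;
  'gen-key'|'g')
    gen_key
    ;;
  'publish-key'|'p')
    publish_key
    ;;
  'trust-key'|'t')
    if [ -z "$1" ] ; then
      failure "you must specify at least one key to trust."
    fi
    trust_key "$@"
    ;;
  'update-user-userid'|'u')
    # check before shifting: under dash, 'shift' with no positional
    # parameters is a fatal error, so the message below would never show
    uname="$1"
    [ "$uname" ] || failure "you must specify user."
    shift
    if [ -z "$1" ] ; then
      failure "you must specify at least one userid."
    fi

    # both paths are per user, not per user id, so set them once
    AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
    # NOTE(review): userKeysCacheDir was never assigned before, so
    # process_user_id received an empty cache dir; this mirrors cacheDir
    # in update-users — confirm against process_user_id in common.
    userKeysCacheDir="$STAGING_AREA"/"$uname"/user_keys

    for userID in "$@" ; do
      # fixed-string, whole-line match: user ids contain regex
      # metacharacters ('.', '+', ...) that must not be interpreted
      if ! grep -qxF -- "$userID" "$AUTHORIZED_USER_IDS" ; then
        log "userid '$userID' not in authorized_user_ids file."
        continue
      fi
      log "processing user id: '$userID'"
      process_user_id "$userID" "$userKeysCacheDir" > /dev/null
    done
    ;;
  'help'|'h'|'?')
    usage
    ;;
  *)
    # use this program's name, not a copy-pasted one, in the hint
    failure "Unknown command: '$COMMAND'
Type '$PGRM help' for usage."
    ;;
esac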