summaryrefslogtreecommitdiff
path: root/src/monkeysphere-server
blob: c81c066f167e5a2b7e10db131aede4a7a6798737 (plain)
  1. #!/bin/bash
  2. # monkeysphere-server: MonkeySphere server admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  7. #
  8. # They are Copyright 2008, and are all released under the GPL, version 3
  9. # or later.
  10. ########################################################################
  11. PGRM=$(basename $0)
  12. SHARE=${MONKEYSPHERE_SHARE:="/usr/share/monkeysphere"}
  13. export SHARE
  14. . "${SHARE}/common" || exit 1
  15. VARLIB="/var/lib/monkeysphere"
  16. export VARLIB
  17. # date in UTF format if needed
  18. DATE=$(date -u '+%FT%T')
  19. # unset some environment variables that could screw things up
  20. unset GREP_OPTIONS
  21. # default return code
  22. RETURN=0
  23. ########################################################################
  24. # FUNCTIONS
  25. ########################################################################
  26. usage() {
  27. cat <<EOF >&2
  28. usage: $PGRM <subcommand> [options] [args]
  29. MonkeySphere server admin tool.
  30. subcommands:
  31. update-users (u) [USER]... update user authorized_keys files
  32. gen-key (g) [NAME[:PORT]] generate gpg key for the server
  33. --length (-l) BITS key length in bits (2048)
  34. --expire (-e) EXPIRE date to expire
  35. --revoker (-r) FINGERPRINT add a revoker
  36. extend-key (e) EXPIRE extend expiration to EXPIRE
  37. add-hostname (n+) NAME[:PORT] add hostname user ID to server key
  38. revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
  39. show-key (s) output all server host key information
  40. publish-key (p) publish server host key to keyserver
  41. diagnostics (d) report on server monkeysphere status
  42. add-id-certifier (c+) KEYID import and tsign a certification key
  43. --domain (-n) DOMAIN limit ID certifications to DOMAIN
  44. --trust (-t) TRUST trust level of certifier (full)
  45. --depth (-d) DEPTH trust depth for certifier (1)
  46. remove-id-certifier (c-) KEYID remove a certification key
  47. list-id-certifiers (c) list certification keys
  48. gpg-authentication-cmd CMD gnupg-authentication command
  49. help (h,?) this help
  50. EOF
  51. }
  52. su_monkeysphere_user() {
  53. su --preserve-environment "$MONKEYSPHERE_USER" -- -c "$@"
  54. }
  55. # function to interact with the host gnupg keyring
  56. gpg_host() {
  57. local returnCode
  58. GNUPGHOME="$GNUPGHOME_HOST"
  59. export GNUPGHOME
  60. # NOTE: we supress this warning because we need the monkeysphere
  61. # user to be able to read the host pubring. we realize this might
  62. # be problematic, but it's the simplest solution, without too much
  63. # loss of security.
  64. gpg --no-permission-warning "$@"
  65. returnCode="$?"
  66. # always reset the permissions on the host pubring so that the
  67. # monkeysphere user can read the trust signatures
  68. chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_HOST}/pubring.gpg"
  69. chmod g+r "${GNUPGHOME_HOST}/pubring.gpg"
  70. return "$returnCode"
  71. }
  72. # function to interact with the authentication gnupg keyring
  73. # FIXME: this function requires basically accepts only a single
  74. # argument because of problems with quote expansion. this needs to be
  75. # fixed/improved.
  76. gpg_authentication() {
  77. GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
  78. export GNUPGHOME
  79. su_monkeysphere_user "gpg $@"
  80. }
  81. # output just key fingerprint
  82. fingerprint_server_key() {
  83. gpg_host --list-secret-keys --fingerprint \
  84. --with-colons --fixed-list-mode 2> /dev/null | \
  85. grep '^fpr:' | head -1 | cut -d: -f10
  86. }
  87. # output key information
  88. show_server_key() {
  89. local fingerprint
  90. local tmpkey
  91. fingerprint=$(fingerprint_server_key)
  92. gpg_authentication "--fingerprint --list-key --list-options show-unusable-uids $fingerprint"
  93. # dumping to a file named ' ' so that the ssh-keygen output
  94. # doesn't claim any potentially bogus hostname(s):
  95. tmpkey=$(mktemp -d)
  96. gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ "
  97. echo -n "ssh fingerprint: "
  98. (cd "$tmpkey" && ssh-keygen -l -f ' ' | awk '{ print $2 }')
  99. rm -rf "$tmpkey"
  100. echo -n "OpenPGP fingerprint: "
  101. echo "$fingerprint"
  102. }
  103. # update authorized_keys for users
  104. update_users() {
  105. if [ "$1" ] ; then
  106. # get users from command line
  107. unames="$@"
  108. else
  109. # or just look at all users if none specified
  110. unames=$(getent passwd | cut -d: -f1)
  111. fi
  112. # set mode
  113. MODE="authorized_keys"
  114. # set gnupg home
  115. GNUPGHOME="$GNUPGHOME_AUTHENTICATION"
  116. # check to see if the gpg trust database has been initialized
  117. if [ ! -s "${GNUPGHOME}/trustdb.gpg" ] ; then
  118. failure "GNUPG trust database uninitialized. Please see MONKEYSPHERE-SERVER(8)."
  119. fi
  120. # make sure the authorized_keys directory exists
  121. mkdir -p "${VARLIB}/authorized_keys"
  122. # loop over users
  123. for uname in $unames ; do
  124. # check all specified users exist
  125. if ! getent passwd "$uname" >/dev/null ; then
  126. log info "----- unknown user '$uname' -----"
  127. continue
  128. fi
  129. # set authorized_user_ids and raw authorized_keys variables,
  130. # translating ssh-style path variables
  131. authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
  132. rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
  133. # if neither is found, skip user
  134. if [ ! -s "$authorizedUserIDs" ] ; then
  135. if [ "$rawAuthorizedKeys" = '-' -o ! -s "$rawAuthorizedKeys" ] ; then
  136. continue
  137. fi
  138. fi
  139. log info "----- user: $uname -----"
  140. # exit if the authorized_user_ids file is empty
  141. if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then
  142. log error "Improper permissions on authorized_user_ids file path."
  143. continue
  144. fi
  145. # check permissions on the authorized_keys file path
  146. if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then
  147. log error "Improper permissions on authorized_keys file path path."
  148. continue
  149. fi
  150. # make temporary directory
  151. TMPDIR=$(mktemp -d)
  152. # trap to delete temporary directory on exit
  153. trap "rm -rf $TMPDIR" EXIT
  154. # create temporary authorized_user_ids file
  155. TMP_AUTHORIZED_USER_IDS="${TMPDIR}/authorized_user_ids"
  156. touch "$TMP_AUTHORIZED_USER_IDS"
  157. # create temporary authorized_keys file
  158. AUTHORIZED_KEYS="${TMPDIR}/authorized_keys"
  159. touch "$AUTHORIZED_KEYS"
  160. # set restrictive permissions on the temporary files
  161. # FIXME: is there a better way to do this?
  162. chmod 0700 "$TMPDIR"
  163. chmod 0600 "$AUTHORIZED_KEYS"
  164. chmod 0600 "$TMP_AUTHORIZED_USER_IDS"
  165. chown -R "$MONKEYSPHERE_USER" "$TMPDIR"
  166. # if the authorized_user_ids file exists...
  167. if [ -s "$authorizedUserIDs" ] ; then
  168. # copy user authorized_user_ids file to temporary
  169. # location
  170. cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS"
  171. # export needed variables
  172. export AUTHORIZED_KEYS
  173. export TMP_AUTHORIZED_USER_IDS
  174. # process authorized_user_ids file, as monkeysphere
  175. # user
  176. su_monkeysphere_user \
  177. ". ${SHARE}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
  178. RETURN="$?"
  179. fi
  180. # add user-controlled authorized_keys file path if specified
  181. if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then
  182. log info "adding raw authorized_keys file... "
  183. cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
  184. fi
  185. # openssh appears to check the contents of the
  186. # authorized_keys file as the user in question, so the
  187. # file must be readable by that user at least.
  188. # FIXME: is there a better way to do this?
  189. chown root "$AUTHORIZED_KEYS"
  190. chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
  191. chmod g+r "$AUTHORIZED_KEYS"
  192. # move the resulting authorized_keys file into place
  193. mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
  194. # destroy temporary directory
  195. rm -rf "$TMPDIR"
  196. done
  197. }
  198. # generate server gpg key
  199. gen_key() {
  200. local keyType
  201. local keyLength
  202. local keyUsage
  203. local keyExpire
  204. local revoker
  205. local hostName
  206. local userID
  207. local keyParameters
  208. local fingerprint
  209. # set default key parameter values
  210. keyType="RSA"
  211. keyLength="2048"
  212. keyUsage="auth"
  213. keyExpire=
  214. revoker=
  215. # get options
  216. TEMP=$(getopt -o e:l:r -l expire:,length:,revoker: -n "$PGRM" -- "$@")
  217. if [ $? != 0 ] ; then
  218. exit 1
  219. fi
  220. # Note the quotes around `$TEMP': they are essential!
  221. eval set -- "$TEMP"
  222. while true ; do
  223. case "$1" in
  224. -l|--length)
  225. keyLength="$2"
  226. shift 2
  227. ;;
  228. -e|--expire)
  229. keyExpire="$2"
  230. shift 2
  231. ;;
  232. -r|--revoker)
  233. revoker="$2"
  234. shift 2
  235. ;;
  236. --)
  237. shift
  238. ;;
  239. *)
  240. break
  241. ;;
  242. esac
  243. done
  244. hostName=${1:-$(hostname --fqdn)}
  245. userID="ssh://${hostName}"
  246. # check for presense of key with user ID
  247. if gpg_host --list-key ="$userID" > /dev/null 2>&1 ; then
  248. failure "Key for '$userID' already exists"
  249. fi
  250. # prompt about key expiration if not specified
  251. keyExpire=$(get_gpg_expiration "$keyExpire")
  252. # set key parameters
  253. keyParameters=$(cat <<EOF
  254. Key-Type: $keyType
  255. Key-Length: $keyLength
  256. Key-Usage: $keyUsage
  257. Name-Real: $userID
  258. Expire-Date: $keyExpire
  259. EOF
  260. )
  261. # add the revoker field if specified
  262. # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key.
  263. # FIXME: key is marked "sensitive"? is this appropriate?
  264. if [ "$revoker" ] ; then
  265. keyParameters="${keyParameters}"$(cat <<EOF
  266. Revoker: 1:$revoker sensitive
  267. EOF
  268. )
  269. fi
  270. echo "The following key parameters will be used for the host private key:"
  271. echo "$keyParameters"
  272. read -p "Generate key? (Y/n) " OK; OK=${OK:=Y}
  273. if [ ${OK/y/Y} != 'Y' ] ; then
  274. failure "aborting."
  275. fi
  276. # add commit command
  277. keyParameters="${keyParameters}"$(cat <<EOF
  278. %commit
  279. %echo done
  280. EOF
  281. )
  282. log info "generating server key..."
  283. echo "$keyParameters" | gpg_host --batch --gen-key
  284. # output the server fingerprint
  285. fingerprint_server_key "=${userID}"
  286. # find the key fingerprint of the newly generated key
  287. fingerprint=$(fingerprint_server_key)
  288. # export host ownertrust to authentication keyring
  289. log info "setting ultimate owner trust for server key..."
  290. echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"
  291. # translate the private key to ssh format, and export to a file
  292. # for sshs usage.
  293. # NOTE: assumes that the primary key is the proper key to use
  294. (umask 077 && \
  295. gpg_host --export-secret-key "$fingerprint" | \
  296. openpgp2ssh "$fingerprint" > "${VARLIB}/ssh_host_rsa_key")
  297. log info "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key"
  298. }
  299. # extend the lifetime of a host key:
  300. extend_key() {
  301. local fpr=$(fingerprint_server_key)
  302. local extendTo="$1"
  303. if [ -z "$fpr" ] ; then
  304. failure "You don't appear to have a MonkeySphere host key on this server. Try 'monkeysphere-server gen-key' first."
  305. fi
  306. # get the new expiration date
  307. extendTo=$(get_gpg_expiration "$extendTo")
  308. gpg_host --quiet --command-fd 0 --edit-key "$fpr" <<EOF
  309. expire
  310. $extendTo
  311. save
  312. EOF
  313. echo
  314. echo "NOTE: Host key expiration date adjusted, but not yet published."
  315. echo "Run '$PGRM publish-key' to publish the new expiration date."
  316. }
  317. # add hostname user ID to server key
  318. add_hostname() {
  319. local userID
  320. local fingerprint
  321. local tmpuidMatch
  322. local line
  323. local adduidCommand
  324. if [ -z "$1" ] ; then
  325. failure "You must specify a hostname to add."
  326. fi
  327. userID="ssh://${1}"
  328. fingerprint=$(fingerprint_server_key)
  329. # match to only ultimately trusted user IDs
  330. tmpuidMatch="u:$(echo $userID | gpg_escape)"
  331. # find the index of the requsted user ID
  332. # NOTE: this is based on circumstantial evidence that the order of
  333. # this output is the appropriate index
  334. if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \
  335. | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then
  336. failure "Host userID '$userID' already exists."
  337. fi
  338. echo "The following user ID will be added to the host key:"
  339. echo " $userID"
  340. read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N}
  341. if [ ${OK/y/Y} != 'Y' ] ; then
  342. failure "User ID not added."
  343. fi
  344. # edit-key script command to add user ID
  345. adduidCommand=$(cat <<EOF
  346. adduid
  347. $userID
  348. save
  349. EOF
  350. )
  351. # execute edit-key script
  352. if echo "$adduidCommand" | \
  353. gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
  354. # update the trustdb for the authentication keyring
  355. gpg_authentication "--check-trustdb"
  356. show_server_key
  357. echo
  358. echo "NOTE: User ID added to key, but key not published."
  359. echo "Run '$PGRM publish-key' to publish the new user ID."
  360. else
  361. failure "Problem adding user ID."
  362. fi
  363. }
  364. # revoke hostname user ID to server key
  365. revoke_hostname() {
  366. local userID
  367. local fingerprint
  368. local tmpuidMatch
  369. local line
  370. local uidIndex
  371. local message
  372. local revuidCommand
  373. if [ -z "$1" ] ; then
  374. failure "You must specify a hostname to revoke."
  375. fi
  376. echo "WARNING: There is a known bug in this function."
  377. echo "This function has been known to occasionally revoke the wrong user ID."
  378. echo "Please see the following bug report for more information:"
  379. echo "http://web.monkeysphere.info/bugs/revoke-hostname-revoking-wrong-userid/"
  380. read -p "Are you sure you would like to proceed? (y/N) " OK; OK=${OK:=N}
  381. if [ ${OK/y/Y} != 'Y' ] ; then
  382. failure "aborting."
  383. fi
  384. userID="ssh://${1}"
  385. fingerprint=$(fingerprint_server_key)
  386. # match to only ultimately trusted user IDs
  387. tmpuidMatch="u:$(echo $userID | gpg_escape)"
  388. # find the index of the requsted user ID
  389. # NOTE: this is based on circumstantial evidence that the order of
  390. # this output is the appropriate index
  391. if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \
  392. | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then
  393. uidIndex=${line%%:*}
  394. else
  395. failure "No non-revoked user ID '$userID' is found."
  396. fi
  397. echo "The following host key user ID will be revoked:"
  398. echo " $userID"
  399. read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N}
  400. if [ ${OK/y/Y} != 'Y' ] ; then
  401. failure "User ID not revoked."
  402. fi
  403. message="Hostname removed by monkeysphere-server $DATE"
  404. # edit-key script command to revoke user ID
  405. revuidCommand=$(cat <<EOF
  406. $uidIndex
  407. revuid
  408. y
  409. 4
  410. $message
  411. y
  412. save
  413. EOF
  414. )
  415. # execute edit-key script
  416. if echo "$revuidCommand" | \
  417. gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
  418. # update the trustdb for the authentication keyring
  419. gpg_authentication "--check-trustdb"
  420. show_server_key
  421. echo
  422. echo "NOTE: User ID revoked, but revocation not published."
  423. echo "Run '$PGRM publish-key' to publish the revocation."
  424. else
  425. failure "Problem revoking user ID."
  426. fi
  427. }
  428. # publish server key to keyserver
  429. publish_server_key() {
  430. read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
  431. if [ ${OK/y/Y} != 'Y' ] ; then
  432. failure "key not published."
  433. fi
  434. # find the key fingerprint
  435. fingerprint=$(fingerprint_server_key)
  436. # publish host key
  437. gpg_authentication "--keyserver $KEYSERVER --send-keys '0x${fingerprint}!'"
  438. }
  439. diagnostics() {
  440. # * check on the status and validity of the key and public certificates
  441. local seckey
  442. local keysfound
  443. local curdate
  444. local warnwindow
  445. local warndate
  446. local create
  447. local expire
  448. local uid
  449. local fingerprint
  450. local badhostkeys
  451. local sshd_config
  452. # FIXME: what's the correct, cross-platform answer?
  453. sshd_config=/etc/ssh/sshd_config
  454. seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
  455. keysfound=$(echo "$seckey" | grep -c ^sec:)
  456. curdate=$(date +%s)
  457. # warn when anything is 2 months away from expiration
  458. warnwindow='2 months'
  459. warndate=$(date +%s -d "$warnwindow")
  460. echo "Checking host GPG key..."
  461. if (( "$keysfound" < 1 )); then
  462. echo "! No host key found."
  463. echo " - Recommendation: run 'monkeysphere-server gen-key'"
  464. elif (( "$keysfound" > 1 )); then
  465. echo "! More than one host key found?"
  466. # FIXME: recommend a way to resolve this
  467. else
  468. create=$(echo "$seckey" | grep ^sec: | cut -f6 -d:)
  469. expire=$(echo "$seckey" | grep ^sec: | cut -f7 -d:)
  470. fingerprint=$(echo "$seckey" | grep ^fpr: | head -n1 | cut -f10 -d:)
  471. # check for key expiration:
  472. if [ "$expire" ]; then
  473. if (( "$expire" < "$curdate" )); then
  474. echo "! Host key is expired."
  475. echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
  476. elif (( "$expire" < "$warndate" )); then
  477. echo "! Host key expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F)
  478. echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
  479. fi
  480. fi
  481. # and weirdnesses:
  482. if [ "$create" ] && (( "$create" > "$curdate" )); then
  483. echo "! Host key was created in the future(?!). Is your clock correct?"
  484. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  485. fi
  486. # check for UserID expiration:
  487. echo "$seckey" | grep ^uid: | cut -d: -f6,7,10 | \
  488. while IFS=: read create expire uid ; do
  489. # FIXME: should we be doing any checking on the form
  490. # of the User ID? Should we be unmangling it somehow?
  491. if [ "$create" ] && (( "$create" > "$curdate" )); then
  492. echo "! User ID '$uid' was created in the future(?!). Is your clock correct?"
  493. echo " - Recommendation: Check clock ($(date +%F_%T)); use NTP?"
  494. fi
  495. if [ "$expire" ] ; then
  496. if (( "$expire" < "$curdate" )); then
  497. echo "! User ID '$uid' is expired."
  498. # FIXME: recommend a way to resolve this
  499. elif (( "$expire" < "$warndate" )); then
  500. echo "! User ID '$uid' expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F)
  501. # FIXME: recommend a way to resolve this
  502. fi
  503. fi
  504. done
  505. # FIXME: verify that the host key is properly published to the
  506. # keyservers (do this with the non-privileged user)
  507. # FIXME: check that there are valid, non-expired certifying signatures
  508. # attached to the host key after fetching from the public keyserver
  509. # (do this with the non-privileged user as well)
  510. # FIXME: propose adding a revoker to the host key if none exist (do we
  511. # have a way to do that after key generation?)
  512. # Ensure that the ssh_host_rsa_key file is present and non-empty:
  513. echo
  514. echo "Checking host SSH key..."
  515. if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then
  516. echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty."
  517. else
  518. if [ $(stat -c '%a' "${VARLIB}/ssh_host_rsa_key") != 600 ] ; then
  519. echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600."
  520. fi
  521. # propose changes needed for sshd_config (if any)
  522. if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then
  523. echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
  524. echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
  525. fi
  526. if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then
  527. echo "! $sshd_config refers to some non-monkeysphere host keys:"
  528. echo "$badhostkeys"
  529. echo " - Recommendation: remove the above HostKey lines from $sshd_config"
  530. fi
  531. fi
  532. fi
  533. # FIXME: look at the ownership/privileges of the various keyrings,
  534. # directories housing them, etc (what should those values be? can
  535. # we make them as minimal as possible?)
  536. # FIXME: look to see that the ownertrust rules are set properly on the
  537. # authentication keyring
  538. # FIXME: make sure that at least one identity certifier exists
  539. echo
  540. echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
  541. # Ensure that User ID authentication is enabled:
  542. if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" "$sshd_config"; then
  543. echo "! $sshd_config does not point to monkeysphere authorized keys."
  544. echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'"
  545. fi
  546. if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then
  547. echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
  548. echo "$badauthorizedkeys"
  549. echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
  550. fi
  551. }
  552. # retrieve key from web of trust, import it into the host keyring, and
  553. # ltsign the key in the host keyring so that it may certify other keys
  554. add_certifier() {
  555. local domain
  556. local trust
  557. local depth
  558. local keyID
  559. local fingerprint
  560. local ltsignCommand
  561. local trustval
  562. # set default values for trust depth and domain
  563. domain=
  564. trust=full
  565. depth=1
  566. # get options
  567. TEMP=$(getopt -o n:t:d: -l domain:,trust:,depth: -n "$PGRM" -- "$@")
  568. if [ $? != 0 ] ; then
  569. exit 1
  570. fi
  571. # Note the quotes around `$TEMP': they are essential!
  572. eval set -- "$TEMP"
  573. while true ; do
  574. case "$1" in
  575. -n|--domain)
  576. domain="$2"
  577. shift 2
  578. ;;
  579. -t|--trust)
  580. trust="$2"
  581. shift 2
  582. ;;
  583. -d|--depth)
  584. depth="$2"
  585. shift 2
  586. ;;
  587. --)
  588. shift
  589. ;;
  590. *)
  591. break
  592. ;;
  593. esac
  594. done
  595. keyID="$1"
  596. if [ -z "$keyID" ] ; then
  597. failure "You must specify the key ID of a key to add."
  598. fi
  599. export keyID
  600. # get the key from the key server
  601. gpg_authentication "--keyserver $KEYSERVER --recv-key '0x${keyID}!'"
  602. # get the full fingerprint of a key ID
  603. fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint 0x${keyID}!" | \
  604. grep '^fpr:' | grep "$keyID" | cut -d: -f10)
  605. if [ -z "$fingerprint" ] ; then
  606. failure "Key '$keyID' not found."
  607. fi
  608. echo
  609. echo "key found:"
  610. gpg_authentication "--fingerprint 0x${fingerprint}!"
  611. echo "Are you sure you want to add the above key as a"
  612. read -p "certifier of users on this system? (y/N) " OK; OK=${OK:-N}
  613. if [ "${OK/y/Y}" != 'Y' ] ; then
  614. failure "Identity certifier not added."
  615. fi
  616. # export the key to the host keyring
  617. gpg_authentication "--export 0x${fingerprint}!" | gpg_host --import
  618. if [ "$trust" == marginal ]; then
  619. trustval=1
  620. elif [ "$trust" == full ]; then
  621. trustval=2
  622. else
  623. failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)."
  624. fi
  625. # ltsign command
  626. # NOTE: *all* user IDs will be ltsigned
  627. ltsignCommand=$(cat <<EOF
  628. ltsign
  629. y
  630. $trustval
  631. $depth
  632. $domain
  633. y
  634. save
  635. EOF
  636. )
  637. # ltsign the key
  638. if echo "$ltsignCommand" | \
  639. gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
  640. # update the trustdb for the authentication keyring
  641. gpg_authentication "--check-trustdb"
  642. echo
  643. echo "Identity certifier added."
  644. else
  645. failure "Problem adding identify certifier."
  646. fi
  647. }
  648. # delete a certifiers key from the host keyring
  649. remove_certifier() {
  650. local keyID
  651. local fingerprint
  652. keyID="$1"
  653. if [ -z "$keyID" ] ; then
  654. failure "You must specify the key ID of a key to remove."
  655. fi
  656. if gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-key 0x${keyID}!" ; then
  657. read -p "Really remove above listed identity certifier? (y/N) " OK; OK=${OK:-N}
  658. if [ "${OK/y/Y}" != 'Y' ] ; then
  659. failure "Identity certifier not removed."
  660. fi
  661. else
  662. failure
  663. fi
  664. # delete the requested key
  665. if gpg_authentication "--delete-key --batch --yes 0x${keyID}!" ; then
  666. # delete key from host keyring as well
  667. gpg_host --delete-key --batch --yes "0x${keyID}!"
  668. # update the trustdb for the authentication keyring
  669. gpg_authentication "--check-trustdb"
  670. echo
  671. echo "Identity certifier removed."
  672. else
  673. failure "Problem removing identity certifier."
  674. fi
  675. }
  676. # list the host certifiers
  677. list_certifiers() {
  678. local keys
  679. local key
  680. # find trusted keys in authentication keychain
  681. keys=$(gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-keys --with-colons --fingerprint" | \
  682. grep ^pub: | cut -d: -f2,5 | egrep '^(u|f):' | cut -d: -f2)
  683. # output keys
  684. for key in $keys ; do
  685. gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-key --fingerprint $key"
  686. done
  687. }
  688. # issue command to gpg-authentication keyring
  689. gpg_authentication_cmd() {
  690. gpg_authentication "$@"
  691. }
  692. ########################################################################
  693. # MAIN
  694. ########################################################################
  695. # unset variables that should be defined only in config file
  696. unset KEYSERVER
  697. unset AUTHORIZED_USER_IDS
  698. unset RAW_AUTHORIZED_KEYS
  699. unset MONKEYSPHERE_USER
  700. # load configuration file
  701. [ -e ${MONKEYSPHERE_SERVER_CONFIG:="${ETC}/monkeysphere-server.conf"} ] && . "$MONKEYSPHERE_SERVER_CONFIG"
  702. # set empty config variable with ones from the environment, or with
  703. # defaults
  704. LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="info"}}
  705. KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="subkeys.pgp.net"}}
  706. AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.config/monkeysphere/authorized_user_ids"}}
  707. RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
  708. MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
  709. # other variables
  710. CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
  711. REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
  712. GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${VARLIB}/gnupg-host"}
  713. GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${VARLIB}/gnupg-authentication"}
  714. # export variables needed in su invocation
  715. export DATE
  716. export MODE
  717. export MONKEYSPHERE_USER
  718. export LOG_LEVEL
  719. export KEYSERVER
  720. export CHECK_KEYSERVER
  721. export REQUIRED_USER_KEY_CAPABILITY
  722. export GNUPGHOME_HOST
  723. export GNUPGHOME_AUTHENTICATION
  724. export GNUPGHOME
  725. # get subcommand
  726. COMMAND="$1"
  727. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  728. shift
  729. case $COMMAND in
  730. 'update-users'|'update-user'|'u')
  731. update_users "$@"
  732. ;;
  733. 'gen-key'|'g')
  734. gen_key "$@"
  735. ;;
  736. 'extend-key'|'e')
  737. extend_key "$@"
  738. ;;
  739. 'add-hostname'|'add-name'|'n+')
  740. add_hostname "$@"
  741. ;;
  742. 'revoke-hostname'|'revoke-name'|'n-')
  743. revoke_hostname "$@"
  744. ;;
  745. 'show-key'|'show'|'s')
  746. show_server_key
  747. ;;
  748. 'publish-key'|'publish'|'p')
  749. publish_server_key
  750. ;;
  751. 'diagnostics'|'d')
  752. diagnostics
  753. ;;
  754. 'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
  755. add_certifier "$@"
  756. ;;
  757. 'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-')
  758. remove_certifier "$@"
  759. ;;
  760. 'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c')
  761. list_certifiers "$@"
  762. ;;
  763. 'gpg-authentication-cmd')
  764. gpg_authentication_cmd "$@"
  765. ;;
  766. '--help'|'help'|'-h'|'h'|'?')
  767. usage
  768. ;;
  769. *)
  770. failure "Unknown command: '$COMMAND'
  771. Type '$PGRM help' for usage."
  772. ;;
  773. esac
  774. exit "$RETURN"