summaryrefslogtreecommitdiff
path: root/src/monkeysphere-server
blob: 560d249867d780183f9b070ed341c099bf948963 (plain)
  1. #!/bin/bash
  2. # monkeysphere-server: MonkeySphere server admin tool
  3. #
  4. # The monkeysphere scripts are written by:
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. #
  7. # They are Copyright 2008, and are all released under the GPL, version 3
  8. # or later.
  9. ########################################################################
  10. PGRM=$(basename $0)
  11. SHAREDIR=${SHAREDIR:-"/usr/share/monkeysphere"}
  12. export SHAREDIR
  13. . "${SHAREDIR}/common"
  14. # date in UTF format if needed
  15. DATE=$(date -u '+%FT%T')
  16. # unset some environment variables that could screw things up
  17. GREP_OPTIONS=
  18. ########################################################################
  19. # FUNCTIONS
  20. ########################################################################
  21. usage() {
  22. cat <<EOF
  23. usage: $PGRM <subcommand> [args]
  24. MonkeySphere server admin tool.
  25. subcommands:
  26. update-users (s) [USER]... update users authorized_keys files
  27. gen-key (g) [HOSTNAME] generate gpg key for the server
  28. publish-key (p) publish server key to keyserver
  29. trust-keys (t) KEYID... mark keyids as trusted
  30. update-user-userids (u) USER UID... add/update user IDs for a user
  31. remove-user-userids (r) USER UID... remove user IDs for a user
  32. help (h,?) this help
  33. EOF
  34. }
  35. # generate server gpg key
  36. gen_key() {
  37. local hostName
  38. hostName=${1:-$(hostname --fqdn)}
  39. # set key defaults
  40. KEY_TYPE=${KEY_TYPE:-"RSA"}
  41. KEY_LENGTH=${KEY_LENGTH:-"2048"}
  42. KEY_USAGE=${KEY_USAGE:-"auth,encrypt"}
  43. cat <<EOF
  44. Please specify how long the key should be valid.
  45. 0 = key does not expire
  46. <n> = key expires in n days
  47. <n>w = key expires in n weeks
  48. <n>m = key expires in n months
  49. <n>y = key expires in n years
  50. EOF
  51. read -p "Key is valid for? ($EXPIRE) " EXPIRE; EXPIRE=${EXPIRE:-"0"}
  52. SERVICE=${SERVICE:-"ssh"}
  53. USERID=${USERID:-"$SERVICE"://"$hostName"}
  54. # set key parameters
  55. keyParameters=$(cat <<EOF
  56. Key-Type: $KEY_TYPE
  57. Key-Length: $KEY_LENGTH
  58. Key-Usage: $KEY_USAGE
  59. Name-Real: $USERID
  60. Expire-Date: $EXPIRE
  61. EOF
  62. )
  63. # add the revoker field if requested
  64. if [ "$REVOKER" ] ; then
  65. keyParameters="${keyParameters}"$(cat <<EOF
  66. Revoker: 1:$REVOKER sensitive
  67. EOF
  68. )
  69. fi
  70. echo "The following key parameters will be used:"
  71. echo "$keyParameters"
  72. read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
  73. if [ ${OK/y/Y} != 'Y' ] ; then
  74. failure "aborting."
  75. fi
  76. if gpg --list-key ="$USERID" > /dev/null 2>&1 ; then
  77. failure "key for '$USERID' already exists"
  78. fi
  79. # add commit command
  80. keyParameters="${keyParameters}"$(cat <<EOF
  81. %commit
  82. %echo done
  83. EOF
  84. )
  85. log -n "generating server key... "
  86. echo "$keyParameters" | gpg --batch --gen-key
  87. loge "done."
  88. }
  89. ########################################################################
  90. # MAIN
  91. ########################################################################
  92. COMMAND="$1"
  93. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
  94. shift
  95. # set ms home directory
  96. MS_HOME=${MS_HOME:-"$ETC"}
  97. # load configuration file
  98. MS_CONF=${MS_CONF:-"$MS_HOME"/monkeysphere-server.conf}
  99. [ -e "$MS_CONF" ] && . "$MS_CONF"
  100. # set empty config variable with defaults
  101. GNUPGHOME=${GNUPGHOME:-"${MS_HOME}/gnupg"}
  102. KEYSERVER=${KEYSERVER:-"subkeys.pgp.net"}
  103. CHECK_KEYSERVER=${CHECK_KEYSERVER:="true"}
  104. REQUIRED_USER_KEY_CAPABILITY=${REQUIRED_USER_KEY_CAPABILITY:-"a"}
  105. USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-"%h/.ssh/authorized_keys"}
  106. export GNUPGHOME
  107. # make sure the monkeysphere home directory exists
  108. mkdir -p "${MS_HOME}/authorized_user_ids"
  109. # make sure gpg home exists with proper permissions
  110. mkdir -p -m 0700 "$GNUPGHOME"
  111. # make sure the authorized_keys directory exists
  112. mkdir -p "${CACHE}/authorized_keys"
  113. case $COMMAND in
  114. 'update-users'|'update-user'|'s')
  115. if [ "$1" ] ; then
  116. unames="$@"
  117. else
  118. unames=$(ls -1 "${MS_HOME}/authorized_user_ids")
  119. fi
  120. for uname in $unames ; do
  121. MODE="authorized_keys"
  122. log "----- user: $uname -----"
  123. # set variables for the user
  124. AUTHORIZED_USER_IDS="${MS_HOME}/authorized_user_ids/${uname}"
  125. # temporary authorized_keys file
  126. AUTHORIZED_KEYS="${CACHE}/authorized_keys/${uname}.tmp"
  127. # make sure user's authorized_user_ids file exists
  128. touch "$AUTHORIZED_USER_IDS"
  129. # make sure the authorized_keys file exists and is clear
  130. > "$AUTHORIZED_KEYS"
  131. # skip if the user's authorized_user_ids file is empty
  132. if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
  133. log "authorized_user_ids file for '$uname' is empty."
  134. continue
  135. fi
  136. # process authorized_user_ids file
  137. log "processing authorized_user_ids file..."
  138. process_authorized_user_ids
  139. # add user-controlled authorized_keys file path if specified
  140. if [ "$USER_CONTROLLED_AUTHORIZED_KEYS" != '-' ] ; then
  141. userHome=$(getent passwd "$uname" | cut -d: -f6)
  142. userAuthorizedKeys=${USER_CONTROLLED_AUTHORIZED_KEYS/\%h/"$userHome"}
  143. log -n "adding user's authorized_keys file... "
  144. cat "$userAuthorizedKeys" >> "$AUTHORIZED_KEYS"
  145. loge "done."
  146. fi
  147. # move the temp authorized_keys file into place
  148. mv -f "${CACHE}/authorized_keys/${uname}.tmp" "${CACHE}/authorized_keys/${uname}"
  149. log "authorized_keys file updated."
  150. done
  151. log "----- done. -----"
  152. ;;
  153. 'gen-key'|'g')
  154. gen_key "$1"
  155. ;;
  156. 'publish-key'|'p')
  157. publish_server_key
  158. ;;
  159. 'trust-keys'|'trust-key'|'t')
  160. if [ -z "$1" ] ; then
  161. failure "You must specify at least one key to trust."
  162. fi
  163. # process key IDs
  164. for keyID ; do
  165. trust_key "$keyID"
  166. done
  167. ;;
  168. 'update-user-userids'|'update-user-userid'|'u')
  169. uname="$1"
  170. shift
  171. if [ -z "$uname" ] ; then
  172. failure "You must specify user."
  173. fi
  174. if [ -z "$1" ] ; then
  175. failure "You must specify at least one user ID."
  176. fi
  177. # set variables for the user
  178. AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
  179. # make sure user's authorized_user_ids file exists
  180. touch "$AUTHORIZED_USER_IDS"
  181. # process the user IDs
  182. for userID ; do
  183. update_userid "$userID"
  184. done
  185. log "Run the following to update user's authorized_keys file:"
  186. log "$PGRM update-users $uname"
  187. ;;
  188. 'remove-user-userids'|'remove-user-userid'|'r')
  189. uname="$1"
  190. shift
  191. if [ -z "$uname" ] ; then
  192. failure "You must specify user."
  193. fi
  194. if [ -z "$1" ] ; then
  195. failure "You must specify at least one user ID."
  196. fi
  197. # set variables for the user
  198. AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
  199. # make sure user's authorized_user_ids file exists
  200. touch "$AUTHORIZED_USER_IDS"
  201. # process the user IDs
  202. for userID ; do
  203. remove_userid "$userID"
  204. done
  205. log "Run the following to update user's authorized_keys file:"
  206. log "$PGRM update-users $uname"
  207. ;;
  208. 'help'|'h'|'?')
  209. usage
  210. ;;
  211. *)
  212. failure "Unknown command: '$COMMAND'
  213. Type '$PGRM help' for usage."
  214. ;;
  215. esac