path: root/src/monkeysphere

#!/usr/bin/env bash

# monkeysphere: MonkeySphere client tool
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@fifthhorseman.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008, and are all released under the GPL, version 3
# or later.

########################################################################
PGRM=$(basename $0)

SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
export SYSSHAREDIR
. "${SYSSHAREDIR}/common" || exit 1

# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')

# unset some environment variables that could screw things up
unset GREP_OPTIONS

# default return code
RETURN=0

# set the file creation mask to be only owner rw
umask 077

########################################################################
# FUNCTIONS
########################################################################

usage() {
    cat <<EOF >&2
usage: $PGRM <subcommand> [options] [args]
Monkeysphere client tool.

subcommands:
 update-known_hosts (k) [HOST]...    update known_hosts file
 update-authorized_keys (a)          update authorized_keys file
 gen-subkey (g) [KEYID]              generate an authentication subkey
   --length (-l) BITS                  key length in bits (2048)
   --expire (-e) EXPIRE                date to expire
 subkey-to-ssh-agent (s)             store authentication subkey in ssh-agent
 version (v)                         show version number
 help (h,?)                          this help

EOF
}

# generate a subkey with the 'a' usage flags set
gen_subkey(){
    local keyLength
    local keyExpire
    local keyID
    local gpgOut
    local userID

    # set default key parameter values
    keyLength=
    keyExpire=

    # get options
    while true ; do
    case "$1" in
        -l|--length)
        keyLength="$2"
        shift 2
        ;;
        -e|--expire)
        keyExpire="$2"
        shift 2
        ;;
        *)
        if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
            failure "Unknown option '$1'.
Type '$PGRM help' for usage."
        fi
        break
        ;;
    esac
    done

    case "$#" in
    0)
        gpgSecOut=$(gpg --quiet --fixed-list-mode --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:')
        ;;
    1)
        gpgSecOut=$(gpg --quiet --fixed-list-mode --list-secret-keys --with-colons "$1" | egrep '^sec:') || failure
        ;;
    *)
        failure "You must specify only a single primary key ID."
        ;;
    esac

    # check that only a single secret key was found
    case $(echo "$gpgSecOut" | grep -c '^sec:') in
    0)
        failure "No secret keys found.  Create an OpenPGP key with the following command:
 gpg --gen-key"
        ;;
    1)
        keyID=$(echo "$gpgSecOut" | cut -d: -f5)
        ;;
    *)
        echo "Multiple primary secret keys found:"
        echo "$gpgSecOut" | cut -d: -f5
        failure "Please specify which primary key to use."
        ;;
    esac

    # check that a valid authentication key does not already exist
    IFS=$'\n'
    for line in $(gpg --quiet --fixed-list-mode --list-keys --with-colons "$keyID") ; do
    type=$(echo "$line" | cut -d: -f1)
    validity=$(echo "$line" | cut -d: -f2)
    usage=$(echo "$line" | cut -d: -f12)

    # look at keys only
    if [ "$type" != 'pub' -a "$type" != 'sub' ] ; then
        continue
    fi
    # check for authentication capability
    if ! check_capability "$usage" 'a' ; then
        continue
    fi
    # if authentication key is valid, prompt to continue
    if [ "$validity" = 'u' ] ; then
        echo "A valid authentication key already exists for primary key '$keyID'."
        read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:N}
        if [ "${OK/y/Y}" != 'Y' ] ; then
        failure "aborting."
        fi
        break
    fi
    done

    # set subkey defaults
    # prompt about key expiration if not specified
    keyExpire=$(get_gpg_expiration "$keyExpire")

    # generate the list of commands that will be passed to edit-key
    editCommands=$(cat <<EOF
addkey
7
S
E
A
Q
$keyLength
$keyExpire
save
EOF
)

    log verbose "generating subkey..."
    fifoDir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
    (umask 077 && mkfifo "$fifoDir/pass")
    echo "$editCommands" | gpg --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --edit-key "$keyID" &

    # FIXME: this needs to fail more gracefully if the passphrase is incorrect
    passphrase_prompt  "Please enter your passphrase for $keyID: " "$fifoDir/pass"

    rm -rf "$fifoDir"
    wait
    log verbose "done."
}

subkey_to_ssh_agent() {
    # try to add all authentication subkeys to the agent:

    local sshaddresponse
    local secretkeys
    local authsubkeys
    local workingdir
    local keysuccess
    local subkey
    local publine
    local kname

    if ! test_gnu_dummy_s2k_extension ; then
    failure "Your version of GnuTLS does not seem capable of using with gpg's exported subkeys.
You may want to consider patching or upgrading to GnuTLS 2.6 or later.

For more details, see:
 http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html"
    fi

    # if there's no agent running, don't bother:
    if [ -z "$SSH_AUTH_SOCK" ] || ! which ssh-add >/dev/null ; then
    failure "No ssh-agent available."
    fi

    # and if it looks like it's running, but we can't actually talk to
    # it, bail out:
    ssh-add -l >/dev/null
    sshaddresponse="$?"
    if [ "$sshaddresponse" = "2" ]; then
    failure "Could not connect to ssh-agent"
    fi
    
    # get list of secret keys (to work around https://bugs.g10code.com/gnupg/issue945):
    secretkeys=$(gpg --list-secret-keys --with-colons --fixed-list-mode --fingerprint | \
    grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }')

    if [ -z "$secretkeys" ]; then
    failure "You have no secret keys in your keyring!
You might want to run 'gpg --gen-key'."
    fi
    
    authsubkeys=$(gpg --list-secret-keys --with-colons --fixed-list-mode \
    --fingerprint --fingerprint $secretkeys | \
    cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \
    grep '^fpr::' | cut -f3 -d: | sort -u)

    if [ -z "$authsubkeys" ]; then
    failure "no authentication-capable subkeys available.
You might want to 'monkeysphere gen-subkey'"
    fi

    workingdir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
    umask 077
    mkfifo "$workingdir/passphrase"
    keysuccess=1

    # FIXME: we're currently allowing any other options to get passed
    # through to ssh-add.  should we limit it to known ones?  For
    # example: -d or -c and/or -t <lifetime> 

    for subkey in $authsubkeys; do 
    # choose a label by which this key will be known in the agent:
    # we are labelling the key by User ID instead of by
    # fingerprint, but filtering out all / characters to make sure
    # the filename is legit.

    primaryuid=$(gpg --with-colons --list-key "0x${subkey}!" | grep '^pub:' | cut -f10 -d: | tr -d /)

    #kname="[monkeysphere] $primaryuid"
    kname="$primaryuid"

    if [ "$1" = '-d' ]; then
        # we're removing the subkey:
        gpg --export "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname"
        (cd "$workingdir" && ssh-add -d "$kname")
    else
        # we're adding the subkey:
        mkfifo "$workingdir/$kname"
        gpg --quiet --passphrase-fd 3 3<"$workingdir/passphrase" \
        --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \
        --export-secret-subkeys "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname" &
        (cd "$workingdir" && DISPLAY=nosuchdisplay SSH_ASKPASS=/bin/false ssh-add "$@" "$kname" </dev/null )&

        passphrase_prompt "Enter passphrase for key $kname: " "$workingdir/passphrase"
        wait %2
    fi
    keysuccess="$?"

    rm -f "$workingdir/$kname"
    done

    rm -rf "$workingdir"

    # FIXME: sort out the return values: we're just returning the
    # success or failure of the final authentication subkey in this
    # case.  What if earlier ones failed?
    exit "$keysuccess"
}

########################################################################
# MAIN
########################################################################

# unset variables that should be defined only in config file
unset KEYSERVER
unset CHECK_KEYSERVER
unset KNOWN_HOSTS
unset HASH_KNOWN_HOSTS
unset AUTHORIZED_KEYS

# load global config
[ -r "${SYSCONFIGDIR}/monkeysphere.conf" ] && . "${SYSCONFIGDIR}/monkeysphere.conf"

# set monkeysphere home directory
MONKEYSPHERE_HOME=${MONKEYSPHERE_HOME:="${HOME}/.monkeysphere"}
mkdir -p -m 0700 "$MONKEYSPHERE_HOME"

# load local config
[ -e ${MONKEYSPHERE_CONFIG:="${MONKEYSPHERE_HOME}/monkeysphere.conf"} ] && . "$MONKEYSPHERE_CONFIG"

# set empty config variables with ones from the environment, or from
# config file, or with defaults
LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
GNUPGHOME=${MONKEYSPHERE_GNUPGHOME:=${GNUPGHOME:="${HOME}/.gnupg"}}
KEYSERVER=${MONKEYSPHERE_KEYSERVER:="$KEYSERVER"}
# if keyserver not specified in env or monkeysphere.conf,
# look in gpg.conf
if [ -z "$KEYSERVER" ] ; then
    if [ -f "${GNUPGHOME}/gpg.conf" ] ; then
    KEYSERVER=$(grep -e "^[[:space:]]*keyserver " "${GNUPGHOME}/gpg.conf" | tail -1 | awk '{ print $2 }')
    fi
fi
# if it's still not specified, use the default
KEYSERVER=${KEYSERVER:="subkeys.pgp.net"}
CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}}
KNOWN_HOSTS=${MONKEYSPHERE_KNOWN_HOSTS:=${KNOWN_HOSTS:="${HOME}/.ssh/known_hosts"}}
HASH_KNOWN_HOSTS=${MONKEYSPHERE_HASH_KNOWN_HOSTS:=${HASH_KNOWN_HOSTS:="true"}}
AUTHORIZED_KEYS=${MONKEYSPHERE_AUTHORIZED_KEYS:=${AUTHORIZED_KEYS:="${HOME}/.ssh/authorized_keys"}}

# other variables not in config file
AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:="${MONKEYSPHERE_HOME}/authorized_user_ids"}
REQUIRED_HOST_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_HOST_KEY_CAPABILITY:="a"}
REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}

# export GNUPGHOME and make sure gpg home exists with proper
# permissions
export GNUPGHOME
mkdir -p -m 0700 "$GNUPGHOME"
export LOG_LEVEL

# get subcommand
COMMAND="$1"
[ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
shift

case $COMMAND in
    'update-known_hosts'|'update-known-hosts'|'k')
    MODE='known_hosts'

    # touch the known_hosts file so that the file permission check
    # below won't fail upon not finding the file
    (umask 0022 && touch "$KNOWN_HOSTS")

    # check permissions on the known_hosts file path
    check_key_file_permissions "$USER" "$KNOWN_HOSTS" || failure

        # if hosts are specified on the command line, process just
        # those hosts
    if [ "$1" ] ; then
        update_known_hosts "$@"
        RETURN="$?"

        # otherwise, if no hosts are specified, process every host
        # in the user's known_hosts file
    else
        # exit if the known_hosts file does not exist
        if [ ! -e "$KNOWN_HOSTS" ] ; then
        log error "known_hosts file '$KNOWN_HOSTS' does not exist."
        exit
        fi

        process_known_hosts
        RETURN="$?"
    fi
    ;;

    'update-authorized_keys'|'update-authorized-keys'|'a')
    MODE='authorized_keys'

    # check permissions on the authorized_user_ids file path
    check_key_file_permissions "$USER" "$AUTHORIZED_USER_IDS" || failure

    # check permissions on the authorized_keys file path
    check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" || failure

        # exit if the authorized_user_ids file is empty
    if [ ! -e "$AUTHORIZED_USER_IDS" ] ; then
        log error "authorized_user_ids file '$AUTHORIZED_USER_IDS' does not exist."
        exit
    fi

    # process authorized_user_ids file
    process_authorized_user_ids "$AUTHORIZED_USER_IDS"
    RETURN="$?"
    ;;

    'gen-subkey'|'g')
    gen_subkey "$@"
    ;;

    'subkey-to-ssh-agent'|'s')
    subkey_to_ssh_agent "$@"
    ;;

    'version'|'v')
    echo "$VERSION"
    ;;

    '--help'|'help'|'-h'|'h'|'?')
        usage
        ;;

    *)
        failure "Unknown command: '$COMMAND'
Type '$PGRM help' for usage."
        ;;
esac

exit "$RETURN"