blob: 06b5810f886f99800a1cac53109917db66cdf64b (
plain)
- # -*-shell-script-*-
- # This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
- # Monkeysphere host revoke-hostname subcommand
- #
- # The monkeysphere scripts are written by:
- # Jameson Rollins <jrollins@finestructure.net>
- # Jamie McClelland <jm@mayfirst.org>
- # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- #
- # They are Copyright 2008-2009, and are all released under the GPL,
- # version 3 or later.
- # revoke hostname user ID from host key
- revoke_hostname() {
- local userID
- local fingerprint
- local tmpuidMatch
- local line
- local uidIndex
- local message
- local revuidCommand
- if [ -z "$1" ] ; then
- failure "You must specify a hostname to revoke."
- fi
- echo "WARNING: There is a known bug in this function."
- echo "This function has been known to occasionally revoke the wrong user ID."
- echo "Please see the following bug report for more information:"
- echo "http://web.monkeysphere.info/bugs/revoke-hostname-revoking-wrong-userid/"
- read -p "Are you sure you would like to proceed? (y/N) " OK; OK=${OK:=N}
- if [ ${OK/y/Y} != 'Y' ] ; then
- failure "aborting."
- fi
- userID="ssh://${1}"
- fingerprint=$(fingerprint_host_key)
- # match to only ultimately trusted user IDs
- tmpuidMatch="u:$(echo $userID | gpg_escape)"
- # find the index of the requsted user ID
- # NOTE: this is based on circumstantial evidence that the order of
- # this output is the appropriate index
- if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \
- | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then
- uidIndex=${line%%:*}
- else
- failure "No non-revoked user ID '$userID' is found."
- fi
- echo "The following host key user ID will be revoked:"
- echo " $userID"
- read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N}
- if [ ${OK/y/Y} != 'Y' ] ; then
- failure "User ID not revoked."
- fi
- message="Hostname removed by monkeysphere-server $DATE"
- # edit-key script command to revoke user ID
- revuidCommand=$(cat <<EOF
- $uidIndex
- revuid
- y
- 4
- $message
- y
- save
- EOF
- )
- # execute edit-key script
- if echo "$revuidCommand" | \
- gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
- show_key
- echo
- echo "NOTE: User ID revoked, but revocation not published."
- echo "Run '$PGRM publish-key' to publish the revocation."
- else
- failure "Problem revoking user ID."
- fi
- }
|