path: root/src/share/mh/revoke_key
  1. # -*-shell-script-*-
  2. # This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
  3. # Monkeysphere host revoke-key subcommand
  4. #
  5. # The monkeysphere scripts are written by:
  6. # Jameson Rollins <jrollins@finestructure.net>
  7. # Jamie McClelland <jm@mayfirst.org>
  8. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  9. #
  10. # They are Copyright 2008-2009, and are all released under the GPL,
  11. # version 3 or later.
  12. # revoke host key
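revoke_key() {
    # Coming in here, we expect $HOST_FINGERPRINT to be set, and we
    # believe that there is in fact a key.  Both of the globals this
    # function depends on are checked up front so that a missing value
    # fails with a clear diagnostic on stderr (return 1) instead of
    # handing gpg a malformed key specifier such as "0x!".
    if [ -z "${HOST_FINGERPRINT:-}" ]; then
        printf '%s\n' "revoke_key: HOST_FINGERPRINT is not set; cannot identify the host key" >&2
        return 1
    fi
    if [ -z "${GNUPGHOME_HOST:-}" ]; then
        printf '%s\n' "revoke_key: GNUPGHOME_HOST is not set; cannot locate the host keyring" >&2
        return 1
    fi

    # our current implementation is very simple: we just want to
    # generate the revocation certificate on stdout. This provides
    # for the two most likely (but hopefully not common) scenarios:
    # an admin wants a revocation certificate for the host which they
    # can store securely offline. In this case, the admin can
    # redirect stdout to a file, or can simply copy/paste or
    # transcribe from the terminal.
    # Alternately, an admin might want to publish the revocation
    # certificate immediately. here's a quick way to do this:
    # tmp=$(mktemp -d)
    # export GNUPGHOME="$tmp"
    # gpg --import < /var/lib/monkeysphere/ssh_host_rsa_key.pub.gpg
    # monkeysphere-host revoke-key | gpg --import
    # gpg --keyserver pool.sks-keyservers.net --send $(hostname -f)
    # NOTE(review): the keyserver named in the example above may no
    # longer be reachable; substitute whichever keyserver you use.
    # note: we're not using the gpg_host function because we actually
    # want to use gpg's UI in this case, so we want to omit --no-tty
    # The trailing '!' tells gpg to use exactly this key, not a
    # subkey or another key that happens to match the fingerprint.
    # Exit status is gpg's, so callers can detect a failed generation.
    GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${HOST_FINGERPRINT}!"
}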