#!/usr/bin/env bash # Monkeysphere host gen-key subcommand # # The monkeysphere scripts are written by: # Jameson Rollins <jrollins@fifthhorseman.net> # Jamie McClelland <jm@mayfirst.org> # Daniel Kahn Gillmor <dkg@fifthhorseman.net> # # They are Copyright 2008, and are all released under the GPL, version 3 # or later. local keyType="RSA" local keyLength="2048" local keyUsage="auth" local keyExpire local revoker local hostName=$(hostname -f) local userID local keyParameters local fingerprint # check for presense of secret key # FIXME: is this the proper test to be doing here? fingerprint_server_key >/dev/null \ && failure "An OpenPGP host key already exists." # get options while true ; do case "$1" in -h|--hostname) hostName="$2" shift 2 ;; -l|--length) keyLength="$2" shift 2 ;; -e|--expire) keyExpire="$2" shift 2 ;; -r|--revoker) revoker="$2" shift 2 ;; *) if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then failure "Unknown option '$1'. Type '$PGRM help' for usage." fi break ;; esac done userID="ssh://${hostName}" # prompt about key expiration if not specified keyExpire=$(get_gpg_expiration "$keyExpire") # set key parameters keyParameters=\ "Key-Type: $keyType Key-Length: $keyLength Key-Usage: $keyUsage Name-Real: $userID Expire-Date: $keyExpire" # add the revoker field if specified # FIXME: the "1:" below assumes that $REVOKER's key is an RSA key. # FIXME: key is marked "sensitive"? is this appropriate? if [ "$revoker" ] ; then keyParameters=\ "${keyParameters} Revoker: 1:${revoker} sensitive" fi echo "The following key parameters will be used for the host private key:" echo "$keyParameters" read -p "Generate key? (Y/n) " OK; OK=${OK:=Y} if [ ${OK/y/Y} != 'Y' ] ; then failure "aborting." fi # add commit command # must include blank line! keyParameters=\ "${keyParameters} %commit %echo done" log verbose "generating host key..." echo "$keyParameters" | gpg_host --batch --gen-key # find the key fingerprint of the newly generated key fingerprint=$(fingerprint_server_key) # export host ownertrust to authentication keyring log verbose "setting ultimate owner trust for host key..." echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust" # translate the private key to ssh format, and export to a file # for sshs usage. # NOTE: assumes that the primary key is the proper key to use (umask 077 && \ gpg_host --export-secret-key "$fingerprint" | \ openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key") log info "SSH host private key output to file: ${SYSDATADIR}/ssh_host_rsa_key" ssh-keygen -y -f "${SYSDATADIR}/ssh_host_rsa_key" > "${SYSDATADIR}/ssh_host_rsa_key.pub" log info "SSH host public key output to file: ${SYSDATADIR}/ssh_host_rsa_key.pub" gpg_authentication "--export-options export-minimal --armor --export 0x${fingerprint}\!" > "${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" log info "SSH host public key in OpenPGP form: ${SYSDATADIR}/ssh_host_rsa_key.pub.gpg" # show info about new key show_key