X-Git-Url: http://git.tremily.us/?a=blobdiff_plain;f=src%2Fmonkeysphere;h=8ce0c2267a4b172f4bc818d45e461325979e35bf;hb=f4d3bc45faeb18bf89313fbb446b1eee77501797;hp=b30453ca0ff46277b0d70ee23f39bdda5d59473d;hpb=ff8383ce9092335de6c00447bb45a2a7fbbf8685;p=monkeysphere.git diff --git a/src/monkeysphere b/src/monkeysphere index b30453c..8ce0c22 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -3,7 +3,7 @@ # monkeysphere: Monkeysphere client tool # # The monkeysphere scripts are written by: -# Jameson Rollins +# Jameson Rollins # Jamie McClelland # Daniel Kahn Gillmor # Micah Anderson @@ -12,11 +12,14 @@ # or later. ######################################################################## +set -e + PGRM=$(basename $0) SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} export SYSSHAREDIR -. "${SYSSHAREDIR}/common" || exit 1 +. "${SYSSHAREDIR}/defaultenv" +. "${SYSSHAREDIR}/common" # sharedir for host functions MSHAREDIR="${SYSSHAREDIR}/m" @@ -42,10 +45,15 @@ Monkeysphere client tool. subcommands: update-known_hosts (k) [HOST]... update known_hosts file update-authorized_keys (a) update authorized_keys file + ssh-proxycommand HOST [PORT] monkeysphere ssh ProxyCommand + --no-connect do not make TCP connection to host + subkey-to-ssh-agent (s) store authentication subkey in ssh-agent + + keys-for-userid (u) USERID output valid keys for given user ids + sshfprs-for-userid USERID output ssh fingerprints for given user ids gen-subkey (g) [KEYID] generate an authentication subkey --length (-l) BITS key length in bits (2048) - ssh-proxycommand monkeysphere ssh ProxyCommand - subkey-to-ssh-agent (s) store authentication subkey in ssh-agent + version (v) show version number help (h,?) this help @@ -57,6 +65,12 @@ gpg_user() { gpg --no-greeting --quiet --no-tty "$@" } +# output the ssh fingerprint of a gpg key +gpg_ssh_fingerprint() { + keyid="$1" + gpg_user --export "$keyid" --no-armor | "$SYSSHAREDIR/keytrans" openpgp2sshfpr "$keyid" +} + # take a secret key ID and check that only zero or one ID is provided, # and that it corresponds to only a single secret key ID check_gpg_sec_key_id() { @@ -67,7 +81,7 @@ check_gpg_sec_key_id() { gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:') ;; 1) - gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons "$keyID" | egrep '^sec:') || failure + gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons "$1" | egrep '^sec:') || failure ;; *) failure "You must specify only a single primary key ID." @@ -84,12 +98,10 @@ check_gpg_sec_key_id() { echo "$gpgSecOut" | cut -d: -f5 ;; *) - echo "Multiple primary secret keys found:" - for key in $(echo "$gpgSecOut" | cut -d: -f5) ; do - echo " $key" - done - echo "Please specify which primary key to use." - failure + local seckeys=$(echo "$gpgSecOut" | cut -d: -f5) + failure "Multiple primary secret keys found: +$seckeys +Please specify which primary key to use." ;; esac } @@ -122,9 +134,10 @@ check_gpg_authentication_subkey() { fi # if authentication key is valid, prompt to continue if [ "$validity" = 'u' ] ; then - echo "A valid authentication key already exists for primary key '$keyID'." - if [ "$PROMPT" = "true" ] ; then - read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:N} + echo "A valid authentication key already exists for primary key '$keyID'." 1>&2 + if [ "$PROMPT" != "false" ] ; then + printf "Are you sure you would like to generate another one? (y/N) " >&2 + read OK; OK=${OK:N} if [ "${OK/y/Y}" != 'Y' ] ; then failure "aborting." fi @@ -176,21 +189,30 @@ PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT} KNOWN_HOSTS=${MONKEYSPHERE_KNOWN_HOSTS:=$KNOWN_HOSTS} HASH_KNOWN_HOSTS=${MONKEYSPHERE_HASH_KNOWN_HOSTS:=$HASH_KNOWN_HOSTS} AUTHORIZED_KEYS=${MONKEYSPHERE_AUTHORIZED_KEYS:=$AUTHORIZED_KEYS} +STRICT_MODES=${MONKEYSPHERE_STRICT_MODES:=$STRICT_MODES} # other variables not in config file AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:="${MONKEYSPHERE_HOME}/authorized_user_ids"} REQUIRED_HOST_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_HOST_KEY_CAPABILITY:="a"} REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"} +# note that only using '=' instead of ':=' tests only if the variable +# in unset, not if it's "null" +LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX='ms: '} # export GNUPGHOME and make sure gpg home exists with proper # permissions export GNUPGHOME mkdir -p -m 0700 "$GNUPGHOME" export LOG_LEVEL +export LOG_PREFIX + +if [ "$#" -eq 0 ] ; then + usage + failure "Please supply a subcommand." +fi # get subcommand COMMAND="$1" -[ "$COMMAND" ] || failure "Type '$PGRM help' for usage." shift case $COMMAND in @@ -218,7 +240,7 @@ case $COMMAND in process_authorized_user_ids "$AUTHORIZED_USER_IDS" ;; - 'import-subkey'|'i') + 'import-subkey'|'import'|'i') source "${MSHAREDIR}/import_subkey" import_subkey "$@" ;; @@ -238,18 +260,37 @@ case $COMMAND in subkey_to_ssh_agent "$@" ;; - 'version'|'v') - echo "$VERSION" + 'sshfpr') + echo "Warning: 'sshfpr' is deprecated. Please use 'sshfprs-for-userid' instead." >&2 + gpg_ssh_fingerprint "$@" ;; - '--help'|'help'|'-h'|'h'|'?') + 'keys-for-userid'|'u') + CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}} + keys_for_userid "$@" + ;; + + 'sshfprs-for-userid') + CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}} + keys_for_userid "$@" | "$SYSSHAREDIR/keytrans" sshfpr + ;; + + 'keys-from-userid') + echo "Warning: 'keys-from-userid' is deprecated. Please use 'keys-for-userid' instead." >&2 + CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}} + keys_for_userid "$@" + ;; + + 'version'|'--version'|'v') + version + ;; + + 'help'|'--help'|'-h'|'h'|'?') usage ;; *) failure "Unknown command: '$COMMAND' -Type '$PGRM help' for usage." +Try '$PGRM help' for usage." ;; esac - -exit "$RETURN"