monkeysphere (0.9-1) experimental; urgency=low
+ [ Daniel Kahn Gillmor ]
+ * implemented "monkeysphere-server extend-key" to adjust expiration
+ dates.
+
+ [ Jameson Graef Rollins ]
* fixed bug in user id processing that prevented bad primary keys from
being properly removed.
- -- Jameson Graef Rollins <jrollins@phys.columbia.edu> Mon, 18 Aug 2008 10:13:36 -0700
+ -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net> Mon, 18 Aug 2008 14:59:56 -0400
monkeysphere (0.8-1) experimental; urgency=low
used in place of `update-users'.
.TP
.B gen-key [HOSTNAME]
-Generate a OpenPGP key pair for the host. If HOSTNAME is not
-specified, then the system fully-qualified domain name will be user.
-An alternate key bit length can be specified with the `-l' or
-`--length' option (default 2048). An expiration length can be
-specified with the `-e' or `--expire' option (prompt otherwise). A
-key revoker fingerprint can be specified with the `-r' or `--revoker'
-option. `g' may be used in place of `gen-key'.
+Generate a OpenPGP key for the host. If HOSTNAME is not specified,
+then the system fully-qualified domain name will be user. An
+alternate key bit length can be specified with the `-l' or `--length'
+option (default 2048). An expiration length can be specified with the
+`-e' or `--expire' option (prompt otherwise). The expiration format
+is the same as that of \fBextend-key\fP, below. A key revoker
+fingerprint can be specified with the `-r' or `--revoker' option. `g'
+may be used in place of `gen-key'.
+.TP
+.B extend-key EXPIRE
+Extend the validity of the OpenPGP key for the host until EXPIRE from
+the present. If EXPIRE is not specified, then the user will be
+prompted for the extension term. Expiration is specified like GnuPG
+does:
+.nf
+ 0 = key does not expire
+ <n> = key expires in n days
+ <n>w = key expires in n weeks
+ <n>m = key expires in n months
+ <n>y = key expires in n years
+.fi
+`e' may be used in place of `extend-key'.
.TP
.B add-hostname HOSTNAME
Add a hostname user ID to the server host key. `n+' may be used in
sed 's/:/\\x3a/g'
}
+# prompt for GPG-formatted expiration, and emit result on stdout
+get_gpg_expiration() {
+ local keyExpire=
+
+ cat >&2 <<EOF
+Please specify how long the key should be valid.
+ 0 = key does not expire
+ <n> = key expires in n days
+ <n>w = key expires in n weeks
+ <n>m = key expires in n months
+ <n>y = key expires in n years
+EOF
+ while [ -z "$keyExpire" ] ; do
+ read -p "Key is valid for? (0) " keyExpire
+ if ! test_gpg_expire ${keyExpire:=0} ; then
+ echo "invalid value" >&2
+ unset keyExpire
+ fi
+ done
+ echo "$keyExpire"
+}
+
# remove all lines with specified string from specified file
remove_line() {
local file
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@fifthhorseman.net>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008, and are all released under the GPL, version 3
# or later.
--length (-l) BITS key length in bits (2048)
--expire (-e) EXPIRE date to expire
--revoker (-r) FINGERPRINT add a revoker
+ extend-key (e) EXPIRE extend expiration to EXPIRE
add-hostname (n+) NAME[:PORT] add hostname user ID to server key
revoke-hostname (n-) NAME[:PORT] revoke hostname user ID
show-key (s) output all server host key information
# prompt about key expiration if not specified
if [ -z "$keyExpire" ] ; then
- cat <<EOF
-Please specify how long the key should be valid.
- 0 = key does not expire
- <n> = key expires in n days
- <n>w = key expires in n weeks
- <n>m = key expires in n months
- <n>y = key expires in n years
-EOF
- while [ -z "$keyExpire" ] ; do
- read -p "Key is valid for? (0) " keyExpire
- if ! test_gpg_expire ${keyExpire:=0} ; then
- echo "invalid value"
- unset keyExpire
- fi
- done
- elif ! test_gpg_expire "$keyExpire" ; then
+ keyExpire=$(get_gpg_expiration)
+ fi
+ if ! test_gpg_expire "$keyExpire" ; then
failure "invalid key expiration value '$keyExpire'."
fi
log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key"
}
+# extend the lifetime of a host key:
+extend_key() {
+ local fpr=$(fingerprint_server_key)
+ local extendTo="$1"
+
+ if [ -z "$fpr" ] ; then
+ failure "You don't appear to have a MonkeySphere host key on this server. Try 'monkeysphere-server gen-key' first."
+ fi
+
+ if [ -z "$extendTo" ]; then
+ extendTo=$(get_gpg_expiration)
+ fi
+ if ! test_gpg_expire "$extendTo" ; then
+ failure "invalid expiration value '$extendTo'."
+ fi
+
+ gpg_host --quiet --command-fd 0 --edit-key "$fpr" <<EOF
+expire
+$extendTo
+save
+EOF
+ echo "NOTE: Host key expiration date adjusted, but not yet published."
+ echo "Run '$PGRM publish-key' to publish the new expiration date."
+}
+
# add hostname user ID to server key
add_hostname() {
local userID
if [ "$expire" ]; then
if (( "$expire" < "$curdate" )); then
echo "! Host key is expired."
- # FIXME: recommend a way to resolve this other than re-keying?
+ echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
elif (( "$expire" < "$warndate" )); then
echo "! Host key expires in less than $warnwindow:" $(date -d "$(( $expire - $curdate )) seconds" +%F)
- # FIXME: recommend a way to resolve this?
+ echo " - Recommendation: extend lifetime of key with 'monkeysphere-server extend-key'"
fi
fi
gen_key "$@"
;;
+ 'extend-key'|'e')
+ extend_key "$@"
+ ;;
+
'add-hostname'|'add-name'|'n+')
add_hostname "$@"
;;