List key IDs trusted by the system to certify user identities. `c'
may be used in place of `list-id-certifiers'.
.TP
+.B diagnostics
+Review the state of the server with respect to authentication. `d'
+may be used in place of `diagnostics'.
+.TP
+.B gpg-cmd
+Execute a gpg command, as the monkeysphere user, on the monkeysphere
+authentication "sphere" keyring. This takes a single argument
+(multiple gpg arguments need to be quoted). Use this command with
+caution, as modifying the authentication sphere keyring can affect ssh
+user authentication.
+.TP
.B help
Output a brief usage summary. `h' or `?' may be used in place of
`help'.
.B version
show version number
-.SH "EXPERT" SUBCOMMANDS
-
-Some commands are very unlikely to be needed by most administrators.
-These commands must prefaced by the word `expert'.
-.TP
-.B diagnostics
-Review the state of the server with respect to authentication. `d'
-may be used in place of `diagnostics'.
-.TP
-.B gpg-cmd
-Execute a gpg command on the gnupg-authentication keyring as the
-monkeysphere user. This takes a single command (multiple gpg
-arguments need to be quoted). Use this command with caution, as
-modifying the gnupg-authentication keyring can affect ssh user
-authentication.
-
.SH SETUP USER AUTHENTICATION
If the server will handle user authentication through
Publish the host's OpenPGP key to the keyserver. `p' may be used in
place of `publish-key'.
.TP
-.B help
-Output a brief usage summary. `h' or `?' may be used in place of
-`help'.
-.TP
-.B version
-show version number
-
-.SH "EXPERT" SUBCOMMANDS
-
-Some commands are very unlikely to be needed by most administrators.
-These commands must prefaced by the word `expert'.
-.TP
-.B gen-key [HOSTNAME]
-Generate a OpenPGP key for the host. If HOSTNAME is not specified,
-then the system fully-qualified domain name will be user. An
-alternate key bit length can be specified with the `-l' or `--length'
-option (default 2048). An expiration length can be specified with the
-`-e' or `--expire' option (prompt otherwise). The expiration format
-is the same as that of \fBextend-key\fP, below. `g' may be used in
-place of `gen-key'.
-.TP
-.B import-key
-FIXME:
- import-key (i) import existing ssh key to gpg
- --hostname (-h) NAME[:PORT] hostname for key user ID
- --keyfile (-f) FILE key file to import
- --expire (-e) EXPIRE date to expire
+.B import-key [NAME[:PORT]]
+Import a pem-encoded ssh secret host key, from stdin. NAME[:PORT] is
+used to specify the hostname (and port) used in the user ID of the new
+OpenPGP key. If NAME is not specified, then the system
+fully-qualified domain name will be used (ie. `hostname -f'). If PORT
+is not specified, the no port is added to the user ID, which means
+port 22 is assumed. `i' may be used in place of `import-key'.
.TP
.B diagnostics
Review the state of the monkeysphere server host key and report on
there is a valid host key, that the key is published, that the sshd
configuration points to the right place, etc. `d' may be used in
place of `diagnostics'.
+.TP
+.B help
+Output a brief usage summary. `h' or `?' may be used in place of
+`help'.
+.TP
+.B version
+show version number
.SH SETUP HOST AUTHENTICATION
$ monkeysphere-host publish-key
-You must also modify the sshd_config on the server to tell sshd where
-the new server host key is located:
-
-HostKey /var/lib/monkeysphere/host/ssh_host_rsa_key
-
In order for users logging into the system to be able to identify the
host via the monkeysphere, at least one person (e.g. a server admin)
will need to sign the host's key. This is done using standard OpenPGP
remove-id-certifier (c-) KEYID remove a certification key
list-id-certifiers (c) list certification keys
- expert <expert-subcommand> run expert command
- expert help expert command help
-
version (v) show version number
help (h,?) this help
+See ${PGRM}(8) for more info.
EOF
}
list_certifiers "$@"
;;
- 'expert')
- SUBCOMMAND="$1"
- shift
- case "$SUBCOMMAND" in
- 'help'|'h'|'?')
- cat <<EOF
-usage: $PGRM expert <subcommand> [options] [args]
-
-expert subcommands:
- diagnostics (d) monkeysphere authentication status
- gpg-cmd CMD execute gpg command
-
-EOF
- ;;
-
- 'diagnostics'|'d')
- source "${MASHAREDIR}/diagnostics"
- diagnostics
- ;;
-
- 'gpg-cmd')
- gpg_sphere "$@"
- ;;
+ 'diagnostics'|'d')
+ source "${MASHAREDIR}/diagnostics"
+ diagnostics
+ ;;
- *)
- failure "Unknown expert subcommand: '$COMMAND'
-Type '$PGRM help' for usage."
- ;;
- esac
+ 'gpg-cmd')
+ gpg_sphere "$@"
;;
'version'|'v')
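Review bot: The `gpg-cmd` arm now dispatches `gpg_sphere "$@"` as an ordinary subcommand, so the `expert` prefix that used to stand between an admin and arbitrary edits of the keyring that decides who may log in over ssh is gone, and nothing replaces it. The man page in this same commit says the command "takes a single argument (multiple gpg arguments need to be quoted)", which reads as though gpg_sphere re-splits `$1`, while this arm forwards every argument; gpg_sphere is outside the hunk, so I cannot tell which side is right, but one of the two needs correcting. At minimum I would record what is about to touch the sphere keyring before running it, e.g. `log info "gpg-cmd on the authentication sphere keyring: $*"` (the `log` helper is used by the gen_key script deleted further down, so presumably it is in scope here too — verify), and carry the man page's "use with caution" wording into the short help so the warning survives the move out of `expert`. The enclosing `case` on the subcommand begins before this hunk and its default `*)` arm is not visible, so I cannot confirm that unknown subcommands still fail the way the removed `expert` branch did.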
revoke-key (r) revoke host key
publish-key (p) publish host key to keyserver
- expert <expert-subcommand> run expert command
- expert help expert command help
+ import-key (i) [NAME[:PORT]] import existing ssh key to gpg
version (v) show version number
help (h,?) this help
+See ${PGRM}(8) for more info.
EOF
}
publish_key
;;
- 'expert')
- SUBCOMMAND="$1"
- shift
- case "$SUBCOMMAND" in
- 'help'|'h'|'?')
- cat <<EOF
-usage: $PGRM expert <subcommand> [options] [args]
-
-expert subcommands:
- import-key (i) [NAME[:PORT]] import existing ssh key to gpg
- gen-key (g) [NAME[:PORT]] generate gpg key for the host
- --length (-l) BITS key length in bits (2048)
- diagnostics (d) monkeysphere host status
+ 'import-key'|'i')
+ load_fingerprint
+ check_host_key
+ source "${MHSHAREDIR}/import_key"
+ import_key "$@"
+ ;;
-EOF
- ;;
-
- 'import-key'|'i')
- load_fingerprint
- check_host_key
- source "${MHSHAREDIR}/import_key"
- import_key "$@"
- ;;
-
- 'gen-key'|'g')
- load_fingerprint
- check_host_key
- source "${MHSHAREDIR}/gen_key"
- gen_key "$@"
- ;;
-
- 'diagnostics'|'d')
- source "${MHSHAREDIR}/diagnostics"
- diagnostics
- ;;
-
- *)
- failure "Unknown expert subcommand: '$COMMAND'
-Type '$PGRM help' for usage."
- ;;
- esac
+ 'diagnostics'|'d')
+ source "${MHSHAREDIR}/diagnostics"
+ diagnostics
;;
'version'|'v')
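Review bot: With the `gen-key` arm deleted, the `import-key` arm is now the only path that creates the host's OpenPGP key, and its positional argument is the host name for the user ID while the secret key itself arrives on stdin (per the man page text earlier in this diff) — yet the short help line added above still reads `import existing ssh key to gpg`, which invites an admin to pass the key file path as the argument and end up with that path baked into the key's user ID. I would make the help line say where the key comes from, e.g. `import-key (i) [NAME[:PORT]] import existing ssh host key (PEM on stdin) to gpg`. The arm keeps `load_fingerprint` and `check_host_key` ahead of the import exactly as the removed `gen-key` arm did, which presumably refuses to overwrite an existing host key — worth confirming in `${MHSHAREDIR}/import_key`, since that is the only guard left against clobbering a published key. The enclosing `case` and its default `*)` arm lie outside this hunk.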
+++ /dev/null
-# -*-shell-script-*-
-# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
-
-# Monkeysphere host gen-key subcommand
-#
-# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@finestructure.net>
-# Jamie McClelland <jm@mayfirst.org>
-# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-#
-# They are Copyright 2008-2009, and are all released under the GPL,
-# version 3 or later.
-
-gen_key() {
-
-local hostName
-local keyType="RSA"
-local keyLength="2048"
-local keyUsage="auth"
-local keyExpire="0"
-local userID
-
-# get options
-while true ; do
- case "$1" in
- -l|--length)
- keyLength="$2"
- shift 2
- ;;
- *)
- if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
- failure "Unknown option '$1'.
-Type '$PGRM help' for usage."
- fi
- break
- ;;
- esac
-done
-
-hostName=${1:-$(hostname -f)}
-userID="ssh://${hostName}"
-
-# create host home
-mkdir -p "${MHDATADIR}"
-mkdir -p "${MHTMPDIR}"
-mkdir -p "${GNUPGHOME_HOST}"
-chmod 700 "${GNUPGHOME_HOST}"
-
-log debug "generating host key..."
-gpg_host --batch --gen-key <<EOF
-Key-Type: $keyType
-Key-Length: $keyLength
-Key-Usage: $keyUsage
-Name-Real: $userID
-Expire-Date: $keyExpire
-
-%commit
-%echo done
-
-EOF
-
-# load the new host fpr into the fpr variable
-load_fingerprint_secret
-
-# export the host secret key to the monkeysphere ssh sec key file
-# NOTE: assumes that the primary key is the proper key to use
-log debug "creating ssh secret key file..."
-(umask 077 && \
- gpg_host --export-secret-key "$HOST_FINGERPRINT" | \
- openpgp2ssh "$HOST_FINGERPRINT" > "${MHDATADIR}/ssh_host_rsa_key")
-log info "SSH host secret key file: ${MHDATADIR}/ssh_host_rsa_key"
-
-# export the host public key to the monkeysphere ssh pub key file
-log debug "creating ssh public key file..."
-ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "$HOST_KEY_PUB"
-log info "SSH host public key file: $HOST_KEY_PUB"
-
-# export to gpg public key to file
-create_gpg_pub_file
-
-# show info about new key
-show_key
-
-}