From: Jameson Graef Rollins Date: Sun, 1 Feb 2009 01:35:43 +0000 (-0500) Subject: break out subfunctions from monkeysphere command X-Git-Tag: monkeysphere_0.23~154^2~3 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=54b8a4cdbedafdde87cfa35dc61a48d6a2d46bc6;p=monkeysphere.git break out subfunctions from monkeysphere command --- diff --git a/Makefile b/Makefile index 6b674f1..212f174 100755 --- a/Makefile +++ b/Makefile @@ -47,17 +47,19 @@ clean: # this target is to be called from the tarball, not from the git # working dir! install: all installman - mkdir -p $(DESTDIR)$(PREFIX)/bin $(DESTDIR)$(PREFIX)/sbin $(DESTDIR)$(PREFIX)/share/monkeysphere - mkdir -p $(DESTDIR)$(PREFIX)/share/doc/monkeysphere + mkdir -p $(DESTDIR)$(PREFIX)/bin $(DESTDIR)$(PREFIX)/sbin $(DESTDIR)$(PREFIX)/share/monkeysphere/ + mkdir -p $(DESTDIR)$(PREFIX)/share/doc/monkeysphere/m $(DESTDIR)$(PREFIX)/share/doc/monkeysphere/mh $(DESTDIR)$(PREFIX)/share/doc/monkeysphere/ma mkdir -p $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere install src/monkeysphere src/keytrans/openpgp2ssh src/keytrans/pem2openpgp $(DESTDIR)$(PREFIX)/bin - install src/monkeysphere-authentication src/monkeysphere-host $(DESTDIR)$(PREFIX)/sbin + install src/monkeysphere-host src/monkeysphere-authentication $(DESTDIR)$(PREFIX)/sbin install -m 0644 src/common $(DESTDIR)$(PREFIX)/share/monkeysphere + install -m 0644 src/subcommands/m/* $(DESTDIR)$(PREFIX)/share/monkeysphere/m + install -m 0644 src/subcommands/mh/* $(DESTDIR)$(PREFIX)/share/monkeysphere/mh + install -m 0644 src/subcommands/ma/* $(DESTDIR)$(PREFIX)/share/monkeysphere/ma install doc/* $(DESTDIR)$(PREFIX)/share/doc/monkeysphere - install -m 0644 etc/gnupg-host.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/gnupg-host.conf$(ETCSUFFIX) - install -m 0644 etc/gnupg-authentication.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/gnupg-authentication.conf$(ETCSUFFIX) install -m 0644 etc/monkeysphere.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/monkeysphere.conf$(ETCSUFFIX) - install -m 0644 etc/monkeysphere-server.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/monkeysphere-server.conf$(ETCSUFFIX) + install -m 0644 etc/monkeysphere-host.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/monkeysphere-host.conf$(ETCSUFFIX) + install -m 0644 etc/monkeysphere-authentication.conf $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere/monkeysphere-authentication.conf$(ETCSUFFIX) installman: mkdir -p $(DESTDIR)$(MANPREFIX)/man1 $(DESTDIR)$(MANPREFIX)/man7 $(DESTDIR)$(MANPREFIX)/man8 diff --git a/src/monkeysphere b/src/monkeysphere index 46abf6f..bce0072 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# monkeysphere: MonkeySphere client tool +# monkeysphere: Monkeysphere client tool # # The monkeysphere scripts are written by: # Jameson Rollins @@ -18,6 +18,9 @@ SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"} export SYSSHAREDIR . "${SYSSHAREDIR}/common" || exit 1 +# sharedir for host functions +MSHAREDIR="${SYSSHAREDIR}/m" + # UTC date in ISO 8601 format if needed DATE=$(date -u '+%FT%T') @@ -56,261 +59,6 @@ subcommands: EOF } -# import an existing ssh key as a gpg subkey -import_subkey() { - local keyFile="~/.ssh/id_rsa" - local keyExpire - local keyID - local gpgOut - local userID - - # get options - while true ; do - case "$1" in - -f|--keyfile) - keyFile="$2" - shift 2 - ;; - -e|--expire) - keyExpire="$2" - shift 2 - ;; - *) - if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then - failure "Unknown option '$1'. -Type '$PGRM help' for usage." - fi - break - ;; - esac - done - - log verbose "importing ssh key..." - fifoDir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) - (umask 077 && mkfifo "$fifoDir/pass") - ssh2openpgp | gpg --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --import & - - passphrase_prompt "Please enter your passphrase for $keyID: " "$fifoDir/pass" - - rm -rf "$fifoDir" - wait - log verbose "done." -} - -# generate a subkey with the 'a' usage flags set -gen_subkey(){ - local keyLength - local keyExpire - local keyID - local gpgOut - local userID - - # get options - while true ; do - case "$1" in - -l|--length) - keyLength="$2" - shift 2 - ;; - -e|--expire) - keyExpire="$2" - shift 2 - ;; - *) - if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then - failure "Unknown option '$1'. -Type '$PGRM help' for usage." - fi - break - ;; - esac - done - - case "$#" in - 0) - gpgSecOut=$(gpg --quiet --fixed-list-mode --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:') - ;; - 1) - gpgSecOut=$(gpg --quiet --fixed-list-mode --list-secret-keys --with-colons "$1" | egrep '^sec:') || failure - ;; - *) - failure "You must specify only a single primary key ID." - ;; - esac - - # check that only a single secret key was found - case $(echo "$gpgSecOut" | grep -c '^sec:') in - 0) - failure "No secret keys found. Create an OpenPGP key with the following command: - gpg --gen-key" - ;; - 1) - keyID=$(echo "$gpgSecOut" | cut -d: -f5) - ;; - *) - echo "Multiple primary secret keys found:" - echo "$gpgSecOut" | cut -d: -f5 - failure "Please specify which primary key to use." - ;; - esac - - # check that a valid authentication key does not already exist - IFS=$'\n' - for line in $(gpg --quiet --fixed-list-mode --list-keys --with-colons "$keyID") ; do - type=$(echo "$line" | cut -d: -f1) - validity=$(echo "$line" | cut -d: -f2) - usage=$(echo "$line" | cut -d: -f12) - - # look at keys only - if [ "$type" != 'pub' -a "$type" != 'sub' ] ; then - continue - fi - # check for authentication capability - if ! check_capability "$usage" 'a' ; then - continue - fi - # if authentication key is valid, prompt to continue - if [ "$validity" = 'u' ] ; then - echo "A valid authentication key already exists for primary key '$keyID'." - read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:N} - if [ "${OK/y/Y}" != 'Y' ] ; then - failure "aborting." - fi - break - fi - done - - # set subkey defaults - # prompt about key expiration if not specified - keyExpire=$(get_gpg_expiration "$keyExpire") - - # generate the list of commands that will be passed to edit-key - editCommands=$(cat </dev/null ; then - failure "No ssh-agent available." - fi - - # and if it looks like it's running, but we can't actually talk to - # it, bail out: - ssh-add -l >/dev/null - sshaddresponse="$?" - if [ "$sshaddresponse" = "2" ]; then - failure "Could not connect to ssh-agent" - fi - - # get list of secret keys (to work around https://bugs.g10code.com/gnupg/issue945): - secretkeys=$(gpg --list-secret-keys --with-colons --fixed-list-mode --fingerprint | \ - grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }') - - if [ -z "$secretkeys" ]; then - failure "You have no secret keys in your keyring! -You might want to run 'gpg --gen-key'." - fi - - authsubkeys=$(gpg --list-secret-keys --with-colons --fixed-list-mode \ - --fingerprint --fingerprint $secretkeys | \ - cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \ - grep '^fpr::' | cut -f3 -d: | sort -u) - - if [ -z "$authsubkeys" ]; then - failure "no authentication-capable subkeys available. -You might want to 'monkeysphere gen-subkey'" - fi - - workingdir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) - umask 077 - mkfifo "$workingdir/passphrase" - keysuccess=1 - - # FIXME: we're currently allowing any other options to get passed - # through to ssh-add. should we limit it to known ones? For - # example: -d or -c and/or -t - - for subkey in $authsubkeys; do - # choose a label by which this key will be known in the agent: - # we are labelling the key by User ID instead of by - # fingerprint, but filtering out all / characters to make sure - # the filename is legit. - - primaryuid=$(gpg --with-colons --list-key "0x${subkey}!" | grep '^pub:' | cut -f10 -d: | tr -d /) - - #kname="[monkeysphere] $primaryuid" - kname="$primaryuid" - - if [ "$1" = '-d' ]; then - # we're removing the subkey: - gpg --export "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname" - (cd "$workingdir" && ssh-add -d "$kname") - else - # we're adding the subkey: - mkfifo "$workingdir/$kname" - gpg --quiet --passphrase-fd 3 3<"$workingdir/passphrase" \ - --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \ - --export-secret-subkeys "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname" & - (cd "$workingdir" && DISPLAY=nosuchdisplay SSH_ASKPASS=/bin/false ssh-add "$@" "$kname" +# Jamie McClelland +# Daniel Kahn Gillmor +# +# They are Copyright 2008-2009, and are all released under the GPL, +# version 3 or later. + +# generate a subkey with the 'a' usage flags set + +gen_subkey(){ + local keyLength + local keyExpire + local keyID + local gpgOut + local userID + + # get options + while true ; do + case "$1" in + -l|--length) + keyLength="$2" + shift 2 + ;; + -e|--expire) + keyExpire="$2" + shift 2 + ;; + *) + if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then + failure "Unknown option '$1'. +Type '$PGRM help' for usage." + fi + break + ;; + esac + done + + case "$#" in + 0) + gpgSecOut=$(gpg --quiet --fixed-list-mode --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:') + ;; + 1) + gpgSecOut=$(gpg --quiet --fixed-list-mode --list-secret-keys --with-colons "$1" | egrep '^sec:') || failure + ;; + *) + failure "You must specify only a single primary key ID." + ;; + esac + + # check that only a single secret key was found + case $(echo "$gpgSecOut" | grep -c '^sec:') in + 0) + failure "No secret keys found. Create an OpenPGP key with the following command: + gpg --gen-key" + ;; + 1) + keyID=$(echo "$gpgSecOut" | cut -d: -f5) + ;; + *) + echo "Multiple primary secret keys found:" + echo "$gpgSecOut" | cut -d: -f5 + failure "Please specify which primary key to use." + ;; + esac + + # check that a valid authentication key does not already exist + IFS=$'\n' + for line in $(gpg --quiet --fixed-list-mode --list-keys --with-colons "$keyID") ; do + type=$(echo "$line" | cut -d: -f1) + validity=$(echo "$line" | cut -d: -f2) + usage=$(echo "$line" | cut -d: -f12) + + # look at keys only + if [ "$type" != 'pub' -a "$type" != 'sub' ] ; then + continue + fi + # check for authentication capability + if ! check_capability "$usage" 'a' ; then + continue + fi + # if authentication key is valid, prompt to continue + if [ "$validity" = 'u' ] ; then + echo "A valid authentication key already exists for primary key '$keyID'." + read -p "Are you sure you would like to generate another one? (y/N) " OK; OK=${OK:N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "aborting." + fi + break + fi + done + + # set subkey defaults + # prompt about key expiration if not specified + keyExpire=$(get_gpg_expiration "$keyExpire") + + # generate the list of commands that will be passed to edit-key + editCommands=$(cat < +# Jamie McClelland +# Daniel Kahn Gillmor +# +# They are Copyright 2008-2009, and are all released under the GPL, +# version 3 or later. + +# import an existing ssh key as a gpg subkey + +import_subkey() { + local keyFile="~/.ssh/id_rsa" + local keyExpire + local keyID + local gpgOut + local userID + + # get options + while true ; do + case "$1" in + -f|--keyfile) + keyFile="$2" + shift 2 + ;; + -e|--expire) + keyExpire="$2" + shift 2 + ;; + *) + if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then + failure "Unknown option '$1'. +Type '$PGRM help' for usage." + fi + break + ;; + esac + done + + log verbose "importing ssh key..." + fifoDir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) + (umask 077 && mkfifo "$fifoDir/pass") + ssh2openpgp | gpg --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --import & + + passphrase_prompt "Please enter your passphrase for $keyID: " "$fifoDir/pass" + + rm -rf "$fifoDir" + wait + log verbose "done." +} diff --git a/src/subcommands/m/subkey-to-ssh-agent b/src/subcommands/m/subkey-to-ssh-agent new file mode 100644 index 0000000..9bedb5e --- /dev/null +++ b/src/subcommands/m/subkey-to-ssh-agent @@ -0,0 +1,112 @@ +# -*-shell-script-*- +# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) + +# Monkeysphere subkey-to-ssh-agent subcommand +# +# The monkeysphere scripts are written by: +# Jameson Rollins +# Jamie McClelland +# Daniel Kahn Gillmor +# +# They are Copyright 2008-2009, and are all released under the GPL, +# version 3 or later. + +# try to add all authentication subkeys to the agent + +subkey_to_ssh_agent() { + local sshaddresponse + local secretkeys + local authsubkeys + local workingdir + local keysuccess + local subkey + local publine + local kname + + if ! test_gnu_dummy_s2k_extension ; then + failure "Your version of GnuTLS does not seem capable of using with gpg's exported subkeys. +You may want to consider patching or upgrading to GnuTLS 2.6 or later. + +For more details, see: + http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html" + fi + + # if there's no agent running, don't bother: + if [ -z "$SSH_AUTH_SOCK" ] || ! which ssh-add >/dev/null ; then + failure "No ssh-agent available." + fi + + # and if it looks like it's running, but we can't actually talk to + # it, bail out: + ssh-add -l >/dev/null + sshaddresponse="$?" + if [ "$sshaddresponse" = "2" ]; then + failure "Could not connect to ssh-agent" + fi + + # get list of secret keys (to work around https://bugs.g10code.com/gnupg/issue945): + secretkeys=$(gpg --list-secret-keys --with-colons --fixed-list-mode --fingerprint | \ + grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }') + + if [ -z "$secretkeys" ]; then + failure "You have no secret keys in your keyring! +You might want to run 'gpg --gen-key'." + fi + + authsubkeys=$(gpg --list-secret-keys --with-colons --fixed-list-mode \ + --fingerprint --fingerprint $secretkeys | \ + cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \ + grep '^fpr::' | cut -f3 -d: | sort -u) + + if [ -z "$authsubkeys" ]; then + failure "no authentication-capable subkeys available. +You might want to 'monkeysphere gen-subkey'" + fi + + workingdir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) + umask 077 + mkfifo "$workingdir/passphrase" + keysuccess=1 + + # FIXME: we're currently allowing any other options to get passed + # through to ssh-add. should we limit it to known ones? For + # example: -d or -c and/or -t + + for subkey in $authsubkeys; do + # choose a label by which this key will be known in the agent: + # we are labelling the key by User ID instead of by + # fingerprint, but filtering out all / characters to make sure + # the filename is legit. + + primaryuid=$(gpg --with-colons --list-key "0x${subkey}!" | grep '^pub:' | cut -f10 -d: | tr -d /) + + #kname="[monkeysphere] $primaryuid" + kname="$primaryuid" + + if [ "$1" = '-d' ]; then + # we're removing the subkey: + gpg --export "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname" + (cd "$workingdir" && ssh-add -d "$kname") + else + # we're adding the subkey: + mkfifo "$workingdir/$kname" + gpg --quiet --passphrase-fd 3 3<"$workingdir/passphrase" \ + --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \ + --export-secret-subkeys "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname" & + (cd "$workingdir" && DISPLAY=nosuchdisplay SSH_ASKPASS=/bin/false ssh-add "$@" "$kname"