From d8ece7d101fb16c99dfcc1224cc48f2c9cd4024d Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 18 Aug 2008 15:21:11 -0400 Subject: [PATCH] added 'monkeysphere-server extend-key' subcommand --- debian/changelog | 7 ++++- man/man8/monkeysphere-server.8 | 29 +++++++++++++----- src/common | 22 ++++++++++++++ src/monkeysphere-server | 54 ++++++++++++++++++++++------------ 4 files changed, 86 insertions(+), 26 deletions(-) diff --git a/debian/changelog b/debian/changelog index 828973f..40172aa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,14 @@ monkeysphere (0.9-1) experimental; urgency=low + [ Daniel Kahn Gillmor ] + * implemented "monkeysphere-server extend-key" to adjust expiration + dates. + + [ Jameson Graef Rollins ] * fixed bug in user id processing that prevented bad primary keys from being properly removed. - -- Jameson Graef Rollins Mon, 18 Aug 2008 10:13:36 -0700 + -- Daniel Kahn Gillmor Mon, 18 Aug 2008 14:59:56 -0400 monkeysphere (0.8-1) experimental; urgency=low diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 8e7278b..416cc87 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -36,13 +36,28 @@ specified, then all accounts on the system are processed. `u' may be used in place of `update-users'. .TP .B gen-key [HOSTNAME] -Generate a OpenPGP key pair for the host. If HOSTNAME is not -specified, then the system fully-qualified domain name will be user. -An alternate key bit length can be specified with the `-l' or -`--length' option (default 2048). An expiration length can be -specified with the `-e' or `--expire' option (prompt otherwise). A -key revoker fingerprint can be specified with the `-r' or `--revoker' -option. `g' may be used in place of `gen-key'. +Generate a OpenPGP key for the host. If HOSTNAME is not specified, +then the system fully-qualified domain name will be user. An +alternate key bit length can be specified with the `-l' or `--length' +option (default 2048). An expiration length can be specified with the +`-e' or `--expire' option (prompt otherwise). The expiration format +is the same as that of \fBextend-key\fP, below. A key revoker +fingerprint can be specified with the `-r' or `--revoker' option. `g' +may be used in place of `gen-key'. +.TP +.B extend-key EXPIRE +Extend the validity of the OpenPGP key for the host until EXPIRE from +the present. If EXPIRE is not specified, then the user will be +prompted for the extension term. Expiration is specified like GnuPG +does: +.nf + 0 = key does not expire + = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +.fi +`e' may be used in place of `extend-key'. .TP .B add-hostname HOSTNAME Add a hostname user ID to the server host key. `n+' may be used in diff --git a/src/common b/src/common index 9a03b9c..54ea9cb 100644 --- a/src/common +++ b/src/common @@ -83,6 +83,28 @@ gpg_escape() { sed 's/:/\\x3a/g' } +# prompt for GPG-formatted expiration, and emit result on stdout +get_gpg_expiration() { + local keyExpire= + + cat >&2 < = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +EOF + while [ -z "$keyExpire" ] ; do + read -p "Key is valid for? (0) " keyExpire + if ! test_gpg_expire ${keyExpire:=0} ; then + echo "invalid value" >&2 + unset keyExpire + fi + done + echo "$keyExpire" +} + # remove all lines with specified string from specified file remove_line() { local file diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 052e6de..91e2121 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -4,6 +4,7 @@ # # The monkeysphere scripts are written by: # Jameson Rollins +# Daniel Kahn Gillmor # # They are Copyright 2008, and are all released under the GPL, version 3 # or later. @@ -43,6 +44,7 @@ subcommands: --length (-l) BITS key length in bits (2048) --expire (-e) EXPIRE date to expire --revoker (-r) FINGERPRINT add a revoker + extend-key (e) EXPIRE extend expiration to EXPIRE add-hostname (n+) NAME[:PORT] add hostname user ID to server key revoke-hostname (n-) NAME[:PORT] revoke hostname user ID show-key (s) output all server host key information @@ -296,22 +298,9 @@ gen_key() { # prompt about key expiration if not specified if [ -z "$keyExpire" ] ; then - cat < = key expires in n days - w = key expires in n weeks - m = key expires in n months - y = key expires in n years -EOF - while [ -z "$keyExpire" ] ; do - read -p "Key is valid for? (0) " keyExpire - if ! test_gpg_expire ${keyExpire:=0} ; then - echo "invalid value" - unset keyExpire - fi - done - elif ! test_gpg_expire "$keyExpire" ; then + keyExpire=$(get_gpg_expiration) + fi + if ! test_gpg_expire "$keyExpire" ; then failure "invalid key expiration value '$keyExpire'." fi @@ -373,6 +362,31 @@ EOF log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" } +# extend the lifetime of a host key: +extend_key() { + local fpr=$(fingerprint_server_key) + local extendTo="$1" + + if [ -z "$fpr" ] ; then + failure "You don't appear to have a MonkeySphere host key on this server. Try 'monkeysphere-server gen-key' first." + fi + + if [ -z "$extendTo" ]; then + extendTo=$(get_gpg_expiration) + fi + if ! test_gpg_expire "$extendTo" ; then + failure "invalid expiration value '$extendTo'." + fi + + gpg_host --quiet --command-fd 0 --edit-key "$fpr" <