This file is indexed.

/usr/sbin/monkeysphere-authentication is in monkeysphere 0.41-1.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
#!/usr/bin/env bash

# monkeysphere-authentication: Monkeysphere authentication admin tool
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Micah Anderson <micah@riseup.net>
#
# They are Copyright 2008-2009, and are all released under the GPL,
# version 3 or later.

########################################################################
set -e

# set the pipefail option so pipelines fail on first command failure
set -o pipefail

PGRM=$(basename $0)

SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
export SYSSHAREDIR
. "${SYSSHAREDIR}/defaultenv"
. "${SYSSHAREDIR}/common"

# sharedir for authentication functions
MASHAREDIR="${SYSSHAREDIR}/ma"

# datadir for authentication functions
MADATADIR="${SYSDATADIR}/authentication"

# temp directory to enable atomic moves of authorized_keys files
MATMPDIR="${MADATADIR}/tmp"
export MATMPDIR

# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')

# unset some environment variables that could screw things up
unset GREP_OPTIONS

########################################################################
# FUNCTIONS
########################################################################

usage() {
    cat <<EOF >&2
usage: $PGRM <subcommand> [options] [args]
Monkeysphere authentication admin tool.

subcommands:
 update-users (u) [USER]...        update user authorized_keys files
 keys-for-user (k) USER            output user authorized_keys lines to stdout
 refresh-keys (r)                  refresh keys in keyring

 add-id-certifier (c+) KEYID|FILE  import and tsign a certification key
   [--domain (-n) DOMAIN]            limit ID certifications to DOMAIN
   [--trust (-t) TRUST]              trust level of certifier (default: full)
   [--depth (-d) DEPTH]              trust depth for certifier (default: 1)
 remove-id-certifier (c-) KEYID    remove a certification key
 list-id-certifiers (c)            list certification keys

 version (v)                       show version number
 help (h,?)                        this help

See ${PGRM}(8) for more info.
EOF
}

# function to interact with the gpg core keyring
gpg_core() {
    GNUPGHOME="$GNUPGHOME_CORE"
    export GNUPGHOME

    gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@"
}

# function to interact with the gpg sphere keyring
gpg_sphere() {
    GNUPGHOME="$GNUPGHOME_SPHERE"
    export GNUPGHOME
 
    su_monkeysphere_user gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@"
}

check_openpgp2ssh_sanity() {
    if [[ `su_monkeysphere_user openpgp2ssh ABC &>/dev/null || echo $?` != "255" ]]; then
        echo "openpgp2ssh command gives unexpected return code. This can lead to a scenario where no authorized keys are populated, even though they are otherwise valid. Aborting!" 
        exit 1
    fi; 
}

# output to stdout the core fingerprint from the gpg core secret
# keyring
core_fingerprint() {
    log debug "determining core key fingerprint..."
    gpg_core --list-secret-key --with-colons \
        --with-fingerprint \
	| awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^sec:/{ ok=1 }'
}

# export signatures from core to sphere
gpg_core_sphere_sig_transfer() {
    log debug "exporting core local sigs to sphere..."
    gpg_core --export-options export-local-sigs --export | \
	gpg_sphere --import-options import-local-sigs --import 2>&1 | log debug
}

########################################################################
# MAIN
########################################################################

# set unset default variables
AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids"
RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"

# load configuration file
[ -e ${MONKEYSPHERE_AUTHENTICATION_CONFIG:="${SYSCONFIGDIR}/monkeysphere-authentication.conf"} ] \
    && . "$MONKEYSPHERE_AUTHENTICATION_CONFIG"

# set empty config variable with ones from the environment
LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=$LOG_LEVEL}
KEYSERVER=${MONKEYSPHERE_KEYSERVER:=$KEYSERVER}
CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=$CHECK_KEYSERVER}
MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=$MONKEYSPHERE_USER}
MONKEYSPHERE_GROUP=$(get_primary_group "$MONKEYSPHERE_USER")
PROMPT=${MONKEYSPHERE_PROMPT:=$PROMPT}
AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=$AUTHORIZED_USER_IDS}
RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=$RAW_AUTHORIZED_KEYS}
STRICT_MODES=${MONKEYSPHERE_STRICT_MODES:=$STRICT_MODES}

# other variables
REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${MADATADIR}/core"}
GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${MADATADIR}/sphere"}
CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"}
LOG_PREFIX=${MONKEYSPHERE_LOG_PREFIX:='ms: '}

# export variables needed in su invocation
export DATE
export LOG_LEVEL
export KEYSERVER
export MONKEYSPHERE_USER
export MONKEYSPHERE_GROUP
export PROMPT
export CHECK_KEYSERVER
export REQUIRED_USER_KEY_CAPABILITY
export GNUPGHOME_CORE
export GNUPGHOME_SPHERE
export GNUPGHOME
export CORE_KEYLENGTH
export LOG_PREFIX

if [ "$#" -eq 0 ] ; then 
    usage
    failure "Please supply a subcommand."
fi

# get subcommand
COMMAND="$1"
shift

case $COMMAND in
    'setup'|'setup'|'s')
	source "${MASHAREDIR}/setup"
	setup
	;;

    'update-users'|'update-user'|'update'|'u')
	source "${MASHAREDIR}/setup"
	setup
	check_openpgp2ssh_sanity
	source "${MASHAREDIR}/update_users"
	OUTPUT_STDOUT= update_users "$@"
	;;

    'keys-for-user'|'k')
	(( $# > 0 )) || failure "Must specify user."
	source "${MASHAREDIR}/setup"
	setup
	check_openpgp2ssh_sanity
	source "${MASHAREDIR}/update_users"
	OUTPUT_STDOUT=true update_users "$1"
	;;

    'refresh-keys'|'refresh'|'r')
	source "${MASHAREDIR}/setup"
	setup
	gpg_sphere --keyserver "$KEYSERVER" --refresh-keys
	;;

    'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
	source "${MASHAREDIR}/setup"
	setup
	source "${MASHAREDIR}/add_certifier"
	add_certifier "$@"
	;;

    'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-')
	source "${MASHAREDIR}/setup"
	setup
	source "${MASHAREDIR}/remove_certifier"
	remove_certifier "$@"
	;;

    'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c')
	source "${MASHAREDIR}/setup"
	setup
	source "${MASHAREDIR}/list_certifiers"
	list_certifiers
	;;

    'diagnostics'|'d')
	source "${MASHAREDIR}/setup"
	setup
	source "${MASHAREDIR}/diagnostics"
	diagnostics
	;;

    'gpg-cmd')
	source "${MASHAREDIR}/setup"
	setup
	gpg_sphere "$@"
	;;

    'version'|'--version'|'v')
	version
	;;

    '--help'|'help'|'-h'|'h'|'?')
        usage
        ;;

    *)
        failure "Unknown command: '$COMMAND'
Try '$PGRM help' for usage."
        ;;
esac