/usr/share/monkeysphere/m/subkey_to_ssh_agent is in monkeysphere 0.41-1ubuntu1.
This file is owned by root:root, with mode 0o644.
# -*-shell-script-*-
# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
# Monkeysphere subkey-to-ssh-agent subcommand
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008-2009, and are all released under the GPL,
# version 3 or later.
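#######################################
# Add every authentication-capable OpenPGP subkey to the running
# ssh-agent (or remove them, when the first argument is "-d").
# FIXME: what if you only want to add one authentication subkey to the
# agent?
#
# Globals:
#   SSH_AUTH_SOCK (read) - must point at a reachable agent
#   MONKEYSPHERE_SUBKEYS_FOR_AGENT (read) - optional whitespace-separated
#     list of subkey fingerprints; when set it replaces the keyring scan
# Arguments:
#   "$@" - passed through verbatim to ssh-add / agent-transfer; "-d" as
#          $1 switches to removal mode
# Outputs:
#   diagnostics through log/failure; prompts for the passphrase on the
#   gpg < 2.1 path
# Returns:
#   0 if every subkey was handled, otherwise the exit status of the
#   last subkey that failed (earlier failures are overwritten)
#######################################
subkey_to_ssh_agent() {
    local sshaddresponse=0
    local secretkeys
    local authsubkeys
    local workingdir
    local keysuccess=0
    local subkey
    local kname
    local awk_pgrm
    # these three were previously undeclared and leaked into the caller's scope
    local capability
    local primaryuid
    local keygrip
    local sshaddpid

    # if there's no agent running, don't bother:
    if [ -z "$SSH_AUTH_SOCK" ] || ! type ssh-add >/dev/null ; then
        failure "No ssh-agent available."
    fi

    # and if it looks like it's running, but we can't actually talk to
    # it, bail out.  ssh-add exits 2 when it cannot contact the agent;
    # 1 merely means "no identities loaded", which is fine here.
    ssh-add -l >/dev/null || sshaddresponse="$?"
    if [ "$sshaddresponse" = "2" ]; then
        failure "Could not connect to ssh-agent"
    fi

    # if the MONKEYSPHERE_SUBKEYS_FOR_AGENT variable is set, use the
    # keys specified there
    if [ "$MONKEYSPHERE_SUBKEYS_FOR_AGENT" ] ; then
        authsubkeys="$MONKEYSPHERE_SUBKEYS_FOR_AGENT"
    # otherwise find all authentication-capable subkeys and use those
    else
        # get list of secret keys
        # (to work around bug https://bugs.g10code.com/gnupg/issue945):
        secretkeys=$(gpg_user --list-secret-keys --with-colons \
            --fingerprint | \
            awk -F: '/^fpr:/{ if (ok) { print "0x" $10 "!" } ; ok=0 } /^sec:/{ ok=1 }')

        if [ -z "$secretkeys" ]; then
            failure "You have no secret keys in your keyring!
You might want to run 'gpg --gen-key'."
        fi

        # $2 regex means "is some kind of valid, or at least not invalid"
        # $12 ~ /a/ means "authentication-capable"
        # $4 == 1 means "RSA"
        awk_pgrm='
/^sub:/{ if (($2 ~ /^[somfuq-]$/) && ($12 ~ /a/) && ($4 == 1)) { ok = 1 }; };
/^fpr:/{ if (ok) { print $10 ; ok = 0; }; };'
        # $secretkeys is deliberately unquoted: it is a newline-separated
        # list of key specs that must become separate arguments.
        # shellcheck disable=SC2086
        authsubkeys=$(gpg_user --list-keys --with-colons \
            --fingerprint --fingerprint $secretkeys | \
            awk -F: "$awk_pgrm" | sort -u)

        if [ -z "$authsubkeys" ]; then
            failure "no authentication-capable subkeys available.
You might want to run 'monkeysphere gen-subkey'."
        fi
    fi

    workingdir=$(msmktempdir)
    # expand the path now (the local goes out of scope on return) and
    # shell-quote it so the trap survives unusual characters in it
    trap "rm -rf -- $(printf '%q' "$workingdir")" EXIT
    # private temp files: the fifo carries the passphrase and the
    # exported secret key material
    umask 077
    mkfifo "$workingdir/passphrase"

    # FIXME: we're currently allowing any other options to get passed
    # through to ssh-add. should we limit it to known ones? For
    # example: -d or -c and/or -t <lifetime>
    # $authsubkeys is deliberately unquoted: one fingerprint per word.
    # shellcheck disable=SC2086
    for subkey in $authsubkeys; do
        # test that the subkey has proper capability.  The fingerprint
        # is handed to awk via -v rather than spliced into the program
        # text, so a malformed value cannot alter the awk program.
        awk_pgrm='
/^[ps]ub:/{ caps = $12 }
/^fpr:/{ if ($10 == want) { print caps }; }'
        capability=$(gpg_user --with-colons --with-fingerprint --with-fingerprint \
            --list-keys "0x${subkey}!" \
            | awk -F: -v want="$subkey" "$awk_pgrm")
        if ! check_capability "$capability" 'a' ; then
            log error "Did not find authentication-capable subkey with key ID '$subkey'."
            continue
        fi

        # choose a label by which this key will be known in the agent:
        # we are labelling the key by User ID instead of by
        # fingerprint, but filtering out all / characters to make sure
        # the filename is legit.  Note that the User ID is otherwise
        # used verbatim as a file name under $workingdir and as the
        # label passed to ssh-add.
        # FIXME: this assumes that the first listed uid is the primary
        # UID. does gpg guarantee that? is there some better way to
        # get this info?
        primaryuid=$(gpg_user --with-colons --list-key "0x${subkey}!" | grep '^uid:' | head -n1 | cut -f10 -d: | tr -d /)
        #kname="[monkeysphere] $primaryuid"
        kname="${primaryuid:-Monkeysphere Key 0x${subkey}}"

        if [ "$1" = '-d' ]; then
            # we're removing the subkey: ssh-add -d only needs the public half
            gpg_user --export --no-armor "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname"
            (cd "$workingdir" && ssh-add -d "$kname") || keysuccess="$?"
        else
            if is_gpg_version_greater_equal 2.1.0; then
                # gpg >= 2.1 keeps secret material in gpg-agent; look up
                # the keygrip and let agent-transfer move it across
                awk_pgrm='
/^fpr:/{ fpr = $10 }
/^grp:/{ if (fpr == want) { print $10; } }'
                keygrip=$(gpg_user --with-colons --with-keygrip --with-fingerprint \
                    --with-fingerprint --list-keys "0x${subkey}!" \
                    | awk -F: -v want="$subkey" "$awk_pgrm")
                agent-transfer "$@" "$keygrip" "$kname" || keysuccess="$?"
            else
                # we're adding the subkey: export the secret subkey into a
                # fifo (never a regular file) that ssh-add reads from
                mkfifo "$workingdir/$kname"
                gpg_user --batch --passphrase-fd 3 3<"$workingdir/passphrase" \
                    --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \
                    --export-secret-subkeys --no-armor "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname" &
                # ssh-add must never fall back to an askpass helper here
                (cd "$workingdir" && DISPLAY=nosuchdisplay SSH_ASKPASS=/bin/false ssh-add "$@" "$kname" </dev/null )&
                # remember the ssh-add subshell's PID instead of relying on
                # it being job %2 (job numbers depend on what else is
                # still in the job table)
                sshaddpid=$!
                passphrase_prompt "Enter passphrase for key $kname: " "$workingdir/passphrase"
                wait "$sshaddpid" || keysuccess="$?"
            fi
        fi
        rm -f "$workingdir/$kname"
    done

    trap - EXIT
    rm -rf -- "$workingdir"

    # FIXME: sort out the return values: we're just returning the
    # failure code of the last authentication subkey which fails.
    # what if more than one authentication subkey fails?
    return "$keysuccess"
}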