/mandos/release : revision 237.2.1

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2008-12-10 01:26:02 UTC
mfrom: (237.1.2 mandos)
mto: (24.1.114 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
mto: This revision was merged to the branch mainline in revision 238.
Revision ID: teddy@fukt.bsnet.se-20081210012602-vhz3h75xkj24t340

First version of a somewhat complete D-Bus server interface.  Also
change user/group name to "_mandos".

* debian/mandos.postinst: Rename old "mandos" user and group to
                          "_mandos"; create "_mandos" user and group
                          if none exist.
* debian/mandos-client.postinst: - '' -

* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
                        group name.

* mandos (_datetime_to_dbus_struct): New; was previously local.
  (Client.started): Renamed to "last_started".  All users changed.
  (Client.started): New; boolean.
  (Client.dbus_object_path): New.
  (Client.check_command): Renamed to "checker_command".  All users
                          changed.
  (Client.__init__): Set and use "self.dbus_object_path".  Set
                     "self.started".
  (Client.start): Update "self.started".  Emit "self.PropertyChanged"
                  signals for both "started" and "last_started".
  (Client.stop): Update "self.started".  Emit "self.PropertyChanged"
                 signal for "started".
  (Client.checker_callback): Take additional "command" argument.  All
                             callers changed. Emit
                             "self.PropertyChanged" signal.
  (Client.bump_timeout): Emit "self.PropertyChanged" signal for
                         "last_checked_ok".
  (Client.start_checker): Emit "self.PropertyChanged" signal for
                          "checker_running".
  (Client.stop_checker): Emit "self.PropertyChanged" signal for
                         "checker_running".
  (Client.still_valid): Bug fix: use "getattr(self, started, False)"
                        instead of "self.started" in case this client
                        object is so new that the "started" attribute
                        has not been created yet.
  (Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
  Client.GetCreated, Client.GetFingerprint, Client.GetHost,
  Client.GetInterval, Client.GetName, Client.GetStarted,
  Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
  Removed; all callers changed.
  (Client.CheckerCompleted): Add "condition" and "command" arguments.
                             All callers changed.
  (Client.GetAllProperties, Client.PropertyChanged): New.
  (Client.StillValid): Renamed to "IsStillValid".
  (Client.StartChecker): Changed to its own function to avoid the
                         return value from "Client.start_checker()".
  (Client.Stop): Changed to its own function to avoid the return value
                 from "Client.stop()".
  (main): Try "_mandos" before "mandos" as user and group name.
          Removed inner function "remove_from_clients".  New inner
          class "MandosServer".

files added:
debian/mandos-client.config

debian/mandos-client.templates

debian/mandos.config

debian/mandos.templates

debian/po/POTFILES.in

debian/po/sv.po

initramfs-tools-hook-conf

files removed:
DBUS-API

bugs.xml

dbus-mandos.conf

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

debian/watch

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/plymouth.c

plugins.d/plymouth.xml

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files modified:
.bzrignore

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create new keys for a Mandos client

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

# Contact the authors at <mandos@fukt.bsnet.se>.

VERSION="1.8.17"

VERSION="1.0.2"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYTYPE=DSA

KEYLENGTH=2048

SUBKEYTYPE=ELG-E

SUBKEYLENGTH=2048

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT=""

KEYCOMMENT="Mandos client key"

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:f \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

--name "$0" -- "$@"`

help(){

basename="`basename "$0"`"

basename="`basename $0`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-t TYPE, --type TYPE Key type. Default is DSA.

-l BITS, --length BITS

OpenPGP key length in bits. Default is 4096.

Key length in bits. Default is 2048.

-s TYPE, --subtype TYPE

OpenPGP subkey type. Default is RSA.

Subkey type. Default is ELG-E.

-L BITS, --sublength BITS

OpenPGP subkey length in bits. Default 4096.

Subkey length in bits. Default is 2048.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of OpenPGP key. Default empty.

Email address of key. Default is empty.

-c TEXT, --comment TEXT

Comment field for OpenPGP key. Default empty.

Comment field for key. The default value is

"Mandos client key".

-x TIME, --expire TIME

OpenPGP key expire time. Default is none.

Key expire time. Default is no expiration.

See gpg(1) for syntax.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

109

103

-e|--email) KEYEMAIL="$2"; shift 2;;

110

104

-c|--comment) KEYCOMMENT="$2"; shift 2;;

111

105

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

113

106

-f|--force) FORCE=yes; shift;;

114

-S|--no-ssh) SSH=no; shift;;

115

107

-v|--version) echo "$0 $VERSION"; exit;;

116

108

-h|--help) help; exit;;

117

109

--) shift; break;;

119

111

esac

120

112

done

121

113

if [ "$#" -gt 0 ]; then

122

echo "Unknown arguments: '$*'" >&2

114

echo "Unknown arguments: '$@'" >&2

123

115

exit 1

124

116

125

117

126

118

SECKEYFILE="$KEYDIR/seckey.txt"

127

119

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

130

120

131

121

# Check for some invalid values

132

122

if [ ! -d "$KEYDIR" ]; then

147

137

echo "Empty key type" >&2

148

138

exit 1

149

139

150

140

151

141

if [ -z "$KEYNAME" ]; then

152

142

echo "Empty key name" >&2

153

143

exit 1

154

144

155

145

156

146

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

157

147

echo "Invalid key length" >&2

158

148

exit 1

162

152

echo "Empty key expiration" >&2

163

153

exit 1

164

154

165

155

166

156

# Make FORCE be 0 or 1

167

157

case "$FORCE" in

168

158

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

169

159

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

170

160

esac

171

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

175

&& [ "$FORCE" -eq 0 ]; then

161

162

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

163

-a "$FORCE" -eq 0 ]; then

176

164

echo "Refusing to overwrite old key files; use --force" >&2

177

165

exit 1

178

166

179

167

180

168

# Set lines for GnuPG batch file

181

169

if [ -n "$KEYCOMMENT" ]; then

182

170

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

187

175

188

176

# Create temporary gpg batch file

189

177

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

191

178

192

179

193

180

if [ "$mode" = password ]; then

202

189

trap "

203

190

set +e; \

204

191

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

206

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

192

shred --remove \"$RINGDIR\"/sec*;

207

193

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

208

194

rm --recursive --force \"$RINGDIR\";

209

tty --quiet && stty echo; \

195

stty echo; \

210

196

" EXIT

211

197

212

set -e

213

214

198

umask 077

215

199

216

200

if [ "$mode" = keygen ]; then

218

202

cat >"$BATCHFILE" <<-EOF

219

203

Key-Type: $KEYTYPE

220

204

Key-Length: $KEYLENGTH

221

Key-Usage: sign,auth

205

#Key-Usage: encrypt,sign,auth

222

206

Subkey-Type: $SUBKEYTYPE

223

207

Subkey-Length: $SUBKEYLENGTH

224

Subkey-Usage: encrypt

208

#Subkey-Usage: encrypt,sign,auth

225

209

Name-Real: $KEYNAME

226

210

$KEYCOMMENTLINE

227

211

$KEYEMAILLINE

230

214

#Handle: <no-spaces>

231

215

#%pubring pubring.gpg

232

216

#%secring secring.gpg

233

%no-protection

234

217

%commit

235

218

EOF

236

237

if tty --quiet; then

238

cat <<-EOF

239

Note: Due to entropy requirements, key generation could take

240

anything from a few minutes to SEVERAL HOURS. Please be

241

patient and/or supply the system with more entropy if needed.

242

EOF

243

echo -n "Started: "

244

date

245

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

256

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

259

rm --force "$TLS_PUBKEYFILE"

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

277

278

279

280

# Make sure trustdb.gpg exists;

281

# this is a workaround for Debian bug #737128

282

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

283

--homedir "$RINGDIR" \

284

--import-ownertrust < /dev/null

219

285

220

# Generate a new key in the key rings

286

221

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

287

222

--homedir "$RINGDIR" --trust-model always \

288

223

--gen-key "$BATCHFILE"

289

224

rm --force "$BATCHFILE"

290

291

if tty --quiet; then

292

echo -n "Finished: "

293

date

294

295

225

296

226

# Backup any old key files

297

227

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

298

228

2>/dev/null; then

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

229

shred --remove "$SECKEYFILE"

300

230

301

231

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

302

232

2>/dev/null; then

303

233

rm --force "$PUBKEYFILE"

304

234

305

235

306

236

FILECOMMENT="Mandos client key for $KEYNAME"

307

237

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

308

238

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

309

239

310

240

311

241

if [ -n "$KEYEMAIL" ]; then

312

242

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

313

243

314

244

315

245

# Export key from key rings to key files

316

246

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

317

247

--homedir "$RINGDIR" --armor --export-options export-minimal \

323

253

324

254

325

255

if [ "$mode" = password ]; then

326

327

# Make SSH be 0 or 1

328

case "$SSH" in

329

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

330

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

331

esac

332

333

if [ $SSH -eq 1 ]; then

334

# The -q option is new in OpenSSH 9.8

335

for ssh_keyscan_quiet in "-q " ""; do

336

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

337

set +e

338

ssh_fingerprint="`ssh-keyscan ${ssh_keyscan_quiet}-t $ssh_keytype localhost 2>/dev/null`"

339

err=$?

340

set -e

341

if [ $err -ne 0 ]; then

342

ssh_fingerprint=""

343

continue

344

345

if [ -n "$ssh_fingerprint" ]; then

346

ssh_fingerprint="${ssh_fingerprint#localhost }"

347

break 2

348

349

done

350

done

351

352

353

256

# Import key into temporary key rings

354

257

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

355

258

--homedir "$RINGDIR" --trust-model always --armor \

357

260

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

358

261

--homedir "$RINGDIR" --trust-model always --armor \

359

262

--import "$PUBKEYFILE"

360

263

361

264

# Get fingerprint of key

362

265

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

363

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

266

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

364

267

--fingerprint --with-colons \

365

268

| sed --quiet \

366

269

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

367

270

368

271

test -n "$FINGERPRINT"

369

370

if [ -r "$TLS_PUBKEYFILE" ]; then

371

KEY_ID="$(certtool --key-id --hash=sha256 \

372

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

373

374

if [ -z "$KEY_ID" ]; then

375

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

376

-outform der \

377

| openssl sha256 \

378

| sed --expression='s/^.*[^[:xdigit:]]//')

379

380

test -n "$KEY_ID"

381

382

272

383

273

FILECOMMENT="Encrypted password for a Mandos client"

384

385

while [ ! -s "$SECFILE" ]; do

386

if [ -n "$PASSFILE" ]; then

387

cat -- "$PASSFILE"

274

275

if [ -n "$PASSFILE" ]; then

276

cat "$PASSFILE"

277

else

278

stty -echo

279

echo -n "Enter passphrase: " >&2

280

first="$(head --lines=1 | tr --delete '\n')"

281

echo -n -e "\nRepeat passphrase: " >&2

282

second="$(head --lines=1 | tr --delete '\n')"

283

echo >&2

284

stty echo

285

if [ "$first" != "$second" ]; then

286

echo -e "Passphrase mismatch" >&2

287

false

388

288

else

389

tty --quiet && stty -echo

390

echo -n "Enter passphrase: " >/dev/tty

391

read -r first

392

tty --quiet && echo >&2

393

echo -n "Repeat passphrase: " >/dev/tty

394

read -r second

395

if tty --quiet; then

396

echo >&2

397

stty echo

398

399

if [ "$first" != "$second" ]; then

400

echo "Passphrase mismatch" >&2

401

touch "$RINGDIR"/mismatch

402

else

403

printf "%s" "$first"

404

405

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

406

--homedir "$RINGDIR" --trust-model always --armor \

407

--encrypt --sign --recipient "$FINGERPRINT" --comment \

408

"$FILECOMMENT" > "$SECFILE"

409

if [ -e "$RINGDIR"/mismatch ]; then

410

rm --force "$RINGDIR"/mismatch

411

if tty --quiet; then

412

> "$SECFILE"

413

else

414

exit 1

415

289

echo -n "$first"

416

290

417

done

418

291

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

292

--homedir "$RINGDIR" --trust-model always --armor --encrypt \

293

--sign --recipient "$FINGERPRINT" --comment "$FILECOMMENT" \

294

> "$SECFILE"

295

status="${PIPESTATUS[0]}"

296

if [ "$status" -ne 0 ]; then

297

exit "$status"

298

299

419

300

cat <<-EOF

420

301

[$KEYNAME]

421

302

host = $KEYNAME

422

EOF

423

if [ -n "$KEY_ID" ]; then

424

echo "key_id = $KEY_ID"

425

426

cat <<-EOF

427

303

fingerprint = $FINGERPRINT

428

304

secret =

429

305

EOF

436

312

/^[^-]/s/^/ /p

437

313

}

438

314

}' < "$SECFILE"

439

if [ -n "$ssh_fingerprint" ]; then

440

echo 'checker = ssh-keyscan '"$ssh_keyscan_quiet"'-t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

441

echo "ssh_fingerprint = ${ssh_fingerprint}"

442

443

315

444

316

445

317

trap - EXIT

447

319

set +e

448

320

# Remove the password file, if any

449

321

if [ -n "$SECFILE" ]; then

450

shred --remove "$SECFILE" 2>/dev/null

322

shred --remove "$SECFILE"

451

323

452

324

# Remove the key rings

453

shred --remove "$RINGDIR"/sec* 2>/dev/null

325

shred --remove "$RINGDIR"/sec*

454

326

rm --recursive --force "$RINGDIR"

Older »