/mandos/release : revision 237.7.846

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2024-09-09 04:24:39 UTC
mto: This revision was merged to the branch mainline in revision 410.
Revision ID: teddy@recompile.se-20240909042439-j85mr20uli2hnyis

Eliminate compiler warnings

Many programs use nested functions, which now result in a linker
warning about executable stack.  Hide this warning.  Also, rewrite a
loop in the plymouth plugin to avoid warning about signed overflow.
This change also makes the plugin pick the alphabetically first
process entry instead of the last, in case many plymouth processes are
found (which should be unlikely).

* Makefile (plugin-runner, dracut-module/password-agent,
  plugins.d/password-prompt, plugins.d/mandos-client,
  plugins.d/plymouth): New target; set LDFLAGS to add "-Xlinker
  --no-warn-execstack".
* plugins.d/plymouth.c (get_pid): When no pid files are found, and we
  are looking through the process list, go though it from the start
  instead of from the end, i.e. in normal alphabetical order and not
  in reverse order.

files added:
bugs.xml

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# Mandos key generator - create new keys for a Mandos client

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.6.5"

VERSION="1.8.16"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYEMAIL=""

KEYCOMMENT=""

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:f \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is RSA.

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 4096.

OpenPGP key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is RSA.

OpenPGP subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 4096.

OpenPGP subkey length in bits. Default 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

Email address of OpenPGP key. Default empty.

-c TEXT, --comment TEXT

Comment field for key. The default is empty.

Comment field for OpenPGP key. Default empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

OpenPGP key expire time. Default is none.

See gpg(1) for syntax.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

102

109

-e|--email) KEYEMAIL="$2"; shift 2;;

103

110

-c|--comment) KEYCOMMENT="$2"; shift 2;;

104

111

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

105

113

-f|--force) FORCE=yes; shift;;

114

-S|--no-ssh) SSH=no; shift;;

106

115

-v|--version) echo "$0 $VERSION"; exit;;

107

116

-h|--help) help; exit;;

108

117

--) shift; break;;

110

119

esac

111

120

done

112

121

if [ "$#" -gt 0 ]; then

113

echo "Unknown arguments: '$@'" >&2

122

echo "Unknown arguments: '$*'" >&2

114

123

exit 1

115

124

116

125

117

126

SECKEYFILE="$KEYDIR/seckey.txt"

118

127

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

119

130

120

131

# Check for some invalid values

121

132

if [ ! -d "$KEYDIR" ]; then

136

147

echo "Empty key type" >&2

137

148

exit 1

138

149

139

150

140

151

if [ -z "$KEYNAME" ]; then

141

152

echo "Empty key name" >&2

142

153

exit 1

143

154

144

155

145

156

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

146

157

echo "Invalid key length" >&2

147

158

exit 1

148

159

149

160

150

161

if [ -z "$KEYEXPIRE" ]; then

151

162

echo "Empty key expiration" >&2

152

163

exit 1

153

164

154

165

155

166

# Make FORCE be 0 or 1

156

167

case "$FORCE" in

157

168

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

158

169

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

159

170

esac

160

161

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

162

-a "$FORCE" -eq 0 ]; then

171

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

175

&& [ "$FORCE" -eq 0 ]; then

163

176

echo "Refusing to overwrite old key files; use --force" >&2

164

177

exit 1

165

178

166

179

167

180

# Set lines for GnuPG batch file

168

181

if [ -n "$KEYCOMMENT" ]; then

169

182

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

171

184

if [ -n "$KEYEMAIL" ]; then

172

185

KEYEMAILLINE="Name-Email: $KEYEMAIL"

173

186

174

187

175

188

# Create temporary gpg batch file

176

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

177

191

178

192

179

193

if [ "$mode" = password ]; then

188

202

trap "

189

203

set +e; \

190

204

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

191

shred --remove \"$RINGDIR\"/sec*;

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

206

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

192

207

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

193

208

rm --recursive --force \"$RINGDIR\";

194

209

tty --quiet && stty echo; \

215

230

#Handle: <no-spaces>

216

231

#%pubring pubring.gpg

217

232

#%secring secring.gpg

233

%no-protection

218

234

%commit

219

235

EOF

220

236

221

237

if tty --quiet; then

222

238

cat <<-EOF

223

239

Note: Due to entropy requirements, key generation could take

227

243

echo -n "Started: "

228

244

date

229

245

230

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

256

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

259

rm --force "$TLS_PUBKEYFILE"

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

277

278

279

231

280

# Make sure trustdb.gpg exists;

232

281

# this is a workaround for Debian bug #737128

233

282

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

238

287

--homedir "$RINGDIR" --trust-model always \

239

288

--gen-key "$BATCHFILE"

240

289

rm --force "$BATCHFILE"

241

290

242

291

if tty --quiet; then

243

292

echo -n "Finished: "

244

293

date

245

294

246

295

247

296

# Backup any old key files

248

297

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

249

298

2>/dev/null; then

250

shred --remove "$SECKEYFILE"

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

251

300

252

301

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

253

302

2>/dev/null; then

254

303

rm --force "$PUBKEYFILE"

255

304

256

305

257

306

FILECOMMENT="Mandos client key for $KEYNAME"

258

307

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

259

308

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

260

309

261

310

262

311

if [ -n "$KEYEMAIL" ]; then

263

312

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

264

313

265

314

266

315

# Export key from key rings to key files

267

316

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

268

317

--homedir "$RINGDIR" --armor --export-options export-minimal \

274

323

275

324

276

325

if [ "$mode" = password ]; then

326

327

# Make SSH be 0 or 1

328

case "$SSH" in

329

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

330

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

331

esac

332

333

if [ $SSH -eq 1 ]; then

334

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

335

set +e

336

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

337

err=$?

338

set -e

339

if [ $err -ne 0 ]; then

340

ssh_fingerprint=""

341

continue

342

343

if [ -n "$ssh_fingerprint" ]; then

344

ssh_fingerprint="${ssh_fingerprint#localhost }"

345

break

346

347

done

348

349

277

350

# Import key into temporary key rings

278

351

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

279

352

--homedir "$RINGDIR" --trust-model always --armor \

281

354

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

282

355

--homedir "$RINGDIR" --trust-model always --armor \

283

356

--import "$PUBKEYFILE"

284

357

285

358

# Get fingerprint of key

286

359

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

287

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

360

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

288

361

--fingerprint --with-colons \

289

362

| sed --quiet \

290

363

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

291

364

292

365

test -n "$FINGERPRINT"

293

366

367

if [ -r "$TLS_PUBKEYFILE" ]; then

368

KEY_ID="$(certtool --key-id --hash=sha256 \

369

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

370

371

if [ -z "$KEY_ID" ]; then

372

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

373

-outform der \

374

| openssl sha256 \

375

| sed --expression='s/^.*[^[:xdigit:]]//')

376

377

test -n "$KEY_ID"

378

379

294

380

FILECOMMENT="Encrypted password for a Mandos client"

295

381

296

382

while [ ! -s "$SECFILE" ]; do

297

383

if [ -n "$PASSFILE" ]; then

298

cat "$PASSFILE"

384

cat -- "$PASSFILE"

299

385

else

300

386

tty --quiet && stty -echo

301

echo -n "Enter passphrase: " >&2

302

read first

387

echo -n "Enter passphrase: " >/dev/tty

388

read -r first

303

389

tty --quiet && echo >&2

304

echo -n "Repeat passphrase: " >&2

305

read second

390

echo -n "Repeat passphrase: " >/dev/tty

391

read -r second

306

392

if tty --quiet; then

307

393

echo >&2

308

394

stty echo

311

397

echo "Passphrase mismatch" >&2

312

398

touch "$RINGDIR"/mismatch

313

399

else

314

echo -n "$first"

400

printf "%s" "$first"

315

401

316

402

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

317

403

--homedir "$RINGDIR" --trust-model always --armor \

326

412

327

413

328

414

done

329

415

330

416

cat <<-EOF

331

417

[$KEYNAME]

332

418

host = $KEYNAME

419

EOF

420

if [ -n "$KEY_ID" ]; then

421

echo "key_id = $KEY_ID"

422

423

cat <<-EOF

333

424

fingerprint = $FINGERPRINT

334

425

secret =

335

426

EOF

342

433

/^[^-]/s/^/ /p

343

434

}

344

435

}' < "$SECFILE"

436

if [ -n "$ssh_fingerprint" ]; then

437

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

438

echo "ssh_fingerprint = ${ssh_fingerprint}"

439

345

440

346

441

347

442

trap - EXIT

349

444

set +e

350

445

# Remove the password file, if any

351

446

if [ -n "$SECFILE" ]; then

352

shred --remove "$SECFILE"

447

shred --remove "$SECFILE" 2>/dev/null

353

448

354

449

# Remove the key rings

355

shred --remove "$RINGDIR"/sec*

450

shred --remove "$RINGDIR"/sec* 2>/dev/null

356

451

rm --recursive --force "$RINGDIR"

Older »