To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos-keygen
- browse files at revision 1086
- compare with another revision
- download diff
- download tarball
- view history from revision 1086
- Committer: Teddy Hogeborn
- Date: 2019-03-18 22:29:25 UTC
- Revision ID: teddy@recompile.se-20190318222925-jvhek84dgcfgj6g3
mandos-ctl: Refactor tests
* mandos-ctl: Where the clients names "foo" and "barbar" do not refer
to the actual mock clients in the TestCommand class,
change all occurrences of these names to "client1" and
"client2" (or just "client" when only one is used) .
Also change all test doubles to use correct terminology;
some things called mocks are actually stubs or spies,
and rename all true mocks to have "mock" in their names.
Also eliminate duplicate values in tests; derive values
from previously defined values whenever possible.
* mandos-ctl: Where the clients names "foo" and "barbar" do not refer
to the actual mock clients in the TestCommand class,
change all occurrences of these names to "client1" and
"client2" (or just "client" when only one is used) .
Also change all test doubles to use correct terminology;
some things called mocks are actually stubs or spies,
and rename all true mocks to have "mock" in their names.
Also eliminate duplicate values in tests; derive values
from previously defined values whenever possible.
- files added:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- debian/upstream
- network-hooks.d
- plugin-helpers
- files removed:
- initramfs-tools-hook-conf
- files renamed:
- plugins.d/password-request.c => plugins.d/mandos-client.c
- plugins.d/password-request.xml => plugins.d/mandos-client.xml
- files modified:
- Makefile
added
removed
mandos-keygen
1
1
#!/bin/sh -e
2
2
#
3
# Mandos key generator - create a new OpenPGP key for a Mandos client
4
#
5
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
6
#
7
# This program is free software: you can redistribute it and/or modify
8
# it under the terms of the GNU General Public License as published by
3
# Mandos key generator - create new keys for a Mandos client
4
#
5
# Copyright © 2008-2019 Teddy Hogeborn
6
# Copyright © 2008-2019 Björn Påhlsson
7
#
8
# This file is part of Mandos.
9
#
10
# Mandos is free software: you can redistribute it and/or modify it
11
# under the terms of the GNU General Public License as published by
9
12
# the Free Software Foundation, either version 3 of the License, or
10
13
# (at your option) any later version.
11
14
#
12
# This program is distributed in the hope that it will be useful,
13
# but WITHOUT ANY WARRANTY; without even the implied warranty of
15
# Mandos is distributed in the hope that it will be useful, but
16
# WITHOUT ANY WARRANTY; without even the implied warranty of
14
17
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
18
# GNU General Public License for more details.
16
19
#
17
20
# You should have received a copy of the GNU General Public License
18
# along with this program. If not, see <http://www.gnu.org/licenses/>.
19
#
20
# Contact the authors at <mandos@fukt.bsnet.se>.
21
#
22
23
VERSION="1.0"
24
25
KEYDIR="/etc/mandos"
26
KEYTYPE=DSA
27
KEYLENGTH=1024
28
SUBKEYTYPE=ELG-E
29
SUBKEYLENGTH=2048
30
KEYNAME="`hostname --fqdn`"
21
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
22
#
23
# Contact the authors at <mandos@recompile.se>.
24
#
25
26
VERSION="1.8.3"
27
28
KEYDIR="/etc/keys/mandos"
29
KEYTYPE=RSA
30
KEYLENGTH=4096
31
SUBKEYTYPE=RSA
32
SUBKEYLENGTH=4096
33
KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"
31
34
KEYEMAIL=""
32
KEYCOMMENT="Mandos client key"
35
KEYCOMMENT=""
33
36
KEYEXPIRE=0
37
TLS_KEYTYPE=ed25519
34
38
FORCE=no
39
SSH=yes
35
40
KEYCOMMENT_ORIG="$KEYCOMMENT"
41
mode=keygen
42
43
if [ ! -d "$KEYDIR" ]; then
44
KEYDIR="/etc/mandos/keys"
45
fi
36
46
37
47
# Parse options
38
TEMP=`getopt --options vhd:t:l:n:e:c:x:f \
39
--longoptions version,help,dir:,type:,length:,name:,email:,comment:,expire:,force \
48
TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \
49
--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \
40
50
--name "$0" -- "$@"`
41
51
42
52
help(){
53
basename="`basename "$0"`"
43
54
cat <<EOF
44
Usage: `basename $0` [options]
55
Usage: $basename [ -v | --version ]
56
$basename [ -h | --help ]
57
Key creation:
58
$basename [ OPTIONS ]
59
Encrypted password creation:
60
$basename { -p | --password } [ --name NAME ] [ --dir DIR]
61
$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]
45
62
46
Options:
63
Key creation options:
47
64
-v, --version Show program's version number and exit
48
65
-h, --help Show this help message and exit
49
66
-d DIR, --dir DIR Target directory for key files
50
-t TYPE, --type TYPE Key type. Default is DSA.
67
-t TYPE, --type TYPE OpenPGP key type. Default is RSA.
51
68
-l BITS, --length BITS
52
Key length in bits. Default is 1024.
69
OpenPGP key length in bits. Default is 4096.
53
70
-s TYPE, --subtype TYPE
54
Subkey type. Default is ELG-E.
71
OpenPGP subkey type. Default is RSA.
55
72
-L BITS, --sublength BITS
56
Subkey length in bits. Default is 2048.
73
OpenPGP subkey length in bits. Default 4096.
57
74
-n NAME, --name NAME Name of key. Default is the FQDN.
58
-e EMAIL, --email EMAIL
59
Email address of key. Default is empty.
60
-c COMMENT, --comment COMMENT
61
Comment field for key. The default value is
62
"Mandos client key".
75
-e ADDRESS, --email ADDRESS
76
Email address of OpenPGP key. Default empty.
77
-c TEXT, --comment TEXT
78
Comment field for OpenPGP key. Default empty.
63
79
-x TIME, --expire TIME
64
Key expire time. Default is no expiration.
80
OpenPGP key expire time. Default is none.
65
81
See gpg(1) for syntax.
66
-f, --force Force overwriting old keys.
82
-T TYPE, --tls-keytype TYPE
83
TLS key type. Default is ed25519.
84
-f, --force Force overwriting old key files.
85
86
Password creation options:
87
-p, --password Create an encrypted password using the key in
88
the key directory. All options other than
89
--dir and --name are ignored.
90
-F FILE, --passfile FILE
91
Encrypt a password from FILE using the key in
92
the key directory. All options other than
93
--dir and --name are ignored.
94
-S, --no-ssh Don't get SSH key or set "checker" option.
67
95
EOF
68
96
}
69
97
70
98
eval set -- "$TEMP"
71
99
while :; do
72
100
case "$1" in
101
-p|--password) mode=password; shift;;
102
-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;
73
103
-d|--dir) KEYDIR="$2"; shift 2;;
74
104
-t|--type) KEYTYPE="$2"; shift 2;;
75
105
-s|--subtype) SUBKEYTYPE="$2"; shift 2;;
79
109
-e|--email) KEYEMAIL="$2"; shift 2;;
80
110
-c|--comment) KEYCOMMENT="$2"; shift 2;;
81
111
-x|--expire) KEYEXPIRE="$2"; shift 2;;
112
-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;
82
113
-f|--force) FORCE=yes; shift;;
114
-S|--no-ssh) SSH=no; shift;;
83
115
-v|--version) echo "$0 $VERSION"; exit;;
84
116
-h|--help) help; exit;;
85
117
--) shift; break;;
87
119
esac
88
120
done
89
121
if [ "$#" -gt 0 ]; then
90
echo "Unknown arguments: '$@'" >&2
122
echo "Unknown arguments: '$*'" >&2
91
123
exit 1
92
124
fi
93
125
94
126
SECKEYFILE="$KEYDIR/seckey.txt"
95
127
PUBKEYFILE="$KEYDIR/pubkey.txt"
128
TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"
129
TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"
96
130
97
131
# Check for some invalid values
98
if [ -d "$KEYDIR" ]; then :; else
132
if [ ! -d "$KEYDIR" ]; then
99
133
echo "$KEYDIR not a directory" >&2
100
134
exit 1
101
135
fi
102
if [ -w "$KEYDIR" ]; then :; else
103
echo "Directory $KEYDIR not writeable" >&2
104
exit 1
105
fi
106
107
if [ -z "$KEYTYPE" ]; then
108
echo "Empty key type" >&2
109
exit 1
110
fi
111
112
if [ -z "$KEYNAME" ]; then
113
echo "Empty key name" >&2
114
exit 1
115
fi
116
117
if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then
118
echo "Invalid key length" >&2
119
exit 1
120
fi
121
122
if [ -z "$KEYEXPIRE" ]; then
123
echo "Empty key expiration" >&2
124
exit 1
125
fi
126
127
# Make FORCE be 0 or 1
128
case "$FORCE" in
129
[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;
130
[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;
131
esac
132
133
if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \
134
&& [ "$FORCE" -eq 0 ]; then
135
echo "Refusing to overwrite old key files; use --force" >&2
136
exit 1
137
fi
138
139
# Set lines for GnuPG batch file
140
if [ -n "$KEYCOMMENT" ]; then
141
KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"
142
fi
143
if [ -n "$KEYEMAIL" ]; then
144
KEYEMAILLINE="Name-Email: $KEYEMAIL"
145
fi
146
147
# Create temp files
148
BATCHFILE="`mktemp -t mandos-gpg-batch.XXXXXXXXXX`"
149
SECRING="`mktemp -t mandos-gpg-secring.XXXXXXXXXX`"
150
PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`"
136
if [ ! -r "$KEYDIR" ]; then
137
echo "Directory $KEYDIR not readable" >&2
138
exit 1
139
fi
140
141
if [ "$mode" = keygen ]; then
142
if [ ! -w "$KEYDIR" ]; then
143
echo "Directory $KEYDIR not writeable" >&2
144
exit 1
145
fi
146
if [ -z "$KEYTYPE" ]; then
147
echo "Empty key type" >&2
148
exit 1
149
fi
150
151
if [ -z "$KEYNAME" ]; then
152
echo "Empty key name" >&2
153
exit 1
154
fi
155
156
if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then
157
echo "Invalid key length" >&2
158
exit 1
159
fi
160
161
if [ -z "$KEYEXPIRE" ]; then
162
echo "Empty key expiration" >&2
163
exit 1
164
fi
165
166
# Make FORCE be 0 or 1
167
case "$FORCE" in
168
[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;
169
[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;
170
esac
171
172
if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \
173
|| [ -e "$TLS_PRIVKEYFILE" ] \
174
|| [ -e "$TLS_PUBKEYFILE" ]; } \
175
&& [ "$FORCE" -eq 0 ]; then
176
echo "Refusing to overwrite old key files; use --force" >&2
177
exit 1
178
fi
179
180
# Set lines for GnuPG batch file
181
if [ -n "$KEYCOMMENT" ]; then
182
KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"
183
fi
184
if [ -n "$KEYEMAIL" ]; then
185
KEYEMAILLINE="Name-Email: $KEYEMAIL"
186
fi
187
188
# Create temporary gpg batch file
189
BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"
190
TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"
191
fi
192
193
if [ "$mode" = password ]; then
194
# Create temporary encrypted password file
195
SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`"
196
fi
197
198
# Create temporary key ring directory
199
RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`"
151
200
152
201
# Remove temporary files on exit
153
202
trap "
154
203
set +e; \
155
rm --force $PUBRING $BATCHFILE; \
156
shred --remove $SECRING; \
157
stty echo; \
204
test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \
205
test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \
206
shred --remove \"$RINGDIR\"/sec* 2>/dev/null;
207
test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \
208
rm --recursive --force \"$RINGDIR\";
209
tty --quiet && stty echo; \
158
210
" EXIT
159
211
160
# Create batch file for GnuPG
161
cat >"$BATCHFILE" <<EOF
162
Key-Type: $KEYTYPE
163
Key-Length: $KEYLENGTH
164
#Key-Usage: encrypt,sign,auth
165
Subkey-Type: $SUBKEYTYPE
166
Subkey-Length: $SUBKEYLENGTH
167
#Subkey-Usage: encrypt,sign,auth
168
Name-Real: $KEYNAME
169
$KEYCOMMENTLINE
170
$KEYEMAILLINE
171
Expire-Date: $KEYEXPIRE
172
#Preferences: <string>
173
#Handle: <no-spaces>
174
%pubring $PUBRING
175
%secring $SECRING
176
%commit
177
EOF
178
179
umask 027
180
181
# Generate a new key in the key rings
182
gpg --no-random-seed-file --quiet --batch --no-tty \
183
--no-default-keyring --no-options --enable-dsa2 \
184
--secret-keyring "$SECRING" --keyring "$PUBRING" \
185
--gen-key "$BATCHFILE"
186
rm --force "$BATCHFILE"
187
188
# Backup any old key files
189
if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \
190
2>/dev/null; then
191
shred --remove "$SECKEYFILE"
192
fi
193
if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \
194
2>/dev/null; then
195
rm --force "$PUBKEYFILE"
196
fi
197
198
FILECOMMENT="Mandos client key for $KEYNAME"
199
if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then
200
FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"
201
fi
202
203
if [ -n "$KEYEMAIL" ]; then
204
FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"
205
fi
206
207
# Export keys from key rings to key files
208
gpg --no-random-seed-file --quiet --batch --no-tty --armor \
209
--no-default-keyring --no-options --enable-dsa2 \
210
--secret-keyring "$SECRING" --keyring "$PUBRING" \
211
--export-options export-minimal --comment "$FILECOMMENT" \
212
--output "$SECKEYFILE" --export-secret-keys
213
gpg --no-random-seed-file --quiet --batch --no-tty --armor \
214
--no-default-keyring --no-options --enable-dsa2 \
215
--secret-keyring "$SECRING" --keyring "$PUBRING" \
216
--export-options export-minimal --comment "$FILECOMMENT" \
217
--output "$PUBKEYFILE" --export
212
set -e
213
214
umask 077
215
216
if [ "$mode" = keygen ]; then
217
# Create batch file for GnuPG
218
cat >"$BATCHFILE" <<-EOF
219
Key-Type: $KEYTYPE
220
Key-Length: $KEYLENGTH
221
Key-Usage: sign,auth
222
Subkey-Type: $SUBKEYTYPE
223
Subkey-Length: $SUBKEYLENGTH
224
Subkey-Usage: encrypt
225
Name-Real: $KEYNAME
226
$KEYCOMMENTLINE
227
$KEYEMAILLINE
228
Expire-Date: $KEYEXPIRE
229
#Preferences: <string>
230
#Handle: <no-spaces>
231
#%pubring pubring.gpg
232
#%secring secring.gpg
233
%no-protection
234
%commit
235
EOF
236
237
if tty --quiet; then
238
cat <<-EOF
239
Note: Due to entropy requirements, key generation could take
240
anything from a few minutes to SEVERAL HOURS. Please be
241
patient and/or supply the system with more entropy if needed.
242
EOF
243
echo -n "Started: "
244
date
245
fi
246
247
# Generate TLS private key
248
if certtool --generate-privkey --password='' \
249
--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \
250
--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then
251
252
# Backup any old key files
253
if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \
254
2>/dev/null; then
255
shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :
256
fi
257
if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \
258
2>/dev/null; then
259
rm --force "$TLS_PUBKEYFILE"
260
fi
261
cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"
262
shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :
263
264
## TLS public key
265
266
# First try certtool from GnuTLS
267
if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \
268
--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \
269
2>/dev/null; then
270
# Otherwise try OpenSSL
271
if ! openssl pkey -in "$TLS_PRIVKEYFILE" \
272
-out "$TLS_PUBKEYFILE" -pubout; then
273
rm --force "$TLS_PUBKEYFILE"
274
# None of the commands succeded; give up
275
return 1
276
fi
277
fi
278
fi
279
280
# Make sure trustdb.gpg exists;
281
# this is a workaround for Debian bug #737128
282
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
283
--homedir "$RINGDIR" \
284
--import-ownertrust < /dev/null
285
# Generate a new key in the key rings
286
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
287
--homedir "$RINGDIR" --trust-model always \
288
--gen-key "$BATCHFILE"
289
rm --force "$BATCHFILE"
290
291
if tty --quiet; then
292
echo -n "Finished: "
293
date
294
fi
295
296
# Backup any old key files
297
if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \
298
2>/dev/null; then
299
shred --remove "$SECKEYFILE" 2>/dev/null || :
300
fi
301
if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \
302
2>/dev/null; then
303
rm --force "$PUBKEYFILE"
304
fi
305
306
FILECOMMENT="Mandos client key for $KEYNAME"
307
if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then
308
FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"
309
fi
310
311
if [ -n "$KEYEMAIL" ]; then
312
FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"
313
fi
314
315
# Export key from key rings to key files
316
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
317
--homedir "$RINGDIR" --armor --export-options export-minimal \
318
--comment "$FILECOMMENT" --output "$SECKEYFILE" \
319
--export-secret-keys
320
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
321
--homedir "$RINGDIR" --armor --export-options export-minimal \
322
--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export
323
fi
324
325
if [ "$mode" = password ]; then
326
327
# Make SSH be 0 or 1
328
case "$SSH" in
329
[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;
330
[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;
331
esac
332
333
if [ $SSH -eq 1 ]; then
334
for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do
335
set +e
336
ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"
337
err=$?
338
set -e
339
if [ $err -ne 0 ]; then
340
ssh_fingerprint=""
341
continue
342
fi
343
if [ -n "$ssh_fingerprint" ]; then
344
ssh_fingerprint="${ssh_fingerprint#localhost }"
345
break
346
fi
347
done
348
fi
349
350
# Import key into temporary key rings
351
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
352
--homedir "$RINGDIR" --trust-model always --armor \
353
--import "$SECKEYFILE"
354
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
355
--homedir "$RINGDIR" --trust-model always --armor \
356
--import "$PUBKEYFILE"
357
358
# Get fingerprint of key
359
FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \
360
--enable-dsa2 --homedir "$RINGDIR" --trust-model always \
361
--fingerprint --with-colons \
362
| sed --quiet \
363
--expression='/^fpr:/{s/^fpr:.*:\\([0-9A-Z]*\\):\$/\\1/p;q}'`"
364
365
test -n "$FINGERPRINT"
366
367
if [ -r "$TLS_PUBKEYFILE" ]; then
368
KEY_ID="$(certtool --key-id --hash=sha256 \
369
--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"
370
371
if [ -z "$KEY_ID" ]; then
372
KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \
373
-outform der \
374
| openssl sha256 \
375
| sed --expression='s/^.*[^[:xdigit:]]//')
376
fi
377
test -n "$KEY_ID"
378
fi
379
380
FILECOMMENT="Encrypted password for a Mandos client"
381
382
while [ ! -s "$SECFILE" ]; do
383
if [ -n "$PASSFILE" ]; then
384
cat "$PASSFILE"
385
else
386
tty --quiet && stty -echo
387
echo -n "Enter passphrase: " >/dev/tty
388
read -r first
389
tty --quiet && echo >&2
390
echo -n "Repeat passphrase: " >/dev/tty
391
read -r second
392
if tty --quiet; then
393
echo >&2
394
stty echo
395
fi
396
if [ "$first" != "$second" ]; then
397
echo "Passphrase mismatch" >&2
398
touch "$RINGDIR"/mismatch
399
else
400
echo -n "$first"
401
fi
402
fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
403
--homedir "$RINGDIR" --trust-model always --armor \
404
--encrypt --sign --recipient "$FINGERPRINT" --comment \
405
"$FILECOMMENT" > "$SECFILE"
406
if [ -e "$RINGDIR"/mismatch ]; then
407
rm --force "$RINGDIR"/mismatch
408
if tty --quiet; then
409
> "$SECFILE"
410
else
411
exit 1
412
fi
413
fi
414
done
415
416
cat <<-EOF
417
[$KEYNAME]
418
host = $KEYNAME
419
EOF
420
if [ -n "$KEY_ID" ]; then
421
echo "key_id = $KEY_ID"
422
fi
423
cat <<-EOF
424
fingerprint = $FINGERPRINT
425
secret =
426
EOF
427
sed --quiet --expression='
428
/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{
429
/^$/,${
430
# Remove 24-bit Radix-64 checksum
431
s/=....$//
432
# Indent four spaces
433
/^[^-]/s/^/ /p
434
}
435
}' < "$SECFILE"
436
if [ -n "$ssh_fingerprint" ]; then
437
echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'
438
echo "ssh_fingerprint = ${ssh_fingerprint}"
439
fi
440
fi
218
441
219
442
trap - EXIT
220
443
444
set +e
445
# Remove the password file, if any
446
if [ -n "$SECFILE" ]; then
447
shred --remove "$SECFILE" 2>/dev/null
448
fi
221
449
# Remove the key rings
222
shred --remove "$SECRING"
223
rm --force "$PUBRING"
450
shred --remove "$RINGDIR"/sec* 2>/dev/null
451
rm --recursive --force "$RINGDIR"
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0