/mandos/trunk : revision 13

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Björn Påhlsson
Date: 2008-07-20 02:52:20 UTC
Revision ID: belorn@braxen-20080720025220-r5u0388uy9iu23h6

Added following support:
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.6.2"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT=""

KEYEXPIRE=0

FORCE=no

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

if [ ! -d "$KEYDIR" ]; then

KEYDIR="/etc/mandos/keys"

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:f \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

Key creation:

$basename [ OPTIONS ]

Encrypted password creation:

$basename { -p | --password } [ --name NAME ] [ --dir DIR]

$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]

Key creation options:

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

-c TEXT, --comment TEXT

Comment field for key. The default is empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

See gpg(1) for syntax.

-f, --force Force overwriting old key files.

Password creation options:

-p, --password Create an encrypted password using the key in

the key directory. All options other than

--dir and --name are ignored.

-F FILE, --passfile FILE

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

EOF

}

eval set -- "$TEMP"

while :; do

case "$1" in

-p|--password) mode=password; shift;;

-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;

-d|--dir) KEYDIR="$2"; shift 2;;

-t|--type) KEYTYPE="$2"; shift 2;;

-s|--subtype) SUBKEYTYPE="$2"; shift 2;;

-l|--length) KEYLENGTH="$2"; shift 2;;

100

-L|--sublength) SUBKEYLENGTH="$2"; shift 2;;

101

-n|--name) KEYNAME="$2"; shift 2;;

102

-e|--email) KEYEMAIL="$2"; shift 2;;

103

-c|--comment) KEYCOMMENT="$2"; shift 2;;

104

-x|--expire) KEYEXPIRE="$2"; shift 2;;

105

-f|--force) FORCE=yes; shift;;

106

-v|--version) echo "$0 $VERSION"; exit;;

107

-h|--help) help; exit;;

108

--) shift; break;;

109

*) echo "Internal error" >&2; exit 1;;

110

esac

111

done

112

if [ "$#" -gt 0 ]; then

113

echo "Unknown arguments: '$@'" >&2

114

exit 1

115

116

117

SECKEYFILE="$KEYDIR/seckey.txt"

118

PUBKEYFILE="$KEYDIR/pubkey.txt"

119

120

# Check for some invalid values

121

if [ ! -d "$KEYDIR" ]; then

122

echo "$KEYDIR not a directory" >&2

123

exit 1

124

125

if [ ! -r "$KEYDIR" ]; then

126

echo "Directory $KEYDIR not readable" >&2

127

exit 1

128

129

130

if [ "$mode" = keygen ]; then

131

if [ ! -w "$KEYDIR" ]; then

132

echo "Directory $KEYDIR not writeable" >&2

133

exit 1

134

135

if [ -z "$KEYTYPE" ]; then

136

echo "Empty key type" >&2

137

exit 1

138

139

140

if [ -z "$KEYNAME" ]; then

141

echo "Empty key name" >&2

142

exit 1

143

144

145

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

146

echo "Invalid key length" >&2

147

exit 1

148

149

150

if [ -z "$KEYEXPIRE" ]; then

151

echo "Empty key expiration" >&2

152

exit 1

153

154

155

# Make FORCE be 0 or 1

156

case "$FORCE" in

157

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

158

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

159

esac

160

161

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

162

-a "$FORCE" -eq 0 ]; then

163

echo "Refusing to overwrite old key files; use --force" >&2

164

exit 1

165

166

167

# Set lines for GnuPG batch file

168

if [ -n "$KEYCOMMENT" ]; then

169

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

170

171

if [ -n "$KEYEMAIL" ]; then

172

KEYEMAILLINE="Name-Email: $KEYEMAIL"

173

174

175

# Create temporary gpg batch file

176

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

177

178

179

if [ "$mode" = password ]; then

180

# Create temporary encrypted password file

181

SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`"

182

183

184

# Create temporary key ring directory

185

RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`"

186

187

# Remove temporary files on exit

188

trap "

189

set +e; \

190

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

191

shred --remove \"$RINGDIR\"/sec*;

192

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

193

rm --recursive --force \"$RINGDIR\";

194

tty --quiet && stty echo; \

195

" EXIT

196

197

set -e

198

199

umask 077

200

201

if [ "$mode" = keygen ]; then

202

# Create batch file for GnuPG

203

cat >"$BATCHFILE" <<-EOF

204

Key-Type: $KEYTYPE

205

Key-Length: $KEYLENGTH

206

Key-Usage: sign,auth

207

Subkey-Type: $SUBKEYTYPE

208

Subkey-Length: $SUBKEYLENGTH

209

Subkey-Usage: encrypt

210

Name-Real: $KEYNAME

211

$KEYCOMMENTLINE

212

$KEYEMAILLINE

213

Expire-Date: $KEYEXPIRE

214

#Preferences: <string>

215

#Handle: <no-spaces>

216

#%pubring pubring.gpg

217

#%secring secring.gpg

218

%commit

219

EOF

220

221

if tty --quiet; then

222

cat <<-EOF

223

Note: Due to entropy requirements, key generation could take

224

anything from a few minutes to SEVERAL HOURS. Please be

225

patient and/or supply the system with more entropy if needed.

226

EOF

227

echo -n "Started: "

228

date

229

230

231

# Generate a new key in the key rings

232

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

233

--homedir "$RINGDIR" --trust-model always \

234

--gen-key "$BATCHFILE"

235

rm --force "$BATCHFILE"

236

237

if tty --quiet; then

238

echo -n "Finished: "

239

date

240

241

242

# Backup any old key files

243

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

244

2>/dev/null; then

245

shred --remove "$SECKEYFILE"

246

247

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

248

2>/dev/null; then

249

rm --force "$PUBKEYFILE"

250

251

252

FILECOMMENT="Mandos client key for $KEYNAME"

253

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

254

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

255

256

257

if [ -n "$KEYEMAIL" ]; then

258

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

259

260

261

# Export key from key rings to key files

262

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

263

--homedir "$RINGDIR" --armor --export-options export-minimal \

264

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

265

--export-secret-keys

266

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

267

--homedir "$RINGDIR" --armor --export-options export-minimal \

268

--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export

269

270

271

if [ "$mode" = password ]; then

272

# Import key into temporary key rings

273

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

274

--homedir "$RINGDIR" --trust-model always --armor \

275

--import "$SECKEYFILE"

276

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

277

--homedir "$RINGDIR" --trust-model always --armor \

278

--import "$PUBKEYFILE"

279

280

# Get fingerprint of key

281

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

282

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

283

--fingerprint --with-colons \

284

| sed --quiet \

285

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

286

287

test -n "$FINGERPRINT"

288

289

FILECOMMENT="Encrypted password for a Mandos client"

290

291

while [ ! -s "$SECFILE" ]; do

292

if [ -n "$PASSFILE" ]; then

293

cat "$PASSFILE"

294

else

295

tty --quiet && stty -echo

296

echo -n "Enter passphrase: " >&2

297

read first

298

tty --quiet && echo >&2

299

echo -n "Repeat passphrase: " >&2

300

read second

301

if tty --quiet; then

302

echo >&2

303

stty echo

304

305

if [ "$first" != "$second" ]; then

306

echo "Passphrase mismatch" >&2

307

touch "$RINGDIR"/mismatch

308

else

309

echo -n "$first"

310

311

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

312

--homedir "$RINGDIR" --trust-model always --armor \

313

--encrypt --sign --recipient "$FINGERPRINT" --comment \

314

"$FILECOMMENT" > "$SECFILE"

315

if [ -e "$RINGDIR"/mismatch ]; then

316

rm --force "$RINGDIR"/mismatch

317

if tty --quiet; then

318

> "$SECFILE"

319

else

320

exit 1

321

322

323

done

324

325

cat <<-EOF

326

[$KEYNAME]

327

host = $KEYNAME

328

fingerprint = $FINGERPRINT

329

secret =

330

EOF

331

sed --quiet --expression='

332

/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{

333

/^$/,${

334

# Remove 24-bit Radix-64 checksum

335

s/=....$//

336

# Indent four spaces

337

/^[^-]/s/^/ /p

338

}

339

}' < "$SECFILE"

340

341

342

trap - EXIT

343

344

set +e

345

# Remove the password file, if any

346

if [ -n "$SECFILE" ]; then

347

shred --remove "$SECFILE"

348

349

# Remove the key rings

350

shred --remove "$RINGDIR"/sec*

351

rm --recursive --force "$RINGDIR"

Older »