/mandos/trunk : revision 13

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Björn Påhlsson
Date: 2008-07-20 02:52:20 UTC
Revision ID: belorn@braxen-20080720025220-r5u0388uy9iu23h6

Added following support:
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.7.14"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT=""

KEYEXPIRE=0

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

if [ ! -d "$KEYDIR" ]; then

KEYDIR="/etc/mandos/keys"

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

Key creation:

$basename [ OPTIONS ]

Encrypted password creation:

$basename { -p | --password } [ --name NAME ] [ --dir DIR]

$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]

Key creation options:

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

-c TEXT, --comment TEXT

Comment field for key. The default is empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

See gpg(1) for syntax.

-f, --force Force overwriting old key files.

Password creation options:

-p, --password Create an encrypted password using the key in

the key directory. All options other than

--dir and --name are ignored.

-F FILE, --passfile FILE

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

eval set -- "$TEMP"

while :; do

case "$1" in

-p|--password) mode=password; shift;;

-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;

-d|--dir) KEYDIR="$2"; shift 2;;

-t|--type) KEYTYPE="$2"; shift 2;;

100

-s|--subtype) SUBKEYTYPE="$2"; shift 2;;

101

-l|--length) KEYLENGTH="$2"; shift 2;;

102

-L|--sublength) SUBKEYLENGTH="$2"; shift 2;;

103

-n|--name) KEYNAME="$2"; shift 2;;

104

-e|--email) KEYEMAIL="$2"; shift 2;;

105

-c|--comment) KEYCOMMENT="$2"; shift 2;;

106

-x|--expire) KEYEXPIRE="$2"; shift 2;;

107

-f|--force) FORCE=yes; shift;;

108

-S|--no-ssh) SSH=no; shift;;

109

-v|--version) echo "$0 $VERSION"; exit;;

110

-h|--help) help; exit;;

111

--) shift; break;;

112

*) echo "Internal error" >&2; exit 1;;

113

esac

114

done

115

if [ "$#" -gt 0 ]; then

116

echo "Unknown arguments: '$*'" >&2

117

exit 1

118

119

120

SECKEYFILE="$KEYDIR/seckey.txt"

121

PUBKEYFILE="$KEYDIR/pubkey.txt"

122

123

# Check for some invalid values

124

if [ ! -d "$KEYDIR" ]; then

125

echo "$KEYDIR not a directory" >&2

126

exit 1

127

128

if [ ! -r "$KEYDIR" ]; then

129

echo "Directory $KEYDIR not readable" >&2

130

exit 1

131

132

133

if [ "$mode" = keygen ]; then

134

if [ ! -w "$KEYDIR" ]; then

135

echo "Directory $KEYDIR not writeable" >&2

136

exit 1

137

138

if [ -z "$KEYTYPE" ]; then

139

echo "Empty key type" >&2

140

exit 1

141

142

143

if [ -z "$KEYNAME" ]; then

144

echo "Empty key name" >&2

145

exit 1

146

147

148

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

149

echo "Invalid key length" >&2

150

exit 1

151

152

153

if [ -z "$KEYEXPIRE" ]; then

154

echo "Empty key expiration" >&2

155

exit 1

156

157

158

# Make FORCE be 0 or 1

159

case "$FORCE" in

160

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

161

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

162

esac

163

164

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

165

-a "$FORCE" -eq 0 ]; then

166

echo "Refusing to overwrite old key files; use --force" >&2

167

exit 1

168

169

170

# Set lines for GnuPG batch file

171

if [ -n "$KEYCOMMENT" ]; then

172

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

173

174

if [ -n "$KEYEMAIL" ]; then

175

KEYEMAILLINE="Name-Email: $KEYEMAIL"

176

177

178

# Create temporary gpg batch file

179

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

180

181

182

if [ "$mode" = password ]; then

183

# Create temporary encrypted password file

184

SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`"

185

186

187

# Create temporary key ring directory

188

RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`"

189

190

# Remove temporary files on exit

191

trap "

192

set +e; \

193

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

194

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

195

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

196

rm --recursive --force \"$RINGDIR\";

197

tty --quiet && stty echo; \

198

" EXIT

199

200

set -e

201

202

umask 077

203

204

if [ "$mode" = keygen ]; then

205

# Create batch file for GnuPG

206

cat >"$BATCHFILE" <<-EOF

207

Key-Type: $KEYTYPE

208

Key-Length: $KEYLENGTH

209

Key-Usage: sign,auth

210

Subkey-Type: $SUBKEYTYPE

211

Subkey-Length: $SUBKEYLENGTH

212

Subkey-Usage: encrypt

213

Name-Real: $KEYNAME

214

$KEYCOMMENTLINE

215

$KEYEMAILLINE

216

Expire-Date: $KEYEXPIRE

217

#Preferences: <string>

218

#Handle: <no-spaces>

219

#%pubring pubring.gpg

220

#%secring secring.gpg

221

%no-protection

222

%commit

223

EOF

224

225

if tty --quiet; then

226

cat <<-EOF

227

Note: Due to entropy requirements, key generation could take

228

anything from a few minutes to SEVERAL HOURS. Please be

229

patient and/or supply the system with more entropy if needed.

230

EOF

231

echo -n "Started: "

232

date

233

234

235

# Make sure trustdb.gpg exists;

236

# this is a workaround for Debian bug #737128

237

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

238

--homedir "$RINGDIR" \

239

--import-ownertrust < /dev/null

240

# Generate a new key in the key rings

241

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

242

--homedir "$RINGDIR" --trust-model always \

243

--gen-key "$BATCHFILE"

244

rm --force "$BATCHFILE"

245

246

if tty --quiet; then

247

echo -n "Finished: "

248

date

249

250

251

# Backup any old key files

252

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

253

2>/dev/null; then

254

shred --remove "$SECKEYFILE"

255

256

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

257

2>/dev/null; then

258

rm --force "$PUBKEYFILE"

259

260

261

FILECOMMENT="Mandos client key for $KEYNAME"

262

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

263

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

264

265

266

if [ -n "$KEYEMAIL" ]; then

267

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

268

269

270

# Export key from key rings to key files

271

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

272

--homedir "$RINGDIR" --armor --export-options export-minimal \

273

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

274

--export-secret-keys

275

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

276

--homedir "$RINGDIR" --armor --export-options export-minimal \

277

--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export

278

279

280

if [ "$mode" = password ]; then

281

282

# Make SSH be 0 or 1

283

case "$SSH" in

284

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

285

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

286

esac

287

288

if [ $SSH -eq 1 ]; then

289

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

290

set +e

291

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

292

set -e

293

if [ $? -ne 0 ]; then

294

ssh_fingerprint=""

295

continue

296

297

if [ -n "$ssh_fingerprint" ]; then

298

ssh_fingerprint="${ssh_fingerprint#localhost }"

299

break

300

301

done

302

303

304

# Import key into temporary key rings

305

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

306

--homedir "$RINGDIR" --trust-model always --armor \

307

--import "$SECKEYFILE"

308

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

309

--homedir "$RINGDIR" --trust-model always --armor \

310

--import "$PUBKEYFILE"

311

312

# Get fingerprint of key

313

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

314

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

315

--fingerprint --with-colons \

316

| sed --quiet \

317

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

318

319

test -n "$FINGERPRINT"

320

321

FILECOMMENT="Encrypted password for a Mandos client"

322

323

while [ ! -s "$SECFILE" ]; do

324

if [ -n "$PASSFILE" ]; then

325

cat "$PASSFILE"

326

else

327

tty --quiet && stty -echo

328

echo -n "Enter passphrase: " >/dev/tty

329

read first

330

tty --quiet && echo >&2

331

echo -n "Repeat passphrase: " >/dev/tty

332

read second

333

if tty --quiet; then

334

echo >&2

335

stty echo

336

337

if [ "$first" != "$second" ]; then

338

echo "Passphrase mismatch" >&2

339

touch "$RINGDIR"/mismatch

340

else

341

echo -n "$first"

342

343

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

344

--homedir "$RINGDIR" --trust-model always --armor \

345

--encrypt --sign --recipient "$FINGERPRINT" --comment \

346

"$FILECOMMENT" > "$SECFILE"

347

if [ -e "$RINGDIR"/mismatch ]; then

348

rm --force "$RINGDIR"/mismatch

349

if tty --quiet; then

350

> "$SECFILE"

351

else

352

exit 1

353

354

355

done

356

357

cat <<-EOF

358

[$KEYNAME]

359

host = $KEYNAME

360

fingerprint = $FINGERPRINT

361

secret =

362

EOF

363

sed --quiet --expression='

364

/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{

365

/^$/,${

366

# Remove 24-bit Radix-64 checksum

367

s/=....$//

368

# Indent four spaces

369

/^[^-]/s/^/ /p

370

}

371

}' < "$SECFILE"

372

if [ -n "$ssh_fingerprint" ]; then

373

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

374

echo "ssh_fingerprint = ${ssh_fingerprint}"

375

376

377

378

trap - EXIT

379

380

set +e

381

# Remove the password file, if any

382

if [ -n "$SECFILE" ]; then

383

shred --remove "$SECFILE"

384

385

# Remove the key rings

386

shred --remove "$RINGDIR"/sec* 2>/dev/null

387

rm --recursive --force "$RINGDIR"

Older »