/mandos/trunk : revision 13

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Björn Påhlsson
Date: 2008-07-20 02:52:20 UTC
Revision ID: belorn@braxen-20080720025220-r5u0388uy9iu23h6

Added following support:
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.7.15"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT=""

KEYEXPIRE=0

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

if [ ! -d "$KEYDIR" ]; then

KEYDIR="/etc/mandos/keys"

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

Key creation:

$basename [ OPTIONS ]

Encrypted password creation:

$basename { -p | --password } [ --name NAME ] [ --dir DIR]

$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]

Key creation options:

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

-c TEXT, --comment TEXT

Comment field for key. The default is empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

See gpg(1) for syntax.

-f, --force Force overwriting old key files.

Password creation options:

-p, --password Create an encrypted password using the key in

the key directory. All options other than

--dir and --name are ignored.

-F FILE, --passfile FILE

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

eval set -- "$TEMP"

while :; do

case "$1" in

-p|--password) mode=password; shift;;

-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;

-d|--dir) KEYDIR="$2"; shift 2;;

-t|--type) KEYTYPE="$2"; shift 2;;

100

-s|--subtype) SUBKEYTYPE="$2"; shift 2;;

101

-l|--length) KEYLENGTH="$2"; shift 2;;

102

-L|--sublength) SUBKEYLENGTH="$2"; shift 2;;

103

-n|--name) KEYNAME="$2"; shift 2;;

104

-e|--email) KEYEMAIL="$2"; shift 2;;

105

-c|--comment) KEYCOMMENT="$2"; shift 2;;

106

-x|--expire) KEYEXPIRE="$2"; shift 2;;

107

-f|--force) FORCE=yes; shift;;

108

-S|--no-ssh) SSH=no; shift;;

109

-v|--version) echo "$0 $VERSION"; exit;;

110

-h|--help) help; exit;;

111

--) shift; break;;

112

*) echo "Internal error" >&2; exit 1;;

113

esac

114

done

115

if [ "$#" -gt 0 ]; then

116

echo "Unknown arguments: '$*'" >&2

117

exit 1

118

119

120

SECKEYFILE="$KEYDIR/seckey.txt"

121

PUBKEYFILE="$KEYDIR/pubkey.txt"

122

123

# Check for some invalid values

124

if [ ! -d "$KEYDIR" ]; then

125

echo "$KEYDIR not a directory" >&2

126

exit 1

127

128

if [ ! -r "$KEYDIR" ]; then

129

echo "Directory $KEYDIR not readable" >&2

130

exit 1

131

132

133

if [ "$mode" = keygen ]; then

134

if [ ! -w "$KEYDIR" ]; then

135

echo "Directory $KEYDIR not writeable" >&2

136

exit 1

137

138

if [ -z "$KEYTYPE" ]; then

139

echo "Empty key type" >&2

140

exit 1

141

142

143

if [ -z "$KEYNAME" ]; then

144

echo "Empty key name" >&2

145

exit 1

146

147

148

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

149

echo "Invalid key length" >&2

150

exit 1

151

152

153

if [ -z "$KEYEXPIRE" ]; then

154

echo "Empty key expiration" >&2

155

exit 1

156

157

158

# Make FORCE be 0 or 1

159

case "$FORCE" in

160

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

161

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

162

esac

163

164

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \

165

&& [ "$FORCE" -eq 0 ]; then

166

echo "Refusing to overwrite old key files; use --force" >&2

167

exit 1

168

169

170

# Set lines for GnuPG batch file

171

if [ -n "$KEYCOMMENT" ]; then

172

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

173

174

if [ -n "$KEYEMAIL" ]; then

175

KEYEMAILLINE="Name-Email: $KEYEMAIL"

176

177

178

# Create temporary gpg batch file

179

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

180

181

182

if [ "$mode" = password ]; then

183

# Create temporary encrypted password file

184

SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`"

185

186

187

# Create temporary key ring directory

188

RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`"

189

190

# Remove temporary files on exit

191

trap "

192

set +e; \

193

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

194

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

195

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

196

rm --recursive --force \"$RINGDIR\";

197

tty --quiet && stty echo; \

198

" EXIT

199

200

set -e

201

202

umask 077

203

204

if [ "$mode" = keygen ]; then

205

# Create batch file for GnuPG

206

cat >"$BATCHFILE" <<-EOF

207

Key-Type: $KEYTYPE

208

Key-Length: $KEYLENGTH

209

Key-Usage: sign,auth

210

Subkey-Type: $SUBKEYTYPE

211

Subkey-Length: $SUBKEYLENGTH

212

Subkey-Usage: encrypt

213

Name-Real: $KEYNAME

214

$KEYCOMMENTLINE

215

$KEYEMAILLINE

216

Expire-Date: $KEYEXPIRE

217

#Preferences: <string>

218

#Handle: <no-spaces>

219

#%pubring pubring.gpg

220

#%secring secring.gpg

221

%no-protection

222

%commit

223

EOF

224

225

if tty --quiet; then

226

cat <<-EOF

227

Note: Due to entropy requirements, key generation could take

228

anything from a few minutes to SEVERAL HOURS. Please be

229

patient and/or supply the system with more entropy if needed.

230

EOF

231

echo -n "Started: "

232

date

233

234

235

# Make sure trustdb.gpg exists;

236

# this is a workaround for Debian bug #737128

237

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

238

--homedir "$RINGDIR" \

239

--import-ownertrust < /dev/null

240

# Generate a new key in the key rings

241

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

242

--homedir "$RINGDIR" --trust-model always \

243

--gen-key "$BATCHFILE"

244

rm --force "$BATCHFILE"

245

246

if tty --quiet; then

247

echo -n "Finished: "

248

date

249

250

251

# Backup any old key files

252

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

253

2>/dev/null; then

254

shred --remove "$SECKEYFILE"

255

256

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

257

2>/dev/null; then

258

rm --force "$PUBKEYFILE"

259

260

261

FILECOMMENT="Mandos client key for $KEYNAME"

262

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

263

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

264

265

266

if [ -n "$KEYEMAIL" ]; then

267

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

268

269

270

# Export key from key rings to key files

271

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

272

--homedir "$RINGDIR" --armor --export-options export-minimal \

273

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

274

--export-secret-keys

275

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

276

--homedir "$RINGDIR" --armor --export-options export-minimal \

277

--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export

278

279

280

if [ "$mode" = password ]; then

281

282

# Make SSH be 0 or 1

283

case "$SSH" in

284

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

285

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

286

esac

287

288

if [ $SSH -eq 1 ]; then

289

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

290

set +e

291

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

292

err=$?

293

set -e

294

if [ $err -ne 0 ]; then

295

ssh_fingerprint=""

296

continue

297

298

if [ -n "$ssh_fingerprint" ]; then

299

ssh_fingerprint="${ssh_fingerprint#localhost }"

300

break

301

302

done

303

304

305

# Import key into temporary key rings

306

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

307

--homedir "$RINGDIR" --trust-model always --armor \

308

--import "$SECKEYFILE"

309

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

310

--homedir "$RINGDIR" --trust-model always --armor \

311

--import "$PUBKEYFILE"

312

313

# Get fingerprint of key

314

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

315

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

316

--fingerprint --with-colons \

317

| sed --quiet \

318

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

319

320

test -n "$FINGERPRINT"

321

322

FILECOMMENT="Encrypted password for a Mandos client"

323

324

while [ ! -s "$SECFILE" ]; do

325

if [ -n "$PASSFILE" ]; then

326

cat "$PASSFILE"

327

else

328

tty --quiet && stty -echo

329

echo -n "Enter passphrase: " >/dev/tty

330

read -r first

331

tty --quiet && echo >&2

332

echo -n "Repeat passphrase: " >/dev/tty

333

read -r second

334

if tty --quiet; then

335

echo >&2

336

stty echo

337

338

if [ "$first" != "$second" ]; then

339

echo "Passphrase mismatch" >&2

340

touch "$RINGDIR"/mismatch

341

else

342

echo -n "$first"

343

344

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

345

--homedir "$RINGDIR" --trust-model always --armor \

346

--encrypt --sign --recipient "$FINGERPRINT" --comment \

347

"$FILECOMMENT" > "$SECFILE"

348

if [ -e "$RINGDIR"/mismatch ]; then

349

rm --force "$RINGDIR"/mismatch

350

if tty --quiet; then

351

> "$SECFILE"

352

else

353

exit 1

354

355

356

done

357

358

cat <<-EOF

359

[$KEYNAME]

360

host = $KEYNAME

361

fingerprint = $FINGERPRINT

362

secret =

363

EOF

364

sed --quiet --expression='

365

/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{

366

/^$/,${

367

# Remove 24-bit Radix-64 checksum

368

s/=....$//

369

# Indent four spaces

370

/^[^-]/s/^/ /p

371

}

372

}' < "$SECFILE"

373

if [ -n "$ssh_fingerprint" ]; then

374

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

375

echo "ssh_fingerprint = ${ssh_fingerprint}"

376

377

378

379

trap - EXIT

380

381

set +e

382

# Remove the password file, if any

383

if [ -n "$SECFILE" ]; then

384

shred --remove "$SECFILE"

385

386

# Remove the key rings

387

shred --remove "$RINGDIR"/sec* 2>/dev/null

388

rm --recursive --force "$RINGDIR"

Older »