/mandos/trunk : revision 1312

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2024-11-17 18:43:11 UTC
Revision ID: teddy@recompile.se-20241117184311-ox25kvngy62h209g

Debian package: Avoid suggesting a C compiler unnecessarily

The list of suggested packages, meant to enable the "mandos" program
to find the correct value of SO_BINDTODEVICE by using a C compiler,
are not necessary when Python 3.3 or later is used, since it has the
SO_BINDTODEVICE constant defined in the "socket" module. Also, Python
2.6 or older has the same constant in the old "IN" module. Therefore,
we should suggest these Python versions as alternatives to a C
compiler, so that a C compiler is not installed unnecessarily.

debian/control (Package: mandos/Suggests): Add "python3 (>= 3.3)" and
"python (<= 2.6)" as alternatives to "libc6-dev | libc-dev" and
"c-compiler".

files added:
debian/mandos.maintscript

debian/po/es.po

debian/po/nl.po

debian/po/pt_BR.po

files modified:
.bzrignore

DBUS-API

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/po/fr.po

debian/rules

dracut-module/ask-password-mandos.service

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-monitor

mandos-to-cryptroot-unlock

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/plymouth.c

plugins.d/splashy.c

plugins.d/usplash.c

Show diffs side-by-side

added added

removed removed

mandos-keygen

# Contact the authors at <mandos@recompile.se>.

VERSION="1.8.9"

VERSION="1.8.17"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

147

echo "Empty key type" >&2

148

exit 1

149

150

151

if [ -z "$KEYNAME" ]; then

152

echo "Empty key name" >&2

153

exit 1

154

155

156

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

157

echo "Invalid key length" >&2

158

exit 1

159

160

161

if [ -z "$KEYEXPIRE" ]; then

162

echo "Empty key expiration" >&2

163

exit 1

164

165

166

# Make FORCE be 0 or 1

167

case "$FORCE" in

168

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

169

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

170

esac

171

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

176

echo "Refusing to overwrite old key files; use --force" >&2

177

exit 1

178

179

180

# Set lines for GnuPG batch file

181

if [ -n "$KEYCOMMENT" ]; then

182

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

184

if [ -n "$KEYEMAIL" ]; then

185

KEYEMAILLINE="Name-Email: $KEYEMAIL"

186

187

188

# Create temporary gpg batch file

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

233

%no-protection

234

%commit

235

EOF

236

237

if tty --quiet; then

238

cat <<-EOF

239

Note: Due to entropy requirements, key generation could take

276

277

278

279

280

# Make sure trustdb.gpg exists;

281

# this is a workaround for Debian bug #737128

282

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

287

--homedir "$RINGDIR" --trust-model always \

288

--gen-key "$BATCHFILE"

289

rm --force "$BATCHFILE"

290

291

if tty --quiet; then

292

echo -n "Finished: "

293

date

294

295

296

# Backup any old key files

297

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

298

2>/dev/null; then

302

2>/dev/null; then

303

rm --force "$PUBKEYFILE"

304

305

306

FILECOMMENT="Mandos client key for $KEYNAME"

307

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

308

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

309

310

311

if [ -n "$KEYEMAIL" ]; then

312

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

313

314

315

# Export key from key rings to key files

316

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

317

--homedir "$RINGDIR" --armor --export-options export-minimal \

323

324

325

if [ "$mode" = password ]; then

326

327

# Make SSH be 0 or 1

328

case "$SSH" in

329

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

330

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

331

esac

332

333

if [ $SSH -eq 1 ]; then

334

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

335

set +e

336

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

337

err=$?

338

set -e

339

if [ $err -ne 0 ]; then

340

ssh_fingerprint=""

341

continue

342

343

if [ -n "$ssh_fingerprint" ]; then

344

ssh_fingerprint="${ssh_fingerprint#localhost }"

345

break

346

334

# The -q option is new in OpenSSH 9.8

335

for ssh_keyscan_quiet in "-q " ""; do

336

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

337

set +e

338

ssh_fingerprint="`ssh-keyscan ${ssh_keyscan_quiet}-t $ssh_keytype localhost 2>/dev/null`"

339

err=$?

340

set -e

341

if [ $err -ne 0 ]; then

342

ssh_fingerprint=""

343

continue

344

345

if [ -n "$ssh_fingerprint" ]; then

346

ssh_fingerprint="${ssh_fingerprint#localhost }"

347

break 2

348

349

done

347

350

done

348

351

349

352

350

353

# Import key into temporary key rings

351

354

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

352

355

--homedir "$RINGDIR" --trust-model always --armor \

354

357

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

355

358

--homedir "$RINGDIR" --trust-model always --armor \

356

359

--import "$PUBKEYFILE"

357

360

358

361

# Get fingerprint of key

359

362

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

360

363

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

361

364

--fingerprint --with-colons \

362

365

| sed --quiet \

363

366

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

364

367

365

368

test -n "$FINGERPRINT"

366

369

367

370

if [ -r "$TLS_PUBKEYFILE" ]; then

368

371

KEY_ID="$(certtool --key-id --hash=sha256 \

369

372

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

376

379

377

380

test -n "$KEY_ID"

378

381

379

382

380

383

FILECOMMENT="Encrypted password for a Mandos client"

381

384

382

385

while [ ! -s "$SECFILE" ]; do

383

386

if [ -n "$PASSFILE" ]; then

384

387

cat -- "$PASSFILE"

397

400

echo "Passphrase mismatch" >&2

398

401

touch "$RINGDIR"/mismatch

399

402

else

400

echo -n "$first"

403

printf "%s" "$first"

401

404

402

405

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

403

406

--homedir "$RINGDIR" --trust-model always --armor \

412

415

413

416

414

417

done

415

418

416

419

cat <<-EOF

417

420

[$KEYNAME]

418

421

host = $KEYNAME

434

437

}

435

438

}' < "$SECFILE"

436

439

if [ -n "$ssh_fingerprint" ]; then

437

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

440

echo 'checker = ssh-keyscan '"$ssh_keyscan_quiet"'-t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

438

441

echo "ssh_fingerprint = ${ssh_fingerprint}"

439

442

440

443

Older »