/mandos/trunk : revision 1312

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2024-11-17 18:43:11 UTC
Revision ID: teddy@recompile.se-20241117184311-ox25kvngy62h209g

Debian package: Avoid suggesting a C compiler unnecessarily

The list of suggested packages, meant to enable the "mandos" program
to find the correct value of SO_BINDTODEVICE by using a C compiler,
are not necessary when Python 3.3 or later is used, since it has the
SO_BINDTODEVICE constant defined in the "socket" module. Also, Python
2.6 or older has the same constant in the old "IN" module. Therefore,
we should suggest these Python versions as alternatives to a C
compiler, so that a C compiler is not installed unnecessarily.

debian/control (Package: mandos/Suggests): Add "python3 (>= 3.3)" and
"python (<= 2.6)" as alternatives to "libc6-dev | libc-dev" and
"c-compiler".

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

NEWS

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.maintscript

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/rules

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

debian/watch

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
etc-plugins.d-README

initramfs-tools-hook-conf

plugins.d/usplash

files modified:
.bzrignore

INSTALL

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# Mandos key generator - create new keys for a Mandos client

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.0"

VERSION="1.8.17"

KEYDIR="/etc/keys/mandos"

KEYTYPE=DSA

KEYLENGTH=2048

SUBKEYTYPE=ELG-E

SUBKEYLENGTH=2048

KEYNAME="`hostname --fqdn`"

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT="Mandos client key"

KEYCOMMENT=""

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

# Parse options

TEMP=`getopt --options vhd:t:l:n:e:c:x:f \

--longoptions version,help,password,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

$basename [ OPTIONS ]

Encrypted password creation:

$basename { -p | --password } [ --name NAME ] [ --dir DIR]

$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]

Key creation options:

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is DSA.

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 2048.

OpenPGP key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is ELG-E.

OpenPGP subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 2048.

OpenPGP subkey length in bits. Default 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

Email address of OpenPGP key. Default empty.

-c TEXT, --comment TEXT

Comment field for key. The default value is

"Mandos client key".

Comment field for OpenPGP key. Default empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

OpenPGP key expire time. Default is none.

See gpg(1) for syntax.

-f, --force Force overwriting old keys.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

-p, --password Create an encrypted password using the keys in

the key directory. All options other than

--dir and --name are ignored.

-p, --password Create an encrypted password using the key in

the key directory. All options other than

--dir and --name are ignored.

-F FILE, --passfile FILE

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

while :; do

100

case "$1" in

101

-p|--password) mode=password; shift;;

102

-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;

103

-d|--dir) KEYDIR="$2"; shift 2;;

104

-t|--type) KEYTYPE="$2"; shift 2;;

105

-s|--subtype) SUBKEYTYPE="$2"; shift 2;;

109

-e|--email) KEYEMAIL="$2"; shift 2;;

110

-c|--comment) KEYCOMMENT="$2"; shift 2;;

111

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

113

-f|--force) FORCE=yes; shift;;

114

-S|--no-ssh) SSH=no; shift;;

100

115

-v|--version) echo "$0 $VERSION"; exit;;

101

116

-h|--help) help; exit;;

102

117

--) shift; break;;

104

119

esac

105

120

done

106

121

if [ "$#" -gt 0 ]; then

107

echo "Unknown arguments: '$@'" >&2

122

echo "Unknown arguments: '$*'" >&2

108

123

exit 1

109

124

110

125

111

126

SECKEYFILE="$KEYDIR/seckey.txt"

112

127

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

113

130

114

131

# Check for some invalid values

115

132

if [ ! -d "$KEYDIR" ]; then

130

147

echo "Empty key type" >&2

131

148

exit 1

132

149

133

150

134

151

if [ -z "$KEYNAME" ]; then

135

152

echo "Empty key name" >&2

136

153

exit 1

137

154

138

155

139

156

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

140

157

echo "Invalid key length" >&2

141

158

exit 1

145

162

echo "Empty key expiration" >&2

146

163

exit 1

147

164

148

165

149

166

# Make FORCE be 0 or 1

150

167

case "$FORCE" in

151

168

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

152

169

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

153

170

esac

154

155

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

156

-a "$FORCE" -eq 0 ]; then

171

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

175

&& [ "$FORCE" -eq 0 ]; then

157

176

echo "Refusing to overwrite old key files; use --force" >&2

158

177

exit 1

159

178

160

179

161

180

# Set lines for GnuPG batch file

162

181

if [ -n "$KEYCOMMENT" ]; then

163

182

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

168

187

169

188

# Create temporary gpg batch file

170

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

171

191

172

192

173

193

if [ "$mode" = password ]; then

182

202

trap "

183

203

set +e; \

184

204

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

185

shred --remove \"$RINGDIR\"/sec*;

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

206

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

186

207

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

187

208

rm --recursive --force \"$RINGDIR\";

188

stty echo; \

209

tty --quiet && stty echo; \

189

210

" EXIT

190

211

212

set -e

213

191

214

umask 077

192

215

193

216

if [ "$mode" = keygen ]; then

195

218

cat >"$BATCHFILE" <<-EOF

196

219

Key-Type: $KEYTYPE

197

220

Key-Length: $KEYLENGTH

198

#Key-Usage: encrypt,sign,auth

221

Key-Usage: sign,auth

199

222

Subkey-Type: $SUBKEYTYPE

200

223

Subkey-Length: $SUBKEYLENGTH

201

#Subkey-Usage: encrypt,sign,auth

224

Subkey-Usage: encrypt

202

225

Name-Real: $KEYNAME

203

226

$KEYCOMMENTLINE

204

227

$KEYEMAILLINE

207

230

#Handle: <no-spaces>

208

231

#%pubring pubring.gpg

209

232

#%secring secring.gpg

233

%no-protection

210

234

%commit

211

235

EOF

212

236

237

if tty --quiet; then

238

cat <<-EOF

239

Note: Due to entropy requirements, key generation could take

240

anything from a few minutes to SEVERAL HOURS. Please be

241

patient and/or supply the system with more entropy if needed.

242

EOF

243

echo -n "Started: "

244

date

245

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

256

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

259

rm --force "$TLS_PUBKEYFILE"

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

277

278

279

280

# Make sure trustdb.gpg exists;

281

# this is a workaround for Debian bug #737128

282

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

283

--homedir "$RINGDIR" \

284

--import-ownertrust < /dev/null

213

285

# Generate a new key in the key rings

214

286

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

215

287

--homedir "$RINGDIR" --trust-model always \

216

288

--gen-key "$BATCHFILE"

217

289

rm --force "$BATCHFILE"

218

290

291

if tty --quiet; then

292

echo -n "Finished: "

293

date

294

295

219

296

# Backup any old key files

220

297

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

221

298

2>/dev/null; then

222

shred --remove "$SECKEYFILE"

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

223

300

224

301

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

225

302

2>/dev/null; then

226

303

rm --force "$PUBKEYFILE"

227

304

228

305

229

306

FILECOMMENT="Mandos client key for $KEYNAME"

230

307

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

231

308

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

232

309

233

310

234

311

if [ -n "$KEYEMAIL" ]; then

235

312

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

236

313

237

238

# Export keys from key rings to key files

314

315

# Export key from key rings to key files

239

316

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

240

317

--homedir "$RINGDIR" --armor --export-options export-minimal \

241

318

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

246

323

247

324

248

325

if [ "$mode" = password ]; then

249

# Import keys into temporary key rings

326

327

# Make SSH be 0 or 1

328

case "$SSH" in

329

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

330

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

331

esac

332

333

if [ $SSH -eq 1 ]; then

334

# The -q option is new in OpenSSH 9.8

335

for ssh_keyscan_quiet in "-q " ""; do

336

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

337

set +e

338

ssh_fingerprint="`ssh-keyscan ${ssh_keyscan_quiet}-t $ssh_keytype localhost 2>/dev/null`"

339

err=$?

340

set -e

341

if [ $err -ne 0 ]; then

342

ssh_fingerprint=""

343

continue

344

345

if [ -n "$ssh_fingerprint" ]; then

346

ssh_fingerprint="${ssh_fingerprint#localhost }"

347

break 2

348

349

done

350

done

351

352

353

# Import key into temporary key rings

250

354

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

251

355

--homedir "$RINGDIR" --trust-model always --armor \

252

356

--import "$SECKEYFILE"

253

357

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

254

358

--homedir "$RINGDIR" --trust-model always --armor \

255

359

--import "$PUBKEYFILE"

256

360

257

361

# Get fingerprint of key

258

362

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

259

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

363

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

260

364

--fingerprint --with-colons \

261

365

| sed --quiet \

262

366

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

263

367

264

368

test -n "$FINGERPRINT"

265

369

370

if [ -r "$TLS_PUBKEYFILE" ]; then

371

KEY_ID="$(certtool --key-id --hash=sha256 \

372

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

373

374

if [ -z "$KEY_ID" ]; then

375

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

376

-outform der \

377

| openssl sha256 \

378

| sed --expression='s/^.*[^[:xdigit:]]//')

379

380

test -n "$KEY_ID"

381

382

266

383

FILECOMMENT="Encrypted password for a Mandos client"

267

268

stty -echo

269

echo -n "Enter passphrase: " >&2

270

head --lines=1 | tr --delete '\n' \

271

| gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

272

--homedir "$RINGDIR" --trust-model always --armor --encrypt \

273

--recipient "$FINGERPRINT" --comment "$FILECOMMENT" \

274

> "$SECFILE"

275

echo >&2

276

stty echo

277

384

385

while [ ! -s "$SECFILE" ]; do

386

if [ -n "$PASSFILE" ]; then

387

cat -- "$PASSFILE"

388

else

389

tty --quiet && stty -echo

390

echo -n "Enter passphrase: " >/dev/tty

391

read -r first

392

tty --quiet && echo >&2

393

echo -n "Repeat passphrase: " >/dev/tty

394

read -r second

395

if tty --quiet; then

396

echo >&2

397

stty echo

398

399

if [ "$first" != "$second" ]; then

400

echo "Passphrase mismatch" >&2

401

touch "$RINGDIR"/mismatch

402

else

403

printf "%s" "$first"

404

405

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

406

--homedir "$RINGDIR" --trust-model always --armor \

407

--encrypt --sign --recipient "$FINGERPRINT" --comment \

408

"$FILECOMMENT" > "$SECFILE"

409

if [ -e "$RINGDIR"/mismatch ]; then

410

rm --force "$RINGDIR"/mismatch

411

if tty --quiet; then

412

> "$SECFILE"

413

else

414

exit 1

415

416

417

done

418

278

419

cat <<-EOF

279

420

[$KEYNAME]

280

421

host = $KEYNAME

422

EOF

423

if [ -n "$KEY_ID" ]; then

424

echo "key_id = $KEY_ID"

425

426

cat <<-EOF

281

427

fingerprint = $FINGERPRINT

282

428

secret =

283

EOF

429

EOF

284

430

sed --quiet --expression='

285

431

/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{

286

432

/^$/,${

290

436

/^[^-]/s/^/ /p

291

437

}

292

438

}' < "$SECFILE"

439

if [ -n "$ssh_fingerprint" ]; then

440

echo 'checker = ssh-keyscan '"$ssh_keyscan_quiet"'-t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

441

echo "ssh_fingerprint = ${ssh_fingerprint}"

442

293

443

294

444

295

445

trap - EXIT

297

447

set +e

298

448

# Remove the password file, if any

299

449

if [ -n "$SECFILE" ]; then

300

shred --remove "$SECFILE"

450

shred --remove "$SECFILE" 2>/dev/null

301

451

302

452

# Remove the key rings

303

shred --remove "$RINGDIR"/sec*

453

shred --remove "$RINGDIR"/sec* 2>/dev/null

304

454

rm --recursive --force "$RINGDIR"

Older »