/mandos/trunk : revision 1312

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2024-11-17 18:43:11 UTC
Revision ID: teddy@recompile.se-20241117184311-ox25kvngy62h209g

Debian package: Avoid suggesting a C compiler unnecessarily

The list of suggested packages, meant to enable the "mandos" program
to find the correct value of SO_BINDTODEVICE by using a C compiler,
are not necessary when Python 3.3 or later is used, since it has the
SO_BINDTODEVICE constant defined in the "socket" module. Also, Python
2.6 or older has the same constant in the old "IN" module. Therefore,
we should suggest these Python versions as alternatives to a C
compiler, so that a C compiler is not installed unnecessarily.

debian/control (Package: mandos/Suggests): Add "python3 (>= 3.3)" and
"python (<= 2.6)" as alternatives to "libc6-dev | libc-dev" and
"c-compiler".

files added:
DBUS-API

bugs.xml

dbus-mandos.conf

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/plymouth.c

plugins.d/plymouth.xml

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# Mandos key generator - create new keys for a Mandos client

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.0.12"

VERSION="1.8.17"

KEYDIR="/etc/keys/mandos"

KEYTYPE=DSA

KEYLENGTH=2048

SUBKEYTYPE=ELG-E

SUBKEYLENGTH=2048

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT="Mandos client key"

KEYCOMMENT=""

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:f \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is DSA.

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 2048.

OpenPGP key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is ELG-E.

OpenPGP subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 2048.

OpenPGP subkey length in bits. Default 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

Email address of OpenPGP key. Default empty.

-c TEXT, --comment TEXT

Comment field for key. The default value is

"Mandos client key".

Comment field for OpenPGP key. Default empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

OpenPGP key expire time. Default is none.

See gpg(1) for syntax.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

103

109

-e|--email) KEYEMAIL="$2"; shift 2;;

104

110

-c|--comment) KEYCOMMENT="$2"; shift 2;;

105

111

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

106

113

-f|--force) FORCE=yes; shift;;

114

-S|--no-ssh) SSH=no; shift;;

107

115

-v|--version) echo "$0 $VERSION"; exit;;

108

116

-h|--help) help; exit;;

109

117

--) shift; break;;

111

119

esac

112

120

done

113

121

if [ "$#" -gt 0 ]; then

114

echo "Unknown arguments: '$@'" >&2

122

echo "Unknown arguments: '$*'" >&2

115

123

exit 1

116

124

117

125

118

126

SECKEYFILE="$KEYDIR/seckey.txt"

119

127

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

120

130

121

131

# Check for some invalid values

122

132

if [ ! -d "$KEYDIR" ]; then

137

147

echo "Empty key type" >&2

138

148

exit 1

139

149

140

150

141

151

if [ -z "$KEYNAME" ]; then

142

152

echo "Empty key name" >&2

143

153

exit 1

144

154

145

155

146

156

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

147

157

echo "Invalid key length" >&2

148

158

exit 1

149

159

150

160

151

161

if [ -z "$KEYEXPIRE" ]; then

152

162

echo "Empty key expiration" >&2

153

163

exit 1

154

164

155

165

156

166

# Make FORCE be 0 or 1

157

167

case "$FORCE" in

158

168

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

159

169

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

160

170

esac

161

162

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

163

-a "$FORCE" -eq 0 ]; then

171

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

175

&& [ "$FORCE" -eq 0 ]; then

164

176

echo "Refusing to overwrite old key files; use --force" >&2

165

177

exit 1

166

178

167

179

168

180

# Set lines for GnuPG batch file

169

181

if [ -n "$KEYCOMMENT" ]; then

170

182

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

172

184

if [ -n "$KEYEMAIL" ]; then

173

185

KEYEMAILLINE="Name-Email: $KEYEMAIL"

174

186

175

187

176

188

# Create temporary gpg batch file

177

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

178

191

179

192

180

193

if [ "$mode" = password ]; then

189

202

trap "

190

203

set +e; \

191

204

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

192

shred --remove \"$RINGDIR\"/sec*;

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

206

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

193

207

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

194

208

rm --recursive --force \"$RINGDIR\";

195

stty echo; \

209

tty --quiet && stty echo; \

196

210

" EXIT

197

211

212

set -e

213

198

214

umask 077

199

215

200

216

if [ "$mode" = keygen ]; then

202

218

cat >"$BATCHFILE" <<-EOF

203

219

Key-Type: $KEYTYPE

204

220

Key-Length: $KEYLENGTH

205

#Key-Usage: encrypt,sign,auth

221

Key-Usage: sign,auth

206

222

Subkey-Type: $SUBKEYTYPE

207

223

Subkey-Length: $SUBKEYLENGTH

208

#Subkey-Usage: encrypt,sign,auth

224

Subkey-Usage: encrypt

209

225

Name-Real: $KEYNAME

210

226

$KEYCOMMENTLINE

211

227

$KEYEMAILLINE

214

230

#Handle: <no-spaces>

215

231

#%pubring pubring.gpg

216

232

#%secring secring.gpg

233

%no-protection

217

234

%commit

218

235

EOF

219

236

237

if tty --quiet; then

238

cat <<-EOF

239

Note: Due to entropy requirements, key generation could take

240

anything from a few minutes to SEVERAL HOURS. Please be

241

patient and/or supply the system with more entropy if needed.

242

EOF

243

echo -n "Started: "

244

date

245

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

256

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

259

rm --force "$TLS_PUBKEYFILE"

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

277

278

279

280

# Make sure trustdb.gpg exists;

281

# this is a workaround for Debian bug #737128

282

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

283

--homedir "$RINGDIR" \

284

--import-ownertrust < /dev/null

220

285

# Generate a new key in the key rings

221

286

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

222

287

--homedir "$RINGDIR" --trust-model always \

223

288

--gen-key "$BATCHFILE"

224

289

rm --force "$BATCHFILE"

225

290

291

if tty --quiet; then

292

echo -n "Finished: "

293

date

294

295

226

296

# Backup any old key files

227

297

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

228

298

2>/dev/null; then

229

shred --remove "$SECKEYFILE"

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

230

300

231

301

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

232

302

2>/dev/null; then

233

303

rm --force "$PUBKEYFILE"

234

304

235

305

236

306

FILECOMMENT="Mandos client key for $KEYNAME"

237

307

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

238

308

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

239

309

240

310

241

311

if [ -n "$KEYEMAIL" ]; then

242

312

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

243

313

244

314

245

315

# Export key from key rings to key files

246

316

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

247

317

--homedir "$RINGDIR" --armor --export-options export-minimal \

253

323

254

324

255

325

if [ "$mode" = password ]; then

326

327

# Make SSH be 0 or 1

328

case "$SSH" in

329

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

330

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

331

esac

332

333

if [ $SSH -eq 1 ]; then

334

# The -q option is new in OpenSSH 9.8

335

for ssh_keyscan_quiet in "-q " ""; do

336

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

337

set +e

338

ssh_fingerprint="`ssh-keyscan ${ssh_keyscan_quiet}-t $ssh_keytype localhost 2>/dev/null`"

339

err=$?

340

set -e

341

if [ $err -ne 0 ]; then

342

ssh_fingerprint=""

343

continue

344

345

if [ -n "$ssh_fingerprint" ]; then

346

ssh_fingerprint="${ssh_fingerprint#localhost }"

347

break 2

348

349

done

350

done

351

352

256

353

# Import key into temporary key rings

257

354

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

258

355

--homedir "$RINGDIR" --trust-model always --armor \

260

357

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

261

358

--homedir "$RINGDIR" --trust-model always --armor \

262

359

--import "$PUBKEYFILE"

263

360

264

361

# Get fingerprint of key

265

362

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

266

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

363

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

267

364

--fingerprint --with-colons \

268

365

| sed --quiet \

269

366

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

270

367

271

368

test -n "$FINGERPRINT"

272

369

370

if [ -r "$TLS_PUBKEYFILE" ]; then

371

KEY_ID="$(certtool --key-id --hash=sha256 \

372

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

373

374

if [ -z "$KEY_ID" ]; then

375

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

376

-outform der \

377

| openssl sha256 \

378

| sed --expression='s/^.*[^[:xdigit:]]//')

379

380

test -n "$KEY_ID"

381

382

273

383

FILECOMMENT="Encrypted password for a Mandos client"

274

275

if [ -n "$PASSFILE" ]; then

276

cat "$PASSFILE"

277

else

278

stty -echo

279

echo -n "Enter passphrase: " >&2

280

first="$(head --lines=1 | tr --delete '\n')"

281

echo -n -e "\nRepeat passphrase: " >&2

282

second="$(head --lines=1 | tr --delete '\n')"

283

echo >&2

284

stty echo

285

if [ "$first" != "$second" ]; then

286

echo -e "Passphrase mismatch" >&2

287

touch "$RINGDIR"/mismatch

384

385

while [ ! -s "$SECFILE" ]; do

386

if [ -n "$PASSFILE" ]; then

387

cat -- "$PASSFILE"

288

388

else

289

echo -n "$first"

389

tty --quiet && stty -echo

390

echo -n "Enter passphrase: " >/dev/tty

391

read -r first

392

tty --quiet && echo >&2

393

echo -n "Repeat passphrase: " >/dev/tty

394

read -r second

395

if tty --quiet; then

396

echo >&2

397

stty echo

398

399

if [ "$first" != "$second" ]; then

400

echo "Passphrase mismatch" >&2

401

touch "$RINGDIR"/mismatch

402

else

403

printf "%s" "$first"

404

405

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

406

--homedir "$RINGDIR" --trust-model always --armor \

407

--encrypt --sign --recipient "$FINGERPRINT" --comment \

408

"$FILECOMMENT" > "$SECFILE"

409

if [ -e "$RINGDIR"/mismatch ]; then

410

rm --force "$RINGDIR"/mismatch

411

if tty --quiet; then

412

> "$SECFILE"

413

else

414

exit 1

415

290

416

291

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

292

--homedir "$RINGDIR" --trust-model always --armor --encrypt \

293

--sign --recipient "$FINGERPRINT" --comment "$FILECOMMENT" \

294

> "$SECFILE"

295

if [ -e "$RINGDIR"/mismatch ]; then

296

rm --force "$RINGDIR"/mismatch

297

exit 1

298

299

417

done

418

300

419

cat <<-EOF

301

420

[$KEYNAME]

302

421

host = $KEYNAME

422

EOF

423

if [ -n "$KEY_ID" ]; then

424

echo "key_id = $KEY_ID"

425

426

cat <<-EOF

303

427

fingerprint = $FINGERPRINT

304

428

secret =

305

429

EOF

312

436

/^[^-]/s/^/ /p

313

437

}

314

438

}' < "$SECFILE"

439

if [ -n "$ssh_fingerprint" ]; then

440

echo 'checker = ssh-keyscan '"$ssh_keyscan_quiet"'-t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

441

echo "ssh_fingerprint = ${ssh_fingerprint}"

442

315

443

316

444

317

445

trap - EXIT

319

447

set +e

320

448

# Remove the password file, if any

321

449

if [ -n "$SECFILE" ]; then

322

shred --remove "$SECFILE"

450

shred --remove "$SECFILE" 2>/dev/null

323

451

324

452

# Remove the key rings

325

shred --remove "$RINGDIR"/sec*

453

shred --remove "$RINGDIR"/sec* 2>/dev/null

326

454

rm --recursive --force "$RINGDIR"

Older »