/mandos/trunk : revision 1312

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2024-11-17 18:43:11 UTC
Revision ID: teddy@recompile.se-20241117184311-ox25kvngy62h209g

Debian package: Avoid suggesting a C compiler unnecessarily

The list of suggested packages, meant to enable the "mandos" program
to find the correct value of SO_BINDTODEVICE by using a C compiler,
are not necessary when Python 3.3 or later is used, since it has the
SO_BINDTODEVICE constant defined in the "socket" module. Also, Python
2.6 or older has the same constant in the old "IN" module. Therefore,
we should suggest these Python versions as alternatives to a C
compiler, so that a C compiler is not installed unnecessarily.

debian/control (Package: mandos/Suggests): Add "python3 (>= 3.3)" and
"python (<= 2.6)" as alternatives to "libc6-dev | libc-dev" and
"c-compiler".

files added:
bugs.xml

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# Mandos key generator - create new keys for a Mandos client

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.6.8"

VERSION="1.8.17"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYEMAIL=""

KEYCOMMENT=""

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is RSA.

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 4096.

OpenPGP key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is RSA.

OpenPGP subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 4096.

OpenPGP subkey length in bits. Default 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

Email address of OpenPGP key. Default empty.

-c TEXT, --comment TEXT

Comment field for key. The default is empty.

Comment field for OpenPGP key. Default empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

OpenPGP key expire time. Default is none.

See gpg(1) for syntax.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

104

109

-e|--email) KEYEMAIL="$2"; shift 2;;

105

110

-c|--comment) KEYCOMMENT="$2"; shift 2;;

106

111

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

107

113

-f|--force) FORCE=yes; shift;;

108

114

-S|--no-ssh) SSH=no; shift;;

109

115

-v|--version) echo "$0 $VERSION"; exit;;

113

119

esac

114

120

done

115

121

if [ "$#" -gt 0 ]; then

116

echo "Unknown arguments: '$@'" >&2

122

echo "Unknown arguments: '$*'" >&2

117

123

exit 1

118

124

119

125

120

126

SECKEYFILE="$KEYDIR/seckey.txt"

121

127

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

122

130

123

131

# Check for some invalid values

124

132

if [ ! -d "$KEYDIR" ]; then

139

147

echo "Empty key type" >&2

140

148

exit 1

141

149

142

150

143

151

if [ -z "$KEYNAME" ]; then

144

152

echo "Empty key name" >&2

145

153

exit 1

146

154

147

155

148

156

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

149

157

echo "Invalid key length" >&2

150

158

exit 1

151

159

152

160

153

161

if [ -z "$KEYEXPIRE" ]; then

154

162

echo "Empty key expiration" >&2

155

163

exit 1

156

164

157

165

158

166

# Make FORCE be 0 or 1

159

167

case "$FORCE" in

160

168

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

161

169

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

162

170

esac

163

164

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

165

-a "$FORCE" -eq 0 ]; then

171

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

175

&& [ "$FORCE" -eq 0 ]; then

166

176

echo "Refusing to overwrite old key files; use --force" >&2

167

177

exit 1

168

178

169

179

170

180

# Set lines for GnuPG batch file

171

181

if [ -n "$KEYCOMMENT" ]; then

172

182

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

174

184

if [ -n "$KEYEMAIL" ]; then

175

185

KEYEMAILLINE="Name-Email: $KEYEMAIL"

176

186

177

187

178

188

# Create temporary gpg batch file

179

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

180

191

181

192

182

193

if [ "$mode" = password ]; then

191

202

trap "

192

203

set +e; \

193

204

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

194

206

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

195

207

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

196

208

rm --recursive --force \"$RINGDIR\";

218

230

#Handle: <no-spaces>

219

231

#%pubring pubring.gpg

220

232

#%secring secring.gpg

233

%no-protection

221

234

%commit

222

235

EOF

223

236

224

237

if tty --quiet; then

225

238

cat <<-EOF

226

239

Note: Due to entropy requirements, key generation could take

230

243

echo -n "Started: "

231

244

date

232

245

233

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

256

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

259

rm --force "$TLS_PUBKEYFILE"

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

277

278

279

234

280

# Make sure trustdb.gpg exists;

235

281

# this is a workaround for Debian bug #737128

236

282

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

241

287

--homedir "$RINGDIR" --trust-model always \

242

288

--gen-key "$BATCHFILE"

243

289

rm --force "$BATCHFILE"

244

290

245

291

if tty --quiet; then

246

292

echo -n "Finished: "

247

293

date

248

294

249

295

250

296

# Backup any old key files

251

297

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

252

298

2>/dev/null; then

253

shred --remove "$SECKEYFILE"

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

254

300

255

301

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

256

302

2>/dev/null; then

257

303

rm --force "$PUBKEYFILE"

258

304

259

305

260

306

FILECOMMENT="Mandos client key for $KEYNAME"

261

307

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

262

308

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

263

309

264

310

265

311

if [ -n "$KEYEMAIL" ]; then

266

312

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

267

313

268

314

269

315

# Export key from key rings to key files

270

316

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

271

317

--homedir "$RINGDIR" --armor --export-options export-minimal \

277

323

278

324

279

325

if [ "$mode" = password ]; then

280

326

281

327

# Make SSH be 0 or 1

282

328

case "$SSH" in

283

329

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

284

330

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

285

331

esac

286

332

287

333

if [ $SSH -eq 1 ]; then

288

set +e

289

ssh_fingerprint="`ssh-keyscan localhost 2>/dev/null`"

290

if [ $? -ne 0 ]; then

291

ssh_fingerprint=""

292

293

set -e

294

ssh_fingerprint="${ssh_fingerprint#localhost }"

334

# The -q option is new in OpenSSH 9.8

335

for ssh_keyscan_quiet in "-q " ""; do

336

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

337

set +e

338

ssh_fingerprint="`ssh-keyscan ${ssh_keyscan_quiet}-t $ssh_keytype localhost 2>/dev/null`"

339

err=$?

340

set -e

341

if [ $err -ne 0 ]; then

342

ssh_fingerprint=""

343

continue

344

345

if [ -n "$ssh_fingerprint" ]; then

346

ssh_fingerprint="${ssh_fingerprint#localhost }"

347

break 2

348

349

done

350

done

295

351

296

352

297

353

# Import key into temporary key rings

298

354

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

299

355

--homedir "$RINGDIR" --trust-model always --armor \

301

357

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

302

358

--homedir "$RINGDIR" --trust-model always --armor \

303

359

--import "$PUBKEYFILE"

304

360

305

361

# Get fingerprint of key

306

362

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

307

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

363

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

308

364

--fingerprint --with-colons \

309

365

| sed --quiet \

310

366

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

311

367

312

368

test -n "$FINGERPRINT"

313

369

370

if [ -r "$TLS_PUBKEYFILE" ]; then

371

KEY_ID="$(certtool --key-id --hash=sha256 \

372

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

373

374

if [ -z "$KEY_ID" ]; then

375

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

376

-outform der \

377

| openssl sha256 \

378

| sed --expression='s/^.*[^[:xdigit:]]//')

379

380

test -n "$KEY_ID"

381

382

314

383

FILECOMMENT="Encrypted password for a Mandos client"

315

384

316

385

while [ ! -s "$SECFILE" ]; do

317

386

if [ -n "$PASSFILE" ]; then

318

cat "$PASSFILE"

387

cat -- "$PASSFILE"

319

388

else

320

389

tty --quiet && stty -echo

321

echo -n "Enter passphrase: " >&2

322

read first

390

echo -n "Enter passphrase: " >/dev/tty

391

read -r first

323

392

tty --quiet && echo >&2

324

echo -n "Repeat passphrase: " >&2

325

read second

393

echo -n "Repeat passphrase: " >/dev/tty

394

read -r second

326

395

if tty --quiet; then

327

396

echo >&2

328

397

stty echo

331

400

echo "Passphrase mismatch" >&2

332

401

touch "$RINGDIR"/mismatch

333

402

else

334

echo -n "$first"

403

printf "%s" "$first"

335

404

336

405

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

337

406

--homedir "$RINGDIR" --trust-model always --armor \

346

415

347

416

348

417

done

349

418

350

419

cat <<-EOF

351

420

[$KEYNAME]

352

421

host = $KEYNAME

422

EOF

423

if [ -n "$KEY_ID" ]; then

424

echo "key_id = $KEY_ID"

425

426

cat <<-EOF

353

427

fingerprint = $FINGERPRINT

354

428

secret =

355

429

EOF

363

437

}

364

438

}' < "$SECFILE"

365

439

if [ -n "$ssh_fingerprint" ]; then

366

echo 'checker = ssh-keyscan %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

440

echo 'checker = ssh-keyscan '"$ssh_keyscan_quiet"'-t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

367

441

echo "ssh_fingerprint = ${ssh_fingerprint}"

368

442

369

443

373

447

set +e

374

448

# Remove the password file, if any

375

449

if [ -n "$SECFILE" ]; then

376

shred --remove "$SECFILE"

450

shred --remove "$SECFILE" 2>/dev/null

377

451

378

452

# Remove the key rings

379

453

shred --remove "$RINGDIR"/sec* 2>/dev/null

Older »