/mandos/trunk : revision 1313

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2024-11-22 20:28:54 UTC
Revision ID: teddy@recompile.se-20241122202854-dycuf117byxhxl32

mandos-monitor: Avoid debug messages from urwid

Avoid debug messages from urwid. Any logging output before the screen
has been set up will mangle the screen.

* mandos-monitor: When setting up logging, set urwid to only show log
messages of level INFO or above.

(Thanks to an anonymous contributor for reporting this.)

files added:
debian/mandos.maintscript

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf-hook

sysusers.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.templates

debian/rules

debian/watch

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

# Contact the authors at <mandos@recompile.se>.

VERSION="1.7.20"

VERSION="1.8.17"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

147

echo "Empty key type" >&2

148

exit 1

149

150

151

if [ -z "$KEYNAME" ]; then

152

echo "Empty key name" >&2

153

exit 1

154

155

156

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

157

echo "Invalid key length" >&2

158

exit 1

159

160

161

if [ -z "$KEYEXPIRE" ]; then

162

echo "Empty key expiration" >&2

163

exit 1

164

165

166

# Make FORCE be 0 or 1

167

case "$FORCE" in

168

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

169

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

170

esac

171

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

176

echo "Refusing to overwrite old key files; use --force" >&2

177

exit 1

178

179

180

# Set lines for GnuPG batch file

181

if [ -n "$KEYCOMMENT" ]; then

182

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

184

if [ -n "$KEYEMAIL" ]; then

185

KEYEMAILLINE="Name-Email: $KEYEMAIL"

186

187

188

# Create temporary gpg batch file

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

190

191

192

193

if [ "$mode" = password ]; then

201

202

trap "

202

203

set +e; \

203

204

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

204

206

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

205

207

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

206

208

rm --recursive --force \"$RINGDIR\";

231

233

%no-protection

232

234

%commit

233

235

EOF

234

236

235

237

if tty --quiet; then

236

238

cat <<-EOF

237

239

Note: Due to entropy requirements, key generation could take

241

243

echo -n "Started: "

242

244

date

243

245

244

245

# Backup any old key files

246

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

247

2>/dev/null; then

248

shred --remove "$TLS_PRIVKEYFILE"

249

250

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

251

2>/dev/null; then

252

rm --force "$TLS_PUBKEYFILE"

253

254

255

## Generate TLS private key

256

257

# First try certtool from GnuTLS

258

if ! certtool --generate-privkey --password='' \

259

--outfile "$TLS_PRIVKEYFILE" --sec-param ultra \

260

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

261

# Otherwise try OpenSSL

262

if ! openssl genpkey -algorithm X25519 -out \

263

/etc/keys/mandos/tls-privkey.pem; then

264

rm --force /etc/keys/mandos/tls-privkey.pem

265

# None of the commands succeded; give up

266

return 1

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

267

256

268

269

270

## TLS public key

271

272

# First try certtool from GnuTLS

273

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

274

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

275

2>/dev/null; then

276

# Otherwise try OpenSSL

277

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

278

-out "$TLS_PUBKEYFILE" -pubout; then

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

279

259

rm --force "$TLS_PUBKEYFILE"

280

# None of the commands succeded; give up

281

return 1

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

282

277

283

278

284

279

285

280

# Make sure trustdb.gpg exists;

286

281

# this is a workaround for Debian bug #737128

287

282

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

292

287

--homedir "$RINGDIR" --trust-model always \

293

288

--gen-key "$BATCHFILE"

294

289

rm --force "$BATCHFILE"

295

290

296

291

if tty --quiet; then

297

292

echo -n "Finished: "

298

293

date

299

294

300

295

301

296

# Backup any old key files

302

297

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

303

298

2>/dev/null; then

304

shred --remove "$SECKEYFILE"

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

305

300

306

301

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

307

302

2>/dev/null; then

308

303

rm --force "$PUBKEYFILE"

309

304

310

305

311

306

FILECOMMENT="Mandos client key for $KEYNAME"

312

307

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

313

308

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

314

309

315

310

316

311

if [ -n "$KEYEMAIL" ]; then

317

312

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

318

313

319

314

320

315

# Export key from key rings to key files

321

316

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

322

317

--homedir "$RINGDIR" --armor --export-options export-minimal \

328

323

329

324

330

325

if [ "$mode" = password ]; then

331

326

332

327

# Make SSH be 0 or 1

333

328

case "$SSH" in

334

329

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

335

330

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

336

331

esac

337

332

338

333

if [ $SSH -eq 1 ]; then

339

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

340

set +e

341

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

342

err=$?

343

set -e

344

if [ $err -ne 0 ]; then

345

ssh_fingerprint=""

346

continue

347

348

if [ -n "$ssh_fingerprint" ]; then

349

ssh_fingerprint="${ssh_fingerprint#localhost }"

350

break

351

334

# The -q option is new in OpenSSH 9.8

335

for ssh_keyscan_quiet in "-q " ""; do

336

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

337

set +e

338

ssh_fingerprint="`ssh-keyscan ${ssh_keyscan_quiet}-t $ssh_keytype localhost 2>/dev/null`"

339

err=$?

340

set -e

341

if [ $err -ne 0 ]; then

342

ssh_fingerprint=""

343

continue

344

345

if [ -n "$ssh_fingerprint" ]; then

346

ssh_fingerprint="${ssh_fingerprint#localhost }"

347

break 2

348

349

done

352

350

done

353

351

354

352

355

353

# Import key into temporary key rings

356

354

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

357

355

--homedir "$RINGDIR" --trust-model always --armor \

359

357

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

360

358

--homedir "$RINGDIR" --trust-model always --armor \

361

359

--import "$PUBKEYFILE"

362

360

363

361

# Get fingerprint of key

364

362

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

365

363

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

366

364

--fingerprint --with-colons \

367

365

| sed --quiet \

368

366

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

369

367

370

368

test -n "$FINGERPRINT"

371

372

KEY_ID="$(certtool --key-id --hash=sha256 \

369

370

if [ -r "$TLS_PUBKEYFILE" ]; then

371

KEY_ID="$(certtool --key-id --hash=sha256 \

373

372

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

374

373

375

if [ -z "$KEY_ID" ]; then

376

KEY_ID=$(openssl pkey -pubin -in /tmp/tls-pubkey.pem \

377

-outform der \

378

| openssl sha256 \

379

| sed --expression='s/^.*[^[:xdigit:]]//')

374

if [ -z "$KEY_ID" ]; then

375

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

376

-outform der \

377

| openssl sha256 \

378

| sed --expression='s/^.*[^[:xdigit:]]//')

379

380

test -n "$KEY_ID"

380

381

test -n "$KEY_ID"

382

383

FILECOMMENT="Encrypted password for a Mandos client"

384

385

while [ ! -s "$SECFILE" ]; do

386

if [ -n "$PASSFILE" ]; then

387

cat "$PASSFILE"

387

cat -- "$PASSFILE"

388

else

389

tty --quiet && stty -echo

390

echo -n "Enter passphrase: " >/dev/tty

400

echo "Passphrase mismatch" >&2

401

touch "$RINGDIR"/mismatch

402

else

403

echo -n "$first"

403

printf "%s" "$first"

404

405

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

406

--homedir "$RINGDIR" --trust-model always --armor \

415

416

417

done

418

419

cat <<-EOF

420

[$KEYNAME]

421

host = $KEYNAME

422

key_id = $KEY_ID

422

EOF

423

if [ -n "$KEY_ID" ]; then

424

echo "key_id = $KEY_ID"

425

426

cat <<-EOF

423

427

fingerprint = $FINGERPRINT

424

428

secret =

425

429

EOF

433

437

}

434

438

}' < "$SECFILE"

435

439

if [ -n "$ssh_fingerprint" ]; then

436

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

440

echo 'checker = ssh-keyscan '"$ssh_keyscan_quiet"'-t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

437

441

echo "ssh_fingerprint = ${ssh_fingerprint}"

438

442

439

443

447

set +e

444

448

# Remove the password file, if any

445

449

if [ -n "$SECFILE" ]; then

446

shred --remove "$SECFILE"

450

shred --remove "$SECFILE" 2>/dev/null

447

451

448

452

# Remove the key rings

449

453

shred --remove "$RINGDIR"/sec* 2>/dev/null

Older »