/mandos/trunk : revision 723.1.1

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2014-07-25 22:44:20 UTC
mto: This revision was merged to the branch mainline in revision 724.
Revision ID: teddy@recompile.se-20140725224420-4a5ct2ptt0hsc92z

Require Python 2.7.

This is in preparation for the eventual move to Python 3, which will
happen as soon as all Python modules required by Mandos are available.
The mandos-ctl and mandos-monitor programs are already portable
between Python 2.6 and Python 3 without changes; this change will
bring the requirement up to Python 2.7.

* INSTALL (Prerequisites/Libraries/Mandos Server): Document
                                                   requirement of
                                                   Python 2.7; remove
                                                   Python-argparse
                                                   which is in the
                                                   Python 2.7 standard
                                                   library.
* debian/control (Source: mandos/Build-Depends-Indep): Depend on
                                                       exactly the
                                                       python2.7
                                                       package and all
                                                       the Python 2.7
                                                       versions of the
                                                       python modules.
  (Package: mandos/Depends): - '' - but still depend on python (<=2.7)
                            and the generic versions of the Python
                            modules; this is for mandos-ctl and
                            mandos-monitor, both of which are
                            compatible with Python 3, and use
                            #!/usr/bin/python.
* mandos: Use #!/usr/bin/python2.7 instead of #!/usr/bin/python.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
network-protocol.txt

files renamed:
mandos-client.c => plugin-runner.c

mandos-client.xml => plugin-runner.xml

plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

mandos

mandos-clients.conf.xml

mandos-keygen

mandos.conf

mandos.conf.xml

mandos.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.0"

VERSION="1.6.7"

KEYDIR="/etc/mandos"

KEYTYPE=DSA

KEYLENGTH=1024

KEYNAME="`hostname --fqdn`"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT="Mandos client key"

KEYCOMMENT=""

KEYEXPIRE=0

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

if [ ! -d "$KEYDIR" ]; then

KEYDIR="/etc/mandos/keys"

# Parse options

TEMP=`getopt --options vhd:t:l:n:e:c:x:f \

--longoptions version,help,dir:,type:,length:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

cat <<EOF

Usage: `basename $0` [options]

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

Key creation:

$basename [ OPTIONS ]

Encrypted password creation:

$basename { -p | --password } [ --name NAME ] [ --dir DIR]

$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]

Options:

Key creation options:

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is DSA.

-t TYPE, --type TYPE Key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 1024.

Key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e EMAIL, --email EMAIL

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

-c COMMENT, --comment COMMENT

Comment field for key. The default value is

"Mandos client key".

-c TEXT, --comment TEXT

Comment field for key. The default is empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

See gpg(1) for syntax.

-f, --force Force overwriting old keys.

-f, --force Force overwriting old key files.

Password creation options:

-p, --password Create an encrypted password using the key in

the key directory. All options other than

--dir and --name are ignored.

-F FILE, --passfile FILE

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

eval set -- "$TEMP"

while :; do

case "$1" in

-p|--password) mode=password; shift;;

-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;

-d|--dir) KEYDIR="$2"; shift 2;;

-t|--type) KEYTYPE="$2"; shift 2;;

100

-s|--subtype) SUBKEYTYPE="$2"; shift 2;;

101

-l|--length) KEYLENGTH="$2"; shift 2;;

102

-L|--sublength) SUBKEYLENGTH="$2"; shift 2;;

103

-n|--name) KEYNAME="$2"; shift 2;;

104

-e|--email) KEYEMAIL="$2"; shift 2;;

105

-c|--comment) KEYCOMMENT="$2"; shift 2;;

-x|--expire) KEYCOMMENT="$2"; shift 2;;

106

-x|--expire) KEYEXPIRE="$2"; shift 2;;

107

-f|--force) FORCE=yes; shift;;

108

-S|--no-ssh) SSH=no; shift;;

109

-v|--version) echo "$0 $VERSION"; exit;;

110

-h|--help) help; exit;;

111

--) shift; break;;

121

PUBKEYFILE="$KEYDIR/pubkey.txt"

122

123

# Check for some invalid values

if [ -d "$KEYDIR" ]; then :; else

124

if [ ! -d "$KEYDIR" ]; then

125

echo "$KEYDIR not a directory" >&2

126

exit 1

127

if [ -w "$KEYDIR" ]; then :; else

echo "Directory $KEYDIR not writeable" >&2

exit 1

if [ -z "$KEYTYPE" ]; then

100

echo "Empty key type" >&2

101

exit 1

102

103

104

if [ -z "$KEYNAME" ]; then

105

echo "Empty key name" >&2

106

exit 1

107

108

109

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

110

echo "Invalid key length" >&2

111

exit 1

112

113

114

if [ -z "$KEYEXPIRE" ]; then

115

echo "Empty key expiration" >&2

116

exit 1

117

118

119

# Make FORCE be 0 or 1

120

case "$FORCE" in

121

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

122

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

123

esac

124

125

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \

126

&& [ "$FORCE" -eq 0 ]; then

127

echo "Refusing to overwrite old key files; use --force" >&2

128

exit 1

129

130

131

# Set lines for GnuPG batch file

132

if [ -n "$KEYCOMMENT" ]; then

133

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

134

135

if [ -n "$KEYEMAIL" ]; then

136

KEYEMAILLINE="Name-Email: $KEYEMAIL"

137

138

139

# Create temp files

140

BATCHFILE="`mktemp -t mandos-gpg-batch.XXXXXXXXXX`"

141

SECRING="`mktemp -t mandos-gpg-secring.XXXXXXXXXX`"

142

PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`"

128

if [ ! -r "$KEYDIR" ]; then

129

echo "Directory $KEYDIR not readable" >&2

130

exit 1

131

132

133

if [ "$mode" = keygen ]; then

134

if [ ! -w "$KEYDIR" ]; then

135

echo "Directory $KEYDIR not writeable" >&2

136

exit 1

137

138

if [ -z "$KEYTYPE" ]; then

139

echo "Empty key type" >&2

140

exit 1

141

142

143

if [ -z "$KEYNAME" ]; then

144

echo "Empty key name" >&2

145

exit 1

146

147

148

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

149

echo "Invalid key length" >&2

150

exit 1

151

152

153

if [ -z "$KEYEXPIRE" ]; then

154

echo "Empty key expiration" >&2

155

exit 1

156

157

158

# Make FORCE be 0 or 1

159

case "$FORCE" in

160

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

161

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

162

esac

163

164

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

165

-a "$FORCE" -eq 0 ]; then

166

echo "Refusing to overwrite old key files; use --force" >&2

167

exit 1

168

169

170

# Set lines for GnuPG batch file

171

if [ -n "$KEYCOMMENT" ]; then

172

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

173

174

if [ -n "$KEYEMAIL" ]; then

175

KEYEMAILLINE="Name-Email: $KEYEMAIL"

176

177

178

# Create temporary gpg batch file

179

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

180

181

182

if [ "$mode" = password ]; then

183

# Create temporary encrypted password file

184

SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`"

185

186

187

# Create temporary key ring directory

188

RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`"

143

189

144

190

# Remove temporary files on exit

145

trap "rm --force $PUBRING $BATCHFILE; shred --remove $SECRING" EXIT

146

147

# Create batch file for GnuPG

148

cat >"$BATCHFILE" <<EOF

149

Key-Type: $KEYTYPE

150

Key-Length: $KEYLENGTH

151

#Key-Usage: encrypt,sign,auth

152

Name-Real: $KEYNAME

153

$KEYCOMMENTLINE

154

$KEYEMAILLINE

155

Expire-Date: $KEYEXPIRE

156

%pubring $PUBRING

157

%secring $SECRING

158

%commit

159

EOF

160

161

umask 027

162

163

# Generate a new key in the key rings

164

gpg --no-random-seed-file --quiet --batch --no-tty \

165

--no-default-keyring --no-options --batch \

166

--secret-keyring "$SECRING" --keyring "$PUBRING" \

167

--gen-key "$BATCHFILE"

168

rm --force "$BATCHFILE"

169

170

# Backup any old key files

171

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

172

2>/dev/null; then

173

shred --remove "$SECKEYFILE"

174

175

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

176

2>/dev/null; then

177

rm --force "$PUBKEYFILE"

178

179

180

FILECOMMENT="Mandos client key for $KEYNAME"

181

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

182

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

183

184

185

if [ -n "$KEYEMAIL" ]; then

186

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

187

188

189

# Export keys from key rings to key files

190

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

191

--no-default-keyring --secret-keyring "$SECRING" \

192

--keyring "$PUBRING" --export-options export-minimal \

193

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

194

--export-secret-keys

195

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

196

--no-default-keyring --secret-keyring "$SECRING" \

197

--keyring "$PUBRING" --export-options export-minimal \

198

--comment "$FILECOMMENT" --output "$PUBKEYFILE" \

199

--export

191

trap "

192

set +e; \

193

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

194

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

195

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

196

rm --recursive --force \"$RINGDIR\";

197

tty --quiet && stty echo; \

198

" EXIT

199

200

set -e

201

202

umask 077

203

204

if [ "$mode" = keygen ]; then

205

# Create batch file for GnuPG

206

cat >"$BATCHFILE" <<-EOF

207

Key-Type: $KEYTYPE

208

Key-Length: $KEYLENGTH

209

Key-Usage: sign,auth

210

Subkey-Type: $SUBKEYTYPE

211

Subkey-Length: $SUBKEYLENGTH

212

Subkey-Usage: encrypt

213

Name-Real: $KEYNAME

214

$KEYCOMMENTLINE

215

$KEYEMAILLINE

216

Expire-Date: $KEYEXPIRE

217

#Preferences: <string>

218

#Handle: <no-spaces>

219

#%pubring pubring.gpg

220

#%secring secring.gpg

221

%commit

222

EOF

223

224

if tty --quiet; then

225

cat <<-EOF

226

Note: Due to entropy requirements, key generation could take

227

anything from a few minutes to SEVERAL HOURS. Please be

228

patient and/or supply the system with more entropy if needed.

229

EOF

230

echo -n "Started: "

231

date

232

233

234

# Make sure trustdb.gpg exists;

235

# this is a workaround for Debian bug #737128

236

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

237

--homedir "$RINGDIR" \

238

--import-ownertrust < /dev/null

239

# Generate a new key in the key rings

240

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

241

--homedir "$RINGDIR" --trust-model always \

242

--gen-key "$BATCHFILE"

243

rm --force "$BATCHFILE"

244

245

if tty --quiet; then

246

echo -n "Finished: "

247

date

248

249

250

# Backup any old key files

251

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

252

2>/dev/null; then

253

shred --remove "$SECKEYFILE"

254

255

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

256

2>/dev/null; then

257

rm --force "$PUBKEYFILE"

258

259

260

FILECOMMENT="Mandos client key for $KEYNAME"

261

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

262

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

263

264

265

if [ -n "$KEYEMAIL" ]; then

266

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

267

268

269

# Export key from key rings to key files

270

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

271

--homedir "$RINGDIR" --armor --export-options export-minimal \

272

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

273

--export-secret-keys

274

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

275

--homedir "$RINGDIR" --armor --export-options export-minimal \

276

--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export

277

278

279

if [ "$mode" = password ]; then

280

281

# Make SSH be 0 or 1

282

case "$SSH" in

283

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

284

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

285

esac

286

287

if [ $SSH -eq 1 ]; then

288

set +e

289

ssh_fingerprint="`ssh-keyscan localhost 2>/dev/null`"

290

if [ $? -ne 0 ]; then

291

ssh_fingerprint=""

292

293

set -e

294

ssh_fingerprint="${ssh_fingerprint#localhost }"

295

296

297

# Import key into temporary key rings

298

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

299

--homedir "$RINGDIR" --trust-model always --armor \

300

--import "$SECKEYFILE"

301

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

302

--homedir "$RINGDIR" --trust-model always --armor \

303

--import "$PUBKEYFILE"

304

305

# Get fingerprint of key

306

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

307

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

308

--fingerprint --with-colons \

309

| sed --quiet \

310

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

311

312

test -n "$FINGERPRINT"

313

314

FILECOMMENT="Encrypted password for a Mandos client"

315

316

while [ ! -s "$SECFILE" ]; do

317

if [ -n "$PASSFILE" ]; then

318

cat "$PASSFILE"

319

else

320

tty --quiet && stty -echo

321

echo -n "Enter passphrase: " >&2

322

read first

323

tty --quiet && echo >&2

324

echo -n "Repeat passphrase: " >&2

325

read second

326

if tty --quiet; then

327

echo >&2

328

stty echo

329

330

if [ "$first" != "$second" ]; then

331

echo "Passphrase mismatch" >&2

332

touch "$RINGDIR"/mismatch

333

else

334

echo -n "$first"

335

336

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

337

--homedir "$RINGDIR" --trust-model always --armor \

338

--encrypt --sign --recipient "$FINGERPRINT" --comment \

339

"$FILECOMMENT" > "$SECFILE"

340

if [ -e "$RINGDIR"/mismatch ]; then

341

rm --force "$RINGDIR"/mismatch

342

if tty --quiet; then

343

> "$SECFILE"

344

else

345

exit 1

346

347

348

done

349

350

cat <<-EOF

351

[$KEYNAME]

352

host = $KEYNAME

353

fingerprint = $FINGERPRINT

354

secret =

355

EOF

356

sed --quiet --expression='

357

/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{

358

/^$/,${

359

# Remove 24-bit Radix-64 checksum

360

s/=....$//

361

# Indent four spaces

362

/^[^-]/s/^/ /p

363

}

364

}' < "$SECFILE"

365

if [ -n "$ssh_fingerprint" ]; then

366

echo 'checker = ssh-keyscan %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp="%%(host)s %(ssh_fingerprint)s"'

367

echo "ssh_fingerprint = ${ssh_fingerprint}"

368

369

200

370

201

371

trap - EXIT

202

372

373

set +e

374

# Remove the password file, if any

375

if [ -n "$SECFILE" ]; then

376

shred --remove "$SECFILE"

377

203

378

# Remove the key rings

204

shred --remove "$SECRING"

205

rm --force "$PUBRING"

379

shred --remove "$RINGDIR"/sec* 2>/dev/null

380

rm --recursive --force "$RINGDIR"

Older »