/mandos/trunk : revision 777

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
etc-plugins.d-README

plugins.d/usplash

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.0"

VERSION="1.6.9"

KEYDIR="/etc/keys/mandos"

KEYTYPE=DSA

KEYLENGTH=2048

SUBKEYTYPE=ELG-E

SUBKEYLENGTH=2048

KEYNAME="`hostname --fqdn`"

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT="Mandos client key"

KEYCOMMENT=""

KEYEXPIRE=0

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

if [ ! -d "$KEYDIR" ]; then

KEYDIR="/etc/mandos/keys"

# Parse options

TEMP=`getopt --options vhd:t:l:n:e:c:x:f \

--longoptions version,help,password,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

$basename [ OPTIONS ]

Encrypted password creation:

$basename { -p | --password } [ --name NAME ] [ --dir DIR]

$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]

Key creation options:

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is DSA.

-t TYPE, --type TYPE Key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 2048.

Key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is ELG-E.

Subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 2048.

Subkey length in bits. Default is 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

-c TEXT, --comment TEXT

Comment field for key. The default value is

"Mandos client key".

Comment field for key. The default is empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

See gpg(1) for syntax.

-f, --force Force overwriting old keys.

-f, --force Force overwriting old key files.

Password creation options:

-p, --password Create an encrypted password using the keys in

the key directory. All options other than

--dir and --name are ignored.

-p, --password Create an encrypted password using the key in

the key directory. All options other than

--dir and --name are ignored.

-F FILE, --passfile FILE

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

while :; do

case "$1" in

-p|--password) mode=password; shift;;

-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;

-d|--dir) KEYDIR="$2"; shift 2;;

-t|--type) KEYTYPE="$2"; shift 2;;

100

-s|--subtype) SUBKEYTYPE="$2"; shift 2;;

105

-c|--comment) KEYCOMMENT="$2"; shift 2;;

106

-x|--expire) KEYEXPIRE="$2"; shift 2;;

107

-f|--force) FORCE=yes; shift;;

108

-S|--no-ssh) SSH=no; shift;;

109

-v|--version) echo "$0 $VERSION"; exit;;

110

-h|--help) help; exit;;

111

--) shift; break;;

100

113

esac

101

114

done

102

115

if [ "$#" -gt 0 ]; then

103

echo "Unknown arguments: '$@'" >&2

116

echo "Unknown arguments: '$*'" >&2

104

117

exit 1

105

118

106

119

136

149

echo "Invalid key length" >&2

137

150

exit 1

138

151

139

152

140

153

if [ -z "$KEYEXPIRE" ]; then

141

154

echo "Empty key expiration" >&2

142

155

exit 1

161

174

if [ -n "$KEYEMAIL" ]; then

162

175

KEYEMAILLINE="Name-Email: $KEYEMAIL"

163

176

164

177

165

178

# Create temporary gpg batch file

166

179

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

167

180

178

191

trap "

179

192

set +e; \

180

193

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

181

shred --remove \"$RINGDIR\"/sec*;

194

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

182

195

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

183

196

rm --recursive --force \"$RINGDIR\";

184

stty echo; \

197

tty --quiet && stty echo; \

185

198

" EXIT

186

199

200

set -e

201

187

202

umask 077

188

203

189

204

if [ "$mode" = keygen ]; then

191

206

cat >"$BATCHFILE" <<-EOF

192

207

Key-Type: $KEYTYPE

193

208

Key-Length: $KEYLENGTH

194

#Key-Usage: encrypt,sign,auth

209

Key-Usage: sign,auth

195

210

Subkey-Type: $SUBKEYTYPE

196

211

Subkey-Length: $SUBKEYLENGTH

197

#Subkey-Usage: encrypt,sign,auth

212

Subkey-Usage: encrypt

198

213

Name-Real: $KEYNAME

199

214

$KEYCOMMENTLINE

200

215

$KEYEMAILLINE

206

221

%commit

207

222

EOF

208

223

224

if tty --quiet; then

225

cat <<-EOF

226

Note: Due to entropy requirements, key generation could take

227

anything from a few minutes to SEVERAL HOURS. Please be

228

patient and/or supply the system with more entropy if needed.

229

EOF

230

echo -n "Started: "

231

date

232

233

234

# Make sure trustdb.gpg exists;

235

# this is a workaround for Debian bug #737128

236

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

237

--homedir "$RINGDIR" \

238

--import-ownertrust < /dev/null

209

239

# Generate a new key in the key rings

210

240

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

211

241

--homedir "$RINGDIR" --trust-model always \

212

242

--gen-key "$BATCHFILE"

213

243

rm --force "$BATCHFILE"

214

244

245

if tty --quiet; then

246

echo -n "Finished: "

247

date

248

249

215

250

# Backup any old key files

216

251

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

217

252

2>/dev/null; then

231

266

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

232

267

233

268

234

# Export keys from key rings to key files

269

# Export key from key rings to key files

235

270

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

236

271

--homedir "$RINGDIR" --armor --export-options export-minimal \

237

272

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

242

277

243

278

244

279

if [ "$mode" = password ]; then

245

# Import keys into temporary key rings

280

281

# Make SSH be 0 or 1

282

case "$SSH" in

283

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

284

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

285

esac

286

287

if [ $SSH -eq 1 ]; then

288

for ssh_keytype in ed25519 rsa; do

289

set +e

290

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

291

set -e

292

if [ $? -ne 0 ]; then

293

ssh_fingerprint=""

294

continue

295

296

if [ -n "$ssh_fingerprint" ]; then

297

ssh_fingerprint="${ssh_fingerprint#localhost }"

298

break

299

300

done

301

302

303

# Import key into temporary key rings

246

304

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

247

305

--homedir "$RINGDIR" --trust-model always --armor \

248

306

--import "$SECKEYFILE"

252

310

253

311

# Get fingerprint of key

254

312

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

255

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

313

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

256

314

--fingerprint --with-colons \

257

315

| sed --quiet \

258

316

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

261

319

262

320

FILECOMMENT="Encrypted password for a Mandos client"

263

321

264

stty -echo

265

echo -n "Enter passphrase: " >&2

266

head --lines=1 | tr --delete '\n' \

267

| gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

268

--homedir "$RINGDIR" --trust-model always --armor --encrypt \

269

--recipient "$FINGERPRINT" --comment "$FILECOMMENT" \

270

> "$SECFILE"

271

echo >&2

272

stty echo

322

while [ ! -s "$SECFILE" ]; do

323

if [ -n "$PASSFILE" ]; then

324

cat "$PASSFILE"

325

else

326

tty --quiet && stty -echo

327

echo -n "Enter passphrase: " >&2

328

read first

329

tty --quiet && echo >&2

330

echo -n "Repeat passphrase: " >&2

331

read second

332

if tty --quiet; then

333

echo >&2

334

stty echo

335

336

if [ "$first" != "$second" ]; then

337

echo "Passphrase mismatch" >&2

338

touch "$RINGDIR"/mismatch

339

else

340

echo -n "$first"

341

342

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

343

--homedir "$RINGDIR" --trust-model always --armor \

344

--encrypt --sign --recipient "$FINGERPRINT" --comment \

345

"$FILECOMMENT" > "$SECFILE"

346

if [ -e "$RINGDIR"/mismatch ]; then

347

rm --force "$RINGDIR"/mismatch

348

if tty --quiet; then

349

> "$SECFILE"

350

else

351

exit 1

352

353

354

done

273

355

274

356

cat <<-EOF

275

357

[$KEYNAME]

276

358

host = $KEYNAME

277

359

fingerprint = $FINGERPRINT

278

360

secret =

279

EOF

361

EOF

280

362

sed --quiet --expression='

281

363

/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{

282

364

/^$/,${

286

368

/^[^-]/s/^/ /p

287

369

}

288

370

}' < "$SECFILE"

371

if [ -n "$ssh_fingerprint" ]; then

372

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

373

echo "ssh_fingerprint = ${ssh_fingerprint}"

374

289

375

290

376

291

377

trap - EXIT

296

382

shred --remove "$SECFILE"

297

383

298

384

# Remove the key rings

299

shred --remove "$RINGDIR"/sec*

385

shred --remove "$RINGDIR"/sec* 2>/dev/null

300

386

rm --recursive --force "$RINGDIR"

Older »