/mandos/trunk : revision 777

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

files added:
DBUS-API

dbus-mandos.conf

debian/mandos-client.examples

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/plymouth.c

plugins.d/plymouth.xml

files removed:
debian/mandos-client.config

debian/mandos-client.templates

debian/mandos.config

debian/mandos.templates

debian/po/POTFILES.in

debian/po/sv.po

files modified:
.bzrignore

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.0.2"

VERSION="1.6.9"

KEYDIR="/etc/keys/mandos"

KEYTYPE=DSA

KEYLENGTH=2048

SUBKEYTYPE=ELG-E

SUBKEYLENGTH=2048

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT="Mandos client key"

KEYCOMMENT=""

KEYEXPIRE=0

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:f \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is DSA.

-t TYPE, --type TYPE Key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 2048.

Key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is ELG-E.

Subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 2048.

Subkey length in bits. Default is 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

-c TEXT, --comment TEXT

Comment field for key. The default value is

"Mandos client key".

Comment field for key. The default is empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

See gpg(1) for syntax.

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

103

105

-c|--comment) KEYCOMMENT="$2"; shift 2;;

104

106

-x|--expire) KEYEXPIRE="$2"; shift 2;;

105

107

-f|--force) FORCE=yes; shift;;

108

-S|--no-ssh) SSH=no; shift;;

106

109

-v|--version) echo "$0 $VERSION"; exit;;

107

110

-h|--help) help; exit;;

108

111

--) shift; break;;

110

113

esac

111

114

done

112

115

if [ "$#" -gt 0 ]; then

113

echo "Unknown arguments: '$@'" >&2

116

echo "Unknown arguments: '$*'" >&2

114

117

exit 1

115

118

116

119

146

149

echo "Invalid key length" >&2

147

150

exit 1

148

151

149

152

150

153

if [ -z "$KEYEXPIRE" ]; then

151

154

echo "Empty key expiration" >&2

152

155

exit 1

171

174

if [ -n "$KEYEMAIL" ]; then

172

175

KEYEMAILLINE="Name-Email: $KEYEMAIL"

173

176

174

177

175

178

# Create temporary gpg batch file

176

179

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

177

180

188

191

trap "

189

192

set +e; \

190

193

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

191

shred --remove \"$RINGDIR\"/sec*;

194

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

192

195

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

193

196

rm --recursive --force \"$RINGDIR\";

194

stty echo; \

197

tty --quiet && stty echo; \

195

198

" EXIT

196

199

200

set -e

201

197

202

umask 077

198

203

199

204

if [ "$mode" = keygen ]; then

201

206

cat >"$BATCHFILE" <<-EOF

202

207

Key-Type: $KEYTYPE

203

208

Key-Length: $KEYLENGTH

204

#Key-Usage: encrypt,sign,auth

209

Key-Usage: sign,auth

205

210

Subkey-Type: $SUBKEYTYPE

206

211

Subkey-Length: $SUBKEYLENGTH

207

#Subkey-Usage: encrypt,sign,auth

212

Subkey-Usage: encrypt

208

213

Name-Real: $KEYNAME

209

214

$KEYCOMMENTLINE

210

215

$KEYEMAILLINE

216

221

%commit

217

222

EOF

218

223

224

if tty --quiet; then

225

cat <<-EOF

226

Note: Due to entropy requirements, key generation could take

227

anything from a few minutes to SEVERAL HOURS. Please be

228

patient and/or supply the system with more entropy if needed.

229

EOF

230

echo -n "Started: "

231

date

232

233

234

# Make sure trustdb.gpg exists;

235

# this is a workaround for Debian bug #737128

236

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

237

--homedir "$RINGDIR" \

238

--import-ownertrust < /dev/null

219

239

# Generate a new key in the key rings

220

240

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

221

241

--homedir "$RINGDIR" --trust-model always \

222

242

--gen-key "$BATCHFILE"

223

243

rm --force "$BATCHFILE"

224

244

245

if tty --quiet; then

246

echo -n "Finished: "

247

date

248

249

225

250

# Backup any old key files

226

251

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

227

252

2>/dev/null; then

252

277

253

278

254

279

if [ "$mode" = password ]; then

280

281

# Make SSH be 0 or 1

282

case "$SSH" in

283

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

284

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

285

esac

286

287

if [ $SSH -eq 1 ]; then

288

for ssh_keytype in ed25519 rsa; do

289

set +e

290

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

291

set -e

292

if [ $? -ne 0 ]; then

293

ssh_fingerprint=""

294

continue

295

296

if [ -n "$ssh_fingerprint" ]; then

297

ssh_fingerprint="${ssh_fingerprint#localhost }"

298

break

299

300

done

301

302

255

303

# Import key into temporary key rings

256

304

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

257

305

--homedir "$RINGDIR" --trust-model always --armor \

262

310

263

311

# Get fingerprint of key

264

312

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

265

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

313

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

266

314

--fingerprint --with-colons \

267

315

| sed --quiet \

268

316

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

271

319

272

320

FILECOMMENT="Encrypted password for a Mandos client"

273

321

274

if [ -n "$PASSFILE" ]; then

275

cat "$PASSFILE"

276

else

277

stty -echo

278

echo -n "Enter passphrase: " >&2

279

first="$(head --lines=1 | tr --delete '\n')"

280

echo -n -e "\nRepeat passphrase: " >&2

281

second="$(head --lines=1 | tr --delete '\n')"

282

echo >&2

283

stty echo

284

if [ "$first" != "$second" ]; then

285

echo -e "Passphrase mismatch" >&2

286

false

322

while [ ! -s "$SECFILE" ]; do

323

if [ -n "$PASSFILE" ]; then

324

cat "$PASSFILE"

287

325

else

288

echo -n "$first"

326

tty --quiet && stty -echo

327

echo -n "Enter passphrase: " >&2

328

read first

329

tty --quiet && echo >&2

330

echo -n "Repeat passphrase: " >&2

331

read second

332

if tty --quiet; then

333

echo >&2

334

stty echo

335

336

if [ "$first" != "$second" ]; then

337

echo "Passphrase mismatch" >&2

338

touch "$RINGDIR"/mismatch

339

else

340

echo -n "$first"

341

342

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

343

--homedir "$RINGDIR" --trust-model always --armor \

344

--encrypt --sign --recipient "$FINGERPRINT" --comment \

345

"$FILECOMMENT" > "$SECFILE"

346

if [ -e "$RINGDIR"/mismatch ]; then

347

rm --force "$RINGDIR"/mismatch

348

if tty --quiet; then

349

> "$SECFILE"

350

else

351

exit 1

352

289

353

290

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

291

--homedir "$RINGDIR" --trust-model always --armor --encrypt \

292

--sign --recipient "$FINGERPRINT" --comment "$FILECOMMENT" \

293

> "$SECFILE"

294

status="${PIPESTATUS[0]}"

295

if [ "$status" -ne 0 ]; then

296

exit "$status"

297

354

done

298

355

299

356

cat <<-EOF

300

357

[$KEYNAME]

311

368

/^[^-]/s/^/ /p

312

369

}

313

370

}' < "$SECFILE"

371

if [ -n "$ssh_fingerprint" ]; then

372

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

373

echo "ssh_fingerprint = ${ssh_fingerprint}"

374

314

375

315

376

316

377

trap - EXIT

321

382

shred --remove "$SECFILE"

322

383

323

384

# Remove the key rings

324

shred --remove "$RINGDIR"/sec*

385

shred --remove "$RINGDIR"/sec* 2>/dev/null

325

386

rm --recursive --force "$RINGDIR"

Older »