/mandos/trunk : revision 777

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.0"

VERSION="1.6.9"

KEYDIR="/etc/mandos"

KEYTYPE=DSA

KEYLENGTH=1024

SUBKEYTYPE=ELG-E

SUBKEYLENGTH=2048

KEYNAME="`hostname --fqdn`"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT="Mandos client key"

KEYCOMMENT=""

KEYEXPIRE=0

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

if [ ! -d "$KEYDIR" ]; then

KEYDIR="/etc/mandos/keys"

# Parse options

TEMP=`getopt --options vhd:t:l:n:e:c:x:f \

--longoptions version,help,dir:,type:,length:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename "$0"`"

cat <<EOF

Usage: `basename $0` [options]

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

Key creation:

$basename [ OPTIONS ]

Encrypted password creation:

$basename { -p | --password } [ --name NAME ] [ --dir DIR]

$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]

Options:

Key creation options:

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is DSA.

-t TYPE, --type TYPE Key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 1024.

Key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is ELG-E.

Subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 2048.

Subkey length in bits. Default is 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e EMAIL, --email EMAIL

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

-c COMMENT, --comment COMMENT

Comment field for key. The default value is

"Mandos client key".

-c TEXT, --comment TEXT

Comment field for key. The default is empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

See gpg(1) for syntax.

-f, --force Force overwriting old keys.

-f, --force Force overwriting old key files.

Password creation options:

-p, --password Create an encrypted password using the key in

the key directory. All options other than

--dir and --name are ignored.

-F FILE, --passfile FILE

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

eval set -- "$TEMP"

while :; do

case "$1" in

-p|--password) mode=password; shift;;

-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;

-d|--dir) KEYDIR="$2"; shift 2;;

-t|--type) KEYTYPE="$2"; shift 2;;

100

-s|--subtype) SUBKEYTYPE="$2"; shift 2;;

105

-c|--comment) KEYCOMMENT="$2"; shift 2;;

106

-x|--expire) KEYEXPIRE="$2"; shift 2;;

107

-f|--force) FORCE=yes; shift;;

108

-S|--no-ssh) SSH=no; shift;;

109

-v|--version) echo "$0 $VERSION"; exit;;

110

-h|--help) help; exit;;

111

--) shift; break;;

113

esac

114

done

115

if [ "$#" -gt 0 ]; then

echo "Unknown arguments: '$@'" >&2

116

echo "Unknown arguments: '$*'" >&2

117

exit 1

118

119

121

PUBKEYFILE="$KEYDIR/pubkey.txt"

122

123

# Check for some invalid values

if [ -d "$KEYDIR" ]; then :; else

124

if [ ! -d "$KEYDIR" ]; then

125

echo "$KEYDIR not a directory" >&2

100

126

exit 1

101

127

102

if [ -w "$KEYDIR" ]; then :; else

103

echo "Directory $KEYDIR not writeable" >&2

104

exit 1

105

106

107

if [ -z "$KEYTYPE" ]; then

108

echo "Empty key type" >&2

109

exit 1

110

111

112

if [ -z "$KEYNAME" ]; then

113

echo "Empty key name" >&2

114

exit 1

115

116

117

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

118

echo "Invalid key length" >&2

119

exit 1

120

121

122

if [ -z "$KEYEXPIRE" ]; then

123

echo "Empty key expiration" >&2

124

exit 1

125

126

127

# Make FORCE be 0 or 1

128

case "$FORCE" in

129

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

130

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

131

esac

132

133

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \

134

&& [ "$FORCE" -eq 0 ]; then

135

echo "Refusing to overwrite old key files; use --force" >&2

136

exit 1

137

138

139

# Set lines for GnuPG batch file

140

if [ -n "$KEYCOMMENT" ]; then

141

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

142

143

if [ -n "$KEYEMAIL" ]; then

144

KEYEMAILLINE="Name-Email: $KEYEMAIL"

145

146

147

# Create temp files

148

BATCHFILE="`mktemp -t mandos-gpg-batch.XXXXXXXXXX`"

149

SECRING="`mktemp -t mandos-gpg-secring.XXXXXXXXXX`"

150

PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`"

128

if [ ! -r "$KEYDIR" ]; then

129

echo "Directory $KEYDIR not readable" >&2

130

exit 1

131

132

133

if [ "$mode" = keygen ]; then

134

if [ ! -w "$KEYDIR" ]; then

135

echo "Directory $KEYDIR not writeable" >&2

136

exit 1

137

138

if [ -z "$KEYTYPE" ]; then

139

echo "Empty key type" >&2

140

exit 1

141

142

143

if [ -z "$KEYNAME" ]; then

144

echo "Empty key name" >&2

145

exit 1

146

147

148

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

149

echo "Invalid key length" >&2

150

exit 1

151

152

153

if [ -z "$KEYEXPIRE" ]; then

154

echo "Empty key expiration" >&2

155

exit 1

156

157

158

# Make FORCE be 0 or 1

159

case "$FORCE" in

160

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

161

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

162

esac

163

164

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

165

-a "$FORCE" -eq 0 ]; then

166

echo "Refusing to overwrite old key files; use --force" >&2

167

exit 1

168

169

170

# Set lines for GnuPG batch file

171

if [ -n "$KEYCOMMENT" ]; then

172

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

173

174

if [ -n "$KEYEMAIL" ]; then

175

KEYEMAILLINE="Name-Email: $KEYEMAIL"

176

177

178

# Create temporary gpg batch file

179

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

180

181

182

if [ "$mode" = password ]; then

183

# Create temporary encrypted password file

184

SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`"

185

186

187

# Create temporary key ring directory

188

RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`"

151

189

152

190

# Remove temporary files on exit

153

191

trap "

154

192

set +e; \

155

rm --force $PUBRING $BATCHFILE; \

156

shred --remove $SECRING; \

157

stty echo; \

193

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

194

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

195

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

196

rm --recursive --force \"$RINGDIR\";

197

tty --quiet && stty echo; \

158

198

" EXIT

159

199

160

# Create batch file for GnuPG

161

cat >"$BATCHFILE" <<EOF

162

Key-Type: $KEYTYPE

163

Key-Length: $KEYLENGTH

164

#Key-Usage: encrypt,sign,auth

165

Subkey-Type: $SUBKEYTYPE

166

Subkey-Length: $SUBKEYLENGTH

167

#Subkey-Usage: encrypt,sign,auth

168

Name-Real: $KEYNAME

169

$KEYCOMMENTLINE

170

$KEYEMAILLINE

171

Expire-Date: $KEYEXPIRE

172

#Preferences: <string>

173

#Handle: <no-spaces>

174

%pubring $PUBRING

175

%secring $SECRING

176

%commit

177

EOF

178

179

umask 027

180

181

# Generate a new key in the key rings

182

gpg --no-random-seed-file --quiet --batch --no-tty \

183

--no-default-keyring --no-options --enable-dsa2 \

184

--secret-keyring "$SECRING" --keyring "$PUBRING" \

185

--gen-key "$BATCHFILE"

186

rm --force "$BATCHFILE"

187

188

# Backup any old key files

189

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

190

2>/dev/null; then

191

shred --remove "$SECKEYFILE"

192

193

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

194

2>/dev/null; then

195

rm --force "$PUBKEYFILE"

196

197

198

FILECOMMENT="Mandos client key for $KEYNAME"

199

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

200

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

201

202

203

if [ -n "$KEYEMAIL" ]; then

204

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

205

206

207

# Export keys from key rings to key files

208

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

209

--no-default-keyring --no-options --enable-dsa2 \

210

--secret-keyring "$SECRING" --keyring "$PUBRING" \

211

--export-options export-minimal --comment "$FILECOMMENT" \

212

--output "$SECKEYFILE" --export-secret-keys

213

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

214

--no-default-keyring --no-options --enable-dsa2 \

215

--secret-keyring "$SECRING" --keyring "$PUBRING" \

216

--export-options export-minimal --comment "$FILECOMMENT" \

217

--output "$PUBKEYFILE" --export

200

set -e

201

202

umask 077

203

204

if [ "$mode" = keygen ]; then

205

# Create batch file for GnuPG

206

cat >"$BATCHFILE" <<-EOF

207

Key-Type: $KEYTYPE

208

Key-Length: $KEYLENGTH

209

Key-Usage: sign,auth

210

Subkey-Type: $SUBKEYTYPE

211

Subkey-Length: $SUBKEYLENGTH

212

Subkey-Usage: encrypt

213

Name-Real: $KEYNAME

214

$KEYCOMMENTLINE

215

$KEYEMAILLINE

216

Expire-Date: $KEYEXPIRE

217

#Preferences: <string>

218

#Handle: <no-spaces>

219

#%pubring pubring.gpg

220

#%secring secring.gpg

221

%commit

222

EOF

223

224

if tty --quiet; then

225

cat <<-EOF

226

Note: Due to entropy requirements, key generation could take

227

anything from a few minutes to SEVERAL HOURS. Please be

228

patient and/or supply the system with more entropy if needed.

229

EOF

230

echo -n "Started: "

231

date

232

233

234

# Make sure trustdb.gpg exists;

235

# this is a workaround for Debian bug #737128

236

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

237

--homedir "$RINGDIR" \

238

--import-ownertrust < /dev/null

239

# Generate a new key in the key rings

240

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

241

--homedir "$RINGDIR" --trust-model always \

242

--gen-key "$BATCHFILE"

243

rm --force "$BATCHFILE"

244

245

if tty --quiet; then

246

echo -n "Finished: "

247

date

248

249

250

# Backup any old key files

251

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

252

2>/dev/null; then

253

shred --remove "$SECKEYFILE"

254

255

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

256

2>/dev/null; then

257

rm --force "$PUBKEYFILE"

258

259

260

FILECOMMENT="Mandos client key for $KEYNAME"

261

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

262

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

263

264

265

if [ -n "$KEYEMAIL" ]; then

266

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

267

268

269

# Export key from key rings to key files

270

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

271

--homedir "$RINGDIR" --armor --export-options export-minimal \

272

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

273

--export-secret-keys

274

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

275

--homedir "$RINGDIR" --armor --export-options export-minimal \

276

--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export

277

278

279

if [ "$mode" = password ]; then

280

281

# Make SSH be 0 or 1

282

case "$SSH" in

283

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

284

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

285

esac

286

287

if [ $SSH -eq 1 ]; then

288

for ssh_keytype in ed25519 rsa; do

289

set +e

290

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

291

set -e

292

if [ $? -ne 0 ]; then

293

ssh_fingerprint=""

294

continue

295

296

if [ -n "$ssh_fingerprint" ]; then

297

ssh_fingerprint="${ssh_fingerprint#localhost }"

298

break

299

300

done

301

302

303

# Import key into temporary key rings

304

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

305

--homedir "$RINGDIR" --trust-model always --armor \

306

--import "$SECKEYFILE"

307

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

308

--homedir "$RINGDIR" --trust-model always --armor \

309

--import "$PUBKEYFILE"

310

311

# Get fingerprint of key

312

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

313

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

314

--fingerprint --with-colons \

315

| sed --quiet \

316

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

317

318

test -n "$FINGERPRINT"

319

320

FILECOMMENT="Encrypted password for a Mandos client"

321

322

while [ ! -s "$SECFILE" ]; do

323

if [ -n "$PASSFILE" ]; then

324

cat "$PASSFILE"

325

else

326

tty --quiet && stty -echo

327

echo -n "Enter passphrase: " >&2

328

read first

329

tty --quiet && echo >&2

330

echo -n "Repeat passphrase: " >&2

331

read second

332

if tty --quiet; then

333

echo >&2

334

stty echo

335

336

if [ "$first" != "$second" ]; then

337

echo "Passphrase mismatch" >&2

338

touch "$RINGDIR"/mismatch

339

else

340

echo -n "$first"

341

342

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

343

--homedir "$RINGDIR" --trust-model always --armor \

344

--encrypt --sign --recipient "$FINGERPRINT" --comment \

345

"$FILECOMMENT" > "$SECFILE"

346

if [ -e "$RINGDIR"/mismatch ]; then

347

rm --force "$RINGDIR"/mismatch

348

if tty --quiet; then

349

> "$SECFILE"

350

else

351

exit 1

352

353

354

done

355

356

cat <<-EOF

357

[$KEYNAME]

358

host = $KEYNAME

359

fingerprint = $FINGERPRINT

360

secret =

361

EOF

362

sed --quiet --expression='

363

/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{

364

/^$/,${

365

# Remove 24-bit Radix-64 checksum

366

s/=....$//

367

# Indent four spaces

368

/^[^-]/s/^/ /p

369

}

370

}' < "$SECFILE"

371

if [ -n "$ssh_fingerprint" ]; then

372

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

373

echo "ssh_fingerprint = ${ssh_fingerprint}"

374

375

218

376

219

377

trap - EXIT

220

378

379

set +e

380

# Remove the password file, if any

381

if [ -n "$SECFILE" ]; then

382

shred --remove "$SECFILE"

383

221

384

# Remove the key rings

222

shred --remove "$SECRING"

223

rm --force "$PUBRING"

385

shred --remove "$RINGDIR"/sec* 2>/dev/null

386

rm --recursive --force "$RINGDIR"

Older »