/mandos/trunk : revision 777

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

files added:
debian/mandos-client.examples

debian/upstream

debian/upstream/signing-key.asc

initramfs-unpack

mandos.service

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/bridge.conf

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# Contact the authors at <mandos@recompile.se>.

VERSION="1.4.1"

VERSION="1.6.9"

KEYDIR="/etc/keys/mandos"

KEYTYPE=DSA

KEYLENGTH=2048

SUBKEYTYPE=ELG-E

SUBKEYLENGTH=2048

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT="Mandos client key"

KEYCOMMENT=""

KEYEXPIRE=0

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:f \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is DSA.

-t TYPE, --type TYPE Key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 2048.

Key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is ELG-E.

Subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 2048.

Subkey length in bits. Default is 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

-c TEXT, --comment TEXT

Comment field for key. The default value is

"Mandos client key".

Comment field for key. The default is empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

See gpg(1) for syntax.

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

104

105

-c|--comment) KEYCOMMENT="$2"; shift 2;;

105

106

-x|--expire) KEYEXPIRE="$2"; shift 2;;

106

107

-f|--force) FORCE=yes; shift;;

108

-S|--no-ssh) SSH=no; shift;;

107

109

-v|--version) echo "$0 $VERSION"; exit;;

108

110

-h|--help) help; exit;;

109

111

--) shift; break;;

111

113

esac

112

114

done

113

115

if [ "$#" -gt 0 ]; then

114

echo "Unknown arguments: '$@'" >&2

116

echo "Unknown arguments: '$*'" >&2

115

117

exit 1

116

118

117

119

189

191

trap "

190

192

set +e; \

191

193

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

192

shred --remove \"$RINGDIR\"/sec*;

194

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

193

195

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

194

196

rm --recursive --force \"$RINGDIR\";

195

197

tty --quiet && stty echo; \

204

206

cat >"$BATCHFILE" <<-EOF

205

207

Key-Type: $KEYTYPE

206

208

Key-Length: $KEYLENGTH

207

#Key-Usage: encrypt,sign,auth

209

Key-Usage: sign,auth

208

210

Subkey-Type: $SUBKEYTYPE

209

211

Subkey-Length: $SUBKEYLENGTH

210

#Subkey-Usage: encrypt,sign,auth

212

Subkey-Usage: encrypt

211

213

Name-Real: $KEYNAME

212

214

$KEYCOMMENTLINE

213

215

$KEYEMAILLINE

229

231

date

230

232

231

233

234

# Make sure trustdb.gpg exists;

235

# this is a workaround for Debian bug #737128

236

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

237

--homedir "$RINGDIR" \

238

--import-ownertrust < /dev/null

232

239

# Generate a new key in the key rings

233

240

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

234

241

--homedir "$RINGDIR" --trust-model always \

270

277

271

278

272

279

if [ "$mode" = password ]; then

280

281

# Make SSH be 0 or 1

282

case "$SSH" in

283

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

284

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

285

esac

286

287

if [ $SSH -eq 1 ]; then

288

for ssh_keytype in ed25519 rsa; do

289

set +e

290

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

291

set -e

292

if [ $? -ne 0 ]; then

293

ssh_fingerprint=""

294

continue

295

296

if [ -n "$ssh_fingerprint" ]; then

297

ssh_fingerprint="${ssh_fingerprint#localhost }"

298

break

299

300

done

301

302

273

303

# Import key into temporary key rings

274

304

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

275

305

--homedir "$RINGDIR" --trust-model always --armor \

280

310

281

311

# Get fingerprint of key

282

312

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

283

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

313

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

284

314

--fingerprint --with-colons \

285

315

| sed --quiet \

286

316

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

294

324

cat "$PASSFILE"

295

325

else

296

326

tty --quiet && stty -echo

297

read -p "Enter passphrase: " first

327

echo -n "Enter passphrase: " >&2

328

read first

298

329

tty --quiet && echo >&2

299

read -p "Repeat passphrase: " second

330

echo -n "Repeat passphrase: " >&2

331

read second

300

332

if tty --quiet; then

301

333

echo >&2

302

334

stty echo

336

368

/^[^-]/s/^/ /p

337

369

}

338

370

}' < "$SECFILE"

371

if [ -n "$ssh_fingerprint" ]; then

372

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

373

echo "ssh_fingerprint = ${ssh_fingerprint}"

374

339

375

340

376

341

377

trap - EXIT

346

382

shred --remove "$SECFILE"

347

383

348

384

# Remove the key rings

349

shred --remove "$RINGDIR"/sec*

385

shred --remove "$RINGDIR"/sec* 2>/dev/null

350

386

rm --recursive --force "$RINGDIR"

Older »