/mandos/trunk : revision 951

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2018-08-15 09:26:02 UTC
Revision ID: teddy@recompile.se-20180815092602-xoyb5s6gf8376i7u

http://bugs.debian.org/894495

mandos-client: Set system clock if necessary

* plugins.d/mandos-client.c (init_gpgme/import_key): If the system
  clock is not set, or set to january 1970, set the system clock to
  the more plausible value that is the mtime of the key file.  This is
  required by GnuPG to be able to import the keys.  (We can't pass the
  --ignore-time-conflict or the --ignore-valid-from options though
  GPGME.)

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

VERSION="1.0"

KEYDIR="/etc/mandos"

KEYTYPE=DSA

KEYLENGTH=1024

SUBKEYTYPE=ELG-E

SUBKEYLENGTH=2048

KEYNAME="`hostname --fqdn`"

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.7.19"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT="Mandos client key"

KEYCOMMENT=""

KEYEXPIRE=0

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

if [ ! -d "$KEYDIR" ]; then

KEYDIR="/etc/mandos/keys"

# Parse options

TEMP=`getopt --options vhd:t:l:n:e:c:x:f \

--longoptions version,help,password,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

$basename [ OPTIONS ]

Encrypted password creation:

$basename { -p | --password } [ --name NAME ] [ --dir DIR]

$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]

Key creation options:

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is DSA.

-t TYPE, --type TYPE Key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 1024.

Key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is ELG-E.

Subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 2048.

Subkey length in bits. Default is 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

-c COMMENT, --comment COMMENT

Comment field for key. The default value is

"Mandos client key".

-c TEXT, --comment TEXT

Comment field for key. The default is empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

See gpg(1) for syntax.

-f, --force Force overwriting old keys.

-f, --force Force overwriting old key files.

Password creation options:

-p, --password Create an encrypted password using the keys in

the key directory. All options other than

--keydir and --name are ignored.

-p, --password Create an encrypted password using the key in

the key directory. All options other than

--dir and --name are ignored.

-F FILE, --passfile FILE

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

while :; do

case "$1" in

-p|--password) mode=password; shift;;

-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;

100

-d|--dir) KEYDIR="$2"; shift 2;;

101

-t|--type) KEYTYPE="$2"; shift 2;;

102

-s|--subtype) SUBKEYTYPE="$2"; shift 2;;

107

-c|--comment) KEYCOMMENT="$2"; shift 2;;

108

-x|--expire) KEYEXPIRE="$2"; shift 2;;

109

-f|--force) FORCE=yes; shift;;

110

-S|--no-ssh) SSH=no; shift;;

111

-v|--version) echo "$0 $VERSION"; exit;;

112

-h|--help) help; exit;;

113

--) shift; break;;

100

115

esac

101

116

done

102

117

if [ "$#" -gt 0 ]; then

103

echo "Unknown arguments: '$@'" >&2

118

echo "Unknown arguments: '$*'" >&2

104

119

exit 1

105

120

106

121

108

123

PUBKEYFILE="$KEYDIR/pubkey.txt"

109

124

110

125

# Check for some invalid values

111

if [ -d "$KEYDIR" ]; then :; else

126

if [ ! -d "$KEYDIR" ]; then

112

127

echo "$KEYDIR not a directory" >&2

113

128

exit 1

114

129

115

if [ -w "$KEYDIR" ]; then :; else

116

echo "Directory $KEYDIR not writeable" >&2

117

exit 1

118

119

120

if [ "$mode" = password -a -e "$KEYDIR/trustdb.gpg.lock" ]; then

121

echo "Key directory has locked trustdb; aborting." >&2

130

if [ ! -r "$KEYDIR" ]; then

131

echo "Directory $KEYDIR not readable" >&2

122

132

exit 1

123

133

124

134

125

135

if [ "$mode" = keygen ]; then

136

if [ ! -w "$KEYDIR" ]; then

137

echo "Directory $KEYDIR not writeable" >&2

138

exit 1

139

126

140

if [ -z "$KEYTYPE" ]; then

127

141

echo "Empty key type" >&2

128

142

exit 1

137

151

echo "Invalid key length" >&2

138

152

exit 1

139

153

140

154

141

155

if [ -z "$KEYEXPIRE" ]; then

142

156

echo "Empty key expiration" >&2

143

157

exit 1

162

176

if [ -n "$KEYEMAIL" ]; then

163

177

KEYEMAILLINE="Name-Email: $KEYEMAIL"

164

178

165

179

166

180

# Create temporary gpg batch file

167

BATCHFILE="`mktemp -t mandos-gpg-batch.XXXXXXXXXX`"

181

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

168

182

169

183

170

184

if [ "$mode" = password ]; then

171

185

# Create temporary encrypted password file

172

SECFILE="`mktemp -t mandos-gpg-secfile.XXXXXXXXXX`"

173

174

175

# Create temporary key rings

176

SECRING="`mktemp -t mandos-gpg-secring.XXXXXXXXXX`"

177

PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`"

178

179

if [ "$mode" = password ]; then

180

# If a trustdb.gpg file does not already exist, schedule it for

181

# deletion when we are done.

182

if ! [ -e "$KEYDIR/trustdb.gpg" ]; then

183

TRUSTDB="$KEYDIR/trustdb.gpg"

184

185

186

SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`"

187

188

189

# Create temporary key ring directory

190

RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`"

186

191

187

192

# Remove temporary files on exit

188

193

trap "

189

194

set +e; \

190

rm --force $PUBRING ${PUBRING}~ $BATCHFILE $TRUSTDB; \

191

shred --remove $SECRING $SECFILE; \

192

stty echo; \

195

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

196

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

197

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

198

rm --recursive --force \"$RINGDIR\";

199

tty --quiet && stty echo; \

193

200

" EXIT

194

201

195

umask 027

202

set -e

203

204

umask 077

196

205

197

206

if [ "$mode" = keygen ]; then

198

207

# Create batch file for GnuPG

199

208

cat >"$BATCHFILE" <<-EOF

200

209

Key-Type: $KEYTYPE

201

210

Key-Length: $KEYLENGTH

202

#Key-Usage: encrypt,sign,auth

211

Key-Usage: sign,auth

203

212

Subkey-Type: $SUBKEYTYPE

204

213

Subkey-Length: $SUBKEYLENGTH

205

#Subkey-Usage: encrypt,sign,auth

214

Subkey-Usage: encrypt

206

215

Name-Real: $KEYNAME

207

216

$KEYCOMMENTLINE

208

217

$KEYEMAILLINE

209

218

Expire-Date: $KEYEXPIRE

210

219

#Preferences: <string>

211

220

#Handle: <no-spaces>

212

%pubring $PUBRING

213

%secring $SECRING

221

#%pubring pubring.gpg

222

#%secring secring.gpg

223

%no-protection

214

224

%commit

215

225

EOF

216

226

227

if tty --quiet; then

228

cat <<-EOF

229

Note: Due to entropy requirements, key generation could take

230

anything from a few minutes to SEVERAL HOURS. Please be

231

patient and/or supply the system with more entropy if needed.

232

EOF

233

echo -n "Started: "

234

date

235

236

237

# Make sure trustdb.gpg exists;

238

# this is a workaround for Debian bug #737128

239

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

240

--homedir "$RINGDIR" \

241

--import-ownertrust < /dev/null

217

242

# Generate a new key in the key rings

218

gpg --no-random-seed-file --quiet --batch --no-tty \

219

--no-default-keyring --no-options --enable-dsa2 \

220

--secret-keyring "$SECRING" --keyring "$PUBRING" \

243

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

244

--homedir "$RINGDIR" --trust-model always \

221

245

--gen-key "$BATCHFILE"

222

246

rm --force "$BATCHFILE"

223

247

248

if tty --quiet; then

249

echo -n "Finished: "

250

date

251

252

224

253

# Backup any old key files

225

254

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

226

255

2>/dev/null; then

240

269

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

241

270

242

271

243

# Export keys from key rings to key files

244

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

245

--no-default-keyring --no-options --enable-dsa2 \

246

--secret-keyring "$SECRING" --keyring "$PUBRING" \

247

--export-options export-minimal --comment "$FILECOMMENT" \

248

--output "$SECKEYFILE" --export-secret-keys

249

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

250

--no-default-keyring --no-options --enable-dsa2 \

251

--secret-keyring "$SECRING" --keyring "$PUBRING" \

252

--export-options export-minimal --comment "$FILECOMMENT" \

253

--output "$PUBKEYFILE" --export

272

# Export key from key rings to key files

273

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

274

--homedir "$RINGDIR" --armor --export-options export-minimal \

275

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

276

--export-secret-keys

277

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

278

--homedir "$RINGDIR" --armor --export-options export-minimal \

279

--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export

254

280

255

281

256

282

if [ "$mode" = password ]; then

257

# Import keys into temporary key rings

258

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

259

--no-default-keyring --no-options --enable-dsa2 \

260

--homedir "$KEYDIR" --no-permission-warning \

261

--secret-keyring "$SECRING" --keyring "$PUBRING" \

262

--trust-model always --import "$SECKEYFILE"

263

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

264

--no-default-keyring --no-options --enable-dsa2 \

265

--homedir "$KEYDIR" --no-permission-warning \

266

--secret-keyring "$SECRING" --keyring "$PUBRING" \

267

--trust-model always --import "$PUBKEYFILE"

268

283

284

# Make SSH be 0 or 1

285

case "$SSH" in

286

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

287

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

288

esac

289

290

if [ $SSH -eq 1 ]; then

291

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

292

set +e

293

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

294

err=$?

295

set -e

296

if [ $err -ne 0 ]; then

297

ssh_fingerprint=""

298

continue

299

300

if [ -n "$ssh_fingerprint" ]; then

301

ssh_fingerprint="${ssh_fingerprint#localhost }"

302

break

303

304

done

305

306

307

# Import key into temporary key rings

308

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

309

--homedir "$RINGDIR" --trust-model always --armor \

310

--import "$SECKEYFILE"

311

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

312

--homedir "$RINGDIR" --trust-model always --armor \

313

--import "$PUBKEYFILE"

314

269

315

# Get fingerprint of key

270

FINGERPRINT="`gpg --no-random-seed-file --quiet --batch --no-tty \

271

--armor --no-default-keyring --no-options --enable-dsa2 \

272

--homedir \"$KEYDIR\" --no-permission-warning \

273

--secret-keyring \"$SECRING\" --keyring \"$PUBRING\" \

274

--trust-model always --fingerprint --with-colons \

275

| sed -n -e '/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

316

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

317

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

318

--fingerprint --with-colons \

319

| sed --quiet \

320

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

276

321

277

322

test -n "$FINGERPRINT"

278

323

279

324

FILECOMMENT="Encrypted password for a Mandos client"

280

325

281

stty -echo

282

echo -n "Enter passphrase: " >&2

283

sed -e '1q' \

284

| gpg --no-random-seed-file --batch --no-tty --armor \

285

--no-default-keyring --no-options --enable-dsa2 \

286

--homedir "$KEYDIR" --no-permission-warning \

287

--secret-keyring "$SECRING" --keyring "$PUBRING" \

288

--trust-model always --encrypt --recipient "$FINGERPRINT" \

289

--comment "$FILECOMMENT" \

290

> "$SECFILE"

291

echo >&2

292

stty echo

326

while [ ! -s "$SECFILE" ]; do

327

if [ -n "$PASSFILE" ]; then

328

cat "$PASSFILE"

329

else

330

tty --quiet && stty -echo

331

echo -n "Enter passphrase: " >/dev/tty

332

read -r first

333

tty --quiet && echo >&2

334

echo -n "Repeat passphrase: " >/dev/tty

335

read -r second

336

if tty --quiet; then

337

echo >&2

338

stty echo

339

340

if [ "$first" != "$second" ]; then

341

echo "Passphrase mismatch" >&2

342

touch "$RINGDIR"/mismatch

343

else

344

echo -n "$first"

345

346

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

347

--homedir "$RINGDIR" --trust-model always --armor \

348

--encrypt --sign --recipient "$FINGERPRINT" --comment \

349

"$FILECOMMENT" > "$SECFILE"

350

if [ -e "$RINGDIR"/mismatch ]; then

351

rm --force "$RINGDIR"/mismatch

352

if tty --quiet; then

353

> "$SECFILE"

354

else

355

exit 1

356

357

358

done

293

359

294

360

cat <<-EOF

295

361

[$KEYNAME]

296

362

host = $KEYNAME

297

363

fingerprint = $FINGERPRINT

298

364

secret =

299

EOF

300

sed -n -e '

365

EOF

366

sed --quiet --expression='

301

367

/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{

302

368

/^$/,${

369

# Remove 24-bit Radix-64 checksum

370

s/=....$//

303

371

# Indent four spaces

304

372

/^[^-]/s/^/ /p

305

373

}

306

374

}' < "$SECFILE"

375

if [ -n "$ssh_fingerprint" ]; then

376

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

377

echo "ssh_fingerprint = ${ssh_fingerprint}"

378

307

379

308

380

309

381

trap - EXIT

314

386

shred --remove "$SECFILE"

315

387

316

388

# Remove the key rings

317

shred --remove "$SECRING"

318

rm --force "$PUBRING" "${PUBRING}~"

319

# Remove the trustdb, if one did not exist when we started

320

if [ -n "$TRUSTDB" ]; then

321

rm --force "$TRUSTDB"

322

389

shred --remove "$RINGDIR"/sec* 2>/dev/null

390

rm --recursive --force "$RINGDIR"

Older »