/mandos/trunk : revision 951

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2018-08-15 09:26:02 UTC
Revision ID: teddy@recompile.se-20180815092602-xoyb5s6gf8376i7u

http://bugs.debian.org/894495

mandos-client: Set system clock if necessary

* plugins.d/mandos-client.c (init_gpgme/import_key): If the system
  clock is not set, or set to january 1970, set the system clock to
  the more plausible value that is the mtime of the key file.  This is
  required by GnuPG to be able to import the keys.  (We can't pass the
  --ignore-time-conflict or the --ignore-valid-from options though
  GPGME.)

files added:
bugs.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files modified:
DBUS-API

INSTALL

Makefile

NEWS

README

TODO

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.6.5"

VERSION="1.7.19"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYCOMMENT=""

KEYEXPIRE=0

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:f \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

103

107

-c|--comment) KEYCOMMENT="$2"; shift 2;;

104

108

-x|--expire) KEYEXPIRE="$2"; shift 2;;

105

109

-f|--force) FORCE=yes; shift;;

110

-S|--no-ssh) SSH=no; shift;;

106

111

-v|--version) echo "$0 $VERSION"; exit;;

107

112

-h|--help) help; exit;;

108

113

--) shift; break;;

110

115

esac

111

116

done

112

117

if [ "$#" -gt 0 ]; then

113

echo "Unknown arguments: '$@'" >&2

118

echo "Unknown arguments: '$*'" >&2

114

119

exit 1

115

120

116

121

158

163

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

159

164

esac

160

165

161

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

162

-a "$FORCE" -eq 0 ]; then

166

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \

167

&& [ "$FORCE" -eq 0 ]; then

163

168

echo "Refusing to overwrite old key files; use --force" >&2

164

169

exit 1

165

170

188

193

trap "

189

194

set +e; \

190

195

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

191

shred --remove \"$RINGDIR\"/sec*;

196

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

192

197

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

193

198

rm --recursive --force \"$RINGDIR\";

194

199

tty --quiet && stty echo; \

215

220

#Handle: <no-spaces>

216

221

#%pubring pubring.gpg

217

222

#%secring secring.gpg

223

%no-protection

218

224

%commit

219

225

EOF

220

226

274

280

275

281

276

282

if [ "$mode" = password ]; then

283

284

# Make SSH be 0 or 1

285

case "$SSH" in

286

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

287

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

288

esac

289

290

if [ $SSH -eq 1 ]; then

291

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

292

set +e

293

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

294

err=$?

295

set -e

296

if [ $err -ne 0 ]; then

297

ssh_fingerprint=""

298

continue

299

300

if [ -n "$ssh_fingerprint" ]; then

301

ssh_fingerprint="${ssh_fingerprint#localhost }"

302

break

303

304

done

305

306

277

307

# Import key into temporary key rings

278

308

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

279

309

--homedir "$RINGDIR" --trust-model always --armor \

284

314

285

315

# Get fingerprint of key

286

316

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

287

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

317

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

288

318

--fingerprint --with-colons \

289

319

| sed --quiet \

290

320

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

298

328

cat "$PASSFILE"

299

329

else

300

330

tty --quiet && stty -echo

301

echo -n "Enter passphrase: " >&2

302

read first

331

echo -n "Enter passphrase: " >/dev/tty

332

read -r first

303

333

tty --quiet && echo >&2

304

echo -n "Repeat passphrase: " >&2

305

read second

334

echo -n "Repeat passphrase: " >/dev/tty

335

read -r second

306

336

if tty --quiet; then

307

337

echo >&2

308

338

stty echo

342

372

/^[^-]/s/^/ /p

343

373

}

344

374

}' < "$SECFILE"

375

if [ -n "$ssh_fingerprint" ]; then

376

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

377

echo "ssh_fingerprint = ${ssh_fingerprint}"

378

345

379

346

380

347

381

trap - EXIT

352

386

shred --remove "$SECFILE"

353

387

354

388

# Remove the key rings

355

shred --remove "$RINGDIR"/sec*

389

shred --remove "$RINGDIR"/sec* 2>/dev/null

356

390

rm --recursive --force "$RINGDIR"

Older »