/mandos/trunk : revision 967

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2019-02-10 03:50:20 UTC
Revision ID: teddy@recompile.se-20190210035020-nttr1tybgwwixueu

http://bugs.debian.org/879538

http://bugs.debian.org/916673

Show debconf note about new TLS key IDs

If mandos-client did not see TLS keys and had to create them, or if
mandos sees GnuTLS version 3.6.6 or later, show an important notice on
package installation about the importance of adding the new key_id
options to clients.conf on the Mandos server.

* debian/control (Package: mandos, Package: mandos-client): Depend on
                                                            debconf.
* debian/mandos-client.lintian-overrides: Override warnings.
* debian/mandos-client.postinst (create_keys): Show notice if new TLS
                                               key files were created.
* debian/mandos-client.templates: New.
* debian/mandos.lintian-overrides: Override warnings.
* debian/mandos.postinst (configure): If GnuTLS 3.6.6 or later is
                                      detected, show an important
                                      notice (once) about the new
                                      key_id option required in
                                      clients.conf.
* debian/mandos.templates: New.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

network-protocol.txt

plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos.conf

mandos.conf.xml

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# Mandos key generator - create new keys for a Mandos client

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@fukt.bsnet.se>.

VERSION="1.0"

KEYDIR="/etc/mandos"

KEYTYPE=DSA

KEYLENGTH=1024

KEYNAME="`hostname --fqdn`"

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.7.20"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT="Mandos client key"

KEYCOMMENT=""

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

if [ ! -d "$KEYDIR" ]; then

KEYDIR="/etc/mandos/keys"

# Parse options

TEMP=`getopt --options vhd:t:l:n:e:c:x:f \

--longoptions version,help,dir:,type:,length:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename "$0"`"

cat <<EOF

Usage: `basename $0` [options]

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

Key creation:

$basename [ OPTIONS ]

Encrypted password creation:

$basename { -p | --password } [ --name NAME ] [ --dir DIR]

$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]

Options:

Key creation options:

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is DSA.

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 1024.

OpenPGP key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

OpenPGP subkey type. Default is RSA.

-L BITS, --sublength BITS

OpenPGP subkey length in bits. Default 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e EMAIL, --email EMAIL

Email address of key. Default is empty.

-c COMMENT, --comment COMMENT

Comment field for key. The default value is

"Mandos client key".

-e ADDRESS, --email ADDRESS

Email address of OpenPGP key. Default empty.

-c TEXT, --comment TEXT

Comment field for OpenPGP key. Default empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

OpenPGP key expire time. Default is none.

See gpg(1) for syntax.

-f, --force Force overwriting old keys.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

-p, --password Create an encrypted password using the key in

the key directory. All options other than

--dir and --name are ignored.

-F FILE, --passfile FILE

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

eval set -- "$TEMP"

while :; do

100

case "$1" in

101

-p|--password) mode=password; shift;;

102

-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;

103

-d|--dir) KEYDIR="$2"; shift 2;;

104

-t|--type) KEYTYPE="$2"; shift 2;;

105

-s|--subtype) SUBKEYTYPE="$2"; shift 2;;

106

-l|--length) KEYLENGTH="$2"; shift 2;;

107

-L|--sublength) SUBKEYLENGTH="$2"; shift 2;;

108

-n|--name) KEYNAME="$2"; shift 2;;

109

-e|--email) KEYEMAIL="$2"; shift 2;;

110

-c|--comment) KEYCOMMENT="$2"; shift 2;;

-x|--expire) KEYCOMMENT="$2"; shift 2;;

111

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

113

-f|--force) FORCE=yes; shift;;

114

-S|--no-ssh) SSH=no; shift;;

115

-v|--version) echo "$0 $VERSION"; exit;;

116

-h|--help) help; exit;;

117

--) shift; break;;

119

esac

120

done

121

if [ "$#" -gt 0 ]; then

echo "Unknown arguments: '$@'" >&2

122

echo "Unknown arguments: '$*'" >&2

123

exit 1

124

125

126

SECKEYFILE="$KEYDIR/seckey.txt"

127

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

130

131

# Check for some invalid values

if [ -d "$KEYDIR" ]; then :; else

132

if [ ! -d "$KEYDIR" ]; then

133

echo "$KEYDIR not a directory" >&2

134

exit 1

135

if [ -w "$KEYDIR" ]; then :; else

echo "Directory $KEYDIR not writeable" >&2

exit 1

if [ -z "$KEYTYPE" ]; then

100

echo "Empty key type" >&2

101

exit 1

102

103

104

if [ -z "$KEYNAME" ]; then

105

echo "Empty key name" >&2

106

exit 1

107

108

109

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

110

echo "Invalid key length" >&2

111

exit 1

112

113

114

if [ -z "$KEYEXPIRE" ]; then

115

echo "Empty key expiration" >&2

116

exit 1

117

118

119

# Make FORCE be 0 or 1

120

case "$FORCE" in

121

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

122

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

123

esac

124

125

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \

126

&& [ "$FORCE" -eq 0 ]; then

127

echo "Refusing to overwrite old key files; use --force" >&2

128

exit 1

129

130

131

# Set lines for GnuPG batch file

132

if [ -n "$KEYCOMMENT" ]; then

133

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

134

135

if [ -n "$KEYEMAIL" ]; then

136

KEYEMAILLINE="Name-Email: $KEYEMAIL"

137

138

139

# Create temp files

140

BATCHFILE="`mktemp -t mandos-gpg-batch.XXXXXXXXXX`"

141

SECRING="`mktemp -t mandos-gpg-secring.XXXXXXXXXX`"

142

PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`"

136

if [ ! -r "$KEYDIR" ]; then

137

echo "Directory $KEYDIR not readable" >&2

138

exit 1

139

140

141

if [ "$mode" = keygen ]; then

142

if [ ! -w "$KEYDIR" ]; then

143

echo "Directory $KEYDIR not writeable" >&2

144

exit 1

145

146

if [ -z "$KEYTYPE" ]; then

147

echo "Empty key type" >&2

148

exit 1

149

150

151

if [ -z "$KEYNAME" ]; then

152

echo "Empty key name" >&2

153

exit 1

154

155

156

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

157

echo "Invalid key length" >&2

158

exit 1

159

160

161

if [ -z "$KEYEXPIRE" ]; then

162

echo "Empty key expiration" >&2

163

exit 1

164

165

166

# Make FORCE be 0 or 1

167

case "$FORCE" in

168

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

169

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

170

esac

171

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

175

&& [ "$FORCE" -eq 0 ]; then

176

echo "Refusing to overwrite old key files; use --force" >&2

177

exit 1

178

179

180

# Set lines for GnuPG batch file

181

if [ -n "$KEYCOMMENT" ]; then

182

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

183

184

if [ -n "$KEYEMAIL" ]; then

185

KEYEMAILLINE="Name-Email: $KEYEMAIL"

186

187

188

# Create temporary gpg batch file

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

191

192

if [ "$mode" = password ]; then

193

# Create temporary encrypted password file

194

SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`"

195

196

197

# Create temporary key ring directory

198

RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`"

143

199

144

200

# Remove temporary files on exit

145

trap "rm --force $PUBRING $BATCHFILE; shred --remove $SECRING" EXIT

146

147

# Create batch file for GnuPG

148

cat >"$BATCHFILE" <<EOF

149

Key-Type: $KEYTYPE

150

Key-Length: $KEYLENGTH

151

#Key-Usage: encrypt,sign,auth

152

Name-Real: $KEYNAME

153

$KEYCOMMENTLINE

154

$KEYEMAILLINE

155

Expire-Date: $KEYEXPIRE

156

%pubring $PUBRING

157

%secring $SECRING

158

%commit

159

EOF

160

161

umask 027

162

163

# Generate a new key in the key rings

164

gpg --no-random-seed-file --quiet --batch --no-tty \

165

--no-default-keyring --no-options --batch \

166

--secret-keyring "$SECRING" --keyring "$PUBRING" \

167

--gen-key "$BATCHFILE"

168

rm --force "$BATCHFILE"

169

170

# Backup any old key files

171

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

172

2>/dev/null; then

173

shred --remove "$SECKEYFILE"

174

175

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

176

2>/dev/null; then

177

rm --force "$PUBKEYFILE"

178

179

180

FILECOMMENT="Mandos client key for $KEYNAME"

181

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

182

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

183

184

185

if [ -n "$KEYEMAIL" ]; then

186

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

187

188

189

# Export keys from key rings to key files

190

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

191

--no-default-keyring --secret-keyring "$SECRING" \

192

--keyring "$PUBRING" --export-options export-minimal \

193

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

194

--export-secret-keys

195

gpg --no-random-seed-file --quiet --batch --no-tty --armor \

196

--no-default-keyring --secret-keyring "$SECRING" \

197

--keyring "$PUBRING" --export-options export-minimal \

198

--comment "$FILECOMMENT" --output "$PUBKEYFILE" \

199

--export

201

trap "

202

set +e; \

203

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

204

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

205

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

206

rm --recursive --force \"$RINGDIR\";

207

tty --quiet && stty echo; \

208

" EXIT

209

210

set -e

211

212

umask 077

213

214

if [ "$mode" = keygen ]; then

215

# Create batch file for GnuPG

216

cat >"$BATCHFILE" <<-EOF

217

Key-Type: $KEYTYPE

218

Key-Length: $KEYLENGTH

219

Key-Usage: sign,auth

220

Subkey-Type: $SUBKEYTYPE

221

Subkey-Length: $SUBKEYLENGTH

222

Subkey-Usage: encrypt

223

Name-Real: $KEYNAME

224

$KEYCOMMENTLINE

225

$KEYEMAILLINE

226

Expire-Date: $KEYEXPIRE

227

#Preferences: <string>

228

#Handle: <no-spaces>

229

#%pubring pubring.gpg

230

#%secring secring.gpg

231

%no-protection

232

%commit

233

EOF

234

235

if tty --quiet; then

236

cat <<-EOF

237

Note: Due to entropy requirements, key generation could take

238

anything from a few minutes to SEVERAL HOURS. Please be

239

patient and/or supply the system with more entropy if needed.

240

EOF

241

echo -n "Started: "

242

date

243

244

245

# Backup any old key files

246

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

247

2>/dev/null; then

248

shred --remove "$TLS_PRIVKEYFILE"

249

250

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

251

2>/dev/null; then

252

rm --force "$TLS_PUBKEYFILE"

253

254

255

## Generate TLS private key

256

257

# First try certtool from GnuTLS

258

if ! certtool --generate-privkey --password='' \

259

--outfile "$TLS_PRIVKEYFILE" --sec-param ultra \

260

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

261

# Otherwise try OpenSSL

262

if ! openssl genpkey -algorithm X25519 -out \

263

/etc/keys/mandos/tls-privkey.pem; then

264

rm --force /etc/keys/mandos/tls-privkey.pem

265

# None of the commands succeded; give up

266

return 1

267

268

269

270

## TLS public key

271

272

# First try certtool from GnuTLS

273

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

274

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

275

2>/dev/null; then

276

# Otherwise try OpenSSL

277

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

278

-out "$TLS_PUBKEYFILE" -pubout; then

279

rm --force "$TLS_PUBKEYFILE"

280

# None of the commands succeded; give up

281

return 1

282

283

284

285

# Make sure trustdb.gpg exists;

286

# this is a workaround for Debian bug #737128

287

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

288

--homedir "$RINGDIR" \

289

--import-ownertrust < /dev/null

290

# Generate a new key in the key rings

291

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

292

--homedir "$RINGDIR" --trust-model always \

293

--gen-key "$BATCHFILE"

294

rm --force "$BATCHFILE"

295

296

if tty --quiet; then

297

echo -n "Finished: "

298

date

299

300

301

# Backup any old key files

302

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

303

2>/dev/null; then

304

shred --remove "$SECKEYFILE"

305

306

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

307

2>/dev/null; then

308

rm --force "$PUBKEYFILE"

309

310

311

FILECOMMENT="Mandos client key for $KEYNAME"

312

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

313

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

314

315

316

if [ -n "$KEYEMAIL" ]; then

317

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

318

319

320

# Export key from key rings to key files

321

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

322

--homedir "$RINGDIR" --armor --export-options export-minimal \

323

--comment "$FILECOMMENT" --output "$SECKEYFILE" \

324

--export-secret-keys

325

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

326

--homedir "$RINGDIR" --armor --export-options export-minimal \

327

--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export

328

329

330

if [ "$mode" = password ]; then

331

332

# Make SSH be 0 or 1

333

case "$SSH" in

334

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

335

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

336

esac

337

338

if [ $SSH -eq 1 ]; then

339

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

340

set +e

341

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

342

err=$?

343

set -e

344

if [ $err -ne 0 ]; then

345

ssh_fingerprint=""

346

continue

347

348

if [ -n "$ssh_fingerprint" ]; then

349

ssh_fingerprint="${ssh_fingerprint#localhost }"

350

break

351

352

done

353

354

355

# Import key into temporary key rings

356

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

357

--homedir "$RINGDIR" --trust-model always --armor \

358

--import "$SECKEYFILE"

359

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

360

--homedir "$RINGDIR" --trust-model always --armor \

361

--import "$PUBKEYFILE"

362

363

# Get fingerprint of key

364

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

365

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

366

--fingerprint --with-colons \

367

| sed --quiet \

368

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

369

370

test -n "$FINGERPRINT"

371

372

KEY_ID="$(certtool --key-id --hash=sha256 \

373

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

374

375

if [ -z "$KEY_ID" ]; then

376

KEY_ID=$(openssl pkey -pubin -in /tmp/tls-pubkey.pem \

377

-outform der \

378

| openssl sha256 \

379

| sed --expression='s/^.*[^[:xdigit:]]//')

380

381

test -n "$KEY_ID"

382

383

FILECOMMENT="Encrypted password for a Mandos client"

384

385

while [ ! -s "$SECFILE" ]; do

386

if [ -n "$PASSFILE" ]; then

387

cat "$PASSFILE"

388

else

389

tty --quiet && stty -echo

390

echo -n "Enter passphrase: " >/dev/tty

391

read -r first

392

tty --quiet && echo >&2

393

echo -n "Repeat passphrase: " >/dev/tty

394

read -r second

395

if tty --quiet; then

396

echo >&2

397

stty echo

398

399

if [ "$first" != "$second" ]; then

400

echo "Passphrase mismatch" >&2

401

touch "$RINGDIR"/mismatch

402

else

403

echo -n "$first"

404

405

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

406

--homedir "$RINGDIR" --trust-model always --armor \

407

--encrypt --sign --recipient "$FINGERPRINT" --comment \

408

"$FILECOMMENT" > "$SECFILE"

409

if [ -e "$RINGDIR"/mismatch ]; then

410

rm --force "$RINGDIR"/mismatch

411

if tty --quiet; then

412

> "$SECFILE"

413

else

414

exit 1

415

416

417

done

418

419

cat <<-EOF

420

[$KEYNAME]

421

host = $KEYNAME

422

key_id = $KEY_ID

423

fingerprint = $FINGERPRINT

424

secret =

425

EOF

426

sed --quiet --expression='

427

/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{

428

/^$/,${

429

# Remove 24-bit Radix-64 checksum

430

s/=....$//

431

# Indent four spaces

432

/^[^-]/s/^/ /p

433

}

434

}' < "$SECFILE"

435

if [ -n "$ssh_fingerprint" ]; then

436

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

437

echo "ssh_fingerprint = ${ssh_fingerprint}"

438

439

200

440

201

441

trap - EXIT

202

442

443

set +e

444

# Remove the password file, if any

445

if [ -n "$SECFILE" ]; then

446

shred --remove "$SECFILE"

447

203

448

# Remove the key rings

204

shred --remove "$SECRING"

205

rm --force "$PUBRING"

449

shred --remove "$RINGDIR"/sec* 2>/dev/null

450

rm --recursive --force "$RINGDIR"

Older »