diff --git a/src/freedombone-pin-cert b/src/freedombone-pin-cert
index d74b2be758a08c311dea59406ad844fcfe53aafb..bbf3969bd51906854b221f33f86f5b0f5eb9b573 100755
--- a/src/freedombone-pin-cert
+++ b/src/freedombone-pin-cert
@@ -33,10 +33,49 @@ PROJECT_NAME='freedombone'
export TEXTDOMAIN=${PROJECT_NAME}-pin-cert
export TEXTDOMAINDIR="/usr/share/locale"
+WEBSITES_DIRECTORY=/etc/nginx/sites-available
+
+function pin_all_certs {
+ if [ ! -d $WEBSITES_DIRECTORY ]; then
+ return
+ fi
+
+ cd $WEBSITES_DIRECTORY
+ for file in `dir -d *` ; do
+ if grep -q "Public-Key-Pins" $file; then
+ DOMAIN_NAME=$file
+ KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
+ if [ -f $KEY_FILENAME ]; then
+ BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
+ if [ -f $BACKUP_KEY_FILENAME ]; then
+ KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
+ BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
+ if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then
+
+ PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
+ sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" $file
+ echo "Pinned $DOMAIN_NAME"
+ fi
+ fi
+ fi
+ fi
+ done
+}
+
+if [[ $1 == "all" ]]; then
+ pin_all_certs
+ systemctl restart nginx
+ exit 0
+fi
+
DOMAIN_NAME=$1
KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
-SITE_FILENAME=/etc/nginx/sites-available/${DOMAIN_NAME}
+SITE_FILENAME=$WEBSITES_DIRECTORY/${DOMAIN_NAME}
+
+if [ ! -f "$SITE_FILENAME" ]; then
+ exit 0
+fi
if [ ! -f "$KEY_FILENAME" ]; then
echo $"No private key certificate found for $DOMAIN_NAME"
@@ -45,16 +84,22 @@ fi
if [ ! -f "$BACKUP_KEY_FILENAME" ]; then
echo $"No fullchain certificate found for $DOMAIN_NAME"
- exit 1
-fi
-
-if [ ! -f "$SITE_FILENAME" ]; then
- exit 0
+ exit 2
fi
KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
+if [ ${#KEY_HASH} -lt 5 ]; then
+ echo 'Pin hash unexpectedly short'
+ exit 3
+fi
+
+if [ ${#BACKUP_KEY_HASH} -lt 5 ]; then
+ echo 'Backup pin hash unexpectedly short'
+ exit 4
+fi
+
PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
if ! grep -q "Public-Key-Pins" $SITE_FILENAME; then
sed -i "/ssl_ciphers.*/a add_header ${PIN_HEADER}" $SITE_FILENAME
diff --git a/src/freedombone-sec b/src/freedombone-sec
index 74f51907b44ab33adb407724cfc95dc0c0ab3a47..bd867ba085210659606d435cf6ee1abf718b650c 100755
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -66,976 +66,976 @@ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
MY_USERNAME=
function get_protocols_from_website {
- if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
- return
- fi
- SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
+ if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
+ return
+ fi
+ SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
}
function get_ciphers_from_website {
- if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
- return
- fi
- SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
+ if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
+ return
+ fi
+ SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
}
function get_website_settings {
- if [ ! -d $WEBSITES_DIRECTORY ]; then
- return
- fi
-
- cd $WEBSITES_DIRECTORY
- for file in `dir -d *` ; do
- get_protocols_from_website $file
- if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
- get_ciphers_from_website $file
- if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
- break
- else
- SSL_PROTOCOLS=""
- fi
- fi
- done
+ if [ ! -d $WEBSITES_DIRECTORY ]; then
+ return
+ fi
+
+ cd $WEBSITES_DIRECTORY
+ for file in `dir -d *` ; do
+ get_protocols_from_website $file
+ if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
+ get_ciphers_from_website $file
+ if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
+ break
+ else
+ SSL_PROTOCOLS=""
+ fi
+ fi
+ done
}
function get_imap_settings {
- if [ ! -f $DOVECOT_CIPHERS ]; then
- return
- fi
- # clear commented out cipher list
- sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
- if [ $SSL_CIPHERS ]; then
- return
- fi
- if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
- return
- fi
- SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
+ if [ ! -f $DOVECOT_CIPHERS ]; then
+ return
+ fi
+ # clear commented out cipher list
+ sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
+ if [ $SSL_CIPHERS ]; then
+ return
+ fi
+ if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
+ return
+ fi
+ SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
}
function get_xmpp_settings {
- if [ ! -f $XMPP_CONFIG ]; then
- return
- fi
- XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
- XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
+ if [ ! -f $XMPP_CONFIG ]; then
+ return
+ fi
+ XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
+ XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
}
function get_ssh_settings {
- if [ -f $SSH_CONFIG ]; then
- SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
- SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
- SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
- SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
- fi
- if [ -f /etc/ssh/ssh_config ]; then
- SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
- if [ ! $SSH_CIPHERS ]; then
- SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
- fi
- if [ ! $SSH_MACS ]; then
- SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
- fi
- fi
+ if [ -f $SSH_CONFIG ]; then
+ SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
+ SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
+ SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
+ SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
+ fi
+ if [ -f /etc/ssh/ssh_config ]; then
+ SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
+ if [ ! $SSH_CIPHERS ]; then
+ SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
+ fi
+ if [ ! $SSH_MACS ]; then
+ SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
+ fi
+ fi
}
function change_website_settings {
- if [ ! "$SSL_PROTOCOLS" ]; then
- return
- fi
- if [ ! $SSL_CIPHERS ]; then
- return
- fi
- if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
- return
- fi
- if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
- return
- fi
- if [ ! -d $WEBSITES_DIRECTORY ]; then
- return
- fi
-
- cd $WEBSITES_DIRECTORY
- for file in `dir -d *` ; do
- sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
- sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
- done
- systemctl restart nginx
- echo $'Web security settings changed'
+ if [ ! "$SSL_PROTOCOLS" ]; then
+ return
+ fi
+ if [ ! $SSL_CIPHERS ]; then
+ return
+ fi
+ if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
+ return
+ fi
+ if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
+ return
+ fi
+ if [ ! -d $WEBSITES_DIRECTORY ]; then
+ return
+ fi
+
+ cd $WEBSITES_DIRECTORY
+ for file in `dir -d *` ; do
+ sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
+ sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
+ done
+ systemctl restart nginx
+ echo $'Web security settings changed'
}
function change_imap_settings {
- if [ ! -f $DOVECOT_CIPHERS ]; then
- return
- fi
- if [ ! $SSL_CIPHERS ]; then
- return
- fi
- if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
- return
- fi
- sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
- sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
- systemctl restart dovecot
- echo $'imap security settings changed'
+ if [ ! -f $DOVECOT_CIPHERS ]; then
+ return
+ fi
+ if [ ! $SSL_CIPHERS ]; then
+ return
+ fi
+ if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
+ return
+ fi
+ sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
+ sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
+ systemctl restart dovecot
+ echo $'imap security settings changed'
}
function change_ssh_settings {
- if [ -f /etc/ssh/ssh_config ]; then
- if [ $SSH_HOST_KEY_ALGORITHMS ]; then
- sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
- echo $'ssh client security settings changed'
- fi
- fi
- if [ -f $SSH_CONFIG ]; then
- if [ ! $SSH_CIPHERS ]; then
- return
- fi
- if [ ! $SSH_MACS ]; then
- return
- fi
- if [ ! $SSH_KEX ]; then
- return
- fi
- if [ ! $SSH_PASSWORDS ]; then
- return
- fi
-
- sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
- sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
- sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
- sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
- systemctl restart ssh
- echo $'ssh server security settings changed'
- fi
+ if [ -f /etc/ssh/ssh_config ]; then
+ if [ $SSH_HOST_KEY_ALGORITHMS ]; then
+ sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
+ echo $'ssh client security settings changed'
+ fi
+ fi
+ if [ -f $SSH_CONFIG ]; then
+ if [ ! $SSH_CIPHERS ]; then
+ return
+ fi
+ if [ ! $SSH_MACS ]; then
+ return
+ fi
+ if [ ! $SSH_KEX ]; then
+ return
+ fi
+ if [ ! $SSH_PASSWORDS ]; then
+ return
+ fi
+
+ sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
+ sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
+ sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
+ sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
+ systemctl restart ssh
+ echo $'ssh server security settings changed'
+ fi
}
function change_xmpp_settings {
- if [ ! -f $XMPP_CONFIG ]; then
- return
- fi
- if [ ! $XMPP_CIPHERS ]; then
- return
- fi
- if [ ! $XMPP_ECC_CURVE ]; then
- return
- fi
- sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
- sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
- systemctl restart prosody
- echo $'xmpp security settings changed'
+ if [ ! -f $XMPP_CONFIG ]; then
+ return
+ fi
+ if [ ! $XMPP_CIPHERS ]; then
+ return
+ fi
+ if [ ! $XMPP_ECC_CURVE ]; then
+ return
+ fi
+ sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
+ sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
+ systemctl restart prosody
+ echo $'xmpp security settings changed'
}
function interactive_setup {
- if [ $SSL_CIPHERS ]; then
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --backtitle $"Freedombone Security Configuration" \
- --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
- $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
- $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
- 2> $data
- sel=$?
- case $sel in
- 1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
- SSL_CIPHERS=$(cat $data | sed -n 2p)
- ;;
- 255) exit 0;;
- esac
- fi
-
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- if [ $SSH_HOST_KEY_ALGORITHMS ]; then
- dialog --backtitle $"Freedombone Security Configuration" \
- --form $"\nSecure Shell Ciphers:" 13 95 4 \
- $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
- $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
- $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
- $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
- 2> $data
- sel=$?
- case $sel in
- 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
- SSH_MACS=$(cat $data | sed -n 2p)
- SSH_KEX=$(cat $data | sed -n 3p)
- SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
- ;;
- 255) exit 0;;
- esac
- else
- dialog --backtitle $"Freedombone Security Configuration" \
- --form $"\nSecure Shell Ciphers:" 11 95 3 \
- $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
- $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
- $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
- 2> $data
- sel=$?
- case $sel in
- 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
- SSH_MACS=$(cat $data | sed -n 2p)
- SSH_KEX=$(cat $data | sed -n 3p)
- ;;
- 255) exit 0;;
- esac
- fi
-
- if [[ $SSH_PASSWORDS == "yes" ]]; then
- dialog --title $"SSH Passwords" \
- --backtitle $"Freedombone Security Configuration" \
- --yesno $"\nAllow SSH login using passwords?" 7 60
- else
- dialog --title $"SSH Passwords" \
- --backtitle $"Freedombone Security Configuration" \
- --defaultno \
- --yesno $"\nAllow SSH login using passwords?" 7 60
- fi
- sel=$?
- case $sel in
- 0) SSH_PASSWORDS="yes";;
- 1) SSH_PASSWORDS="no";;
- 255) exit 0;;
- esac
-
- if [ $XMPP_CIPHERS ]; then
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --backtitle $"Freedombone Security Configuration" \
- --form $"\nXMPP Ciphers:" 10 95 2 \
- $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
- $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
- 2> $data
- sel=$?
- case $sel in
- 1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
- XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
- ;;
- 255) exit 0;;
- esac
- fi
-
- dialog --title $"Final Confirmation" \
- --backtitle $"Freedombone Security Configuration" \
- --defaultno \
- --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
- sel=$?
- case $sel in
- 1) clear
- echo $'Exiting without changing security settings'
- exit 0;;
- 255) clear
- echo $'Exiting without changing security settings'
- exit 0;;
- esac
-
- clear
+ if [ $SSL_CIPHERS ]; then
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --backtitle $"Freedombone Security Configuration" \
+ --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
+ $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
+ $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
+ 2> $data
+ sel=$?
+ case $sel in
+ 1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
+ SSL_CIPHERS=$(cat $data | sed -n 2p)
+ ;;
+ 255) exit 0;;
+ esac
+ fi
+
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ if [ $SSH_HOST_KEY_ALGORITHMS ]; then
+ dialog --backtitle $"Freedombone Security Configuration" \
+ --form $"\nSecure Shell Ciphers:" 13 95 4 \
+ $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
+ $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
+ $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
+ $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
+ 2> $data
+ sel=$?
+ case $sel in
+ 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
+ SSH_MACS=$(cat $data | sed -n 2p)
+ SSH_KEX=$(cat $data | sed -n 3p)
+ SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
+ ;;
+ 255) exit 0;;
+ esac
+ else
+ dialog --backtitle $"Freedombone Security Configuration" \
+ --form $"\nSecure Shell Ciphers:" 11 95 3 \
+ $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
+ $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
+ $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
+ 2> $data
+ sel=$?
+ case $sel in
+ 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
+ SSH_MACS=$(cat $data | sed -n 2p)
+ SSH_KEX=$(cat $data | sed -n 3p)
+ ;;
+ 255) exit 0;;
+ esac
+ fi
+
+ if [[ $SSH_PASSWORDS == "yes" ]]; then
+ dialog --title $"SSH Passwords" \
+ --backtitle $"Freedombone Security Configuration" \
+ --yesno $"\nAllow SSH login using passwords?" 7 60
+ else
+ dialog --title $"SSH Passwords" \
+ --backtitle $"Freedombone Security Configuration" \
+ --defaultno \
+ --yesno $"\nAllow SSH login using passwords?" 7 60
+ fi
+ sel=$?
+ case $sel in
+ 0) SSH_PASSWORDS="yes";;
+ 1) SSH_PASSWORDS="no";;
+ 255) exit 0;;
+ esac
+
+ if [ $XMPP_CIPHERS ]; then
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --backtitle $"Freedombone Security Configuration" \
+ --form $"\nXMPP Ciphers:" 10 95 2 \
+ $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
+ $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
+ 2> $data
+ sel=$?
+ case $sel in
+ 1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
+ XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
+ ;;
+ 255) exit 0;;
+ esac
+ fi
+
+ dialog --title $"Final Confirmation" \
+ --backtitle $"Freedombone Security Configuration" \
+ --defaultno \
+ --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
+ sel=$?
+ case $sel in
+ 1) clear
+ echo $'Exiting without changing security settings'
+ exit 0;;
+ 255) clear
+ echo $'Exiting without changing security settings'
+ exit 0;;
+ esac
+
+ clear
}
function send_monkeysphere_server_keys_to_users {
- monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')
- for d in /home/*/ ; do
- USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
- if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then
- if [ ! -d /home/$USERNAME/.monkeysphere ]; then
- mkdir /home/$USERNAME/.monkeysphere
- fi
- echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys
- chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere
- fi
- done
+ monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')
+ for d in /home/*/ ; do
+ USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+ if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then
+ if [ ! -d /home/$USERNAME/.monkeysphere ]; then
+ mkdir /home/$USERNAME/.monkeysphere
+ fi
+ echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys
+ chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere
+ fi
+ done
}
function regenerate_ssh_host_keys {
- if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
- rm -f /etc/ssh/ssh_host_*
- dpkg-reconfigure openssh-server
- echo $'ssh host keys regenerated'
- # remove small moduli
- awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
- mv ~/moduli /etc/ssh/moduli
- echo $'ssh small moduli removed'
- # update monkeysphere
- DEFAULT_DOMAIN_NAME=
- if grep -q "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE; then
- DEFAULT_DOMAIN_NAME=$(grep "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
- fi
- monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
- SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
- monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
- monkeysphere-host publish-key
- send_monkeysphere_server_keys_to_users
- echo $'updated monkeysphere ssh host key'
- systemctl restart ssh
- fi
+ if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
+ rm -f /etc/ssh/ssh_host_*
+ dpkg-reconfigure openssh-server
+ echo $'ssh host keys regenerated'
+ # remove small moduli
+ awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
+ mv ~/moduli /etc/ssh/moduli
+ echo $'ssh small moduli removed'
+ # update monkeysphere
+ DEFAULT_DOMAIN_NAME=
+ if grep -q "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE; then
+ DEFAULT_DOMAIN_NAME=$(grep "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+ fi
+ monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
+ SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
+ monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
+ monkeysphere-host publish-key
+ send_monkeysphere_server_keys_to_users
+ echo $'updated monkeysphere ssh host key'
+ systemctl restart ssh
+ fi
}
function regenerate_dh_keys {
- if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
- if [ ! -d /etc/ssl/mycerts ]; then
- echo $'No dhparam certificates were found'
- return
- fi
-
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --backtitle "Freedombone Security Configuration" \
- --title "Diffie-Hellman key length" \
- --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
- 1 "2048 bits" off \
- 2 "3072 bits" on \
- 3 "4096 bits" off 2> $data
- sel=$?
- case $sel in
- 1) exit 1;;
- 255) exit 1;;
- esac
- case $(cat $data) in
- 1) DH_KEYLENGTH=2048;;
- 2) DH_KEYLENGTH=3072;;
- 3) DH_KEYLENGTH=4096;;
- esac
-
- ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
- fi
+ if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
+ if [ ! -d /etc/ssl/mycerts ]; then
+ echo $'No dhparam certificates were found'
+ return
+ fi
+
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --backtitle "Freedombone Security Configuration" \
+ --title "Diffie-Hellman key length" \
+ --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
+ 1 "2048 bits" off \
+ 2 "3072 bits" on \
+ 3 "4096 bits" off 2> $data
+ sel=$?
+ case $sel in
+ 1) exit 1;;
+ 255) exit 1;;
+ esac
+ case $(cat $data) in
+ 1) DH_KEYLENGTH=2048;;
+ 2) DH_KEYLENGTH=3072;;
+ 3) DH_KEYLENGTH=4096;;
+ esac
+
+ ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
+ fi
}
function renew_startssl {
- renew_domain=
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --title $"Renew a StartSSL certificate" \
- --backtitle $"Freedombone Security Settings" \
- --inputbox $"Enter the domain name" 8 60 2>$data
- sel=$?
- case $sel in
- 0)
- renew_domain=$(<$data)
- ;;
- esac
-
- if [ ! $renew_domain ]; then
- return
- fi
-
- if [[ $renew_domain == "http"* ]]; then
- dialog --title $"Renew a StartSSL certificate" \
- --msgbox $"Don't include the https://" 6 40
- return
- fi
-
- if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
- dialog --title $"Renew a StartSSL certificate" \
- --msgbox $"An existing certificate for $renew_domain was not found" 6 40
- return
- fi
-
- if [[ $renew_domain != *"."* ]]; then
- dialog --title $"Renew a StartSSL certificate" \
- --msgbox $"Invalid domain name: $renew_domain" 6 40
- return
- fi
-
- ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
-
- exit 0
+ renew_domain=
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --title $"Renew a StartSSL certificate" \
+ --backtitle $"Freedombone Security Settings" \
+ --inputbox $"Enter the domain name" 8 60 2>$data
+ sel=$?
+ case $sel in
+ 0)
+ renew_domain=$(<$data)
+ ;;
+ esac
+
+ if [ ! $renew_domain ]; then
+ return
+ fi
+
+ if [[ $renew_domain == "http"* ]]; then
+ dialog --title $"Renew a StartSSL certificate" \
+ --msgbox $"Don't include the https://" 6 40
+ return
+ fi
+
+ if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
+ dialog --title $"Renew a StartSSL certificate" \
+ --msgbox $"An existing certificate for $renew_domain was not found" 6 40
+ return
+ fi
+
+ if [[ $renew_domain != *"."* ]]; then
+ dialog --title $"Renew a StartSSL certificate" \
+ --msgbox $"Invalid domain name: $renew_domain" 6 40
+ return
+ fi
+
+ ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
+
+ exit 0
}
function renew_letsencrypt {
- renew_domain=
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --title $"Renew a Let's Encrypt certificate" \
- --backtitle $"Freedombone Security Settings" \
- --inputbox $"Enter the domain name" 8 60 2>$data
- sel=$?
- case $sel in
- 0)
- renew_domain=$(<$data)
- ;;
- esac
-
- if [ ! $renew_domain ]; then
- return
- fi
-
- if [[ $renew_domain == "http"* ]]; then
- dialog --title $"Renew a Let's Encrypt certificate" \
- --msgbox $"Don't include the https://" 6 40
- return
- fi
-
- if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
- dialog --title $"Renew a Let's Encrypt certificate" \
- --msgbox $"An existing certificate for $renew_domain was not found" 6 40
- return
- fi
-
- if [[ $renew_domain != *"."* ]]; then
- dialog --title $"Renew a Let's Encrypt certificate" \
- --msgbox $"Invalid domain name: $renew_domain" 6 40
- return
- fi
-
- ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
-
- exit 0
+ renew_domain=
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --title $"Renew a Let's Encrypt certificate" \
+ --backtitle $"Freedombone Security Settings" \
+ --inputbox $"Enter the domain name" 8 60 2>$data
+ sel=$?
+ case $sel in
+ 0)
+ renew_domain=$(<$data)
+ ;;
+ esac
+
+ if [ ! $renew_domain ]; then
+ return
+ fi
+
+ if [[ $renew_domain == "http"* ]]; then
+ dialog --title $"Renew a Let's Encrypt certificate" \
+ --msgbox $"Don't include the https://" 6 40
+ return
+ fi
+
+ if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
+ dialog --title $"Renew a Let's Encrypt certificate" \
+ --msgbox $"An existing certificate for $renew_domain was not found" 6 40
+ return
+ fi
+
+ if [[ $renew_domain != *"."* ]]; then
+ dialog --title $"Renew a Let's Encrypt certificate" \
+ --msgbox $"Invalid domain name: $renew_domain" 6 40
+ return
+ fi
+
+ ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
+
+ exit 0
}
function create_letsencrypt {
- new_domain=
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --title $"Create a new Let's Encrypt certificate" \
- --backtitle $"Freedombone Security Settings" \
- --inputbox $"Enter the domain name" 8 60 2>$data
- sel=$?
- case $sel in
- 0)
- new_domain=$(<$data)
- ;;
- esac
-
- if [ ! $new_domain ]; then
- return
- fi
-
- if [[ $new_domain == "http"* ]]; then
- dialog --title $"Create a new Let's Encrypt certificate" \
- --msgbox $"Don't include the https://" 6 40
- return
- fi
-
- if [[ $new_domain != *"."* ]]; then
- dialog --title $"Create a new Let's Encrypt certificate" \
- --msgbox $"Invalid domain name: $new_domain" 6 40
- return
- fi
-
- if [ ! -d /var/www/${new_domain} ]; then
- dialog --title $"Create a new Let's Encrypt certificate" \
- --msgbox $'Domain not found within /var/www' 6 40
- return
- fi
-
- ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
-
- exit 0
+ new_domain=
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --title $"Create a new Let's Encrypt certificate" \
+ --backtitle $"Freedombone Security Settings" \
+ --inputbox $"Enter the domain name" 8 60 2>$data
+ sel=$?
+ case $sel in
+ 0)
+ new_domain=$(<$data)
+ ;;
+ esac
+
+ if [ ! $new_domain ]; then
+ return
+ fi
+
+ if [[ $new_domain == "http"* ]]; then
+ dialog --title $"Create a new Let's Encrypt certificate" \
+ --msgbox $"Don't include the https://" 6 40
+ return
+ fi
+
+ if [[ $new_domain != *"."* ]]; then
+ dialog --title $"Create a new Let's Encrypt certificate" \
+ --msgbox $"Invalid domain name: $new_domain" 6 40
+ return
+ fi
+
+ if [ ! -d /var/www/${new_domain} ]; then
+ dialog --title $"Create a new Let's Encrypt certificate" \
+ --msgbox $'Domain not found within /var/www' 6 40
+ return
+ fi
+
+ ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+
+ exit 0
}
function update_ciphersuite {
- project_filename=/usr/local/bin/${PROJECT_NAME}
- if [ ! -f $project_filename ]; then
- project_filename=/usr/bin/${PROJECT_NAME}
- fi
-
- RECOMMENDED_SSL_CIPHERS=$(cat $project_filename | grep 'SSL_CIPHERS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
- if [ ! "$RECOMMENDED_SSL_CIPHERS" ]; then
- return
- fi
- if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
- return
- fi
-
- RECOMMENDED_SSL_PROTOCOLS=$(cat $project_filename | grep 'SSL_PROTOCOLS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
- if [ ! "$RECOMMENDED_SSL_PROTOCOLS" ]; then
- return
- fi
- if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then
- return
- fi
-
- RECOMMENDED_SSH_CIPHERS=$(cat $project_filename | grep 'SSH_CIPHERS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
- if [ ! "$RECOMMENDED_SSH_CIPHERS" ]; then
- return
- fi
- if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then
- return
- fi
-
- RECOMMENDED_SSH_MACS=$(cat $project_filename | grep 'SSH_MACS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
- if [ ! "$RECOMMENDED_SSH_MACS" ]; then
- return
- fi
- if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then
- return
- fi
-
- RECOMMENDED_SSH_KEX=$(cat $project_filename | grep 'SSH_KEX=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
- if [ ! "$RECOMMENDED_SSH_KEX" ]; then
- return
- fi
- if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then
- return
- fi
-
- cd $WEBSITES_DIRECTORY
- for file in `dir -d *` ; do
- sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
- sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
- done
- systemctl restart nginx
-
- sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG
- sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG
- sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG
- systemctl restart ssh
-
- dialog --title $"Update ciphersuite" \
- --msgbox $"The ciphersuite has been updated to recommended versions" 6 40
- exit 0
+ project_filename=/usr/local/bin/${PROJECT_NAME}
+ if [ ! -f $project_filename ]; then
+ project_filename=/usr/bin/${PROJECT_NAME}
+ fi
+
+ RECOMMENDED_SSL_CIPHERS=$(cat $project_filename | grep 'SSL_CIPHERS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
+ if [ ! "$RECOMMENDED_SSL_CIPHERS" ]; then
+ return
+ fi
+ if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
+ return
+ fi
+
+ RECOMMENDED_SSL_PROTOCOLS=$(cat $project_filename | grep 'SSL_PROTOCOLS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
+ if [ ! "$RECOMMENDED_SSL_PROTOCOLS" ]; then
+ return
+ fi
+ if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then
+ return
+ fi
+
+ RECOMMENDED_SSH_CIPHERS=$(cat $project_filename | grep 'SSH_CIPHERS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
+ if [ ! "$RECOMMENDED_SSH_CIPHERS" ]; then
+ return
+ fi
+ if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then
+ return
+ fi
+
+ RECOMMENDED_SSH_MACS=$(cat $project_filename | grep 'SSH_MACS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
+ if [ ! "$RECOMMENDED_SSH_MACS" ]; then
+ return
+ fi
+ if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then
+ return
+ fi
+
+ RECOMMENDED_SSH_KEX=$(cat $project_filename | grep 'SSH_KEX=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
+ if [ ! "$RECOMMENDED_SSH_KEX" ]; then
+ return
+ fi
+ if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then
+ return
+ fi
+
+ cd $WEBSITES_DIRECTORY
+ for file in `dir -d *` ; do
+ sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
+ sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
+ done
+ systemctl restart nginx
+
+ sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG
+ sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG
+ sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG
+ systemctl restart ssh
+
+ dialog --title $"Update ciphersuite" \
+ --msgbox $"The ciphersuite has been updated to recommended versions" 6 40
+ exit 0
}
function gpg_pubkey_from_email {
- key_owner_username=$1
- key_email_address=$2
- key_id=
- if [[ $key_owner_username != "root" ]]; then
- key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
- else
- key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
- fi
- echo $key_id
+ key_owner_username=$1
+ key_email_address=$2
+ key_id=
+ if [[ $key_owner_username != "root" ]]; then
+ key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
+ else
+ key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
+ fi
+ echo $key_id
}
function enable_monkeysphere {
- monkey=
- dialog --title $"GPG based authentication" \
- --backtitle $"Freedombone Security Configuration" \
- --defaultno \
- --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60
- sel=$?
- case $sel in
- 0) monkey='yes';;
- 255) exit 0;;
- esac
-
- if [ $monkey ]; then
- if grep -q "MY_USERNAME" $CONFIGURATION_FILE; then
- MY_USERNAME=$(grep "MY_USERNAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
- fi
-
- if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then
- dialog --title $"GPG based authentication" \
- --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40
- exit 0
- fi
-
- MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
- if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
- echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'
- exit 52825
- fi
-
- sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
- sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config
- monkeysphere-authentication update-users
-
- # The admin user is the identity certifier
- fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')
- monkeysphere-authentication add-identity-certifier $fpr
- monkeysphere-host publish-key
- send_monkeysphere_server_keys_to_users
- else
- sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
- sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config
- fi
-
- systemctl restart ssh
-
- if [ $monkey ]; then
- dialog --title $"GPG based authentication" \
- --msgbox $"GPG based authentication was enabled" 6 40
- else
- dialog --title $"GPG based authentication" \
- --msgbox $"GPG based authentication was disabled" 6 40
- fi
- exit 0
+ monkey=
+ dialog --title $"GPG based authentication" \
+ --backtitle $"Freedombone Security Configuration" \
+ --defaultno \
+ --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60
+ sel=$?
+ case $sel in
+ 0) monkey='yes';;
+ 255) exit 0;;
+ esac
+
+ if [ $monkey ]; then
+ if grep -q "MY_USERNAME" $CONFIGURATION_FILE; then
+ MY_USERNAME=$(grep "MY_USERNAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+ fi
+
+ if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then
+ dialog --title $"GPG based authentication" \
+ --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40
+ exit 0
+ fi
+
+ MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
+ if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
+ echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'
+ exit 52825
+ fi
+
+ sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
+ sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config
+ monkeysphere-authentication update-users
+
+ # The admin user is the identity certifier
+ fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')
+ monkeysphere-authentication add-identity-certifier $fpr
+ monkeysphere-host publish-key
+ send_monkeysphere_server_keys_to_users
+ else
+ sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
+ sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config
+ fi
+
+ systemctl restart ssh
+
+ if [ $monkey ]; then
+ dialog --title $"GPG based authentication" \
+ --msgbox $"GPG based authentication was enabled" 6 40
+ else
+ dialog --title $"GPG based authentication" \
+ --msgbox $"GPG based authentication was disabled" 6 40
+ fi
+ exit 0
}
function register_website {
- domain="$1"
-
- if [[ ${domain} == *".local" ]]; then
- echo $"Can't register local domains"
- return
- fi
-
- if [ ! -f /etc/ssl/private/${domain}.key ]; then
- echo $"No SSL/TLS private key found for ${domain}"
- return
- fi
-
- if [ ! -f /etc/nginx/sites-available/${domain} ]; then
- echo $"No virtual host found for ${domain}"
- return
- fi
-
- monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}
- monkeysphere-host publish-key
- echo "0"
+ domain="$1"
+
+ if [[ ${domain} == *".local" ]]; then
+ echo $"Can't register local domains"
+ return
+ fi
+
+ if [ ! -f /etc/ssl/private/${domain}.key ]; then
+ echo $"No SSL/TLS private key found for ${domain}"
+ return
+ fi
+
+ if [ ! -f /etc/nginx/sites-available/${domain} ]; then
+ echo $"No virtual host found for ${domain}"
+ return
+ fi
+
+ monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}
+ monkeysphere-host publish-key
+ echo "0"
}
function register_website_interactive {
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --title $"Register a website with monkeysphere" \
- --backtitle $"Freedombone Security Settings" \
- --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
- sel=$?
- case $sel in
- 0)
- domain=$(<$data)
- register_website "$domain"
- if [ ! "$?" = "0" ]; then
- dialog --title $"Register a website with monkeysphere" \
- --msgbox "$?" 6 40
- else
- dialog --title $"Register a website with monkeysphere" \
- --msgbox $"$domain has been registered" 6 40
- fi
- ;;
- esac
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --title $"Register a website with monkeysphere" \
+ --backtitle $"Freedombone Security Settings" \
+ --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
+ sel=$?
+ case $sel in
+ 0)
+ domain=$(<$data)
+ register_website "$domain"
+ if [ ! "$?" = "0" ]; then
+ dialog --title $"Register a website with monkeysphere" \
+ --msgbox "$?" 6 40
+ else
+ dialog --title $"Register a website with monkeysphere" \
+ --msgbox $"$domain has been registered" 6 40
+ fi
+ ;;
+ esac
}
function housekeeping {
- cmd=(dialog --separate-output \
- --backtitle "Freedombone Security Configuration" \
- --title "Housekeeping options" \
- --checklist "If you don't need to do any of these things then just press Enter:" 17 76 17)
- options=(1 "Regenerate ssh host keys" off
- 2 "Regenerate Diffie-Hellman keys" off
- 3 "Update cipersuite" off
- 4 "Create a new Let's Encrypt certificate" off
- 5 "Renew Let's Encrypt certificate" off
- 6 "Enable GPG based authentication (monkeysphere)" off
- 7 "Register a website with monkeysphere" off
- 8 "Go Back/Exit" on)
- choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
- clear
- for choice in $choices
- do
- case $choice in
- 1)
- REGENERATE_SSH_HOST_KEYS="yes"
- ;;
- 2)
- REGENERATE_DH_KEYS="yes"
- ;;
- 3)
- update_ciphersuite
- ;;
- 4)
- create_letsencrypt
- ;;
- 5)
- renew_letsencrypt
- ;;
- 6)
- enable_monkeysphere
- ;;
- 7)
- register_website
- ;;
- 8)
- exit 0
- ;;
- esac
- done
+ cmd=(dialog --separate-output \
+ --backtitle "Freedombone Security Configuration" \
+ --title "Housekeeping options" \
+ --checklist "If you don't need to do any of these things then just press Enter:" 17 76 17)
+ options=(1 "Regenerate ssh host keys" off
+ 2 "Regenerate Diffie-Hellman keys" off
+ 3 "Update cipersuite" off
+ 4 "Create a new Let's Encrypt certificate" off
+ 5 "Renew Let's Encrypt certificate" off
+ 6 "Enable GPG based authentication (monkeysphere)" off
+ 7 "Register a website with monkeysphere" off
+ 8 "Go Back/Exit" on)
+ choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
+ clear
+ for choice in $choices
+ do
+ case $choice in
+ 1)
+ REGENERATE_SSH_HOST_KEYS="yes"
+ ;;
+ 2)
+ REGENERATE_DH_KEYS="yes"
+ ;;
+ 3)
+ update_ciphersuite
+ ;;
+ 4)
+ create_letsencrypt
+ ;;
+ 5)
+ renew_letsencrypt
+ ;;
+ 6)
+ enable_monkeysphere
+ ;;
+ 7)
+ register_website
+ ;;
+ 8)
+ exit 0
+ ;;
+ esac
+ done
}
function import_settings {
- cd $CURRENT_DIR
-
- if [ ! $IMPORT_FILE ]; then
- return
- fi
-
- if [ ! -f $IMPORT_FILE ]; then
- echo $"Import file $IMPORT_FILE not found"
- exit 6393
- fi
-
- if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- SSL_PROTOCOLS=$TEMP_VALUE
- fi
- fi
- if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- SSL_CIPHERS=$TEMP_VALUE
- fi
- fi
- if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- SSH_CIPHERS=$TEMP_VALUE
- fi
- fi
- if grep -q "SSH_MACS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- SSH_MACS=$TEMP_VALUE
- fi
- fi
- if grep -q "SSH_KEX" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- SSH_KEX=$TEMP_VALUE
- fi
- fi
- if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
- fi
- fi
- if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
- SSH_PASSWORDS=$TEMP_VALUE
- fi
- fi
- if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- XMPP_CIPHERS=$TEMP_VALUE
- fi
- fi
- if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt 3 ]; then
- XMPP_ECC_CURVE=$TEMP_VALUE
- fi
- fi
+ cd $CURRENT_DIR
+
+ if [ ! $IMPORT_FILE ]; then
+ return
+ fi
+
+ if [ ! -f $IMPORT_FILE ]; then
+ echo $"Import file $IMPORT_FILE not found"
+ exit 6393
+ fi
+
+ if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ SSL_PROTOCOLS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ SSL_CIPHERS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ SSH_CIPHERS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "SSH_MACS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ SSH_MACS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "SSH_KEX" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ SSH_KEX=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
+ SSH_PASSWORDS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ XMPP_CIPHERS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt 3 ]; then
+ XMPP_ECC_CURVE=$TEMP_VALUE
+ fi
+ fi
}
function export_settings {
- if [ ! $EXPORT_FILE ]; then
- return
- fi
-
- cd $CURRENT_DIR
-
- if [ ! -f $EXPORT_FILE ]; then
- if [ "$SSL_PROTOCOLS" ]; then
- echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
- fi
- if [ $SSL_CIPHERS ]; then
- echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
- fi
- if [ $SSH_CIPHERS ]; then
- echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
- fi
- if [ $SSH_MACS ]; then
- echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
- fi
- if [ $SSH_KEX ]; then
- echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
- fi
- if [ $SSH_HOST_KEY_ALGORITHMS ]; then
- echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
- fi
- if [ $SSH_PASSWORDS ]; then
- echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
- fi
- if [ $XMPP_CIPHERS ]; then
- echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
- fi
- if [ $XMPP_ECC_CURVE ]; then
- echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
- fi
- echo "Security settings exported to $EXPORT_FILE"
- exit 0
- fi
-
- if [ "$SSL_PROTOCOLS" ]; then
- if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
- sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
- else
- echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
- fi
- fi
- if [ $SSL_CIPHERS ]; then
- if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
- sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
- else
- echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
- fi
- fi
- if [ $SSH_CIPHERS ]; then
- if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
- sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
- else
- echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
- fi
- fi
- if [ $SSH_MACS ]; then
- if grep -q "SSH_MACS" $EXPORT_FILE; then
- sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
- else
- echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
- fi
- fi
- if [ $SSH_KEX ]; then
- if grep -q "SSH_KEX" $EXPORT_FILE; then
- sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
- else
- echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
- fi
- fi
- if [ $SSH_HOST_KEY_ALGORITHMS ]; then
- if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
- sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
- else
- echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
- fi
- fi
- if [ $SSH_PASSWORDS ]; then
- if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
- sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
- else
- echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
- fi
- fi
- if [ $XMPP_CIPHERS ]; then
- if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
- sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
- else
- echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
- fi
- fi
- if [ $XMPP_ECC_CURVE ]; then
- if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
- sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
- else
- echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
- fi
- fi
- echo $"Security settings exported to $EXPORT_FILE"
- exit 0
+ if [ ! $EXPORT_FILE ]; then
+ return
+ fi
+
+ cd $CURRENT_DIR
+
+ if [ ! -f $EXPORT_FILE ]; then
+ if [ "$SSL_PROTOCOLS" ]; then
+ echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
+ fi
+ if [ $SSL_CIPHERS ]; then
+ echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
+ fi
+ if [ $SSH_CIPHERS ]; then
+ echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
+ fi
+ if [ $SSH_MACS ]; then
+ echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
+ fi
+ if [ $SSH_KEX ]; then
+ echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
+ fi
+ if [ $SSH_HOST_KEY_ALGORITHMS ]; then
+ echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
+ fi
+ if [ $SSH_PASSWORDS ]; then
+ echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
+ fi
+ if [ $XMPP_CIPHERS ]; then
+ echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
+ fi
+ if [ $XMPP_ECC_CURVE ]; then
+ echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
+ fi
+ echo "Security settings exported to $EXPORT_FILE"
+ exit 0
+ fi
+
+ if [ "$SSL_PROTOCOLS" ]; then
+ if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
+ sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
+ else
+ echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $SSL_CIPHERS ]; then
+ if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
+ sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
+ else
+ echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $SSH_CIPHERS ]; then
+ if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
+ sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
+ else
+ echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $SSH_MACS ]; then
+ if grep -q "SSH_MACS" $EXPORT_FILE; then
+ sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
+ else
+ echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $SSH_KEX ]; then
+ if grep -q "SSH_KEX" $EXPORT_FILE; then
+ sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
+ else
+ echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $SSH_HOST_KEY_ALGORITHMS ]; then
+ if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
+ sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
+ else
+ echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $SSH_PASSWORDS ]; then
+ if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
+ sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
+ else
+ echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $XMPP_CIPHERS ]; then
+ if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
+ sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
+ else
+ echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $XMPP_ECC_CURVE ]; then
+ if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
+ sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
+ else
+ echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
+ fi
+ fi
+ echo $"Security settings exported to $EXPORT_FILE"
+ exit 0
}
function refresh_gpg_keys {
- for d in /home/*/ ; do
- USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
- if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then
- su -c 'gpg --refresh-keys' - $USERNAME
- fi
- done
- exit 0
+ for d in /home/*/ ; do
+ USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+ if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then
+ su -c 'gpg --refresh-keys' - $USERNAME
+ fi
+ done
+ exit 0
}
function monkeysphere_sign_server_keys {
- server_keys_file=/home/$USER/.monkeysphere/server_keys
- if [ ! -f $server_keys_file ]; then
- exit 0
- fi
-
- keys_signed=
- while read line; do
- echo $line
- if [ ${#line} -gt 2 ]; then
- fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')
- if [ ${#fpr} -gt 2 ]; then
- gpg --sign-key $fpr
- if [ "$?" = "0" ]; then
- gpg --update-trustdb
- keys_signed=1
- fi
- fi
- fi
- done <$server_keys_file
-
- if [ $keys_signed ]; then
- rm $server_keys_file
- fi
- exit 0
+ server_keys_file=/home/$USER/.monkeysphere/server_keys
+ if [ ! -f $server_keys_file ]; then
+ exit 0
+ fi
+
+ keys_signed=
+ while read line; do
+ echo $line
+ if [ ${#line} -gt 2 ]; then
+ fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')
+ if [ ${#fpr} -gt 2 ]; then
+ gpg --sign-key $fpr
+ if [ "$?" = "0" ]; then
+ gpg --update-trustdb
+ keys_signed=1
+ fi
+ fi
+ fi
+ done <$server_keys_file
+
+ if [ $keys_signed ]; then
+ rm $server_keys_file
+ fi
+ exit 0
}
function blog_hash {
- # produces a hash corresponding to a blog password
- pass="$1"
- BLOGHASH_FILENAME=/usr/bin/bloghash
-
- echo '<?php' > $BLOGHASH_FILENAME
- echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $BLOGHASH_FILENAME
- echo '$password = $_GET["password"];' >> $BLOGHASH_FILENAME
- echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $BLOGHASH_FILENAME
- echo 'if (password_verify($password, $hash)) {' >> $BLOGHASH_FILENAME
- echo ' echo $hash;' >> $BLOGHASH_FILENAME
- echo '}' >> $BLOGHASH_FILENAME
- echo '?>' >> $BLOGHASH_FILENAME
-
- php $BLOGHASH_FILENAME password="$pass"
+ # produces a hash corresponding to a blog password
+ pass="$1"
+ BLOGHASH_FILENAME=/usr/bin/bloghash
+
+ echo '<?php' > $BLOGHASH_FILENAME
+ echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $BLOGHASH_FILENAME
+ echo '$password = $_GET["password"];' >> $BLOGHASH_FILENAME
+ echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $BLOGHASH_FILENAME
+ echo 'if (password_verify($password, $hash)) {' >> $BLOGHASH_FILENAME
+ echo ' echo $hash;' >> $BLOGHASH_FILENAME
+ echo '}' >> $BLOGHASH_FILENAME
+ echo '?>' >> $BLOGHASH_FILENAME
+
+ php $BLOGHASH_FILENAME password="$pass"
}
function show_help {
- echo ''
- echo "${PROJECT_NAME}-sec"
- echo ''
- echo $'Alters the security settings'
- echo ''
- echo ''
- echo $' -h --help Show help'
- echo $' -e --export Export security settings to a file'
- echo $' -i --import Import security settings from a file'
- echo $' -r --refresh Refresh GPG keys for all users'
- echo $' -s --sign Sign monkeysphere server keys'
- echo $' --register [domain] Register a https domain with monkeysphere'
- echo $' -b --bloghash [password] Returns the hash of a password for the blog'
- echo ''
- exit 0
+ echo ''
+ echo "${PROJECT_NAME}-sec"
+ echo ''
+ echo $'Alters the security settings'
+ echo ''
+ echo ''
+ echo $' -h --help Show help'
+ echo $' -e --export Export security settings to a file'
+ echo $' -i --import Import security settings from a file'
+ echo $' -r --refresh Refresh GPG keys for all users'
+ echo $' -s --sign Sign monkeysphere server keys'
+ echo $' --register [domain] Register a https domain with monkeysphere'
+ echo $' -b --bloghash [password] Returns the hash of a password for the blog'
+ echo ''
+ exit 0
}
# Get the commandline options
while [[ $# > 1 ]]
do
- key="$1"
-
- case $key in
- -h|--help)
- show_help
- ;;
- # Export settings
- -e|--export)
- shift
- EXPORT_FILE="$1"
- ;;
- # Export settings
- -i|--import)
- shift
- IMPORT_FILE="$1"
- ;;
- # Refresh GPG keys
- -r|--refresh)
- shift
- refresh_gpg_keys
- ;;
- # register a website
- --register|--reg|--site)
- shift
- register_website "$1"
- ;;
- # user signs monkeysphere server keys
- -s|--sign)
- shift
- monkeysphere_sign_server_keys
- ;;
- # get a hash of the given blog password
- -b|--bloghash)
- shift
- blog_hash "$1"
- exit 0
- ;;
- *)
- # unknown option
- ;;
- esac
- shift
+ key="$1"
+
+ case $key in
+ -h|--help)
+ show_help
+ ;;
+ # Export settings
+ -e|--export)
+ shift
+ EXPORT_FILE="$1"
+ ;;
+ # Export settings
+ -i|--import)
+ shift
+ IMPORT_FILE="$1"
+ ;;
+ # Refresh GPG keys
+ -r|--refresh)
+ shift
+ refresh_gpg_keys
+ ;;
+ # register a website
+ --register|--reg|--site)
+ shift
+ register_website "$1"
+ ;;
+ # user signs monkeysphere server keys
+ -s|--sign)
+ shift
+ monkeysphere_sign_server_keys
+ ;;
+ # get a hash of the given blog password
+ -b|--bloghash)
+ shift
+ blog_hash "$1"
+ exit 0
+ ;;
+ *)
+ # unknown option
+ ;;
+ esac
+ shift
done
housekeeping