Commit a3f2fe45 authored by Bob Mottram's avatar Bob Mottram

Improve security settings command

parent 691a8159
......@@ -64,8 +64,6 @@ EXPORT_FILE=
CURRENT_DIR=$(pwd)
REGENERATE_SSH_HOST_KEYS="no"
REGENERATE_DH_KEYS="no"
DH_KEYLENGTH=2048
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
......@@ -85,25 +83,6 @@ function get_ciphers_from_website {
SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
}
function get_website_settings {
if [ ! -d $WEBSITES_DIRECTORY ]; then
return
fi
cd $WEBSITES_DIRECTORY
for file in `dir -d *` ; do
get_protocols_from_website $file
if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
get_ciphers_from_website $file
if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
break
else
SSL_PROTOCOLS=""
fi
fi
done
}
function get_imap_settings {
if [ ! -f $DOVECOT_CIPHERS ]; then
return
......@@ -129,19 +108,10 @@ function get_xmpp_settings {
function get_ssh_settings {
if [ -f $SSH_CONFIG ]; then
SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
fi
if [ -f /etc/ssh/ssh_config ]; then
SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
if [ ! $SSH_CIPHERS ]; then
SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
fi
if [ ! $SSH_MACS ]; then
SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
fi
fi
}
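Review bot: With the `/etc/ssh/ssh_config` fallback block removed, nothing left in `get_ssh_settings` assigns `SSH_HOST_KEY_ALGORITHMS`, and `SSH_CIPHERS`/`SSH_MACS` are now set only from `$SSH_CONFIG`, so a config lacking a `Ciphers ` or `MACs ` line leaves them empty instead of falling back as before. If `change_ssh_settings` (not in this diff) still consumes `SSH_HOST_KEY_ALGORITHMS`, it will now write an empty value; either remove that consumer as well or initialise the variable to a default at the top of the script. Note also that `grep 'Ciphers '` matches commented-out defaults such as `#Ciphers ...`; anchoring the pattern, `grep '^Ciphers '` (likewise for `MACs`, `KexAlgorithms`, `PasswordAuthentication`), keeps a commented line from being read as the active setting. The function's closing brace is at the end of this hunk but the first line of `get_xmpp_settings` above is outside it.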
......@@ -353,55 +323,51 @@ function send_monkeysphere_server_keys_to_users {
}
function regenerate_ssh_host_keys {
if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
rm -f /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
echo $'ssh host keys regenerated'
# remove small moduli
awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
mv ~/moduli /etc/ssh/moduli
echo $'ssh small moduli removed'
# update monkeysphere
DEFAULT_DOMAIN_NAME=
read_config_param "DEFAULT_DOMAIN_NAME"
monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
monkeysphere-host publish-key
send_monkeysphere_server_keys_to_users
echo $'updated monkeysphere ssh host key'
systemctl restart ssh
fi
rm -f /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
echo $'ssh host keys regenerated'
# remove small moduli
awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
mv ~/moduli /etc/ssh/moduli
echo $'ssh small moduli removed'
# update monkeysphere
DEFAULT_DOMAIN_NAME=
read_config_param "DEFAULT_DOMAIN_NAME"
monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
monkeysphere-host publish-key
send_monkeysphere_server_keys_to_users
echo $'updated monkeysphere ssh host key'
systemctl restart ssh
}
function regenerate_dh_keys {
if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
if [ ! -d /etc/ssl/mycerts ]; then
echo $'No dhparam certificates were found'
return
fi
if [ ! -d /etc/ssl/mycerts ]; then
echo $'No dhparam certificates were found'
return
fi
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle "Freedombone Security Configuration" \
--title "Diffie-Hellman key length" \
--radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
1 "2048 bits" off \
2 "3072 bits" on \
3 "4096 bits" off 2> $data
sel=$?
case $sel in
1) exit 1;;
255) exit 1;;
esac
case $(cat $data) in
1) DH_KEYLENGTH=2048;;
2) DH_KEYLENGTH=3072;;
3) DH_KEYLENGTH=4096;;
esac
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle "Freedombone Security Configuration" \
--title "Diffie-Hellman key length" \
--radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
1 "2048 bits" off \
2 "3072 bits" on \
3 "4096 bits" off 2> $data
sel=$?
case $sel in
1) exit 1;;
255) exit 1;;
esac
case $(cat $data) in
1) DH_KEYLENGTH=2048;;
2) DH_KEYLENGTH=3072;;
3) DH_KEYLENGTH=4096;;
esac
${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
fi
${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
}
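Review bot: `regenerate_ssh_host_keys` now runs unconditionally when called and deletes every host key with `rm -f /etc/ssh/ssh_host_*` before checking that `dpkg-reconfigure openssh-server` produced replacements; if that step fails, the trailing `systemctl restart ssh` restarts sshd with no host key, which on a remotely administered box locks the admin out. Add a check right after the reconfigure, `[ -f /etc/ssh/ssh_host_rsa_key ] || { echo $'ssh host key regeneration failed' >&2; return 1; }`, so the restart only happens with a key in place. The moduli rewrite has the same shape: if `/etc/ssh/moduli` is absent, `awk` writes an empty `~/moduli` that `mv` then installs, so guard it with `[ -f /etc/ssh/moduli ] &&`. In `regenerate_dh_keys` a Cancel or ESC in the radiolist (`1)`/`255)`) still calls `exit 1`, which now terminates the whole control panel rather than returning to `menu_security_settings`; presumably `return 1` is what is intended there, but confirm against the caller.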
function renew_startssl {
......@@ -528,11 +494,6 @@ function create_letsencrypt {
}
function update_ciphersuite {
read_config_param SSL_CIPHERS
read_config_param SSL_PROTOCOLS
read_config_param SSH_CIPHERS
read_config_param SSH_MACS
RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"
if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
return
......@@ -714,50 +675,72 @@ function remove_pinning {
esac
}
function housekeeping {
cmd=(dialog --separate-output \
--backtitle "Freedombone Security Configuration" \
--title "Housekeeping options" \
--checklist "If you don't need to do any of these things then just press Enter:" 15 76 15)
options=(1 "Regenerate ssh host keys" off
2 "Regenerate Diffie-Hellman keys" off
3 "Update cipersuite" off
4 "Create a new Let's Encrypt certificate" off
5 "Renew Let's Encrypt certificate" off
6 "Enable GPG based authentication (monkeysphere)" off
7 "Register a website with monkeysphere" off
8 "Go Back/Exit" on)
choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
function menu_security_settings {
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle $"Freedombone Control Panel" \
--title $"Security Settings" \
--radiolist $"Choose an operation:" 15 76 15 \
1 $"Regenerate ssh host keys" off \
2 $"Regenerate Diffie-Hellman keys" off \
3 $"Update cipersuite" off \
4 $"Create a new Let's Encrypt certificate" off \
5 $"Renew Let's Encrypt certificate" off \
6 $"Enable GPG based authentication (monkeysphere)" off \
7 $"Register a website with monkeysphere" off \
8 $"Go Back/Exit" on 2> $data
sel=$?
case $sel in
1) exit 1;;
255) exit 1;;
esac
clear
for choice in $choices
do
case $choice in
1)
REGENERATE_SSH_HOST_KEYS="yes"
;;
2)
REGENERATE_DH_KEYS="yes"
;;
3)
update_ciphersuite
;;
4)
create_letsencrypt
;;
5)
renew_letsencrypt
;;
6)
enable_monkeysphere
;;
7)
register_website
;;
8)
exit 0
;;
esac
done
read_config_param SSL_CIPHERS
read_config_param SSL_PROTOCOLS
read_config_param SSH_CIPHERS
read_config_param SSH_MACS
read_config_param SSH_KEX
get_imap_settings
get_ssh_settings
get_xmpp_settings
import_settings
export_settings
case $(cat $data) in
1)
regenerate_ssh_host_keys
;;
2)
regenerate_dh_keys
;;
3)
interactive_setup
update_ciphersuite
;;
4)
create_letsencrypt
;;
5)
renew_letsencrypt
;;
6)
enable_monkeysphere
;;
7)
register_website
;;
8)
exit 0
;;
esac
change_website_settings
change_imap_settings
change_ssh_settings
change_xmpp_settings
}
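Review bot: In `menu_security_settings` the `read_config_param SSH_CIPHERS`, `SSH_MACS` and `SSH_KEX` lines are immediately superseded by `get_ssh_settings`, which (per the hunk at `get_ssh_settings`) assigns those variables from `$SSH_CONFIG` whenever the file exists, and the old fallback that only filled empty values is gone in this commit; a sshd_config without a `Ciphers ` line therefore leaves `SSH_CIPHERS` empty before `change_ssh_settings` runs at the bottom of the function. Either call `get_ssh_settings` first and only fall back to the config file for values still unset, e.g. `[ "$SSH_CIPHERS" ] || read_config_param SSH_CIPHERS`, or have `change_ssh_settings` skip empty values; which is right depends on `change_ssh_settings`, which is not in the diff. Separately, `change_website_settings`, `change_imap_settings`, `change_ssh_settings` and `change_xmpp_settings` run after every menu choice, including the Let's Encrypt and monkeysphere ones that touch no cipher settings; a short comment such as `# rewrite service configs from the current SSL_/SSH_ variables regardless of the choice made` would make that intentional, or the calls could move into the `3)` arm.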
function import_settings {
......@@ -1054,18 +1037,6 @@ do
shift
done
housekeeping
get_website_settings
get_imap_settings
get_ssh_settings
get_xmpp_settings
import_settings
export_settings
interactive_setup
change_website_settings
change_imap_settings
change_ssh_settings
change_xmpp_settings
regenerate_ssh_host_keys
regenerate_dh_keys
menu_security_settings
exit 0
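Review bot: With the top-level call sequence replaced by the single `menu_security_settings`, the call to `get_website_settings` is gone and the function itself is deleted in an earlier hunk, but `get_ciphers_from_website` (and presumably `get_protocols_from_website`) remain with no caller visible in this diff; if nothing else references them they should be removed too rather than left as dead code. Likewise `REGENERATE_SSH_HOST_KEYS` and `REGENERATE_DH_KEYS` no longer have defaults or a consumer, so if the option-parsing loop ending at the `done` above still sets them (its body is outside this hunk), those arms now do nothing and should be dropped or re-pointed at the menu functions. The removed `interactive_setup` call is now reachable only through menu option 3, which is worth a line in the commit message since it changes what a plain invocation does.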