From a3f2fe45399ac00532e24aecfa8b8ab220a58c9a Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@robotics.uk.to>
Date: Sun, 30 Oct 2016 09:56:32 +0000
Subject: [PATCH] Improve security settings command

---
 src/freedombone-sec | 243 +++++++++++++++++++-------------------------
 1 file changed, 107 insertions(+), 136 deletions(-)

diff --git a/src/freedombone-sec b/src/freedombone-sec
index e23356e8a..868a43d24 100755
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -64,8 +64,6 @@ EXPORT_FILE=
 
 CURRENT_DIR=$(pwd)
 
-REGENERATE_SSH_HOST_KEYS="no"
-REGENERATE_DH_KEYS="no"
 DH_KEYLENGTH=2048
 LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
 
@@ -85,25 +83,6 @@ function get_ciphers_from_website {
     SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
 }
 
-function get_website_settings {
-    if [ ! -d $WEBSITES_DIRECTORY ]; then
-        return
-    fi
-
-    cd $WEBSITES_DIRECTORY
-    for file in `dir -d *` ; do
-        get_protocols_from_website $file
-        if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
-            get_ciphers_from_website $file
-            if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
-                break
-            else
-                SSL_PROTOCOLS=""
-            fi
-        fi
-    done
-}
-
 function get_imap_settings {
     if [ ! -f $DOVECOT_CIPHERS ]; then
         return
@@ -129,19 +108,10 @@ function get_xmpp_settings {
 
 function get_ssh_settings {
     if [ -f $SSH_CONFIG ]; then
-        SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
-        SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
-        SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
         SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
     fi
     if [ -f /etc/ssh/ssh_config ]; then
         SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
-        if [ ! $SSH_CIPHERS ]; then
-            SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
-        fi
-        if [ ! $SSH_MACS ]; then
-            SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
-        fi
     fi
 }
 
@@ -353,55 +323,51 @@ function send_monkeysphere_server_keys_to_users {
 }
 
 function regenerate_ssh_host_keys {
-    if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
-        rm -f /etc/ssh/ssh_host_*
-        dpkg-reconfigure openssh-server
-        echo $'ssh host keys regenerated'
-        # remove small moduli
-        awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
-        mv ~/moduli /etc/ssh/moduli
-        echo $'ssh small moduli removed'
-        # update monkeysphere
-        DEFAULT_DOMAIN_NAME=
-        read_config_param "DEFAULT_DOMAIN_NAME"
-        monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
-        SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
-        monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
-        monkeysphere-host publish-key
-        send_monkeysphere_server_keys_to_users
-        echo $'updated monkeysphere ssh host key'
-        systemctl restart ssh
-    fi
+    rm -f /etc/ssh/ssh_host_*
+    dpkg-reconfigure openssh-server
+    echo $'ssh host keys regenerated'
+    # remove small moduli
+    awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
+    mv ~/moduli /etc/ssh/moduli
+    echo $'ssh small moduli removed'
+    # update monkeysphere
+    DEFAULT_DOMAIN_NAME=
+    read_config_param "DEFAULT_DOMAIN_NAME"
+    monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
+    SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
+    monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
+    monkeysphere-host publish-key
+    send_monkeysphere_server_keys_to_users
+    echo $'updated monkeysphere ssh host key'
+    systemctl restart ssh
 }
 
 function regenerate_dh_keys {
-    if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
-        if [ ! -d /etc/ssl/mycerts ]; then
-            echo $'No dhparam certificates were found'
-            return
-        fi
+    if [ ! -d /etc/ssl/mycerts ]; then
+        echo $'No dhparam certificates were found'
+        return
+    fi
 
-        data=$(tempfile 2>/dev/null)
-        trap "rm -f $data" 0 1 2 5 15
-        dialog --backtitle "Freedombone Security Configuration" \
-               --title "Diffie-Hellman key length" \
-               --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
-               1 "2048 bits" off \
-               2 "3072 bits" on \
-               3 "4096 bits" off 2> $data
-        sel=$?
-        case $sel in
-            1) exit 1;;
-            255) exit 1;;
-        esac
-        case $(cat $data) in
-            1) DH_KEYLENGTH=2048;;
-            2) DH_KEYLENGTH=3072;;
-            3) DH_KEYLENGTH=4096;;
-        esac
+    data=$(tempfile 2>/dev/null)
+    trap "rm -f $data" 0 1 2 5 15
+    dialog --backtitle "Freedombone Security Configuration" \
+           --title "Diffie-Hellman key length" \
+           --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
+           1 "2048 bits" off \
+           2 "3072 bits" on \
+           3 "4096 bits" off 2> $data
+    sel=$?
+    case $sel in
+        1) exit 1;;
+        255) exit 1;;
+    esac
+    case $(cat $data) in
+        1) DH_KEYLENGTH=2048;;
+        2) DH_KEYLENGTH=3072;;
+        3) DH_KEYLENGTH=4096;;
+    esac
 
-        ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
-    fi
+    ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
 }
 
 function renew_startssl {
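Review bot: With the REGENERATE_SSH_HOST_KEYS guard gone, regenerate_ssh_host_keys deletes /etc/ssh/ssh_host_* and later restarts ssh without checking that dpkg-reconfigure actually produced new keys, so a failed reconfigure leaves sshd restarting with no host keys; guard it with `dpkg-reconfigure openssh-server || { echo $'ssh host key regeneration failed' >&2; return 1; }` before the moduli and monkeysphere steps. The monkeysphere import uses `ssh://$DEFAULT_DOMAIN_NAME` straight after read_config_param with no check that a value was read, so an empty name registers `ssh://`; a `[ -n "$DEFAULT_DOMAIN_NAME" ]` test before the import-key call (and likewise for SSH_ONION_HOSTNAME) avoids that. In regenerate_dh_keys, which is now a menu action rather than a flag-guarded step, the `1) exit 1;;` and `255) exit 1;;` arms on Cancel terminate the whole script instead of returning to the caller; `return` looks like the intended behaviour there, though that depends on how menu_security_settings is meant to flow. `tempfile` is also the deprecated Debian helper; `data=$(mktemp)` is the portable replacement.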
@@ -528,11 +494,6 @@ function create_letsencrypt {
 }
 
 function update_ciphersuite {
-    read_config_param SSL_CIPHERS
-    read_config_param SSL_PROTOCOLS
-    read_config_param SSH_CIPHERS
-    read_config_param SSH_MACS
-
     RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"
     if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
         return
@@ -714,50 +675,72 @@ function remove_pinning {
     esac
 }
 
-function housekeeping {
-    cmd=(dialog --separate-output \
-                --backtitle "Freedombone Security Configuration" \
-                --title "Housekeeping options" \
-                --checklist "If you don't need to do any of these things then just press Enter:" 15 76 15)
-    options=(1 "Regenerate ssh host keys" off
-             2 "Regenerate Diffie-Hellman keys" off
-             3 "Update cipersuite" off
-             4 "Create a new Let's Encrypt certificate" off
-             5 "Renew Let's Encrypt certificate" off
-             6 "Enable GPG based authentication (monkeysphere)" off
-             7 "Register a website with monkeysphere" off
-             8 "Go Back/Exit" on)
-    choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
+function menu_security_settings {
+    data=$(tempfile 2>/dev/null)
+    trap "rm -f $data" 0 1 2 5 15
+    dialog --backtitle $"Freedombone Control Panel" \
+           --title $"Security Settings" \
+           --radiolist $"Choose an operation:" 15 76 15 \
+           1 $"Regenerate ssh host keys" off \
+           2 $"Regenerate Diffie-Hellman keys" off \
+           3 $"Update cipersuite" off \
+           4 $"Create a new Let's Encrypt certificate" off \
+           5 $"Renew Let's Encrypt certificate" off \
+           6 $"Enable GPG based authentication (monkeysphere)" off \
+           7 $"Register a website with monkeysphere" off \
+           8 $"Go Back/Exit" on 2> $data
+    sel=$?
+    case $sel in
+        1) exit 1;;
+        255) exit 1;;
+    esac
+
     clear
-    for choice in $choices
-    do
-        case $choice in
-            1)
-                REGENERATE_SSH_HOST_KEYS="yes"
-                ;;
-            2)
-                REGENERATE_DH_KEYS="yes"
-                ;;
-            3)
-                update_ciphersuite
-                ;;
-            4)
-                create_letsencrypt
-                ;;
-            5)
-                renew_letsencrypt
-                ;;
-            6)
-                enable_monkeysphere
-                ;;
-            7)
-                register_website
-                ;;
-            8)
-                exit 0
-                ;;
-        esac
-    done
+
+    read_config_param SSL_CIPHERS
+    read_config_param SSL_PROTOCOLS
+    read_config_param SSH_CIPHERS
+    read_config_param SSH_MACS
+    read_config_param SSH_KEX
+
+    get_imap_settings
+    get_ssh_settings
+    get_xmpp_settings
+    import_settings
+    export_settings
+
+    case $(cat $data) in
+        1)
+            regenerate_ssh_host_keys
+            ;;
+        2)
+            regenerate_dh_keys
+            ;;
+        3)
+            interactive_setup
+            update_ciphersuite
+            ;;
+        4)
+            create_letsencrypt
+            ;;
+        5)
+            renew_letsencrypt
+            ;;
+        6)
+            enable_monkeysphere
+            ;;
+        7)
+            register_website
+            ;;
+        8)
+            exit 0
+            ;;
+    esac
+
+    change_website_settings
+    change_imap_settings
+    change_ssh_settings
+    change_xmpp_settings
 }
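Review bot: menu_security_settings keeps its dialog result in the global `data` with `trap "rm -f $data" 0 1 2 5 15`, and option 2 then calls regenerate_dh_keys, which reassigns `data` and installs its own trap for the same signals, so the menu's temp file is never removed. Reading the selection into a variable and deleting the file right after the dialog avoids both the leak and the later `cat` of a file whose name may have been clobbered: `choice=$(cat $data); rm -f $data` after the `esac` on the exit status, then `case $choice in`. The selection is only examined after read_config_param, get_*_settings, import_settings and export_settings have run, so choosing 8 "Go Back/Exit" still performs those steps before `exit 0`; if export_settings writes anything, the check for 8 belongs before that block. After any of options 1–7 the four change_*_settings calls run unconditionally, so regenerating host keys (option 1) also rewrites the ssh configuration via change_ssh_settings, which may be intended but goes beyond what the menu item promises. The radiolist label `$"Update cipersuite"` carries a typo for "ciphersuite".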
 
 function import_settings {
@@ -1054,18 +1037,6 @@ do
     shift
 done
 
-housekeeping
-get_website_settings
-get_imap_settings
-get_ssh_settings
-get_xmpp_settings
-import_settings
-export_settings
-interactive_setup
-change_website_settings
-change_imap_settings
-change_ssh_settings
-change_xmpp_settings
-regenerate_ssh_host_keys
-regenerate_dh_keys
+menu_security_settings
+
 exit 0
-- 
GitLab