diff --git a/src/freedombone-sec b/src/freedombone-sec
index b10629ac2aaab1114381a1f900c7d2a86d6e2a0f..74f51907b44ab33adb407724cfc95dc0c0ab3a47 100755
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -66,270 +66,270 @@ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
MY_USERNAME=
function get_protocols_from_website {
- if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
- return
- fi
- SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
+ if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
+ return
+ fi
+ SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
}
function get_ciphers_from_website {
- if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
- return
- fi
- SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
+ if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
+ return
+ fi
+ SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
}
function get_website_settings {
- if [ ! -d $WEBSITES_DIRECTORY ]; then
- return
- fi
-
- cd $WEBSITES_DIRECTORY
- for file in `dir -d *` ; do
- get_protocols_from_website $file
- if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
- get_ciphers_from_website $file
- if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
- break
- else
- SSL_PROTOCOLS=""
- fi
- fi
- done
+ if [ ! -d $WEBSITES_DIRECTORY ]; then
+ return
+ fi
+
+ cd $WEBSITES_DIRECTORY
+ for file in `dir -d *` ; do
+ get_protocols_from_website $file
+ if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
+ get_ciphers_from_website $file
+ if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
+ break
+ else
+ SSL_PROTOCOLS=""
+ fi
+ fi
+ done
}
function get_imap_settings {
- if [ ! -f $DOVECOT_CIPHERS ]; then
- return
- fi
- # clear commented out cipher list
- sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
- if [ $SSL_CIPHERS ]; then
- return
- fi
- if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
- return
- fi
- SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
+ if [ ! -f $DOVECOT_CIPHERS ]; then
+ return
+ fi
+ # clear commented out cipher list
+ sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
+ if [ $SSL_CIPHERS ]; then
+ return
+ fi
+ if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
+ return
+ fi
+ SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
}
function get_xmpp_settings {
- if [ ! -f $XMPP_CONFIG ]; then
- return
- fi
- XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
- XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
+ if [ ! -f $XMPP_CONFIG ]; then
+ return
+ fi
+ XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
+ XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
}
function get_ssh_settings {
- if [ -f $SSH_CONFIG ]; then
- SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
- SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
- SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
- SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
- fi
- if [ -f /etc/ssh/ssh_config ]; then
- SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
- if [ ! $SSH_CIPHERS ]; then
- SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
- fi
- if [ ! $SSH_MACS ]; then
- SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
- fi
- fi
+ if [ -f $SSH_CONFIG ]; then
+ SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
+ SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
+ SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
+ SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
+ fi
+ if [ -f /etc/ssh/ssh_config ]; then
+ SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
+ if [ ! $SSH_CIPHERS ]; then
+ SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
+ fi
+ if [ ! $SSH_MACS ]; then
+ SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
+ fi
+ fi
}
function change_website_settings {
- if [ ! "$SSL_PROTOCOLS" ]; then
- return
- fi
- if [ ! $SSL_CIPHERS ]; then
- return
- fi
- if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
- return
- fi
- if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
- return
- fi
- if [ ! -d $WEBSITES_DIRECTORY ]; then
- return
- fi
-
- cd $WEBSITES_DIRECTORY
- for file in `dir -d *` ; do
- sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
- sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
- done
- systemctl restart nginx
- echo $'Web security settings changed'
+ if [ ! "$SSL_PROTOCOLS" ]; then
+ return
+ fi
+ if [ ! $SSL_CIPHERS ]; then
+ return
+ fi
+ if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
+ return
+ fi
+ if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
+ return
+ fi
+ if [ ! -d $WEBSITES_DIRECTORY ]; then
+ return
+ fi
+
+ cd $WEBSITES_DIRECTORY
+ for file in `dir -d *` ; do
+ sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
+ sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
+ done
+ systemctl restart nginx
+ echo $'Web security settings changed'
}
function change_imap_settings {
- if [ ! -f $DOVECOT_CIPHERS ]; then
- return
- fi
- if [ ! $SSL_CIPHERS ]; then
- return
- fi
- if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
- return
- fi
- sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
- sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
- systemctl restart dovecot
- echo $'imap security settings changed'
+ if [ ! -f $DOVECOT_CIPHERS ]; then
+ return
+ fi
+ if [ ! $SSL_CIPHERS ]; then
+ return
+ fi
+ if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
+ return
+ fi
+ sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
+ sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
+ systemctl restart dovecot
+ echo $'imap security settings changed'
}
function change_ssh_settings {
- if [ -f /etc/ssh/ssh_config ]; then
- if [ $SSH_HOST_KEY_ALGORITHMS ]; then
- sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
- echo $'ssh client security settings changed'
- fi
- fi
- if [ -f $SSH_CONFIG ]; then
- if [ ! $SSH_CIPHERS ]; then
- return
- fi
- if [ ! $SSH_MACS ]; then
- return
- fi
- if [ ! $SSH_KEX ]; then
- return
- fi
- if [ ! $SSH_PASSWORDS ]; then
- return
- fi
-
- sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
- sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
- sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
- sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
- systemctl restart ssh
- echo $'ssh server security settings changed'
- fi
+ if [ -f /etc/ssh/ssh_config ]; then
+ if [ $SSH_HOST_KEY_ALGORITHMS ]; then
+ sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
+ echo $'ssh client security settings changed'
+ fi
+ fi
+ if [ -f $SSH_CONFIG ]; then
+ if [ ! $SSH_CIPHERS ]; then
+ return
+ fi
+ if [ ! $SSH_MACS ]; then
+ return
+ fi
+ if [ ! $SSH_KEX ]; then
+ return
+ fi
+ if [ ! $SSH_PASSWORDS ]; then
+ return
+ fi
+
+ sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
+ sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
+ sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
+ sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
+ systemctl restart ssh
+ echo $'ssh server security settings changed'
+ fi
}
function change_xmpp_settings {
- if [ ! -f $XMPP_CONFIG ]; then
- return
- fi
- if [ ! $XMPP_CIPHERS ]; then
- return
- fi
- if [ ! $XMPP_ECC_CURVE ]; then
- return
- fi
- sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
- sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
- systemctl restart prosody
- echo $'xmpp security settings changed'
+ if [ ! -f $XMPP_CONFIG ]; then
+ return
+ fi
+ if [ ! $XMPP_CIPHERS ]; then
+ return
+ fi
+ if [ ! $XMPP_ECC_CURVE ]; then
+ return
+ fi
+ sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
+ sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
+ systemctl restart prosody
+ echo $'xmpp security settings changed'
}
function interactive_setup {
- if [ $SSL_CIPHERS ]; then
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --backtitle $"Freedombone Security Configuration" \
- --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
- $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
- $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
- 2> $data
- sel=$?
- case $sel in
- 1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
- SSL_CIPHERS=$(cat $data | sed -n 2p)
- ;;
- 255) exit 0;;
- esac
- fi
-
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- if [ $SSH_HOST_KEY_ALGORITHMS ]; then
- dialog --backtitle $"Freedombone Security Configuration" \
- --form $"\nSecure Shell Ciphers:" 13 95 4 \
- $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
- $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
- $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
- $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
- 2> $data
- sel=$?
- case $sel in
- 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
- SSH_MACS=$(cat $data | sed -n 2p)
- SSH_KEX=$(cat $data | sed -n 3p)
- SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
- ;;
- 255) exit 0;;
- esac
- else
- dialog --backtitle $"Freedombone Security Configuration" \
- --form $"\nSecure Shell Ciphers:" 11 95 3 \
- $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
- $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
- $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
- 2> $data
- sel=$?
- case $sel in
- 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
- SSH_MACS=$(cat $data | sed -n 2p)
- SSH_KEX=$(cat $data | sed -n 3p)
- ;;
- 255) exit 0;;
- esac
- fi
-
- if [[ $SSH_PASSWORDS == "yes" ]]; then
- dialog --title $"SSH Passwords" \
- --backtitle $"Freedombone Security Configuration" \
- --yesno $"\nAllow SSH login using passwords?" 7 60
- else
- dialog --title $"SSH Passwords" \
- --backtitle $"Freedombone Security Configuration" \
- --defaultno \
- --yesno $"\nAllow SSH login using passwords?" 7 60
- fi
- sel=$?
- case $sel in
- 0) SSH_PASSWORDS="yes";;
- 1) SSH_PASSWORDS="no";;
- 255) exit 0;;
- esac
-
- if [ $XMPP_CIPHERS ]; then
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --backtitle $"Freedombone Security Configuration" \
- --form $"\nXMPP Ciphers:" 10 95 2 \
- $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
- $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
- 2> $data
- sel=$?
- case $sel in
- 1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
- XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
- ;;
- 255) exit 0;;
- esac
- fi
-
- dialog --title $"Final Confirmation" \
- --backtitle $"Freedombone Security Configuration" \
- --defaultno \
- --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
- sel=$?
- case $sel in
- 1) clear
- echo $'Exiting without changing security settings'
- exit 0;;
- 255) clear
+ if [ $SSL_CIPHERS ]; then
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --backtitle $"Freedombone Security Configuration" \
+ --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
+ $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
+ $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
+ 2> $data
+ sel=$?
+ case $sel in
+ 1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
+ SSL_CIPHERS=$(cat $data | sed -n 2p)
+ ;;
+ 255) exit 0;;
+ esac
+ fi
+
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ if [ $SSH_HOST_KEY_ALGORITHMS ]; then
+ dialog --backtitle $"Freedombone Security Configuration" \
+ --form $"\nSecure Shell Ciphers:" 13 95 4 \
+ $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
+ $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
+ $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
+ $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
+ 2> $data
+ sel=$?
+ case $sel in
+ 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
+ SSH_MACS=$(cat $data | sed -n 2p)
+ SSH_KEX=$(cat $data | sed -n 3p)
+ SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
+ ;;
+ 255) exit 0;;
+ esac
+ else
+ dialog --backtitle $"Freedombone Security Configuration" \
+ --form $"\nSecure Shell Ciphers:" 11 95 3 \
+ $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
+ $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
+ $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
+ 2> $data
+ sel=$?
+ case $sel in
+ 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
+ SSH_MACS=$(cat $data | sed -n 2p)
+ SSH_KEX=$(cat $data | sed -n 3p)
+ ;;
+ 255) exit 0;;
+ esac
+ fi
+
+ if [[ $SSH_PASSWORDS == "yes" ]]; then
+ dialog --title $"SSH Passwords" \
+ --backtitle $"Freedombone Security Configuration" \
+ --yesno $"\nAllow SSH login using passwords?" 7 60
+ else
+ dialog --title $"SSH Passwords" \
+ --backtitle $"Freedombone Security Configuration" \
+ --defaultno \
+ --yesno $"\nAllow SSH login using passwords?" 7 60
+ fi
+ sel=$?
+ case $sel in
+ 0) SSH_PASSWORDS="yes";;
+ 1) SSH_PASSWORDS="no";;
+ 255) exit 0;;
+ esac
+
+ if [ $XMPP_CIPHERS ]; then
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --backtitle $"Freedombone Security Configuration" \
+ --form $"\nXMPP Ciphers:" 10 95 2 \
+ $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
+ $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
+ 2> $data
+ sel=$?
+ case $sel in
+ 1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
+ XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
+ ;;
+ 255) exit 0;;
+ esac
+ fi
+
+ dialog --title $"Final Confirmation" \
+ --backtitle $"Freedombone Security Configuration" \
+ --defaultno \
+ --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
+ sel=$?
+ case $sel in
+ 1) clear
echo $'Exiting without changing security settings'
exit 0;;
- esac
+ 255) clear
+ echo $'Exiting without changing security settings'
+ exit 0;;
+ esac
- clear
+ clear
}
function send_monkeysphere_server_keys_to_users {
@@ -347,180 +347,180 @@ function send_monkeysphere_server_keys_to_users {
}
function regenerate_ssh_host_keys {
- if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
- rm -f /etc/ssh/ssh_host_*
- dpkg-reconfigure openssh-server
- echo $'ssh host keys regenerated'
- # remove small moduli
- awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
- mv ~/moduli /etc/ssh/moduli
- echo $'ssh small moduli removed'
- # update monkeysphere
- DEFAULT_DOMAIN_NAME=
- if grep -q "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE; then
- DEFAULT_DOMAIN_NAME=$(grep "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
- fi
- monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
- SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
- monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
- monkeysphere-host publish-key
- send_monkeysphere_server_keys_to_users
- echo $'updated monkeysphere ssh host key'
- systemctl restart ssh
- fi
+ if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
+ rm -f /etc/ssh/ssh_host_*
+ dpkg-reconfigure openssh-server
+ echo $'ssh host keys regenerated'
+ # remove small moduli
+ awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
+ mv ~/moduli /etc/ssh/moduli
+ echo $'ssh small moduli removed'
+ # update monkeysphere
+ DEFAULT_DOMAIN_NAME=
+ if grep -q "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE; then
+ DEFAULT_DOMAIN_NAME=$(grep "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+ fi
+ monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
+ SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
+ monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
+ monkeysphere-host publish-key
+ send_monkeysphere_server_keys_to_users
+ echo $'updated monkeysphere ssh host key'
+ systemctl restart ssh
+ fi
}
function regenerate_dh_keys {
- if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
- if [ ! -d /etc/ssl/mycerts ]; then
- echo $'No dhparam certificates were found'
- return
- fi
-
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --backtitle "Freedombone Security Configuration" \
- --title "Diffie-Hellman key length" \
- --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
- 1 "2048 bits" off \
- 2 "3072 bits" on \
- 3 "4096 bits" off 2> $data
- sel=$?
- case $sel in
- 1) exit 1;;
- 255) exit 1;;
- esac
- case $(cat $data) in
- 1) DH_KEYLENGTH=2048;;
- 2) DH_KEYLENGTH=3072;;
- 3) DH_KEYLENGTH=4096;;
- esac
-
- ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
- fi
+ if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
+ if [ ! -d /etc/ssl/mycerts ]; then
+ echo $'No dhparam certificates were found'
+ return
+ fi
+
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --backtitle "Freedombone Security Configuration" \
+ --title "Diffie-Hellman key length" \
+ --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
+ 1 "2048 bits" off \
+ 2 "3072 bits" on \
+ 3 "4096 bits" off 2> $data
+ sel=$?
+ case $sel in
+ 1) exit 1;;
+ 255) exit 1;;
+ esac
+ case $(cat $data) in
+ 1) DH_KEYLENGTH=2048;;
+ 2) DH_KEYLENGTH=3072;;
+ 3) DH_KEYLENGTH=4096;;
+ esac
+
+ ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
+ fi
}
function renew_startssl {
- renew_domain=
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --title $"Renew a StartSSL certificate" \
- --backtitle $"Freedombone Security Settings" \
- --inputbox $"Enter the domain name" 8 60 2>$data
- sel=$?
- case $sel in
- 0)
- renew_domain=$(<$data)
- ;;
- esac
-
- if [ ! $renew_domain ]; then
- return
- fi
-
- if [[ $renew_domain == "http"* ]]; then
- dialog --title $"Renew a StartSSL certificate" \
- --msgbox $"Don't include the https://" 6 40
- return
- fi
-
- if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
- dialog --title $"Renew a StartSSL certificate" \
- --msgbox $"An existing certificate for $renew_domain was not found" 6 40
- return
- fi
-
- if [[ $renew_domain != *"."* ]]; then
- dialog --title $"Renew a StartSSL certificate" \
- --msgbox $"Invalid domain name: $renew_domain" 6 40
- return
- fi
-
- ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
-
- exit 0
+ renew_domain=
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --title $"Renew a StartSSL certificate" \
+ --backtitle $"Freedombone Security Settings" \
+ --inputbox $"Enter the domain name" 8 60 2>$data
+ sel=$?
+ case $sel in
+ 0)
+ renew_domain=$(<$data)
+ ;;
+ esac
+
+ if [ ! $renew_domain ]; then
+ return
+ fi
+
+ if [[ $renew_domain == "http"* ]]; then
+ dialog --title $"Renew a StartSSL certificate" \
+ --msgbox $"Don't include the https://" 6 40
+ return
+ fi
+
+ if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
+ dialog --title $"Renew a StartSSL certificate" \
+ --msgbox $"An existing certificate for $renew_domain was not found" 6 40
+ return
+ fi
+
+ if [[ $renew_domain != *"."* ]]; then
+ dialog --title $"Renew a StartSSL certificate" \
+ --msgbox $"Invalid domain name: $renew_domain" 6 40
+ return
+ fi
+
+ ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
+
+ exit 0
}
function renew_letsencrypt {
- renew_domain=
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --title $"Renew a Let's Encrypt certificate" \
- --backtitle $"Freedombone Security Settings" \
- --inputbox $"Enter the domain name" 8 60 2>$data
- sel=$?
- case $sel in
- 0)
- renew_domain=$(<$data)
- ;;
- esac
-
- if [ ! $renew_domain ]; then
- return
- fi
-
- if [[ $renew_domain == "http"* ]]; then
- dialog --title $"Renew a Let's Encrypt certificate" \
- --msgbox $"Don't include the https://" 6 40
- return
- fi
-
- if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
- dialog --title $"Renew a Let's Encrypt certificate" \
- --msgbox $"An existing certificate for $renew_domain was not found" 6 40
- return
- fi
-
- if [[ $renew_domain != *"."* ]]; then
- dialog --title $"Renew a Let's Encrypt certificate" \
- --msgbox $"Invalid domain name: $renew_domain" 6 40
- return
- fi
-
- ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
-
- exit 0
+ renew_domain=
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --title $"Renew a Let's Encrypt certificate" \
+ --backtitle $"Freedombone Security Settings" \
+ --inputbox $"Enter the domain name" 8 60 2>$data
+ sel=$?
+ case $sel in
+ 0)
+ renew_domain=$(<$data)
+ ;;
+ esac
+
+ if [ ! $renew_domain ]; then
+ return
+ fi
+
+ if [[ $renew_domain == "http"* ]]; then
+ dialog --title $"Renew a Let's Encrypt certificate" \
+ --msgbox $"Don't include the https://" 6 40
+ return
+ fi
+
+ if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
+ dialog --title $"Renew a Let's Encrypt certificate" \
+ --msgbox $"An existing certificate for $renew_domain was not found" 6 40
+ return
+ fi
+
+ if [[ $renew_domain != *"."* ]]; then
+ dialog --title $"Renew a Let's Encrypt certificate" \
+ --msgbox $"Invalid domain name: $renew_domain" 6 40
+ return
+ fi
+
+ ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
+
+ exit 0
}
function create_letsencrypt {
- new_domain=
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --title $"Create a new Let's Encrypt certificate" \
- --backtitle $"Freedombone Security Settings" \
- --inputbox $"Enter the domain name" 8 60 2>$data
- sel=$?
- case $sel in
- 0)
- new_domain=$(<$data)
- ;;
- esac
-
- if [ ! $new_domain ]; then
- return
- fi
-
- if [[ $new_domain == "http"* ]]; then
- dialog --title $"Create a new Let's Encrypt certificate" \
- --msgbox $"Don't include the https://" 6 40
- return
- fi
-
- if [[ $new_domain != *"."* ]]; then
- dialog --title $"Create a new Let's Encrypt certificate" \
- --msgbox $"Invalid domain name: $new_domain" 6 40
- return
- fi
-
- if [ ! -d /var/www/${new_domain} ]; then
- dialog --title $"Create a new Let's Encrypt certificate" \
- --msgbox $'Domain not found within /var/www' 6 40
- return
- fi
-
- ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
-
- exit 0
+ new_domain=
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --title $"Create a new Let's Encrypt certificate" \
+ --backtitle $"Freedombone Security Settings" \
+ --inputbox $"Enter the domain name" 8 60 2>$data
+ sel=$?
+ case $sel in
+ 0)
+ new_domain=$(<$data)
+ ;;
+ esac
+
+ if [ ! $new_domain ]; then
+ return
+ fi
+
+ if [[ $new_domain == "http"* ]]; then
+ dialog --title $"Create a new Let's Encrypt certificate" \
+ --msgbox $"Don't include the https://" 6 40
+ return
+ fi
+
+ if [[ $new_domain != *"."* ]]; then
+ dialog --title $"Create a new Let's Encrypt certificate" \
+ --msgbox $"Invalid domain name: $new_domain" 6 40
+ return
+ fi
+
+ if [ ! -d /var/www/${new_domain} ]; then
+ dialog --title $"Create a new Let's Encrypt certificate" \
+ --msgbox $'Domain not found within /var/www' 6 40
+ return
+ fi
+
+ ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+
+ exit 0
}
function update_ciphersuite {
@@ -677,249 +677,245 @@ function register_website {
}
function register_website_interactive {
- data=$(tempfile 2>/dev/null)
- trap "rm -f $data" 0 1 2 5 15
- dialog --title $"Register a website with monkeysphere" \
- --backtitle $"Freedombone Security Settings" \
- --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
- sel=$?
- case $sel in
- 0)
- domain=$(<$data)
- register_website "$domain"
- if [ ! "$?" = "0" ]; then
- dialog --title $"Register a website with monkeysphere" \
- --msgbox "$?" 6 40
- else
- dialog --title $"Register a website with monkeysphere" \
- --msgbox $"$domain has been registered" 6 40
- fi
- ;;
- esac
+ data=$(tempfile 2>/dev/null)
+ trap "rm -f $data" 0 1 2 5 15
+ dialog --title $"Register a website with monkeysphere" \
+ --backtitle $"Freedombone Security Settings" \
+ --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
+ sel=$?
+ case $sel in
+ 0)
+ domain=$(<$data)
+ register_website "$domain"
+ if [ ! "$?" = "0" ]; then
+ dialog --title $"Register a website with monkeysphere" \
+ --msgbox "$?" 6 40
+ else
+ dialog --title $"Register a website with monkeysphere" \
+ --msgbox $"$domain has been registered" 6 40
+ fi
+ ;;
+ esac
}
function housekeeping {
- cmd=(dialog --separate-output \
- --backtitle "Freedombone Security Configuration" \
- --title "Housekeeping options" \
- --checklist "If you don't need to do any of these things then just press Enter:" 17 76 17)
- options=(1 "Regenerate ssh host keys" off
- 2 "Regenerate Diffie-Hellman keys" off
- 3 "Renew a StartSSL certificate" off
- 4 "Update cipersuite" off
- 5 "Create a new Let's Encrypt certificate" off
- 6 "Renew Let's Encrypt certificate" off
- 7 "Enable GPG based authentication (monkeysphere)" off
- 8 "Register a website with monkeysphere" off
- 9 "Go Back/Exit" on)
- choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
- clear
- for choice in $choices
- do
- case $choice in
- 1)
- REGENERATE_SSH_HOST_KEYS="yes"
- ;;
- 2)
- REGENERATE_DH_KEYS="yes"
- ;;
- 3)
- renew_startssl
- ;;
- 4)
- update_ciphersuite
- ;;
- 5)
- create_letsencrypt
- ;;
- 6)
- renew_letsencrypt
- ;;
- 7)
- enable_monkeysphere
- ;;
- 8)
- register_website
- ;;
- 9)
- exit 0
- ;;
- esac
- done
+ cmd=(dialog --separate-output \
+ --backtitle "Freedombone Security Configuration" \
+ --title "Housekeeping options" \
+ --checklist "If you don't need to do any of these things then just press Enter:" 17 76 17)
+ options=(1 "Regenerate ssh host keys" off
+ 2 "Regenerate Diffie-Hellman keys" off
+ 3 "Update cipersuite" off
+ 4 "Create a new Let's Encrypt certificate" off
+ 5 "Renew Let's Encrypt certificate" off
+ 6 "Enable GPG based authentication (monkeysphere)" off
+ 7 "Register a website with monkeysphere" off
+ 8 "Go Back/Exit" on)
+ choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
+ clear
+ for choice in $choices
+ do
+ case $choice in
+ 1)
+ REGENERATE_SSH_HOST_KEYS="yes"
+ ;;
+ 2)
+ REGENERATE_DH_KEYS="yes"
+ ;;
+ 3)
+ update_ciphersuite
+ ;;
+ 4)
+ create_letsencrypt
+ ;;
+ 5)
+ renew_letsencrypt
+ ;;
+ 6)
+ enable_monkeysphere
+ ;;
+ 7)
+ register_website
+ ;;
+ 8)
+ exit 0
+ ;;
+ esac
+ done
}
function import_settings {
- cd $CURRENT_DIR
-
- if [ ! $IMPORT_FILE ]; then
- return
- fi
-
- if [ ! -f $IMPORT_FILE ]; then
- echo $"Import file $IMPORT_FILE not found"
- exit 6393
- fi
-
- if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- SSL_PROTOCOLS=$TEMP_VALUE
- fi
- fi
- if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- SSL_CIPHERS=$TEMP_VALUE
- fi
- fi
- if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- SSH_CIPHERS=$TEMP_VALUE
- fi
- fi
- if grep -q "SSH_MACS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- SSH_MACS=$TEMP_VALUE
- fi
- fi
- if grep -q "SSH_KEX" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- SSH_KEX=$TEMP_VALUE
- fi
- fi
- if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
- fi
- fi
- if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
- SSH_PASSWORDS=$TEMP_VALUE
- fi
- fi
- if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
- XMPP_CIPHERS=$TEMP_VALUE
- fi
- fi
- if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
- TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
- if [ ${#TEMP_VALUE} -gt 3 ]; then
- XMPP_ECC_CURVE=$TEMP_VALUE
- fi
- fi
+ cd $CURRENT_DIR
+
+ if [ ! $IMPORT_FILE ]; then
+ return
+ fi
+
+ if [ ! -f $IMPORT_FILE ]; then
+ echo $"Import file $IMPORT_FILE not found"
+ exit 6393
+ fi
+
+ if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ SSL_PROTOCOLS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ SSL_CIPHERS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ SSH_CIPHERS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "SSH_MACS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ SSH_MACS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "SSH_KEX" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ SSH_KEX=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
+ SSH_PASSWORDS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
+ XMPP_CIPHERS=$TEMP_VALUE
+ fi
+ fi
+ if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
+ TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
+ if [ ${#TEMP_VALUE} -gt 3 ]; then
+ XMPP_ECC_CURVE=$TEMP_VALUE
+ fi
+ fi
}
function export_settings {
- if [ ! $EXPORT_FILE ]; then
- return
- fi
-
- cd $CURRENT_DIR
-
- if [ ! -f $EXPORT_FILE ]; then
- if [ "$SSL_PROTOCOLS" ]; then
- echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
- fi
- if [ $SSL_CIPHERS ]; then
- echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
- fi
- if [ $SSH_CIPHERS ]; then
- echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
- fi
- if [ $SSH_MACS ]; then
- echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
- fi
- if [ $SSH_KEX ]; then
- echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
- fi
- if [ $SSH_HOST_KEY_ALGORITHMS ]; then
- echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
- fi
- if [ $SSH_PASSWORDS ]; then
- echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
- fi
- if [ $XMPP_CIPHERS ]; then
- echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
- fi
- if [ $XMPP_ECC_CURVE ]; then
- echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
- fi
- echo "Security settings exported to $EXPORT_FILE"
- exit 0
- fi
-
- if [ "$SSL_PROTOCOLS" ]; then
- if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
- sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
- else
- echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
- fi
- fi
- if [ $SSL_CIPHERS ]; then
- if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
- sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
- else
- echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
- fi
- fi
- if [ $SSH_CIPHERS ]; then
- if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
- sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
- else
- echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
- fi
- fi
- if [ $SSH_MACS ]; then
- if grep -q "SSH_MACS" $EXPORT_FILE; then
- sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
- else
- echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
- fi
- fi
- if [ $SSH_KEX ]; then
- if grep -q "SSH_KEX" $EXPORT_FILE; then
- sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
- else
- echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
- fi
- fi
- if [ $SSH_HOST_KEY_ALGORITHMS ]; then
- if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
- sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
- else
- echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
- fi
- fi
- if [ $SSH_PASSWORDS ]; then
- if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
- sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
- else
- echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
- fi
- fi
- if [ $XMPP_CIPHERS ]; then
- if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
- sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
- else
- echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
- fi
- fi
- if [ $XMPP_ECC_CURVE ]; then
- if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
- sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
- else
- echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
- fi
- fi
- echo $"Security settings exported to $EXPORT_FILE"
- exit 0
+ if [ ! $EXPORT_FILE ]; then
+ return
+ fi
+
+ cd $CURRENT_DIR
+
+ if [ ! -f $EXPORT_FILE ]; then
+ if [ "$SSL_PROTOCOLS" ]; then
+ echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
+ fi
+ if [ $SSL_CIPHERS ]; then
+ echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
+ fi
+ if [ $SSH_CIPHERS ]; then
+ echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
+ fi
+ if [ $SSH_MACS ]; then
+ echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
+ fi
+ if [ $SSH_KEX ]; then
+ echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
+ fi
+ if [ $SSH_HOST_KEY_ALGORITHMS ]; then
+ echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
+ fi
+ if [ $SSH_PASSWORDS ]; then
+ echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
+ fi
+ if [ $XMPP_CIPHERS ]; then
+ echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
+ fi
+ if [ $XMPP_ECC_CURVE ]; then
+ echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
+ fi
+ echo "Security settings exported to $EXPORT_FILE"
+ exit 0
+ fi
+
+ if [ "$SSL_PROTOCOLS" ]; then
+ if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
+ sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
+ else
+ echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $SSL_CIPHERS ]; then
+ if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
+ sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
+ else
+ echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $SSH_CIPHERS ]; then
+ if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
+ sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
+ else
+ echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $SSH_MACS ]; then
+ if grep -q "SSH_MACS" $EXPORT_FILE; then
+ sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
+ else
+ echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $SSH_KEX ]; then
+ if grep -q "SSH_KEX" $EXPORT_FILE; then
+ sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
+ else
+ echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $SSH_HOST_KEY_ALGORITHMS ]; then
+ if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
+ sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
+ else
+ echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $SSH_PASSWORDS ]; then
+ if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
+ sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
+ else
+ echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $XMPP_CIPHERS ]; then
+ if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
+ sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
+ else
+ echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
+ fi
+ fi
+ if [ $XMPP_ECC_CURVE ]; then
+ if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
+ sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
+ else
+ echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
+ fi
+ fi
+ echo $"Security settings exported to $EXPORT_FILE"
+ exit 0
}
function refresh_gpg_keys {
@@ -977,69 +973,69 @@ function blog_hash {
}
function show_help {
- echo ''
- echo "${PROJECT_NAME}-sec"
- echo ''
- echo $'Alters the security settings'
- echo ''
- echo ''
- echo $' -h --help Show help'
- echo $' -e --export Export security settings to a file'
- echo $' -i --import Import security settings from a file'
- echo $' -r --refresh Refresh GPG keys for all users'
- echo $' -s --sign Sign monkeysphere server keys'
- echo $' --register [domain] Register a https domain with monkeysphere'
- echo $' -b --bloghash [password] Returns the hash of a password for the blog'
- echo ''
- exit 0
+ echo ''
+ echo "${PROJECT_NAME}-sec"
+ echo ''
+ echo $'Alters the security settings'
+ echo ''
+ echo ''
+ echo $' -h --help Show help'
+ echo $' -e --export Export security settings to a file'
+ echo $' -i --import Import security settings from a file'
+ echo $' -r --refresh Refresh GPG keys for all users'
+ echo $' -s --sign Sign monkeysphere server keys'
+ echo $' --register [domain] Register a https domain with monkeysphere'
+ echo $' -b --bloghash [password] Returns the hash of a password for the blog'
+ echo ''
+ exit 0
}
# Get the commandline options
while [[ $# > 1 ]]
do
-key="$1"
-
-case $key in
- -h|--help)
- show_help
- ;;
- # Export settings
- -e|--export)
- shift
- EXPORT_FILE="$1"
- ;;
- # Export settings
- -i|--import)
- shift
- IMPORT_FILE="$1"
- ;;
- # Refresh GPG keys
- -r|--refresh)
- shift
- refresh_gpg_keys
- ;;
- # register a website
- --register|--reg|--site)
- shift
- register_website "$1"
- ;;
- # user signs monkeysphere server keys
- -s|--sign)
- shift
- monkeysphere_sign_server_keys
- ;;
- # get a hash of the given blog password
- -b|--bloghash)
+ key="$1"
+
+ case $key in
+ -h|--help)
+ show_help
+ ;;
+ # Export settings
+ -e|--export)
+ shift
+ EXPORT_FILE="$1"
+ ;;
+ # Export settings
+ -i|--import)
+ shift
+ IMPORT_FILE="$1"
+ ;;
+ # Refresh GPG keys
+ -r|--refresh)
+ shift
+ refresh_gpg_keys
+ ;;
+ # register a website
+ --register|--reg|--site)
+ shift
+ register_website "$1"
+ ;;
+ # user signs monkeysphere server keys
+ -s|--sign)
+ shift
+ monkeysphere_sign_server_keys
+ ;;
+ # get a hash of the given blog password
+ -b|--bloghash)
+ shift
+ blog_hash "$1"
+ exit 0
+ ;;
+ *)
+ # unknown option
+ ;;
+ esac
shift
- blog_hash "$1"
- exit 0
- ;;
- *)
- # unknown option
- ;;
-esac
-shift
done
housekeeping