/mandos/trunk : revision 1131

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2019-07-29 16:35:53 UTC
Revision ID: teddy@recompile.se-20190729163553-1i442i2cbx64c537

Make tests and man page examples match

Make the tests test_manual_page_example[1-5] match exactly what is
written in the manual page, and add comments to manual page as
reminders to keep tests and manual page examples in sync.

* mandos-ctl (Test_commands_from_options.test_manual_page_example_1):
  Remove "--verbose" option, since the manual does not have it as the
  first example, and change assertion to match.
* mandos-ctl.xml (EXAMPLE): Add comments to all examples documenting
  which test function they correspond to.  Also remove unnecessary
  quotes from option arguments in fourth example, and clarify language
  slightly in fifth example.

files added:
bugs.xml

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# Mandos key generator - create new keys for a Mandos client

# This file is part of Mandos.

# Mandos is free software: you can redistribute it and/or modify it

# under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Mandos is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see <http://www.gnu.org/licenses/>.

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.5.3"

VERSION="1.8.4"

KEYDIR="/etc/keys/mandos"

KEYTYPE=DSA

KEYLENGTH=2048

SUBKEYTYPE=ELG-E

SUBKEYLENGTH=2048

KEYTYPE=RSA

KEYLENGTH=4096

SUBKEYTYPE=RSA

SUBKEYLENGTH=4096

KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"

KEYEMAIL=""

KEYCOMMENT="Mandos client key"

KEYCOMMENT=""

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

mode=keygen

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:f \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

--name "$0" -- "$@"`

help(){

basename="`basename $0`"

basename="`basename "$0"`"

cat <<EOF

Usage: $basename [ -v | --version ]

$basename [ -h | --help ]

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is DSA.

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 2048.

OpenPGP key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is ELG-E.

OpenPGP subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 2048.

OpenPGP subkey length in bits. Default 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

Email address of OpenPGP key. Default empty.

-c TEXT, --comment TEXT

Comment field for key. The default value is

"Mandos client key".

Comment field for OpenPGP key. Default empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

OpenPGP key expire time. Default is none.

See gpg(1) for syntax.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

Encrypt a password from FILE using the key in

the key directory. All options other than

--dir and --name are ignored.

-S, --no-ssh Don't get SSH key or set "checker" option.

EOF

}

103

109

-e|--email) KEYEMAIL="$2"; shift 2;;

104

110

-c|--comment) KEYCOMMENT="$2"; shift 2;;

105

111

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

106

113

-f|--force) FORCE=yes; shift;;

114

-S|--no-ssh) SSH=no; shift;;

107

115

-v|--version) echo "$0 $VERSION"; exit;;

108

116

-h|--help) help; exit;;

109

117

--) shift; break;;

111

119

esac

112

120

done

113

121

if [ "$#" -gt 0 ]; then

114

echo "Unknown arguments: '$@'" >&2

122

echo "Unknown arguments: '$*'" >&2

115

123

exit 1

116

124

117

125

118

126

SECKEYFILE="$KEYDIR/seckey.txt"

119

127

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

120

130

121

131

# Check for some invalid values

122

132

if [ ! -d "$KEYDIR" ]; then

159

169

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

160

170

esac

161

171

162

if [ $ -e "$SECKEYFILE" -o -e "$PUBKEYFILE" $ \

163

-a "$FORCE" -eq 0 ]; then

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

175

&& [ "$FORCE" -eq 0 ]; then

164

176

echo "Refusing to overwrite old key files; use --force" >&2

165

177

exit 1

166

178

175

187

176

188

# Create temporary gpg batch file

177

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

178

191

179

192

180

193

if [ "$mode" = password ]; then

189

202

trap "

190

203

set +e; \

191

204

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

192

shred --remove \"$RINGDIR\"/sec*;

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

206

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

193

207

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

194

208

rm --recursive --force \"$RINGDIR\";

195

209

tty --quiet && stty echo; \

204

218

cat >"$BATCHFILE" <<-EOF

205

219

Key-Type: $KEYTYPE

206

220

Key-Length: $KEYLENGTH

207

#Key-Usage: encrypt,sign,auth

221

Key-Usage: sign,auth

208

222

Subkey-Type: $SUBKEYTYPE

209

223

Subkey-Length: $SUBKEYLENGTH

210

#Subkey-Usage: encrypt,sign,auth

224

Subkey-Usage: encrypt

211

225

Name-Real: $KEYNAME

212

226

$KEYCOMMENTLINE

213

227

$KEYEMAILLINE

216

230

#Handle: <no-spaces>

217

231

#%pubring pubring.gpg

218

232

#%secring secring.gpg

233

%no-protection

219

234

%commit

220

235

EOF

221

236

228

243

echo -n "Started: "

229

244

date

230

245

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

256

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

259

rm --force "$TLS_PUBKEYFILE"

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

277

278

231

279

280

# Make sure trustdb.gpg exists;

281

# this is a workaround for Debian bug #737128

282

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

283

--homedir "$RINGDIR" \

284

--import-ownertrust < /dev/null

232

285

# Generate a new key in the key rings

233

286

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

234

287

--homedir "$RINGDIR" --trust-model always \

243

296

# Backup any old key files

244

297

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

245

298

2>/dev/null; then

246

shred --remove "$SECKEYFILE"

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

247

300

248

301

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

249

302

2>/dev/null; then

270

323

271

324

272

325

if [ "$mode" = password ]; then

326

327

# Make SSH be 0 or 1

328

case "$SSH" in

329

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

330

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

331

esac

332

333

if [ $SSH -eq 1 ]; then

334

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

335

set +e

336

ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"

337

err=$?

338

set -e

339

if [ $err -ne 0 ]; then

340

ssh_fingerprint=""

341

continue

342

343

if [ -n "$ssh_fingerprint" ]; then

344

ssh_fingerprint="${ssh_fingerprint#localhost }"

345

break

346

347

done

348

349

273

350

# Import key into temporary key rings

274

351

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

275

352

--homedir "$RINGDIR" --trust-model always --armor \

280

357

281

358

# Get fingerprint of key

282

359

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

283

--enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \

360

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

284

361

--fingerprint --with-colons \

285

362

| sed --quiet \

286

363

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

287

364

288

365

test -n "$FINGERPRINT"

289

366

367

if [ -r "$TLS_PUBKEYFILE" ]; then

368

KEY_ID="$(certtool --key-id --hash=sha256 \

369

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

370

371

if [ -z "$KEY_ID" ]; then

372

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

373

-outform der \

374

| openssl sha256 \

375

| sed --expression='s/^.*[^[:xdigit:]]//')

376

377

test -n "$KEY_ID"

378

379

290

380

FILECOMMENT="Encrypted password for a Mandos client"

291

381

292

382

while [ ! -s "$SECFILE" ]; do

293

383

if [ -n "$PASSFILE" ]; then

294

cat "$PASSFILE"

384

cat -- "$PASSFILE"

295

385

else

296

386

tty --quiet && stty -echo

297

read -p "Enter passphrase: " first

387

echo -n "Enter passphrase: " >/dev/tty

388

read -r first

298

389

tty --quiet && echo >&2

299

read -p "Repeat passphrase: " second

390

echo -n "Repeat passphrase: " >/dev/tty

391

read -r second

300

392

if tty --quiet; then

301

393

echo >&2

302

394

stty echo

324

416

cat <<-EOF

325

417

[$KEYNAME]

326

418

host = $KEYNAME

419

EOF

420

if [ -n "$KEY_ID" ]; then

421

echo "key_id = $KEY_ID"

422

423

cat <<-EOF

327

424

fingerprint = $FINGERPRINT

328

425

secret =

329

426

EOF

336

433

/^[^-]/s/^/ /p

337

434

}

338

435

}' < "$SECFILE"

436

if [ -n "$ssh_fingerprint" ]; then

437

echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'

438

echo "ssh_fingerprint = ${ssh_fingerprint}"

439

339

440

340

441

341

442

trap - EXIT

343

444

set +e

344

445

# Remove the password file, if any

345

446

if [ -n "$SECFILE" ]; then

346

shred --remove "$SECFILE"

447

shred --remove "$SECFILE" 2>/dev/null

347

448

348

449

# Remove the key rings

349

shred --remove "$RINGDIR"/sec*

450

shred --remove "$RINGDIR"/sec* 2>/dev/null

350

451

rm --recursive --force "$RINGDIR"

Older »