
Regenerate keys

Bob Mottram 9 years ago
parent
commit
2a46fd3121
1 changed files with 75 additions and 0 deletions
  1. 75
    0
      src/freedombone-sec

+ 75
- 0
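--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -50,6 +50,10 @@ EXPORT_FILE=
 
 CURRENT_DIR=$(pwd)
 
+REGENERATE_SSH_HOST_KEYS="no"
+REGENERATE_DH_KEYS="no"
+DH_KEYLENGTH=3072
+
 function get_protocols_from_website {
   if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
       return
@@ -317,6 +321,74 @@ function interactive_setup {
   clear
 }
 
+function regenerate_ssh_host_keys {
+  if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
+      rm -f /etc/ssh/ssh_host_*
+      dpkg-reconfigure openssh-server
+      echo 'ssh host keys regenerated'
+      # remove small moduli
+      awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
+      mv ~/moduli /etc/ssh/moduli
+      echo 'ssh small moduli removed'
+      systemctl restart ssh
+  fi
+}
+
+function regenerate_dh_keys {
+  if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
+      if [ ! -d /etc/ssl/mycerts ]; then
+          return
+      fi
+
+      data=$(tempfile 2>/dev/null)
+      trap "rm -f $data" 0 1 2 5 15
+      dialog --backtitle "Freedombone Security Configuration" \
+             --radiolist "Select a key length:" 10 40 2 \
+             1 "1024 bits" off \
+             2 "3072 bits" on 2> $data
+      sel=$?
+      case $sel in
+          1) exit 1;;
+          255) exit 1;;
+      esac
+      case $(cat $data) in
+          1) DH_KEYLENGTH=1024;;
+          2) DH_KEYLENGTH=3072;;
+      esac
+
+      for file in /etc/ssl/mycerts/*
+      do
+          if [[ -f $file ]]; then
+              filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
+              if [ -f $filename ]; then
+                  openssl dhparam -check -text -5 $DH_KEYLENGTH -out $filename
+              fi
+          fi
+      done
+  fi
+}
+
+function housekeeping {
+  cmd=(dialog --separate-output \
+              --backtitle "Freedombone Security Configuration" \
+              --checklist "Housekeeping options. If you don't need to do any of these things then just press Enter:" 10 76 16)
+  options=(1 "Regenerate ssh host keys" off
+           2 "Regenerate Diffie-Hellman keys" off)
+  choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
+  clear
+  for choice in $choices
+  do
+    case $choice in
+      1)
+        REGENERATE_SSH_HOST_KEYS="yes"
+        ;;
+      2)
+        REGENERATE_DH_KEYS="yes"
+        ;;
+    esac
+  done
+}
+
 function import_settings {
   cd $CURRENT_DIR
 
@@ -532,6 +604,7 @@ esac
 shift
 done
 
+housekeeping
 get_website_settings
 get_imap_settings
 get_ssh_settings
@@ -543,4 +616,6 @@ change_website_settings
 change_imap_settings
 change_ssh_settings
 change_xmpp_settings
+regenerate_ssh_host_keys
+regenerate_dh_keys
 exit 0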
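Review bot: regenerate_dh_keys still offers a 1024-bit choice in the radiolist (`1 "1024 bits" off`), which is below the 2048-bit floor generally recommended for finite-field DH and is inconsistent with the `awk '$5 > 2000'` filter the same commit uses to drop small ssh moduli; I would remove that entry, or at least change it to `2048 bits`, so a "security configuration" tool cannot be used to downgrade the parameters. The temp-file handling is also fragile: `tempfile` is Debian-specific and its failure is silenced, so with an empty `$data` the later `2> $data` redirection fails and the key length silently stays at the default — `data=$(mktemp) || return 1` is the safer form. In regenerate_ssh_host_keys the admin is never shown the new host keys; printing `ssh-keygen -lf /etc/ssh/ssh_host_*.pub` after `dpkg-reconfigure openssh-server` lets the fingerprints be verified out of band, since the next client connection will otherwise raise a host-key-changed warning that is indistinguishable from a MITM. Writing the filtered moduli to `~/moduli` and `mv`-ing it over `/etc/ssh/moduli` also replaces the file's mode and ownership with those of the new file, which is worth checking on the target system.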