free
/
freedombone
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
6042 Commits
5 Branches
Tree: 047ca9979a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '047ca9979a'
${ noResults }
freedombone/src/freedombone-sec

freedombone-sec 42KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Alters the security settings

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. PROJECT_NAME='freedombone'

  32. 

  33. export TEXTDOMAIN=${PROJECT_NAME}-sec

  34. export TEXTDOMAINDIR="/usr/share/locale"

  35. 

  36. CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg

  37. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt

  38. 

  39. UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*

  40. for f in $UTILS_FILES

  41. do

  42.     source $f

  43. done

  44. 

  45. SSL_PROTOCOLS=

  46. SSL_CIPHERS=

  47. SSH_CIPHERS=

  48. SSH_MACS=

  49. SSH_KEX=

  50. SSH_HOST_KEY_ALGORITHMS=

  51. SSH_PASSWORDS=

  52. XMPP_CIPHERS=

  53. XMPP_ECC_CURVE=

  54. 

  55. WEBSITES_DIRECTORY='/etc/nginx/sites-available'

  56. DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'

  57. SSH_CONFIG='/etc/ssh/sshd_config'

  58. XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'

  59. 

  60. MINIMUM_LENGTH=6

  61. 

  62. IMPORT_FILE=

  63. EXPORT_FILE=

  64. 

  65. CURRENT_DIR=$(pwd)

  66. 

  67. DH_KEYLENGTH=2048

  68. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  69. 

  70. MY_USERNAME=

  71. 

  72. function export_passwords {

  73.     detect_usb_drive

  74.     data=$(tempfile 2>/dev/null)

  75.     trap "rm -f $data" 0 1 2 5 15

  76.     dialog --title $"Export passwords to USB drive $USB_DRIVE" \

  77.            --backtitle $"Security Settings" \

  78.            --defaultno \

  79.            --yesno $"\nPlease confirm that you wish to export passwords to a LUKS formatted USB drive. The drive should be plugged in." 10 60

  80.     sel=$?

  81.     case $sel in

  82.         1) return;;

  83.         255) return;;

  84.     esac

  85. 

  86.     data=$(tempfile 2>/dev/null)

  87.     trap "rm -f $data" 0 1 2 5 15

  88.     dialog --title $"Export passwords to USB drive $USB_DRIVE" \

  89.            --backtitle $"Security Settings" \

  90.            --defaultno \

  91.            --yesno $"\nDo you need to format the drive as LUKS encrypted?" 12 60

  92.     sel=$?

  93.     case $sel in

  94.         0) ${PROJECT_NAME}-format $USB_DRIVE;;

  95.     esac

  96. 

  97.     clear

  98.     backup_mount_drive ${USB_DRIVE}

  99.     ${PROJECT_NAME}-pass --export ${USB_MOUNT}/${PROJECT_NAME}-passwords.xml

  100.     backup_unmount_drive ${USB_DRIVE}

  101. }

  102. 

  103. function get_protocols_from_website {

  104.     if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then

  105.         return

  106.     fi

  107.     SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')

  108. }

  109. 

  110. function get_ciphers_from_website {

  111.     if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then

  112.         return

  113.     fi

  114.     SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')

  115. }

  116. 

  117. function get_imap_settings {

  118.     if [ ! -f $DOVECOT_CIPHERS ]; then

  119.         return

  120.     fi

  121.     # clear commented out cipher list

  122.     sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS

  123.     if [ $SSL_CIPHERS ]; then

  124.         return

  125.     fi

  126.     if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then

  127.         return

  128.     fi

  129.     SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')

  130. }

  131. 

  132. function get_xmpp_settings {

  133.     if [ ! -f $XMPP_CONFIG ]; then

  134.         return

  135.     fi

  136.     XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  137.     XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  138. }

  139. 

  140. function get_ssh_settings {

  141.     if [ -f $SSH_CONFIG ]; then

  142.         SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')

  143.     fi

  144.     if [ -f /etc/ssh/ssh_config ]; then

  145.         SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')

  146.     fi

  147. }

  148. 

  149. function change_website_settings {

  150.     if [ ! "$SSL_PROTOCOLS" ]; then

  151.         return

  152.     fi

  153.     if [ ! $SSL_CIPHERS ]; then

  154.         return

  155.     fi

  156.     if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then

  157.         return

  158.     fi

  159.     if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then

  160.         return

  161.     fi

  162.     if [ ! -d $WEBSITES_DIRECTORY ]; then

  163.         return

  164.     fi

  165. 

  166.     cd $WEBSITES_DIRECTORY

  167.     for file in `dir -d *` ; do

  168.         sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file

  169.         sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file

  170.     done

  171.     systemctl restart nginx

  172.     echo $'Web security settings changed'

  173. }

  174. 

  175. function change_imap_settings {

  176.     if [ ! -f $DOVECOT_CIPHERS ]; then

  177.         return

  178.     fi

  179.     if [ ! $SSL_CIPHERS ]; then

  180.         return

  181.     fi

  182.     if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then

  183.         return

  184.     fi

  185.     sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS

  186.     sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS

  187.     systemctl restart dovecot

  188.     echo $'imap security settings changed'

  189. }

  190. 

  191. function change_ssh_settings {

  192.     if [ -f /etc/ssh/ssh_config ]; then

  193.         if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  194.             sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config

  195.             echo $'ssh client security settings changed'

  196.         fi

  197.     fi

  198.     if [ -f $SSH_CONFIG ]; then

  199.         if [ ! $SSH_CIPHERS ]; then

  200.             return

  201.         fi

  202.         if [ ! $SSH_MACS ]; then

  203.             return

  204.         fi

  205.         if [ ! $SSH_KEX ]; then

  206.             return

  207.         fi

  208.         if [ ! $SSH_PASSWORDS ]; then

  209.             SSH_PASSWORDS='yes'

  210.         fi

  211. 

  212.         sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG

  213.         sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG

  214.         sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG

  215.         sed -i "s|#PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG

  216.         sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG

  217.         systemctl restart ssh

  218.         echo $'ssh server security settings changed'

  219.     fi

  220. }

  221. 

  222. function change_xmpp_settings {

  223.     if [ ! -f $XMPP_CONFIG ]; then

  224.         return

  225.     fi

  226.     if [ ! $XMPP_CIPHERS ]; then

  227.         return

  228.     fi

  229.     if [ ! $XMPP_ECC_CURVE ]; then

  230.         return

  231.     fi

  232.     sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG

  233.     sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG

  234.     systemctl restart prosody

  235.     echo $'xmpp security settings changed'

  236. }

  237. 

  238. function allow_ssh_passwords {

  239.     dialog --title $"SSH Passwords" \

  240.            --backtitle $"Freedombone Security Configuration" \

  241.            --yesno $"\nAllow SSH login using passwords?" 7 60

  242.     sel=$?

  243.     case $sel in

  244.         0) SSH_PASSWORDS="yes";;

  245.         1) SSH_PASSWORDS="no";;

  246.         255) exit 0;;

  247.     esac

  248. }

  249. 

  250. function interactive_setup {

  251.     if [ $SSL_CIPHERS ]; then

  252.         data=$(tempfile 2>/dev/null)

  253.         trap "rm -f $data" 0 1 2 5 15

  254.         dialog --backtitle $"Freedombone Security Configuration" \

  255.                --form $"\nWeb/IMAP Ciphers:" 10 95 2 \

  256.                $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \

  257.                $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \

  258.                2> $data

  259.         sel=$?

  260.         case $sel in

  261.             1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)

  262.                SSL_CIPHERS=$(cat $data | sed -n 2p)

  263.                ;;

  264.             255) exit 0;;

  265.         esac

  266.     fi

  267. 

  268.     data=$(tempfile 2>/dev/null)

  269.     trap "rm -f $data" 0 1 2 5 15

  270.     if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  271.         dialog --backtitle $"Freedombone Security Configuration" \

  272.                --form $"\nSecure Shell Ciphers:" 13 95 4 \

  273.                $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \

  274.                $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \

  275.                $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \

  276.                $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \

  277.                2> $data

  278.         sel=$?

  279.         case $sel in

  280.             1) SSH_CIPHERS=$(cat $data | sed -n 1p)

  281.                SSH_MACS=$(cat $data | sed -n 2p)

  282.                SSH_KEX=$(cat $data | sed -n 3p)

  283.                SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)

  284.                ;;

  285.             255) exit 0;;

  286.         esac

  287.     else

  288.         dialog --backtitle $"Freedombone Security Configuration" \

  289.                --form $"\nSecure Shell Ciphers:" 11 95 3 \

  290.                $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \

  291.                $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \

  292.                $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \

  293.                2> $data

  294.         sel=$?

  295.         case $sel in

  296.             1) SSH_CIPHERS=$(cat $data | sed -n 1p)

  297.                SSH_MACS=$(cat $data | sed -n 2p)

  298.                SSH_KEX=$(cat $data | sed -n 3p)

  299.                ;;

  300.             255) exit 0;;

  301.         esac

  302.     fi

  303. 

  304.     if [ $XMPP_CIPHERS ]; then

  305.         data=$(tempfile 2>/dev/null)

  306.         trap "rm -f $data" 0 1 2 5 15

  307.         dialog --backtitle $"Freedombone Security Configuration" \

  308.                --form $"\nXMPP Ciphers:" 10 95 2 \

  309.                $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \

  310.                $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \

  311.                2> $data

  312.         sel=$?

  313.         case $sel in

  314.             1) XMPP_CIPHERS=$(cat $data | sed -n 1p)

  315.                XMPP_ECC_CURVE=$(cat $data | sed -n 2p)

  316.                ;;

  317.             255) exit 0;;

  318.         esac

  319.     fi

  320. 

  321.     dialog --title $"Final Confirmation" \

  322.            --backtitle $"Freedombone Security Configuration" \

  323.            --defaultno \

  324.            --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60

  325.     sel=$?

  326.     case $sel in

  327.         1) clear

  328.            echo $'Exiting without changing security settings'

  329.            exit 0;;

  330.         255) clear

  331.              echo $'Exiting without changing security settings'

  332.              exit 0;;

  333.     esac

  334. 

  335.     clear

  336. }

  337. 

  338. function send_monkeysphere_server_keys_to_users {

  339.     monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')

  340.     for d in /home/*/ ; do

  341.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  342.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  343.             if [ ! -d /home/$USERNAME/.monkeysphere ]; then

  344.                 mkdir /home/$USERNAME/.monkeysphere

  345.             fi

  346.             echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys

  347.             chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere

  348.         fi

  349.     done

  350. }

  351. 

  352. function regenerate_ssh_host_keys {

  353.     rm -f /etc/ssh/ssh_host_*

  354.     dpkg-reconfigure openssh-server

  355.     echo $'ssh host keys regenerated'

  356.     # remove small moduli

  357.     awk '$5 > 2000' /etc/ssh/moduli > ~/moduli

  358.     mv ~/moduli /etc/ssh/moduli

  359.     echo $'ssh small moduli removed'

  360.     # update monkeysphere

  361.     DEFAULT_DOMAIN_NAME=

  362.     read_config_param "DEFAULT_DOMAIN_NAME"

  363.     monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME

  364.     SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')

  365.     monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME

  366.     monkeysphere-host publish-key

  367.     send_monkeysphere_server_keys_to_users

  368.     echo $'updated monkeysphere ssh host key'

  369.     systemctl restart ssh

  370. }

  371. 

  372. function regenerate_dh_keys {

  373.     if [ ! -d /etc/ssl/mycerts ]; then

  374.         echo $'No dhparam certificates were found'

  375.         return

  376.     fi

  377. 

  378.     data=$(tempfile 2>/dev/null)

  379.     trap "rm -f $data" 0 1 2 5 15

  380.     dialog --backtitle "Freedombone Security Configuration" \

  381.            --title "Diffie-Hellman key length" \

  382.            --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \

  383.            1 "2048 bits" off \

  384.            2 "3072 bits" on \

  385.            3 "4096 bits" off 2> $data

  386.     sel=$?

  387.     case $sel in

  388.         1) exit 1;;

  389.         255) exit 1;;

  390.     esac

  391.     case $(cat $data) in

  392.         1) DH_KEYLENGTH=2048;;

  393.         2) DH_KEYLENGTH=3072;;

  394.         3) DH_KEYLENGTH=4096;;

  395.     esac

  396. 

  397.     ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}

  398. }

  399. 

  400. function renew_startssl {

  401.     renew_domain=

  402.     data=$(tempfile 2>/dev/null)

  403.     trap "rm -f $data" 0 1 2 5 15

  404.     dialog --title $"Renew a StartSSL certificate" \

  405.            --backtitle $"Freedombone Security Settings" \

  406.            --inputbox $"Enter the domain name" 8 60 2>$data

  407.     sel=$?

  408.     case $sel in

  409.         0)

  410.             renew_domain=$(<$data)

  411.             ;;

  412.     esac

  413. 

  414.     if [ ! $renew_domain ]; then

  415.         return

  416.     fi

  417. 

  418.     if [[ $renew_domain == "http"* ]]; then

  419.         dialog --title $"Renew a StartSSL certificate" \

  420.                --msgbox $"Don't include the https://" 6 40

  421.         return

  422.     fi

  423. 

  424.     if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then

  425.         dialog --title $"Renew a StartSSL certificate" \

  426.                --msgbox $"An existing certificate for $renew_domain was not found" 6 40

  427.         return

  428.     fi

  429. 

  430.     if [[ $renew_domain != *"."* ]]; then

  431.         dialog --title $"Renew a StartSSL certificate" \

  432.                --msgbox $"Invalid domain name: $renew_domain" 6 40

  433.         return

  434.     fi

  435. 

  436.     ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl

  437. 

  438.     exit 0

  439. }

  440. 

  441. function renew_letsencrypt {

  442.     renew_domain=

  443.     data=$(tempfile 2>/dev/null)

  444.     trap "rm -f $data" 0 1 2 5 15

  445.     dialog --title $"Renew a Let's Encrypt certificate" \

  446.            --backtitle $"Freedombone Security Settings" \

  447.            --inputbox $"Enter the domain name" 8 60 2>$data

  448.     sel=$?

  449.     case $sel in

  450.         0)

  451.             renew_domain=$(<$data)

  452.             ;;

  453.     esac

  454. 

  455.     if [ ! $renew_domain ]; then

  456.         return

  457.     fi

  458. 

  459.     if [[ $renew_domain == "http"* ]]; then

  460.         dialog --title $"Renew a Let's Encrypt certificate" \

  461.                --msgbox $"Don't include the https://" 6 40

  462.         return

  463.     fi

  464. 

  465.     if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then

  466.         dialog --title $"Renew a Let's Encrypt certificate" \

  467.                --msgbox $"An existing certificate for $renew_domain was not found" 6 40

  468.         return

  469.     fi

  470. 

  471.     if [[ $renew_domain != *"."* ]]; then

  472.         dialog --title $"Renew a Let's Encrypt certificate" \

  473.                --msgbox $"Invalid domain name: $renew_domain" 6 40

  474.         return

  475.     fi

  476. 

  477.     ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'

  478. 

  479.     exit 0

  480. }

  481. 

  482. function delete_letsencrypt {

  483.     delete_domain=

  484.     data=$(tempfile 2>/dev/null)

  485.     trap "rm -f $data" 0 1 2 5 15

  486.     dialog --title $"Delete a Let's Encrypt certificate" \

  487.            --backtitle $"Freedombone Security Settings" \

  488.            --inputbox $"Enter the domain name" 8 60 2>$data

  489.     sel=$?

  490.     case $sel in

  491.         0)

  492.             delete_domain=$(<$data)

  493.             ;;

  494.     esac

  495. 

  496.     if [ ! $delete_domain ]; then

  497.         return

  498.     fi

  499. 

  500.     if [[ $delete_domain == "http"* ]]; then

  501.         dialog --title $"Delete a Let's Encrypt certificate" \

  502.                --msgbox $"Don't include the https://" 6 40

  503.         return

  504.     fi

  505. 

  506.     if [ ! -f /etc/ssl/certs/${delete_domain}.dhparam ]; then

  507.         dialog --title $"Delete a Let's Encrypt certificate" \

  508.                --msgbox $"An existing certificate for $renew_domain was not found" 6 40

  509.         return

  510.     fi

  511. 

  512.     if [[ $delete_domain != *"."* ]]; then

  513.         dialog --title $"Delete a Let's Encrypt certificate" \

  514.                --msgbox $"Invalid domain name: $delete_domain" 6 40

  515.         return

  516.     fi

  517. 

  518.     ${PROJECT_NAME}-addcert -r $delete_domain

  519. 

  520.     exit 0

  521. }

  522. 

  523. function create_letsencrypt {

  524.     new_domain=

  525.     data=$(tempfile 2>/dev/null)

  526.     trap "rm -f $data" 0 1 2 5 15

  527.     dialog --title $"Create a new Let's Encrypt certificate" \

  528.            --backtitle $"Freedombone Security Settings" \

  529.            --inputbox $"Enter the domain name" 8 60 2>$data

  530.     sel=$?

  531.     case $sel in

  532.         0)

  533.             new_domain=$(<$data)

  534.             ;;

  535.     esac

  536. 

  537.     if [ ! $new_domain ]; then

  538.         return

  539.     fi

  540. 

  541.     if [[ $new_domain == "http"* ]]; then

  542.         dialog --title $"Create a new Let's Encrypt certificate" \

  543.                --msgbox $"Don't include the https://" 6 40

  544.         return

  545.     fi

  546. 

  547.     if [[ $new_domain != *"."* ]]; then

  548.         dialog --title $"Create a new Let's Encrypt certificate" \

  549.                --msgbox $"Invalid domain name: $new_domain" 6 40

  550.         return

  551.     fi

  552. 

  553.     if [ ! -d /var/www/${new_domain} ]; then

  554.         domain_found=

  555.         if [ -f /etc/nginx/sites-available/radicale ]; then

  556.             if grep "${new_domain}" /etc/nginx/sites-available/radicale; then

  557.                 domain_found=1

  558.             fi

  559.         fi

  560.         if [ -f /etc/nginx/sites-available/${new_domain} ]; then

  561.             domain_found=1

  562.         fi

  563.         if [[ "${new_domain}" == "jitsi"* || "${new_domain}" == "meet"* ]]; then

  564.             domain_found=1

  565.         fi

  566.         if [ ! $domain_found ]; then

  567.             dialog --title $"Create a new Let's Encrypt certificate" \

  568.                    --msgbox $'Domain not found within /var/www' 6 40

  569.             return

  570.         fi

  571.     fi

  572. 

  573.     ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH

  574. 

  575.     exit 0

  576. }

  577. 

  578. function update_ciphersuite {

  579.     RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"

  580.     if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then

  581.         return

  582.     fi

  583. 

  584.     RECOMMENDED_SSL_PROTOCOLS="$SSL_PROTOCOLS"

  585.     if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then

  586.         return

  587.     fi

  588. 

  589.     RECOMMENDED_SSH_CIPHERS="$SSH_CIPHERS"

  590.     if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then

  591.         return

  592.     fi

  593. 

  594.     RECOMMENDED_SSH_MACS="$SSH_MACS"

  595.     if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then

  596.         return

  597.     fi

  598. 

  599.     RECOMMENDED_SSH_KEX="$SSH_KEX"

  600.     if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then

  601.         return

  602.     fi

  603. 

  604.     cd $WEBSITES_DIRECTORY

  605.     for file in `dir -d *` ; do

  606.         sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file

  607.         sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file

  608.     done

  609.     systemctl restart nginx

  610.     write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"

  611.     write_config_param "SSL_CIPHERS" "$RECOMMENDED_SSL_CIPHERS"

  612. 

  613.     sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG

  614.     sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG

  615.     sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG

  616.     systemctl restart ssh

  617. 

  618.     write_config_param "SSH_CIPHERS" "$RECOMMENDED_SSH_CIPHERS"

  619.     write_config_param "SSH_MACS" "$RECOMMENDED_SSH_MACS"

  620.     write_config_param "SSH_KEX" "$RECOMMENDED_SSH_KEX"

  621. 

  622.     dialog --title $"Update ciphersuite" \

  623.            --msgbox $"The ciphersuite has been updated to recommended versions" 6 40

  624.     exit 0

  625. }

  626. 

  627. function gpg_pubkey_from_email {

  628.     key_owner_username=$1

  629.     key_email_address=$2

  630.     key_id=

  631.     if [[ $key_owner_username != "root" ]]; then

  632.         key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')

  633.     else

  634.         key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')

  635.     fi

  636.     echo $key_id

  637. }

  638. 

  639. function enable_monkeysphere {

  640.     monkey=

  641.     dialog --title $"GPG based authentication" \

  642.            --backtitle $"Freedombone Security Configuration" \

  643.            --defaultno \

  644.            --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60

  645.     sel=$?

  646.     case $sel in

  647.         0) monkey='yes';;

  648.         255) exit 0;;

  649.     esac

  650. 

  651.     if [ $monkey ]; then

  652.         read_config_param "MY_USERNAME"

  653. 

  654.         if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then

  655.             dialog --title $"GPG based authentication" \

  656.                    --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40

  657.             exit 0

  658.         fi

  659. 

  660.         MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")

  661.         if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then

  662.             echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'

  663.             exit 52825

  664.         fi

  665. 

  666.         sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config

  667.         sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config

  668.         monkeysphere-authentication update-users

  669. 

  670.         # The admin user is the identity certifier

  671.         fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')

  672.         monkeysphere-authentication add-identity-certifier $fpr

  673.         monkeysphere-host publish-key

  674.         send_monkeysphere_server_keys_to_users

  675.     else

  676.         sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config

  677.         sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config

  678.     fi

  679. 

  680.     systemctl restart ssh

  681. 

  682.     if [ $monkey ]; then

  683.         dialog --title $"GPG based authentication" \

  684.                --msgbox $"GPG based authentication was enabled" 6 40

  685.     else

  686.         dialog --title $"GPG based authentication" \

  687.                --msgbox $"GPG based authentication was disabled" 6 40

  688.     fi

  689.     exit 0

  690. }

  691. 

  692. function register_website {

  693.     domain="$1"

  694. 

  695.     if [[ ${domain} == *".local" ]]; then

  696.         echo $"Can't register local domains"

  697.         return

  698.     fi

  699. 

  700.     if [ ! -f /etc/ssl/private/${domain}.key ]; then

  701.         echo $"No SSL/TLS private key found for ${domain}"

  702.         return

  703.     fi

  704. 

  705.     if [ ! -f /etc/nginx/sites-available/${domain} ]; then

  706.         echo $"No virtual host found for ${domain}"

  707.         return

  708.     fi

  709. 

  710.     monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}

  711.     monkeysphere-host publish-key

  712.     echo "0"

  713. }

  714. 

  715. function register_website_interactive {

  716.     data=$(tempfile 2>/dev/null)

  717.     trap "rm -f $data" 0 1 2 5 15

  718.     dialog --title $"Register a website with monkeysphere" \

  719.            --backtitle $"Freedombone Security Settings" \

  720.            --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data

  721.     sel=$?

  722.     case $sel in

  723.         0)

  724.             domain=$(<$data)

  725.             register_website "$domain"

  726.             if [ ! "$?" = "0" ]; then

  727.                 dialog --title $"Register a website with monkeysphere" \

  728.                        --msgbox "$?" 6 40

  729.             else

  730.                 dialog --title $"Register a website with monkeysphere" \

  731.                        --msgbox $"$domain has been registered" 6 40

  732.             fi

  733.             ;;

  734.     esac

  735. }

  736. 

  737. function pin_all_tls_certs {

  738.     ${PROJECT_NAME}-pin-cert all

  739. }

  740. 

  741. function remove_pinning {

  742.     data=$(tempfile 2>/dev/null)

  743.     trap "rm -f $data" 0 1 2 5 15

  744.     dialog --title $"Remove pinning for a domain" \

  745.            --backtitle $"Freedombone Security Settings" \

  746.            --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data

  747.     sel=$?

  748.     case $sel in

  749.         0)

  750.             domain=$(<$data)

  751.             ${PROJECT_NAME}-pin-cert "$domain" remove

  752.             if [ ! "$?" = "0" ]; then

  753.                 dialog --title $"Removed pinning from $domain" \

  754.                        --msgbox "$?" 6 40

  755.             fi

  756.             ;;

  757.     esac

  758. }

  759. 

  760. function store_passwords {

  761.     dialog --title $"Store Passwords" \

  762.            --backtitle $"Freedombone Security Configuration" \

  763.            --yesno $"\nDo you wish to store passwords on the system? Stored passwords are convenient but carry some additional security risk." 10 60

  764.     sel=$?

  765.     case $sel in

  766.         0)

  767.             if [ -f /root/.nostore ]; then

  768.                 read_config_param "MY_USERNAME"

  769.                 if [ ! -f /home/$MY_USERNAME/.ssh/authorized_keys ]; then

  770.                     dialog --title $"Store Passwords" \

  771.                            --msgbox $"\nYou should first enable key based ssh login to improve security" 8 60

  772.                     return

  773.                 fi

  774.                 if [[ $SSH_PASSWORDS == 'yes' ]]; then

  775.                     dialog --title $"Store Passwords" \

  776.                            --msgbox $"\nYou should disable ssh passwords to improve security" 8 60

  777.                     return

  778.                 fi

  779.                 ${PROJECT_NAME}-pass --enable yes

  780.                 dialog --title $"Store Passwords" \

  781.                        --msgbox $"\nUser passwords will now be stored on the system" 8 60

  782.             fi

  783.             return

  784.             ;;

  785.         1)

  786.             ${PROJECT_NAME}-pass --clear yes

  787.             dialog --title $"Passwords were removed and will not be stored" \

  788.                    --msgbox $"\nFor the best security you should now manually change passwords via web interfaces so that there is no possibility of them being recovered from the disk" 9 60

  789.             return

  790.             ;;

  791.         255) return;;

  792.     esac

  793. }

  794. 

  795. function show_tor_bridges {

  796.     clear

  797.     bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')

  798.     if [ ${#bridges_list} -eq 0 ]; then

  799.         echo $'No Tor bridges have been added'

  800.         return

  801.     fi

  802.     echo "${bridges_list}"

  803. }

  804. 

  805. function add_tor_bridge {

  806.     data=$(tempfile 2>/dev/null)

  807.     trap "rm -f $data" 0 1 2 5 15

  808.     dialog --backtitle $"Freedombone Control Panel" \

  809.            --title $"Add obfs4 Tor bridge" \

  810.            --form "\n" 9 60 4 \

  811.            $"IP address:   " 1 1 "   .   .   .   " 1 17 16 16 \

  812.            $"Port:         " 2 1 "" 2 17 8 8 \

  813.            $"Key/Nickname: " 3 1 "" 3 17 250 250 \

  814.            2> $data

  815.     sel=$?

  816.     case $sel in

  817.         1) return;;

  818.         255) return;;

  819.     esac

  820.     bridge_ip_address=$(cat $data | sed -n 1p)

  821.     bridge_port=$(cat $data | sed -n 2p)

  822.     bridge_key=$(cat $data | sed -n 3p)

  823.     if [[ "${bridge_ip_address}" == *" "* ]]; then

  824.         return

  825.     fi

  826.     if [[ "${bridge_ip_address}" != *"."* ]]; then

  827.         return

  828.     fi

  829.     if [ ${#bridge_port} -eq 0 ]; then

  830.         return

  831.     fi

  832.     if [ ${#bridge_key} -eq 0 ]; then

  833.         return

  834.     fi

  835.     tor_add_bridge "${bridge_ip_address}" "${bridge_port}" "${bridge_key}"

  836.     dialog --title $"Add obfs4 Tor bridge" \

  837.            --msgbox $"Bridge added" 6 40

  838. }

  839. 

  840. function remove_tor_bridge {

  841.     bridge_removed=

  842.     data=$(tempfile 2>/dev/null)

  843.     trap "rm -f $data" 0 1 2 5 15

  844.     dialog --title $"Remove obfs4 Tor bridge" \

  845.            --backtitle $"Freedombone Control Panel" \

  846.            --inputbox $"Enter the IP address, key or Nickname of the bridge" 8 65 2>$data

  847.     sel=$?

  848.     case $sel in

  849.         0)

  850.             response=$(<$data)

  851.             if [ ${#response} -gt 2 ]; then

  852.                 if [[ "${response}" != *" "* ]]; then

  853.                     if [[ "${response}" == *"."* ]]; then

  854.                         if grep "Bridge ${response}" /etc/tor/torrc; then

  855.                             tor_remove_bridge "${response}"

  856.                             bridge_removed=1

  857.                         fi

  858.                     else

  859.                         if grep " $response" /etc/tor/torrc; then

  860.                             tor_remove_bridge "${response}"

  861.                             bridge_removed=1

  862.                         fi

  863.                     fi

  864.                 fi

  865.             fi

  866.             ;;

  867.     esac

  868.     if [ $bridge_removed ]; then

  869.         dialog --title $"Remove obfs4 Tor bridge" \

  870.                --msgbox $"Bridge removed" 6 40

  871.     fi

  872. }

  873. 

  874. function add_tor_bridge_relay {

  875.     read_config_param 'TOR_BRIDGE_NICKNAME'

  876.     read_config_param 'TOR_BRIDGE_PORT'

  877. 

  878.     # remove any previous bridge port from the firewall

  879.     if [ ${#TOR_BRIDGE_PORT} -gt 0 ]; then

  880.         firewall_remove $TOR_BRIDGE_PORT tcp

  881.     fi

  882. 

  883.     data=$(tempfile 2>/dev/null)

  884.     trap "rm -f $data" 0 1 2 5 15

  885.     dialog --backtitle $"Freedombone Control Panel" \

  886.            --title $"Become an obfs4 Tor bridge relay" \

  887.            --form "\n" 8 60 2 \

  888.            $"Bridge Nickname: " 1 1 "$TOR_BRIDGE_NICKNAME" 1 20 250 250 \

  889.            2> $data

  890.     sel=$?

  891.     case $sel in

  892.         1) return;;

  893.         255) return;;

  894.     esac

  895.     bridge_nickname=$(cat $data | sed -n 1p)

  896.     if [[ "${bridge_nickname}" == *" "* ]]; then

  897.         return

  898.     fi

  899.     if [ ${#bridge_nickname} -eq 0 ]; then

  900.         return

  901.     fi

  902.     TOR_BRIDGE_NICKNAME="$bridge_nickname"

  903.     TOR_BRIDGE_PORT=$((20000 + RANDOM % 40000))

  904.     write_config_param 'TOR_BRIDGE_NICKNAME' "$TOR_BRIDGE_NICKNAME"

  905.     write_config_param 'TOR_BRIDGE_PORT' "$TOR_BRIDGE_PORT"

  906.     tor_create_bridge_relay

  907.     dialog --title $"You are now an obfs4 Tor bridge relay" \

  908.            --msgbox $"\nIP address: $(get_ipv4_address)\n\nPort: ${TOR_BRIDGE_PORT}\n\nNickname: ${TOR_BRIDGE_NICKNAME}" 10 65

  909. }

  910. 

  911. function remove_tor_bridge_relay {

  912.     tor_remove_bridge_relay

  913.     dialog --title $"Remove Tor bridge relay" \

  914.            --msgbox $"Bridge relay removed" 10 60

  915. }

  916. 

  917. function menu_tor_bridges {

  918.     data=$(tempfile 2>/dev/null)

  919.     trap "rm -f $data" 0 1 2 5 15

  920.     dialog --backtitle $"Freedombone Control Panel" \

  921.            --title $"Tor Bridges" \

  922.            --radiolist $"Choose an operation:" 14 50 6 \

  923.            1 $"Show bridges" off \

  924.            2 $"Add a bridge" off \

  925.            3 $"Remove a bridge" off \

  926.            4 $"Make this system into a bridge" off \

  927.            5 $"Stop being a bridge" off \

  928.            6 $"Go Back/Exit" on 2> $data

  929.     sel=$?

  930.     case $sel in

  931.         1) exit 1;;

  932.         255) exit 1;;

  933.     esac

  934. 

  935.     case $(cat $data) in

  936.         1)

  937.             show_tor_bridges

  938.             exit 0

  939.             ;;

  940.         2)

  941.             add_tor_bridge

  942.             exit 0

  943.             ;;

  944.         3)

  945.             remove_tor_bridge

  946.             exit 0

  947.             ;;

  948.         4)

  949.             add_tor_bridge_relay

  950.             exit 0

  951.             ;;

  952.         5)

  953.             remove_tor_bridge_relay

  954.             exit 0

  955.             ;;

  956.         6)

  957.             exit 0

  958.             ;;

  959.     esac

  960. }

  961. 

  962. function menu_security_settings {

  963.     data=$(tempfile 2>/dev/null)

  964.     trap "rm -f $data" 0 1 2 5 15

  965.     dialog --backtitle $"Freedombone Control Panel" \

  966.            --title $"Security Settings" \

  967.            --radiolist $"Choose an operation:" 22 76 22 \

  968.            1 $"Run STIG tests" off \

  969.            2 $"Show ssh host public key" off \

  970.            3 $"Tor bridges" off \

  971.            4 $"Password storage" off \

  972.            5 $"Export passwords" off \

  973.            6 $"Regenerate ssh host keys" off \

  974.            7 $"Regenerate Diffie-Hellman keys" off \

  975.            8 $"Update cipersuite" off \

  976.            9 $"Create a new Let's Encrypt certificate" off \

  977.            10 $"Renew Let's Encrypt certificate" off \

  978.            11 $"Delete a Let's Encrypt certificate" off \

  979.            12 $"Enable GPG based authentication (monkeysphere)" off \

  980.            13 $"Register a website with monkeysphere" off \

  981.            14 $"Allow ssh login with passwords" off \

  982.            15 $"Go Back/Exit" on 2> $data

  983.     sel=$?

  984.     case $sel in

  985.         1) exit 1;;

  986.         255) exit 1;;

  987.     esac

  988. 

  989.     clear

  990. 

  991.     read_config_param SSL_CIPHERS

  992.     read_config_param SSL_PROTOCOLS

  993.     read_config_param SSH_CIPHERS

  994.     read_config_param SSH_MACS

  995.     read_config_param SSH_KEX

  996. 

  997.     get_imap_settings

  998.     get_ssh_settings

  999.     get_xmpp_settings

  1000.     import_settings

  1001.     export_settings

  1002. 

  1003.     case $(cat $data) in

  1004.         1)

  1005.             clear

  1006.             echo $'Running STIG tests...'

  1007.             echo ''

  1008.             ${PROJECT_NAME}-tests --stig showall

  1009.             exit 0

  1010.             ;;

  1011.         2)

  1012.             dialog --title $"SSH host public keys" \

  1013.                    --msgbox "\n$(get_ssh_server_key)" 12 60

  1014.             exit 0

  1015.             ;;

  1016.         3)

  1017.             menu_tor_bridges

  1018.             exit 0

  1019.             ;;

  1020.         4)

  1021.             store_passwords

  1022.             exit 0

  1023.             ;;

  1024.         5)

  1025.             export_passwords

  1026.             exit 0

  1027.             ;;

  1028.         6)

  1029.             regenerate_ssh_host_keys

  1030.             ;;

  1031.         7)

  1032.             regenerate_dh_keys

  1033.             ;;

  1034.         8)

  1035.             interactive_setup

  1036.             update_ciphersuite

  1037.             ;;

  1038.         9)

  1039.             create_letsencrypt

  1040.             ;;

  1041.         10)

  1042.             renew_letsencrypt

  1043.             ;;

  1044.         11)

  1045.             delete_letsencrypt

  1046.             ;;

  1047.         12)

  1048.             enable_monkeysphere

  1049.             ;;

  1050.         13)

  1051.             register_website

  1052.             ;;

  1053.         14)

  1054.             allow_ssh_passwords

  1055.             change_ssh_settings

  1056.             exit 0

  1057.             ;;

  1058.         15)

  1059.             exit 0

  1060.             ;;

  1061.     esac

  1062. 

  1063.     change_website_settings

  1064.     change_imap_settings

  1065.     change_ssh_settings

  1066.     change_xmpp_settings

  1067. }

  1068. 

  1069. function import_settings {

  1070.     cd $CURRENT_DIR

  1071. 

  1072.     if [ ! $IMPORT_FILE ]; then

  1073.         return

  1074.     fi

  1075. 

  1076.     if [ ! -f $IMPORT_FILE ]; then

  1077.         echo $"Import file $IMPORT_FILE not found"

  1078.         exit 6393

  1079.     fi

  1080. 

  1081.     if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then

  1082.         TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1083.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1084.             SSL_PROTOCOLS=$TEMP_VALUE

  1085.         fi

  1086.     fi

  1087.     if grep -q "SSL_CIPHERS" $IMPORT_FILE; then

  1088.         TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1089.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1090.             SSL_CIPHERS=$TEMP_VALUE

  1091.         fi

  1092.     fi

  1093.     if grep -q "SSH_CIPHERS" $IMPORT_FILE; then

  1094.         TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1095.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1096.             SSH_CIPHERS=$TEMP_VALUE

  1097.         fi

  1098.     fi

  1099.     if grep -q "SSH_MACS" $IMPORT_FILE; then

  1100.         TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1101.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1102.             SSH_MACS=$TEMP_VALUE

  1103.         fi

  1104.     fi

  1105.     if grep -q "SSH_KEX" $IMPORT_FILE; then

  1106.         TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')

  1107.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1108.             SSH_KEX=$TEMP_VALUE

  1109.         fi

  1110.     fi

  1111.     if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then

  1112.         TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1113.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1114.             SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE

  1115.         fi

  1116.     fi

  1117.     if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then

  1118.         TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1119.         if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then

  1120.             SSH_PASSWORDS=$TEMP_VALUE

  1121.         fi

  1122.     fi

  1123.     if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then

  1124.         TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1125.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1126.             XMPP_CIPHERS=$TEMP_VALUE

  1127.         fi

  1128.     fi

  1129.     if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then

  1130.         TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')

  1131.         if [ ${#TEMP_VALUE} -gt 3 ]; then

  1132.             XMPP_ECC_CURVE=$TEMP_VALUE

  1133.         fi

  1134.     fi

  1135. }

  1136. 

  1137. function export_settings {

  1138.     if [ ! $EXPORT_FILE ]; then

  1139.         return

  1140.     fi

  1141. 

  1142.     cd $CURRENT_DIR

  1143. 

  1144.     if [ ! -f $EXPORT_FILE ]; then

  1145.         if [ "$SSL_PROTOCOLS" ]; then

  1146.             echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE

  1147.         fi

  1148.         if [ $SSL_CIPHERS ]; then

  1149.             echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE

  1150.         fi

  1151.         if [ $SSH_CIPHERS ]; then

  1152.             echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE

  1153.         fi

  1154.         if [ $SSH_MACS ]; then

  1155.             echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE

  1156.         fi

  1157.         if [ $SSH_KEX ]; then

  1158.             echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE

  1159.         fi

  1160.         if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  1161.             echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE

  1162.         fi

  1163.         if [ $SSH_PASSWORDS ]; then

  1164.             echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE

  1165.         fi

  1166.         if [ $XMPP_CIPHERS ]; then

  1167.             echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE

  1168.         fi

  1169.         if [ $XMPP_ECC_CURVE ]; then

  1170.             echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE

  1171.         fi

  1172.         echo "Security settings exported to $EXPORT_FILE"

  1173.         exit 0

  1174.     fi

  1175. 

  1176.     if [ "$SSL_PROTOCOLS" ]; then

  1177.         if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then

  1178.             sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE

  1179.         else

  1180.             echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE

  1181.         fi

  1182.     fi

  1183.     if [ $SSL_CIPHERS ]; then

  1184.         if grep -q "SSL_CIPHERS" $EXPORT_FILE; then

  1185.             sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE

  1186.         else

  1187.             echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE

  1188.         fi

  1189.     fi

  1190.     if [ $SSH_CIPHERS ]; then

  1191.         if grep -q "SSH_CIPHERS" $EXPORT_FILE; then

  1192.             sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE

  1193.         else

  1194.             echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE

  1195.         fi

  1196.     fi

  1197.     if [ $SSH_MACS ]; then

  1198.         if grep -q "SSH_MACS" $EXPORT_FILE; then

  1199.             sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE

  1200.         else

  1201.             echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE

  1202.         fi

  1203.     fi

  1204.     if [ $SSH_KEX ]; then

  1205.         if grep -q "SSH_KEX" $EXPORT_FILE; then

  1206.             sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE

  1207.         else

  1208.             echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE

  1209.         fi

  1210.     fi

  1211.     if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  1212.         if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then

  1213.             sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE

  1214.         else

  1215.             echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE

  1216.         fi

  1217.     fi

  1218.     if [ $SSH_PASSWORDS ]; then

  1219.         if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then

  1220.             sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE

  1221.         else

  1222.             echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE

  1223.         fi

  1224.     fi

  1225.     if [ $XMPP_CIPHERS ]; then

  1226.         if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then

  1227.             sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE

  1228.         else

  1229.             echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE

  1230.         fi

  1231.     fi

  1232.     if [ $XMPP_ECC_CURVE ]; then

  1233.         if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then

  1234.             sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE

  1235.         else

  1236.             echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE

  1237.         fi

  1238.     fi

  1239.     echo $"Security settings exported to $EXPORT_FILE"

  1240.     exit 0

  1241. }

  1242. 

  1243. function refresh_gpg_keys {

  1244.     for d in /home/*/ ; do

  1245.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  1246.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  1247.             su -c 'gpg --refresh-keys' - $USERNAME

  1248.         fi

  1249.     done

  1250.     exit 0

  1251. }

  1252. 

  1253. function monkeysphere_sign_server_keys {

  1254.     server_keys_file=/home/$USER/.monkeysphere/server_keys

  1255.     if [ ! -f $server_keys_file ]; then

  1256.         exit 0

  1257.     fi

  1258. 

  1259.     keys_signed=

  1260.     while read line; do

  1261.         echo $line

  1262.         if [ ${#line} -gt 2 ]; then

  1263.             fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')

  1264.             if [ ${#fpr} -gt 2 ]; then

  1265.                 gpg --sign-key $fpr

  1266.                 if [ "$?" = "0" ]; then

  1267.                     gpg --update-trustdb

  1268.                     keys_signed=1

  1269.                 fi

  1270.             fi

  1271.         fi

  1272.     done <$server_keys_file

  1273. 

  1274.     if [ $keys_signed ]; then

  1275.         rm $server_keys_file

  1276.     fi

  1277.     exit 0

  1278. }

  1279. 

  1280. function htmly_hash {

  1281.     # produces a hash corresponding to a htmly password

  1282.     pass="$1"

  1283.     HTMLYHASH_FILENAME=/usr/bin/htmlyhash

  1284. 

  1285.     echo '<?php' > $HTMLYHASH_FILENAME

  1286.     echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $HTMLYHASH_FILENAME

  1287.     echo '$password = $_GET["password"];' >> $HTMLYHASH_FILENAME

  1288.     echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $HTMLYHASH_FILENAME

  1289.     echo 'if (password_verify($password, $hash)) {' >> $HTMLYHASH_FILENAME

  1290.     echo '  echo $hash;' >> $HTMLYHASH_FILENAME

  1291.     echo '}' >> $HTMLYHASH_FILENAME

  1292.     echo '?>' >> $HTMLYHASH_FILENAME

  1293. 

  1294.     php $HTMLYHASH_FILENAME password="$pass"

  1295. }

  1296. 

  1297. function show_help {

  1298.     echo ''

  1299.     echo "${PROJECT_NAME}-sec"

  1300.     echo ''

  1301.     echo $'Alters the security settings'

  1302.     echo ''

  1303.     echo ''

  1304.     echo $'  -h --help                 Show help'

  1305.     echo $'  -e --export               Export security settings to a file'

  1306.     echo $'  -i --import               Import security settings from a file'

  1307.     echo $'  -r --refresh              Refresh GPG keys for all users'

  1308.     echo $'  -s --sign                 Sign monkeysphere server keys'

  1309.     echo $'     --register [domain]    Register a https domain with monkeysphere'

  1310.     echo $'  -b --htmlyhash [password] Returns the hash of a password for a htmly blog'

  1311.     echo ''

  1312.     exit 0

  1313. }

  1314. 

  1315. 

  1316. # Get the commandline options

  1317. while [[ $# > 1 ]]

  1318. do

  1319.     key="$1"

  1320. 

  1321.     case $key in

  1322.         -h|--help)

  1323.             show_help

  1324.             ;;

  1325.         # Export settings

  1326.         -e|--export)

  1327.             shift

  1328.             EXPORT_FILE="$1"

  1329.             ;;

  1330.         # Export settings

  1331.         -i|--import)

  1332.             shift

  1333.             IMPORT_FILE="$1"

  1334.             ;;

  1335.         # Refresh GPG keys

  1336.         -r|--refresh)

  1337.             shift

  1338.             refresh_gpg_keys

  1339.             ;;

  1340.         # register a website

  1341.         --register|--reg|--site)

  1342.             shift

  1343.             register_website "$1"

  1344.             ;;

  1345.         # user signs monkeysphere server keys

  1346.         -s|--sign)

  1347.             shift

  1348.             monkeysphere_sign_server_keys

  1349.             ;;

  1350.         # get a hash of the given htmly password

  1351.         -b|--htmlyhash)

  1352.             shift

  1353.             htmly_hash "$1"

  1354.             exit 0

  1355.             ;;

  1356.         *)

  1357.             # unknown option

  1358.             ;;

  1359.     esac

  1360.     shift

  1361. done

  1362. 

  1363. menu_security_settings

  1364. 

  1365. exit 0