freedombone-sec 42KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Alters the security settings
  12. #
  13. # License
  14. # =======
  15. #
  16. # Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
  17. #
  18. # This program is free software: you can redistribute it and/or modify
  19. # it under the terms of the GNU Affero General Public License as published by
  20. # the Free Software Foundation, either version 3 of the License, or
  21. # (at your option) any later version.
  22. #
  23. # This program is distributed in the hope that it will be useful,
  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  26. # GNU Affero General Public License for more details.
  27. #
  28. # You should have received a copy of the GNU Affero General Public License
  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  30. PROJECT_NAME='freedombone'
  31. export TEXTDOMAIN=${PROJECT_NAME}-sec
  32. export TEXTDOMAINDIR="/usr/share/locale"
  33. CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg
  34. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
  35. UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
  36. for f in $UTILS_FILES
  37. do
  38. source $f
  39. done
  40. SSL_PROTOCOLS=
  41. SSL_CIPHERS=
  42. SSH_CIPHERS=
  43. SSH_MACS=
  44. SSH_KEX=
  45. SSH_HOST_KEY_ALGORITHMS=
  46. SSH_PASSWORDS=
  47. XMPP_CIPHERS=
  48. XMPP_ECC_CURVE=
  49. WEBSITES_DIRECTORY='/etc/nginx/sites-available'
  50. DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
  51. SSH_CONFIG='/etc/ssh/sshd_config'
  52. XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'
  53. MINIMUM_LENGTH=6
  54. IMPORT_FILE=
  55. EXPORT_FILE=
  56. CURRENT_DIR=$(pwd)
  57. DH_KEYLENGTH=2048
  58. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
  59. MY_USERNAME=
  60. function export_passwords {
  61. detect_usb_drive
  62. data=$(tempfile 2>/dev/null)
  63. trap "rm -f $data" 0 1 2 5 15
  64. dialog --title $"Export passwords to USB drive $USB_DRIVE" \
  65. --backtitle $"Security Settings" \
  66. --defaultno \
  67. --yesno $"\nPlease confirm that you wish to export passwords to a LUKS formatted USB drive. The drive should be plugged in." 10 60
  68. sel=$?
  69. case $sel in
  70. 1) return;;
  71. 255) return;;
  72. esac
  73. data=$(tempfile 2>/dev/null)
  74. trap "rm -f $data" 0 1 2 5 15
  75. dialog --title $"Export passwords to USB drive $USB_DRIVE" \
  76. --backtitle $"Security Settings" \
  77. --defaultno \
  78. --yesno $"\nDo you need to format the drive as LUKS encrypted?" 12 60
  79. sel=$?
  80. case $sel in
  81. 0) ${PROJECT_NAME}-format $USB_DRIVE;;
  82. esac
  83. clear
  84. backup_mount_drive ${USB_DRIVE}
  85. ${PROJECT_NAME}-pass --export ${USB_MOUNT}/${PROJECT_NAME}-passwords.xml
  86. backup_unmount_drive ${USB_DRIVE}
  87. }
  88. function get_protocols_from_website {
  89. if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
  90. return
  91. fi
  92. SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
  93. }
  94. function get_ciphers_from_website {
  95. if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
  96. return
  97. fi
  98. SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
  99. }
  100. function get_imap_settings {
  101. if [ ! -f $DOVECOT_CIPHERS ]; then
  102. return
  103. fi
  104. # clear commented out cipher list
  105. sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
  106. if [ $SSL_CIPHERS ]; then
  107. return
  108. fi
  109. if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
  110. return
  111. fi
  112. SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
  113. }
  114. function get_xmpp_settings {
  115. if [ ! -f $XMPP_CONFIG ]; then
  116. return
  117. fi
  118. XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  119. XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  120. }
  121. function get_ssh_settings {
  122. if [ -f $SSH_CONFIG ]; then
  123. SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
  124. fi
  125. if [ -f /etc/ssh/ssh_config ]; then
  126. SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
  127. fi
  128. }
  129. function change_website_settings {
  130. if [ ! "$SSL_PROTOCOLS" ]; then
  131. return
  132. fi
  133. if [ ! $SSL_CIPHERS ]; then
  134. return
  135. fi
  136. if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
  137. return
  138. fi
  139. if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
  140. return
  141. fi
  142. if [ ! -d $WEBSITES_DIRECTORY ]; then
  143. return
  144. fi
  145. cd $WEBSITES_DIRECTORY
  146. for file in `dir -d *` ; do
  147. sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
  148. sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  149. done
  150. systemctl restart nginx
  151. echo $'Web security settings changed'
  152. }
  153. function change_imap_settings {
  154. if [ ! -f $DOVECOT_CIPHERS ]; then
  155. return
  156. fi
  157. if [ ! $SSL_CIPHERS ]; then
  158. return
  159. fi
  160. if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
  161. return
  162. fi
  163. sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
  164. sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
  165. systemctl restart dovecot
  166. echo $'imap security settings changed'
  167. }
  168. function change_ssh_settings {
  169. if [ -f /etc/ssh/ssh_config ]; then
  170. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  171. sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
  172. echo $'ssh client security settings changed'
  173. fi
  174. fi
  175. if [ -f $SSH_CONFIG ]; then
  176. if [ ! $SSH_CIPHERS ]; then
  177. return
  178. fi
  179. if [ ! $SSH_MACS ]; then
  180. return
  181. fi
  182. if [ ! $SSH_KEX ]; then
  183. return
  184. fi
  185. if [ ! $SSH_PASSWORDS ]; then
  186. SSH_PASSWORDS='yes'
  187. fi
  188. sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
  189. sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
  190. sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
  191. sed -i "s|#PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
  192. sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
  193. systemctl restart ssh
  194. echo $'ssh server security settings changed'
  195. fi
  196. }
  197. function change_xmpp_settings {
  198. if [ ! -f $XMPP_CONFIG ]; then
  199. return
  200. fi
  201. if [ ! $XMPP_CIPHERS ]; then
  202. return
  203. fi
  204. if [ ! $XMPP_ECC_CURVE ]; then
  205. return
  206. fi
  207. sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
  208. sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
  209. systemctl restart prosody
  210. echo $'xmpp security settings changed'
  211. }
  212. function allow_ssh_passwords {
  213. dialog --title $"SSH Passwords" \
  214. --backtitle $"Freedombone Security Configuration" \
  215. --yesno $"\nAllow SSH login using passwords?" 7 60
  216. sel=$?
  217. case $sel in
  218. 0) SSH_PASSWORDS="yes";;
  219. 1) SSH_PASSWORDS="no";;
  220. 255) exit 0;;
  221. esac
  222. }
  223. function interactive_setup {
  224. if [ $SSL_CIPHERS ]; then
  225. data=$(tempfile 2>/dev/null)
  226. trap "rm -f $data" 0 1 2 5 15
  227. dialog --backtitle $"Freedombone Security Configuration" \
  228. --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
  229. $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
  230. $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
  231. 2> $data
  232. sel=$?
  233. case $sel in
  234. 1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
  235. SSL_CIPHERS=$(cat $data | sed -n 2p)
  236. ;;
  237. 255) exit 0;;
  238. esac
  239. fi
  240. data=$(tempfile 2>/dev/null)
  241. trap "rm -f $data" 0 1 2 5 15
  242. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  243. dialog --backtitle $"Freedombone Security Configuration" \
  244. --form $"\nSecure Shell Ciphers:" 13 95 4 \
  245. $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
  246. $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
  247. $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
  248. $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
  249. 2> $data
  250. sel=$?
  251. case $sel in
  252. 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
  253. SSH_MACS=$(cat $data | sed -n 2p)
  254. SSH_KEX=$(cat $data | sed -n 3p)
  255. SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
  256. ;;
  257. 255) exit 0;;
  258. esac
  259. else
  260. dialog --backtitle $"Freedombone Security Configuration" \
  261. --form $"\nSecure Shell Ciphers:" 11 95 3 \
  262. $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
  263. $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
  264. $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
  265. 2> $data
  266. sel=$?
  267. case $sel in
  268. 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
  269. SSH_MACS=$(cat $data | sed -n 2p)
  270. SSH_KEX=$(cat $data | sed -n 3p)
  271. ;;
  272. 255) exit 0;;
  273. esac
  274. fi
  275. if [ $XMPP_CIPHERS ]; then
  276. data=$(tempfile 2>/dev/null)
  277. trap "rm -f $data" 0 1 2 5 15
  278. dialog --backtitle $"Freedombone Security Configuration" \
  279. --form $"\nXMPP Ciphers:" 10 95 2 \
  280. $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
  281. $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
  282. 2> $data
  283. sel=$?
  284. case $sel in
  285. 1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
  286. XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
  287. ;;
  288. 255) exit 0;;
  289. esac
  290. fi
  291. dialog --title $"Final Confirmation" \
  292. --backtitle $"Freedombone Security Configuration" \
  293. --defaultno \
  294. --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
  295. sel=$?
  296. case $sel in
  297. 1) clear
  298. echo $'Exiting without changing security settings'
  299. exit 0;;
  300. 255) clear
  301. echo $'Exiting without changing security settings'
  302. exit 0;;
  303. esac
  304. clear
  305. }
  306. function send_monkeysphere_server_keys_to_users {
  307. monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')
  308. for d in /home/*/ ; do
  309. USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
  310. if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
  311. if [ ! -d /home/$USERNAME/.monkeysphere ]; then
  312. mkdir /home/$USERNAME/.monkeysphere
  313. fi
  314. echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys
  315. chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere
  316. fi
  317. done
  318. }
  319. function regenerate_ssh_host_keys {
  320. rm -f /etc/ssh/ssh_host_*
  321. dpkg-reconfigure openssh-server
  322. echo $'ssh host keys regenerated'
  323. # remove small moduli
  324. awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
  325. mv ~/moduli /etc/ssh/moduli
  326. echo $'ssh small moduli removed'
  327. # update monkeysphere
  328. DEFAULT_DOMAIN_NAME=
  329. read_config_param "DEFAULT_DOMAIN_NAME"
  330. monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
  331. SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
  332. monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
  333. monkeysphere-host publish-key
  334. send_monkeysphere_server_keys_to_users
  335. echo $'updated monkeysphere ssh host key'
  336. systemctl restart ssh
  337. }
  338. function regenerate_dh_keys {
  339. if [ ! -d /etc/ssl/mycerts ]; then
  340. echo $'No dhparam certificates were found'
  341. return
  342. fi
  343. data=$(tempfile 2>/dev/null)
  344. trap "rm -f $data" 0 1 2 5 15
  345. dialog --backtitle "Freedombone Security Configuration" \
  346. --title "Diffie-Hellman key length" \
  347. --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
  348. 1 "2048 bits" off \
  349. 2 "3072 bits" on \
  350. 3 "4096 bits" off 2> $data
  351. sel=$?
  352. case $sel in
  353. 1) exit 1;;
  354. 255) exit 1;;
  355. esac
  356. case $(cat $data) in
  357. 1) DH_KEYLENGTH=2048;;
  358. 2) DH_KEYLENGTH=3072;;
  359. 3) DH_KEYLENGTH=4096;;
  360. esac
  361. ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
  362. }
  363. function renew_startssl {
  364. renew_domain=
  365. data=$(tempfile 2>/dev/null)
  366. trap "rm -f $data" 0 1 2 5 15
  367. dialog --title $"Renew a StartSSL certificate" \
  368. --backtitle $"Freedombone Security Settings" \
  369. --inputbox $"Enter the domain name" 8 60 2>$data
  370. sel=$?
  371. case $sel in
  372. 0)
  373. renew_domain=$(<$data)
  374. ;;
  375. esac
  376. if [ ! $renew_domain ]; then
  377. return
  378. fi
  379. if [[ $renew_domain == "http"* ]]; then
  380. dialog --title $"Renew a StartSSL certificate" \
  381. --msgbox $"Don't include the https://" 6 40
  382. return
  383. fi
  384. if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
  385. dialog --title $"Renew a StartSSL certificate" \
  386. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  387. return
  388. fi
  389. if [[ $renew_domain != *"."* ]]; then
  390. dialog --title $"Renew a StartSSL certificate" \
  391. --msgbox $"Invalid domain name: $renew_domain" 6 40
  392. return
  393. fi
  394. ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
  395. exit 0
  396. }
  397. function renew_letsencrypt {
  398. renew_domain=
  399. data=$(tempfile 2>/dev/null)
  400. trap "rm -f $data" 0 1 2 5 15
  401. dialog --title $"Renew a Let's Encrypt certificate" \
  402. --backtitle $"Freedombone Security Settings" \
  403. --inputbox $"Enter the domain name" 8 60 2>$data
  404. sel=$?
  405. case $sel in
  406. 0)
  407. renew_domain=$(<$data)
  408. ;;
  409. esac
  410. if [ ! $renew_domain ]; then
  411. return
  412. fi
  413. if [[ $renew_domain == "http"* ]]; then
  414. dialog --title $"Renew a Let's Encrypt certificate" \
  415. --msgbox $"Don't include the https://" 6 40
  416. return
  417. fi
  418. if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
  419. dialog --title $"Renew a Let's Encrypt certificate" \
  420. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  421. return
  422. fi
  423. if [[ $renew_domain != *"."* ]]; then
  424. dialog --title $"Renew a Let's Encrypt certificate" \
  425. --msgbox $"Invalid domain name: $renew_domain" 6 40
  426. return
  427. fi
  428. ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
  429. exit 0
  430. }
  431. function delete_letsencrypt {
  432. delete_domain=
  433. data=$(tempfile 2>/dev/null)
  434. trap "rm -f $data" 0 1 2 5 15
  435. dialog --title $"Delete a Let's Encrypt certificate" \
  436. --backtitle $"Freedombone Security Settings" \
  437. --inputbox $"Enter the domain name" 8 60 2>$data
  438. sel=$?
  439. case $sel in
  440. 0)
  441. delete_domain=$(<$data)
  442. ;;
  443. esac
  444. if [ ! $delete_domain ]; then
  445. return
  446. fi
  447. if [[ $delete_domain == "http"* ]]; then
  448. dialog --title $"Delete a Let's Encrypt certificate" \
  449. --msgbox $"Don't include the https://" 6 40
  450. return
  451. fi
  452. if [ ! -f /etc/ssl/certs/${delete_domain}.dhparam ]; then
  453. dialog --title $"Delete a Let's Encrypt certificate" \
  454. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  455. return
  456. fi
  457. if [[ $delete_domain != *"."* ]]; then
  458. dialog --title $"Delete a Let's Encrypt certificate" \
  459. --msgbox $"Invalid domain name: $delete_domain" 6 40
  460. return
  461. fi
  462. ${PROJECT_NAME}-addcert -r $delete_domain
  463. exit 0
  464. }
  465. function create_letsencrypt {
  466. new_domain=
  467. data=$(tempfile 2>/dev/null)
  468. trap "rm -f $data" 0 1 2 5 15
  469. dialog --title $"Create a new Let's Encrypt certificate" \
  470. --backtitle $"Freedombone Security Settings" \
  471. --inputbox $"Enter the domain name" 8 60 2>$data
  472. sel=$?
  473. case $sel in
  474. 0)
  475. new_domain=$(<$data)
  476. ;;
  477. esac
  478. if [ ! $new_domain ]; then
  479. return
  480. fi
  481. if [[ $new_domain == "http"* ]]; then
  482. dialog --title $"Create a new Let's Encrypt certificate" \
  483. --msgbox $"Don't include the https://" 6 40
  484. return
  485. fi
  486. if [[ $new_domain != *"."* ]]; then
  487. dialog --title $"Create a new Let's Encrypt certificate" \
  488. --msgbox $"Invalid domain name: $new_domain" 6 40
  489. return
  490. fi
  491. if [ ! -d /var/www/${new_domain} ]; then
  492. domain_found=
  493. if [ -f /etc/nginx/sites-available/radicale ]; then
  494. if grep "${new_domain}" /etc/nginx/sites-available/radicale; then
  495. domain_found=1
  496. fi
  497. fi
  498. if [ -f /etc/nginx/sites-available/${new_domain} ]; then
  499. domain_found=1
  500. fi
  501. if [[ "${new_domain}" == "jitsi"* || "${new_domain}" == "meet"* ]]; then
  502. domain_found=1
  503. fi
  504. if [ ! $domain_found ]; then
  505. dialog --title $"Create a new Let's Encrypt certificate" \
  506. --msgbox $'Domain not found within /var/www' 6 40
  507. return
  508. fi
  509. fi
  510. ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
  511. exit 0
  512. }
  513. function update_ciphersuite {
  514. RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"
  515. if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
  516. return
  517. fi
  518. RECOMMENDED_SSL_PROTOCOLS="$SSL_PROTOCOLS"
  519. if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then
  520. return
  521. fi
  522. RECOMMENDED_SSH_CIPHERS="$SSH_CIPHERS"
  523. if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then
  524. return
  525. fi
  526. RECOMMENDED_SSH_MACS="$SSH_MACS"
  527. if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then
  528. return
  529. fi
  530. RECOMMENDED_SSH_KEX="$SSH_KEX"
  531. if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then
  532. return
  533. fi
  534. cd $WEBSITES_DIRECTORY
  535. for file in `dir -d *` ; do
  536. sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
  537. sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  538. done
  539. systemctl restart nginx
  540. write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"
  541. write_config_param "SSL_CIPHERS" "$RECOMMENDED_SSL_CIPHERS"
  542. sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG
  543. sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG
  544. sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG
  545. systemctl restart ssh
  546. write_config_param "SSH_CIPHERS" "$RECOMMENDED_SSH_CIPHERS"
  547. write_config_param "SSH_MACS" "$RECOMMENDED_SSH_MACS"
  548. write_config_param "SSH_KEX" "$RECOMMENDED_SSH_KEX"
  549. dialog --title $"Update ciphersuite" \
  550. --msgbox $"The ciphersuite has been updated to recommended versions" 6 40
  551. exit 0
  552. }
  553. function gpg_pubkey_from_email {
  554. key_owner_username=$1
  555. key_email_address=$2
  556. key_id=
  557. if [[ $key_owner_username != "root" ]]; then
  558. key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
  559. else
  560. key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
  561. fi
  562. echo $key_id
  563. }
  564. function enable_monkeysphere {
  565. monkey=
  566. dialog --title $"GPG based authentication" \
  567. --backtitle $"Freedombone Security Configuration" \
  568. --defaultno \
  569. --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60
  570. sel=$?
  571. case $sel in
  572. 0) monkey='yes';;
  573. 255) exit 0;;
  574. esac
  575. if [ $monkey ]; then
  576. read_config_param "MY_USERNAME"
  577. if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then
  578. dialog --title $"GPG based authentication" \
  579. --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40
  580. exit 0
  581. fi
  582. MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
  583. if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
  584. echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'
  585. exit 52825
  586. fi
  587. sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
  588. sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config
  589. monkeysphere-authentication update-users
  590. # The admin user is the identity certifier
  591. fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')
  592. monkeysphere-authentication add-identity-certifier $fpr
  593. monkeysphere-host publish-key
  594. send_monkeysphere_server_keys_to_users
  595. else
  596. sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
  597. sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config
  598. fi
  599. systemctl restart ssh
  600. if [ $monkey ]; then
  601. dialog --title $"GPG based authentication" \
  602. --msgbox $"GPG based authentication was enabled" 6 40
  603. else
  604. dialog --title $"GPG based authentication" \
  605. --msgbox $"GPG based authentication was disabled" 6 40
  606. fi
  607. exit 0
  608. }
  609. function register_website {
  610. domain="$1"
  611. if [[ ${domain} == *".local" ]]; then
  612. echo $"Can't register local domains"
  613. return
  614. fi
  615. if [ ! -f /etc/ssl/private/${domain}.key ]; then
  616. echo $"No SSL/TLS private key found for ${domain}"
  617. return
  618. fi
  619. if [ ! -f /etc/nginx/sites-available/${domain} ]; then
  620. echo $"No virtual host found for ${domain}"
  621. return
  622. fi
  623. monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}
  624. monkeysphere-host publish-key
  625. echo "0"
  626. }
  627. function register_website_interactive {
  628. data=$(tempfile 2>/dev/null)
  629. trap "rm -f $data" 0 1 2 5 15
  630. dialog --title $"Register a website with monkeysphere" \
  631. --backtitle $"Freedombone Security Settings" \
  632. --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
  633. sel=$?
  634. case $sel in
  635. 0)
  636. domain=$(<$data)
  637. register_website "$domain"
  638. if [ ! "$?" = "0" ]; then
  639. dialog --title $"Register a website with monkeysphere" \
  640. --msgbox "$?" 6 40
  641. else
  642. dialog --title $"Register a website with monkeysphere" \
  643. --msgbox $"$domain has been registered" 6 40
  644. fi
  645. ;;
  646. esac
  647. }
  648. function pin_all_tls_certs {
  649. ${PROJECT_NAME}-pin-cert all
  650. }
  651. function remove_pinning {
  652. data=$(tempfile 2>/dev/null)
  653. trap "rm -f $data" 0 1 2 5 15
  654. dialog --title $"Remove pinning for a domain" \
  655. --backtitle $"Freedombone Security Settings" \
  656. --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
  657. sel=$?
  658. case $sel in
  659. 0)
  660. domain=$(<$data)
  661. ${PROJECT_NAME}-pin-cert "$domain" remove
  662. if [ ! "$?" = "0" ]; then
  663. dialog --title $"Removed pinning from $domain" \
  664. --msgbox "$?" 6 40
  665. fi
  666. ;;
  667. esac
  668. }
  669. function store_passwords {
  670. dialog --title $"Store Passwords" \
  671. --backtitle $"Freedombone Security Configuration" \
  672. --yesno $"\nDo you wish to store passwords on the system? Stored passwords are convenient but carry some additional security risk." 10 60
  673. sel=$?
  674. case $sel in
  675. 0)
  676. if [ -f /root/.nostore ]; then
  677. read_config_param "MY_USERNAME"
  678. if [ ! -f /home/$MY_USERNAME/.ssh/authorized_keys ]; then
  679. dialog --title $"Store Passwords" \
  680. --msgbox $"\nYou should first enable key based ssh login to improve security" 8 60
  681. return
  682. fi
  683. if [[ $SSH_PASSWORDS == 'yes' ]]; then
  684. dialog --title $"Store Passwords" \
  685. --msgbox $"\nYou should disable ssh passwords to improve security" 8 60
  686. return
  687. fi
  688. ${PROJECT_NAME}-pass --enable yes
  689. dialog --title $"Store Passwords" \
  690. --msgbox $"\nUser passwords will now be stored on the system" 8 60
  691. fi
  692. return
  693. ;;
  694. 1)
  695. ${PROJECT_NAME}-pass --clear yes
  696. dialog --title $"Passwords were removed and will not be stored" \
  697. --msgbox $"\nFor the best security you should now manually change passwords via web interfaces so that there is no possibility of them being recovered from the disk" 9 60
  698. return
  699. ;;
  700. 255) return;;
  701. esac
  702. }
  703. function show_tor_bridges {
  704. clear
  705. bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
  706. if [ ${#bridges_list} -eq 0 ]; then
  707. echo $'No Tor bridges have been added'
  708. return
  709. fi
  710. echo "${bridges_list}"
  711. }
  712. function add_tor_bridge {
  713. data=$(tempfile 2>/dev/null)
  714. trap "rm -f $data" 0 1 2 5 15
  715. dialog --backtitle $"Freedombone Control Panel" \
  716. --title $"Add obfs4 Tor bridge" \
  717. --form "\n" 9 60 4 \
  718. $"IP address: " 1 1 " . . . " 1 17 16 16 \
  719. $"Port: " 2 1 "" 2 17 8 8 \
  720. $"Key/Nickname: " 3 1 "" 3 17 250 250 \
  721. 2> $data
  722. sel=$?
  723. case $sel in
  724. 1) return;;
  725. 255) return;;
  726. esac
  727. bridge_ip_address=$(cat $data | sed -n 1p)
  728. bridge_port=$(cat $data | sed -n 2p)
  729. bridge_key=$(cat $data | sed -n 3p)
  730. if [[ "${bridge_ip_address}" == *" "* ]]; then
  731. return
  732. fi
  733. if [[ "${bridge_ip_address}" != *"."* ]]; then
  734. return
  735. fi
  736. if [ ${#bridge_port} -eq 0 ]; then
  737. return
  738. fi
  739. if [ ${#bridge_key} -eq 0 ]; then
  740. return
  741. fi
  742. tor_add_bridge "${bridge_ip_address}" "${bridge_port}" "${bridge_key}"
  743. dialog --title $"Add obfs4 Tor bridge" \
  744. --msgbox $"Bridge added" 6 40
  745. }
  746. function remove_tor_bridge {
  747. bridge_removed=
  748. data=$(tempfile 2>/dev/null)
  749. trap "rm -f $data" 0 1 2 5 15
  750. dialog --title $"Remove obfs4 Tor bridge" \
  751. --backtitle $"Freedombone Control Panel" \
  752. --inputbox $"Enter the IP address, key or Nickname of the bridge" 8 65 2>$data
  753. sel=$?
  754. case $sel in
  755. 0)
  756. response=$(<$data)
  757. if [ ${#response} -gt 2 ]; then
  758. if [[ "${response}" != *" "* ]]; then
  759. if [[ "${response}" == *"."* ]]; then
  760. if grep "Bridge ${response}" /etc/tor/torrc; then
  761. tor_remove_bridge "${response}"
  762. bridge_removed=1
  763. fi
  764. else
  765. if grep " $response" /etc/tor/torrc; then
  766. tor_remove_bridge "${response}"
  767. bridge_removed=1
  768. fi
  769. fi
  770. fi
  771. fi
  772. ;;
  773. esac
  774. if [ $bridge_removed ]; then
  775. dialog --title $"Remove obfs4 Tor bridge" \
  776. --msgbox $"Bridge removed" 6 40
  777. fi
  778. }
  779. function add_tor_bridge_relay {
  780. read_config_param 'TOR_BRIDGE_NICKNAME'
  781. read_config_param 'TOR_BRIDGE_PORT'
  782. # remove any previous bridge port from the firewall
  783. if [ ${#TOR_BRIDGE_PORT} -gt 0 ]; then
  784. firewall_remove $TOR_BRIDGE_PORT tcp
  785. fi
  786. data=$(tempfile 2>/dev/null)
  787. trap "rm -f $data" 0 1 2 5 15
  788. dialog --backtitle $"Freedombone Control Panel" \
  789. --title $"Become an obfs4 Tor bridge relay" \
  790. --form "\n" 8 60 2 \
  791. $"Bridge Nickname: " 1 1 "$TOR_BRIDGE_NICKNAME" 1 20 250 250 \
  792. 2> $data
  793. sel=$?
  794. case $sel in
  795. 1) return;;
  796. 255) return;;
  797. esac
  798. bridge_nickname=$(cat $data | sed -n 1p)
  799. if [[ "${bridge_nickname}" == *" "* ]]; then
  800. return
  801. fi
  802. if [ ${#bridge_nickname} -eq 0 ]; then
  803. return
  804. fi
  805. TOR_BRIDGE_NICKNAME="$bridge_nickname"
  806. TOR_BRIDGE_PORT=$((20000 + RANDOM % 40000))
  807. write_config_param 'TOR_BRIDGE_NICKNAME' "$TOR_BRIDGE_NICKNAME"
  808. write_config_param 'TOR_BRIDGE_PORT' "$TOR_BRIDGE_PORT"
  809. tor_create_bridge_relay
  810. dialog --title $"You are now an obfs4 Tor bridge relay" \
  811. --msgbox $"\nIP address: $(get_ipv4_address)\n\nPort: ${TOR_BRIDGE_PORT}\n\nNickname: ${TOR_BRIDGE_NICKNAME}" 10 65
  812. }
  813. function remove_tor_bridge_relay {
  814. tor_remove_bridge_relay
  815. dialog --title $"Remove Tor bridge relay" \
  816. --msgbox $"Bridge relay removed" 10 60
  817. }
  818. function menu_tor_bridges {
  819. data=$(tempfile 2>/dev/null)
  820. trap "rm -f $data" 0 1 2 5 15
  821. dialog --backtitle $"Freedombone Control Panel" \
  822. --title $"Tor Bridges" \
  823. --radiolist $"Choose an operation:" 14 50 6 \
  824. 1 $"Show bridges" off \
  825. 2 $"Add a bridge" off \
  826. 3 $"Remove a bridge" off \
  827. 4 $"Make this system into a bridge" off \
  828. 5 $"Stop being a bridge" off \
  829. 6 $"Go Back/Exit" on 2> $data
  830. sel=$?
  831. case $sel in
  832. 1) exit 1;;
  833. 255) exit 1;;
  834. esac
  835. case $(cat $data) in
  836. 1)
  837. show_tor_bridges
  838. exit 0
  839. ;;
  840. 2)
  841. add_tor_bridge
  842. exit 0
  843. ;;
  844. 3)
  845. remove_tor_bridge
  846. exit 0
  847. ;;
  848. 4)
  849. add_tor_bridge_relay
  850. exit 0
  851. ;;
  852. 5)
  853. remove_tor_bridge_relay
  854. exit 0
  855. ;;
  856. 6)
  857. exit 0
  858. ;;
  859. esac
  860. }
  861. function menu_security_settings {
  862. data=$(tempfile 2>/dev/null)
  863. trap "rm -f $data" 0 1 2 5 15
  864. dialog --backtitle $"Freedombone Control Panel" \
  865. --title $"Security Settings" \
  866. --radiolist $"Choose an operation:" 22 76 22 \
  867. 1 $"Run STIG tests" off \
  868. 2 $"Show ssh host public key" off \
  869. 3 $"Tor bridges" off \
  870. 4 $"Password storage" off \
  871. 5 $"Export passwords" off \
  872. 6 $"Regenerate ssh host keys" off \
  873. 7 $"Regenerate Diffie-Hellman keys" off \
  874. 8 $"Update cipersuite" off \
  875. 9 $"Create a new Let's Encrypt certificate" off \
  876. 10 $"Renew Let's Encrypt certificate" off \
  877. 11 $"Delete a Let's Encrypt certificate" off \
  878. 12 $"Enable GPG based authentication (monkeysphere)" off \
  879. 13 $"Register a website with monkeysphere" off \
  880. 14 $"Allow ssh login with passwords" off \
  881. 15 $"Go Back/Exit" on 2> $data
  882. sel=$?
  883. case $sel in
  884. 1) exit 1;;
  885. 255) exit 1;;
  886. esac
  887. clear
  888. read_config_param SSL_CIPHERS
  889. read_config_param SSL_PROTOCOLS
  890. read_config_param SSH_CIPHERS
  891. read_config_param SSH_MACS
  892. read_config_param SSH_KEX
  893. get_imap_settings
  894. get_ssh_settings
  895. get_xmpp_settings
  896. import_settings
  897. export_settings
  898. case $(cat $data) in
  899. 1)
  900. clear
  901. echo $'Running STIG tests...'
  902. echo ''
  903. ${PROJECT_NAME}-tests --stig showall
  904. exit 0
  905. ;;
  906. 2)
  907. dialog --title $"SSH host public keys" \
  908. --msgbox "\n$(get_ssh_server_key)" 12 60
  909. exit 0
  910. ;;
  911. 3)
  912. menu_tor_bridges
  913. exit 0
  914. ;;
  915. 4)
  916. store_passwords
  917. exit 0
  918. ;;
  919. 5)
  920. export_passwords
  921. exit 0
  922. ;;
  923. 6)
  924. regenerate_ssh_host_keys
  925. ;;
  926. 7)
  927. regenerate_dh_keys
  928. ;;
  929. 8)
  930. interactive_setup
  931. update_ciphersuite
  932. ;;
  933. 9)
  934. create_letsencrypt
  935. ;;
  936. 10)
  937. renew_letsencrypt
  938. ;;
  939. 11)
  940. delete_letsencrypt
  941. ;;
  942. 12)
  943. enable_monkeysphere
  944. ;;
  945. 13)
  946. register_website
  947. ;;
  948. 14)
  949. allow_ssh_passwords
  950. change_ssh_settings
  951. exit 0
  952. ;;
  953. 15)
  954. exit 0
  955. ;;
  956. esac
  957. change_website_settings
  958. change_imap_settings
  959. change_ssh_settings
  960. change_xmpp_settings
  961. }
  962. function import_settings {
  963. cd $CURRENT_DIR
  964. if [ ! $IMPORT_FILE ]; then
  965. return
  966. fi
  967. if [ ! -f $IMPORT_FILE ]; then
  968. echo $"Import file $IMPORT_FILE not found"
  969. exit 6393
  970. fi
  971. if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
  972. TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
  973. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  974. SSL_PROTOCOLS=$TEMP_VALUE
  975. fi
  976. fi
  977. if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
  978. TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  979. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  980. SSL_CIPHERS=$TEMP_VALUE
  981. fi
  982. fi
  983. if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
  984. TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  985. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  986. SSH_CIPHERS=$TEMP_VALUE
  987. fi
  988. fi
  989. if grep -q "SSH_MACS" $IMPORT_FILE; then
  990. TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
  991. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  992. SSH_MACS=$TEMP_VALUE
  993. fi
  994. fi
  995. if grep -q "SSH_KEX" $IMPORT_FILE; then
  996. TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
  997. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  998. SSH_KEX=$TEMP_VALUE
  999. fi
  1000. fi
  1001. if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
  1002. TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
  1003. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  1004. SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
  1005. fi
  1006. fi
  1007. if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
  1008. TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
  1009. if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
  1010. SSH_PASSWORDS=$TEMP_VALUE
  1011. fi
  1012. fi
  1013. if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
  1014. TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  1015. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  1016. XMPP_CIPHERS=$TEMP_VALUE
  1017. fi
  1018. fi
  1019. if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
  1020. TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
  1021. if [ ${#TEMP_VALUE} -gt 3 ]; then
  1022. XMPP_ECC_CURVE=$TEMP_VALUE
  1023. fi
  1024. fi
  1025. }
  1026. function export_settings {
  1027. if [ ! $EXPORT_FILE ]; then
  1028. return
  1029. fi
  1030. cd $CURRENT_DIR
  1031. if [ ! -f $EXPORT_FILE ]; then
  1032. if [ "$SSL_PROTOCOLS" ]; then
  1033. echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
  1034. fi
  1035. if [ $SSL_CIPHERS ]; then
  1036. echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
  1037. fi
  1038. if [ $SSH_CIPHERS ]; then
  1039. echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
  1040. fi
  1041. if [ $SSH_MACS ]; then
  1042. echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
  1043. fi
  1044. if [ $SSH_KEX ]; then
  1045. echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
  1046. fi
  1047. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  1048. echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
  1049. fi
  1050. if [ $SSH_PASSWORDS ]; then
  1051. echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
  1052. fi
  1053. if [ $XMPP_CIPHERS ]; then
  1054. echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
  1055. fi
  1056. if [ $XMPP_ECC_CURVE ]; then
  1057. echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
  1058. fi
  1059. echo "Security settings exported to $EXPORT_FILE"
  1060. exit 0
  1061. fi
  1062. if [ "$SSL_PROTOCOLS" ]; then
  1063. if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
  1064. sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
  1065. else
  1066. echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
  1067. fi
  1068. fi
  1069. if [ $SSL_CIPHERS ]; then
  1070. if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
  1071. sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
  1072. else
  1073. echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
  1074. fi
  1075. fi
  1076. if [ $SSH_CIPHERS ]; then
  1077. if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
  1078. sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
  1079. else
  1080. echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
  1081. fi
  1082. fi
  1083. if [ $SSH_MACS ]; then
  1084. if grep -q "SSH_MACS" $EXPORT_FILE; then
  1085. sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
  1086. else
  1087. echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
  1088. fi
  1089. fi
  1090. if [ $SSH_KEX ]; then
  1091. if grep -q "SSH_KEX" $EXPORT_FILE; then
  1092. sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
  1093. else
  1094. echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
  1095. fi
  1096. fi
  1097. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  1098. if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
  1099. sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
  1100. else
  1101. echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
  1102. fi
  1103. fi
  1104. if [ $SSH_PASSWORDS ]; then
  1105. if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
  1106. sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
  1107. else
  1108. echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
  1109. fi
  1110. fi
  1111. if [ $XMPP_CIPHERS ]; then
  1112. if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
  1113. sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
  1114. else
  1115. echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
  1116. fi
  1117. fi
  1118. if [ $XMPP_ECC_CURVE ]; then
  1119. if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
  1120. sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
  1121. else
  1122. echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
  1123. fi
  1124. fi
  1125. echo $"Security settings exported to $EXPORT_FILE"
  1126. exit 0
  1127. }
  1128. function refresh_gpg_keys {
  1129. for d in /home/*/ ; do
  1130. USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
  1131. if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
  1132. su -c 'gpg --refresh-keys' - $USERNAME
  1133. fi
  1134. done
  1135. exit 0
  1136. }
  1137. function monkeysphere_sign_server_keys {
  1138. server_keys_file=/home/$USER/.monkeysphere/server_keys
  1139. if [ ! -f $server_keys_file ]; then
  1140. exit 0
  1141. fi
  1142. keys_signed=
  1143. while read line; do
  1144. echo $line
  1145. if [ ${#line} -gt 2 ]; then
  1146. fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')
  1147. if [ ${#fpr} -gt 2 ]; then
  1148. gpg --sign-key $fpr
  1149. if [ "$?" = "0" ]; then
  1150. gpg --update-trustdb
  1151. keys_signed=1
  1152. fi
  1153. fi
  1154. fi
  1155. done <$server_keys_file
  1156. if [ $keys_signed ]; then
  1157. rm $server_keys_file
  1158. fi
  1159. exit 0
  1160. }
  1161. function htmly_hash {
  1162. # produces a hash corresponding to a htmly password
  1163. pass="$1"
  1164. HTMLYHASH_FILENAME=/usr/bin/htmlyhash
  1165. echo '<?php' > $HTMLYHASH_FILENAME
  1166. echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $HTMLYHASH_FILENAME
  1167. echo '$password = $_GET["password"];' >> $HTMLYHASH_FILENAME
  1168. echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $HTMLYHASH_FILENAME
  1169. echo 'if (password_verify($password, $hash)) {' >> $HTMLYHASH_FILENAME
  1170. echo ' echo $hash;' >> $HTMLYHASH_FILENAME
  1171. echo '}' >> $HTMLYHASH_FILENAME
  1172. echo '?>' >> $HTMLYHASH_FILENAME
  1173. php $HTMLYHASH_FILENAME password="$pass"
  1174. }
  1175. function show_help {
  1176. echo ''
  1177. echo "${PROJECT_NAME}-sec"
  1178. echo ''
  1179. echo $'Alters the security settings'
  1180. echo ''
  1181. echo ''
  1182. echo $' -h --help Show help'
  1183. echo $' -e --export Export security settings to a file'
  1184. echo $' -i --import Import security settings from a file'
  1185. echo $' -r --refresh Refresh GPG keys for all users'
  1186. echo $' -s --sign Sign monkeysphere server keys'
  1187. echo $' --register [domain] Register a https domain with monkeysphere'
  1188. echo $' -b --htmlyhash [password] Returns the hash of a password for a htmly blog'
  1189. echo ''
  1190. exit 0
  1191. }
  1192. # Get the commandline options
  1193. while [[ $# > 1 ]]
  1194. do
  1195. key="$1"
  1196. case $key in
  1197. -h|--help)
  1198. show_help
  1199. ;;
  1200. # Export settings
  1201. -e|--export)
  1202. shift
  1203. EXPORT_FILE="$1"
  1204. ;;
  1205. # Export settings
  1206. -i|--import)
  1207. shift
  1208. IMPORT_FILE="$1"
  1209. ;;
  1210. # Refresh GPG keys
  1211. -r|--refresh)
  1212. shift
  1213. refresh_gpg_keys
  1214. ;;
  1215. # register a website
  1216. --register|--reg|--site)
  1217. shift
  1218. register_website "$1"
  1219. ;;
  1220. # user signs monkeysphere server keys
  1221. -s|--sign)
  1222. shift
  1223. monkeysphere_sign_server_keys
  1224. ;;
  1225. # get a hash of the given htmly password
  1226. -b|--htmlyhash)
  1227. shift
  1228. htmly_hash "$1"
  1229. exit 0
  1230. ;;
  1231. *)
  1232. # unknown option
  1233. ;;
  1234. esac
  1235. shift
  1236. done
  1237. menu_security_settings
  1238. exit 0