free
/
freedombone
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
7346 Commits
5 Branches
Tree: 2e630eb991
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2e630eb991'
${ noResults }
freedombone/src/freedombone-sec

freedombone-sec 42KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Alters the security settings

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. PROJECT_NAME='freedombone'

  32. 

  33. export TEXTDOMAIN=${PROJECT_NAME}-sec

  34. export TEXTDOMAINDIR="/usr/share/locale"

  35. 

  36. CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg

  37. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt

  38. 

  39. UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*

  40. for f in $UTILS_FILES

  41. do

  42.     source $f

  43. done

  44. 

  45. SSL_PROTOCOLS=

  46. SSL_CIPHERS=

  47. SSH_CIPHERS=

  48. SSH_MACS=

  49. SSH_KEX=

  50. SSH_HOST_KEY_ALGORITHMS=

  51. SSH_PASSWORDS=

  52. XMPP_CIPHERS=

  53. XMPP_ECC_CURVE=

  54. 

  55. WEBSITES_DIRECTORY='/etc/nginx/sites-available'

  56. DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'

  57. SSH_CONFIG='/etc/ssh/sshd_config'

  58. XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'

  59. 

  60. MINIMUM_LENGTH=6

  61. 

  62. IMPORT_FILE=

  63. EXPORT_FILE=

  64. 

  65. CURRENT_DIR=$(pwd)

  66. 

  67. DH_KEYLENGTH=2048

  68. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  69. 

  70. MY_USERNAME=

  71. 

  72. function export_passwords {

  73.     detect_usb_drive

  74.     data=$(tempfile 2>/dev/null)

  75.     trap "rm -f $data" 0 1 2 5 15

  76.     dialog --title $"Export passwords to USB drive $USB_DRIVE" \

  77.            --backtitle $"Security Settings" \

  78.            --defaultno \

  79.            --yesno $"\nPlease confirm that you wish to export passwords to a LUKS formatted USB drive. The drive should be plugged in." 10 60

  80.     sel=$?

  81.     case $sel in

  82.         1) return;;

  83.         255) return;;

  84.     esac

  85. 

  86.     data=$(tempfile 2>/dev/null)

  87.     trap "rm -f $data" 0 1 2 5 15

  88.     dialog --title $"Export passwords to USB drive $USB_DRIVE" \

  89.            --backtitle $"Security Settings" \

  90.            --defaultno \

  91.            --yesno $"\nDo you need to format the drive as LUKS encrypted?" 12 60

  92.     sel=$?

  93.     case $sel in

  94.         0) ${PROJECT_NAME}-format $USB_DRIVE;;

  95.     esac

  96. 

  97.     clear

  98.     backup_mount_drive ${USB_DRIVE}

  99.     ${PROJECT_NAME}-pass --export ${USB_MOUNT}/${PROJECT_NAME}-passwords.xml

  100.     backup_unmount_drive ${USB_DRIVE}

  101. }

  102. 

  103. function get_protocols_from_website {

  104.     if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then

  105.         return

  106.     fi

  107.     SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')

  108. }

  109. 

  110. function get_ciphers_from_website {

  111.     if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then

  112.         return

  113.     fi

  114.     SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')

  115. }

  116. 

  117. function get_imap_settings {

  118.     if [ ! -f $DOVECOT_CIPHERS ]; then

  119.         return

  120.     fi

  121.     # clear commented out cipher list

  122.     sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS

  123.     if [ $SSL_CIPHERS ]; then

  124.         return

  125.     fi

  126.     if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then

  127.         return

  128.     fi

  129.     SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')

  130. }

  131. 

  132. function get_xmpp_settings {

  133.     if [ ! -f $XMPP_CONFIG ]; then

  134.         return

  135.     fi

  136.     XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  137.     XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  138. }

  139. 

  140. function get_ssh_settings {

  141.     if [ -f $SSH_CONFIG ]; then

  142.         SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')

  143.     fi

  144.     if [ -f /etc/ssh/ssh_config ]; then

  145.         SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')

  146.     fi

  147. }

  148. 

  149. function change_website_settings {

  150.     if [ ! "$SSL_PROTOCOLS" ]; then

  151.         return

  152.     fi

  153.     if [ ! $SSL_CIPHERS ]; then

  154.         return

  155.     fi

  156.     if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then

  157.         return

  158.     fi

  159.     if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then

  160.         return

  161.     fi

  162.     if [ ! -d $WEBSITES_DIRECTORY ]; then

  163.         return

  164.     fi

  165. 

  166.     cd $WEBSITES_DIRECTORY

  167.     for file in `dir -d *` ; do

  168.         sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file

  169.         if ! grep -q "Mobile compatible ciphers" $WEBSITES_DIRECTORY/$file; then

  170. 

  171.             sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file

  172.         else

  173.             sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS_MOBILE';|g" $WEBSITES_DIRECTORY/$file

  174.         fi

  175.     done

  176.     systemctl restart nginx

  177.     echo $'Web security settings changed'

  178. }

  179. 

  180. function change_imap_settings {

  181.     if [ ! -f $DOVECOT_CIPHERS ]; then

  182.         return

  183.     fi

  184.     if [ ! $SSL_CIPHERS ]; then

  185.         return

  186.     fi

  187.     if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then

  188.         return

  189.     fi

  190.     sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS

  191.     sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS

  192.     systemctl restart dovecot

  193.     echo $'imap security settings changed'

  194. }

  195. 

  196. function change_ssh_settings {

  197.     if [ -f /etc/ssh/ssh_config ]; then

  198.         if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  199.             sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config

  200.             echo $'ssh client security settings changed'

  201.         fi

  202.     fi

  203.     if [ -f $SSH_CONFIG ]; then

  204.         if [ ! $SSH_CIPHERS ]; then

  205.             return

  206.         fi

  207.         if [ ! $SSH_MACS ]; then

  208.             return

  209.         fi

  210.         if [ ! $SSH_KEX ]; then

  211.             return

  212.         fi

  213.         if [ ! $SSH_PASSWORDS ]; then

  214.             SSH_PASSWORDS='yes'

  215.         fi

  216. 

  217.         sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG

  218.         sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG

  219.         sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG

  220.         sed -i "s|#PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG

  221.         sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG

  222.         systemctl restart ssh

  223.         echo $'ssh server security settings changed'

  224.     fi

  225. }

  226. 

  227. function change_xmpp_settings {

  228.     if [ ! -f $XMPP_CONFIG ]; then

  229.         return

  230.     fi

  231.     if [ ! $XMPP_CIPHERS ]; then

  232.         return

  233.     fi

  234.     if [ ! $XMPP_ECC_CURVE ]; then

  235.         return

  236.     fi

  237.     sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG

  238.     sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG

  239.     systemctl restart prosody

  240.     echo $'xmpp security settings changed'

  241. }

  242. 

  243. function allow_ssh_passwords {

  244.     dialog --title $"SSH Passwords" \

  245.            --backtitle $"Freedombone Security Configuration" \

  246.            --yesno $"\nAllow SSH login using passwords?" 7 60

  247.     sel=$?

  248.     case $sel in

  249.         0) SSH_PASSWORDS="yes";;

  250.         1) SSH_PASSWORDS="no";;

  251.         255) exit 0;;

  252.     esac

  253. }

  254. 

  255. function interactive_setup {

  256.     if [ $SSL_CIPHERS ]; then

  257.         data=$(tempfile 2>/dev/null)

  258.         trap "rm -f $data" 0 1 2 5 15

  259.         dialog --backtitle $"Freedombone Security Configuration" \

  260.                --form $"\nWeb/IMAP Ciphers:" 10 95 2 \

  261.                $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \

  262.                $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \

  263.                2> $data

  264.         sel=$?

  265.         case $sel in

  266.             1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)

  267.                SSL_CIPHERS=$(cat $data | sed -n 2p)

  268.                ;;

  269.             255) exit 0;;

  270.         esac

  271.     fi

  272. 

  273.     data=$(tempfile 2>/dev/null)

  274.     trap "rm -f $data" 0 1 2 5 15

  275.     if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  276.         dialog --backtitle $"Freedombone Security Configuration" \

  277.                --form $"\nSecure Shell Ciphers:" 13 95 4 \

  278.                $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \

  279.                $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \

  280.                $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \

  281.                $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \

  282.                2> $data

  283.         sel=$?

  284.         case $sel in

  285.             1) SSH_CIPHERS=$(cat $data | sed -n 1p)

  286.                SSH_MACS=$(cat $data | sed -n 2p)

  287.                SSH_KEX=$(cat $data | sed -n 3p)

  288.                SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)

  289.                ;;

  290.             255) exit 0;;

  291.         esac

  292.     else

  293.         dialog --backtitle $"Freedombone Security Configuration" \

  294.                --form $"\nSecure Shell Ciphers:" 11 95 3 \

  295.                $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \

  296.                $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \

  297.                $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \

  298.                2> $data

  299.         sel=$?

  300.         case $sel in

  301.             1) SSH_CIPHERS=$(cat $data | sed -n 1p)

  302.                SSH_MACS=$(cat $data | sed -n 2p)

  303.                SSH_KEX=$(cat $data | sed -n 3p)

  304.                ;;

  305.             255) exit 0;;

  306.         esac

  307.     fi

  308. 

  309.     if [ $XMPP_CIPHERS ]; then

  310.         data=$(tempfile 2>/dev/null)

  311.         trap "rm -f $data" 0 1 2 5 15

  312.         dialog --backtitle $"Freedombone Security Configuration" \

  313.                --form $"\nXMPP Ciphers:" 10 95 2 \

  314.                $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \

  315.                $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \

  316.                2> $data

  317.         sel=$?

  318.         case $sel in

  319.             1) XMPP_CIPHERS=$(cat $data | sed -n 1p)

  320.                XMPP_ECC_CURVE=$(cat $data | sed -n 2p)

  321.                ;;

  322.             255) exit 0;;

  323.         esac

  324.     fi

  325. 

  326.     dialog --title $"Final Confirmation" \

  327.            --backtitle $"Freedombone Security Configuration" \

  328.            --defaultno \

  329.            --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60

  330.     sel=$?

  331.     case $sel in

  332.         1) clear

  333.            echo $'Exiting without changing security settings'

  334.            exit 0;;

  335.         255) clear

  336.              echo $'Exiting without changing security settings'

  337.              exit 0;;

  338.     esac

  339. 

  340.     clear

  341. }

  342. 

  343. function send_monkeysphere_server_keys_to_users {

  344.     monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')

  345.     for d in /home/*/ ; do

  346.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  347.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  348.             if [ ! -d /home/$USERNAME/.monkeysphere ]; then

  349.                 mkdir /home/$USERNAME/.monkeysphere

  350.             fi

  351.             echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys

  352.             chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere

  353.         fi

  354.     done

  355. }

  356. 

  357. function regenerate_ssh_host_keys {

  358.     rm -f /etc/ssh/ssh_host_*

  359.     dpkg-reconfigure openssh-server

  360.     echo $'ssh host keys regenerated'

  361.     # remove small moduli

  362.     awk '$5 > 2000' /etc/ssh/moduli > ~/moduli

  363.     mv ~/moduli /etc/ssh/moduli

  364.     echo $'ssh small moduli removed'

  365.     # update monkeysphere

  366.     DEFAULT_DOMAIN_NAME=

  367.     read_config_param "DEFAULT_DOMAIN_NAME"

  368.     monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME

  369.     SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')

  370.     monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME

  371.     monkeysphere-host publish-key

  372.     send_monkeysphere_server_keys_to_users

  373.     echo $'updated monkeysphere ssh host key'

  374.     systemctl restart ssh

  375. }

  376. 

  377. function regenerate_dh_keys {

  378.     if [ ! -d /etc/ssl/mycerts ]; then

  379.         echo $'No dhparam certificates were found'

  380.         return

  381.     fi

  382. 

  383.     data=$(tempfile 2>/dev/null)

  384.     trap "rm -f $data" 0 1 2 5 15

  385.     dialog --backtitle "Freedombone Security Configuration" \

  386.            --title "Diffie-Hellman key length" \

  387.            --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \

  388.            1 "2048 bits" off \

  389.            2 "3072 bits" on \

  390.            3 "4096 bits" off 2> $data

  391.     sel=$?

  392.     case $sel in

  393.         1) exit 1;;

  394.         255) exit 1;;

  395.     esac

  396.     case $(cat $data) in

  397.         1) DH_KEYLENGTH=2048;;

  398.         2) DH_KEYLENGTH=3072;;

  399.         3) DH_KEYLENGTH=4096;;

  400.     esac

  401. 

  402.     ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}

  403. }

  404. 

  405. function renew_startssl {

  406.     renew_domain=

  407.     data=$(tempfile 2>/dev/null)

  408.     trap "rm -f $data" 0 1 2 5 15

  409.     dialog --title $"Renew a StartSSL certificate" \

  410.            --backtitle $"Freedombone Security Settings" \

  411.            --inputbox $"Enter the domain name" 8 60 2>$data

  412.     sel=$?

  413.     case $sel in

  414.         0)

  415.             renew_domain=$(<$data)

  416.             ;;

  417.     esac

  418. 

  419.     if [ ! $renew_domain ]; then

  420.         return

  421.     fi

  422. 

  423.     if [[ $renew_domain == "http"* ]]; then

  424.         dialog --title $"Renew a StartSSL certificate" \

  425.                --msgbox $"Don't include the https://" 6 40

  426.         return

  427.     fi

  428. 

  429.     if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then

  430.         dialog --title $"Renew a StartSSL certificate" \

  431.                --msgbox $"An existing certificate for $renew_domain was not found" 6 40

  432.         return

  433.     fi

  434. 

  435.     if [[ $renew_domain != *"."* ]]; then

  436.         dialog --title $"Renew a StartSSL certificate" \

  437.                --msgbox $"Invalid domain name: $renew_domain" 6 40

  438.         return

  439.     fi

  440. 

  441.     ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl

  442. 

  443.     exit 0

  444. }

  445. 

  446. function renew_letsencrypt {

  447.     renew_domain=

  448.     data=$(tempfile 2>/dev/null)

  449.     trap "rm -f $data" 0 1 2 5 15

  450.     dialog --title $"Renew a Let's Encrypt certificate" \

  451.            --backtitle $"Freedombone Security Settings" \

  452.            --inputbox $"Enter the domain name" 8 60 2>$data

  453.     sel=$?

  454.     case $sel in

  455.         0)

  456.             renew_domain=$(<$data)

  457.             ;;

  458.     esac

  459. 

  460.     if [ ! $renew_domain ]; then

  461.         return

  462.     fi

  463. 

  464.     if [[ $renew_domain == "http"* ]]; then

  465.         dialog --title $"Renew a Let's Encrypt certificate" \

  466.                --msgbox $"Don't include the https://" 6 40

  467.         return

  468.     fi

  469. 

  470.     if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then

  471.         dialog --title $"Renew a Let's Encrypt certificate" \

  472.                --msgbox $"An existing certificate for $renew_domain was not found" 6 40

  473.         return

  474.     fi

  475. 

  476.     if [[ $renew_domain != *"."* ]]; then

  477.         dialog --title $"Renew a Let's Encrypt certificate" \

  478.                --msgbox $"Invalid domain name: $renew_domain" 6 40

  479.         return

  480.     fi

  481. 

  482.     ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'

  483. 

  484.     exit 0

  485. }

  486. 

  487. function delete_letsencrypt {

  488.     delete_domain=

  489.     data=$(tempfile 2>/dev/null)

  490.     trap "rm -f $data" 0 1 2 5 15

  491.     dialog --title $"Delete a Let's Encrypt certificate" \

  492.            --backtitle $"Freedombone Security Settings" \

  493.            --inputbox $"Enter the domain name" 8 60 2>$data

  494.     sel=$?

  495.     case $sel in

  496.         0)

  497.             delete_domain=$(<$data)

  498.             ;;

  499.     esac

  500. 

  501.     if [ ! $delete_domain ]; then

  502.         return

  503.     fi

  504. 

  505.     if [[ $delete_domain == "http"* ]]; then

  506.         dialog --title $"Delete a Let's Encrypt certificate" \

  507.                --msgbox $"Don't include the https://" 6 40

  508.         return

  509.     fi

  510. 

  511.     if [ ! -f /etc/ssl/certs/${delete_domain}.dhparam ]; then

  512.         dialog --title $"Delete a Let's Encrypt certificate" \

  513.                --msgbox $"An existing certificate for $renew_domain was not found" 6 40

  514.         return

  515.     fi

  516. 

  517.     if [[ $delete_domain != *"."* ]]; then

  518.         dialog --title $"Delete a Let's Encrypt certificate" \

  519.                --msgbox $"Invalid domain name: $delete_domain" 6 40

  520.         return

  521.     fi

  522. 

  523.     dialog --title $"Delete a Let's Encrypt certificate" \

  524.            --backtitle $"Freedombone Security Settings" \

  525.            --defaultno \

  526.            --yesno $"\nConfirm deletion of the TLS certificate for $delete_domain ?" 7 60

  527.     sel=$?

  528.     case $sel in

  529.         0) ${PROJECT_NAME}-addcert -r $delete_domain;;

  530.         255) exit 0;;

  531.     esac

  532. 

  533.     exit 0

  534. }

  535. 

  536. function create_letsencrypt {

  537.     new_domain=

  538.     data=$(tempfile 2>/dev/null)

  539.     trap "rm -f $data" 0 1 2 5 15

  540.     dialog --title $"Create a new Let's Encrypt certificate" \

  541.            --backtitle $"Freedombone Security Settings" \

  542.            --inputbox $"Enter the domain name" 8 60 2>$data

  543.     sel=$?

  544.     case $sel in

  545.         0)

  546.             new_domain=$(<$data)

  547.             ;;

  548.     esac

  549. 

  550.     if [ ! $new_domain ]; then

  551.         return

  552.     fi

  553. 

  554.     if [[ $new_domain == "http"* ]]; then

  555.         dialog --title $"Create a new Let's Encrypt certificate" \

  556.                --msgbox $"Don't include the https://" 6 40

  557.         return

  558.     fi

  559. 

  560.     if [[ $new_domain != *"."* ]]; then

  561.         dialog --title $"Create a new Let's Encrypt certificate" \

  562.                --msgbox $"Invalid domain name: $new_domain" 6 40

  563.         return

  564.     fi

  565. 

  566.     if [ ! -d /var/www/${new_domain} ]; then

  567.         domain_found=

  568.         if [ -f /etc/nginx/sites-available/radicale ]; then

  569.             if grep -q "${new_domain}" /etc/nginx/sites-available/radicale; then

  570.                 domain_found=1

  571.             fi

  572.         fi

  573.         if [ -f /etc/nginx/sites-available/${new_domain} ]; then

  574.             domain_found=1

  575.         fi

  576.         if [[ "${new_domain}" == "jitsi"* || "${new_domain}" == "meet"* ]]; then

  577.             domain_found=1

  578.         fi

  579.         if [ ! $domain_found ]; then

  580.             dialog --title $"Create a new Let's Encrypt certificate" \

  581.                    --msgbox $'Domain not found within /var/www' 6 40

  582.             return

  583.         fi

  584.     fi

  585. 

  586.     ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH

  587. 

  588.     exit 0

  589. }

  590. 

  591. function update_ciphersuite {

  592.     RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"

  593.     if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then

  594.         return

  595.     fi

  596. 

  597.     RECOMMENDED_SSL_PROTOCOLS="$SSL_PROTOCOLS"

  598.     if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then

  599.         return

  600.     fi

  601. 

  602.     RECOMMENDED_SSH_CIPHERS="$SSH_CIPHERS"

  603.     if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then

  604.         return

  605.     fi

  606. 

  607.     RECOMMENDED_SSH_MACS="$SSH_MACS"

  608.     if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then

  609.         return

  610.     fi

  611. 

  612.     RECOMMENDED_SSH_KEX="$SSH_KEX"

  613.     if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then

  614.         return

  615.     fi

  616. 

  617.     cd $WEBSITES_DIRECTORY

  618.     for file in `dir -d *` ; do

  619.         sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file

  620.         if ! grep -q "Mobile compatible ciphers" $WEBSITES_DIRECTORY/$file; then

  621.             sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file

  622.         else

  623.             sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS_MOBILE';|g" $WEBSITES_DIRECTORY/$file

  624.         fi

  625.     done

  626.     systemctl restart nginx

  627.     write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"

  628.     write_config_param "SSL_CIPHERS" "$RECOMMENDED_SSL_CIPHERS"

  629. 

  630.     sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG

  631.     sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG

  632.     sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG

  633.     systemctl restart ssh

  634. 

  635.     write_config_param "SSH_CIPHERS" "$RECOMMENDED_SSH_CIPHERS"

  636.     write_config_param "SSH_MACS" "$RECOMMENDED_SSH_MACS"

  637.     write_config_param "SSH_KEX" "$RECOMMENDED_SSH_KEX"

  638. 

  639.     dialog --title $"Update ciphersuite" \

  640.            --msgbox $"The ciphersuite has been updated to recommended versions" 6 40

  641.     exit 0

  642. }

  643. 

  644. function enable_monkeysphere {

  645.     monkey=

  646.     dialog --title $"GPG based authentication" \

  647.            --backtitle $"Freedombone Security Configuration" \

  648.            --defaultno \

  649.            --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60

  650.     sel=$?

  651.     case $sel in

  652.         0) monkey='yes';;

  653.         255) exit 0;;

  654.     esac

  655. 

  656.     if [ $monkey ]; then

  657.         read_config_param "MY_USERNAME"

  658. 

  659.         if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then

  660.             dialog --title $"GPG based authentication" \

  661.                    --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40

  662.             exit 0

  663.         fi

  664. 

  665.         MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")

  666.         if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then

  667.             echo $"monkeysphere unable to get GPG key ID for user $MY_USERNAME@$HOSTNAME"

  668.             exit 52825

  669.         fi

  670. 

  671.         sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config

  672.         sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config

  673.         monkeysphere-authentication update-users

  674. 

  675.         # The admin user is the identity certifier

  676.         fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')

  677.         monkeysphere-authentication add-identity-certifier $fpr

  678.         monkeysphere-host publish-key

  679.         send_monkeysphere_server_keys_to_users

  680.     else

  681.         sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config

  682.         sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config

  683.     fi

  684. 

  685.     systemctl restart ssh

  686. 

  687.     if [ $monkey ]; then

  688.         dialog --title $"GPG based authentication" \

  689.                --msgbox $"GPG based authentication was enabled" 6 40

  690.     else

  691.         dialog --title $"GPG based authentication" \

  692.                --msgbox $"GPG based authentication was disabled" 6 40

  693.     fi

  694.     exit 0

  695. }

  696. 

  697. function register_website {

  698.     domain="$1"

  699. 

  700.     if [[ ${domain} == *".local" ]]; then

  701.         echo $"Can't register local domains"

  702.         return

  703.     fi

  704. 

  705.     if [ ! -f /etc/ssl/private/${domain}.key ]; then

  706.         echo $"No SSL/TLS private key found for ${domain}"

  707.         return

  708.     fi

  709. 

  710.     if [ ! -f /etc/nginx/sites-available/${domain} ]; then

  711.         echo $"No virtual host found for ${domain}"

  712.         return

  713.     fi

  714. 

  715.     monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}

  716.     monkeysphere-host publish-key

  717.     echo "0"

  718. }

  719. 

  720. function register_website_interactive {

  721.     data=$(tempfile 2>/dev/null)

  722.     trap "rm -f $data" 0 1 2 5 15

  723.     dialog --title $"Register a website with monkeysphere" \

  724.            --backtitle $"Freedombone Security Settings" \

  725.            --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data

  726.     sel=$?

  727.     case $sel in

  728.         0)

  729.             domain=$(<$data)

  730.             register_website "$domain"

  731.             if [ ! "$?" = "0" ]; then

  732.                 dialog --title $"Register a website with monkeysphere" \

  733.                        --msgbox "$?" 6 40

  734.             else

  735.                 dialog --title $"Register a website with monkeysphere" \

  736.                        --msgbox $"$domain has been registered" 6 40

  737.             fi

  738.             ;;

  739.     esac

  740. }

  741. 

  742. function pin_all_tls_certs {

  743.     ${PROJECT_NAME}-pin-cert all

  744. }

  745. 

  746. function remove_pinning {

  747.     data=$(tempfile 2>/dev/null)

  748.     trap "rm -f $data" 0 1 2 5 15

  749.     dialog --title $"Remove pinning for a domain" \

  750.            --backtitle $"Freedombone Security Settings" \

  751.            --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data

  752.     sel=$?

  753.     case $sel in

  754.         0)

  755.             domain=$(<$data)

  756.             ${PROJECT_NAME}-pin-cert "$domain" remove

  757.             if [ ! "$?" = "0" ]; then

  758.                 dialog --title $"Removed pinning from $domain" \

  759.                        --msgbox "$?" 6 40

  760.             fi

  761.             ;;

  762.     esac

  763. }

  764. 

  765. function store_passwords {

  766.     dialog --title $"Store Passwords" \

  767.            --backtitle $"Freedombone Security Configuration" \

  768.            --yesno $"\nDo you wish to store passwords on the system? Stored passwords are convenient but carry some additional security risk." 10 60

  769.     sel=$?

  770.     case $sel in

  771.         0)

  772.             if [ -f /root/.nostore ]; then

  773.                 read_config_param "MY_USERNAME"

  774.                 if [ ! -f /home/$MY_USERNAME/.ssh/authorized_keys ]; then

  775.                     dialog --title $"Store Passwords" \

  776.                            --msgbox $"\nYou should first enable key based ssh login to improve security" 8 60

  777.                     return

  778.                 fi

  779.                 if [[ $SSH_PASSWORDS == 'yes' ]]; then

  780.                     dialog --title $"Store Passwords" \

  781.                            --msgbox $"\nYou should disable ssh passwords to improve security" 8 60

  782.                     return

  783.                 fi

  784.                 ${PROJECT_NAME}-pass --enable yes

  785.                 dialog --title $"Store Passwords" \

  786.                        --msgbox $"\nUser passwords will now be stored on the system" 8 60

  787.             fi

  788.             return

  789.             ;;

  790.         1)

  791.             ${PROJECT_NAME}-pass --clear yes

  792.             dialog --title $"Passwords were removed and will not be stored" \

  793.                    --msgbox $"\nFor the best security you should now manually change passwords via web interfaces so that there is no possibility of them being recovered from the disk" 9 60

  794.             return

  795.             ;;

  796.         255) return;;

  797.     esac

  798. }

  799. 

  800. function show_tor_bridges {

  801.     clear

  802.     bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')

  803.     if [ ${#bridges_list} -eq 0 ]; then

  804.         echo $'No Tor bridges have been added'

  805.         return

  806.     fi

  807.     echo "${bridges_list}"

  808. }

  809. 

  810. function add_tor_bridge {

  811.     data=$(tempfile 2>/dev/null)

  812.     trap "rm -f $data" 0 1 2 5 15

  813.     dialog --backtitle $"Freedombone Control Panel" \

  814.            --title $"Add obfs4 Tor bridge" \

  815.            --form "\n" 9 60 4 \

  816.            $"IP address:   " 1 1 "   .   .   .   " 1 17 16 16 \

  817.            $"Port:         " 2 1 "" 2 17 8 8 \

  818.            $"Key/Nickname: " 3 1 "" 3 17 250 250 \

  819.            2> $data

  820.     sel=$?

  821.     case $sel in

  822.         1) return;;

  823.         255) return;;

  824.     esac

  825.     bridge_ip_address=$(cat $data | sed -n 1p)

  826.     bridge_port=$(cat $data | sed -n 2p)

  827.     bridge_key=$(cat $data | sed -n 3p)

  828.     if [[ "${bridge_ip_address}" == *" "* ]]; then

  829.         return

  830.     fi

  831.     if [[ "${bridge_ip_address}" != *"."* ]]; then

  832.         return

  833.     fi

  834.     if [ ${#bridge_port} -eq 0 ]; then

  835.         return

  836.     fi

  837.     if [ ${#bridge_key} -eq 0 ]; then

  838.         return

  839.     fi

  840.     tor_add_bridge "${bridge_ip_address}" "${bridge_port}" "${bridge_key}"

  841.     dialog --title $"Add obfs4 Tor bridge" \

  842.            --msgbox $"Bridge added" 6 40

  843. }

  844. 

  845. function remove_tor_bridge {

  846.     bridge_removed=

  847.     data=$(tempfile 2>/dev/null)

  848.     trap "rm -f $data" 0 1 2 5 15

  849.     dialog --title $"Remove obfs4 Tor bridge" \

  850.            --backtitle $"Freedombone Control Panel" \

  851.            --inputbox $"Enter the IP address, key or Nickname of the bridge" 8 65 2>$data

  852.     sel=$?

  853.     case $sel in

  854.         0)

  855.             response=$(<$data)

  856.             if [ ${#response} -gt 2 ]; then

  857.                 if [[ "${response}" != *" "* ]]; then

  858.                     if [[ "${response}" == *"."* ]]; then

  859.                         if grep -q "Bridge ${response}" /etc/tor/torrc; then

  860.                             tor_remove_bridge "${response}"

  861.                             bridge_removed=1

  862.                         fi

  863.                     else

  864.                         if grep -q " $response" /etc/tor/torrc; then

  865.                             tor_remove_bridge "${response}"

  866.                             bridge_removed=1

  867.                         fi

  868.                     fi

  869.                 fi

  870.             fi

  871.             ;;

  872.     esac

  873.     if [ $bridge_removed ]; then

  874.         dialog --title $"Remove obfs4 Tor bridge" \

  875.                --msgbox $"Bridge removed" 6 40

  876.     fi

  877. }

  878. 

  879. function add_tor_bridge_relay {

  880.     read_config_param 'TOR_BRIDGE_NICKNAME'

  881.     read_config_param 'TOR_BRIDGE_PORT'

  882. 

  883.     # remove any previous bridge port from the firewall

  884.     if [ ${#TOR_BRIDGE_PORT} -gt 0 ]; then

  885.         firewall_remove $TOR_BRIDGE_PORT tcp

  886.     fi

  887. 

  888.     data=$(tempfile 2>/dev/null)

  889.     trap "rm -f $data" 0 1 2 5 15

  890.     dialog --backtitle $"Freedombone Control Panel" \

  891.            --title $"Become an obfs4 Tor bridge relay" \

  892.            --form "\n" 8 60 2 \

  893.            $"Bridge Nickname: " 1 1 "$TOR_BRIDGE_NICKNAME" 1 20 250 250 \

  894.            2> $data

  895.     sel=$?

  896.     case $sel in

  897.         1) return;;

  898.         255) return;;

  899.     esac

  900.     bridge_nickname=$(cat $data | sed -n 1p)

  901.     if [[ "${bridge_nickname}" == *" "* ]]; then

  902.         return

  903.     fi

  904.     if [ ${#bridge_nickname} -eq 0 ]; then

  905.         return

  906.     fi

  907.     TOR_BRIDGE_NICKNAME="$bridge_nickname"

  908.     TOR_BRIDGE_PORT=$((20000 + RANDOM % 40000))

  909.     write_config_param 'TOR_BRIDGE_NICKNAME' "$TOR_BRIDGE_NICKNAME"

  910.     write_config_param 'TOR_BRIDGE_PORT' "$TOR_BRIDGE_PORT"

  911.     tor_create_bridge_relay

  912.     dialog --title $"You are now an obfs4 Tor bridge relay" \

  913.            --msgbox $"\nIP address: $(get_ipv4_address)\n\nPort: ${TOR_BRIDGE_PORT}\n\nNickname: ${TOR_BRIDGE_NICKNAME}" 10 65

  914. }

  915. 

  916. function remove_tor_bridge_relay {

  917.     tor_remove_bridge_relay

  918.     dialog --title $"Remove Tor bridge relay" \

  919.            --msgbox $"Bridge relay removed" 10 60

  920. }

  921. 

  922. function menu_tor_bridges {

  923.     data=$(tempfile 2>/dev/null)

  924.     trap "rm -f $data" 0 1 2 5 15

  925.     dialog --backtitle $"Freedombone Control Panel" \

  926.            --title $"Tor Bridges" \

  927.            --radiolist $"Choose an operation:" 14 50 6 \

  928.            1 $"Show bridges" off \

  929.            2 $"Add a bridge" off \

  930.            3 $"Remove a bridge" off \

  931.            4 $"Make this system into a bridge" off \

  932.            5 $"Stop being a bridge" off \

  933.            6 $"Go Back/Exit" on 2> $data

  934.     sel=$?

  935.     case $sel in

  936.         1) exit 1;;

  937.         255) exit 1;;

  938.     esac

  939. 

  940.     case $(cat $data) in

  941.         1)

  942.             show_tor_bridges

  943.             exit 0

  944.             ;;

  945.         2)

  946.             add_tor_bridge

  947.             exit 0

  948.             ;;

  949.         3)

  950.             remove_tor_bridge

  951.             exit 0

  952.             ;;

  953.         4)

  954.             add_tor_bridge_relay

  955.             exit 0

  956.             ;;

  957.         5)

  958.             remove_tor_bridge_relay

  959.             exit 0

  960.             ;;

  961.         6)

  962.             exit 0

  963.             ;;

  964.     esac

  965. }

  966. 

  967. function menu_security_settings {

  968.     data=$(tempfile 2>/dev/null)

  969.     trap "rm -f $data" 0 1 2 5 15

  970.     dialog --backtitle $"Freedombone Control Panel" \

  971.            --title $"Security Settings" \

  972.            --radiolist $"Choose an operation:" 23 76 23 \

  973.            1 $"Run STIG tests" off \

  974.            2 $"Fix STIG test failures" off \

  975.            3 $"Show ssh host public key" off \

  976.            4 $"Tor bridges" off \

  977.            5 $"Password storage" off \

  978.            6 $"Export passwords" off \

  979.            7 $"Regenerate ssh host keys" off \

  980.            8 $"Regenerate Diffie-Hellman keys" off \

  981.            9 $"Update cipersuite" off \

  982.            10 $"Create a new Let's Encrypt certificate" off \

  983.            11 $"Renew Let's Encrypt certificate" off \

  984.            12 $"Delete a Let's Encrypt certificate" off \

  985.            13 $"Enable GPG based authentication (monkeysphere)" off \

  986.            14 $"Register a website with monkeysphere" off \

  987.            15 $"Allow ssh login with passwords" off \

  988.            16 $"Go Back/Exit" on 2> $data

  989.     sel=$?

  990.     case $sel in

  991.         1) exit 1;;

  992.         255) exit 1;;

  993.     esac

  994. 

  995.     clear

  996. 

  997.     read_config_param SSL_CIPHERS

  998.     read_config_param SSL_PROTOCOLS

  999.     read_config_param SSH_CIPHERS

  1000.     read_config_param SSH_MACS

  1001.     read_config_param SSH_KEX

  1002. 

  1003.     get_imap_settings

  1004.     get_ssh_settings

  1005.     get_xmpp_settings

  1006.     import_settings

  1007.     export_settings

  1008. 

  1009.     case $(cat $data) in

  1010.         1)

  1011.             clear

  1012.             echo $'Running STIG tests...'

  1013.             echo ''

  1014.             ${PROJECT_NAME}-tests --stig showall

  1015.             exit 0

  1016.             ;;

  1017.         2)

  1018.             clear

  1019.             echo $'Fixing any STIG failures...'

  1020.             echo ''

  1021.             ${PROJECT_NAME}-tests --stig fix

  1022.             echo $'Fixes applied. You will need to run the STIG tests again to be sure that they were all fixed.'

  1023.             exit 0

  1024.             ;;

  1025.         3)

  1026.             dialog --title $"SSH host public keys" \

  1027.                    --msgbox "\n$(get_ssh_server_key)" 12 60

  1028.             exit 0

  1029.             ;;

  1030.         4)

  1031.             menu_tor_bridges

  1032.             exit 0

  1033.             ;;

  1034.         5)

  1035.             store_passwords

  1036.             exit 0

  1037.             ;;

  1038.         6)

  1039.             export_passwords

  1040.             exit 0

  1041.             ;;

  1042.         7)

  1043.             regenerate_ssh_host_keys

  1044.             ;;

  1045.         8)

  1046.             regenerate_dh_keys

  1047.             ;;

  1048.         9)

  1049.             interactive_setup

  1050.             update_ciphersuite

  1051.             ;;

  1052.         10)

  1053.             create_letsencrypt

  1054.             ;;

  1055.         11)

  1056.             renew_letsencrypt

  1057.             ;;

  1058.         12)

  1059.             delete_letsencrypt

  1060.             ;;

  1061.         13)

  1062.             enable_monkeysphere

  1063.             ;;

  1064.         14)

  1065.             register_website

  1066.             ;;

  1067.         15)

  1068.             allow_ssh_passwords

  1069.             change_ssh_settings

  1070.             exit 0

  1071.             ;;

  1072.         16)

  1073.             exit 0

  1074.             ;;

  1075.     esac

  1076. 

  1077.     change_website_settings

  1078.     change_imap_settings

  1079.     change_ssh_settings

  1080.     change_xmpp_settings

  1081. }

  1082. 

  1083. function import_settings {

  1084.     cd $CURRENT_DIR

  1085. 

  1086.     if [ ! $IMPORT_FILE ]; then

  1087.         return

  1088.     fi

  1089. 

  1090.     if [ ! -f $IMPORT_FILE ]; then

  1091.         echo $"Import file $IMPORT_FILE not found"

  1092.         exit 6393

  1093.     fi

  1094. 

  1095.     if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then

  1096.         TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1097.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1098.             SSL_PROTOCOLS=$TEMP_VALUE

  1099.         fi

  1100.     fi

  1101.     if grep -q "SSL_CIPHERS" $IMPORT_FILE; then

  1102.         TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1103.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1104.             SSL_CIPHERS=$TEMP_VALUE

  1105.         fi

  1106.     fi

  1107.     if grep -q "SSH_CIPHERS" $IMPORT_FILE; then

  1108.         TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1109.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1110.             SSH_CIPHERS=$TEMP_VALUE

  1111.         fi

  1112.     fi

  1113.     if grep -q "SSH_MACS" $IMPORT_FILE; then

  1114.         TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1115.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1116.             SSH_MACS=$TEMP_VALUE

  1117.         fi

  1118.     fi

  1119.     if grep -q "SSH_KEX" $IMPORT_FILE; then

  1120.         TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')

  1121.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1122.             SSH_KEX=$TEMP_VALUE

  1123.         fi

  1124.     fi

  1125.     if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then

  1126.         TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1127.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1128.             SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE

  1129.         fi

  1130.     fi

  1131.     if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then

  1132.         TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1133.         if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then

  1134.             SSH_PASSWORDS=$TEMP_VALUE

  1135.         fi

  1136.     fi

  1137.     if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then

  1138.         TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1139.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1140.             XMPP_CIPHERS=$TEMP_VALUE

  1141.         fi

  1142.     fi

  1143.     if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then

  1144.         TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')

  1145.         if [ ${#TEMP_VALUE} -gt 3 ]; then

  1146.             XMPP_ECC_CURVE=$TEMP_VALUE

  1147.         fi

  1148.     fi

  1149. }

  1150. 

  1151. function export_settings {

  1152.     if [ ! $EXPORT_FILE ]; then

  1153.         return

  1154.     fi

  1155. 

  1156.     cd $CURRENT_DIR

  1157. 

  1158.     if [ ! -f $EXPORT_FILE ]; then

  1159.         if [ "$SSL_PROTOCOLS" ]; then

  1160.             echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE

  1161.         fi

  1162.         if [ $SSL_CIPHERS ]; then

  1163.             echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE

  1164.         fi

  1165.         if [ $SSH_CIPHERS ]; then

  1166.             echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE

  1167.         fi

  1168.         if [ $SSH_MACS ]; then

  1169.             echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE

  1170.         fi

  1171.         if [ $SSH_KEX ]; then

  1172.             echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE

  1173.         fi

  1174.         if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  1175.             echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE

  1176.         fi

  1177.         if [ $SSH_PASSWORDS ]; then

  1178.             echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE

  1179.         fi

  1180.         if [ $XMPP_CIPHERS ]; then

  1181.             echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE

  1182.         fi

  1183.         if [ $XMPP_ECC_CURVE ]; then

  1184.             echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE

  1185.         fi

  1186.         echo "Security settings exported to $EXPORT_FILE"

  1187.         exit 0

  1188.     fi

  1189. 

  1190.     if [ "$SSL_PROTOCOLS" ]; then

  1191.         if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then

  1192.             sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE

  1193.         else

  1194.             echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE

  1195.         fi

  1196.     fi

  1197.     if [ $SSL_CIPHERS ]; then

  1198.         if grep -q "SSL_CIPHERS" $EXPORT_FILE; then

  1199.             sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE

  1200.         else

  1201.             echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE

  1202.         fi

  1203.     fi

  1204.     if [ $SSH_CIPHERS ]; then

  1205.         if grep -q "SSH_CIPHERS" $EXPORT_FILE; then

  1206.             sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE

  1207.         else

  1208.             echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE

  1209.         fi

  1210.     fi

  1211.     if [ $SSH_MACS ]; then

  1212.         if grep -q "SSH_MACS" $EXPORT_FILE; then

  1213.             sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE

  1214.         else

  1215.             echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE

  1216.         fi

  1217.     fi

  1218.     if [ $SSH_KEX ]; then

  1219.         if grep -q "SSH_KEX" $EXPORT_FILE; then

  1220.             sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE

  1221.         else

  1222.             echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE

  1223.         fi

  1224.     fi

  1225.     if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  1226.         if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then

  1227.             sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE

  1228.         else

  1229.             echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE

  1230.         fi

  1231.     fi

  1232.     if [ $SSH_PASSWORDS ]; then

  1233.         if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then

  1234.             sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE

  1235.         else

  1236.             echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE

  1237.         fi

  1238.     fi

  1239.     if [ $XMPP_CIPHERS ]; then

  1240.         if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then

  1241.             sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE

  1242.         else

  1243.             echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE

  1244.         fi

  1245.     fi

  1246.     if [ $XMPP_ECC_CURVE ]; then

  1247.         if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then

  1248.             sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE

  1249.         else

  1250.             echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE

  1251.         fi

  1252.     fi

  1253.     echo $"Security settings exported to $EXPORT_FILE"

  1254.     exit 0

  1255. }

  1256. 

  1257. function refresh_gpg_keys {

  1258.     for d in /home/*/ ; do

  1259.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  1260.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  1261.             su -c 'gpg --refresh-keys' - $USERNAME

  1262.         fi

  1263.     done

  1264.     exit 0

  1265. }

  1266. 

  1267. function monkeysphere_sign_server_keys {

  1268.     server_keys_file=/home/$USER/.monkeysphere/server_keys

  1269.     if [ ! -f $server_keys_file ]; then

  1270.         exit 0

  1271.     fi

  1272. 

  1273.     keys_signed=

  1274.     while read line; do

  1275.         echo $line

  1276.         if [ ${#line} -gt 2 ]; then

  1277.             fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')

  1278.             if [ ${#fpr} -gt 2 ]; then

  1279.                 gpg --sign-key $fpr

  1280.                 if [ "$?" = "0" ]; then

  1281.                     gpg --update-trustdb

  1282.                     keys_signed=1

  1283.                 fi

  1284.             fi

  1285.         fi

  1286.     done <$server_keys_file

  1287. 

  1288.     if [ $keys_signed ]; then

  1289.         rm $server_keys_file

  1290.     fi

  1291.     exit 0

  1292. }

  1293. 

  1294. function htmly_hash {

  1295.     # produces a hash corresponding to a htmly password

  1296.     pass="$1"

  1297.     HTMLYHASH_FILENAME=/usr/bin/htmlyhash

  1298. 

  1299.     echo '<?php' > $HTMLYHASH_FILENAME

  1300.     echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $HTMLYHASH_FILENAME

  1301.     echo '$password = $_GET["password"];' >> $HTMLYHASH_FILENAME

  1302.     echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $HTMLYHASH_FILENAME

  1303.     echo 'if (password_verify($password, $hash)) {' >> $HTMLYHASH_FILENAME

  1304.     echo '  echo $hash;' >> $HTMLYHASH_FILENAME

  1305.     echo '}' >> $HTMLYHASH_FILENAME

  1306.     echo '?>' >> $HTMLYHASH_FILENAME

  1307. 

  1308.     php $HTMLYHASH_FILENAME password="$pass"

  1309. }

  1310. 

  1311. function show_help {

  1312.     echo ''

  1313.     echo "${PROJECT_NAME}-sec"

  1314.     echo ''

  1315.     echo $'Alters the security settings'

  1316.     echo ''

  1317.     echo ''

  1318.     echo $'  -h --help                 Show help'

  1319.     echo $'  -e --export               Export security settings to a file'

  1320.     echo $'  -i --import               Import security settings from a file'

  1321.     echo $'  -r --refresh              Refresh GPG keys for all users'

  1322.     echo $'  -s --sign                 Sign monkeysphere server keys'

  1323.     echo $'     --register [domain]    Register a https domain with monkeysphere'

  1324.     echo $'  -b --htmlyhash [password] Returns the hash of a password for a htmly blog'

  1325.     echo ''

  1326.     exit 0

  1327. }

  1328. 

  1329. 

  1330. # Get the commandline options

  1331. while [[ $# > 1 ]]

  1332. do

  1333.     key="$1"

  1334. 

  1335.     case $key in

  1336.         -h|--help)

  1337.             show_help

  1338.             ;;

  1339.         # Export settings

  1340.         -e|--export)

  1341.             shift

  1342.             EXPORT_FILE="$1"

  1343.             ;;

  1344.         # Export settings

  1345.         -i|--import)

  1346.             shift

  1347.             IMPORT_FILE="$1"

  1348.             ;;

  1349.         # Refresh GPG keys

  1350.         -r|--refresh)

  1351.             shift

  1352.             refresh_gpg_keys

  1353.             ;;

  1354.         # register a website

  1355.         --register|--reg|--site)

  1356.             shift

  1357.             register_website "$1"

  1358.             ;;

  1359.         # user signs monkeysphere server keys

  1360.         -s|--sign)

  1361.             shift

  1362.             monkeysphere_sign_server_keys

  1363.             ;;

  1364.         # get a hash of the given htmly password

  1365.         -b|--htmlyhash)

  1366.             shift

  1367.             htmly_hash "$1"

  1368.             exit 0

  1369.             ;;

  1370.         *)

  1371.             # unknown option

  1372.             ;;

  1373.     esac

  1374.     shift

  1375. done

  1376. 

  1377. menu_security_settings

  1378. 

  1379. exit 0