freedombone/src/freedombone-sec

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#
# Alters the security settings
#
# License
# =======
#
# Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

PROJECT_NAME='freedombone'

export TEXTDOMAIN=${PROJECT_NAME}-sec
export TEXTDOMAINDIR="/usr/share/locale"

CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg
COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt

UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
for f in $UTILS_FILES
do
    source $f
done

SSL_PROTOCOLS=
SSL_CIPHERS=
SSH_CIPHERS=
SSH_MACS=
SSH_KEX=
SSH_HOST_KEY_ALGORITHMS=
SSH_PASSWORDS=
XMPP_CIPHERS=
XMPP_ECC_CURVE=

WEBSITES_DIRECTORY='/etc/nginx/sites-available'
DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
SSH_CONFIG='/etc/ssh/sshd_config'
XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'

MINIMUM_LENGTH=6

IMPORT_FILE=
EXPORT_FILE=

CURRENT_DIR=$(pwd)

DH_KEYLENGTH=2048
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

MY_USERNAME=

function export_passwords {
    detect_usb_drive
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --title $"Export passwords to USB drive $USB_DRIVE" \
           --backtitle $"Security Settings" \
           --defaultno \
           --yesno $"\nPlease confirm that you wish to export passwords to a LUKS formatted USB drive. The drive should be plugged in." 10 60
    sel=$?
    case $sel in
        1) return;;
        255) return;;
    esac

    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --title $"Export passwords to USB drive $USB_DRIVE" \
           --backtitle $"Security Settings" \
           --defaultno \
           --yesno $"\nDo you need to format the drive as LUKS encrypted?" 12 60
    sel=$?
    case $sel in
        0) ${PROJECT_NAME}-format $USB_DRIVE;;
    esac

    clear
    backup_mount_drive ${USB_DRIVE}
    ${PROJECT_NAME}-pass --export ${USB_MOUNT}/${PROJECT_NAME}-passwords.xml
    backup_unmount_drive ${USB_DRIVE}
}

function get_protocols_from_website {
    if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
        return
    fi
    SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
}

function get_ciphers_from_website {
    if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
        return
    fi
    SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
}

function get_imap_settings {
    if [ ! -f $DOVECOT_CIPHERS ]; then
        return
    fi
    # clear commented out cipher list
    sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
    if [ $SSL_CIPHERS ]; then
        return
    fi
    if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
        return
    fi
    SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
}

function get_xmpp_settings {
    if [ ! -f $XMPP_CONFIG ]; then
        return
    fi
    XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
    XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
}

function get_ssh_settings {
    if [ -f $SSH_CONFIG ]; then
        SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
    fi
    if [ -f /etc/ssh/ssh_config ]; then
        SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
    fi
}

function change_website_settings {
    if [ ! "$SSL_PROTOCOLS" ]; then
        return
    fi
    if [ ! $SSL_CIPHERS ]; then
        return
    fi
    if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
        return
    fi
    if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
        return
    fi
    if [ ! -d $WEBSITES_DIRECTORY ]; then
        return
    fi

    cd $WEBSITES_DIRECTORY
    for file in `dir -d *` ; do
        sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
        sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
    done
    systemctl restart nginx
    echo $'Web security settings changed'
}

function change_imap_settings {
    if [ ! -f $DOVECOT_CIPHERS ]; then
        return
    fi
    if [ ! $SSL_CIPHERS ]; then
        return
    fi
    if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
        return
    fi
    sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
    sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
    systemctl restart dovecot
    echo $'imap security settings changed'
}

function change_ssh_settings {
    if [ -f /etc/ssh/ssh_config ]; then
        if [ $SSH_HOST_KEY_ALGORITHMS ]; then
            sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
            echo $'ssh client security settings changed'
        fi
    fi
    if [ -f $SSH_CONFIG ]; then
        if [ ! $SSH_CIPHERS ]; then
            return
        fi
        if [ ! $SSH_MACS ]; then
            return
        fi
        if [ ! $SSH_KEX ]; then
            return
        fi
        if [ ! $SSH_PASSWORDS ]; then
            SSH_PASSWORDS='yes'
        fi

        sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
        sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
        sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
        sed -i "s|#PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
        sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
        systemctl restart ssh
        echo $'ssh server security settings changed'
    fi
}

function change_xmpp_settings {
    if [ ! -f $XMPP_CONFIG ]; then
        return
    fi
    if [ ! $XMPP_CIPHERS ]; then
        return
    fi
    if [ ! $XMPP_ECC_CURVE ]; then
        return
    fi
    sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
    sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
    systemctl restart prosody
    echo $'xmpp security settings changed'
}

function allow_ssh_passwords {
    dialog --title $"SSH Passwords" \
           --backtitle $"Freedombone Security Configuration" \
           --yesno $"\nAllow SSH login using passwords?" 7 60
    sel=$?
    case $sel in
        0) SSH_PASSWORDS="yes";;
        1) SSH_PASSWORDS="no";;
        255) exit 0;;
    esac
}

function interactive_setup {
    if [ $SSL_CIPHERS ]; then
        data=$(tempfile 2>/dev/null)
        trap "rm -f $data" 0 1 2 5 15
        dialog --backtitle $"Freedombone Security Configuration" \
               --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
               $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
               $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
               2> $data
        sel=$?
        case $sel in
            1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
               SSL_CIPHERS=$(cat $data | sed -n 2p)
               ;;
            255) exit 0;;
        esac
    fi

    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    if [ $SSH_HOST_KEY_ALGORITHMS ]; then
        dialog --backtitle $"Freedombone Security Configuration" \
               --form $"\nSecure Shell Ciphers:" 13 95 4 \
               $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
               $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
               $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
               $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
               2> $data
        sel=$?
        case $sel in
            1) SSH_CIPHERS=$(cat $data | sed -n 1p)
               SSH_MACS=$(cat $data | sed -n 2p)
               SSH_KEX=$(cat $data | sed -n 3p)
               SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
               ;;
            255) exit 0;;
        esac
    else
        dialog --backtitle $"Freedombone Security Configuration" \
               --form $"\nSecure Shell Ciphers:" 11 95 3 \
               $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
               $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
               $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
               2> $data
        sel=$?
        case $sel in
            1) SSH_CIPHERS=$(cat $data | sed -n 1p)
               SSH_MACS=$(cat $data | sed -n 2p)
               SSH_KEX=$(cat $data | sed -n 3p)
               ;;
            255) exit 0;;
        esac
    fi

    if [ $XMPP_CIPHERS ]; then
        data=$(tempfile 2>/dev/null)
        trap "rm -f $data" 0 1 2 5 15
        dialog --backtitle $"Freedombone Security Configuration" \
               --form $"\nXMPP Ciphers:" 10 95 2 \
               $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
               $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
               2> $data
        sel=$?
        case $sel in
            1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
               XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
               ;;
            255) exit 0;;
        esac
    fi

    dialog --title $"Final Confirmation" \
           --backtitle $"Freedombone Security Configuration" \
           --defaultno \
           --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
    sel=$?
    case $sel in
        1) clear
           echo $'Exiting without changing security settings'
           exit 0;;
        255) clear
             echo $'Exiting without changing security settings'
             exit 0;;
    esac

    clear
}

function send_monkeysphere_server_keys_to_users {
    monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
            if [ ! -d /home/$USERNAME/.monkeysphere ]; then
                mkdir /home/$USERNAME/.monkeysphere
            fi
            echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys
            chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere
        fi
    done
}

function regenerate_ssh_host_keys {
    rm -f /etc/ssh/ssh_host_*
    dpkg-reconfigure openssh-server
    echo $'ssh host keys regenerated'
    # remove small moduli
    awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
    mv ~/moduli /etc/ssh/moduli
    echo $'ssh small moduli removed'
    # update monkeysphere
    DEFAULT_DOMAIN_NAME=
    read_config_param "DEFAULT_DOMAIN_NAME"
    monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
    SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
    monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
    monkeysphere-host publish-key
    send_monkeysphere_server_keys_to_users
    echo $'updated monkeysphere ssh host key'
    systemctl restart ssh
}

function regenerate_dh_keys {
    if [ ! -d /etc/ssl/mycerts ]; then
        echo $'No dhparam certificates were found'
        return
    fi

    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --backtitle "Freedombone Security Configuration" \
           --title "Diffie-Hellman key length" \
           --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
           1 "2048 bits" off \
           2 "3072 bits" on \
           3 "4096 bits" off 2> $data
    sel=$?
    case $sel in
        1) exit 1;;
        255) exit 1;;
    esac
    case $(cat $data) in
        1) DH_KEYLENGTH=2048;;
        2) DH_KEYLENGTH=3072;;
        3) DH_KEYLENGTH=4096;;
    esac

    ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
}

function renew_startssl {
    renew_domain=
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --title $"Renew a StartSSL certificate" \
           --backtitle $"Freedombone Security Settings" \
           --inputbox $"Enter the domain name" 8 60 2>$data
    sel=$?
    case $sel in
        0)
            renew_domain=$(<$data)
            ;;
    esac

    if [ ! $renew_domain ]; then
        return
    fi

    if [[ $renew_domain == "http"* ]]; then
        dialog --title $"Renew a StartSSL certificate" \
               --msgbox $"Don't include the https://" 6 40
        return
    fi

    if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
        dialog --title $"Renew a StartSSL certificate" \
               --msgbox $"An existing certificate for $renew_domain was not found" 6 40
        return
    fi

    if [[ $renew_domain != *"."* ]]; then
        dialog --title $"Renew a StartSSL certificate" \
               --msgbox $"Invalid domain name: $renew_domain" 6 40
        return
    fi

    ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl

    exit 0
}

function renew_letsencrypt {
    renew_domain=
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --title $"Renew a Let's Encrypt certificate" \
           --backtitle $"Freedombone Security Settings" \
           --inputbox $"Enter the domain name" 8 60 2>$data
    sel=$?
    case $sel in
        0)
            renew_domain=$(<$data)
            ;;
    esac

    if [ ! $renew_domain ]; then
        return
    fi

    if [[ $renew_domain == "http"* ]]; then
        dialog --title $"Renew a Let's Encrypt certificate" \
               --msgbox $"Don't include the https://" 6 40
        return
    fi

    if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
        dialog --title $"Renew a Let's Encrypt certificate" \
               --msgbox $"An existing certificate for $renew_domain was not found" 6 40
        return
    fi

    if [[ $renew_domain != *"."* ]]; then
        dialog --title $"Renew a Let's Encrypt certificate" \
               --msgbox $"Invalid domain name: $renew_domain" 6 40
        return
    fi

    ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'

    exit 0
}

function create_letsencrypt {
    new_domain=
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --title $"Create a new Let's Encrypt certificate" \
           --backtitle $"Freedombone Security Settings" \
           --inputbox $"Enter the domain name" 8 60 2>$data
    sel=$?
    case $sel in
        0)
            new_domain=$(<$data)
            ;;
    esac

    if [ ! $new_domain ]; then
        return
    fi

    if [[ $new_domain == "http"* ]]; then
        dialog --title $"Create a new Let's Encrypt certificate" \
               --msgbox $"Don't include the https://" 6 40
        return
    fi

    if [[ $new_domain != *"."* ]]; then
        dialog --title $"Create a new Let's Encrypt certificate" \
               --msgbox $"Invalid domain name: $new_domain" 6 40
        return
    fi

    if [ ! -d /var/www/${new_domain} ]; then
        domain_found=
        if [ -f /etc/nginx/sites-available/radicale ]; then
            if grep "${new_domain}" /etc/nginx/sites-available/radicale; then
                domain_found=1
            fi
        fi
        if [ -f /etc/nginx/sites-available/${new_domain} ]; then
            domain_found=1
        fi
        if [[ "${new_domain}" == "jitsi"* || "${new_domain}" == "meet"* ]]; then
            domain_found=1
        fi
        if [ ! $domain_found ]; then
            dialog --title $"Create a new Let's Encrypt certificate" \
                   --msgbox $'Domain not found within /var/www' 6 40
            return
        fi
    fi

    ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH

    exit 0
}

function update_ciphersuite {
    RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"
    if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
        return
    fi

    RECOMMENDED_SSL_PROTOCOLS="$SSL_PROTOCOLS"
    if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then
        return
    fi

    RECOMMENDED_SSH_CIPHERS="$SSH_CIPHERS"
    if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then
        return
    fi

    RECOMMENDED_SSH_MACS="$SSH_MACS"
    if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then
        return
    fi

    RECOMMENDED_SSH_KEX="$SSH_KEX"
    if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then
        return
    fi

    cd $WEBSITES_DIRECTORY
    for file in `dir -d *` ; do
        sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
        sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
    done
    systemctl restart nginx
    write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"
    write_config_param "SSL_CIPHERS" "$RECOMMENDED_SSL_CIPHERS"

    sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG
    sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG
    sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG
    systemctl restart ssh

    write_config_param "SSH_CIPHERS" "$RECOMMENDED_SSH_CIPHERS"
    write_config_param "SSH_MACS" "$RECOMMENDED_SSH_MACS"
    write_config_param "SSH_KEX" "$RECOMMENDED_SSH_KEX"

    dialog --title $"Update ciphersuite" \
           --msgbox $"The ciphersuite has been updated to recommended versions" 6 40
    exit 0
}

function gpg_pubkey_from_email {
    key_owner_username=$1
    key_email_address=$2
    key_id=
    if [[ $key_owner_username != "root" ]]; then
        key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
    else
        key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
    fi
    echo $key_id
}

function enable_monkeysphere {
    monkey=
    dialog --title $"GPG based authentication" \
           --backtitle $"Freedombone Security Configuration" \
           --defaultno \
           --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60
    sel=$?
    case $sel in
        0) monkey='yes';;
        255) exit 0;;
    esac

    if [ $monkey ]; then
        read_config_param "MY_USERNAME"

        if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then
            dialog --title $"GPG based authentication" \
                   --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40
            exit 0
        fi

        MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
        if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
            echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'
            exit 52825
        fi

        sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
        sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config
        monkeysphere-authentication update-users

        # The admin user is the identity certifier
        fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')
        monkeysphere-authentication add-identity-certifier $fpr
        monkeysphere-host publish-key
        send_monkeysphere_server_keys_to_users
    else
        sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
        sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config
    fi

    systemctl restart ssh

    if [ $monkey ]; then
        dialog --title $"GPG based authentication" \
               --msgbox $"GPG based authentication was enabled" 6 40
    else
        dialog --title $"GPG based authentication" \
               --msgbox $"GPG based authentication was disabled" 6 40
    fi
    exit 0
}

function register_website {
    domain="$1"

    if [[ ${domain} == *".local" ]]; then
        echo $"Can't register local domains"
        return
    fi

    if [ ! -f /etc/ssl/private/${domain}.key ]; then
        echo $"No SSL/TLS private key found for ${domain}"
        return
    fi

    if [ ! -f /etc/nginx/sites-available/${domain} ]; then
        echo $"No virtual host found for ${domain}"
        return
    fi

    monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}
    monkeysphere-host publish-key
    echo "0"
}

function register_website_interactive {
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --title $"Register a website with monkeysphere" \
           --backtitle $"Freedombone Security Settings" \
           --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
    sel=$?
    case $sel in
        0)
            domain=$(<$data)
            register_website "$domain"
            if [ ! "$?" = "0" ]; then
                dialog --title $"Register a website with monkeysphere" \
                       --msgbox "$?" 6 40
            else
                dialog --title $"Register a website with monkeysphere" \
                       --msgbox $"$domain has been registered" 6 40
            fi
            ;;
    esac
}

function pin_all_tls_certs {
    ${PROJECT_NAME}-pin-cert all
}

function remove_pinning {
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --title $"Remove pinning for a domain" \
           --backtitle $"Freedombone Security Settings" \
           --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
    sel=$?
    case $sel in
        0)
            domain=$(<$data)
            ${PROJECT_NAME}-pin-cert "$domain" remove
            if [ ! "$?" = "0" ]; then
                dialog --title $"Removed pinning from $domain" \
                       --msgbox "$?" 6 40
            fi
            ;;
    esac
}

function store_passwords {
    dialog --title $"Store Passwords" \
           --backtitle $"Freedombone Security Configuration" \
           --yesno $"\nDo you wish to store passwords on the system? Stored passwords are convenient but carry some additional security risk." 10 60
    sel=$?
    case $sel in
        0)
            if [ -f /root/.nostore ]; then
                read_config_param "MY_USERNAME"
                if [ ! -f /home/$MY_USERNAME/.ssh/authorized_keys ]; then
                    dialog --title $"Store Passwords" \
                           --msgbox $"\nYou should first enable key based ssh login to improve security" 8 60
                    return
                fi
                if [[ $SSH_PASSWORDS == 'yes' ]]; then
                    dialog --title $"Store Passwords" \
                           --msgbox $"\nYou should disable ssh passwords to improve security" 8 60
                    return
                fi
                ${PROJECT_NAME}-pass --enable yes
                dialog --title $"Store Passwords" \
                       --msgbox $"\nUser passwords will now be stored on the system" 8 60
            fi
            return
            ;;
        1)
            ${PROJECT_NAME}-pass --clear yes
            dialog --title $"Passwords were removed and will not be stored" \
                   --msgbox $"\nFor the best security you should now manually change passwords via web interfaces so that there is no possibility of them being recovered from the disk" 9 60
            return
            ;;
        255) return;;
    esac
}

function show_tor_bridges {
    clear
    bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
    if [ ${#bridges_list} -eq 0 ]; then
        echo $'No Tor bridges have been added'
        return
    fi
    echo "${bridges_list}"
}

function add_tor_bridge {
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --backtitle $"Freedombone Control Panel" \
           --title $"Add obfs4 Tor bridge" \
           --form "\n" 9 60 4 \
           $"IP address:   " 1 1 "   .   .   .   " 1 17 16 16 \
           $"Port:         " 2 1 "" 2 17 8 8 \
           $"Key/Nickname: " 3 1 "" 3 17 250 250 \
           2> $data
    sel=$?
    case $sel in
        1) return;;
        255) return;;
    esac
    bridge_ip_address=$(cat $data | sed -n 1p)
    bridge_port=$(cat $data | sed -n 2p)
    bridge_key=$(cat $data | sed -n 3p)
    if [[ "${bridge_ip_address}" == *" "* ]]; then
        return
    fi
    if [[ "${bridge_ip_address}" != *"."* ]]; then
        return
    fi
    if [ ${#bridge_port} -eq 0 ]; then
        return
    fi
    if [ ${#bridge_key} -eq 0 ]; then
        return
    fi
    tor_add_bridge "${bridge_ip_address}" "${bridge_port}" "${bridge_key}"
    dialog --title $"Add obfs4 Tor bridge" \
           --msgbox $"Bridge added" 6 40
}

function remove_tor_bridge {
    bridge_removed=
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --title $"Remove obfs4 Tor bridge" \
           --backtitle $"Freedombone Control Panel" \
           --inputbox $"Enter the IP address, key or Nickname of the bridge" 8 65 2>$data
    sel=$?
    case $sel in
        0)
            response=$(<$data)
            if [ ${#response} -gt 2 ]; then
                if [[ "${response}" != *" "* ]]; then
                    if [[ "${response}" == *"."* ]]; then
                        if grep "Bridge ${response}" /etc/tor/torrc; then
                            tor_remove_bridge "${response}"
                            bridge_removed=1
                        fi
                    else
                        if grep " $response" /etc/tor/torrc; then
                            tor_remove_bridge "${response}"
                            bridge_removed=1
                        fi
                    fi
                fi
            fi
            ;;
    esac
    if [ $bridge_removed ]; then
        dialog --title $"Remove obfs4 Tor bridge" \
               --msgbox $"Bridge removed" 6 40
    fi
}

function add_tor_bridge_relay {
    read_config_param 'TOR_BRIDGE_NICKNAME'
    read_config_param 'TOR_BRIDGE_PORT'

    # remove any previous bridge port from the firewall
    if [ ${#TOR_BRIDGE_PORT} -gt 0 ]; then
        firewall_remove $TOR_BRIDGE_PORT tcp
    fi

    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --backtitle $"Freedombone Control Panel" \
           --title $"Become an obfs4 Tor bridge relay" \
           --form "\n" 8 60 2 \
           $"Bridge Nickname: " 1 1 "$TOR_BRIDGE_NICKNAME" 1 20 250 250 \
           2> $data
    sel=$?
    case $sel in
        1) return;;
        255) return;;
    esac
    bridge_nickname=$(cat $data | sed -n 1p)
    if [[ "${bridge_nickname}" == *" "* ]]; then
        return
    fi
    if [ ${#bridge_nickname} -eq 0 ]; then
        return
    fi
    TOR_BRIDGE_NICKNAME="$bridge_nickname"
    TOR_BRIDGE_PORT=$((20000 + RANDOM % 40000))
    write_config_param 'TOR_BRIDGE_NICKNAME' "$TOR_BRIDGE_NICKNAME"
    write_config_param 'TOR_BRIDGE_PORT' "$TOR_BRIDGE_PORT"
    tor_create_bridge_relay
    dialog --title $"You are now an obfs4 Tor bridge relay" \
           --msgbox $"\nIP address: $(get_ipv4_address)\n\nPort: ${TOR_BRIDGE_PORT}\n\nNickname: ${TOR_BRIDGE_NICKNAME}" 10 65
}

function remove_tor_bridge_relay {
    tor_remove_bridge_relay
    dialog --title $"Remove Tor bridge relay" \
           --msgbox $"Bridge relay removed" 10 60
}

function menu_tor_bridges {
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --backtitle $"Freedombone Control Panel" \
           --title $"Tor Bridges" \
           --radiolist $"Choose an operation:" 14 50 6 \
           1 $"Show bridges" off \
           2 $"Add a bridge" off \
           3 $"Remove a bridge" off \
           4 $"Make this system into a bridge" off \
           5 $"Stop being a bridge" off \
           6 $"Go Back/Exit" on 2> $data
    sel=$?
    case $sel in
        1) exit 1;;
        255) exit 1;;
    esac

    case $(cat $data) in
        1)
            show_tor_bridges
            exit 0
            ;;
        2)
            add_tor_bridge
            exit 0
            ;;
        3)
            remove_tor_bridge
            exit 0
            ;;
        4)
            add_tor_bridge_relay
            exit 0
            ;;
        5)
            remove_tor_bridge_relay
            exit 0
            ;;
        6)
            exit 0
            ;;
    esac
}

function menu_security_settings {
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --backtitle $"Freedombone Control Panel" \
           --title $"Security Settings" \
           --radiolist $"Choose an operation:" 21 76 21 \
           1 $"Run STIG tests" off \
           2 $"Show ssh host public key" off \
           3 $"Tor bridges" off \
           4 $"Password storage" off \
           5 $"Export passwords" off \
           6 $"Regenerate ssh host keys" off \
           7 $"Regenerate Diffie-Hellman keys" off \
           8 $"Update cipersuite" off \
           9 $"Create a new Let's Encrypt certificate" off \
           10 $"Renew Let's Encrypt certificate" off \
           11 $"Enable GPG based authentication (monkeysphere)" off \
           12 $"Register a website with monkeysphere" off \
           13 $"Allow ssh login with passwords" off \
           14 $"Go Back/Exit" on 2> $data
    sel=$?
    case $sel in
        1) exit 1;;
        255) exit 1;;
    esac

    clear

    read_config_param SSL_CIPHERS
    read_config_param SSL_PROTOCOLS
    read_config_param SSH_CIPHERS
    read_config_param SSH_MACS
    read_config_param SSH_KEX

    get_imap_settings
    get_ssh_settings
    get_xmpp_settings
    import_settings
    export_settings

    case $(cat $data) in
        1)
            clear
            echo $'Running STIG tests...'
            echo ''
            ${PROJECT_NAME}-tests --stig showall
            exit 0
            ;;
        2)
            dialog --title $"SSH host public keys" \
                   --msgbox "\n$(get_ssh_server_key)" 12 60
            exit 0
            ;;
        3)
            menu_tor_bridges
            exit 0
            ;;
        4)
            store_passwords
            exit 0
            ;;
        5)
            export_passwords
            exit 0
            ;;
        6)
            regenerate_ssh_host_keys
            ;;
        7)
            regenerate_dh_keys
            ;;
        8)
            interactive_setup
            update_ciphersuite
            ;;
        9)
            create_letsencrypt
            ;;
        10)
            renew_letsencrypt
            ;;
        11)
            enable_monkeysphere
            ;;
        12)
            register_website
            ;;
        13)
            allow_ssh_passwords
            change_ssh_settings
            exit 0
            ;;
        14)
            exit 0
            ;;
    esac

    change_website_settings
    change_imap_settings
    change_ssh_settings
    change_xmpp_settings
}

function import_settings {
    cd $CURRENT_DIR

    if [ ! $IMPORT_FILE ]; then
        return
    fi

    if [ ! -f $IMPORT_FILE ]; then
        echo $"Import file $IMPORT_FILE not found"
        exit 6393
    fi

    if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
        TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
        if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
            SSL_PROTOCOLS=$TEMP_VALUE
        fi
    fi
    if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
        TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
        if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
            SSL_CIPHERS=$TEMP_VALUE
        fi
    fi
    if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
        TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
        if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
            SSH_CIPHERS=$TEMP_VALUE
        fi
    fi
    if grep -q "SSH_MACS" $IMPORT_FILE; then
        TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
        if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
            SSH_MACS=$TEMP_VALUE
        fi
    fi
    if grep -q "SSH_KEX" $IMPORT_FILE; then
        TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
        if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
            SSH_KEX=$TEMP_VALUE
        fi
    fi
    if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
        TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
        if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
            SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
        fi
    fi
    if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
        TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
        if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
            SSH_PASSWORDS=$TEMP_VALUE
        fi
    fi
    if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
        TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
        if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
            XMPP_CIPHERS=$TEMP_VALUE
        fi
    fi
    if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
        TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
        if [ ${#TEMP_VALUE} -gt 3 ]; then
            XMPP_ECC_CURVE=$TEMP_VALUE
        fi
    fi
}

function export_settings {
    if [ ! $EXPORT_FILE ]; then
        return
    fi

    cd $CURRENT_DIR

    if [ ! -f $EXPORT_FILE ]; then
        if [ "$SSL_PROTOCOLS" ]; then
            echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
        fi
        if [ $SSL_CIPHERS ]; then
            echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
        fi
        if [ $SSH_CIPHERS ]; then
            echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
        fi
        if [ $SSH_MACS ]; then
            echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
        fi
        if [ $SSH_KEX ]; then
            echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
        fi
        if [ $SSH_HOST_KEY_ALGORITHMS ]; then
            echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
        fi
        if [ $SSH_PASSWORDS ]; then
            echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
        fi
        if [ $XMPP_CIPHERS ]; then
            echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
        fi
        if [ $XMPP_ECC_CURVE ]; then
            echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
        fi
        echo "Security settings exported to $EXPORT_FILE"
        exit 0
    fi

    if [ "$SSL_PROTOCOLS" ]; then
        if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
            sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
        else
            echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
        fi
    fi
    if [ $SSL_CIPHERS ]; then
        if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
            sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
        else
            echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
        fi
    fi
    if [ $SSH_CIPHERS ]; then
        if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
            sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
        else
            echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
        fi
    fi
    if [ $SSH_MACS ]; then
        if grep -q "SSH_MACS" $EXPORT_FILE; then
            sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
        else
            echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
        fi
    fi
    if [ $SSH_KEX ]; then
        if grep -q "SSH_KEX" $EXPORT_FILE; then
            sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
        else
            echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
        fi
    fi
    if [ $SSH_HOST_KEY_ALGORITHMS ]; then
        if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
            sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
        else
            echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
        fi
    fi
    if [ $SSH_PASSWORDS ]; then
        if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
            sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
        else
            echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
        fi
    fi
    if [ $XMPP_CIPHERS ]; then
        if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
            sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
        else
            echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
        fi
    fi
    if [ $XMPP_ECC_CURVE ]; then
        if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
            sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
        else
            echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
        fi
    fi
    echo $"Security settings exported to $EXPORT_FILE"
    exit 0
}

function refresh_gpg_keys {
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
            su -c 'gpg --refresh-keys' - $USERNAME
        fi
    done
    exit 0
}

function monkeysphere_sign_server_keys {
    server_keys_file=/home/$USER/.monkeysphere/server_keys
    if [ ! -f $server_keys_file ]; then
        exit 0
    fi

    keys_signed=
    while read line; do
        echo $line
        if [ ${#line} -gt 2 ]; then
            fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')
            if [ ${#fpr} -gt 2 ]; then
                gpg --sign-key $fpr
                if [ "$?" = "0" ]; then
                    gpg --update-trustdb
                    keys_signed=1
                fi
            fi
        fi
    done <$server_keys_file

    if [ $keys_signed ]; then
        rm $server_keys_file
    fi
    exit 0
}

function htmly_hash {
    # produces a hash corresponding to a htmly password
    pass="$1"
    HTMLYHASH_FILENAME=/usr/bin/htmlyhash

    echo '<?php' > $HTMLYHASH_FILENAME
    echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $HTMLYHASH_FILENAME
    echo '$password = $_GET["password"];' >> $HTMLYHASH_FILENAME
    echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $HTMLYHASH_FILENAME
    echo 'if (password_verify($password, $hash)) {' >> $HTMLYHASH_FILENAME
    echo '  echo $hash;' >> $HTMLYHASH_FILENAME
    echo '}' >> $HTMLYHASH_FILENAME
    echo '?>' >> $HTMLYHASH_FILENAME

    php $HTMLYHASH_FILENAME password="$pass"
}

function show_help {
    echo ''
    echo "${PROJECT_NAME}-sec"
    echo ''
    echo $'Alters the security settings'
    echo ''
    echo ''
    echo $'  -h --help                 Show help'
    echo $'  -e --export               Export security settings to a file'
    echo $'  -i --import               Import security settings from a file'
    echo $'  -r --refresh              Refresh GPG keys for all users'
    echo $'  -s --sign                 Sign monkeysphere server keys'
    echo $'     --register [domain]    Register a https domain with monkeysphere'
    echo $'  -b --htmlyhash [password] Returns the hash of a password for a htmly blog'
    echo ''
    exit 0
}


# Get the commandline options
while [[ $# > 1 ]]
do
    key="$1"

    case $key in
        -h|--help)
            show_help
            ;;
        # Export settings
        -e|--export)
            shift
            EXPORT_FILE="$1"
            ;;
        # Export settings
        -i|--import)
            shift
            IMPORT_FILE="$1"
            ;;
        # Refresh GPG keys
        -r|--refresh)
            shift
            refresh_gpg_keys
            ;;
        # register a website
        --register|--reg|--site)
            shift
            register_website "$1"
            ;;
        # user signs monkeysphere server keys
        -s|--sign)
            shift
            monkeysphere_sign_server_keys
            ;;
        # get a hash of the given htmly password
        -b|--htmlyhash)
            shift
            htmly_hash "$1"
            exit 0
            ;;
        *)
            # unknown option
            ;;
    esac
    shift
done

menu_security_settings

exit 0