freedombone-sec 42KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Alters the security settings
  12. #
  13. # License
  14. # =======
  15. #
  16. # Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
  17. #
  18. # This program is free software: you can redistribute it and/or modify
  19. # it under the terms of the GNU Affero General Public License as published by
  20. # the Free Software Foundation, either version 3 of the License, or
  21. # (at your option) any later version.
  22. #
  23. # This program is distributed in the hope that it will be useful,
  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  26. # GNU Affero General Public License for more details.
  27. #
  28. # You should have received a copy of the GNU Affero General Public License
  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  30. PROJECT_NAME='freedombone'
  31. export TEXTDOMAIN=${PROJECT_NAME}-sec
  32. export TEXTDOMAINDIR="/usr/share/locale"
  33. CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg
  34. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
  35. UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
  36. for f in $UTILS_FILES
  37. do
  38. source $f
  39. done
  40. SSL_PROTOCOLS=
  41. SSL_CIPHERS=
  42. SSH_CIPHERS=
  43. SSH_MACS=
  44. SSH_KEX=
  45. SSH_HOST_KEY_ALGORITHMS=
  46. SSH_PASSWORDS=
  47. XMPP_CIPHERS=
  48. XMPP_ECC_CURVE=
  49. WEBSITES_DIRECTORY='/etc/nginx/sites-available'
  50. DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
  51. SSH_CONFIG='/etc/ssh/sshd_config'
  52. XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'
  53. MINIMUM_LENGTH=6
  54. IMPORT_FILE=
  55. EXPORT_FILE=
  56. CURRENT_DIR=$(pwd)
  57. DH_KEYLENGTH=2048
  58. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
  59. MY_USERNAME=
  60. function export_passwords {
  61. detect_usb_drive
  62. data=$(tempfile 2>/dev/null)
  63. trap "rm -f $data" 0 1 2 5 15
  64. dialog --title $"Export passwords to USB drive $USB_DRIVE" \
  65. --backtitle $"Security Settings" \
  66. --defaultno \
  67. --yesno $"\nPlease confirm that you wish to export passwords to a LUKS formatted USB drive. The drive should be plugged in." 10 60
  68. sel=$?
  69. case $sel in
  70. 1) return;;
  71. 255) return;;
  72. esac
  73. data=$(tempfile 2>/dev/null)
  74. trap "rm -f $data" 0 1 2 5 15
  75. dialog --title $"Export passwords to USB drive $USB_DRIVE" \
  76. --backtitle $"Security Settings" \
  77. --defaultno \
  78. --yesno $"\nDo you need to format the drive as LUKS encrypted?" 12 60
  79. sel=$?
  80. case $sel in
  81. 0) ${PROJECT_NAME}-format $USB_DRIVE;;
  82. esac
  83. clear
  84. backup_mount_drive ${USB_DRIVE}
  85. ${PROJECT_NAME}-pass --export ${USB_MOUNT}/${PROJECT_NAME}-passwords.xml
  86. backup_unmount_drive ${USB_DRIVE}
  87. }
  88. function get_protocols_from_website {
  89. if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
  90. return
  91. fi
  92. SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
  93. }
  94. function get_ciphers_from_website {
  95. if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
  96. return
  97. fi
  98. SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
  99. }
  100. function get_imap_settings {
  101. if [ ! -f $DOVECOT_CIPHERS ]; then
  102. return
  103. fi
  104. # clear commented out cipher list
  105. sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
  106. if [ $SSL_CIPHERS ]; then
  107. return
  108. fi
  109. if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
  110. return
  111. fi
  112. SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
  113. }
  114. function get_xmpp_settings {
  115. if [ ! -f $XMPP_CONFIG ]; then
  116. return
  117. fi
  118. XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  119. XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  120. }
  121. function get_ssh_settings {
  122. if [ -f $SSH_CONFIG ]; then
  123. SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
  124. fi
  125. if [ -f /etc/ssh/ssh_config ]; then
  126. SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
  127. fi
  128. }
  129. function change_website_settings {
  130. if [ ! "$SSL_PROTOCOLS" ]; then
  131. return
  132. fi
  133. if [ ! $SSL_CIPHERS ]; then
  134. return
  135. fi
  136. if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
  137. return
  138. fi
  139. if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
  140. return
  141. fi
  142. if [ ! -d $WEBSITES_DIRECTORY ]; then
  143. return
  144. fi
  145. cd $WEBSITES_DIRECTORY
  146. for file in `dir -d *` ; do
  147. sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
  148. sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  149. done
  150. systemctl restart nginx
  151. echo $'Web security settings changed'
  152. }
  153. function change_imap_settings {
  154. if [ ! -f $DOVECOT_CIPHERS ]; then
  155. return
  156. fi
  157. if [ ! $SSL_CIPHERS ]; then
  158. return
  159. fi
  160. if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
  161. return
  162. fi
  163. sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
  164. sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
  165. systemctl restart dovecot
  166. echo $'imap security settings changed'
  167. }
  168. function change_ssh_settings {
  169. if [ -f /etc/ssh/ssh_config ]; then
  170. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  171. sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
  172. echo $'ssh client security settings changed'
  173. fi
  174. fi
  175. if [ -f $SSH_CONFIG ]; then
  176. if [ ! $SSH_CIPHERS ]; then
  177. return
  178. fi
  179. if [ ! $SSH_MACS ]; then
  180. return
  181. fi
  182. if [ ! $SSH_KEX ]; then
  183. return
  184. fi
  185. if [ ! $SSH_PASSWORDS ]; then
  186. SSH_PASSWORDS='yes'
  187. fi
  188. sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
  189. sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
  190. sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
  191. sed -i "s|#PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
  192. sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
  193. systemctl restart ssh
  194. echo $'ssh server security settings changed'
  195. fi
  196. }
  197. function change_xmpp_settings {
  198. if [ ! -f $XMPP_CONFIG ]; then
  199. return
  200. fi
  201. if [ ! $XMPP_CIPHERS ]; then
  202. return
  203. fi
  204. if [ ! $XMPP_ECC_CURVE ]; then
  205. return
  206. fi
  207. sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
  208. sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
  209. systemctl restart prosody
  210. echo $'xmpp security settings changed'
  211. }
  212. function allow_ssh_passwords {
  213. dialog --title $"SSH Passwords" \
  214. --backtitle $"Freedombone Security Configuration" \
  215. --yesno $"\nAllow SSH login using passwords?" 7 60
  216. sel=$?
  217. case $sel in
  218. 0) SSH_PASSWORDS="yes";;
  219. 1) SSH_PASSWORDS="no";;
  220. 255) exit 0;;
  221. esac
  222. }
  223. function interactive_setup {
  224. if [ $SSL_CIPHERS ]; then
  225. data=$(tempfile 2>/dev/null)
  226. trap "rm -f $data" 0 1 2 5 15
  227. dialog --backtitle $"Freedombone Security Configuration" \
  228. --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
  229. $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
  230. $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
  231. 2> $data
  232. sel=$?
  233. case $sel in
  234. 1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
  235. SSL_CIPHERS=$(cat $data | sed -n 2p)
  236. ;;
  237. 255) exit 0;;
  238. esac
  239. fi
  240. data=$(tempfile 2>/dev/null)
  241. trap "rm -f $data" 0 1 2 5 15
  242. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  243. dialog --backtitle $"Freedombone Security Configuration" \
  244. --form $"\nSecure Shell Ciphers:" 13 95 4 \
  245. $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
  246. $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
  247. $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
  248. $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
  249. 2> $data
  250. sel=$?
  251. case $sel in
  252. 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
  253. SSH_MACS=$(cat $data | sed -n 2p)
  254. SSH_KEX=$(cat $data | sed -n 3p)
  255. SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
  256. ;;
  257. 255) exit 0;;
  258. esac
  259. else
  260. dialog --backtitle $"Freedombone Security Configuration" \
  261. --form $"\nSecure Shell Ciphers:" 11 95 3 \
  262. $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
  263. $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
  264. $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
  265. 2> $data
  266. sel=$?
  267. case $sel in
  268. 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
  269. SSH_MACS=$(cat $data | sed -n 2p)
  270. SSH_KEX=$(cat $data | sed -n 3p)
  271. ;;
  272. 255) exit 0;;
  273. esac
  274. fi
  275. if [ $XMPP_CIPHERS ]; then
  276. data=$(tempfile 2>/dev/null)
  277. trap "rm -f $data" 0 1 2 5 15
  278. dialog --backtitle $"Freedombone Security Configuration" \
  279. --form $"\nXMPP Ciphers:" 10 95 2 \
  280. $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
  281. $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
  282. 2> $data
  283. sel=$?
  284. case $sel in
  285. 1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
  286. XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
  287. ;;
  288. 255) exit 0;;
  289. esac
  290. fi
  291. dialog --title $"Final Confirmation" \
  292. --backtitle $"Freedombone Security Configuration" \
  293. --defaultno \
  294. --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
  295. sel=$?
  296. case $sel in
  297. 1) clear
  298. echo $'Exiting without changing security settings'
  299. exit 0;;
  300. 255) clear
  301. echo $'Exiting without changing security settings'
  302. exit 0;;
  303. esac
  304. clear
  305. }
  306. function send_monkeysphere_server_keys_to_users {
  307. monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')
  308. for d in /home/*/ ; do
  309. USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
  310. if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
  311. if [ ! -d /home/$USERNAME/.monkeysphere ]; then
  312. mkdir /home/$USERNAME/.monkeysphere
  313. fi
  314. echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys
  315. chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere
  316. fi
  317. done
  318. }
  319. function regenerate_ssh_host_keys {
  320. rm -f /etc/ssh/ssh_host_*
  321. dpkg-reconfigure openssh-server
  322. echo $'ssh host keys regenerated'
  323. # remove small moduli
  324. awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
  325. mv ~/moduli /etc/ssh/moduli
  326. echo $'ssh small moduli removed'
  327. # update monkeysphere
  328. DEFAULT_DOMAIN_NAME=
  329. read_config_param "DEFAULT_DOMAIN_NAME"
  330. monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
  331. SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
  332. monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
  333. monkeysphere-host publish-key
  334. send_monkeysphere_server_keys_to_users
  335. echo $'updated monkeysphere ssh host key'
  336. systemctl restart ssh
  337. }
  338. function regenerate_dh_keys {
  339. if [ ! -d /etc/ssl/mycerts ]; then
  340. echo $'No dhparam certificates were found'
  341. return
  342. fi
  343. data=$(tempfile 2>/dev/null)
  344. trap "rm -f $data" 0 1 2 5 15
  345. dialog --backtitle "Freedombone Security Configuration" \
  346. --title "Diffie-Hellman key length" \
  347. --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
  348. 1 "2048 bits" off \
  349. 2 "3072 bits" on \
  350. 3 "4096 bits" off 2> $data
  351. sel=$?
  352. case $sel in
  353. 1) exit 1;;
  354. 255) exit 1;;
  355. esac
  356. case $(cat $data) in
  357. 1) DH_KEYLENGTH=2048;;
  358. 2) DH_KEYLENGTH=3072;;
  359. 3) DH_KEYLENGTH=4096;;
  360. esac
  361. ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
  362. }
  363. function renew_startssl {
  364. renew_domain=
  365. data=$(tempfile 2>/dev/null)
  366. trap "rm -f $data" 0 1 2 5 15
  367. dialog --title $"Renew a StartSSL certificate" \
  368. --backtitle $"Freedombone Security Settings" \
  369. --inputbox $"Enter the domain name" 8 60 2>$data
  370. sel=$?
  371. case $sel in
  372. 0)
  373. renew_domain=$(<$data)
  374. ;;
  375. esac
  376. if [ ! $renew_domain ]; then
  377. return
  378. fi
  379. if [[ $renew_domain == "http"* ]]; then
  380. dialog --title $"Renew a StartSSL certificate" \
  381. --msgbox $"Don't include the https://" 6 40
  382. return
  383. fi
  384. if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
  385. dialog --title $"Renew a StartSSL certificate" \
  386. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  387. return
  388. fi
  389. if [[ $renew_domain != *"."* ]]; then
  390. dialog --title $"Renew a StartSSL certificate" \
  391. --msgbox $"Invalid domain name: $renew_domain" 6 40
  392. return
  393. fi
  394. ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
  395. exit 0
  396. }
  397. function renew_letsencrypt {
  398. renew_domain=
  399. data=$(tempfile 2>/dev/null)
  400. trap "rm -f $data" 0 1 2 5 15
  401. dialog --title $"Renew a Let's Encrypt certificate" \
  402. --backtitle $"Freedombone Security Settings" \
  403. --inputbox $"Enter the domain name" 8 60 2>$data
  404. sel=$?
  405. case $sel in
  406. 0)
  407. renew_domain=$(<$data)
  408. ;;
  409. esac
  410. if [ ! $renew_domain ]; then
  411. return
  412. fi
  413. if [[ $renew_domain == "http"* ]]; then
  414. dialog --title $"Renew a Let's Encrypt certificate" \
  415. --msgbox $"Don't include the https://" 6 40
  416. return
  417. fi
  418. if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
  419. dialog --title $"Renew a Let's Encrypt certificate" \
  420. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  421. return
  422. fi
  423. if [[ $renew_domain != *"."* ]]; then
  424. dialog --title $"Renew a Let's Encrypt certificate" \
  425. --msgbox $"Invalid domain name: $renew_domain" 6 40
  426. return
  427. fi
  428. ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
  429. exit 0
  430. }
  431. function delete_letsencrypt {
  432. delete_domain=
  433. data=$(tempfile 2>/dev/null)
  434. trap "rm -f $data" 0 1 2 5 15
  435. dialog --title $"Delete a Let's Encrypt certificate" \
  436. --backtitle $"Freedombone Security Settings" \
  437. --inputbox $"Enter the domain name" 8 60 2>$data
  438. sel=$?
  439. case $sel in
  440. 0)
  441. delete_domain=$(<$data)
  442. ;;
  443. esac
  444. if [ ! $delete_domain ]; then
  445. return
  446. fi
  447. if [[ $delete_domain == "http"* ]]; then
  448. dialog --title $"Delete a Let's Encrypt certificate" \
  449. --msgbox $"Don't include the https://" 6 40
  450. return
  451. fi
  452. if [ ! -f /etc/ssl/certs/${delete_domain}.dhparam ]; then
  453. dialog --title $"Delete a Let's Encrypt certificate" \
  454. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  455. return
  456. fi
  457. if [[ $delete_domain != *"."* ]]; then
  458. dialog --title $"Delete a Let's Encrypt certificate" \
  459. --msgbox $"Invalid domain name: $delete_domain" 6 40
  460. return
  461. fi
  462. dialog --title $"Delete a Let's Encrypt certificate" \
  463. --backtitle $"Freedombone Security Settings" \
  464. --defaultno \
  465. --yesno $"\nConfirm deletion of the TLS certificate for $delete_domain ?" 7 60
  466. sel=$?
  467. case $sel in
  468. 0) ${PROJECT_NAME}-addcert -r $delete_domain;;
  469. 255) exit 0;;
  470. esac
  471. exit 0
  472. }
  473. function create_letsencrypt {
  474. new_domain=
  475. data=$(tempfile 2>/dev/null)
  476. trap "rm -f $data" 0 1 2 5 15
  477. dialog --title $"Create a new Let's Encrypt certificate" \
  478. --backtitle $"Freedombone Security Settings" \
  479. --inputbox $"Enter the domain name" 8 60 2>$data
  480. sel=$?
  481. case $sel in
  482. 0)
  483. new_domain=$(<$data)
  484. ;;
  485. esac
  486. if [ ! $new_domain ]; then
  487. return
  488. fi
  489. if [[ $new_domain == "http"* ]]; then
  490. dialog --title $"Create a new Let's Encrypt certificate" \
  491. --msgbox $"Don't include the https://" 6 40
  492. return
  493. fi
  494. if [[ $new_domain != *"."* ]]; then
  495. dialog --title $"Create a new Let's Encrypt certificate" \
  496. --msgbox $"Invalid domain name: $new_domain" 6 40
  497. return
  498. fi
  499. if [ ! -d /var/www/${new_domain} ]; then
  500. domain_found=
  501. if [ -f /etc/nginx/sites-available/radicale ]; then
  502. if grep "${new_domain}" /etc/nginx/sites-available/radicale; then
  503. domain_found=1
  504. fi
  505. fi
  506. if [ -f /etc/nginx/sites-available/${new_domain} ]; then
  507. domain_found=1
  508. fi
  509. if [[ "${new_domain}" == "jitsi"* || "${new_domain}" == "meet"* ]]; then
  510. domain_found=1
  511. fi
  512. if [ ! $domain_found ]; then
  513. dialog --title $"Create a new Let's Encrypt certificate" \
  514. --msgbox $'Domain not found within /var/www' 6 40
  515. return
  516. fi
  517. fi
  518. ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
  519. exit 0
  520. }
  521. function update_ciphersuite {
  522. RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"
  523. if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
  524. return
  525. fi
  526. RECOMMENDED_SSL_PROTOCOLS="$SSL_PROTOCOLS"
  527. if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then
  528. return
  529. fi
  530. RECOMMENDED_SSH_CIPHERS="$SSH_CIPHERS"
  531. if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then
  532. return
  533. fi
  534. RECOMMENDED_SSH_MACS="$SSH_MACS"
  535. if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then
  536. return
  537. fi
  538. RECOMMENDED_SSH_KEX="$SSH_KEX"
  539. if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then
  540. return
  541. fi
  542. cd $WEBSITES_DIRECTORY
  543. for file in `dir -d *` ; do
  544. sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
  545. if ! grep -q "Mobile compatible ciphers" $WEBSITES_DIRECTORY/$file; then
  546. sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  547. else
  548. sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS_MOBILE';|g" $WEBSITES_DIRECTORY/$file
  549. fi
  550. done
  551. systemctl restart nginx
  552. write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"
  553. write_config_param "SSL_CIPHERS" "$RECOMMENDED_SSL_CIPHERS"
  554. sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG
  555. sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG
  556. sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG
  557. systemctl restart ssh
  558. write_config_param "SSH_CIPHERS" "$RECOMMENDED_SSH_CIPHERS"
  559. write_config_param "SSH_MACS" "$RECOMMENDED_SSH_MACS"
  560. write_config_param "SSH_KEX" "$RECOMMENDED_SSH_KEX"
  561. dialog --title $"Update ciphersuite" \
  562. --msgbox $"The ciphersuite has been updated to recommended versions" 6 40
  563. exit 0
  564. }
  565. function gpg_pubkey_from_email {
  566. key_owner_username=$1
  567. key_email_address=$2
  568. key_id=
  569. if [[ $key_owner_username != "root" ]]; then
  570. key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
  571. else
  572. key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
  573. fi
  574. echo $key_id
  575. }
  576. function enable_monkeysphere {
  577. monkey=
  578. dialog --title $"GPG based authentication" \
  579. --backtitle $"Freedombone Security Configuration" \
  580. --defaultno \
  581. --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60
  582. sel=$?
  583. case $sel in
  584. 0) monkey='yes';;
  585. 255) exit 0;;
  586. esac
  587. if [ $monkey ]; then
  588. read_config_param "MY_USERNAME"
  589. if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then
  590. dialog --title $"GPG based authentication" \
  591. --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40
  592. exit 0
  593. fi
  594. MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
  595. if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
  596. echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'
  597. exit 52825
  598. fi
  599. sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
  600. sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config
  601. monkeysphere-authentication update-users
  602. # The admin user is the identity certifier
  603. fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')
  604. monkeysphere-authentication add-identity-certifier $fpr
  605. monkeysphere-host publish-key
  606. send_monkeysphere_server_keys_to_users
  607. else
  608. sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
  609. sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config
  610. fi
  611. systemctl restart ssh
  612. if [ $monkey ]; then
  613. dialog --title $"GPG based authentication" \
  614. --msgbox $"GPG based authentication was enabled" 6 40
  615. else
  616. dialog --title $"GPG based authentication" \
  617. --msgbox $"GPG based authentication was disabled" 6 40
  618. fi
  619. exit 0
  620. }
  621. function register_website {
  622. domain="$1"
  623. if [[ ${domain} == *".local" ]]; then
  624. echo $"Can't register local domains"
  625. return
  626. fi
  627. if [ ! -f /etc/ssl/private/${domain}.key ]; then
  628. echo $"No SSL/TLS private key found for ${domain}"
  629. return
  630. fi
  631. if [ ! -f /etc/nginx/sites-available/${domain} ]; then
  632. echo $"No virtual host found for ${domain}"
  633. return
  634. fi
  635. monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}
  636. monkeysphere-host publish-key
  637. echo "0"
  638. }
  639. function register_website_interactive {
  640. data=$(tempfile 2>/dev/null)
  641. trap "rm -f $data" 0 1 2 5 15
  642. dialog --title $"Register a website with monkeysphere" \
  643. --backtitle $"Freedombone Security Settings" \
  644. --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
  645. sel=$?
  646. case $sel in
  647. 0)
  648. domain=$(<$data)
  649. register_website "$domain"
  650. if [ ! "$?" = "0" ]; then
  651. dialog --title $"Register a website with monkeysphere" \
  652. --msgbox "$?" 6 40
  653. else
  654. dialog --title $"Register a website with monkeysphere" \
  655. --msgbox $"$domain has been registered" 6 40
  656. fi
  657. ;;
  658. esac
  659. }
  660. function pin_all_tls_certs {
  661. ${PROJECT_NAME}-pin-cert all
  662. }
  663. function remove_pinning {
  664. data=$(tempfile 2>/dev/null)
  665. trap "rm -f $data" 0 1 2 5 15
  666. dialog --title $"Remove pinning for a domain" \
  667. --backtitle $"Freedombone Security Settings" \
  668. --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
  669. sel=$?
  670. case $sel in
  671. 0)
  672. domain=$(<$data)
  673. ${PROJECT_NAME}-pin-cert "$domain" remove
  674. if [ ! "$?" = "0" ]; then
  675. dialog --title $"Removed pinning from $domain" \
  676. --msgbox "$?" 6 40
  677. fi
  678. ;;
  679. esac
  680. }
  681. function store_passwords {
  682. dialog --title $"Store Passwords" \
  683. --backtitle $"Freedombone Security Configuration" \
  684. --yesno $"\nDo you wish to store passwords on the system? Stored passwords are convenient but carry some additional security risk." 10 60
  685. sel=$?
  686. case $sel in
  687. 0)
  688. if [ -f /root/.nostore ]; then
  689. read_config_param "MY_USERNAME"
  690. if [ ! -f /home/$MY_USERNAME/.ssh/authorized_keys ]; then
  691. dialog --title $"Store Passwords" \
  692. --msgbox $"\nYou should first enable key based ssh login to improve security" 8 60
  693. return
  694. fi
  695. if [[ $SSH_PASSWORDS == 'yes' ]]; then
  696. dialog --title $"Store Passwords" \
  697. --msgbox $"\nYou should disable ssh passwords to improve security" 8 60
  698. return
  699. fi
  700. ${PROJECT_NAME}-pass --enable yes
  701. dialog --title $"Store Passwords" \
  702. --msgbox $"\nUser passwords will now be stored on the system" 8 60
  703. fi
  704. return
  705. ;;
  706. 1)
  707. ${PROJECT_NAME}-pass --clear yes
  708. dialog --title $"Passwords were removed and will not be stored" \
  709. --msgbox $"\nFor the best security you should now manually change passwords via web interfaces so that there is no possibility of them being recovered from the disk" 9 60
  710. return
  711. ;;
  712. 255) return;;
  713. esac
  714. }
  715. function show_tor_bridges {
  716. clear
  717. bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
  718. if [ ${#bridges_list} -eq 0 ]; then
  719. echo $'No Tor bridges have been added'
  720. return
  721. fi
  722. echo "${bridges_list}"
  723. }
  724. function add_tor_bridge {
  725. data=$(tempfile 2>/dev/null)
  726. trap "rm -f $data" 0 1 2 5 15
  727. dialog --backtitle $"Freedombone Control Panel" \
  728. --title $"Add obfs4 Tor bridge" \
  729. --form "\n" 9 60 4 \
  730. $"IP address: " 1 1 " . . . " 1 17 16 16 \
  731. $"Port: " 2 1 "" 2 17 8 8 \
  732. $"Key/Nickname: " 3 1 "" 3 17 250 250 \
  733. 2> $data
  734. sel=$?
  735. case $sel in
  736. 1) return;;
  737. 255) return;;
  738. esac
  739. bridge_ip_address=$(cat $data | sed -n 1p)
  740. bridge_port=$(cat $data | sed -n 2p)
  741. bridge_key=$(cat $data | sed -n 3p)
  742. if [[ "${bridge_ip_address}" == *" "* ]]; then
  743. return
  744. fi
  745. if [[ "${bridge_ip_address}" != *"."* ]]; then
  746. return
  747. fi
  748. if [ ${#bridge_port} -eq 0 ]; then
  749. return
  750. fi
  751. if [ ${#bridge_key} -eq 0 ]; then
  752. return
  753. fi
  754. tor_add_bridge "${bridge_ip_address}" "${bridge_port}" "${bridge_key}"
  755. dialog --title $"Add obfs4 Tor bridge" \
  756. --msgbox $"Bridge added" 6 40
  757. }
  758. function remove_tor_bridge {
  759. bridge_removed=
  760. data=$(tempfile 2>/dev/null)
  761. trap "rm -f $data" 0 1 2 5 15
  762. dialog --title $"Remove obfs4 Tor bridge" \
  763. --backtitle $"Freedombone Control Panel" \
  764. --inputbox $"Enter the IP address, key or Nickname of the bridge" 8 65 2>$data
  765. sel=$?
  766. case $sel in
  767. 0)
  768. response=$(<$data)
  769. if [ ${#response} -gt 2 ]; then
  770. if [[ "${response}" != *" "* ]]; then
  771. if [[ "${response}" == *"."* ]]; then
  772. if grep "Bridge ${response}" /etc/tor/torrc; then
  773. tor_remove_bridge "${response}"
  774. bridge_removed=1
  775. fi
  776. else
  777. if grep " $response" /etc/tor/torrc; then
  778. tor_remove_bridge "${response}"
  779. bridge_removed=1
  780. fi
  781. fi
  782. fi
  783. fi
  784. ;;
  785. esac
  786. if [ $bridge_removed ]; then
  787. dialog --title $"Remove obfs4 Tor bridge" \
  788. --msgbox $"Bridge removed" 6 40
  789. fi
  790. }
  791. function add_tor_bridge_relay {
  792. read_config_param 'TOR_BRIDGE_NICKNAME'
  793. read_config_param 'TOR_BRIDGE_PORT'
  794. # remove any previous bridge port from the firewall
  795. if [ ${#TOR_BRIDGE_PORT} -gt 0 ]; then
  796. firewall_remove $TOR_BRIDGE_PORT tcp
  797. fi
  798. data=$(tempfile 2>/dev/null)
  799. trap "rm -f $data" 0 1 2 5 15
  800. dialog --backtitle $"Freedombone Control Panel" \
  801. --title $"Become an obfs4 Tor bridge relay" \
  802. --form "\n" 8 60 2 \
  803. $"Bridge Nickname: " 1 1 "$TOR_BRIDGE_NICKNAME" 1 20 250 250 \
  804. 2> $data
  805. sel=$?
  806. case $sel in
  807. 1) return;;
  808. 255) return;;
  809. esac
  810. bridge_nickname=$(cat $data | sed -n 1p)
  811. if [[ "${bridge_nickname}" == *" "* ]]; then
  812. return
  813. fi
  814. if [ ${#bridge_nickname} -eq 0 ]; then
  815. return
  816. fi
  817. TOR_BRIDGE_NICKNAME="$bridge_nickname"
  818. TOR_BRIDGE_PORT=$((20000 + RANDOM % 40000))
  819. write_config_param 'TOR_BRIDGE_NICKNAME' "$TOR_BRIDGE_NICKNAME"
  820. write_config_param 'TOR_BRIDGE_PORT' "$TOR_BRIDGE_PORT"
  821. tor_create_bridge_relay
  822. dialog --title $"You are now an obfs4 Tor bridge relay" \
  823. --msgbox $"\nIP address: $(get_ipv4_address)\n\nPort: ${TOR_BRIDGE_PORT}\n\nNickname: ${TOR_BRIDGE_NICKNAME}" 10 65
  824. }
  825. function remove_tor_bridge_relay {
  826. tor_remove_bridge_relay
  827. dialog --title $"Remove Tor bridge relay" \
  828. --msgbox $"Bridge relay removed" 10 60
  829. }
  830. function menu_tor_bridges {
  831. data=$(tempfile 2>/dev/null)
  832. trap "rm -f $data" 0 1 2 5 15
  833. dialog --backtitle $"Freedombone Control Panel" \
  834. --title $"Tor Bridges" \
  835. --radiolist $"Choose an operation:" 14 50 6 \
  836. 1 $"Show bridges" off \
  837. 2 $"Add a bridge" off \
  838. 3 $"Remove a bridge" off \
  839. 4 $"Make this system into a bridge" off \
  840. 5 $"Stop being a bridge" off \
  841. 6 $"Go Back/Exit" on 2> $data
  842. sel=$?
  843. case $sel in
  844. 1) exit 1;;
  845. 255) exit 1;;
  846. esac
  847. case $(cat $data) in
  848. 1)
  849. show_tor_bridges
  850. exit 0
  851. ;;
  852. 2)
  853. add_tor_bridge
  854. exit 0
  855. ;;
  856. 3)
  857. remove_tor_bridge
  858. exit 0
  859. ;;
  860. 4)
  861. add_tor_bridge_relay
  862. exit 0
  863. ;;
  864. 5)
  865. remove_tor_bridge_relay
  866. exit 0
  867. ;;
  868. 6)
  869. exit 0
  870. ;;
  871. esac
  872. }
  873. function menu_security_settings {
  874. data=$(tempfile 2>/dev/null)
  875. trap "rm -f $data" 0 1 2 5 15
  876. dialog --backtitle $"Freedombone Control Panel" \
  877. --title $"Security Settings" \
  878. --radiolist $"Choose an operation:" 22 76 22 \
  879. 1 $"Run STIG tests" off \
  880. 2 $"Show ssh host public key" off \
  881. 3 $"Tor bridges" off \
  882. 4 $"Password storage" off \
  883. 5 $"Export passwords" off \
  884. 6 $"Regenerate ssh host keys" off \
  885. 7 $"Regenerate Diffie-Hellman keys" off \
  886. 8 $"Update cipersuite" off \
  887. 9 $"Create a new Let's Encrypt certificate" off \
  888. 10 $"Renew Let's Encrypt certificate" off \
  889. 11 $"Delete a Let's Encrypt certificate" off \
  890. 12 $"Enable GPG based authentication (monkeysphere)" off \
  891. 13 $"Register a website with monkeysphere" off \
  892. 14 $"Allow ssh login with passwords" off \
  893. 15 $"Go Back/Exit" on 2> $data
  894. sel=$?
  895. case $sel in
  896. 1) exit 1;;
  897. 255) exit 1;;
  898. esac
  899. clear
  900. read_config_param SSL_CIPHERS
  901. read_config_param SSL_PROTOCOLS
  902. read_config_param SSH_CIPHERS
  903. read_config_param SSH_MACS
  904. read_config_param SSH_KEX
  905. get_imap_settings
  906. get_ssh_settings
  907. get_xmpp_settings
  908. import_settings
  909. export_settings
  910. case $(cat $data) in
  911. 1)
  912. clear
  913. echo $'Running STIG tests...'
  914. echo ''
  915. ${PROJECT_NAME}-tests --stig showall
  916. exit 0
  917. ;;
  918. 2)
  919. dialog --title $"SSH host public keys" \
  920. --msgbox "\n$(get_ssh_server_key)" 12 60
  921. exit 0
  922. ;;
  923. 3)
  924. menu_tor_bridges
  925. exit 0
  926. ;;
  927. 4)
  928. store_passwords
  929. exit 0
  930. ;;
  931. 5)
  932. export_passwords
  933. exit 0
  934. ;;
  935. 6)
  936. regenerate_ssh_host_keys
  937. ;;
  938. 7)
  939. regenerate_dh_keys
  940. ;;
  941. 8)
  942. interactive_setup
  943. update_ciphersuite
  944. ;;
  945. 9)
  946. create_letsencrypt
  947. ;;
  948. 10)
  949. renew_letsencrypt
  950. ;;
  951. 11)
  952. delete_letsencrypt
  953. ;;
  954. 12)
  955. enable_monkeysphere
  956. ;;
  957. 13)
  958. register_website
  959. ;;
  960. 14)
  961. allow_ssh_passwords
  962. change_ssh_settings
  963. exit 0
  964. ;;
  965. 15)
  966. exit 0
  967. ;;
  968. esac
  969. change_website_settings
  970. change_imap_settings
  971. change_ssh_settings
  972. change_xmpp_settings
  973. }
  974. function import_settings {
  975. cd $CURRENT_DIR
  976. if [ ! $IMPORT_FILE ]; then
  977. return
  978. fi
  979. if [ ! -f $IMPORT_FILE ]; then
  980. echo $"Import file $IMPORT_FILE not found"
  981. exit 6393
  982. fi
  983. if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
  984. TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
  985. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  986. SSL_PROTOCOLS=$TEMP_VALUE
  987. fi
  988. fi
  989. if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
  990. TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  991. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  992. SSL_CIPHERS=$TEMP_VALUE
  993. fi
  994. fi
  995. if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
  996. TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  997. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  998. SSH_CIPHERS=$TEMP_VALUE
  999. fi
  1000. fi
  1001. if grep -q "SSH_MACS" $IMPORT_FILE; then
  1002. TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
  1003. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  1004. SSH_MACS=$TEMP_VALUE
  1005. fi
  1006. fi
  1007. if grep -q "SSH_KEX" $IMPORT_FILE; then
  1008. TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
  1009. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  1010. SSH_KEX=$TEMP_VALUE
  1011. fi
  1012. fi
  1013. if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
  1014. TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
  1015. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  1016. SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
  1017. fi
  1018. fi
  1019. if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
  1020. TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
  1021. if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
  1022. SSH_PASSWORDS=$TEMP_VALUE
  1023. fi
  1024. fi
  1025. if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
  1026. TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  1027. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  1028. XMPP_CIPHERS=$TEMP_VALUE
  1029. fi
  1030. fi
  1031. if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
  1032. TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
  1033. if [ ${#TEMP_VALUE} -gt 3 ]; then
  1034. XMPP_ECC_CURVE=$TEMP_VALUE
  1035. fi
  1036. fi
  1037. }
  1038. function export_settings {
  1039. if [ ! $EXPORT_FILE ]; then
  1040. return
  1041. fi
  1042. cd $CURRENT_DIR
  1043. if [ ! -f $EXPORT_FILE ]; then
  1044. if [ "$SSL_PROTOCOLS" ]; then
  1045. echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
  1046. fi
  1047. if [ $SSL_CIPHERS ]; then
  1048. echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
  1049. fi
  1050. if [ $SSH_CIPHERS ]; then
  1051. echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
  1052. fi
  1053. if [ $SSH_MACS ]; then
  1054. echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
  1055. fi
  1056. if [ $SSH_KEX ]; then
  1057. echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
  1058. fi
  1059. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  1060. echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
  1061. fi
  1062. if [ $SSH_PASSWORDS ]; then
  1063. echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
  1064. fi
  1065. if [ $XMPP_CIPHERS ]; then
  1066. echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
  1067. fi
  1068. if [ $XMPP_ECC_CURVE ]; then
  1069. echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
  1070. fi
  1071. echo "Security settings exported to $EXPORT_FILE"
  1072. exit 0
  1073. fi
  1074. if [ "$SSL_PROTOCOLS" ]; then
  1075. if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
  1076. sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
  1077. else
  1078. echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
  1079. fi
  1080. fi
  1081. if [ $SSL_CIPHERS ]; then
  1082. if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
  1083. sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
  1084. else
  1085. echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
  1086. fi
  1087. fi
  1088. if [ $SSH_CIPHERS ]; then
  1089. if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
  1090. sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
  1091. else
  1092. echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
  1093. fi
  1094. fi
  1095. if [ $SSH_MACS ]; then
  1096. if grep -q "SSH_MACS" $EXPORT_FILE; then
  1097. sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
  1098. else
  1099. echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
  1100. fi
  1101. fi
  1102. if [ $SSH_KEX ]; then
  1103. if grep -q "SSH_KEX" $EXPORT_FILE; then
  1104. sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
  1105. else
  1106. echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
  1107. fi
  1108. fi
  1109. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  1110. if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
  1111. sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
  1112. else
  1113. echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
  1114. fi
  1115. fi
  1116. if [ $SSH_PASSWORDS ]; then
  1117. if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
  1118. sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
  1119. else
  1120. echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
  1121. fi
  1122. fi
  1123. if [ $XMPP_CIPHERS ]; then
  1124. if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
  1125. sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
  1126. else
  1127. echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
  1128. fi
  1129. fi
  1130. if [ $XMPP_ECC_CURVE ]; then
  1131. if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
  1132. sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
  1133. else
  1134. echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
  1135. fi
  1136. fi
  1137. echo $"Security settings exported to $EXPORT_FILE"
  1138. exit 0
  1139. }
  1140. function refresh_gpg_keys {
  1141. for d in /home/*/ ; do
  1142. USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
  1143. if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
  1144. su -c 'gpg --refresh-keys' - $USERNAME
  1145. fi
  1146. done
  1147. exit 0
  1148. }
  1149. function monkeysphere_sign_server_keys {
  1150. server_keys_file=/home/$USER/.monkeysphere/server_keys
  1151. if [ ! -f $server_keys_file ]; then
  1152. exit 0
  1153. fi
  1154. keys_signed=
  1155. while read line; do
  1156. echo $line
  1157. if [ ${#line} -gt 2 ]; then
  1158. fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')
  1159. if [ ${#fpr} -gt 2 ]; then
  1160. gpg --sign-key $fpr
  1161. if [ "$?" = "0" ]; then
  1162. gpg --update-trustdb
  1163. keys_signed=1
  1164. fi
  1165. fi
  1166. fi
  1167. done <$server_keys_file
  1168. if [ $keys_signed ]; then
  1169. rm $server_keys_file
  1170. fi
  1171. exit 0
  1172. }
  1173. function htmly_hash {
  1174. # produces a hash corresponding to a htmly password
  1175. pass="$1"
  1176. HTMLYHASH_FILENAME=/usr/bin/htmlyhash
  1177. echo '<?php' > $HTMLYHASH_FILENAME
  1178. echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $HTMLYHASH_FILENAME
  1179. echo '$password = $_GET["password"];' >> $HTMLYHASH_FILENAME
  1180. echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $HTMLYHASH_FILENAME
  1181. echo 'if (password_verify($password, $hash)) {' >> $HTMLYHASH_FILENAME
  1182. echo ' echo $hash;' >> $HTMLYHASH_FILENAME
  1183. echo '}' >> $HTMLYHASH_FILENAME
  1184. echo '?>' >> $HTMLYHASH_FILENAME
  1185. php $HTMLYHASH_FILENAME password="$pass"
  1186. }
  1187. function show_help {
  1188. echo ''
  1189. echo "${PROJECT_NAME}-sec"
  1190. echo ''
  1191. echo $'Alters the security settings'
  1192. echo ''
  1193. echo ''
  1194. echo $' -h --help Show help'
  1195. echo $' -e --export Export security settings to a file'
  1196. echo $' -i --import Import security settings from a file'
  1197. echo $' -r --refresh Refresh GPG keys for all users'
  1198. echo $' -s --sign Sign monkeysphere server keys'
  1199. echo $' --register [domain] Register a https domain with monkeysphere'
  1200. echo $' -b --htmlyhash [password] Returns the hash of a password for a htmly blog'
  1201. echo ''
  1202. exit 0
  1203. }
  1204. # Get the commandline options
  1205. while [[ $# > 1 ]]
  1206. do
  1207. key="$1"
  1208. case $key in
  1209. -h|--help)
  1210. show_help
  1211. ;;
  1212. # Export settings
  1213. -e|--export)
  1214. shift
  1215. EXPORT_FILE="$1"
  1216. ;;
  1217. # Export settings
  1218. -i|--import)
  1219. shift
  1220. IMPORT_FILE="$1"
  1221. ;;
  1222. # Refresh GPG keys
  1223. -r|--refresh)
  1224. shift
  1225. refresh_gpg_keys
  1226. ;;
  1227. # register a website
  1228. --register|--reg|--site)
  1229. shift
  1230. register_website "$1"
  1231. ;;
  1232. # user signs monkeysphere server keys
  1233. -s|--sign)
  1234. shift
  1235. monkeysphere_sign_server_keys
  1236. ;;
  1237. # get a hash of the given htmly password
  1238. -b|--htmlyhash)
  1239. shift
  1240. htmly_hash "$1"
  1241. exit 0
  1242. ;;
  1243. *)
  1244. # unknown option
  1245. ;;
  1246. esac
  1247. shift
  1248. done
  1249. menu_security_settings
  1250. exit 0