free
/
freedombone
ウォッチ 1
お気に入りに登録 0
フォーク 0
コード 課題 0 プルリクエスト 0 リリース 0 Wiki アクティビティ
5036 コミット
5 ブランチ
ツリー: 5a9500bee8
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'5a9500bee8' から
${ noResults }
freedombone/src/freedombone-sec

freedombone-sec 32KB
履歴 Raw形式

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Alters the security settings

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. PROJECT_NAME='freedombone'

  32. 

  33. export TEXTDOMAIN=${PROJECT_NAME}-sec

  34. export TEXTDOMAINDIR="/usr/share/locale"

  35. 

  36. CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg

  37. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt

  38. 

  39. UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*

  40. for f in $UTILS_FILES

  41. do

  42.   source $f

  43. done

  44. 

  45. SSL_PROTOCOLS=

  46. SSL_CIPHERS=

  47. SSH_CIPHERS=

  48. SSH_MACS=

  49. SSH_KEX=

  50. SSH_HOST_KEY_ALGORITHMS=

  51. SSH_PASSWORDS=

  52. XMPP_CIPHERS=

  53. XMPP_ECC_CURVE=

  54. 

  55. WEBSITES_DIRECTORY='/etc/nginx/sites-available'

  56. DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'

  57. SSH_CONFIG='/etc/ssh/sshd_config'

  58. XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'

  59. 

  60. MINIMUM_LENGTH=6

  61. 

  62. IMPORT_FILE=

  63. EXPORT_FILE=

  64. 

  65. CURRENT_DIR=$(pwd)

  66. 

  67. DH_KEYLENGTH=2048

  68. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  69. 

  70. MY_USERNAME=

  71. 

  72. function get_protocols_from_website {

  73.     if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then

  74.         return

  75.     fi

  76.     SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')

  77. }

  78. 

  79. function get_ciphers_from_website {

  80.     if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then

  81.         return

  82.     fi

  83.     SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')

  84. }

  85. 

  86. function get_imap_settings {

  87.     if [ ! -f $DOVECOT_CIPHERS ]; then

  88.         return

  89.     fi

  90.     # clear commented out cipher list

  91.     sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS

  92.     if [ $SSL_CIPHERS ]; then

  93.         return

  94.     fi

  95.     if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then

  96.         return

  97.     fi

  98.     SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')

  99. }

  100. 

  101. function get_xmpp_settings {

  102.     if [ ! -f $XMPP_CONFIG ]; then

  103.         return

  104.     fi

  105.     XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  106.     XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  107. }

  108. 

  109. function get_ssh_settings {

  110.     if [ -f $SSH_CONFIG ]; then

  111.         SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')

  112.     fi

  113.     if [ -f /etc/ssh/ssh_config ]; then

  114.         SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')

  115.     fi

  116. }

  117. 

  118. function change_website_settings {

  119.     if [ ! "$SSL_PROTOCOLS" ]; then

  120.         return

  121.     fi

  122.     if [ ! $SSL_CIPHERS ]; then

  123.         return

  124.     fi

  125.     if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then

  126.         return

  127.     fi

  128.     if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then

  129.         return

  130.     fi

  131.     if [ ! -d $WEBSITES_DIRECTORY ]; then

  132.         return

  133.     fi

  134. 

  135.     cd $WEBSITES_DIRECTORY

  136.     for file in `dir -d *` ; do

  137.         sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file

  138.         sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file

  139.     done

  140.     systemctl restart nginx

  141.     echo $'Web security settings changed'

  142. }

  143. 

  144. function change_imap_settings {

  145.     if [ ! -f $DOVECOT_CIPHERS ]; then

  146.         return

  147.     fi

  148.     if [ ! $SSL_CIPHERS ]; then

  149.         return

  150.     fi

  151.     if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then

  152.         return

  153.     fi

  154.     sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS

  155.     sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS

  156.     systemctl restart dovecot

  157.     echo $'imap security settings changed'

  158. }

  159. 

  160. function change_ssh_settings {

  161.     if [ -f /etc/ssh/ssh_config ]; then

  162.         if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  163.             sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config

  164.             echo $'ssh client security settings changed'

  165.         fi

  166.     fi

  167.     if [ -f $SSH_CONFIG ]; then

  168.         if [ ! $SSH_CIPHERS ]; then

  169.             return

  170.         fi

  171.         if [ ! $SSH_MACS ]; then

  172.             return

  173.         fi

  174.         if [ ! $SSH_KEX ]; then

  175.             return

  176.         fi

  177.         if [ ! $SSH_PASSWORDS ]; then

  178.             SSH_PASSWORDS='yes'

  179.         fi

  180. 

  181.         sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG

  182.         sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG

  183.         sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG

  184.         sed -i "s|#PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG

  185.         sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG

  186.         systemctl restart ssh

  187.         echo $'ssh server security settings changed'

  188.     fi

  189. }

  190. 

  191. function change_xmpp_settings {

  192.     if [ ! -f $XMPP_CONFIG ]; then

  193.         return

  194.     fi

  195.     if [ ! $XMPP_CIPHERS ]; then

  196.         return

  197.     fi

  198.     if [ ! $XMPP_ECC_CURVE ]; then

  199.         return

  200.     fi

  201.     sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG

  202.     sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG

  203.     systemctl restart prosody

  204.     echo $'xmpp security settings changed'

  205. }

  206. 

  207. function allow_ssh_passwords {

  208.     dialog --title $"SSH Passwords" \

  209.            --backtitle $"Freedombone Security Configuration" \

  210.            --yesno $"\nAllow SSH login using passwords?" 7 60

  211.     sel=$?

  212.     case $sel in

  213.         0) SSH_PASSWORDS="yes";;

  214.         1) SSH_PASSWORDS="no";;

  215.         255) exit 0;;

  216.     esac

  217. }

  218. 

  219. function interactive_setup {

  220.     if [ $SSL_CIPHERS ]; then

  221.         data=$(tempfile 2>/dev/null)

  222.         trap "rm -f $data" 0 1 2 5 15

  223.         dialog --backtitle $"Freedombone Security Configuration" \

  224.                --form $"\nWeb/IMAP Ciphers:" 10 95 2 \

  225.                $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \

  226.                $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \

  227.                2> $data

  228.         sel=$?

  229.         case $sel in

  230.             1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)

  231.                SSL_CIPHERS=$(cat $data | sed -n 2p)

  232.                ;;

  233.             255) exit 0;;

  234.         esac

  235.     fi

  236. 

  237.     data=$(tempfile 2>/dev/null)

  238.     trap "rm -f $data" 0 1 2 5 15

  239.     if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  240.         dialog --backtitle $"Freedombone Security Configuration" \

  241.                --form $"\nSecure Shell Ciphers:" 13 95 4 \

  242.                $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \

  243.                $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \

  244.                $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \

  245.                $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \

  246.                2> $data

  247.         sel=$?

  248.         case $sel in

  249.             1) SSH_CIPHERS=$(cat $data | sed -n 1p)

  250.                SSH_MACS=$(cat $data | sed -n 2p)

  251.                SSH_KEX=$(cat $data | sed -n 3p)

  252.                SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)

  253.                ;;

  254.             255) exit 0;;

  255.         esac

  256.     else

  257.         dialog --backtitle $"Freedombone Security Configuration" \

  258.                --form $"\nSecure Shell Ciphers:" 11 95 3 \

  259.                $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \

  260.                $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \

  261.                $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \

  262.                2> $data

  263.         sel=$?

  264.         case $sel in

  265.             1) SSH_CIPHERS=$(cat $data | sed -n 1p)

  266.                SSH_MACS=$(cat $data | sed -n 2p)

  267.                SSH_KEX=$(cat $data | sed -n 3p)

  268.                ;;

  269.             255) exit 0;;

  270.         esac

  271.     fi

  272. 

  273.     if [ $XMPP_CIPHERS ]; then

  274.         data=$(tempfile 2>/dev/null)

  275.         trap "rm -f $data" 0 1 2 5 15

  276.         dialog --backtitle $"Freedombone Security Configuration" \

  277.                --form $"\nXMPP Ciphers:" 10 95 2 \

  278.                $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \

  279.                $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \

  280.                2> $data

  281.         sel=$?

  282.         case $sel in

  283.             1) XMPP_CIPHERS=$(cat $data | sed -n 1p)

  284.                XMPP_ECC_CURVE=$(cat $data | sed -n 2p)

  285.                ;;

  286.             255) exit 0;;

  287.         esac

  288.     fi

  289. 

  290.     dialog --title $"Final Confirmation" \

  291.            --backtitle $"Freedombone Security Configuration" \

  292.            --defaultno \

  293.            --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60

  294.     sel=$?

  295.     case $sel in

  296.         1) clear

  297.            echo $'Exiting without changing security settings'

  298.            exit 0;;

  299.         255) clear

  300.              echo $'Exiting without changing security settings'

  301.              exit 0;;

  302.     esac

  303. 

  304.     clear

  305. }

  306. 

  307. function send_monkeysphere_server_keys_to_users {

  308.     monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')

  309.     for d in /home/*/ ; do

  310.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  311.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  312.             if [ ! -d /home/$USERNAME/.monkeysphere ]; then

  313.                 mkdir /home/$USERNAME/.monkeysphere

  314.             fi

  315.             echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys

  316.             chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere

  317.         fi

  318.     done

  319. }

  320. 

  321. function regenerate_ssh_host_keys {

  322.     rm -f /etc/ssh/ssh_host_*

  323.     dpkg-reconfigure openssh-server

  324.     echo $'ssh host keys regenerated'

  325.     # remove small moduli

  326.     awk '$5 > 2000' /etc/ssh/moduli > ~/moduli

  327.     mv ~/moduli /etc/ssh/moduli

  328.     echo $'ssh small moduli removed'

  329.     # update monkeysphere

  330.     DEFAULT_DOMAIN_NAME=

  331.     read_config_param "DEFAULT_DOMAIN_NAME"

  332.     monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME

  333.     SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')

  334.     monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME

  335.     monkeysphere-host publish-key

  336.     send_monkeysphere_server_keys_to_users

  337.     echo $'updated monkeysphere ssh host key'

  338.     systemctl restart ssh

  339. }

  340. 

  341. function regenerate_dh_keys {

  342.     if [ ! -d /etc/ssl/mycerts ]; then

  343.         echo $'No dhparam certificates were found'

  344.         return

  345.     fi

  346. 

  347.     data=$(tempfile 2>/dev/null)

  348.     trap "rm -f $data" 0 1 2 5 15

  349.     dialog --backtitle "Freedombone Security Configuration" \

  350.            --title "Diffie-Hellman key length" \

  351.            --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \

  352.            1 "2048 bits" off \

  353.            2 "3072 bits" on \

  354.            3 "4096 bits" off 2> $data

  355.     sel=$?

  356.     case $sel in

  357.         1) exit 1;;

  358.         255) exit 1;;

  359.     esac

  360.     case $(cat $data) in

  361.         1) DH_KEYLENGTH=2048;;

  362.         2) DH_KEYLENGTH=3072;;

  363.         3) DH_KEYLENGTH=4096;;

  364.     esac

  365. 

  366.     ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}

  367. }

  368. 

  369. function renew_startssl {

  370.     renew_domain=

  371.     data=$(tempfile 2>/dev/null)

  372.     trap "rm -f $data" 0 1 2 5 15

  373.     dialog --title $"Renew a StartSSL certificate" \

  374.            --backtitle $"Freedombone Security Settings" \

  375.            --inputbox $"Enter the domain name" 8 60 2>$data

  376.     sel=$?

  377.     case $sel in

  378.         0)

  379.             renew_domain=$(<$data)

  380.             ;;

  381.     esac

  382. 

  383.     if [ ! $renew_domain ]; then

  384.         return

  385.     fi

  386. 

  387.     if [[ $renew_domain == "http"* ]]; then

  388.         dialog --title $"Renew a StartSSL certificate" \

  389.                --msgbox $"Don't include the https://" 6 40

  390.         return

  391.     fi

  392. 

  393.     if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then

  394.         dialog --title $"Renew a StartSSL certificate" \

  395.                --msgbox $"An existing certificate for $renew_domain was not found" 6 40

  396.         return

  397.     fi

  398. 

  399.     if [[ $renew_domain != *"."* ]]; then

  400.         dialog --title $"Renew a StartSSL certificate" \

  401.                --msgbox $"Invalid domain name: $renew_domain" 6 40

  402.         return

  403.     fi

  404. 

  405.     ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl

  406. 

  407.     exit 0

  408. }

  409. 

  410. function renew_letsencrypt {

  411.     renew_domain=

  412.     data=$(tempfile 2>/dev/null)

  413.     trap "rm -f $data" 0 1 2 5 15

  414.     dialog --title $"Renew a Let's Encrypt certificate" \

  415.            --backtitle $"Freedombone Security Settings" \

  416.            --inputbox $"Enter the domain name" 8 60 2>$data

  417.     sel=$?

  418.     case $sel in

  419.         0)

  420.             renew_domain=$(<$data)

  421.             ;;

  422.     esac

  423. 

  424.     if [ ! $renew_domain ]; then

  425.         return

  426.     fi

  427. 

  428.     if [[ $renew_domain == "http"* ]]; then

  429.         dialog --title $"Renew a Let's Encrypt certificate" \

  430.                --msgbox $"Don't include the https://" 6 40

  431.         return

  432.     fi

  433. 

  434.     if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then

  435.         dialog --title $"Renew a Let's Encrypt certificate" \

  436.                --msgbox $"An existing certificate for $renew_domain was not found" 6 40

  437.         return

  438.     fi

  439. 

  440.     if [[ $renew_domain != *"."* ]]; then

  441.         dialog --title $"Renew a Let's Encrypt certificate" \

  442.                --msgbox $"Invalid domain name: $renew_domain" 6 40

  443.         return

  444.     fi

  445. 

  446.     ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'

  447. 

  448.     exit 0

  449. }

  450. 

  451. function create_letsencrypt {

  452.     new_domain=

  453.     data=$(tempfile 2>/dev/null)

  454.     trap "rm -f $data" 0 1 2 5 15

  455.     dialog --title $"Create a new Let's Encrypt certificate" \

  456.            --backtitle $"Freedombone Security Settings" \

  457.            --inputbox $"Enter the domain name" 8 60 2>$data

  458.     sel=$?

  459.     case $sel in

  460.         0)

  461.             new_domain=$(<$data)

  462.             ;;

  463.     esac

  464. 

  465.     if [ ! $new_domain ]; then

  466.         return

  467.     fi

  468. 

  469.     if [[ $new_domain == "http"* ]]; then

  470.         dialog --title $"Create a new Let's Encrypt certificate" \

  471.                --msgbox $"Don't include the https://" 6 40

  472.         return

  473.     fi

  474. 

  475.     if [[ $new_domain != *"."* ]]; then

  476.         dialog --title $"Create a new Let's Encrypt certificate" \

  477.                --msgbox $"Invalid domain name: $new_domain" 6 40

  478.         return

  479.     fi

  480. 

  481.     if [ ! -d /var/www/${new_domain} ]; then

  482.         dialog --title $"Create a new Let's Encrypt certificate" \

  483.                --msgbox $'Domain not found within /var/www' 6 40

  484.         return

  485.     fi

  486. 

  487.     ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH

  488. 

  489.     exit 0

  490. }

  491. 

  492. function update_ciphersuite {

  493.     RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"

  494.     if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then

  495.         return

  496.     fi

  497. 

  498.     RECOMMENDED_SSL_PROTOCOLS="$SSL_PROTOCOLS"

  499.     if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then

  500.         return

  501.     fi

  502. 

  503.     RECOMMENDED_SSH_CIPHERS="$SSH_CIPHERS"

  504.     if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then

  505.         return

  506.     fi

  507. 

  508.     RECOMMENDED_SSH_MACS="$SSH_MACS"

  509.     if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then

  510.         return

  511.     fi

  512. 

  513.     RECOMMENDED_SSH_KEX="$SSH_KEX"

  514.     if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then

  515.         return

  516.     fi

  517. 

  518.     cd $WEBSITES_DIRECTORY

  519.     for file in `dir -d *` ; do

  520.         sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file

  521.         sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file

  522.     done

  523.     systemctl restart nginx

  524.     write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"

  525.     write_config_param "SSL_CIPHERS" "$RECOMMENDED_SSL_CIPHERS"

  526. 

  527.     sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG

  528.     sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG

  529.     sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG

  530.     systemctl restart ssh

  531. 

  532.     write_config_param "SSH_CIPHERS" "$RECOMMENDED_SSH_CIPHERS"

  533.     write_config_param "SSH_MACS" "$RECOMMENDED_SSH_MACS"

  534.     write_config_param "SSH_KEX" "$RECOMMENDED_SSH_KEX"

  535. 

  536.     dialog --title $"Update ciphersuite" \

  537.            --msgbox $"The ciphersuite has been updated to recommended versions" 6 40

  538.     exit 0

  539. }

  540. 

  541. function gpg_pubkey_from_email {

  542.     key_owner_username=$1

  543.     key_email_address=$2

  544.     key_id=

  545.     if [[ $key_owner_username != "root" ]]; then

  546.         key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')

  547.     else

  548.         key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')

  549.     fi

  550.     echo $key_id

  551. }

  552. 

  553. function enable_monkeysphere {

  554.     monkey=

  555.     dialog --title $"GPG based authentication" \

  556.            --backtitle $"Freedombone Security Configuration" \

  557.            --defaultno \

  558.            --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60

  559.     sel=$?

  560.     case $sel in

  561.         0) monkey='yes';;

  562.         255) exit 0;;

  563.     esac

  564. 

  565.     if [ $monkey ]; then

  566.         read_config_param "MY_USERNAME"

  567. 

  568.         if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then

  569.             dialog --title $"GPG based authentication" \

  570.                    --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40

  571.             exit 0

  572.         fi

  573. 

  574.         MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")

  575.         if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then

  576.             echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'

  577.             exit 52825

  578.         fi

  579. 

  580.         sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config

  581.         sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config

  582.         monkeysphere-authentication update-users

  583. 

  584.         # The admin user is the identity certifier

  585.         fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')

  586.         monkeysphere-authentication add-identity-certifier $fpr

  587.         monkeysphere-host publish-key

  588.         send_monkeysphere_server_keys_to_users

  589.     else

  590.         sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config

  591.         sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config

  592.     fi

  593. 

  594.     systemctl restart ssh

  595. 

  596.     if [ $monkey ]; then

  597.         dialog --title $"GPG based authentication" \

  598.                --msgbox $"GPG based authentication was enabled" 6 40

  599.     else

  600.         dialog --title $"GPG based authentication" \

  601.                --msgbox $"GPG based authentication was disabled" 6 40

  602.     fi

  603.     exit 0

  604. }

  605. 

  606. function register_website {

  607.     domain="$1"

  608. 

  609.     if [[ ${domain} == *".local" ]]; then

  610.         echo $"Can't register local domains"

  611.         return

  612.     fi

  613. 

  614.     if [ ! -f /etc/ssl/private/${domain}.key ]; then

  615.         echo $"No SSL/TLS private key found for ${domain}"

  616.         return

  617.     fi

  618. 

  619.     if [ ! -f /etc/nginx/sites-available/${domain} ]; then

  620.         echo $"No virtual host found for ${domain}"

  621.         return

  622.     fi

  623. 

  624.     monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}

  625.     monkeysphere-host publish-key

  626.     echo "0"

  627. }

  628. 

  629. function register_website_interactive {

  630.     data=$(tempfile 2>/dev/null)

  631.     trap "rm -f $data" 0 1 2 5 15

  632.     dialog --title $"Register a website with monkeysphere" \

  633.            --backtitle $"Freedombone Security Settings" \

  634.            --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data

  635.     sel=$?

  636.     case $sel in

  637.         0)

  638.             domain=$(<$data)

  639.             register_website "$domain"

  640.             if [ ! "$?" = "0" ]; then

  641.                 dialog --title $"Register a website with monkeysphere" \

  642.                        --msgbox "$?" 6 40

  643.             else

  644.                 dialog --title $"Register a website with monkeysphere" \

  645.                        --msgbox $"$domain has been registered" 6 40

  646.             fi

  647.             ;;

  648.     esac

  649. }

  650. 

  651. function pin_all_tls_certs {

  652.     ${PROJECT_NAME}-pin-cert all

  653. }

  654. 

  655. function remove_pinning {

  656.     data=$(tempfile 2>/dev/null)

  657.     trap "rm -f $data" 0 1 2 5 15

  658.     dialog --title $"Remove pinning for a domain" \

  659.            --backtitle $"Freedombone Security Settings" \

  660.            --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data

  661.     sel=$?

  662.     case $sel in

  663.         0)

  664.             domain=$(<$data)

  665.             ${PROJECT_NAME}-pin-cert "$domain" remove

  666.             if [ ! "$?" = "0" ]; then

  667.                 dialog --title $"Removed pinning from $domain" \

  668.                        --msgbox "$?" 6 40

  669.             fi

  670.             ;;

  671.     esac

  672. }

  673. 

  674. function menu_security_settings {

  675.     data=$(tempfile 2>/dev/null)

  676.     trap "rm -f $data" 0 1 2 5 15

  677.     dialog --backtitle $"Freedombone Control Panel" \

  678.            --title $"Security Settings" \

  679.            --radiolist $"Choose an operation:" 16 76 16 \

  680.            1 $"Regenerate ssh host keys" off \

  681.            2 $"Regenerate Diffie-Hellman keys" off \

  682.            3 $"Update cipersuite" off \

  683.            4 $"Create a new Let's Encrypt certificate" off \

  684.            5 $"Renew Let's Encrypt certificate" off \

  685.            6 $"Enable GPG based authentication (monkeysphere)" off \

  686.            7 $"Register a website with monkeysphere" off \

  687.            8 $"Allow ssh login with passwords" off \

  688.            9 $"Go Back/Exit" on 2> $data

  689.     sel=$?

  690.     case $sel in

  691.         1) exit 1;;

  692.         255) exit 1;;

  693.     esac

  694. 

  695.     clear

  696. 

  697.     read_config_param SSL_CIPHERS

  698.     read_config_param SSL_PROTOCOLS

  699.     read_config_param SSH_CIPHERS

  700.     read_config_param SSH_MACS

  701.     read_config_param SSH_KEX

  702. 

  703.     get_imap_settings

  704.     get_ssh_settings

  705.     get_xmpp_settings

  706.     import_settings

  707.     export_settings

  708. 

  709.     case $(cat $data) in

  710.         1)

  711.             regenerate_ssh_host_keys

  712.             ;;

  713.         2)

  714.             regenerate_dh_keys

  715.             ;;

  716.         3)

  717.             interactive_setup

  718.             update_ciphersuite

  719.             ;;

  720.         4)

  721.             create_letsencrypt

  722.             ;;

  723.         5)

  724.             renew_letsencrypt

  725.             ;;

  726.         6)

  727.             enable_monkeysphere

  728.             ;;

  729.         7)

  730.             register_website

  731.             ;;

  732.         8)

  733.             allow_ssh_passwords

  734.             change_ssh_settings

  735.             exit 0

  736.             ;;

  737.         9)

  738.             exit 0

  739.             ;;

  740.     esac

  741. 

  742.     change_website_settings

  743.     change_imap_settings

  744.     change_ssh_settings

  745.     change_xmpp_settings

  746. }

  747. 

  748. function import_settings {

  749.     cd $CURRENT_DIR

  750. 

  751.     if [ ! $IMPORT_FILE ]; then

  752.         return

  753.     fi

  754. 

  755.     if [ ! -f $IMPORT_FILE ]; then

  756.         echo $"Import file $IMPORT_FILE not found"

  757.         exit 6393

  758.     fi

  759. 

  760.     if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then

  761.         TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')

  762.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  763.             SSL_PROTOCOLS=$TEMP_VALUE

  764.         fi

  765.     fi

  766.     if grep -q "SSL_CIPHERS" $IMPORT_FILE; then

  767.         TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  768.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  769.             SSL_CIPHERS=$TEMP_VALUE

  770.         fi

  771.     fi

  772.     if grep -q "SSH_CIPHERS" $IMPORT_FILE; then

  773.         TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  774.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  775.             SSH_CIPHERS=$TEMP_VALUE

  776.         fi

  777.     fi

  778.     if grep -q "SSH_MACS" $IMPORT_FILE; then

  779.         TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')

  780.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  781.             SSH_MACS=$TEMP_VALUE

  782.         fi

  783.     fi

  784.     if grep -q "SSH_KEX" $IMPORT_FILE; then

  785.         TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')

  786.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  787.             SSH_KEX=$TEMP_VALUE

  788.         fi

  789.     fi

  790.     if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then

  791.         TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')

  792.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  793.             SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE

  794.         fi

  795.     fi

  796.     if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then

  797.         TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')

  798.         if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then

  799.             SSH_PASSWORDS=$TEMP_VALUE

  800.         fi

  801.     fi

  802.     if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then

  803.         TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  804.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  805.             XMPP_CIPHERS=$TEMP_VALUE

  806.         fi

  807.     fi

  808.     if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then

  809.         TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')

  810.         if [ ${#TEMP_VALUE} -gt 3 ]; then

  811.             XMPP_ECC_CURVE=$TEMP_VALUE

  812.         fi

  813.     fi

  814. }

  815. 

  816. function export_settings {

  817.     if [ ! $EXPORT_FILE ]; then

  818.         return

  819.     fi

  820. 

  821.     cd $CURRENT_DIR

  822. 

  823.     if [ ! -f $EXPORT_FILE ]; then

  824.         if [ "$SSL_PROTOCOLS" ]; then

  825.             echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE

  826.         fi

  827.         if [ $SSL_CIPHERS ]; then

  828.             echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE

  829.         fi

  830.         if [ $SSH_CIPHERS ]; then

  831.             echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE

  832.         fi

  833.         if [ $SSH_MACS ]; then

  834.             echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE

  835.         fi

  836.         if [ $SSH_KEX ]; then

  837.             echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE

  838.         fi

  839.         if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  840.             echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE

  841.         fi

  842.         if [ $SSH_PASSWORDS ]; then

  843.             echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE

  844.         fi

  845.         if [ $XMPP_CIPHERS ]; then

  846.             echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE

  847.         fi

  848.         if [ $XMPP_ECC_CURVE ]; then

  849.             echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE

  850.         fi

  851.         echo "Security settings exported to $EXPORT_FILE"

  852.         exit 0

  853.     fi

  854. 

  855.     if [ "$SSL_PROTOCOLS" ]; then

  856.         if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then

  857.             sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE

  858.         else

  859.             echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE

  860.         fi

  861.     fi

  862.     if [ $SSL_CIPHERS ]; then

  863.         if grep -q "SSL_CIPHERS" $EXPORT_FILE; then

  864.             sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE

  865.         else

  866.             echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE

  867.         fi

  868.     fi

  869.     if [ $SSH_CIPHERS ]; then

  870.         if grep -q "SSH_CIPHERS" $EXPORT_FILE; then

  871.             sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE

  872.         else

  873.             echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE

  874.         fi

  875.     fi

  876.     if [ $SSH_MACS ]; then

  877.         if grep -q "SSH_MACS" $EXPORT_FILE; then

  878.             sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE

  879.         else

  880.             echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE

  881.         fi

  882.     fi

  883.     if [ $SSH_KEX ]; then

  884.         if grep -q "SSH_KEX" $EXPORT_FILE; then

  885.             sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE

  886.         else

  887.             echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE

  888.         fi

  889.     fi

  890.     if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  891.         if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then

  892.             sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE

  893.         else

  894.             echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE

  895.         fi

  896.     fi

  897.     if [ $SSH_PASSWORDS ]; then

  898.         if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then

  899.             sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE

  900.         else

  901.             echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE

  902.         fi

  903.     fi

  904.     if [ $XMPP_CIPHERS ]; then

  905.         if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then

  906.             sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE

  907.         else

  908.             echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE

  909.         fi

  910.     fi

  911.     if [ $XMPP_ECC_CURVE ]; then

  912.         if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then

  913.             sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE

  914.         else

  915.             echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE

  916.         fi

  917.     fi

  918.     echo $"Security settings exported to $EXPORT_FILE"

  919.     exit 0

  920. }

  921. 

  922. function refresh_gpg_keys {

  923.     for d in /home/*/ ; do

  924.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  925.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  926.             su -c 'gpg --refresh-keys' - $USERNAME

  927.         fi

  928.     done

  929.     exit 0

  930. }

  931. 

  932. function monkeysphere_sign_server_keys {

  933.     server_keys_file=/home/$USER/.monkeysphere/server_keys

  934.     if [ ! -f $server_keys_file ]; then

  935.         exit 0

  936.     fi

  937. 

  938.     keys_signed=

  939.     while read line; do

  940.         echo $line

  941.         if [ ${#line} -gt 2 ]; then

  942.             fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')

  943.             if [ ${#fpr} -gt 2 ]; then

  944.                 gpg --sign-key $fpr

  945.                 if [ "$?" = "0" ]; then

  946.                     gpg --update-trustdb

  947.                     keys_signed=1

  948.                 fi

  949.             fi

  950.         fi

  951.     done <$server_keys_file

  952. 

  953.     if [ $keys_signed ]; then

  954.         rm $server_keys_file

  955.     fi

  956.     exit 0

  957. }

  958. 

  959. function htmly_hash {

  960.     # produces a hash corresponding to a htmly password

  961.     pass="$1"

  962.     HTMLYHASH_FILENAME=/usr/bin/htmlyhash

  963. 

  964.     echo '<?php' > $HTMLYHASH_FILENAME

  965.     echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $HTMLYHASH_FILENAME

  966.     echo '$password = $_GET["password"];' >> $HTMLYHASH_FILENAME

  967.     echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $HTMLYHASH_FILENAME

  968.     echo 'if (password_verify($password, $hash)) {' >> $HTMLYHASH_FILENAME

  969.     echo '  echo $hash;' >> $HTMLYHASH_FILENAME

  970.     echo '}' >> $HTMLYHASH_FILENAME

  971.     echo '?>' >> $HTMLYHASH_FILENAME

  972. 

  973.     php $HTMLYHASH_FILENAME password="$pass"

  974. }

  975. 

  976. function show_help {

  977.     echo ''

  978.     echo "${PROJECT_NAME}-sec"

  979.     echo ''

  980.     echo $'Alters the security settings'

  981.     echo ''

  982.     echo ''

  983.     echo $'  -h --help                 Show help'

  984.     echo $'  -e --export               Export security settings to a file'

  985.     echo $'  -i --import               Import security settings from a file'

  986.     echo $'  -r --refresh              Refresh GPG keys for all users'

  987.     echo $'  -s --sign                 Sign monkeysphere server keys'

  988.     echo $'     --register [domain]    Register a https domain with monkeysphere'

  989.     echo $'  -b --htmlyhash [password] Returns the hash of a password for a htmly blog'

  990.     echo ''

  991.     exit 0

  992. }

  993. 

  994. 

  995. # Get the commandline options

  996. while [[ $# > 1 ]]

  997. do

  998.     key="$1"

  999. 

  1000.     case $key in

  1001.         -h|--help)

  1002.             show_help

  1003.             ;;

  1004.         # Export settings

  1005.         -e|--export)

  1006.             shift

  1007.             EXPORT_FILE="$1"

  1008.             ;;

  1009.         # Export settings

  1010.         -i|--import)

  1011.             shift

  1012.             IMPORT_FILE="$1"

  1013.             ;;

  1014.         # Refresh GPG keys

  1015.         -r|--refresh)

  1016.             shift

  1017.             refresh_gpg_keys

  1018.             ;;

  1019.         # register a website

  1020.         --register|--reg|--site)

  1021.             shift

  1022.             register_website "$1"

  1023.             ;;

  1024.         # user signs monkeysphere server keys

  1025.         -s|--sign)

  1026.             shift

  1027.             monkeysphere_sign_server_keys

  1028.             ;;

  1029.         # get a hash of the given htmly password

  1030.         -b|--htmlyhash)

  1031.             shift

  1032.             htmly_hash "$1"

  1033.             exit 0

  1034.             ;;

  1035.         *)

  1036.             # unknown option

  1037.             ;;

  1038.     esac

  1039.     shift

  1040. done

  1041. 

  1042. menu_security_settings

  1043. 

  1044. exit 0