freedombone-sec 34KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Alters the security settings
  12. #
  13. # License
  14. # =======
  15. #
  16. # Copyright (C) 2015-2016 Bob Mottram <bob@robotics.uk.to>
  17. #
  18. # This program is free software: you can redistribute it and/or modify
  19. # it under the terms of the GNU Affero General Public License as published by
  20. # the Free Software Foundation, either version 3 of the License, or
  21. # (at your option) any later version.
  22. #
  23. # This program is distributed in the hope that it will be useful,
  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  26. # GNU Affero General Public License for more details.
  27. #
  28. # You should have received a copy of the GNU Affero General Public License
  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  30. PROJECT_NAME='freedombone'
  31. export TEXTDOMAIN=${PROJECT_NAME}-sec
  32. export TEXTDOMAINDIR="/usr/share/locale"
  33. CONFIGURATION_FILE=/root/${PROJECT_NAME}.cfg
  34. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
  35. SSL_PROTOCOLS=
  36. SSL_CIPHERS=
  37. SSH_CIPHERS=
  38. SSH_MACS=
  39. SSH_KEX=
  40. SSH_HOST_KEY_ALGORITHMS=
  41. SSH_PASSWORDS=
  42. XMPP_CIPHERS=
  43. XMPP_ECC_CURVE=
  44. WEBSITES_DIRECTORY='/etc/nginx/sites-available'
  45. DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
  46. SSH_CONFIG='/etc/ssh/sshd_config'
  47. XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'
  48. MINIMUM_LENGTH=6
  49. IMPORT_FILE=
  50. EXPORT_FILE=
  51. CURRENT_DIR=$(pwd)
  52. REGENERATE_SSH_HOST_KEYS="no"
  53. REGENERATE_DH_KEYS="no"
  54. DH_KEYLENGTH=2048
  55. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
  56. MY_USERNAME=
  57. function get_protocols_from_website {
  58. if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
  59. return
  60. fi
  61. SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
  62. }
  63. function get_ciphers_from_website {
  64. if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
  65. return
  66. fi
  67. SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
  68. }
  69. function get_website_settings {
  70. if [ ! -d $WEBSITES_DIRECTORY ]; then
  71. return
  72. fi
  73. cd $WEBSITES_DIRECTORY
  74. for file in `dir -d *` ; do
  75. get_protocols_from_website $file
  76. if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
  77. get_ciphers_from_website $file
  78. if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
  79. break
  80. else
  81. SSL_PROTOCOLS=""
  82. fi
  83. fi
  84. done
  85. }
  86. function get_imap_settings {
  87. if [ ! -f $DOVECOT_CIPHERS ]; then
  88. return
  89. fi
  90. # clear commented out cipher list
  91. sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
  92. if [ $SSL_CIPHERS ]; then
  93. return
  94. fi
  95. if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
  96. return
  97. fi
  98. SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
  99. }
  100. function get_xmpp_settings {
  101. if [ ! -f $XMPP_CONFIG ]; then
  102. return
  103. fi
  104. XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  105. XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  106. }
  107. function get_ssh_settings {
  108. if [ -f $SSH_CONFIG ]; then
  109. SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
  110. SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
  111. SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
  112. SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
  113. fi
  114. if [ -f /etc/ssh/ssh_config ]; then
  115. SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
  116. if [ ! $SSH_CIPHERS ]; then
  117. SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
  118. fi
  119. if [ ! $SSH_MACS ]; then
  120. SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
  121. fi
  122. fi
  123. }
  124. function change_website_settings {
  125. if [ ! "$SSL_PROTOCOLS" ]; then
  126. return
  127. fi
  128. if [ ! $SSL_CIPHERS ]; then
  129. return
  130. fi
  131. if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
  132. return
  133. fi
  134. if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
  135. return
  136. fi
  137. if [ ! -d $WEBSITES_DIRECTORY ]; then
  138. return
  139. fi
  140. cd $WEBSITES_DIRECTORY
  141. for file in `dir -d *` ; do
  142. sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
  143. sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  144. done
  145. systemctl restart nginx
  146. echo $'Web security settings changed'
  147. }
  148. function change_imap_settings {
  149. if [ ! -f $DOVECOT_CIPHERS ]; then
  150. return
  151. fi
  152. if [ ! $SSL_CIPHERS ]; then
  153. return
  154. fi
  155. if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
  156. return
  157. fi
  158. sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
  159. sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
  160. systemctl restart dovecot
  161. echo $'imap security settings changed'
  162. }
  163. function change_ssh_settings {
  164. if [ -f /etc/ssh/ssh_config ]; then
  165. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  166. sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
  167. echo $'ssh client security settings changed'
  168. fi
  169. fi
  170. if [ -f $SSH_CONFIG ]; then
  171. if [ ! $SSH_CIPHERS ]; then
  172. return
  173. fi
  174. if [ ! $SSH_MACS ]; then
  175. return
  176. fi
  177. if [ ! $SSH_KEX ]; then
  178. return
  179. fi
  180. if [ ! $SSH_PASSWORDS ]; then
  181. return
  182. fi
  183. sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
  184. sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
  185. sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
  186. sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
  187. systemctl restart ssh
  188. echo $'ssh server security settings changed'
  189. fi
  190. }
  191. function change_xmpp_settings {
  192. if [ ! -f $XMPP_CONFIG ]; then
  193. return
  194. fi
  195. if [ ! $XMPP_CIPHERS ]; then
  196. return
  197. fi
  198. if [ ! $XMPP_ECC_CURVE ]; then
  199. return
  200. fi
  201. sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
  202. sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
  203. systemctl restart prosody
  204. echo $'xmpp security settings changed'
  205. }
  206. function interactive_setup {
  207. if [ $SSL_CIPHERS ]; then
  208. data=$(tempfile 2>/dev/null)
  209. trap "rm -f $data" 0 1 2 5 15
  210. dialog --backtitle $"Freedombone Security Configuration" \
  211. --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
  212. $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
  213. $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
  214. 2> $data
  215. sel=$?
  216. case $sel in
  217. 1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
  218. SSL_CIPHERS=$(cat $data | sed -n 2p)
  219. ;;
  220. 255) exit 0;;
  221. esac
  222. fi
  223. data=$(tempfile 2>/dev/null)
  224. trap "rm -f $data" 0 1 2 5 15
  225. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  226. dialog --backtitle $"Freedombone Security Configuration" \
  227. --form $"\nSecure Shell Ciphers:" 13 95 4 \
  228. $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
  229. $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
  230. $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
  231. $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
  232. 2> $data
  233. sel=$?
  234. case $sel in
  235. 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
  236. SSH_MACS=$(cat $data | sed -n 2p)
  237. SSH_KEX=$(cat $data | sed -n 3p)
  238. SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
  239. ;;
  240. 255) exit 0;;
  241. esac
  242. else
  243. dialog --backtitle $"Freedombone Security Configuration" \
  244. --form $"\nSecure Shell Ciphers:" 11 95 3 \
  245. $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
  246. $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
  247. $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
  248. 2> $data
  249. sel=$?
  250. case $sel in
  251. 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
  252. SSH_MACS=$(cat $data | sed -n 2p)
  253. SSH_KEX=$(cat $data | sed -n 3p)
  254. ;;
  255. 255) exit 0;;
  256. esac
  257. fi
  258. if [[ $SSH_PASSWORDS == "yes" ]]; then
  259. dialog --title $"SSH Passwords" \
  260. --backtitle $"Freedombone Security Configuration" \
  261. --yesno $"\nAllow SSH login using passwords?" 7 60
  262. else
  263. dialog --title $"SSH Passwords" \
  264. --backtitle $"Freedombone Security Configuration" \
  265. --defaultno \
  266. --yesno $"\nAllow SSH login using passwords?" 7 60
  267. fi
  268. sel=$?
  269. case $sel in
  270. 0) SSH_PASSWORDS="yes";;
  271. 1) SSH_PASSWORDS="no";;
  272. 255) exit 0;;
  273. esac
  274. if [ $XMPP_CIPHERS ]; then
  275. data=$(tempfile 2>/dev/null)
  276. trap "rm -f $data" 0 1 2 5 15
  277. dialog --backtitle $"Freedombone Security Configuration" \
  278. --form $"\nXMPP Ciphers:" 10 95 2 \
  279. $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
  280. $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
  281. 2> $data
  282. sel=$?
  283. case $sel in
  284. 1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
  285. XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
  286. ;;
  287. 255) exit 0;;
  288. esac
  289. fi
  290. dialog --title $"Final Confirmation" \
  291. --backtitle $"Freedombone Security Configuration" \
  292. --defaultno \
  293. --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
  294. sel=$?
  295. case $sel in
  296. 1) clear
  297. echo $'Exiting without changing security settings'
  298. exit 0;;
  299. 255) clear
  300. echo $'Exiting without changing security settings'
  301. exit 0;;
  302. esac
  303. clear
  304. }
  305. function send_monkeysphere_server_keys_to_users {
  306. monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')
  307. for d in /home/*/ ; do
  308. USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
  309. if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" && $USERNAME != "tahoelafs" ]]; then
  310. if [ ! -d /home/$USERNAME/.monkeysphere ]; then
  311. mkdir /home/$USERNAME/.monkeysphere
  312. fi
  313. echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys
  314. chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere
  315. fi
  316. done
  317. }
  318. function regenerate_ssh_host_keys {
  319. if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
  320. rm -f /etc/ssh/ssh_host_*
  321. dpkg-reconfigure openssh-server
  322. echo $'ssh host keys regenerated'
  323. # remove small moduli
  324. awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
  325. mv ~/moduli /etc/ssh/moduli
  326. echo $'ssh small moduli removed'
  327. # update monkeysphere
  328. DEFAULT_DOMAIN_NAME=
  329. if grep -q "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE; then
  330. DEFAULT_DOMAIN_NAME=$(grep "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
  331. fi
  332. monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
  333. SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
  334. monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
  335. monkeysphere-host publish-key
  336. send_monkeysphere_server_keys_to_users
  337. echo $'updated monkeysphere ssh host key'
  338. systemctl restart ssh
  339. fi
  340. }
  341. function regenerate_dh_keys {
  342. if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
  343. if [ ! -d /etc/ssl/mycerts ]; then
  344. echo $'No dhparam certificates were found'
  345. return
  346. fi
  347. data=$(tempfile 2>/dev/null)
  348. trap "rm -f $data" 0 1 2 5 15
  349. dialog --backtitle "Freedombone Security Configuration" \
  350. --title "Diffie-Hellman key length" \
  351. --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
  352. 1 "2048 bits" off \
  353. 2 "3072 bits" on \
  354. 3 "4096 bits" off 2> $data
  355. sel=$?
  356. case $sel in
  357. 1) exit 1;;
  358. 255) exit 1;;
  359. esac
  360. case $(cat $data) in
  361. 1) DH_KEYLENGTH=2048;;
  362. 2) DH_KEYLENGTH=3072;;
  363. 3) DH_KEYLENGTH=4096;;
  364. esac
  365. ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
  366. fi
  367. }
  368. function renew_startssl {
  369. renew_domain=
  370. data=$(tempfile 2>/dev/null)
  371. trap "rm -f $data" 0 1 2 5 15
  372. dialog --title $"Renew a StartSSL certificate" \
  373. --backtitle $"Freedombone Security Settings" \
  374. --inputbox $"Enter the domain name" 8 60 2>$data
  375. sel=$?
  376. case $sel in
  377. 0)
  378. renew_domain=$(<$data)
  379. ;;
  380. esac
  381. if [ ! $renew_domain ]; then
  382. return
  383. fi
  384. if [[ $renew_domain == "http"* ]]; then
  385. dialog --title $"Renew a StartSSL certificate" \
  386. --msgbox $"Don't include the https://" 6 40
  387. return
  388. fi
  389. if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
  390. dialog --title $"Renew a StartSSL certificate" \
  391. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  392. return
  393. fi
  394. if [[ $renew_domain != *"."* ]]; then
  395. dialog --title $"Renew a StartSSL certificate" \
  396. --msgbox $"Invalid domain name: $renew_domain" 6 40
  397. return
  398. fi
  399. ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
  400. exit 0
  401. }
  402. function renew_letsencrypt {
  403. renew_domain=
  404. data=$(tempfile 2>/dev/null)
  405. trap "rm -f $data" 0 1 2 5 15
  406. dialog --title $"Renew a Let's Encrypt certificate" \
  407. --backtitle $"Freedombone Security Settings" \
  408. --inputbox $"Enter the domain name" 8 60 2>$data
  409. sel=$?
  410. case $sel in
  411. 0)
  412. renew_domain=$(<$data)
  413. ;;
  414. esac
  415. if [ ! $renew_domain ]; then
  416. return
  417. fi
  418. if [[ $renew_domain == "http"* ]]; then
  419. dialog --title $"Renew a Let's Encrypt certificate" \
  420. --msgbox $"Don't include the https://" 6 40
  421. return
  422. fi
  423. if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
  424. dialog --title $"Renew a Let's Encrypt certificate" \
  425. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  426. return
  427. fi
  428. if [[ $renew_domain != *"."* ]]; then
  429. dialog --title $"Renew a Let's Encrypt certificate" \
  430. --msgbox $"Invalid domain name: $renew_domain" 6 40
  431. return
  432. fi
  433. ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
  434. exit 0
  435. }
  436. function create_letsencrypt {
  437. new_domain=
  438. data=$(tempfile 2>/dev/null)
  439. trap "rm -f $data" 0 1 2 5 15
  440. dialog --title $"Create a new Let's Encrypt certificate" \
  441. --backtitle $"Freedombone Security Settings" \
  442. --inputbox $"Enter the domain name" 8 60 2>$data
  443. sel=$?
  444. case $sel in
  445. 0)
  446. new_domain=$(<$data)
  447. ;;
  448. esac
  449. if [ ! $new_domain ]; then
  450. return
  451. fi
  452. if [[ $new_domain == "http"* ]]; then
  453. dialog --title $"Create a new Let's Encrypt certificate" \
  454. --msgbox $"Don't include the https://" 6 40
  455. return
  456. fi
  457. if [[ $new_domain != *"."* ]]; then
  458. dialog --title $"Create a new Let's Encrypt certificate" \
  459. --msgbox $"Invalid domain name: $new_domain" 6 40
  460. return
  461. fi
  462. if [ ! -d /var/www/${new_domain} ]; then
  463. dialog --title $"Create a new Let's Encrypt certificate" \
  464. --msgbox $'Domain not found within /var/www' 6 40
  465. return
  466. fi
  467. ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
  468. exit 0
  469. }
  470. function update_ciphersuite {
  471. project_filename=/usr/local/bin/${PROJECT_NAME}
  472. if [ ! -f $project_filename ]; then
  473. project_filename=/usr/bin/${PROJECT_NAME}
  474. fi
  475. SSH_FILENAME=${project_filename}-utils-ssh
  476. SSL_FILENAME=${project_filename}-utils-web
  477. RECOMMENDED_SSL_CIPHERS=$(cat $SSL_FILENAME | grep 'SSL_CIPHERS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  478. if [ ! "$RECOMMENDED_SSL_CIPHERS" ]; then
  479. return
  480. fi
  481. if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
  482. return
  483. fi
  484. RECOMMENDED_SSL_PROTOCOLS=$(cat $SSL_FILENAME | grep 'SSL_PROTOCOLS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  485. if [ ! "$RECOMMENDED_SSL_PROTOCOLS" ]; then
  486. return
  487. fi
  488. if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then
  489. return
  490. fi
  491. RECOMMENDED_SSH_CIPHERS=$(cat $SSH_FILENAME | grep 'SSH_CIPHERS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  492. if [ ! "$RECOMMENDED_SSH_CIPHERS" ]; then
  493. return
  494. fi
  495. if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then
  496. return
  497. fi
  498. RECOMMENDED_SSH_MACS=$(cat $SSH_FILENAME | grep 'SSH_MACS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  499. if [ ! "$RECOMMENDED_SSH_MACS" ]; then
  500. return
  501. fi
  502. if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then
  503. return
  504. fi
  505. RECOMMENDED_SSH_KEX=$(cat $SSH_FILENAME | grep 'SSH_KEX=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  506. if [ ! "$RECOMMENDED_SSH_KEX" ]; then
  507. return
  508. fi
  509. if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then
  510. return
  511. fi
  512. cd $WEBSITES_DIRECTORY
  513. for file in `dir -d *` ; do
  514. sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
  515. sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  516. done
  517. systemctl restart nginx
  518. sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG
  519. sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG
  520. sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG
  521. systemctl restart ssh
  522. dialog --title $"Update ciphersuite" \
  523. --msgbox $"The ciphersuite has been updated to recommended versions" 6 40
  524. exit 0
  525. }
  526. function gpg_pubkey_from_email {
  527. key_owner_username=$1
  528. key_email_address=$2
  529. key_id=
  530. if [[ $key_owner_username != "root" ]]; then
  531. key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
  532. else
  533. key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
  534. fi
  535. echo $key_id
  536. }
  537. function enable_monkeysphere {
  538. monkey=
  539. dialog --title $"GPG based authentication" \
  540. --backtitle $"Freedombone Security Configuration" \
  541. --defaultno \
  542. --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60
  543. sel=$?
  544. case $sel in
  545. 0) monkey='yes';;
  546. 255) exit 0;;
  547. esac
  548. if [ $monkey ]; then
  549. if grep -q "MY_USERNAME" $CONFIGURATION_FILE; then
  550. MY_USERNAME=$(grep "MY_USERNAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
  551. fi
  552. if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then
  553. dialog --title $"GPG based authentication" \
  554. --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40
  555. exit 0
  556. fi
  557. MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
  558. if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
  559. echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'
  560. exit 52825
  561. fi
  562. sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
  563. sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config
  564. monkeysphere-authentication update-users
  565. # The admin user is the identity certifier
  566. fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')
  567. monkeysphere-authentication add-identity-certifier $fpr
  568. monkeysphere-host publish-key
  569. send_monkeysphere_server_keys_to_users
  570. else
  571. sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
  572. sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config
  573. fi
  574. systemctl restart ssh
  575. if [ $monkey ]; then
  576. dialog --title $"GPG based authentication" \
  577. --msgbox $"GPG based authentication was enabled" 6 40
  578. else
  579. dialog --title $"GPG based authentication" \
  580. --msgbox $"GPG based authentication was disabled" 6 40
  581. fi
  582. exit 0
  583. }
  584. function register_website {
  585. domain="$1"
  586. if [[ ${domain} == *".local" ]]; then
  587. echo $"Can't register local domains"
  588. return
  589. fi
  590. if [ ! -f /etc/ssl/private/${domain}.key ]; then
  591. echo $"No SSL/TLS private key found for ${domain}"
  592. return
  593. fi
  594. if [ ! -f /etc/nginx/sites-available/${domain} ]; then
  595. echo $"No virtual host found for ${domain}"
  596. return
  597. fi
  598. monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}
  599. monkeysphere-host publish-key
  600. echo "0"
  601. }
  602. function register_website_interactive {
  603. data=$(tempfile 2>/dev/null)
  604. trap "rm -f $data" 0 1 2 5 15
  605. dialog --title $"Register a website with monkeysphere" \
  606. --backtitle $"Freedombone Security Settings" \
  607. --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
  608. sel=$?
  609. case $sel in
  610. 0)
  611. domain=$(<$data)
  612. register_website "$domain"
  613. if [ ! "$?" = "0" ]; then
  614. dialog --title $"Register a website with monkeysphere" \
  615. --msgbox "$?" 6 40
  616. else
  617. dialog --title $"Register a website with monkeysphere" \
  618. --msgbox $"$domain has been registered" 6 40
  619. fi
  620. ;;
  621. esac
  622. }
  623. function pin_all_tls_certs {
  624. ${PROJECT_NAME}-pin-cert all
  625. }
  626. function remove_pinning {
  627. data=$(tempfile 2>/dev/null)
  628. trap "rm -f $data" 0 1 2 5 15
  629. dialog --title $"Remove pinning for a domain" \
  630. --backtitle $"Freedombone Security Settings" \
  631. --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
  632. sel=$?
  633. case $sel in
  634. 0)
  635. domain=$(<$data)
  636. ${PROJECT_NAME}-pin-cert "$domain" remove
  637. if [ ! "$?" = "0" ]; then
  638. dialog --title $"Removed pinning from $domain" \
  639. --msgbox "$?" 6 40
  640. fi
  641. ;;
  642. esac
  643. }
  644. function housekeeping {
  645. cmd=(dialog --separate-output \
  646. --backtitle "Freedombone Security Configuration" \
  647. --title "Housekeeping options" \
  648. --checklist "If you don't need to do any of these things then just press Enter:" 17 76 17)
  649. options=(1 "Regenerate ssh host keys" off
  650. 2 "Regenerate Diffie-Hellman keys" off
  651. 3 "Update cipersuite" off
  652. 4 "Create a new Let's Encrypt certificate" off
  653. 5 "Renew Let's Encrypt certificate" off
  654. 6 "Enable GPG based authentication (monkeysphere)" off
  655. 7 "Register a website with monkeysphere" off
  656. 8 "Pin all TLS certificates" off
  657. 9 "Remove pinning for a domain" off
  658. 10 "Go Back/Exit" on)
  659. choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
  660. clear
  661. for choice in $choices
  662. do
  663. case $choice in
  664. 1)
  665. REGENERATE_SSH_HOST_KEYS="yes"
  666. ;;
  667. 2)
  668. REGENERATE_DH_KEYS="yes"
  669. ;;
  670. 3)
  671. update_ciphersuite
  672. ;;
  673. 4)
  674. create_letsencrypt
  675. ;;
  676. 5)
  677. renew_letsencrypt
  678. ;;
  679. 6)
  680. enable_monkeysphere
  681. ;;
  682. 7)
  683. register_website
  684. ;;
  685. 8)
  686. pin_all_tls_certs
  687. ;;
  688. 9)
  689. remove_pinning
  690. ;;
  691. 10)
  692. exit 0
  693. ;;
  694. esac
  695. done
  696. }
  697. function import_settings {
  698. cd $CURRENT_DIR
  699. if [ ! $IMPORT_FILE ]; then
  700. return
  701. fi
  702. if [ ! -f $IMPORT_FILE ]; then
  703. echo $"Import file $IMPORT_FILE not found"
  704. exit 6393
  705. fi
  706. if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
  707. TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
  708. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  709. SSL_PROTOCOLS=$TEMP_VALUE
  710. fi
  711. fi
  712. if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
  713. TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  714. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  715. SSL_CIPHERS=$TEMP_VALUE
  716. fi
  717. fi
  718. if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
  719. TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  720. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  721. SSH_CIPHERS=$TEMP_VALUE
  722. fi
  723. fi
  724. if grep -q "SSH_MACS" $IMPORT_FILE; then
  725. TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
  726. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  727. SSH_MACS=$TEMP_VALUE
  728. fi
  729. fi
  730. if grep -q "SSH_KEX" $IMPORT_FILE; then
  731. TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
  732. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  733. SSH_KEX=$TEMP_VALUE
  734. fi
  735. fi
  736. if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
  737. TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
  738. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  739. SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
  740. fi
  741. fi
  742. if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
  743. TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
  744. if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
  745. SSH_PASSWORDS=$TEMP_VALUE
  746. fi
  747. fi
  748. if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
  749. TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  750. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  751. XMPP_CIPHERS=$TEMP_VALUE
  752. fi
  753. fi
  754. if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
  755. TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
  756. if [ ${#TEMP_VALUE} -gt 3 ]; then
  757. XMPP_ECC_CURVE=$TEMP_VALUE
  758. fi
  759. fi
  760. }
  761. function export_settings {
  762. if [ ! $EXPORT_FILE ]; then
  763. return
  764. fi
  765. cd $CURRENT_DIR
  766. if [ ! -f $EXPORT_FILE ]; then
  767. if [ "$SSL_PROTOCOLS" ]; then
  768. echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
  769. fi
  770. if [ $SSL_CIPHERS ]; then
  771. echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
  772. fi
  773. if [ $SSH_CIPHERS ]; then
  774. echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
  775. fi
  776. if [ $SSH_MACS ]; then
  777. echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
  778. fi
  779. if [ $SSH_KEX ]; then
  780. echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
  781. fi
  782. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  783. echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
  784. fi
  785. if [ $SSH_PASSWORDS ]; then
  786. echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
  787. fi
  788. if [ $XMPP_CIPHERS ]; then
  789. echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
  790. fi
  791. if [ $XMPP_ECC_CURVE ]; then
  792. echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
  793. fi
  794. echo "Security settings exported to $EXPORT_FILE"
  795. exit 0
  796. fi
  797. if [ "$SSL_PROTOCOLS" ]; then
  798. if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
  799. sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
  800. else
  801. echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
  802. fi
  803. fi
  804. if [ $SSL_CIPHERS ]; then
  805. if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
  806. sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
  807. else
  808. echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
  809. fi
  810. fi
  811. if [ $SSH_CIPHERS ]; then
  812. if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
  813. sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
  814. else
  815. echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
  816. fi
  817. fi
  818. if [ $SSH_MACS ]; then
  819. if grep -q "SSH_MACS" $EXPORT_FILE; then
  820. sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
  821. else
  822. echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
  823. fi
  824. fi
  825. if [ $SSH_KEX ]; then
  826. if grep -q "SSH_KEX" $EXPORT_FILE; then
  827. sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
  828. else
  829. echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
  830. fi
  831. fi
  832. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  833. if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
  834. sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
  835. else
  836. echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
  837. fi
  838. fi
  839. if [ $SSH_PASSWORDS ]; then
  840. if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
  841. sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
  842. else
  843. echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
  844. fi
  845. fi
  846. if [ $XMPP_CIPHERS ]; then
  847. if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
  848. sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
  849. else
  850. echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
  851. fi
  852. fi
  853. if [ $XMPP_ECC_CURVE ]; then
  854. if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
  855. sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
  856. else
  857. echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
  858. fi
  859. fi
  860. echo $"Security settings exported to $EXPORT_FILE"
  861. exit 0
  862. }
  863. function refresh_gpg_keys {
  864. for d in /home/*/ ; do
  865. USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
  866. if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" && $USERNAME != "tahoelafs" ]]; then
  867. su -c 'gpg --refresh-keys' - $USERNAME
  868. fi
  869. done
  870. exit 0
  871. }
  872. function monkeysphere_sign_server_keys {
  873. server_keys_file=/home/$USER/.monkeysphere/server_keys
  874. if [ ! -f $server_keys_file ]; then
  875. exit 0
  876. fi
  877. keys_signed=
  878. while read line; do
  879. echo $line
  880. if [ ${#line} -gt 2 ]; then
  881. fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')
  882. if [ ${#fpr} -gt 2 ]; then
  883. gpg --sign-key $fpr
  884. if [ "$?" = "0" ]; then
  885. gpg --update-trustdb
  886. keys_signed=1
  887. fi
  888. fi
  889. fi
  890. done <$server_keys_file
  891. if [ $keys_signed ]; then
  892. rm $server_keys_file
  893. fi
  894. exit 0
  895. }
  896. function blog_hash {
  897. # produces a hash corresponding to a blog password
  898. pass="$1"
  899. BLOGHASH_FILENAME=/usr/bin/bloghash
  900. echo '<?php' > $BLOGHASH_FILENAME
  901. echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $BLOGHASH_FILENAME
  902. echo '$password = $_GET["password"];' >> $BLOGHASH_FILENAME
  903. echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $BLOGHASH_FILENAME
  904. echo 'if (password_verify($password, $hash)) {' >> $BLOGHASH_FILENAME
  905. echo ' echo $hash;' >> $BLOGHASH_FILENAME
  906. echo '}' >> $BLOGHASH_FILENAME
  907. echo '?>' >> $BLOGHASH_FILENAME
  908. php $BLOGHASH_FILENAME password="$pass"
  909. }
  910. function show_help {
  911. echo ''
  912. echo "${PROJECT_NAME}-sec"
  913. echo ''
  914. echo $'Alters the security settings'
  915. echo ''
  916. echo ''
  917. echo $' -h --help Show help'
  918. echo $' -e --export Export security settings to a file'
  919. echo $' -i --import Import security settings from a file'
  920. echo $' -r --refresh Refresh GPG keys for all users'
  921. echo $' -s --sign Sign monkeysphere server keys'
  922. echo $' --register [domain] Register a https domain with monkeysphere'
  923. echo $' -b --bloghash [password] Returns the hash of a password for the blog'
  924. echo ''
  925. exit 0
  926. }
  927. # Get the commandline options
  928. while [[ $# > 1 ]]
  929. do
  930. key="$1"
  931. case $key in
  932. -h|--help)
  933. show_help
  934. ;;
  935. # Export settings
  936. -e|--export)
  937. shift
  938. EXPORT_FILE="$1"
  939. ;;
  940. # Export settings
  941. -i|--import)
  942. shift
  943. IMPORT_FILE="$1"
  944. ;;
  945. # Refresh GPG keys
  946. -r|--refresh)
  947. shift
  948. refresh_gpg_keys
  949. ;;
  950. # register a website
  951. --register|--reg|--site)
  952. shift
  953. register_website "$1"
  954. ;;
  955. # user signs monkeysphere server keys
  956. -s|--sign)
  957. shift
  958. monkeysphere_sign_server_keys
  959. ;;
  960. # get a hash of the given blog password
  961. -b|--bloghash)
  962. shift
  963. blog_hash "$1"
  964. exit 0
  965. ;;
  966. *)
  967. # unknown option
  968. ;;
  969. esac
  970. shift
  971. done
  972. housekeeping
  973. get_website_settings
  974. get_imap_settings
  975. get_ssh_settings
  976. get_xmpp_settings
  977. import_settings
  978. export_settings
  979. interactive_setup
  980. change_website_settings
  981. change_imap_settings
  982. change_ssh_settings
  983. change_xmpp_settings
  984. regenerate_ssh_host_keys
  985. regenerate_dh_keys
  986. exit 0