free
/
freedombone
Наблюдаван 1
Харесван 0
Разклонения 0
Код Задачи 0 Заявки за сливане 0 Версии 0 Уики Activity
6923 Ревизии
5 Клонове
ИН на ревизия: 98d4179784
Клонове Маркери
${ item.name }
Create branch ${ searchTerm }
from '98d4179784'
${ noResults }
freedombone/src/freedombone-utils-gpg

freedombone-utils-gpg 11KB
История Директен файл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # gpg functions

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2016-2017 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. function gpg_update_mutt {

  32.     key_username=$1

  33. 

  34.     if [ ! -f /home/$key_username/.muttrc ]; then

  35.         return

  36.     fi

  37. 

  38.     CURR_EMAIL_ADDRESS=$key_username@$HOSTNAME

  39.     CURR_GPG_ID=$(gpg --homedir=/home/$key_username/.gnupg --list-keys $CURR_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//')

  40. 

  41.     sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --trust-model always --encrypt-to $CURR_GPG_ID -- -r %r -- %f\"|g" /home/$key_username/.muttrc

  42.     sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --trust-model always --encrypt-to $CURR_GPG_ID -- -r %r -- %f\"|g" /home/$key_username/.muttrc

  43. 

  44.     chown $key_username:$key_username /home/$key_username/.muttrc

  45. }

  46. 

  47. function gpg_import_public_key {

  48.     key_username=$1

  49.     key_filename=$2

  50. 

  51.     gpg --homedir=/home/$key_username/.gnupg --import $key_filename

  52.     gpg_set_permissions $key_username

  53. }

  54. 

  55. function gpg_import_private_key {

  56.     key_username=$1

  57.     key_filename=$2

  58. 

  59.     gpg --homedir=/home/$key_username/.gnupg --allow-secret-key-import --import $key_filename

  60.     gpg_set_permissions $key_username

  61. }

  62. 

  63. function gpg_export_public_key {

  64.     key_username=$1

  65.     key_id=$2

  66.     key_filename=$3

  67. 

  68.     su -m root -c "gpg --homedir /home/$key_username/.gnupg --output $key_filename --armor --export $key_id" - $key_username

  69. }

  70. 

  71. function gpg_export_private_key {

  72.     key_username=$1

  73.     key_id=$2

  74.     key_filename=$3

  75. 

  76.     su -m root -c "gpg --homedir=/home/$key_username/.gnupg --armor --output $key_filename --export-secret-key $key_id" - $key_username

  77. }

  78. 

  79. function gpg_create_key {

  80.     key_username=$1

  81.     key_passphrase=$2

  82. 

  83.     gpg_dir=/home/$key_username/.gnupg

  84. 

  85.     echo 'Key-Type: eddsa' > /home/$key_username/gpg-genkey.conf

  86.     echo 'Key-Curve: Ed25519' >> /home/$key_username/gpg-genkey.conf

  87.     echo 'Subkey-Type: eddsa' >> /home/$key_username/gpg-genkey.conf

  88.     echo 'Subkey-Curve: Ed25519' >> /home/$key_username/gpg-genkey.conf

  89.     echo "Name-Real:  $MY_NAME" >> /home/$key_username/gpg-genkey.conf

  90.     echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$key_username/gpg-genkey.conf

  91.     echo 'Expire-Date: 0' >> /home/$key_username/gpg-genkey.conf

  92.     cat /home/$key_username/gpg-genkey.conf

  93.     if [ $key_passphrase ]; then

  94.         echo "Passphrase: $key_passphrase" >> /home/$key_username/gpg-genkey.conf

  95.     else

  96.         echo "Passphrase: $PROJECT_NAME" >> /home/$key_username/gpg-genkey.conf

  97.     fi

  98.     chown $key_username:$key_username /home/$key_username/gpg-genkey.conf

  99. 

  100.     echo $'Generating a new GPG key'

  101.     su -m root -c "gpg --homedir /home/$key_username/.gnupg --batch --full-gen-key /home/$key_username/gpg-genkey.conf" - $key_username

  102.     chown -R $key_username:$key_username /home/$key_username/.gnupg

  103.     KEY_EXISTS=$(gpg_key_exists "$key_username" "${key_username}@${HOSTNAME}")

  104.     if [[ $KEY_EXISTS == "no" ]]; then

  105.         echo $"A GPG key for ${key_username}@${HOSTNAME} could not be created"

  106.         exit 63621

  107.     fi

  108.     shred -zu /home/$key_username/gpg-genkey.conf

  109.     CURR_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$key_username" "${key_username}@${HOSTNAME}")

  110.     if [ ${#CURR_GPG_PUBLIC_KEY_ID} -lt 4 ]; then

  111.         echo $"GPG public key ID could not be obtained for ${key_username}@${HOSTNAME}"

  112.         exit 825292

  113.     fi

  114.     gpg_set_permissions $key_username

  115. }

  116. 

  117. function gpg_delete_key {

  118.     key_username=$1

  119.     key_id=$2

  120. 

  121.     chown -R $key_username:$key_username /home/$key_username/.gnupg

  122.     su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-secret-key $key_id" - $key_username

  123.     su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-key $key_id" - $key_username

  124. }

  125. 

  126. function gpg_set_permissions {

  127.     key_username=$1

  128. 

  129.     if [[ "$key_username" != 'root' ]]; then

  130.         chmod 700 /home/$key_username/.gnupg

  131.         chmod -R 600 /home/$key_username/.gnupg/*

  132.         chown -R $key_username:$key_username /home/$key_username/.gnupg

  133.     else

  134.         chmod 700 /root/.gnupg

  135.         chmod -R 600 /root/.gnupg/*

  136.         chown -R $key_username:$key_username /root/.gnupg

  137.     fi

  138. }

  139. 

  140. function gpg_reconstruct_key {

  141.     key_username=$1

  142.     key_interactive=$2

  143. 

  144.     if [ ! -d /home/$key_username/.gnupg_fragments ]; then

  145.         return

  146.     fi

  147.     cd /home/$key_username/.gnupg_fragments

  148.     no_of_shares=$(ls -afq keyshare.asc.* | wc -l)

  149.     if (( no_of_shares < 4 )); then

  150.         if [ $key_interactive ]; then

  151.             dialog --title $"Recover Encryption Keys" --msgbox $'Not enough fragments to reconstruct the key' 6 70

  152.         else

  153.             echo $'Not enough fragments to reconstruct the key'

  154.         fi

  155.         exit 7348

  156.     fi

  157.     gfcombine /home/$key_username/.gnupg_fragments/keyshare*

  158.     if [ ! "$?" = "0" ]; then

  159.         if [ $key_interactive ]; then

  160.             dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70

  161.         else

  162.             echo $'Unable to reconstruct the key'

  163.         fi

  164.         exit 7348

  165.     fi

  166. 

  167.     KEYS_FILE=/home/$key_username/.gnupg_fragments/keyshare.asc

  168.     if [ ! -f $KEYS_FILE ]; then

  169.         if [ $key_interactive ]; then

  170.             dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70

  171.         else

  172.             echo $'Unable to reconstruct the key'

  173.         fi

  174.         exit 52852

  175.     fi

  176. 

  177.     gpg --homedir=/home/$key_username/.gnupg --allow-secret-key-import --import $KEYS_FILE

  178.     if [ ! "$?" = "0" ]; then

  179.         shred -zu $KEYS_FILE

  180.         rm -rf /home/$key_username/.tempgnupg

  181.         if [ $key_interactive ]; then

  182.             dialog --title $"Recover Encryption Keys" --msgbox $'Unable to import gpg key' 6 70

  183.         else

  184.             echo $'Unable to import gpg key'

  185.         fi

  186.         exit 96547

  187.     fi

  188.     shred -zu $KEYS_FILE

  189. 

  190.     gpg_set_permissions $key_username

  191. 

  192.     if [ $key_interactive ]; then

  193.         dialog --title $"Recover Encryption Keys" --msgbox $'Key has been reconstructed' 6 70

  194.     else

  195.         echo $'Key has been reconstructed'

  196.     fi

  197. }

  198. 

  199. function gpg_agent_setup {

  200.     gpg_username=$1

  201. 

  202.     if [[ $gpg_username == 'root' ]]; then

  203.         if ! grep -q 'GPG_TTY' /root/.bashrc; then

  204.             echo '' >> /root/.bashrc

  205.             echo 'GPG_TTY=$(tty)' >> /root/.bashrc

  206.             echo 'export GPG_TTY' >> /root/.bashrc

  207.         fi

  208.         if ! grep -q 'use-agent' /root/.gnupg/gpg.conf; then

  209.             echo 'use-agent' >> /root/.gnupg/gpg.conf

  210.         fi

  211.         if ! grep -q 'pinentry-mode loopback' /root/.gnupg/gpg.conf; then

  212.             echo 'pinentry-mode loopback' >> /root/.gnupg/gpg.conf

  213.         fi

  214.         if [ ! -f /root/.gnupg/gpg-agent.conf ]; then

  215.             touch /root/.gnupg/gpg-agent.conf

  216.         fi

  217.         if ! grep -q 'allow-loopback-pinentry' /root/.gnupg/gpg-agent.conf; then

  218.             echo 'allow-loopback-pinentry' >> /root/.gnupg/gpg-agent.conf

  219.         fi

  220.         echo RELOADAGENT | gpg-connect-agent

  221.     else

  222.         if ! grep -q 'GPG_TTY' /home/$gpg_username/.bashrc; then

  223.             echo '' >> /home/$gpg_username/.bashrc

  224.             echo 'GPG_TTY=$(tty)' >> /home/$gpg_username/.bashrc

  225.             echo 'export GPG_TTY' >> /home/$gpg_username/.bashrc

  226.             chown $gpg_username:$gpg_username /home/$gpg_username/.bashrc

  227.         fi

  228.         if ! grep -q 'use-agent' /home/$gpg_username/.gnupg/gpg.conf; then

  229.             echo 'use-agent' >> /home/$gpg_username/.gnupg/gpg.conf

  230.         fi

  231.         if ! grep -q 'pinentry-mode loopback' /home/$gpg_username/.gnupg/gpg.conf; then

  232.             echo 'pinentry-mode loopback' >> /home/$gpg_username/.gnupg/gpg.conf

  233.         fi

  234.         if [ ! -f /home/$gpg_username/.gnupg/gpg-agent.conf ]; then

  235.             touch /home/$gpg_username/.gnupg/gpg-agent.conf

  236.         fi

  237.         if ! grep -q 'allow-loopback-pinentry' /home/$gpg_username/.gnupg/gpg-agent.conf; then

  238.             echo 'allow-loopback-pinentry' >> /home/$gpg_username/.gnupg/gpg-agent.conf

  239.         fi

  240.         su -c "echo RELOADAGENT | gpg-connect-agent" - $gpg_username

  241.     fi

  242. }

  243. 

  244. function gpg_pubkey_from_email {

  245.     key_owner_username=$1

  246.     key_email_address=$2

  247.     key_id=

  248.     if [[ $key_owner_username != "root" ]]; then

  249.         key_id=$(su -c "gpg --list-keys $key_email_address" - $key_owner_username | sed -n '2p' | sed 's/^[ \t]*//')

  250.     else

  251.         key_id=$(gpg --list-keys $key_email_address | sed -n '2p' | sed 's/^[ \t]*//')

  252.     fi

  253.     echo $key_id

  254. }

  255. 

  256. function enable_email_encryption_at_rest {

  257.     for d in /home/*/ ; do

  258.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  259.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  260.             if grep '#| /usr/bin/gpgit.pl' /home/$USERNAME/.procmailrc; then

  261.                 sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' /home/$USERNAME/.procmailrc

  262.                 sed -i 's|#:0 f|:0 f|g' /home/$USERNAME/.procmailrc

  263.             fi

  264.         fi

  265.     done

  266. 

  267.     if grep '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then

  268.         sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc

  269.         sed -i 's|#:0 f|:0 f|g' /etc/skel/.procmailrc

  270.     fi

  271. }

  272. 

  273. function disable_email_encryption_at_rest {

  274.     for d in /home/*/ ; do

  275.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  276.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  277.             if ! grep '#| /usr/bin/gpgit.pl' /home/$USERNAME/.procmailrc; then

  278.                 sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' /home/$USERNAME/.procmailrc

  279.                 sed -i 's|:0 f|#:0 f|g' /home/$USERNAME/.procmailrc

  280.             fi

  281.         fi

  282.     done

  283. 

  284.     if ! grep '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then

  285.         sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc

  286.         sed -i 's|:0 f|#:0 f|g' /etc/skel/.procmailrc

  287.     fi

  288. }

  289. 

  290. # NOTE: deliberately no exit 0