freedombone-sec 42KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Alters the security settings
  12. #
  13. # License
  14. # =======
  15. #
  16. # Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
  17. #
  18. # This program is free software: you can redistribute it and/or modify
  19. # it under the terms of the GNU Affero General Public License as published by
  20. # the Free Software Foundation, either version 3 of the License, or
  21. # (at your option) any later version.
  22. #
  23. # This program is distributed in the hope that it will be useful,
  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  26. # GNU Affero General Public License for more details.
  27. #
  28. # You should have received a copy of the GNU Affero General Public License
  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  30. PROJECT_NAME='freedombone'
  31. export TEXTDOMAIN=${PROJECT_NAME}-sec
  32. export TEXTDOMAINDIR="/usr/share/locale"
  33. CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg
  34. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
  35. UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
  36. for f in $UTILS_FILES
  37. do
  38. source $f
  39. done
  40. SSL_PROTOCOLS=
  41. SSL_CIPHERS=
  42. SSH_CIPHERS=
  43. SSH_MACS=
  44. SSH_KEX=
  45. SSH_HOST_KEY_ALGORITHMS=
  46. SSH_PASSWORDS=
  47. XMPP_CIPHERS=
  48. XMPP_ECC_CURVE=
  49. WEBSITES_DIRECTORY='/etc/nginx/sites-available'
  50. DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
  51. SSH_CONFIG='/etc/ssh/sshd_config'
  52. XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'
  53. MINIMUM_LENGTH=6
  54. IMPORT_FILE=
  55. EXPORT_FILE=
  56. CURRENT_DIR=$(pwd)
  57. DH_KEYLENGTH=2048
  58. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
  59. MY_USERNAME=
  60. function export_passwords {
  61. detect_usb_drive
  62. data=$(tempfile 2>/dev/null)
  63. trap "rm -f $data" 0 1 2 5 15
  64. dialog --title $"Export passwords to USB drive $USB_DRIVE" \
  65. --backtitle $"Security Settings" \
  66. --defaultno \
  67. --yesno $"\nPlease confirm that you wish to export passwords to a LUKS formatted USB drive. The drive should be plugged in." 10 60
  68. sel=$?
  69. case $sel in
  70. 1) return;;
  71. 255) return;;
  72. esac
  73. data=$(tempfile 2>/dev/null)
  74. trap "rm -f $data" 0 1 2 5 15
  75. dialog --title $"Export passwords to USB drive $USB_DRIVE" \
  76. --backtitle $"Security Settings" \
  77. --defaultno \
  78. --yesno $"\nDo you need to format the drive as LUKS encrypted?" 12 60
  79. sel=$?
  80. case $sel in
  81. 0) ${PROJECT_NAME}-format $USB_DRIVE;;
  82. esac
  83. clear
  84. backup_mount_drive ${USB_DRIVE}
  85. ${PROJECT_NAME}-pass --export ${USB_MOUNT}/${PROJECT_NAME}-passwords.xml
  86. backup_unmount_drive ${USB_DRIVE}
  87. }
  88. function get_protocols_from_website {
  89. if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
  90. return
  91. fi
  92. SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
  93. }
  94. function get_ciphers_from_website {
  95. if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
  96. return
  97. fi
  98. SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
  99. }
  100. function get_imap_settings {
  101. if [ ! -f $DOVECOT_CIPHERS ]; then
  102. return
  103. fi
  104. # clear commented out cipher list
  105. sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
  106. if [ $SSL_CIPHERS ]; then
  107. return
  108. fi
  109. if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
  110. return
  111. fi
  112. SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
  113. }
  114. function get_xmpp_settings {
  115. if [ ! -f $XMPP_CONFIG ]; then
  116. return
  117. fi
  118. XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  119. XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  120. }
  121. function get_ssh_settings {
  122. if [ -f $SSH_CONFIG ]; then
  123. SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
  124. fi
  125. if [ -f /etc/ssh/ssh_config ]; then
  126. SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
  127. fi
  128. }
  129. function change_website_settings {
  130. if [ ! "$SSL_PROTOCOLS" ]; then
  131. return
  132. fi
  133. if [ ! $SSL_CIPHERS ]; then
  134. return
  135. fi
  136. if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
  137. return
  138. fi
  139. if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
  140. return
  141. fi
  142. if [ ! -d $WEBSITES_DIRECTORY ]; then
  143. return
  144. fi
  145. cd $WEBSITES_DIRECTORY
  146. for file in `dir -d *` ; do
  147. sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
  148. sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  149. done
  150. systemctl restart nginx
  151. echo $'Web security settings changed'
  152. }
  153. function change_imap_settings {
  154. if [ ! -f $DOVECOT_CIPHERS ]; then
  155. return
  156. fi
  157. if [ ! $SSL_CIPHERS ]; then
  158. return
  159. fi
  160. if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
  161. return
  162. fi
  163. sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
  164. sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
  165. systemctl restart dovecot
  166. echo $'imap security settings changed'
  167. }
  168. function change_ssh_settings {
  169. if [ -f /etc/ssh/ssh_config ]; then
  170. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  171. sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
  172. echo $'ssh client security settings changed'
  173. fi
  174. fi
  175. if [ -f $SSH_CONFIG ]; then
  176. if [ ! $SSH_CIPHERS ]; then
  177. return
  178. fi
  179. if [ ! $SSH_MACS ]; then
  180. return
  181. fi
  182. if [ ! $SSH_KEX ]; then
  183. return
  184. fi
  185. if [ ! $SSH_PASSWORDS ]; then
  186. SSH_PASSWORDS='yes'
  187. fi
  188. sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
  189. sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
  190. sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
  191. sed -i "s|#PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
  192. sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
  193. systemctl restart ssh
  194. echo $'ssh server security settings changed'
  195. fi
  196. }
  197. function change_xmpp_settings {
  198. if [ ! -f $XMPP_CONFIG ]; then
  199. return
  200. fi
  201. if [ ! $XMPP_CIPHERS ]; then
  202. return
  203. fi
  204. if [ ! $XMPP_ECC_CURVE ]; then
  205. return
  206. fi
  207. sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
  208. sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
  209. systemctl restart prosody
  210. echo $'xmpp security settings changed'
  211. }
  212. function allow_ssh_passwords {
  213. dialog --title $"SSH Passwords" \
  214. --backtitle $"Freedombone Security Configuration" \
  215. --yesno $"\nAllow SSH login using passwords?" 7 60
  216. sel=$?
  217. case $sel in
  218. 0) SSH_PASSWORDS="yes";;
  219. 1) SSH_PASSWORDS="no";;
  220. 255) exit 0;;
  221. esac
  222. }
  223. function interactive_setup {
  224. if [ $SSL_CIPHERS ]; then
  225. data=$(tempfile 2>/dev/null)
  226. trap "rm -f $data" 0 1 2 5 15
  227. dialog --backtitle $"Freedombone Security Configuration" \
  228. --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
  229. $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
  230. $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
  231. 2> $data
  232. sel=$?
  233. case $sel in
  234. 1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
  235. SSL_CIPHERS=$(cat $data | sed -n 2p)
  236. ;;
  237. 255) exit 0;;
  238. esac
  239. fi
  240. data=$(tempfile 2>/dev/null)
  241. trap "rm -f $data" 0 1 2 5 15
  242. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  243. dialog --backtitle $"Freedombone Security Configuration" \
  244. --form $"\nSecure Shell Ciphers:" 13 95 4 \
  245. $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
  246. $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
  247. $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
  248. $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
  249. 2> $data
  250. sel=$?
  251. case $sel in
  252. 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
  253. SSH_MACS=$(cat $data | sed -n 2p)
  254. SSH_KEX=$(cat $data | sed -n 3p)
  255. SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
  256. ;;
  257. 255) exit 0;;
  258. esac
  259. else
  260. dialog --backtitle $"Freedombone Security Configuration" \
  261. --form $"\nSecure Shell Ciphers:" 11 95 3 \
  262. $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
  263. $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
  264. $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
  265. 2> $data
  266. sel=$?
  267. case $sel in
  268. 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
  269. SSH_MACS=$(cat $data | sed -n 2p)
  270. SSH_KEX=$(cat $data | sed -n 3p)
  271. ;;
  272. 255) exit 0;;
  273. esac
  274. fi
  275. if [ $XMPP_CIPHERS ]; then
  276. data=$(tempfile 2>/dev/null)
  277. trap "rm -f $data" 0 1 2 5 15
  278. dialog --backtitle $"Freedombone Security Configuration" \
  279. --form $"\nXMPP Ciphers:" 10 95 2 \
  280. $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
  281. $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
  282. 2> $data
  283. sel=$?
  284. case $sel in
  285. 1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
  286. XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
  287. ;;
  288. 255) exit 0;;
  289. esac
  290. fi
  291. dialog --title $"Final Confirmation" \
  292. --backtitle $"Freedombone Security Configuration" \
  293. --defaultno \
  294. --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
  295. sel=$?
  296. case $sel in
  297. 1) clear
  298. echo $'Exiting without changing security settings'
  299. exit 0;;
  300. 255) clear
  301. echo $'Exiting without changing security settings'
  302. exit 0;;
  303. esac
  304. clear
  305. }
  306. function send_monkeysphere_server_keys_to_users {
  307. monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')
  308. for d in /home/*/ ; do
  309. USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
  310. if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
  311. if [ ! -d /home/$USERNAME/.monkeysphere ]; then
  312. mkdir /home/$USERNAME/.monkeysphere
  313. fi
  314. echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys
  315. chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere
  316. fi
  317. done
  318. }
  319. function regenerate_ssh_host_keys {
  320. rm -f /etc/ssh/ssh_host_*
  321. dpkg-reconfigure openssh-server
  322. echo $'ssh host keys regenerated'
  323. # remove small moduli
  324. awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
  325. mv ~/moduli /etc/ssh/moduli
  326. echo $'ssh small moduli removed'
  327. # update monkeysphere
  328. DEFAULT_DOMAIN_NAME=
  329. read_config_param "DEFAULT_DOMAIN_NAME"
  330. monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
  331. SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
  332. monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
  333. monkeysphere-host publish-key
  334. send_monkeysphere_server_keys_to_users
  335. echo $'updated monkeysphere ssh host key'
  336. systemctl restart ssh
  337. }
  338. function regenerate_dh_keys {
  339. if [ ! -d /etc/ssl/mycerts ]; then
  340. echo $'No dhparam certificates were found'
  341. return
  342. fi
  343. data=$(tempfile 2>/dev/null)
  344. trap "rm -f $data" 0 1 2 5 15
  345. dialog --backtitle "Freedombone Security Configuration" \
  346. --title "Diffie-Hellman key length" \
  347. --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
  348. 1 "2048 bits" off \
  349. 2 "3072 bits" on \
  350. 3 "4096 bits" off 2> $data
  351. sel=$?
  352. case $sel in
  353. 1) exit 1;;
  354. 255) exit 1;;
  355. esac
  356. case $(cat $data) in
  357. 1) DH_KEYLENGTH=2048;;
  358. 2) DH_KEYLENGTH=3072;;
  359. 3) DH_KEYLENGTH=4096;;
  360. esac
  361. ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
  362. }
  363. function renew_startssl {
  364. renew_domain=
  365. data=$(tempfile 2>/dev/null)
  366. trap "rm -f $data" 0 1 2 5 15
  367. dialog --title $"Renew a StartSSL certificate" \
  368. --backtitle $"Freedombone Security Settings" \
  369. --inputbox $"Enter the domain name" 8 60 2>$data
  370. sel=$?
  371. case $sel in
  372. 0)
  373. renew_domain=$(<$data)
  374. ;;
  375. esac
  376. if [ ! $renew_domain ]; then
  377. return
  378. fi
  379. if [[ $renew_domain == "http"* ]]; then
  380. dialog --title $"Renew a StartSSL certificate" \
  381. --msgbox $"Don't include the https://" 6 40
  382. return
  383. fi
  384. if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
  385. dialog --title $"Renew a StartSSL certificate" \
  386. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  387. return
  388. fi
  389. if [[ $renew_domain != *"."* ]]; then
  390. dialog --title $"Renew a StartSSL certificate" \
  391. --msgbox $"Invalid domain name: $renew_domain" 6 40
  392. return
  393. fi
  394. ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
  395. exit 0
  396. }
  397. function renew_letsencrypt {
  398. renew_domain=
  399. data=$(tempfile 2>/dev/null)
  400. trap "rm -f $data" 0 1 2 5 15
  401. dialog --title $"Renew a Let's Encrypt certificate" \
  402. --backtitle $"Freedombone Security Settings" \
  403. --inputbox $"Enter the domain name" 8 60 2>$data
  404. sel=$?
  405. case $sel in
  406. 0)
  407. renew_domain=$(<$data)
  408. ;;
  409. esac
  410. if [ ! $renew_domain ]; then
  411. return
  412. fi
  413. if [[ $renew_domain == "http"* ]]; then
  414. dialog --title $"Renew a Let's Encrypt certificate" \
  415. --msgbox $"Don't include the https://" 6 40
  416. return
  417. fi
  418. if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
  419. dialog --title $"Renew a Let's Encrypt certificate" \
  420. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  421. return
  422. fi
  423. if [[ $renew_domain != *"."* ]]; then
  424. dialog --title $"Renew a Let's Encrypt certificate" \
  425. --msgbox $"Invalid domain name: $renew_domain" 6 40
  426. return
  427. fi
  428. ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
  429. exit 0
  430. }
  431. function delete_letsencrypt {
  432. delete_domain=
  433. data=$(tempfile 2>/dev/null)
  434. trap "rm -f $data" 0 1 2 5 15
  435. dialog --title $"Delete a Let's Encrypt certificate" \
  436. --backtitle $"Freedombone Security Settings" \
  437. --inputbox $"Enter the domain name" 8 60 2>$data
  438. sel=$?
  439. case $sel in
  440. 0)
  441. delete_domain=$(<$data)
  442. ;;
  443. esac
  444. if [ ! $delete_domain ]; then
  445. return
  446. fi
  447. if [[ $delete_domain == "http"* ]]; then
  448. dialog --title $"Delete a Let's Encrypt certificate" \
  449. --msgbox $"Don't include the https://" 6 40
  450. return
  451. fi
  452. if [ ! -f /etc/ssl/certs/${delete_domain}.dhparam ]; then
  453. dialog --title $"Delete a Let's Encrypt certificate" \
  454. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  455. return
  456. fi
  457. if [[ $delete_domain != *"."* ]]; then
  458. dialog --title $"Delete a Let's Encrypt certificate" \
  459. --msgbox $"Invalid domain name: $delete_domain" 6 40
  460. return
  461. fi
  462. dialog --title $"Delete a Let's Encrypt certificate" \
  463. --backtitle $"Freedombone Security Settings" \
  464. --defaultno \
  465. --yesno $"\nConfirm deletion of the TLS certificate for $delete_domain ?" 7 60
  466. sel=$?
  467. case $sel in
  468. 0) ${PROJECT_NAME}-addcert -r $delete_domain;;
  469. 255) exit 0;;
  470. esac
  471. exit 0
  472. }
  473. function create_letsencrypt {
  474. new_domain=
  475. data=$(tempfile 2>/dev/null)
  476. trap "rm -f $data" 0 1 2 5 15
  477. dialog --title $"Create a new Let's Encrypt certificate" \
  478. --backtitle $"Freedombone Security Settings" \
  479. --inputbox $"Enter the domain name" 8 60 2>$data
  480. sel=$?
  481. case $sel in
  482. 0)
  483. new_domain=$(<$data)
  484. ;;
  485. esac
  486. if [ ! $new_domain ]; then
  487. return
  488. fi
  489. if [[ $new_domain == "http"* ]]; then
  490. dialog --title $"Create a new Let's Encrypt certificate" \
  491. --msgbox $"Don't include the https://" 6 40
  492. return
  493. fi
  494. if [[ $new_domain != *"."* ]]; then
  495. dialog --title $"Create a new Let's Encrypt certificate" \
  496. --msgbox $"Invalid domain name: $new_domain" 6 40
  497. return
  498. fi
  499. if [ ! -d /var/www/${new_domain} ]; then
  500. domain_found=
  501. if [ -f /etc/nginx/sites-available/radicale ]; then
  502. if grep "${new_domain}" /etc/nginx/sites-available/radicale; then
  503. domain_found=1
  504. fi
  505. fi
  506. if [ -f /etc/nginx/sites-available/${new_domain} ]; then
  507. domain_found=1
  508. fi
  509. if [[ "${new_domain}" == "jitsi"* || "${new_domain}" == "meet"* ]]; then
  510. domain_found=1
  511. fi
  512. if [ ! $domain_found ]; then
  513. dialog --title $"Create a new Let's Encrypt certificate" \
  514. --msgbox $'Domain not found within /var/www' 6 40
  515. return
  516. fi
  517. fi
  518. ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
  519. exit 0
  520. }
  521. function update_ciphersuite {
  522. RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"
  523. if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
  524. return
  525. fi
  526. RECOMMENDED_SSL_PROTOCOLS="$SSL_PROTOCOLS"
  527. if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then
  528. return
  529. fi
  530. RECOMMENDED_SSH_CIPHERS="$SSH_CIPHERS"
  531. if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then
  532. return
  533. fi
  534. RECOMMENDED_SSH_MACS="$SSH_MACS"
  535. if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then
  536. return
  537. fi
  538. RECOMMENDED_SSH_KEX="$SSH_KEX"
  539. if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then
  540. return
  541. fi
  542. cd $WEBSITES_DIRECTORY
  543. for file in `dir -d *` ; do
  544. sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
  545. sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  546. done
  547. systemctl restart nginx
  548. write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"
  549. write_config_param "SSL_CIPHERS" "$RECOMMENDED_SSL_CIPHERS"
  550. sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG
  551. sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG
  552. sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG
  553. systemctl restart ssh
  554. write_config_param "SSH_CIPHERS" "$RECOMMENDED_SSH_CIPHERS"
  555. write_config_param "SSH_MACS" "$RECOMMENDED_SSH_MACS"
  556. write_config_param "SSH_KEX" "$RECOMMENDED_SSH_KEX"
  557. dialog --title $"Update ciphersuite" \
  558. --msgbox $"The ciphersuite has been updated to recommended versions" 6 40
  559. exit 0
  560. }
  561. function gpg_pubkey_from_email {
  562. key_owner_username=$1
  563. key_email_address=$2
  564. key_id=
  565. if [[ $key_owner_username != "root" ]]; then
  566. key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
  567. else
  568. key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
  569. fi
  570. echo $key_id
  571. }
  572. function enable_monkeysphere {
  573. monkey=
  574. dialog --title $"GPG based authentication" \
  575. --backtitle $"Freedombone Security Configuration" \
  576. --defaultno \
  577. --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60
  578. sel=$?
  579. case $sel in
  580. 0) monkey='yes';;
  581. 255) exit 0;;
  582. esac
  583. if [ $monkey ]; then
  584. read_config_param "MY_USERNAME"
  585. if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then
  586. dialog --title $"GPG based authentication" \
  587. --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40
  588. exit 0
  589. fi
  590. MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
  591. if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
  592. echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'
  593. exit 52825
  594. fi
  595. sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
  596. sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config
  597. monkeysphere-authentication update-users
  598. # The admin user is the identity certifier
  599. fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')
  600. monkeysphere-authentication add-identity-certifier $fpr
  601. monkeysphere-host publish-key
  602. send_monkeysphere_server_keys_to_users
  603. else
  604. sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
  605. sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config
  606. fi
  607. systemctl restart ssh
  608. if [ $monkey ]; then
  609. dialog --title $"GPG based authentication" \
  610. --msgbox $"GPG based authentication was enabled" 6 40
  611. else
  612. dialog --title $"GPG based authentication" \
  613. --msgbox $"GPG based authentication was disabled" 6 40
  614. fi
  615. exit 0
  616. }
  617. function register_website {
  618. domain="$1"
  619. if [[ ${domain} == *".local" ]]; then
  620. echo $"Can't register local domains"
  621. return
  622. fi
  623. if [ ! -f /etc/ssl/private/${domain}.key ]; then
  624. echo $"No SSL/TLS private key found for ${domain}"
  625. return
  626. fi
  627. if [ ! -f /etc/nginx/sites-available/${domain} ]; then
  628. echo $"No virtual host found for ${domain}"
  629. return
  630. fi
  631. monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}
  632. monkeysphere-host publish-key
  633. echo "0"
  634. }
  635. function register_website_interactive {
  636. data=$(tempfile 2>/dev/null)
  637. trap "rm -f $data" 0 1 2 5 15
  638. dialog --title $"Register a website with monkeysphere" \
  639. --backtitle $"Freedombone Security Settings" \
  640. --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
  641. sel=$?
  642. case $sel in
  643. 0)
  644. domain=$(<$data)
  645. register_website "$domain"
  646. if [ ! "$?" = "0" ]; then
  647. dialog --title $"Register a website with monkeysphere" \
  648. --msgbox "$?" 6 40
  649. else
  650. dialog --title $"Register a website with monkeysphere" \
  651. --msgbox $"$domain has been registered" 6 40
  652. fi
  653. ;;
  654. esac
  655. }
  656. function pin_all_tls_certs {
  657. ${PROJECT_NAME}-pin-cert all
  658. }
  659. function remove_pinning {
  660. data=$(tempfile 2>/dev/null)
  661. trap "rm -f $data" 0 1 2 5 15
  662. dialog --title $"Remove pinning for a domain" \
  663. --backtitle $"Freedombone Security Settings" \
  664. --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
  665. sel=$?
  666. case $sel in
  667. 0)
  668. domain=$(<$data)
  669. ${PROJECT_NAME}-pin-cert "$domain" remove
  670. if [ ! "$?" = "0" ]; then
  671. dialog --title $"Removed pinning from $domain" \
  672. --msgbox "$?" 6 40
  673. fi
  674. ;;
  675. esac
  676. }
  677. function store_passwords {
  678. dialog --title $"Store Passwords" \
  679. --backtitle $"Freedombone Security Configuration" \
  680. --yesno $"\nDo you wish to store passwords on the system? Stored passwords are convenient but carry some additional security risk." 10 60
  681. sel=$?
  682. case $sel in
  683. 0)
  684. if [ -f /root/.nostore ]; then
  685. read_config_param "MY_USERNAME"
  686. if [ ! -f /home/$MY_USERNAME/.ssh/authorized_keys ]; then
  687. dialog --title $"Store Passwords" \
  688. --msgbox $"\nYou should first enable key based ssh login to improve security" 8 60
  689. return
  690. fi
  691. if [[ $SSH_PASSWORDS == 'yes' ]]; then
  692. dialog --title $"Store Passwords" \
  693. --msgbox $"\nYou should disable ssh passwords to improve security" 8 60
  694. return
  695. fi
  696. ${PROJECT_NAME}-pass --enable yes
  697. dialog --title $"Store Passwords" \
  698. --msgbox $"\nUser passwords will now be stored on the system" 8 60
  699. fi
  700. return
  701. ;;
  702. 1)
  703. ${PROJECT_NAME}-pass --clear yes
  704. dialog --title $"Passwords were removed and will not be stored" \
  705. --msgbox $"\nFor the best security you should now manually change passwords via web interfaces so that there is no possibility of them being recovered from the disk" 9 60
  706. return
  707. ;;
  708. 255) return;;
  709. esac
  710. }
  711. function show_tor_bridges {
  712. clear
  713. bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
  714. if [ ${#bridges_list} -eq 0 ]; then
  715. echo $'No Tor bridges have been added'
  716. return
  717. fi
  718. echo "${bridges_list}"
  719. }
  720. function add_tor_bridge {
  721. data=$(tempfile 2>/dev/null)
  722. trap "rm -f $data" 0 1 2 5 15
  723. dialog --backtitle $"Freedombone Control Panel" \
  724. --title $"Add obfs4 Tor bridge" \
  725. --form "\n" 9 60 4 \
  726. $"IP address: " 1 1 " . . . " 1 17 16 16 \
  727. $"Port: " 2 1 "" 2 17 8 8 \
  728. $"Key/Nickname: " 3 1 "" 3 17 250 250 \
  729. 2> $data
  730. sel=$?
  731. case $sel in
  732. 1) return;;
  733. 255) return;;
  734. esac
  735. bridge_ip_address=$(cat $data | sed -n 1p)
  736. bridge_port=$(cat $data | sed -n 2p)
  737. bridge_key=$(cat $data | sed -n 3p)
  738. if [[ "${bridge_ip_address}" == *" "* ]]; then
  739. return
  740. fi
  741. if [[ "${bridge_ip_address}" != *"."* ]]; then
  742. return
  743. fi
  744. if [ ${#bridge_port} -eq 0 ]; then
  745. return
  746. fi
  747. if [ ${#bridge_key} -eq 0 ]; then
  748. return
  749. fi
  750. tor_add_bridge "${bridge_ip_address}" "${bridge_port}" "${bridge_key}"
  751. dialog --title $"Add obfs4 Tor bridge" \
  752. --msgbox $"Bridge added" 6 40
  753. }
  754. function remove_tor_bridge {
  755. bridge_removed=
  756. data=$(tempfile 2>/dev/null)
  757. trap "rm -f $data" 0 1 2 5 15
  758. dialog --title $"Remove obfs4 Tor bridge" \
  759. --backtitle $"Freedombone Control Panel" \
  760. --inputbox $"Enter the IP address, key or Nickname of the bridge" 8 65 2>$data
  761. sel=$?
  762. case $sel in
  763. 0)
  764. response=$(<$data)
  765. if [ ${#response} -gt 2 ]; then
  766. if [[ "${response}" != *" "* ]]; then
  767. if [[ "${response}" == *"."* ]]; then
  768. if grep "Bridge ${response}" /etc/tor/torrc; then
  769. tor_remove_bridge "${response}"
  770. bridge_removed=1
  771. fi
  772. else
  773. if grep " $response" /etc/tor/torrc; then
  774. tor_remove_bridge "${response}"
  775. bridge_removed=1
  776. fi
  777. fi
  778. fi
  779. fi
  780. ;;
  781. esac
  782. if [ $bridge_removed ]; then
  783. dialog --title $"Remove obfs4 Tor bridge" \
  784. --msgbox $"Bridge removed" 6 40
  785. fi
  786. }
  787. function add_tor_bridge_relay {
  788. read_config_param 'TOR_BRIDGE_NICKNAME'
  789. read_config_param 'TOR_BRIDGE_PORT'
  790. # remove any previous bridge port from the firewall
  791. if [ ${#TOR_BRIDGE_PORT} -gt 0 ]; then
  792. firewall_remove $TOR_BRIDGE_PORT tcp
  793. fi
  794. data=$(tempfile 2>/dev/null)
  795. trap "rm -f $data" 0 1 2 5 15
  796. dialog --backtitle $"Freedombone Control Panel" \
  797. --title $"Become an obfs4 Tor bridge relay" \
  798. --form "\n" 8 60 2 \
  799. $"Bridge Nickname: " 1 1 "$TOR_BRIDGE_NICKNAME" 1 20 250 250 \
  800. 2> $data
  801. sel=$?
  802. case $sel in
  803. 1) return;;
  804. 255) return;;
  805. esac
  806. bridge_nickname=$(cat $data | sed -n 1p)
  807. if [[ "${bridge_nickname}" == *" "* ]]; then
  808. return
  809. fi
  810. if [ ${#bridge_nickname} -eq 0 ]; then
  811. return
  812. fi
  813. TOR_BRIDGE_NICKNAME="$bridge_nickname"
  814. TOR_BRIDGE_PORT=$((20000 + RANDOM % 40000))
  815. write_config_param 'TOR_BRIDGE_NICKNAME' "$TOR_BRIDGE_NICKNAME"
  816. write_config_param 'TOR_BRIDGE_PORT' "$TOR_BRIDGE_PORT"
  817. tor_create_bridge_relay
  818. dialog --title $"You are now an obfs4 Tor bridge relay" \
  819. --msgbox $"\nIP address: $(get_ipv4_address)\n\nPort: ${TOR_BRIDGE_PORT}\n\nNickname: ${TOR_BRIDGE_NICKNAME}" 10 65
  820. }
  821. function remove_tor_bridge_relay {
  822. tor_remove_bridge_relay
  823. dialog --title $"Remove Tor bridge relay" \
  824. --msgbox $"Bridge relay removed" 10 60
  825. }
  826. function menu_tor_bridges {
  827. data=$(tempfile 2>/dev/null)
  828. trap "rm -f $data" 0 1 2 5 15
  829. dialog --backtitle $"Freedombone Control Panel" \
  830. --title $"Tor Bridges" \
  831. --radiolist $"Choose an operation:" 14 50 6 \
  832. 1 $"Show bridges" off \
  833. 2 $"Add a bridge" off \
  834. 3 $"Remove a bridge" off \
  835. 4 $"Make this system into a bridge" off \
  836. 5 $"Stop being a bridge" off \
  837. 6 $"Go Back/Exit" on 2> $data
  838. sel=$?
  839. case $sel in
  840. 1) exit 1;;
  841. 255) exit 1;;
  842. esac
  843. case $(cat $data) in
  844. 1)
  845. show_tor_bridges
  846. exit 0
  847. ;;
  848. 2)
  849. add_tor_bridge
  850. exit 0
  851. ;;
  852. 3)
  853. remove_tor_bridge
  854. exit 0
  855. ;;
  856. 4)
  857. add_tor_bridge_relay
  858. exit 0
  859. ;;
  860. 5)
  861. remove_tor_bridge_relay
  862. exit 0
  863. ;;
  864. 6)
  865. exit 0
  866. ;;
  867. esac
  868. }
  869. function menu_security_settings {
  870. data=$(tempfile 2>/dev/null)
  871. trap "rm -f $data" 0 1 2 5 15
  872. dialog --backtitle $"Freedombone Control Panel" \
  873. --title $"Security Settings" \
  874. --radiolist $"Choose an operation:" 22 76 22 \
  875. 1 $"Run STIG tests" off \
  876. 2 $"Show ssh host public key" off \
  877. 3 $"Tor bridges" off \
  878. 4 $"Password storage" off \
  879. 5 $"Export passwords" off \
  880. 6 $"Regenerate ssh host keys" off \
  881. 7 $"Regenerate Diffie-Hellman keys" off \
  882. 8 $"Update cipersuite" off \
  883. 9 $"Create a new Let's Encrypt certificate" off \
  884. 10 $"Renew Let's Encrypt certificate" off \
  885. 11 $"Delete a Let's Encrypt certificate" off \
  886. 12 $"Enable GPG based authentication (monkeysphere)" off \
  887. 13 $"Register a website with monkeysphere" off \
  888. 14 $"Allow ssh login with passwords" off \
  889. 15 $"Go Back/Exit" on 2> $data
  890. sel=$?
  891. case $sel in
  892. 1) exit 1;;
  893. 255) exit 1;;
  894. esac
  895. clear
  896. read_config_param SSL_CIPHERS
  897. read_config_param SSL_PROTOCOLS
  898. read_config_param SSH_CIPHERS
  899. read_config_param SSH_MACS
  900. read_config_param SSH_KEX
  901. get_imap_settings
  902. get_ssh_settings
  903. get_xmpp_settings
  904. import_settings
  905. export_settings
  906. case $(cat $data) in
  907. 1)
  908. clear
  909. echo $'Running STIG tests...'
  910. echo ''
  911. ${PROJECT_NAME}-tests --stig showall
  912. exit 0
  913. ;;
  914. 2)
  915. dialog --title $"SSH host public keys" \
  916. --msgbox "\n$(get_ssh_server_key)" 12 60
  917. exit 0
  918. ;;
  919. 3)
  920. menu_tor_bridges
  921. exit 0
  922. ;;
  923. 4)
  924. store_passwords
  925. exit 0
  926. ;;
  927. 5)
  928. export_passwords
  929. exit 0
  930. ;;
  931. 6)
  932. regenerate_ssh_host_keys
  933. ;;
  934. 7)
  935. regenerate_dh_keys
  936. ;;
  937. 8)
  938. interactive_setup
  939. update_ciphersuite
  940. ;;
  941. 9)
  942. create_letsencrypt
  943. ;;
  944. 10)
  945. renew_letsencrypt
  946. ;;
  947. 11)
  948. delete_letsencrypt
  949. ;;
  950. 12)
  951. enable_monkeysphere
  952. ;;
  953. 13)
  954. register_website
  955. ;;
  956. 14)
  957. allow_ssh_passwords
  958. change_ssh_settings
  959. exit 0
  960. ;;
  961. 15)
  962. exit 0
  963. ;;
  964. esac
  965. change_website_settings
  966. change_imap_settings
  967. change_ssh_settings
  968. change_xmpp_settings
  969. }
  970. function import_settings {
  971. cd $CURRENT_DIR
  972. if [ ! $IMPORT_FILE ]; then
  973. return
  974. fi
  975. if [ ! -f $IMPORT_FILE ]; then
  976. echo $"Import file $IMPORT_FILE not found"
  977. exit 6393
  978. fi
  979. if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
  980. TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
  981. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  982. SSL_PROTOCOLS=$TEMP_VALUE
  983. fi
  984. fi
  985. if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
  986. TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  987. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  988. SSL_CIPHERS=$TEMP_VALUE
  989. fi
  990. fi
  991. if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
  992. TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  993. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  994. SSH_CIPHERS=$TEMP_VALUE
  995. fi
  996. fi
  997. if grep -q "SSH_MACS" $IMPORT_FILE; then
  998. TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
  999. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  1000. SSH_MACS=$TEMP_VALUE
  1001. fi
  1002. fi
  1003. if grep -q "SSH_KEX" $IMPORT_FILE; then
  1004. TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
  1005. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  1006. SSH_KEX=$TEMP_VALUE
  1007. fi
  1008. fi
  1009. if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
  1010. TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
  1011. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  1012. SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
  1013. fi
  1014. fi
  1015. if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
  1016. TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
  1017. if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
  1018. SSH_PASSWORDS=$TEMP_VALUE
  1019. fi
  1020. fi
  1021. if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
  1022. TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  1023. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  1024. XMPP_CIPHERS=$TEMP_VALUE
  1025. fi
  1026. fi
  1027. if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
  1028. TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
  1029. if [ ${#TEMP_VALUE} -gt 3 ]; then
  1030. XMPP_ECC_CURVE=$TEMP_VALUE
  1031. fi
  1032. fi
  1033. }
  1034. function export_settings {
  1035. if [ ! $EXPORT_FILE ]; then
  1036. return
  1037. fi
  1038. cd $CURRENT_DIR
  1039. if [ ! -f $EXPORT_FILE ]; then
  1040. if [ "$SSL_PROTOCOLS" ]; then
  1041. echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
  1042. fi
  1043. if [ $SSL_CIPHERS ]; then
  1044. echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
  1045. fi
  1046. if [ $SSH_CIPHERS ]; then
  1047. echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
  1048. fi
  1049. if [ $SSH_MACS ]; then
  1050. echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
  1051. fi
  1052. if [ $SSH_KEX ]; then
  1053. echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
  1054. fi
  1055. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  1056. echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
  1057. fi
  1058. if [ $SSH_PASSWORDS ]; then
  1059. echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
  1060. fi
  1061. if [ $XMPP_CIPHERS ]; then
  1062. echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
  1063. fi
  1064. if [ $XMPP_ECC_CURVE ]; then
  1065. echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
  1066. fi
  1067. echo "Security settings exported to $EXPORT_FILE"
  1068. exit 0
  1069. fi
  1070. if [ "$SSL_PROTOCOLS" ]; then
  1071. if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
  1072. sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
  1073. else
  1074. echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
  1075. fi
  1076. fi
  1077. if [ $SSL_CIPHERS ]; then
  1078. if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
  1079. sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
  1080. else
  1081. echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
  1082. fi
  1083. fi
  1084. if [ $SSH_CIPHERS ]; then
  1085. if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
  1086. sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
  1087. else
  1088. echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
  1089. fi
  1090. fi
  1091. if [ $SSH_MACS ]; then
  1092. if grep -q "SSH_MACS" $EXPORT_FILE; then
  1093. sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
  1094. else
  1095. echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
  1096. fi
  1097. fi
  1098. if [ $SSH_KEX ]; then
  1099. if grep -q "SSH_KEX" $EXPORT_FILE; then
  1100. sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
  1101. else
  1102. echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
  1103. fi
  1104. fi
  1105. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  1106. if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
  1107. sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
  1108. else
  1109. echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
  1110. fi
  1111. fi
  1112. if [ $SSH_PASSWORDS ]; then
  1113. if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
  1114. sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
  1115. else
  1116. echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
  1117. fi
  1118. fi
  1119. if [ $XMPP_CIPHERS ]; then
  1120. if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
  1121. sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
  1122. else
  1123. echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
  1124. fi
  1125. fi
  1126. if [ $XMPP_ECC_CURVE ]; then
  1127. if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
  1128. sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
  1129. else
  1130. echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
  1131. fi
  1132. fi
  1133. echo $"Security settings exported to $EXPORT_FILE"
  1134. exit 0
  1135. }
  1136. function refresh_gpg_keys {
  1137. for d in /home/*/ ; do
  1138. USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
  1139. if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
  1140. su -c 'gpg --refresh-keys' - $USERNAME
  1141. fi
  1142. done
  1143. exit 0
  1144. }
  1145. function monkeysphere_sign_server_keys {
  1146. server_keys_file=/home/$USER/.monkeysphere/server_keys
  1147. if [ ! -f $server_keys_file ]; then
  1148. exit 0
  1149. fi
  1150. keys_signed=
  1151. while read line; do
  1152. echo $line
  1153. if [ ${#line} -gt 2 ]; then
  1154. fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')
  1155. if [ ${#fpr} -gt 2 ]; then
  1156. gpg --sign-key $fpr
  1157. if [ "$?" = "0" ]; then
  1158. gpg --update-trustdb
  1159. keys_signed=1
  1160. fi
  1161. fi
  1162. fi
  1163. done <$server_keys_file
  1164. if [ $keys_signed ]; then
  1165. rm $server_keys_file
  1166. fi
  1167. exit 0
  1168. }
  1169. function htmly_hash {
  1170. # produces a hash corresponding to a htmly password
  1171. pass="$1"
  1172. HTMLYHASH_FILENAME=/usr/bin/htmlyhash
  1173. echo '<?php' > $HTMLYHASH_FILENAME
  1174. echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $HTMLYHASH_FILENAME
  1175. echo '$password = $_GET["password"];' >> $HTMLYHASH_FILENAME
  1176. echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $HTMLYHASH_FILENAME
  1177. echo 'if (password_verify($password, $hash)) {' >> $HTMLYHASH_FILENAME
  1178. echo ' echo $hash;' >> $HTMLYHASH_FILENAME
  1179. echo '}' >> $HTMLYHASH_FILENAME
  1180. echo '?>' >> $HTMLYHASH_FILENAME
  1181. php $HTMLYHASH_FILENAME password="$pass"
  1182. }
  1183. function show_help {
  1184. echo ''
  1185. echo "${PROJECT_NAME}-sec"
  1186. echo ''
  1187. echo $'Alters the security settings'
  1188. echo ''
  1189. echo ''
  1190. echo $' -h --help Show help'
  1191. echo $' -e --export Export security settings to a file'
  1192. echo $' -i --import Import security settings from a file'
  1193. echo $' -r --refresh Refresh GPG keys for all users'
  1194. echo $' -s --sign Sign monkeysphere server keys'
  1195. echo $' --register [domain] Register a https domain with monkeysphere'
  1196. echo $' -b --htmlyhash [password] Returns the hash of a password for a htmly blog'
  1197. echo ''
  1198. exit 0
  1199. }
  1200. # Get the commandline options
  1201. while [[ $# > 1 ]]
  1202. do
  1203. key="$1"
  1204. case $key in
  1205. -h|--help)
  1206. show_help
  1207. ;;
  1208. # Export settings
  1209. -e|--export)
  1210. shift
  1211. EXPORT_FILE="$1"
  1212. ;;
  1213. # Export settings
  1214. -i|--import)
  1215. shift
  1216. IMPORT_FILE="$1"
  1217. ;;
  1218. # Refresh GPG keys
  1219. -r|--refresh)
  1220. shift
  1221. refresh_gpg_keys
  1222. ;;
  1223. # register a website
  1224. --register|--reg|--site)
  1225. shift
  1226. register_website "$1"
  1227. ;;
  1228. # user signs monkeysphere server keys
  1229. -s|--sign)
  1230. shift
  1231. monkeysphere_sign_server_keys
  1232. ;;
  1233. # get a hash of the given htmly password
  1234. -b|--htmlyhash)
  1235. shift
  1236. htmly_hash "$1"
  1237. exit 0
  1238. ;;
  1239. *)
  1240. # unknown option
  1241. ;;
  1242. esac
  1243. shift
  1244. done
  1245. menu_security_settings
  1246. exit 0