free
/
freedombone
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
5803 Commits
5 Branches
Tree: cf4e137c25
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cf4e137c25'
${ noResults }
freedombone/src/freedombone-sec

freedombone-sec 38KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Alters the security settings

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. PROJECT_NAME='freedombone'

  32. 

  33. export TEXTDOMAIN=${PROJECT_NAME}-sec

  34. export TEXTDOMAINDIR="/usr/share/locale"

  35. 

  36. CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg

  37. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt

  38. 

  39. UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*

  40. for f in $UTILS_FILES

  41. do

  42.     source $f

  43. done

  44. 

  45. SSL_PROTOCOLS=

  46. SSL_CIPHERS=

  47. SSH_CIPHERS=

  48. SSH_MACS=

  49. SSH_KEX=

  50. SSH_HOST_KEY_ALGORITHMS=

  51. SSH_PASSWORDS=

  52. XMPP_CIPHERS=

  53. XMPP_ECC_CURVE=

  54. 

  55. WEBSITES_DIRECTORY='/etc/nginx/sites-available'

  56. DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'

  57. SSH_CONFIG='/etc/ssh/sshd_config'

  58. XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'

  59. 

  60. MINIMUM_LENGTH=6

  61. 

  62. IMPORT_FILE=

  63. EXPORT_FILE=

  64. 

  65. CURRENT_DIR=$(pwd)

  66. 

  67. DH_KEYLENGTH=2048

  68. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  69. 

  70. MY_USERNAME=

  71. 

  72. function export_passwords {

  73.     detect_usb_drive

  74.     data=$(tempfile 2>/dev/null)

  75.     trap "rm -f $data" 0 1 2 5 15

  76.     dialog --title $"Export passwords to USB drive $USB_DRIVE" \

  77.            --backtitle $"Security Settings" \

  78.            --defaultno \

  79.            --yesno $"\nPlease confirm that you wish to export passwords to a LUKS formatted USB drive. The drive should be plugged in." 10 60

  80.     sel=$?

  81.     case $sel in

  82.         1) return;;

  83.         255) return;;

  84.     esac

  85. 

  86.     data=$(tempfile 2>/dev/null)

  87.     trap "rm -f $data" 0 1 2 5 15

  88.     dialog --title $"Export passwords to USB drive $USB_DRIVE" \

  89.            --backtitle $"Security Settings" \

  90.            --defaultno \

  91.            --yesno $"\nDo you need to format the drive as LUKS encrypted?" 12 60

  92.     sel=$?

  93.     case $sel in

  94.         0) ${PROJECT_NAME}-format $USB_DRIVE;;

  95.     esac

  96. 

  97.     clear

  98.     backup_mount_drive ${USB_DRIVE}

  99.     ${PROJECT_NAME}-pass --export ${USB_MOUNT}/${PROJECT_NAME}-passwords.xml

  100.     backup_unmount_drive ${USB_DRIVE}

  101. }

  102. 

  103. function get_protocols_from_website {

  104.     if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then

  105.         return

  106.     fi

  107.     SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')

  108. }

  109. 

  110. function get_ciphers_from_website {

  111.     if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then

  112.         return

  113.     fi

  114.     SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')

  115. }

  116. 

  117. function get_imap_settings {

  118.     if [ ! -f $DOVECOT_CIPHERS ]; then

  119.         return

  120.     fi

  121.     # clear commented out cipher list

  122.     sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS

  123.     if [ $SSL_CIPHERS ]; then

  124.         return

  125.     fi

  126.     if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then

  127.         return

  128.     fi

  129.     SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')

  130. }

  131. 

  132. function get_xmpp_settings {

  133.     if [ ! -f $XMPP_CONFIG ]; then

  134.         return

  135.     fi

  136.     XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  137.     XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  138. }

  139. 

  140. function get_ssh_settings {

  141.     if [ -f $SSH_CONFIG ]; then

  142.         SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')

  143.     fi

  144.     if [ -f /etc/ssh/ssh_config ]; then

  145.         SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')

  146.     fi

  147. }

  148. 

  149. function change_website_settings {

  150.     if [ ! "$SSL_PROTOCOLS" ]; then

  151.         return

  152.     fi

  153.     if [ ! $SSL_CIPHERS ]; then

  154.         return

  155.     fi

  156.     if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then

  157.         return

  158.     fi

  159.     if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then

  160.         return

  161.     fi

  162.     if [ ! -d $WEBSITES_DIRECTORY ]; then

  163.         return

  164.     fi

  165. 

  166.     cd $WEBSITES_DIRECTORY

  167.     for file in `dir -d *` ; do

  168.         sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file

  169.         sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file

  170.     done

  171.     systemctl restart nginx

  172.     echo $'Web security settings changed'

  173. }

  174. 

  175. function change_imap_settings {

  176.     if [ ! -f $DOVECOT_CIPHERS ]; then

  177.         return

  178.     fi

  179.     if [ ! $SSL_CIPHERS ]; then

  180.         return

  181.     fi

  182.     if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then

  183.         return

  184.     fi

  185.     sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS

  186.     sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS

  187.     systemctl restart dovecot

  188.     echo $'imap security settings changed'

  189. }

  190. 

  191. function change_ssh_settings {

  192.     if [ -f /etc/ssh/ssh_config ]; then

  193.         if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  194.             sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config

  195.             echo $'ssh client security settings changed'

  196.         fi

  197.     fi

  198.     if [ -f $SSH_CONFIG ]; then

  199.         if [ ! $SSH_CIPHERS ]; then

  200.             return

  201.         fi

  202.         if [ ! $SSH_MACS ]; then

  203.             return

  204.         fi

  205.         if [ ! $SSH_KEX ]; then

  206.             return

  207.         fi

  208.         if [ ! $SSH_PASSWORDS ]; then

  209.             SSH_PASSWORDS='yes'

  210.         fi

  211. 

  212.         sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG

  213.         sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG

  214.         sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG

  215.         sed -i "s|#PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG

  216.         sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG

  217.         systemctl restart ssh

  218.         echo $'ssh server security settings changed'

  219.     fi

  220. }

  221. 

  222. function change_xmpp_settings {

  223.     if [ ! -f $XMPP_CONFIG ]; then

  224.         return

  225.     fi

  226.     if [ ! $XMPP_CIPHERS ]; then

  227.         return

  228.     fi

  229.     if [ ! $XMPP_ECC_CURVE ]; then

  230.         return

  231.     fi

  232.     sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG

  233.     sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG

  234.     systemctl restart prosody

  235.     echo $'xmpp security settings changed'

  236. }

  237. 

  238. function allow_ssh_passwords {

  239.     dialog --title $"SSH Passwords" \

  240.            --backtitle $"Freedombone Security Configuration" \

  241.            --yesno $"\nAllow SSH login using passwords?" 7 60

  242.     sel=$?

  243.     case $sel in

  244.         0) SSH_PASSWORDS="yes";;

  245.         1) SSH_PASSWORDS="no";;

  246.         255) exit 0;;

  247.     esac

  248. }

  249. 

  250. function interactive_setup {

  251.     if [ $SSL_CIPHERS ]; then

  252.         data=$(tempfile 2>/dev/null)

  253.         trap "rm -f $data" 0 1 2 5 15

  254.         dialog --backtitle $"Freedombone Security Configuration" \

  255.                --form $"\nWeb/IMAP Ciphers:" 10 95 2 \

  256.                $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \

  257.                $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \

  258.                2> $data

  259.         sel=$?

  260.         case $sel in

  261.             1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)

  262.                SSL_CIPHERS=$(cat $data | sed -n 2p)

  263.                ;;

  264.             255) exit 0;;

  265.         esac

  266.     fi

  267. 

  268.     data=$(tempfile 2>/dev/null)

  269.     trap "rm -f $data" 0 1 2 5 15

  270.     if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  271.         dialog --backtitle $"Freedombone Security Configuration" \

  272.                --form $"\nSecure Shell Ciphers:" 13 95 4 \

  273.                $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \

  274.                $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \

  275.                $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \

  276.                $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \

  277.                2> $data

  278.         sel=$?

  279.         case $sel in

  280.             1) SSH_CIPHERS=$(cat $data | sed -n 1p)

  281.                SSH_MACS=$(cat $data | sed -n 2p)

  282.                SSH_KEX=$(cat $data | sed -n 3p)

  283.                SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)

  284.                ;;

  285.             255) exit 0;;

  286.         esac

  287.     else

  288.         dialog --backtitle $"Freedombone Security Configuration" \

  289.                --form $"\nSecure Shell Ciphers:" 11 95 3 \

  290.                $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \

  291.                $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \

  292.                $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \

  293.                2> $data

  294.         sel=$?

  295.         case $sel in

  296.             1) SSH_CIPHERS=$(cat $data | sed -n 1p)

  297.                SSH_MACS=$(cat $data | sed -n 2p)

  298.                SSH_KEX=$(cat $data | sed -n 3p)

  299.                ;;

  300.             255) exit 0;;

  301.         esac

  302.     fi

  303. 

  304.     if [ $XMPP_CIPHERS ]; then

  305.         data=$(tempfile 2>/dev/null)

  306.         trap "rm -f $data" 0 1 2 5 15

  307.         dialog --backtitle $"Freedombone Security Configuration" \

  308.                --form $"\nXMPP Ciphers:" 10 95 2 \

  309.                $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \

  310.                $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \

  311.                2> $data

  312.         sel=$?

  313.         case $sel in

  314.             1) XMPP_CIPHERS=$(cat $data | sed -n 1p)

  315.                XMPP_ECC_CURVE=$(cat $data | sed -n 2p)

  316.                ;;

  317.             255) exit 0;;

  318.         esac

  319.     fi

  320. 

  321.     dialog --title $"Final Confirmation" \

  322.            --backtitle $"Freedombone Security Configuration" \

  323.            --defaultno \

  324.            --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60

  325.     sel=$?

  326.     case $sel in

  327.         1) clear

  328.            echo $'Exiting without changing security settings'

  329.            exit 0;;

  330.         255) clear

  331.              echo $'Exiting without changing security settings'

  332.              exit 0;;

  333.     esac

  334. 

  335.     clear

  336. }

  337. 

  338. function send_monkeysphere_server_keys_to_users {

  339.     monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')

  340.     for d in /home/*/ ; do

  341.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  342.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  343.             if [ ! -d /home/$USERNAME/.monkeysphere ]; then

  344.                 mkdir /home/$USERNAME/.monkeysphere

  345.             fi

  346.             echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys

  347.             chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere

  348.         fi

  349.     done

  350. }

  351. 

  352. function regenerate_ssh_host_keys {

  353.     rm -f /etc/ssh/ssh_host_*

  354.     dpkg-reconfigure openssh-server

  355.     echo $'ssh host keys regenerated'

  356.     # remove small moduli

  357.     awk '$5 > 2000' /etc/ssh/moduli > ~/moduli

  358.     mv ~/moduli /etc/ssh/moduli

  359.     echo $'ssh small moduli removed'

  360.     # update monkeysphere

  361.     DEFAULT_DOMAIN_NAME=

  362.     read_config_param "DEFAULT_DOMAIN_NAME"

  363.     monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME

  364.     SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')

  365.     monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME

  366.     monkeysphere-host publish-key

  367.     send_monkeysphere_server_keys_to_users

  368.     echo $'updated monkeysphere ssh host key'

  369.     systemctl restart ssh

  370. }

  371. 

  372. function regenerate_dh_keys {

  373.     if [ ! -d /etc/ssl/mycerts ]; then

  374.         echo $'No dhparam certificates were found'

  375.         return

  376.     fi

  377. 

  378.     data=$(tempfile 2>/dev/null)

  379.     trap "rm -f $data" 0 1 2 5 15

  380.     dialog --backtitle "Freedombone Security Configuration" \

  381.            --title "Diffie-Hellman key length" \

  382.            --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \

  383.            1 "2048 bits" off \

  384.            2 "3072 bits" on \

  385.            3 "4096 bits" off 2> $data

  386.     sel=$?

  387.     case $sel in

  388.         1) exit 1;;

  389.         255) exit 1;;

  390.     esac

  391.     case $(cat $data) in

  392.         1) DH_KEYLENGTH=2048;;

  393.         2) DH_KEYLENGTH=3072;;

  394.         3) DH_KEYLENGTH=4096;;

  395.     esac

  396. 

  397.     ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}

  398. }

  399. 

  400. function renew_startssl {

  401.     renew_domain=

  402.     data=$(tempfile 2>/dev/null)

  403.     trap "rm -f $data" 0 1 2 5 15

  404.     dialog --title $"Renew a StartSSL certificate" \

  405.            --backtitle $"Freedombone Security Settings" \

  406.            --inputbox $"Enter the domain name" 8 60 2>$data

  407.     sel=$?

  408.     case $sel in

  409.         0)

  410.             renew_domain=$(<$data)

  411.             ;;

  412.     esac

  413. 

  414.     if [ ! $renew_domain ]; then

  415.         return

  416.     fi

  417. 

  418.     if [[ $renew_domain == "http"* ]]; then

  419.         dialog --title $"Renew a StartSSL certificate" \

  420.                --msgbox $"Don't include the https://" 6 40

  421.         return

  422.     fi

  423. 

  424.     if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then

  425.         dialog --title $"Renew a StartSSL certificate" \

  426.                --msgbox $"An existing certificate for $renew_domain was not found" 6 40

  427.         return

  428.     fi

  429. 

  430.     if [[ $renew_domain != *"."* ]]; then

  431.         dialog --title $"Renew a StartSSL certificate" \

  432.                --msgbox $"Invalid domain name: $renew_domain" 6 40

  433.         return

  434.     fi

  435. 

  436.     ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl

  437. 

  438.     exit 0

  439. }

  440. 

  441. function renew_letsencrypt {

  442.     renew_domain=

  443.     data=$(tempfile 2>/dev/null)

  444.     trap "rm -f $data" 0 1 2 5 15

  445.     dialog --title $"Renew a Let's Encrypt certificate" \

  446.            --backtitle $"Freedombone Security Settings" \

  447.            --inputbox $"Enter the domain name" 8 60 2>$data

  448.     sel=$?

  449.     case $sel in

  450.         0)

  451.             renew_domain=$(<$data)

  452.             ;;

  453.     esac

  454. 

  455.     if [ ! $renew_domain ]; then

  456.         return

  457.     fi

  458. 

  459.     if [[ $renew_domain == "http"* ]]; then

  460.         dialog --title $"Renew a Let's Encrypt certificate" \

  461.                --msgbox $"Don't include the https://" 6 40

  462.         return

  463.     fi

  464. 

  465.     if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then

  466.         dialog --title $"Renew a Let's Encrypt certificate" \

  467.                --msgbox $"An existing certificate for $renew_domain was not found" 6 40

  468.         return

  469.     fi

  470. 

  471.     if [[ $renew_domain != *"."* ]]; then

  472.         dialog --title $"Renew a Let's Encrypt certificate" \

  473.                --msgbox $"Invalid domain name: $renew_domain" 6 40

  474.         return

  475.     fi

  476. 

  477.     ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'

  478. 

  479.     exit 0

  480. }

  481. 

  482. function create_letsencrypt {

  483.     new_domain=

  484.     data=$(tempfile 2>/dev/null)

  485.     trap "rm -f $data" 0 1 2 5 15

  486.     dialog --title $"Create a new Let's Encrypt certificate" \

  487.            --backtitle $"Freedombone Security Settings" \

  488.            --inputbox $"Enter the domain name" 8 60 2>$data

  489.     sel=$?

  490.     case $sel in

  491.         0)

  492.             new_domain=$(<$data)

  493.             ;;

  494.     esac

  495. 

  496.     if [ ! $new_domain ]; then

  497.         return

  498.     fi

  499. 

  500.     if [[ $new_domain == "http"* ]]; then

  501.         dialog --title $"Create a new Let's Encrypt certificate" \

  502.                --msgbox $"Don't include the https://" 6 40

  503.         return

  504.     fi

  505. 

  506.     if [[ $new_domain != *"."* ]]; then

  507.         dialog --title $"Create a new Let's Encrypt certificate" \

  508.                --msgbox $"Invalid domain name: $new_domain" 6 40

  509.         return

  510.     fi

  511. 

  512.     if [ ! -d /var/www/${new_domain} ]; then

  513.         domain_found=

  514.         if [ -f /etc/nginx/sites-available/radicale ]; then

  515.             if grep "${new_domain}" /etc/nginx/sites-available/radicale; then

  516.                 domain_found=1

  517.             fi

  518.         fi

  519.         if [ -f /etc/nginx/sites-available/${new_domain} ]; then

  520.             domain_found=1

  521.         fi

  522.         if [[ "${new_domain}" == "jitsi"* || "${new_domain}" == "meet"* ]]; then

  523.             domain_found=1

  524.         fi

  525.         if [ ! $domain_found ]; then

  526.             dialog --title $"Create a new Let's Encrypt certificate" \

  527.                    --msgbox $'Domain not found within /var/www' 6 40

  528.             return

  529.         fi

  530.     fi

  531. 

  532.     ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH

  533. 

  534.     exit 0

  535. }

  536. 

  537. function update_ciphersuite {

  538.     RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"

  539.     if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then

  540.         return

  541.     fi

  542. 

  543.     RECOMMENDED_SSL_PROTOCOLS="$SSL_PROTOCOLS"

  544.     if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then

  545.         return

  546.     fi

  547. 

  548.     RECOMMENDED_SSH_CIPHERS="$SSH_CIPHERS"

  549.     if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then

  550.         return

  551.     fi

  552. 

  553.     RECOMMENDED_SSH_MACS="$SSH_MACS"

  554.     if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then

  555.         return

  556.     fi

  557. 

  558.     RECOMMENDED_SSH_KEX="$SSH_KEX"

  559.     if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then

  560.         return

  561.     fi

  562. 

  563.     cd $WEBSITES_DIRECTORY

  564.     for file in `dir -d *` ; do

  565.         sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file

  566.         sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file

  567.     done

  568.     systemctl restart nginx

  569.     write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"

  570.     write_config_param "SSL_CIPHERS" "$RECOMMENDED_SSL_CIPHERS"

  571. 

  572.     sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG

  573.     sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG

  574.     sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG

  575.     systemctl restart ssh

  576. 

  577.     write_config_param "SSH_CIPHERS" "$RECOMMENDED_SSH_CIPHERS"

  578.     write_config_param "SSH_MACS" "$RECOMMENDED_SSH_MACS"

  579.     write_config_param "SSH_KEX" "$RECOMMENDED_SSH_KEX"

  580. 

  581.     dialog --title $"Update ciphersuite" \

  582.            --msgbox $"The ciphersuite has been updated to recommended versions" 6 40

  583.     exit 0

  584. }

  585. 

  586. function gpg_pubkey_from_email {

  587.     key_owner_username=$1

  588.     key_email_address=$2

  589.     key_id=

  590.     if [[ $key_owner_username != "root" ]]; then

  591.         key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')

  592.     else

  593.         key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')

  594.     fi

  595.     echo $key_id

  596. }

  597. 

  598. function enable_monkeysphere {

  599.     monkey=

  600.     dialog --title $"GPG based authentication" \

  601.            --backtitle $"Freedombone Security Configuration" \

  602.            --defaultno \

  603.            --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60

  604.     sel=$?

  605.     case $sel in

  606.         0) monkey='yes';;

  607.         255) exit 0;;

  608.     esac

  609. 

  610.     if [ $monkey ]; then

  611.         read_config_param "MY_USERNAME"

  612. 

  613.         if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then

  614.             dialog --title $"GPG based authentication" \

  615.                    --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40

  616.             exit 0

  617.         fi

  618. 

  619.         MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")

  620.         if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then

  621.             echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'

  622.             exit 52825

  623.         fi

  624. 

  625.         sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config

  626.         sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config

  627.         monkeysphere-authentication update-users

  628. 

  629.         # The admin user is the identity certifier

  630.         fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')

  631.         monkeysphere-authentication add-identity-certifier $fpr

  632.         monkeysphere-host publish-key

  633.         send_monkeysphere_server_keys_to_users

  634.     else

  635.         sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config

  636.         sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config

  637.     fi

  638. 

  639.     systemctl restart ssh

  640. 

  641.     if [ $monkey ]; then

  642.         dialog --title $"GPG based authentication" \

  643.                --msgbox $"GPG based authentication was enabled" 6 40

  644.     else

  645.         dialog --title $"GPG based authentication" \

  646.                --msgbox $"GPG based authentication was disabled" 6 40

  647.     fi

  648.     exit 0

  649. }

  650. 

  651. function register_website {

  652.     domain="$1"

  653. 

  654.     if [[ ${domain} == *".local" ]]; then

  655.         echo $"Can't register local domains"

  656.         return

  657.     fi

  658. 

  659.     if [ ! -f /etc/ssl/private/${domain}.key ]; then

  660.         echo $"No SSL/TLS private key found for ${domain}"

  661.         return

  662.     fi

  663. 

  664.     if [ ! -f /etc/nginx/sites-available/${domain} ]; then

  665.         echo $"No virtual host found for ${domain}"

  666.         return

  667.     fi

  668. 

  669.     monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}

  670.     monkeysphere-host publish-key

  671.     echo "0"

  672. }

  673. 

  674. function register_website_interactive {

  675.     data=$(tempfile 2>/dev/null)

  676.     trap "rm -f $data" 0 1 2 5 15

  677.     dialog --title $"Register a website with monkeysphere" \

  678.            --backtitle $"Freedombone Security Settings" \

  679.            --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data

  680.     sel=$?

  681.     case $sel in

  682.         0)

  683.             domain=$(<$data)

  684.             register_website "$domain"

  685.             if [ ! "$?" = "0" ]; then

  686.                 dialog --title $"Register a website with monkeysphere" \

  687.                        --msgbox "$?" 6 40

  688.             else

  689.                 dialog --title $"Register a website with monkeysphere" \

  690.                        --msgbox $"$domain has been registered" 6 40

  691.             fi

  692.             ;;

  693.     esac

  694. }

  695. 

  696. function pin_all_tls_certs {

  697.     ${PROJECT_NAME}-pin-cert all

  698. }

  699. 

  700. function remove_pinning {

  701.     data=$(tempfile 2>/dev/null)

  702.     trap "rm -f $data" 0 1 2 5 15

  703.     dialog --title $"Remove pinning for a domain" \

  704.            --backtitle $"Freedombone Security Settings" \

  705.            --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data

  706.     sel=$?

  707.     case $sel in

  708.         0)

  709.             domain=$(<$data)

  710.             ${PROJECT_NAME}-pin-cert "$domain" remove

  711.             if [ ! "$?" = "0" ]; then

  712.                 dialog --title $"Removed pinning from $domain" \

  713.                        --msgbox "$?" 6 40

  714.             fi

  715.             ;;

  716.     esac

  717. }

  718. 

  719. function store_passwords {

  720.     dialog --title $"Store Passwords" \

  721.            --backtitle $"Freedombone Security Configuration" \

  722.            --yesno $"\nDo you wish to store passwords on the system? Stored passwords are convenient but carry some additional security risk." 10 60

  723.     sel=$?

  724.     case $sel in

  725.         0)

  726.             if [ -f /root/.nostore ]; then

  727.                 read_config_param "MY_USERNAME"

  728.                 if [ ! -f /home/$MY_USERNAME/.ssh/authorized_keys ]; then

  729.                     dialog --title $"Store Passwords" \

  730.                            --msgbox $"\nYou should first enable key based ssh login to improve security" 8 60

  731.                     return

  732.                 fi

  733.                 if [[ $SSH_PASSWORDS == 'yes' ]]; then

  734.                     dialog --title $"Store Passwords" \

  735.                            --msgbox $"\nYou should disable ssh passwords to improve security" 8 60

  736.                     return

  737.                 fi

  738.                 ${PROJECT_NAME}-pass --enable yes

  739.                 dialog --title $"Store Passwords" \

  740.                        --msgbox $"\nUser passwords will now be stored on the system" 8 60

  741.             fi

  742.             return

  743.             ;;

  744.         1)

  745.             ${PROJECT_NAME}-pass --clear yes

  746.             dialog --title $"Passwords were removed and will not be stored" \

  747.                    --msgbox $"\nFor the best security you should now manually change passwords via web interfaces so that there is no possibility of them being recovered from the disk" 9 60

  748.             return

  749.             ;;

  750.         255) return;;

  751.     esac

  752. }

  753. 

  754. function show_tor_bridges {

  755.     clear

  756.     bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')

  757.     if [ ${#bridges_list} -eq 0 ]; then

  758.         echo $'No Tor bridges have been added'

  759.         return

  760.     fi

  761.     echo "${bridges_list}"

  762. }

  763. 

  764. function add_tor_bridge {

  765.     data=$(tempfile 2>/dev/null)

  766.     trap "rm -f $data" 0 1 2 5 15

  767.     dialog --backtitle $"Freedombone Control Panel" \

  768.            --title $"Add obfs4 Tor bridge" \

  769.            --form "\n" 9 60 4 \

  770.            $"IP address:" 1 1 "   .   .   .   " 1 15 16 16 \

  771.            $"Port:      " 2 1 "" 2 15 5 5 \

  772.            $"Key:       " 3 1 "" 3 15 250 250 \

  773.            2> $data

  774.     sel=$?

  775.     case $sel in

  776.         1) return;;

  777.         255) return;;

  778.     esac

  779.     bridge_ip_address=$(cat $data | sed -n 1p)

  780.     bridge_port=$(cat $data | sed -n 2p)

  781.     bridge_key=$(cat $data | sed -n 3p)

  782.     if [[ "${bridge_ip_address}" == *" "* ]]; then

  783.         return

  784.     fi

  785.     if [[ "${bridge_ip_address}" != *"."* ]]; then

  786.         return

  787.     fi

  788.     if [ ${#bridge_port} -eq 0 ]; then

  789.         return

  790.     fi

  791.     if [ ${#bridge_key} -eq 0 ]; then

  792.         return

  793.     fi

  794.     tor_add_bridge "${bridge_ip_address}" "${bridge_port}" "${bridge_key}"

  795.     dialog --title $"Add obfs4 Tor bridge" \

  796.            --msgbox $"Bridge added" 6 40

  797. }

  798. 

  799. function remove_tor_bridge {

  800.     data=$(tempfile 2>/dev/null)

  801.     trap "rm -f $data" 0 1 2 5 15

  802.     dialog --backtitle $"Freedombone Control Panel" \

  803.            --title $"Remove obfs4 Tor bridge" \

  804.            --form "\n" 7 60 1 \

  805.            $"IP address:" 1 1 "   .   .   .   " 1 15 16 16 \

  806.            2> $data

  807.     sel=$?

  808.     case $sel in

  809.         1) return;;

  810.         255) return;;

  811.     esac

  812.     bridge_ip_address=$(cat $data | sed -n 1p)

  813.     if [[ "${bridge_ip_address}" == *" "* ]]; then

  814.         return

  815.     fi

  816.     if [[ "${bridge_ip_address}" != *"."* ]]; then

  817.         return

  818.     fi

  819.     tor_remove_bridge "${bridge_ip_address}"

  820.     dialog --title $"Remove obfs4 Tor bridge" \

  821.            --msgbox $"Bridge removed" 6 40

  822. }

  823. 

  824. function menu_tor_bridges {

  825.     data=$(tempfile 2>/dev/null)

  826.     trap "rm -f $data" 0 1 2 5 15

  827.     dialog --backtitle $"Freedombone Control Panel" \

  828.            --title $"Tor Bridges" \

  829.            --radiolist $"Choose an operation:" 12 50 4 \

  830.            1 $"Show bridges" off \

  831.            2 $"Add a bridge" off \

  832.            3 $"Remove a bridge" off \

  833.            4 $"Go Back/Exit" on 2> $data

  834.     sel=$?

  835.     case $sel in

  836.         1) exit 1;;

  837.         255) exit 1;;

  838.     esac

  839. 

  840.     case $(cat $data) in

  841.         1)

  842.             show_tor_bridges

  843.             exit 0

  844.             ;;

  845.         2)

  846.             add_tor_bridge

  847.             exit 0

  848.             ;;

  849.         3)

  850.             remove_tor_bridge

  851.             exit 0

  852.             ;;

  853.         4)

  854.             exit 0

  855.             ;;

  856.     esac

  857. }

  858. 

  859. function menu_security_settings {

  860.     data=$(tempfile 2>/dev/null)

  861.     trap "rm -f $data" 0 1 2 5 15

  862.     dialog --backtitle $"Freedombone Control Panel" \

  863.            --title $"Security Settings" \

  864.            --radiolist $"Choose an operation:" 21 76 21 \

  865.            1 $"Run STIG tests" off \

  866.            2 $"Show ssh host public key" off \

  867.            3 $"Tor bridges" off \

  868.            4 $"Password storage" off \

  869.            5 $"Export passwords" off \

  870.            6 $"Regenerate ssh host keys" off \

  871.            7 $"Regenerate Diffie-Hellman keys" off \

  872.            8 $"Update cipersuite" off \

  873.            9 $"Create a new Let's Encrypt certificate" off \

  874.            10 $"Renew Let's Encrypt certificate" off \

  875.            11 $"Enable GPG based authentication (monkeysphere)" off \

  876.            12 $"Register a website with monkeysphere" off \

  877.            13 $"Allow ssh login with passwords" off \

  878.            14 $"Go Back/Exit" on 2> $data

  879.     sel=$?

  880.     case $sel in

  881.         1) exit 1;;

  882.         255) exit 1;;

  883.     esac

  884. 

  885.     clear

  886. 

  887.     read_config_param SSL_CIPHERS

  888.     read_config_param SSL_PROTOCOLS

  889.     read_config_param SSH_CIPHERS

  890.     read_config_param SSH_MACS

  891.     read_config_param SSH_KEX

  892. 

  893.     get_imap_settings

  894.     get_ssh_settings

  895.     get_xmpp_settings

  896.     import_settings

  897.     export_settings

  898. 

  899.     case $(cat $data) in

  900.         1)

  901.             clear

  902.             echo $'Running STIG tests...'

  903.             echo ''

  904.             ${PROJECT_NAME}-tests --stig showall

  905.             exit 0

  906.             ;;

  907.         2)

  908.             dialog --title $"SSH host public keys" \

  909.                    --msgbox "\n$(get_ssh_server_key)" 12 60

  910.             exit 0

  911.             ;;

  912.         3)

  913.             menu_tor_bridges

  914.             exit 0

  915.             ;;

  916.         4)

  917.             store_passwords

  918.             exit 0

  919.             ;;

  920.         5)

  921.             export_passwords

  922.             exit 0

  923.             ;;

  924.         6)

  925.             regenerate_ssh_host_keys

  926.             ;;

  927.         7)

  928.             regenerate_dh_keys

  929.             ;;

  930.         8)

  931.             interactive_setup

  932.             update_ciphersuite

  933.             ;;

  934.         9)

  935.             create_letsencrypt

  936.             ;;

  937.         10)

  938.             renew_letsencrypt

  939.             ;;

  940.         11)

  941.             enable_monkeysphere

  942.             ;;

  943.         12)

  944.             register_website

  945.             ;;

  946.         13)

  947.             allow_ssh_passwords

  948.             change_ssh_settings

  949.             exit 0

  950.             ;;

  951.         14)

  952.             exit 0

  953.             ;;

  954.     esac

  955. 

  956.     change_website_settings

  957.     change_imap_settings

  958.     change_ssh_settings

  959.     change_xmpp_settings

  960. }

  961. 

  962. function import_settings {

  963.     cd $CURRENT_DIR

  964. 

  965.     if [ ! $IMPORT_FILE ]; then

  966.         return

  967.     fi

  968. 

  969.     if [ ! -f $IMPORT_FILE ]; then

  970.         echo $"Import file $IMPORT_FILE not found"

  971.         exit 6393

  972.     fi

  973. 

  974.     if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then

  975.         TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')

  976.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  977.             SSL_PROTOCOLS=$TEMP_VALUE

  978.         fi

  979.     fi

  980.     if grep -q "SSL_CIPHERS" $IMPORT_FILE; then

  981.         TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  982.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  983.             SSL_CIPHERS=$TEMP_VALUE

  984.         fi

  985.     fi

  986.     if grep -q "SSH_CIPHERS" $IMPORT_FILE; then

  987.         TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  988.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  989.             SSH_CIPHERS=$TEMP_VALUE

  990.         fi

  991.     fi

  992.     if grep -q "SSH_MACS" $IMPORT_FILE; then

  993.         TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')

  994.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  995.             SSH_MACS=$TEMP_VALUE

  996.         fi

  997.     fi

  998.     if grep -q "SSH_KEX" $IMPORT_FILE; then

  999.         TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')

  1000.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1001.             SSH_KEX=$TEMP_VALUE

  1002.         fi

  1003.     fi

  1004.     if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then

  1005.         TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1006.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1007.             SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE

  1008.         fi

  1009.     fi

  1010.     if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then

  1011.         TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1012.         if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then

  1013.             SSH_PASSWORDS=$TEMP_VALUE

  1014.         fi

  1015.     fi

  1016.     if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then

  1017.         TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  1018.         if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  1019.             XMPP_CIPHERS=$TEMP_VALUE

  1020.         fi

  1021.     fi

  1022.     if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then

  1023.         TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')

  1024.         if [ ${#TEMP_VALUE} -gt 3 ]; then

  1025.             XMPP_ECC_CURVE=$TEMP_VALUE

  1026.         fi

  1027.     fi

  1028. }

  1029. 

  1030. function export_settings {

  1031.     if [ ! $EXPORT_FILE ]; then

  1032.         return

  1033.     fi

  1034. 

  1035.     cd $CURRENT_DIR

  1036. 

  1037.     if [ ! -f $EXPORT_FILE ]; then

  1038.         if [ "$SSL_PROTOCOLS" ]; then

  1039.             echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE

  1040.         fi

  1041.         if [ $SSL_CIPHERS ]; then

  1042.             echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE

  1043.         fi

  1044.         if [ $SSH_CIPHERS ]; then

  1045.             echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE

  1046.         fi

  1047.         if [ $SSH_MACS ]; then

  1048.             echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE

  1049.         fi

  1050.         if [ $SSH_KEX ]; then

  1051.             echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE

  1052.         fi

  1053.         if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  1054.             echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE

  1055.         fi

  1056.         if [ $SSH_PASSWORDS ]; then

  1057.             echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE

  1058.         fi

  1059.         if [ $XMPP_CIPHERS ]; then

  1060.             echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE

  1061.         fi

  1062.         if [ $XMPP_ECC_CURVE ]; then

  1063.             echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE

  1064.         fi

  1065.         echo "Security settings exported to $EXPORT_FILE"

  1066.         exit 0

  1067.     fi

  1068. 

  1069.     if [ "$SSL_PROTOCOLS" ]; then

  1070.         if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then

  1071.             sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE

  1072.         else

  1073.             echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE

  1074.         fi

  1075.     fi

  1076.     if [ $SSL_CIPHERS ]; then

  1077.         if grep -q "SSL_CIPHERS" $EXPORT_FILE; then

  1078.             sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE

  1079.         else

  1080.             echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE

  1081.         fi

  1082.     fi

  1083.     if [ $SSH_CIPHERS ]; then

  1084.         if grep -q "SSH_CIPHERS" $EXPORT_FILE; then

  1085.             sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE

  1086.         else

  1087.             echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE

  1088.         fi

  1089.     fi

  1090.     if [ $SSH_MACS ]; then

  1091.         if grep -q "SSH_MACS" $EXPORT_FILE; then

  1092.             sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE

  1093.         else

  1094.             echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE

  1095.         fi

  1096.     fi

  1097.     if [ $SSH_KEX ]; then

  1098.         if grep -q "SSH_KEX" $EXPORT_FILE; then

  1099.             sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE

  1100.         else

  1101.             echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE

  1102.         fi

  1103.     fi

  1104.     if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  1105.         if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then

  1106.             sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE

  1107.         else

  1108.             echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE

  1109.         fi

  1110.     fi

  1111.     if [ $SSH_PASSWORDS ]; then

  1112.         if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then

  1113.             sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE

  1114.         else

  1115.             echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE

  1116.         fi

  1117.     fi

  1118.     if [ $XMPP_CIPHERS ]; then

  1119.         if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then

  1120.             sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE

  1121.         else

  1122.             echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE

  1123.         fi

  1124.     fi

  1125.     if [ $XMPP_ECC_CURVE ]; then

  1126.         if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then

  1127.             sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE

  1128.         else

  1129.             echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE

  1130.         fi

  1131.     fi

  1132.     echo $"Security settings exported to $EXPORT_FILE"

  1133.     exit 0

  1134. }

  1135. 

  1136. function refresh_gpg_keys {

  1137.     for d in /home/*/ ; do

  1138.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  1139.         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then

  1140.             su -c 'gpg --refresh-keys' - $USERNAME

  1141.         fi

  1142.     done

  1143.     exit 0

  1144. }

  1145. 

  1146. function monkeysphere_sign_server_keys {

  1147.     server_keys_file=/home/$USER/.monkeysphere/server_keys

  1148.     if [ ! -f $server_keys_file ]; then

  1149.         exit 0

  1150.     fi

  1151. 

  1152.     keys_signed=

  1153.     while read line; do

  1154.         echo $line

  1155.         if [ ${#line} -gt 2 ]; then

  1156.             fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')

  1157.             if [ ${#fpr} -gt 2 ]; then

  1158.                 gpg --sign-key $fpr

  1159.                 if [ "$?" = "0" ]; then

  1160.                     gpg --update-trustdb

  1161.                     keys_signed=1

  1162.                 fi

  1163.             fi

  1164.         fi

  1165.     done <$server_keys_file

  1166. 

  1167.     if [ $keys_signed ]; then

  1168.         rm $server_keys_file

  1169.     fi

  1170.     exit 0

  1171. }

  1172. 

  1173. function htmly_hash {

  1174.     # produces a hash corresponding to a htmly password

  1175.     pass="$1"

  1176.     HTMLYHASH_FILENAME=/usr/bin/htmlyhash

  1177. 

  1178.     echo '<?php' > $HTMLYHASH_FILENAME

  1179.     echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $HTMLYHASH_FILENAME

  1180.     echo '$password = $_GET["password"];' >> $HTMLYHASH_FILENAME

  1181.     echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $HTMLYHASH_FILENAME

  1182.     echo 'if (password_verify($password, $hash)) {' >> $HTMLYHASH_FILENAME

  1183.     echo '  echo $hash;' >> $HTMLYHASH_FILENAME

  1184.     echo '}' >> $HTMLYHASH_FILENAME

  1185.     echo '?>' >> $HTMLYHASH_FILENAME

  1186. 

  1187.     php $HTMLYHASH_FILENAME password="$pass"

  1188. }

  1189. 

  1190. function show_help {

  1191.     echo ''

  1192.     echo "${PROJECT_NAME}-sec"

  1193.     echo ''

  1194.     echo $'Alters the security settings'

  1195.     echo ''

  1196.     echo ''

  1197.     echo $'  -h --help                 Show help'

  1198.     echo $'  -e --export               Export security settings to a file'

  1199.     echo $'  -i --import               Import security settings from a file'

  1200.     echo $'  -r --refresh              Refresh GPG keys for all users'

  1201.     echo $'  -s --sign                 Sign monkeysphere server keys'

  1202.     echo $'     --register [domain]    Register a https domain with monkeysphere'

  1203.     echo $'  -b --htmlyhash [password] Returns the hash of a password for a htmly blog'

  1204.     echo ''

  1205.     exit 0

  1206. }

  1207. 

  1208. 

  1209. # Get the commandline options

  1210. while [[ $# > 1 ]]

  1211. do

  1212.     key="$1"

  1213. 

  1214.     case $key in

  1215.         -h|--help)

  1216.             show_help

  1217.             ;;

  1218.         # Export settings

  1219.         -e|--export)

  1220.             shift

  1221.             EXPORT_FILE="$1"

  1222.             ;;

  1223.         # Export settings

  1224.         -i|--import)

  1225.             shift

  1226.             IMPORT_FILE="$1"

  1227.             ;;

  1228.         # Refresh GPG keys

  1229.         -r|--refresh)

  1230.             shift

  1231.             refresh_gpg_keys

  1232.             ;;

  1233.         # register a website

  1234.         --register|--reg|--site)

  1235.             shift

  1236.             register_website "$1"

  1237.             ;;

  1238.         # user signs monkeysphere server keys

  1239.         -s|--sign)

  1240.             shift

  1241.             monkeysphere_sign_server_keys

  1242.             ;;

  1243.         # get a hash of the given htmly password

  1244.         -b|--htmlyhash)

  1245.             shift

  1246.             htmly_hash "$1"

  1247.             exit 0

  1248.             ;;

  1249.         *)

  1250.             # unknown option

  1251.             ;;

  1252.     esac

  1253.     shift

  1254. done

  1255. 

  1256. menu_security_settings

  1257. 

  1258. exit 0