From 5e862cdc3593203be3d7790ba50ea31c0e0ef952 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Fri, 3 Jul 2015 19:19:36 +0100 Subject: [PATCH] Continuing with 'unforgettable key' implementation --- man/freedombone-recoverkey.1.gz | Bin 598 -> 641 bytes src/freedombone | 65 ++++++++++++++++++++------- src/freedombone-config | 77 +++++++++++++++++++++++++++----- src/freedombone-recoverkey | 63 +++++++++++++++++++++++++- 4 files changed, 178 insertions(+), 27 deletions(-) diff --git a/man/freedombone-recoverkey.1.gz b/man/freedombone-recoverkey.1.gz index 82a8b039e2c66ba50e4bcdfe290d90e78182c636..157e3de921b11f80789c0c005192a8ee14d57b35 100644 GIT binary patch literal 641 zcmV-{0)G7;iwFRLq?T0x1C3H$kJ3OCeebWh>5G~yWj|uF5@UoF0fmK7aHH!!OsBW) zgw99i1LVcu?zGfh2_>=V%ba`X+;h&{Xf=jRBc_rkQea0Tm0Q#s+`|=wH<$3m3Anzz zdK*IM|IaV2ur{b)8JH2_NErq}6ptai@6U!|aE9?`2bPDE0RrxDKUX>G`4~jH$X%P}aH%>is5s?D17P<0$Rzf927^@w%U<-UPCAD{&vn`6+ zZv=Be@u;OB1`_o3#tf#gmkuZqRhxiRdWOuErEf4+YCPydLG@l)-+hpF0lR|H0(Q)I zlG4cM_G(yt-%ry_^6u7P*|%> zuiMR;EnE^&$^8^lXxjZpbe9?9@OgcPL+DTA`O*5kzIth} b6Hn_~5191o?eoibJS+GE9e{A-NCf}@fK4~k literal 598 zcmV-c0;&BUiwFR^|B_Vz1C>(SZrVT)efL+4{L)qmc1TnyMO9TuDWrjbFf{5-)p|YH zE4&x&g_M_md)MHSBAbU=e%Ui;&Yan^(Q*uHjhIQEN`W1XRBlmka0guouP@<~6L59e zeH}vR|Bug9SQ*qW3`~h|qzr=~O2!aA^ryoxIHUNz1B=7S00DRC&s7dpajhi>?n=v4 ziT*@#j>4K+H~I1~ngYn>~cVh;31TEr_kh)dQd) zTLe;SB-sv9^dypHn1Pj^jkV1n8vKrSjL1C>jy*SR9EnFH=$>WrmLeuyk@t7Io@R;{-2>nSiJIVWH_tnLTA0HG&Z5uc( zna`)SRAtKvE87YsGp!B3xKd|kG+`;$EN{Rp7e0aptTZ;2HF9a2T#W*sI;~4--oBIO ztt)BXx{*;Ovp(Bq0cits;>=2wbVm_me5DSvzgmuGi!d0-6sFQzO*p(wW%^#rR9Z$& zUMLFY$^2$O)}YcJ!0D1zdrx?PG<#w09`Uj_4xz<07C;GUH||9 diff --git a/src/freedombone b/src/freedombone index 25cd729e..8542e108 100755 --- a/src/freedombone +++ b/src/freedombone @@ -3782,7 +3782,6 @@ function backup_to_friends_servers { # we just need to rsync it to each friend echo '# For each remote server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo 'ctr_share=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo 'while read remote_server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo 'do' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' # Get the server and its password' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME @@ -3793,6 +3792,12 @@ function backup_to_friends_servers { echo -n '$1' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo "}')" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' if [ $REMOTE_SERVER ]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo -n ' REMOTE_DOMAIN=$(echo "${remote_server}" | ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo -n "awk -F ':' '{print " >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo -n '$1' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo -n "}' | awk -F '@' '{print " >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo -n '$2' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo "}')" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo -n ' REMOTE_SSH_PORT=$(echo "${remote_server}" | ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo -n "awk -F ' ' '{print " >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo -n '$2' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME @@ -3808,27 +3813,49 @@ function backup_to_friends_servers { echo "$REMOTE_BACKUPS_LOG" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME if [[ $ENABLE_SOCIAL_KEY_MANAGEMENT == "yes" ]]; then + echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' # Social key management' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo " if [ -d /home/$MY_USERNAME/.gnupg_fragments ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo " cd /home/$MY_USERNAME/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo ' no_of_shares=$(ls -afq keyshare* | wc -l)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo ' no_of_shares=$((no_of_fragments - 2))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo ' if [[ ${no_of_shares} > 0 ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo ' share_files=(/home/$MY_USERNAME/.gnupg_fragments/keyshare*)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo ' share_filename=${key_files[ctr_share]}' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo " mkdir -p /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo " cp $share_filename /home/$MY_USERNAME/tempkey/.gnupg_fragments/data" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo -n ' /usr/bin/sshpass -p $REMOTE_PASSWORD ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' if [ $REMOTE_DOMAIN ]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo " cd /home/$MY_USERNAME/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' no_of_shares=$(ls -afq keyshare* | wc -l)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' no_of_shares=$((no_of_fragments - 2))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' if [[ ${no_of_shares} > 0 ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' # Pick a share index based on the domain name' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' # This ensures that the same share is always given to the same domain' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' sharenumstr=$(md5sum <<< "$REMOTE_DOMAIN")' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' share_index=$(echo $((0x${sharenumstr%% *} % ${no_of_shares})) | tr -d -)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' # get the share filename' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' share_files=(/home/$MY_USERNAME/.gnupg_fragments/keyshare*)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' share_filename=${share_files[share_index]}' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' # create a temp directory containing the share' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo " mkdir -p /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo " cp $share_filename /home/$MY_USERNAME/tempkey/.gnupg_fragments/" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' # copy the fragments directory to the remote server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo -n ' /usr/bin/sshpass -p $REMOTE_PASSWORD ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo "scp -r -P $REMOTE_SSH_PORT /home/$MY_USERNAME/tempkey/.gnupg_fragments $REMOTE_SERVER" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo " shred -zu /home/$MY_USERNAME/tempkey/.gnupg_fragments/*" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo " rm -rf /home/$MY_USERNAME/tempkey" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo ' ctr_share=$((ctr_share + 1))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo ' if [[ ${ctr_share} >= ${no_of_shares} ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME - echo ' ctr_share=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' if [ ! "$?" = "0" ]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' # Send a warning email' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo -n ' echo "Key share to $REMOTE_SERVER failed" | mail -s "Freedombone social key management" ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo "$MY_EMAIL_ADDRESS" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' # remove the temp file/directory' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo " shred -zu /home/$MY_USERNAME/tempkey/.gnupg_fragments/*" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo " rm -rf /home/$MY_USERNAME/tempkey" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo ' # Send a confirmation email' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo -n ' echo "Key shared to $REMOTE_SERVER" | mail -s "Freedombone social key management" ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME + echo "$MY_EMAIL_ADDRESS" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME fi + echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo -n ' rsync -ratlzv --rsh="/usr/bin/sshpass -p $REMOTE_PASSWORD ssh -p $REMOTE_SSH_PORT -o StrictHostKeyChecking=no" ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo '$SERVER_DIRECTORY/backup $REMOTE_SERVER' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' if [ ! "$?" = "0" ]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME @@ -4480,6 +4507,14 @@ function restore_from_friend { echo ' rm -rf /root/tempdlna' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo ' fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo 'fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME + + if [[ $ENABLE_SOCIAL_KEY_MANAGEMENT == "yes" ]]; then + echo '' >> /usr/bin/$RESTORE_FROM_FRIENDS_SCRIPT_NAME + echo '# Retrieve key fragments' >> /usr/bin/$RESTORE_FROM_FRIENDS_SCRIPT_NAME + echo -n '/usr/bin/sshpass -p $REMOTE_PASSWORD ' >> /usr/bin/$RESTORE_FROM_FRIENDS_SCRIPT_NAME + echo "scp -r -P $REMOTE_SSH_PORT $REMOTE_SERVER/.gnupg_fragments /home/$MY_USERNAME/" >> /usr/bin/$RESTORE_FROM_FRIENDS_SCRIPT_NAME + fi + echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo 'echo "*** Remote restore was successful ***"' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME diff --git a/src/freedombone-config b/src/freedombone-config index cc611114..01fbf09f 100755 --- a/src/freedombone-config +++ b/src/freedombone-config @@ -224,7 +224,7 @@ function save_configuration_file { echo "HWRNG=$HWRNG" >> $CONFIGURATION_FILE fi if [ $ENABLE_SOCIAL_KEY_MANAGEMENT ]; then - echo "ENABLE_SOCIAL_KEY_MANAGEMENT=$ENABLE_SOCIAL_KEY_MANAGEMENT" >> $CONFIGURATION_FILE + echo "ENABLE_SOCIAL_KEY_MANAGEMENT=$ENABLE_SOCIAL_KEY_MANAGEMENT" >> $CONFIGURATION_FILE fi } @@ -241,17 +241,43 @@ function validate_domain_name { fi } -function interactive_gpg { - dialog --title "Encryption keys" \ - --backtitle "Freedombone Configuration" \ - --defaultno \ - --yesno "\nDo you have existing GPG/PGP/ssh keys that you wish to install?" 7 60 - sel=$? - case $sel in - 1) return;; - 255) exit 0;; - esac +function interactive_gpg_from_remote { + REMOTE_SERVERS_LIST=/home/$MY_USERNAME/keyshareservers.txt + # get a list of remote servers + freedombone-remote -u $MY_USERNAME -l $REMOTE_SERVERS_LIST + if [ ! "$?" = "0" ]; then + echo "1" + return + fi + + if [ ! -f $REMOTE_SERVERS_LIST ]; then + echo "2" + return + fi + + # check the number of entries in the file + no_of_servers=$(cat $REMOTE_SERVERS_LIST | wc -l) + if [[ ${no_of_servers} < 3 ]]; then + dialog --title "Encryption keys" --msgbox 'There must be at least three servers to recover the key' 6 70 + echo "3" + return + fi + + # try to recover the key from the servers + freedombone-recoverkey -u $MY_USERNAME -l $REMOTE_SERVERS_LIST + if [ ! "$?" = "0" ]; then + dialog --title "Encryption keys" --msgbox 'Your key could not be recovered' 6 70 + echo "4" + return + fi + + dialog --title "Encryption keys" --msgbox 'Your key has been recovered' 6 70 + + echo '0' +} + +function interactive_gpg_from_usb { dialog --title "Encryption keys" --msgbox 'Plug in a USB drive containing a copy of your .gnupg directory' 6 70 if [[ $INSTALLING_ON_BBB == "yes" ]]; then @@ -312,6 +338,35 @@ function interactive_gpg { rm -rf $GPG_USB_MOUNT } +function interactive_gpg { + GPG_CONFIGURED="no" + while [[ $GPG_CONFIGURED != "yes" ]] + do + GPG_CONFIGURED="yes" + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + dialog --backtitle "Freedombone Configuration" \ + --radiolist "GPG/PGP keys for your system:" 17 40 3 \ + 1 "Generate new keys (new user)" on \ + 2 "Import keys from a USB drive" off \ + 3 "Retrieve keys from friends servers" off 2> $data + sel=$? + case $sel in + 1) exit 0;; + 255) exit 0;; + esac + case $(cat $data) in + 1) return;; + 2) interactive_gpg_from_usb + return;; + 3) retval=interactive_gpg_from_remote + if [[ retval != '0' ]]; then + GPG_CONFIGURED="no" + fi;; + esac + done +} + function interactive_configuration { # create a temporary copy of the configuration file # which can be used to pre-populate selections diff --git a/src/freedombone-recoverkey b/src/freedombone-recoverkey index 99ac67c3..f90f6e0b 100755 --- a/src/freedombone-recoverkey +++ b/src/freedombone-recoverkey @@ -28,9 +28,12 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +FRIENDS_SERVERS_LIST= +MY_USERNAME= + function show_help { echo '' - echo 'freedombone-recoverkey -u [username]' + echo 'freedombone-recoverkey -u [username] -l [friends servers list filename]' echo '' exit 0 } @@ -47,6 +50,12 @@ case $key in shift MY_USERNAME="$1" ;; + # backup list filename + # typically /home/$USER/backup.list + -l|--list) + shift + FRIENDS_SERVERS_LIST="$1" + ;; *) # unknown option ;; @@ -70,12 +79,64 @@ if [ ! -d /home/$MY_USERNAME ]; then echo "User $MY_USERNAME does not exist on the system" exit 7270 fi + FRAGMENTS_DIR=/home/$MY_USERNAME/.gnupg_fragments + +# find the remote backup list +if [ ! $FRIENDS_SERVERS_LIST ]; then + if [ -f /home/$MY_USERNAME/backup.list ]; then + FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list + fi +fi + +# obtain shares/fragments from remote locations +if [ $FRIENDS_SERVERS_LIST ]; then + # For each remote server + while read remote_server + do + # Get the server and its password + # Format is: + # username@domain:/home/username + REMOTE_SERVER=$(echo "${remote_server}" | awk -F ' ' '{print $1}') + if [ $REMOTE_SERVER ]; then + REMOTE_SSH_PORT=$(echo "${remote_server}" | awk -F ' ' '{print $2}') + REMOTE_PASSWORD=$(echo "${remote_server}" | awk -F ' ' '{print $3}') + + # create a directory if it doesn't exist + if [ ! -d /home/$MY_USERNAME/.gnupg_fragments ]; then + mkdir -p /home/$MY_USERNAME/.gnupg_fragments + fi + + echo -n "Starting key retrieval from $REMOTE_SERVER..." + /usr/bin/sshpass -p $REMOTE_PASSWORD \ + scp -r -P $REMOTE_SSH_PORT $REMOTE_SERVER/.gnupg_fragments/* /home/$MY_USERNAME/.gnupg_fragments + if [ ! "$?" = "0" ]; then + echo 'FAILED' + else + echo 'Ok' + fi + fi + done < $FRIENDS_SERVERS_LIST +fi + +# was a directory created? if [ ! -d $FRAGMENTS_DIR ]; then echo 'No fragments have been recovered, so the key cannot be recovered' exit 7483 fi +# was anything downloaded? +cd $FRAGMENTS_DIR +no_of_shares=$(ls -afq keyshare* | wc -l) +no_of_shares=$((no_of_shares - 2)) +if [[ ${no_of_shares} == 0 ]]; then + echo 'No key fragments were retrieved' + exit 76882 +fi + +# set permissions on the fragments +chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg_fragments + # decrypt the file KEYS_FILE=$FRAGMENTS_DIR/keyshare.asc cd $FRAGMENTS_DIR