Continuing with 'unforgettable key' implementation

2015-07-03 19:19:36 +01:00 · 2015-07-03 19:19:36 +01:00 · 5e862cdc35
parent 02bd649d8a
commit 5e862cdc35
4 changed files with 178 additions and 27 deletions
--- a/man/freedombone-recoverkey.1.gz
+++ b/man/freedombone-recoverkey.1.gz
--- a/src/freedombone
+++ b/src/freedombone
@ -3782,7 +3782,6 @@ function backup_to_friends_servers {
  # we just need to rsync it to each friend

  echo '# For each remote server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-  echo 'ctr_share=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo 'while read remote_server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo 'do' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo '  # Get the server and its password' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
@ -3793,6 +3792,12 @@ function backup_to_friends_servers {
  echo -n '$1' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo "}')" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo '  if [ $REMOTE_SERVER ]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+  echo -n '    REMOTE_DOMAIN=$(echo "${remote_server}" | ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+  echo -n "awk -F ':' '{print " >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+  echo -n '$1' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+  echo -n "}' | awk -F '@' '{print " >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+  echo -n '$2' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+  echo "}')" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo -n '    REMOTE_SSH_PORT=$(echo "${remote_server}" | ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo -n "awk -F ' ' '{print " >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo -n '$2' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
@ -3808,27 +3813,49 @@ function backup_to_friends_servers {
  echo "$REMOTE_BACKUPS_LOG" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME

  if [[ $ENABLE_SOCIAL_KEY_MANAGEMENT == "yes" ]]; then
+      echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '    # Social key management' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo "    if [ -d /home/$MY_USERNAME/.gnupg_fragments ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo "        cd /home/$MY_USERNAME/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '        no_of_shares=$(ls -afq keyshare* | wc -l)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '        no_of_shares=$((no_of_fragments - 2))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '        if [[ ${no_of_shares} > 0 ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '            share_files=(/home/$MY_USERNAME/.gnupg_fragments/keyshare*)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '            share_filename=${key_files[ctr_share]}' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo "            mkdir -p /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo "            cp $share_filename /home/$MY_USERNAME/tempkey/.gnupg_fragments/data" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo -n '            /usr/bin/sshpass -p $REMOTE_PASSWORD ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '        if [ $REMOTE_DOMAIN ]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo "            cd /home/$MY_USERNAME/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '            no_of_shares=$(ls -afq keyshare* | wc -l)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '            no_of_shares=$((no_of_fragments - 2))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '            if [[ ${no_of_shares} > 0 ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                # Pick a share index based on the domain name' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                # This ensures that the same share is always given to the same domain' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                sharenumstr=$(md5sum <<< "$REMOTE_DOMAIN")' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                share_index=$(echo $((0x${sharenumstr%% *} % ${no_of_shares})) | tr -d -)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                # get the share filename' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                share_files=(/home/$MY_USERNAME/.gnupg_fragments/keyshare*)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                share_filename=${share_files[share_index]}' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                # create a temp directory containing the share' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo "                mkdir -p /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo "                cp $share_filename /home/$MY_USERNAME/tempkey/.gnupg_fragments/" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                # copy the fragments directory to the remote server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo -n '                /usr/bin/sshpass -p $REMOTE_PASSWORD ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo "scp -r -P $REMOTE_SSH_PORT /home/$MY_USERNAME/tempkey/.gnupg_fragments $REMOTE_SERVER" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo "            shred -zu /home/$MY_USERNAME/tempkey/.gnupg_fragments/*" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo "            rm -rf /home/$MY_USERNAME/tempkey" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '            ctr_share=$((ctr_share + 1))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '            if [[ ${ctr_share} >= ${no_of_shares} ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '                ctr_share=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                if [ ! "$?" = "0" ]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                    # Send a warning email' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo -n '                    echo "Key share to $REMOTE_SERVER failed" | mail -s "Freedombone social key management" ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo "$MY_EMAIL_ADDRESS" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                # remove the temp file/directory' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo "                shred -zu /home/$MY_USERNAME/tempkey/.gnupg_fragments/*" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo "                rm -rf /home/$MY_USERNAME/tempkey" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                # Send a confirmation email' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo -n '                echo "Key shared to $REMOTE_SERVER" | mail -s "Freedombone social key management" ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo "$MY_EMAIL_ADDRESS" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo '            fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo '        fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo '    fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  fi

+  echo '' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo -n '    rsync -ratlzv --rsh="/usr/bin/sshpass -p $REMOTE_PASSWORD ssh -p $REMOTE_SSH_PORT -o StrictHostKeyChecking=no" ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo '$SERVER_DIRECTORY/backup $REMOTE_SERVER' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo '    if [ ! "$?" = "0" ]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
@ -4480,6 +4507,14 @@ function restore_from_friend {
  echo '    rm -rf /root/tempdlna' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
  echo '  fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
  echo 'fi' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
+
+  if [[ $ENABLE_SOCIAL_KEY_MANAGEMENT == "yes" ]]; then
+      echo '' >> /usr/bin/$RESTORE_FROM_FRIENDS_SCRIPT_NAME
+      echo '# Retrieve key fragments' >> /usr/bin/$RESTORE_FROM_FRIENDS_SCRIPT_NAME
+      echo -n '/usr/bin/sshpass -p $REMOTE_PASSWORD ' >> /usr/bin/$RESTORE_FROM_FRIENDS_SCRIPT_NAME
+      echo "scp -r -P $REMOTE_SSH_PORT $REMOTE_SERVER/.gnupg_fragments /home/$MY_USERNAME/" >> /usr/bin/$RESTORE_FROM_FRIENDS_SCRIPT_NAME
+  fi
+
  echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
  echo 'echo "*** Remote restore was successful ***"' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
  echo '' >> /usr/bin/$RESTORE_FROM_FRIEND_SCRIPT_NAME
--- a/src/freedombone-config
+++ b/src/freedombone-config
@ -224,7 +224,7 @@ function save_configuration_file {
      echo "HWRNG=$HWRNG" >> $CONFIGURATION_FILE
  fi
  if [ $ENABLE_SOCIAL_KEY_MANAGEMENT ]; then
-	  echo "ENABLE_SOCIAL_KEY_MANAGEMENT=$ENABLE_SOCIAL_KEY_MANAGEMENT" >> $CONFIGURATION_FILE
+      echo "ENABLE_SOCIAL_KEY_MANAGEMENT=$ENABLE_SOCIAL_KEY_MANAGEMENT" >> $CONFIGURATION_FILE
  fi
 }

@ -241,17 +241,43 @@ function validate_domain_name {
  fi
 }

-function interactive_gpg {
-  dialog --title "Encryption keys" \
-         --backtitle "Freedombone Configuration" \
-         --defaultno \
-         --yesno "\nDo you have existing GPG/PGP/ssh keys that you wish to install?" 7 60
-  sel=$?
-  case $sel in
-      1) return;;
-      255) exit 0;;
-  esac
+function interactive_gpg_from_remote {
+  REMOTE_SERVERS_LIST=/home/$MY_USERNAME/keyshareservers.txt

+  # get a list of remote servers
+  freedombone-remote -u $MY_USERNAME -l $REMOTE_SERVERS_LIST
+  if [ ! "$?" = "0" ]; then
+      echo "1"
+      return
+  fi
+
+  if [ ! -f $REMOTE_SERVERS_LIST ]; then
+      echo "2"
+      return
+  fi
+  
+  # check the number of entries in the file
+  no_of_servers=$(cat $REMOTE_SERVERS_LIST | wc -l)
+  if [[ ${no_of_servers} < 3 ]]; then
+      dialog --title "Encryption keys" --msgbox 'There must be at least three servers to recover the key' 6 70
+      echo "3"
+      return
+  fi
+  
+  # try to recover the key from the servers
+  freedombone-recoverkey -u $MY_USERNAME -l $REMOTE_SERVERS_LIST
+  if [ ! "$?" = "0" ]; then
+      dialog --title "Encryption keys" --msgbox 'Your key could not be recovered' 6 70
+      echo "4"
+      return
+  fi
+
+  dialog --title "Encryption keys" --msgbox 'Your key has been recovered' 6 70
+
+  echo '0'
+}
+
+function interactive_gpg_from_usb {
  dialog --title "Encryption keys" --msgbox 'Plug in a USB drive containing a copy of your .gnupg directory' 6 70

  if [[ $INSTALLING_ON_BBB == "yes" ]]; then
@ -312,6 +338,35 @@ function interactive_gpg {
  rm -rf $GPG_USB_MOUNT
 }

+function interactive_gpg {
+  GPG_CONFIGURED="no"
+  while [[ $GPG_CONFIGURED != "yes" ]]
+  do
+      GPG_CONFIGURED="yes"
+      data=$(tempfile 2>/dev/null)
+      trap "rm -f $data" 0 1 2 5 15
+      dialog --backtitle "Freedombone Configuration" \
+          --radiolist "GPG/PGP keys for your system:" 17 40 3 \
+          1 "Generate new keys (new user)" on \
+          2 "Import keys from a USB drive" off \
+          3 "Retrieve keys from friends servers" off 2> $data
+      sel=$?
+      case $sel in
+          1) exit 0;;
+          255) exit 0;;
+      esac
+      case $(cat $data) in
+          1) return;;
+          2) interactive_gpg_from_usb
+             return;;
+          3) retval=interactive_gpg_from_remote
+             if [[ retval != '0' ]]; then
+                 GPG_CONFIGURED="no"
+             fi;;
+      esac
+  done
+}
+
 function interactive_configuration {
  # create a temporary copy of the configuration file
  # which can be used to pre-populate selections
--- a/src/freedombone-recoverkey
+++ b/src/freedombone-recoverkey
@ -28,9 +28,12 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.

+FRIENDS_SERVERS_LIST=
+MY_USERNAME=
+
 function show_help {
    echo ''
-    echo 'freedombone-recoverkey -u [username]'
+    echo 'freedombone-recoverkey -u [username] -l [friends servers list filename]'
    echo ''
    exit 0
 }
@ -47,6 +50,12 @@ case $key in
    shift
    MY_USERNAME="$1"
    ;;
+    # backup list filename
+    # typically /home/$USER/backup.list
+    -l|--list)
+    shift
+    FRIENDS_SERVERS_LIST="$1"
+    ;;
    *)
    # unknown option
    ;;
@ -70,12 +79,64 @@ if [ ! -d /home/$MY_USERNAME ]; then
    echo "User $MY_USERNAME does not exist on the system"
    exit 7270
 fi
+
 FRAGMENTS_DIR=/home/$MY_USERNAME/.gnupg_fragments
+
+# find the remote backup list
+if [ ! $FRIENDS_SERVERS_LIST ]; then
+    if [ -f /home/$MY_USERNAME/backup.list ]; then
+        FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list
+    fi
+fi
+
+# obtain shares/fragments from remote locations
+if [ $FRIENDS_SERVERS_LIST ]; then
+    # For each remote server
+    while read remote_server
+    do
+        # Get the server and its password
+        # Format is:
+        #   username@domain:/home/username <port number> <ssh password>
+        REMOTE_SERVER=$(echo "${remote_server}" | awk -F ' ' '{print $1}')
+        if [ $REMOTE_SERVER ]; then
+            REMOTE_SSH_PORT=$(echo "${remote_server}" | awk -F ' ' '{print $2}')
+            REMOTE_PASSWORD=$(echo "${remote_server}" | awk -F ' ' '{print $3}')
+
+            # create a directory if it doesn't exist
+            if [ ! -d /home/$MY_USERNAME/.gnupg_fragments ]; then
+                mkdir -p /home/$MY_USERNAME/.gnupg_fragments
+            fi
+
+            echo -n "Starting key retrieval from $REMOTE_SERVER..."
+            /usr/bin/sshpass -p $REMOTE_PASSWORD \
+                scp -r -P $REMOTE_SSH_PORT $REMOTE_SERVER/.gnupg_fragments/* /home/$MY_USERNAME/.gnupg_fragments
+            if [ ! "$?" = "0" ]; then
+                echo 'FAILED'
+            else
+                echo 'Ok'
+            fi
+        fi
+    done < $FRIENDS_SERVERS_LIST
+fi   
+
+# was a directory created?
 if [ ! -d $FRAGMENTS_DIR ]; then
    echo 'No fragments have been recovered, so the key cannot be recovered'
    exit 7483
 fi

+# was anything downloaded?
+cd $FRAGMENTS_DIR
+no_of_shares=$(ls -afq keyshare* | wc -l)
+no_of_shares=$((no_of_shares - 2))
+if [[ ${no_of_shares} == 0 ]]; then
+    echo 'No key fragments were retrieved'
+    exit 76882
+fi
+
+# set permissions on the fragments
+chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg_fragments
+
 # decrypt the file
 KEYS_FILE=$FRAGMENTS_DIR/keyshare.asc
 cd $FRAGMENTS_DIR