2015-02-01 15:57:59 +01:00
#!/bin/bash
2018-04-08 14:30:21 +02:00
# _____ _ _
# | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# | __| _| -_| -_| . | . | | . | . | | -_|
# |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
2015-02-01 15:57:59 +01:00
#
2018-04-08 14:30:21 +02:00
# Freedom in the Cloud
2015-02-01 15:57:59 +01:00
#
# Alters the security settings
#
# License
# =======
#
2018-02-21 20:32:13 +01:00
# Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>
2015-02-01 15:57:59 +01:00
#
# This program is free software: you can redistribute it and/or modify
2016-02-13 23:09:27 +01:00
# it under the terms of the GNU Affero General Public License as published by
2015-02-01 15:57:59 +01:00
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
2016-02-13 23:09:27 +01:00
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
2015-02-01 15:57:59 +01:00
#
2016-02-13 23:09:27 +01:00
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
2015-02-01 15:57:59 +01:00
2015-11-27 12:42:16 +01:00
PROJECT_NAME='freedombone'
2015-11-27 17:52:23 +01:00
export TEXTDOMAIN=${PROJECT_NAME}-sec
2015-11-27 12:42:16 +01:00
export TEXTDOMAINDIR="/usr/share/locale"
2016-10-10 23:50:59 +02:00
CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg
2016-04-30 21:51:00 +02:00
COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
2018-03-02 23:58:38 +01:00
UTILS_FILES="/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*"
2016-10-14 15:56:14 +02:00
for f in $UTILS_FILES
do
2018-03-02 23:58:38 +01:00
source "$f"
2016-10-14 15:56:14 +02:00
done
2016-10-01 11:39:23 +02:00
2015-02-01 15:57:59 +01:00
SSL_PROTOCOLS=
SSL_CIPHERS=
SSH_CIPHERS=
SSH_MACS=
SSH_KEX=
SSH_HOST_KEY_ALGORITHMS=
2015-02-01 19:00:09 +01:00
SSH_PASSWORDS=
2015-02-01 15:57:59 +01:00
XMPP_CIPHERS=
XMPP_ECC_CURVE=
WEBSITES_DIRECTORY='/etc/nginx/sites-available'
DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
2015-02-01 18:17:28 +01:00
SSH_CONFIG='/etc/ssh/sshd_config'
XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'
2015-02-01 15:57:59 +01:00
MINIMUM_LENGTH=6
2015-02-02 22:04:36 +01:00
IMPORT_FILE=
EXPORT_FILE=
2015-02-02 22:18:49 +01:00
CURRENT_DIR=$(pwd)
2015-10-27 15:38:05 +01:00
DH_KEYLENGTH=2048
2015-12-05 15:17:20 +01:00
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
2015-08-15 14:34:59 +02:00
2016-05-01 18:11:00 +02:00
MY_USERNAME=
2018-03-18 12:06:27 +01:00
function ping_enable_disable {
ping_str=$"\\nDo you want to enable other systems to ping this machine?\\n\\nPing may be useful for diagnostic purposes, but for added security you may not want to enable it."
enable_ping="no"
dialog --title $"Enable Ping / ICMP" \
--backtitle $"Freedombone Control Panel" \
--defaultno \
--yesno "$ping_str" 10 60
sel=$?
case $sel in
0) enable_ping="yes";;
255) return;;
esac
if [[ $enable_ping == "yes" ]]; then
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
else
iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
fi
}
2018-03-18 11:58:18 +01:00
function any_key_verify {
echo ''
read -n1 -rsp $"Press any key to continue or C to check a hash..." key
if [[ "$key" != 'c' && "$key" != 'C' ]]; then
return
fi
data=$(mktemp 2>/dev/null)
dialog --title $"Check tripwire hash" \
--backtitle $"Freedombone Control Panel" \
--inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
sel=$?
case $sel in
0)
GIVEN_HASH=$(<"$data")
if [ ${#GIVEN_HASH} -gt 8 ]; then
if [[ "$GIVEN_HASH" == *' '* ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nThe hash should not contain any spaces" 10 40
else
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
else
dialog --title $"Check tripwire" \
--msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
fi
fi
fi
;;
esac
rm -f "$data"
}
function show_tripwire_verification_code {
if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
return
fi
clear
echo ''
echo $'Tripwire Verification Code'
echo ''
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
echo -n "$DBHASH" | qrencode -t UTF8
echo ''
echo "$DBHASH"
echo ''
}
function reset_tripwire {
if [ ! -f /usr/bin/reset-tripwire ]; then
echo $'Missing /usr/bin/reset-tripwire'
any_key
return
fi
if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
else
echo $'Error: missing local key'
any_key
return
fi
fi
clear
echo $'Turing off logging...'
"${PROJECT_NAME}-logging" off
echo $'Locking down permissions...'
lockdown_permissions
echo $'Creating configuration...'
echo '
' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
echo $'Resetting policy...'
echo '
' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
echo $'Creating tripwire database'
echo '
' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
echo $'Resetting the Tripwire...'
echo ''
echo '
' | reset-tripwire
echo ''
# Sometimes nginx fails to restart if matrix is installed
# Restart matrix first
if [ -d /etc/matrix ]; then
systemctl restart matrix
systemctl restart nginx
fi
if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
show_tripwire_verification_code
echo $'Tripwire is now reset. Take a note of the above hash, or record'
echo $'the QR code using a mobile device. This will enable you to independently'
echo $'verify the integrity of the tripwire.'
else
echo $'ERROR: tripwire database was not created'
fi
any_key
}
2018-03-18 11:33:43 +01:00
function passwords_show_apps {
SELECTED_APP=
i=0
W=()
name=()
# shellcheck disable=SC2068
for a in ${APPS_AVAILABLE[@]}
do
2018-03-18 11:48:38 +01:00
if grep -q "change_password_" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${a}"; then
2018-03-18 11:33:43 +01:00
i=$((i+1))
W+=("$i" "$a")
name+=("$a")
fi
done
i=$((i+1))
W+=("$i" "mariadb")
name+=("mariadb")
# shellcheck disable=SC2068
2018-03-18 11:41:26 +01:00
selected_app_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"User $SELECTED_USERNAME: Select App" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3)
2018-03-18 11:33:43 +01:00
# shellcheck disable=SC2181
if [ $? -eq 0 ]; then
SELECTED_APP="${name[$((selected_app_index-1))]}"
fi
}
function view_or_change_passwords {
passwords_select_user
if [ ! "$SELECTED_USERNAME" ]; then
return
fi
detect_installed_apps
passwords_show_apps
if [ ! "$SELECTED_APP" ]; then
return
fi
CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}")
icann_address=$(get_app_icann_address "${SELECTED_APP}")
onion_address=$(get_app_onion_address "${SELECTED_APP}")
titlestr=$"View or Change Password"
if [ ${#onion_address} -gt 0 ]; then
viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address\\n\\nCopy or change it if you wish."
else
viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address\\n\\nCopy or change it if you wish."
fi
if [ -f /root/.nostore ]; then
titlestr=$"Change Password"
if [ ${#onion_address} -gt 0 ]; then
viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address."
else
viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address."
fi
fi
if [[ "${SELECTED_APP}" == 'mariadb' ]]; then
CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a mariadb)
dialog --title $"MariaDB database password" \
--msgbox "\\n ${CURR_PASSWORD}" 7 40
return
fi
data=$(mktemp 2>/dev/null)
dialog --title "$titlestr" \
--backtitle $"Freedombone Control Panel" \
--inputbox "$viewstr" 12 75 "$CURR_PASSWORD" 2>"$data"
sel=$?
case $sel in
0)
CURR_PASSWORD=$(<"$data")
if [ ${#CURR_PASSWORD} -gt 8 ]; then
"${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}" -p "${CURR_PASSWORD}"
"change_password_${SELECTED_APP}" "${SELECTED_USERNAME}" "${CURR_PASSWORD}"
dialog --title $"Change password" \
--msgbox $"The password was changed" 6 40
else
dialog --title $"Change password" \
--msgbox $"The password given must be at least 8 characters" 6 40
fi
;;
esac
rm -f "$data"
}
2018-03-18 11:03:43 +01:00
function show_firewall {
W=()
while read -r line; do
firewall_name=$(echo "$line" | awk -F '=' '{print $1}')
firewall_port=$(echo "$line" | awk -F '=' '{print $2}')
2018-03-18 11:07:05 +01:00
W+=("${firewall_name}" "${firewall_port}")
2018-03-18 11:03:43 +01:00
done < "$FIREWALL_CONFIG"
# shellcheck disable=SC2068
dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Firewall" --menu $"Press ESC to return to main menu" 28 50 28 "${W[@]}" 3>&2 2>&1 1>&3
}
2016-11-24 14:44:42 +01:00
function export_passwords {
detect_usb_drive
dialog --title $"Export passwords to USB drive $USB_DRIVE" \
2016-11-24 15:32:37 +01:00
--backtitle $"Security Settings" \
2016-11-24 14:44:42 +01:00
--defaultno \
2018-03-02 20:17:02 +01:00
--yesno $"\\nPlease confirm that you wish to export passwords to a LUKS formatted USB drive. The drive should be plugged in." 10 60
2016-11-24 14:44:42 +01:00
sel=$?
case $sel in
1) return;;
255) return;;
esac
2016-11-24 15:32:37 +01:00
dialog --title $"Export passwords to USB drive $USB_DRIVE" \
--backtitle $"Security Settings" \
--defaultno \
2018-03-02 20:17:02 +01:00
--yesno $"\\nDo you need to format the drive as LUKS encrypted?" 12 60
2016-11-24 15:32:37 +01:00
sel=$?
case $sel in
2018-03-02 20:17:02 +01:00
0) ${PROJECT_NAME}-format "$USB_DRIVE";;
2016-11-24 15:32:37 +01:00
esac
2016-11-24 14:44:42 +01:00
clear
2018-03-02 20:17:02 +01:00
backup_mount_drive "${USB_DRIVE}"
${PROJECT_NAME}-pass --export "${USB_MOUNT}/${PROJECT_NAME}-passwords.xml"
backup_unmount_drive "${USB_DRIVE}"
2016-11-24 14:44:42 +01:00
}
2015-02-01 15:57:59 +01:00
function get_protocols_from_website {
2018-03-02 20:17:02 +01:00
if [ ! -f "$WEBSITES_DIRECTORY/$1" ]; then
2016-08-09 10:34:31 +02:00
return
fi
2018-03-02 20:17:02 +01:00
SSL_PROTOCOLS=$(grep 'ssl_protocols ' "$WEBSITES_DIRECTORY/$1" | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
2015-02-01 15:57:59 +01:00
}
function get_ciphers_from_website {
2018-03-02 20:17:02 +01:00
if [ ! -f "$WEBSITES_DIRECTORY/$1" ]; then
2016-08-09 10:34:31 +02:00
return
fi
2018-03-02 20:17:02 +01:00
SSL_CIPHERS=$(grep 'ssl_ciphers ' "$WEBSITES_DIRECTORY/$1" | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
2015-02-01 15:57:59 +01:00
}
function get_imap_settings {
2016-08-09 10:34:31 +02:00
if [ ! -f $DOVECOT_CIPHERS ]; then
return
fi
# clear commented out cipher list
sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
2018-03-02 20:17:02 +01:00
if [ "$SSL_CIPHERS" ]; then
2016-08-09 10:34:31 +02:00
return
fi
if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
return
fi
2018-03-02 20:17:02 +01:00
SSL_CIPHERS=$(grep 'ssl_cipher_list' "$DOVECOT_CIPHERS" | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
2015-02-01 15:57:59 +01:00
}
2015-02-01 18:17:28 +01:00
function get_xmpp_settings {
2016-08-09 10:34:31 +02:00
if [ ! -f $XMPP_CONFIG ]; then
return
fi
2018-03-02 20:17:02 +01:00
XMPP_CIPHERS=$(grep 'ciphers ' "$XMPP_CONFIG" | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
XMPP_ECC_CURVE=$(grep 'curve ' "$XMPP_CONFIG" | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
2015-02-01 18:17:28 +01:00
}
function get_ssh_settings {
2016-08-09 10:34:31 +02:00
if [ -f $SSH_CONFIG ]; then
2018-03-02 20:17:02 +01:00
SSH_PASSWORDS=$(grep 'PasswordAuthentication ' "$SSH_CONFIG" | awk -F 'PasswordAuthentication ' '{print $2}')
2016-08-09 10:34:31 +02:00
fi
if [ -f /etc/ssh/ssh_config ]; then
2018-03-02 20:17:02 +01:00
SSH_HOST_KEY_ALGORITHMS=$(grep 'HostKeyAlgorithms ' "/etc/ssh/ssh_config" | awk -F 'HostKeyAlgorithms ' '{print $2}')
2016-08-09 10:34:31 +02:00
fi
2015-02-01 18:17:28 +01:00
}
2015-02-01 15:57:59 +01:00
function change_website_settings {
2016-08-09 10:34:31 +02:00
if [ ! "$SSL_PROTOCOLS" ]; then
return
fi
2018-03-02 20:17:02 +01:00
if [ ! "$SSL_CIPHERS" ]; then
2016-08-09 10:34:31 +02:00
return
fi
if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
return
fi
if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
return
fi
if [ ! -d $WEBSITES_DIRECTORY ]; then
return
fi
2018-03-02 20:17:02 +01:00
cd $WEBSITES_DIRECTORY || exit 2468724628
for file in $(dir -d "*") ; do
sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" "$WEBSITES_DIRECTORY/$file"
if ! grep -q "Mobile compatible ciphers" "$WEBSITES_DIRECTORY/$file"; then
2017-05-25 19:03:46 +02:00
2018-03-02 20:17:02 +01:00
sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" "$WEBSITES_DIRECTORY/$file"
2017-05-25 19:03:46 +02:00
else
2018-03-02 20:17:02 +01:00
sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS_MOBILE';|g" "$WEBSITES_DIRECTORY/$file"
2017-05-25 19:03:46 +02:00
fi
2016-08-09 10:34:31 +02:00
done
systemctl restart nginx
echo $'Web security settings changed'
2015-02-01 15:57:59 +01:00
}
function change_imap_settings {
2016-08-09 10:34:31 +02:00
if [ ! -f $DOVECOT_CIPHERS ]; then
return
fi
2018-03-02 20:17:02 +01:00
if [ ! "$SSL_CIPHERS" ]; then
2016-08-09 10:34:31 +02:00
return
fi
if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
return
fi
sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
systemctl restart dovecot
echo $'imap security settings changed'
2015-02-01 18:17:28 +01:00
}
function change_ssh_settings {
2016-08-09 10:34:31 +02:00
if [ -f /etc/ssh/ssh_config ]; then
2018-03-02 20:17:02 +01:00
if [ "$SSH_HOST_KEY_ALGORITHMS" ]; then
2016-08-09 10:34:31 +02:00
sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
echo $'ssh client security settings changed'
fi
fi
if [ -f $SSH_CONFIG ]; then
if [ ! $SSH_CIPHERS ]; then
return
fi
if [ ! $SSH_MACS ]; then
return
fi
if [ ! $SSH_KEX ]; then
return
fi
2018-03-02 20:17:02 +01:00
if [ ! "$SSH_PASSWORDS" ]; then
2016-10-30 11:07:57 +01:00
SSH_PASSWORDS='yes'
2016-08-09 10:34:31 +02:00
fi
sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
2016-10-30 11:07:57 +01:00
sed -i "s|#PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
2016-08-09 10:34:31 +02:00
sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
systemctl restart ssh
echo $'ssh server security settings changed'
fi
2015-02-01 18:17:28 +01:00
}
function change_xmpp_settings {
2016-08-09 10:34:31 +02:00
if [ ! -f $XMPP_CONFIG ]; then
return
fi
2018-03-02 20:17:02 +01:00
if [ ! "$XMPP_CIPHERS" ]; then
2016-08-09 10:34:31 +02:00
return
fi
2018-03-02 20:17:02 +01:00
if [ ! "$XMPP_ECC_CURVE" ]; then
2016-08-09 10:34:31 +02:00
return
fi
sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
systemctl restart prosody
echo $'xmpp security settings changed'
2015-02-01 18:17:28 +01:00
}
2016-10-30 11:07:57 +01:00
function allow_ssh_passwords {
2016-10-30 11:11:03 +01:00
dialog --title $"SSH Passwords" \
--backtitle $"Freedombone Security Configuration" \
2018-03-02 20:17:02 +01:00
--yesno $"\\nAllow SSH login using passwords?" 7 60
2016-10-30 11:07:57 +01:00
sel=$?
case $sel in
0) SSH_PASSWORDS="yes";;
1) SSH_PASSWORDS="no";;
255) exit 0;;
esac
}
2015-02-01 18:17:28 +01:00
function interactive_setup {
2018-03-02 20:17:02 +01:00
if [ "$SSL_CIPHERS" ]; then
data=$(mktemp 2>/dev/null)
2016-08-09 10:34:31 +02:00
dialog --backtitle $"Freedombone Security Configuration" \
2018-03-02 20:17:02 +01:00
--form $"\\nWeb/IMAP Ciphers:" 10 95 2 \
2016-08-09 10:34:31 +02:00
$"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
$"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
2018-03-02 20:17:02 +01:00
2> "$data"
2016-08-09 10:34:31 +02:00
sel=$?
case $sel in
2018-03-02 20:17:02 +01:00
1) SSL_PROTOCOLS=$(sed -n 1p < "$data")
SSL_CIPHERS=$(sed -n 2p < "$data")
2016-08-09 10:34:31 +02:00
;;
2018-03-02 20:17:02 +01:00
255) rm -f "$data"
exit 0;;
2016-08-09 10:34:31 +02:00
esac
2018-03-02 20:17:02 +01:00
rm -f "$data"
2016-08-09 10:34:31 +02:00
fi
2018-03-02 20:17:02 +01:00
data=$(mktemp 2>/dev/null)
if [ "$SSH_HOST_KEY_ALGORITHMS" ]; then
2016-08-09 10:34:31 +02:00
dialog --backtitle $"Freedombone Security Configuration" \
2018-03-02 20:17:02 +01:00
--form $"\\nSecure Shell Ciphers:" 13 95 4 \
2016-08-09 10:34:31 +02:00
$"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
$"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
$"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
$"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
2018-03-02 20:17:02 +01:00
2> "$data"
2016-08-09 10:34:31 +02:00
sel=$?
case $sel in
2018-03-02 20:17:02 +01:00
1) SSH_CIPHERS=$(sed -n 1p < "$data")
SSH_MACS=$(sed -n 2p < "$data")
SSH_KEX=$(sed -n 3p < "$data")
SSH_HOST_KEY_ALGORITHMS=$(sed -n 4p < "$data")
2016-08-09 10:34:31 +02:00
;;
2018-03-02 20:17:02 +01:00
255) rm -f "$data"
exit 0;;
2016-08-09 10:34:31 +02:00
esac
else
dialog --backtitle $"Freedombone Security Configuration" \
2018-03-02 20:17:02 +01:00
--form $"\\nSecure Shell Ciphers:" 11 95 3 \
2016-08-09 10:34:31 +02:00
$"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
$"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
$"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
2018-03-02 20:17:02 +01:00
2> "$data"
2016-08-09 10:34:31 +02:00
sel=$?
case $sel in
2018-03-02 20:17:02 +01:00
1) SSH_CIPHERS=$(sed -n 1p < "$data")
SSH_MACS=$(sed -n 2p < "$data")
SSH_KEX=$(sed -n 3p < "$data")
2016-08-09 10:34:31 +02:00
;;
2018-03-02 20:17:02 +01:00
255) rm -f "$data"
exit 0;;
2016-08-09 10:34:31 +02:00
esac
fi
2018-03-02 20:17:02 +01:00
rm -f "$data"
2016-08-09 10:34:31 +02:00
2018-03-02 20:17:02 +01:00
if [ "$XMPP_CIPHERS" ]; then
data=$(mktemp 2>/dev/null)
2016-08-09 10:34:31 +02:00
dialog --backtitle $"Freedombone Security Configuration" \
2018-03-02 20:17:02 +01:00
--form $"\\nXMPP Ciphers:" 10 95 2 \
2016-08-09 10:34:31 +02:00
$"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
$"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
2018-03-02 20:17:02 +01:00
2> "$data"
2016-08-09 10:34:31 +02:00
sel=$?
case $sel in
2018-03-02 20:17:02 +01:00
1) XMPP_CIPHERS=$(sed -n 1p < "$data")
XMPP_ECC_CURVE=$(sed -n 2p < "$data")
2016-08-09 10:34:31 +02:00
;;
2018-03-02 20:17:02 +01:00
255) rm -f "$data"
exit 0;;
2016-08-09 10:34:31 +02:00
esac
2018-03-02 20:17:02 +01:00
rm -f "$data"
2016-08-09 10:34:31 +02:00
fi
dialog --title $"Final Confirmation" \
--backtitle $"Freedombone Security Configuration" \
--defaultno \
2018-03-02 20:17:02 +01:00
--yesno $"\\nPlease confirm that you wish your security settings to be changed?\\n\\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
2016-08-09 10:34:31 +02:00
sel=$?
case $sel in
1) clear
echo $'Exiting without changing security settings'
exit 0;;
255) clear
echo $'Exiting without changing security settings'
exit 0;;
esac
clear
2015-02-01 15:57:59 +01:00
}
2016-05-04 10:53:37 +02:00
function send_monkeysphere_server_keys_to_users {
2016-08-09 10:34:31 +02:00
monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
2016-10-01 11:48:07 +02:00
if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
2018-03-02 20:17:02 +01:00
if [ ! -d "/home/$USERNAME/.monkeysphere" ]; then
mkdir "/home/$USERNAME/.monkeysphere"
2016-08-09 10:34:31 +02:00
fi
2018-03-02 20:17:02 +01:00
echo "$monkeysphere_server_keys" > "/home/$USERNAME/.monkeysphere/server_keys"
chown -R "$USERNAME":"$USERNAME" "/home/$USERNAME/.monkeysphere"
2016-08-09 10:34:31 +02:00
fi
done
2016-05-04 10:53:37 +02:00
}
2015-08-15 14:34:59 +02:00
function regenerate_ssh_host_keys {
2016-10-30 10:56:32 +01:00
rm -f /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
echo $'ssh host keys regenerated'
# remove small moduli
awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
mv ~/moduli /etc/ssh/moduli
echo $'ssh small moduli removed'
# update monkeysphere
DEFAULT_DOMAIN_NAME=
read_config_param "DEFAULT_DOMAIN_NAME"
2018-03-02 20:17:02 +01:00
monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key "ssh://$DEFAULT_DOMAIN_NAME"
SSH_ONION_HOSTNAME=$(grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key "ssh://$SSH_ONION_HOSTNAME"
2016-10-30 10:56:32 +01:00
monkeysphere-host publish-key
send_monkeysphere_server_keys_to_users
echo $'updated monkeysphere ssh host key'
systemctl restart ssh
2015-08-15 14:34:59 +02:00
}
function regenerate_dh_keys {
2016-10-30 10:56:32 +01:00
if [ ! -d /etc/ssl/mycerts ]; then
echo $'No dhparam certificates were found'
return
fi
2016-08-09 10:34:31 +02:00
2018-03-02 20:17:02 +01:00
data=$(mktemp 2>/dev/null)
2016-10-30 10:56:32 +01:00
dialog --backtitle "Freedombone Security Configuration" \
--title "Diffie-Hellman key length" \
--radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
1 "2048 bits" off \
2 "3072 bits" on \
2018-03-02 20:17:02 +01:00
3 "4096 bits" off 2> "$data"
2016-10-30 10:56:32 +01:00
sel=$?
case $sel in
2018-03-02 20:17:02 +01:00
1) rm -f "$data"
exit 1;;
255) rm -f "$data"
exit 1;;
2016-10-30 10:56:32 +01:00
esac
2018-03-02 20:17:02 +01:00
case $(cat "$data") in
2016-10-30 10:56:32 +01:00
1) DH_KEYLENGTH=2048;;
2) DH_KEYLENGTH=3072;;
3) DH_KEYLENGTH=4096;;
esac
2018-03-02 20:17:02 +01:00
rm -f "$data"
2016-08-09 10:34:31 +02:00
2016-10-30 10:56:32 +01:00
${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
2015-08-15 14:34:59 +02:00
}
2015-11-03 19:00:08 +01:00
function renew_startssl {
2016-08-09 10:34:31 +02:00
renew_domain=
2018-03-02 20:17:02 +01:00
data=$(mktemp 2>/dev/null)
2016-08-09 10:34:31 +02:00
dialog --title $"Renew a StartSSL certificate" \
--backtitle $"Freedombone Security Settings" \
2018-03-02 20:17:02 +01:00
--inputbox $"Enter the domain name" 8 60 2>"$data"
2016-08-09 10:34:31 +02:00
sel=$?
case $sel in
0)
2018-03-02 20:17:02 +01:00
renew_domain=$(<"$data")
2016-08-09 10:34:31 +02:00
;;
esac
2018-03-02 20:17:02 +01:00
rm -f "$data"
2016-08-09 10:34:31 +02:00
2018-03-02 20:17:02 +01:00
if [ ! "$renew_domain" ]; then
2016-08-09 10:34:31 +02:00
return
fi
if [[ $renew_domain == "http"* ]]; then
dialog --title $"Renew a StartSSL certificate" \
--msgbox $"Don't include the https://" 6 40
return
fi
2018-03-02 20:17:02 +01:00
if [ ! -f "/etc/ssl/certs/${renew_domain}.dhparam" ]; then
2016-08-09 10:34:31 +02:00
dialog --title $"Renew a StartSSL certificate" \
--msgbox $"An existing certificate for $renew_domain was not found" 6 40
return
fi
if [[ $renew_domain != *"."* ]]; then
dialog --title $"Renew a StartSSL certificate" \
--msgbox $"Invalid domain name: $renew_domain" 6 40
return
fi
2018-03-02 20:17:02 +01:00
${PROJECT_NAME}-renew-cert -h "$renew_domain" -p startssl
2016-08-09 10:34:31 +02:00
exit 0
2015-11-04 11:10:18 +01:00
}
function renew_letsencrypt {
2016-08-09 10:34:31 +02:00
renew_domain=
2018-03-02 20:17:02 +01:00
data=$(mktemp 2>/dev/null)
2016-08-09 10:34:31 +02:00
dialog --title $"Renew a Let's Encrypt certificate" \
--backtitle $"Freedombone Security Settings" \
2018-03-02 20:17:02 +01:00
--inputbox $"Enter the domain name" 8 60 2>"$data"
2016-08-09 10:34:31 +02:00
sel=$?
case $sel in
0)
2018-03-02 20:17:02 +01:00
renew_domain=$(<"$data")
2016-08-09 10:34:31 +02:00
;;
esac
2018-03-02 20:17:02 +01:00
rm -f "$data"
2016-08-09 10:34:31 +02:00
2018-03-02 20:17:02 +01:00
if [ ! "$renew_domain" ]; then
2016-08-09 10:34:31 +02:00
return
fi
if [[ $renew_domain == "http"* ]]; then
dialog --title $"Renew a Let's Encrypt certificate" \
--msgbox $"Don't include the https://" 6 40
return
fi
2018-03-02 20:17:02 +01:00
if [ ! -f "/etc/ssl/certs/${renew_domain}.dhparam" ]; then
2016-08-09 10:34:31 +02:00
dialog --title $"Renew a Let's Encrypt certificate" \
--msgbox $"An existing certificate for $renew_domain was not found" 6 40
return
fi
if [[ $renew_domain != *"."* ]]; then
dialog --title $"Renew a Let's Encrypt certificate" \
--msgbox $"Invalid domain name: $renew_domain" 6 40
return
fi
2018-03-02 20:17:02 +01:00
${PROJECT_NAME}-renew-cert -h "$renew_domain" -p 'letsencrypt'
2016-08-09 10:34:31 +02:00
exit 0
2015-11-03 19:00:08 +01:00
}
2017-02-25 12:28:55 +01:00
function delete_letsencrypt {
delete_domain=
2018-03-02 20:17:02 +01:00
data=$(mktemp 2>/dev/null)
2017-02-25 12:28:55 +01:00
dialog --title $"Delete a Let's Encrypt certificate" \
--backtitle $"Freedombone Security Settings" \
2018-03-02 20:17:02 +01:00
--inputbox $"Enter the domain name" 8 60 2>"$data"
2017-02-25 12:28:55 +01:00
sel=$?
case $sel in
0)
2018-03-02 20:17:02 +01:00
delete_domain=$(<"$data")
2017-02-25 12:28:55 +01:00
;;
esac
2018-03-02 20:17:02 +01:00
rm -f "$data"
2017-02-25 12:28:55 +01:00
2018-03-02 20:17:02 +01:00
if [ ! "$delete_domain" ]; then
2017-02-25 12:28:55 +01:00
return
fi
if [[ $delete_domain == "http"* ]]; then
dialog --title $"Delete a Let's Encrypt certificate" \
--msgbox $"Don't include the https://" 6 40
return
fi
2018-03-02 20:17:02 +01:00
if [ ! -f "/etc/ssl/certs/${delete_domain}.dhparam" ]; then
2017-02-25 12:28:55 +01:00
dialog --title $"Delete a Let's Encrypt certificate" \
--msgbox $"An existing certificate for $renew_domain was not found" 6 40
return
fi
if [[ $delete_domain != *"."* ]]; then
dialog --title $"Delete a Let's Encrypt certificate" \
--msgbox $"Invalid domain name: $delete_domain" 6 40
return
fi
2017-02-25 12:33:18 +01:00
dialog --title $"Delete a Let's Encrypt certificate" \
--backtitle $"Freedombone Security Settings" \
--defaultno \
2018-03-02 20:17:02 +01:00
--yesno $"\\nConfirm deletion of the TLS certificate for $delete_domain ?" 7 60
2017-02-25 12:33:18 +01:00
sel=$?
case $sel in
2018-03-02 20:17:02 +01:00
0) ${PROJECT_NAME}-addcert -r "$delete_domain";;
2017-02-25 12:33:18 +01:00
255) exit 0;;
esac
2017-02-25 12:28:55 +01:00
exit 0
}
2015-12-05 15:17:20 +01:00
function create_letsencrypt {
2016-08-09 10:34:31 +02:00
new_domain=
2018-03-02 20:17:02 +01:00
data=$(mktemp 2>/dev/null)
2016-08-09 10:34:31 +02:00
dialog --title $"Create a new Let's Encrypt certificate" \
--backtitle $"Freedombone Security Settings" \
2018-03-02 20:17:02 +01:00
--inputbox $"Enter the domain name" 8 60 2>"$data"
2016-08-09 10:34:31 +02:00
sel=$?
case $sel in
0)
2018-03-02 20:17:02 +01:00
new_domain=$(<"$data")
2016-08-09 10:34:31 +02:00
;;
esac
2018-03-02 20:17:02 +01:00
rm -f "$data"
2016-08-09 10:34:31 +02:00
2018-03-02 20:17:02 +01:00
if [ ! "$new_domain" ]; then
2016-08-09 10:34:31 +02:00
return
fi
if [[ $new_domain == "http"* ]]; then
dialog --title $"Create a new Let's Encrypt certificate" \
--msgbox $"Don't include the https://" 6 40
return
fi
if [[ $new_domain != *"."* ]]; then
dialog --title $"Create a new Let's Encrypt certificate" \
--msgbox $"Invalid domain name: $new_domain" 6 40
return
fi
2018-03-02 20:17:02 +01:00
if [ ! -d "/var/www/${new_domain}" ]; then
2016-11-08 23:20:32 +01:00
domain_found=
if [ -f /etc/nginx/sites-available/radicale ]; then
2017-06-28 14:52:14 +02:00
if grep -q "${new_domain}" /etc/nginx/sites-available/radicale; then
2016-11-08 23:20:32 +01:00
domain_found=1
fi
fi
2018-03-02 20:17:02 +01:00
if [ -f "/etc/nginx/sites-available/${new_domain}" ]; then
2016-11-09 20:27:02 +01:00
domain_found=1
fi
2016-11-09 20:40:05 +01:00
if [[ "${new_domain}" == "jitsi"* || "${new_domain}" == "meet"* ]]; then
domain_found=1
fi
2016-11-08 23:20:32 +01:00
if [ ! $domain_found ]; then
dialog --title $"Create a new Let's Encrypt certificate" \
--msgbox $'Domain not found within /var/www' 6 40
return
fi
2016-08-09 10:34:31 +02:00
fi
2018-03-02 20:17:02 +01:00
${PROJECT_NAME}-addcert -e "$new_domain" -s "$LETSENCRYPT_SERVER" --dhkey "$DH_KEYLENGTH"
2016-08-09 10:34:31 +02:00
exit 0
2015-12-05 15:17:20 +01:00
}
2016-01-08 11:09:12 +01:00
function update_ciphersuite {
2016-10-30 10:35:15 +01:00
RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"
2016-08-09 10:34:31 +02:00
if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
return
fi
2016-10-30 10:35:15 +01:00
RECOMMENDED_SSL_PROTOCOLS="$SSL_PROTOCOLS"
2016-08-09 10:34:31 +02:00
if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then
return
fi
2016-10-30 10:35:15 +01:00
RECOMMENDED_SSH_CIPHERS="$SSH_CIPHERS"
2016-08-09 10:34:31 +02:00
if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then
return
fi
2016-10-30 10:35:15 +01:00
RECOMMENDED_SSH_MACS="$SSH_MACS"
2016-08-09 10:34:31 +02:00
if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then
return
fi
2016-10-30 10:35:15 +01:00
RECOMMENDED_SSH_KEX="$SSH_KEX"
2016-08-09 10:34:31 +02:00
if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then
return
fi
2018-03-02 20:17:02 +01:00
cd $WEBSITES_DIRECTORY || exit 728425476
for file in $(dir -d "*") ; do
sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" "$WEBSITES_DIRECTORY/$file"
if ! grep -q "Mobile compatible ciphers" "$WEBSITES_DIRECTORY/$file"; then
sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" "$WEBSITES_DIRECTORY/$file"
2017-05-10 23:27:52 +02:00
else
2018-03-02 20:17:02 +01:00
sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS_MOBILE';|g" "$WEBSITES_DIRECTORY/$file"
2017-05-10 23:27:52 +02:00
fi
2016-08-09 10:34:31 +02:00
done
systemctl restart nginx
2016-10-30 10:35:15 +01:00
write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"
write_config_param "SSL_CIPHERS" "$RECOMMENDED_SSL_CIPHERS"
2016-08-09 10:34:31 +02:00
sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG
sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG
sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG
systemctl restart ssh
2016-10-30 10:35:15 +01:00
write_config_param "SSH_CIPHERS" "$RECOMMENDED_SSH_CIPHERS"
write_config_param "SSH_MACS" "$RECOMMENDED_SSH_MACS"
write_config_param "SSH_KEX" "$RECOMMENDED_SSH_KEX"
2016-08-09 10:34:31 +02:00
dialog --title $"Update ciphersuite" \
--msgbox $"The ciphersuite has been updated to recommended versions" 6 40
exit 0
2016-01-08 11:09:12 +01:00
}
2016-05-01 18:11:00 +02:00
function enable_monkeysphere {
2016-08-09 10:34:31 +02:00
monkey=
dialog --title $"GPG based authentication" \
--backtitle $"Freedombone Security Configuration" \
--defaultno \
2018-03-02 20:17:02 +01:00
--yesno $"\\nEnable GPG based authentication with monkeysphere ?" 7 60
2016-08-09 10:34:31 +02:00
sel=$?
case $sel in
0) monkey='yes';;
255) exit 0;;
esac
if [ $monkey ]; then
2016-10-14 15:56:14 +02:00
read_config_param "MY_USERNAME"
2016-08-09 10:34:31 +02:00
if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then
dialog --title $"GPG based authentication" \
--msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40
exit 0
fi
MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
2017-06-01 18:58:49 +02:00
echo $"monkeysphere unable to get GPG key ID for user $MY_USERNAME@$HOSTNAME"
2016-08-09 10:34:31 +02:00
exit 52825
fi
sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config
monkeysphere-authentication update-users
# The admin user is the identity certifier
2018-03-02 20:17:02 +01:00
fpr=$(gpg --with-colons --fingerprint "$MY_GPG_PUBLIC_KEY_ID" | grep fpr | head -n 1 | awk -F ':' '{print $10}')
monkeysphere-authentication add-identity-certifier "$fpr"
2016-08-09 10:34:31 +02:00
monkeysphere-host publish-key
send_monkeysphere_server_keys_to_users
else
sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config
fi
systemctl restart ssh
if [ $monkey ]; then
dialog --title $"GPG based authentication" \
--msgbox $"GPG based authentication was enabled" 6 40
else
dialog --title $"GPG based authentication" \
--msgbox $"GPG based authentication was disabled" 6 40
fi
exit 0
2016-05-01 18:11:00 +02:00
}
2016-05-02 22:56:13 +02:00
function register_website {
2016-08-09 10:34:31 +02:00
domain="$1"
if [[ ${domain} == *".local" ]]; then
echo $"Can't register local domains"
return
fi
2018-03-02 20:17:02 +01:00
if [ ! -f "/etc/ssl/private/${domain}.key" ]; then
2016-08-09 10:34:31 +02:00
echo $"No SSL/TLS private key found for ${domain}"
return
fi
2018-03-02 20:17:02 +01:00
if [ ! -f "/etc/nginx/sites-available/${domain}" ]; then
2016-08-09 10:34:31 +02:00
echo $"No virtual host found for ${domain}"
return
fi
2018-03-02 20:17:02 +01:00
monkeysphere-host import-key "/etc/ssl/private/${domain}.key" "https://${domain}"
2016-08-09 10:34:31 +02:00
monkeysphere-host publish-key
echo "0"
2016-05-02 22:56:13 +02:00
}
function register_website_interactive {
2018-03-02 20:17:02 +01:00
data=$(mktemp 2>/dev/null)
2016-08-09 10:34:31 +02:00
dialog --title $"Register a website with monkeysphere" \
--backtitle $"Freedombone Security Settings" \
2018-03-02 20:17:02 +01:00
--inputbox $"Enter the website domain name (without https://)" 8 60 2>"$data"
2016-08-09 10:34:31 +02:00
sel=$?
case $sel in
0)
2018-03-02 20:17:02 +01:00
domain=$(<"$data")
if ! register_website "$domain"; then
2016-08-09 10:34:31 +02:00
dialog --title $"Register a website with monkeysphere" \
--msgbox "$?" 6 40
else
dialog --title $"Register a website with monkeysphere" \
--msgbox $"$domain has been registered" 6 40
fi
;;
esac
2018-03-02 20:17:02 +01:00
rm -f "$data"
2016-05-02 22:56:13 +02:00
}
2016-08-09 10:43:44 +02:00
function pin_all_tls_certs {
${PROJECT_NAME}-pin-cert all
}
2016-08-09 13:07:53 +02:00
function remove_pinning {
2018-03-02 20:17:02 +01:00
data=$(mktemp 2>/dev/null)
2016-08-09 13:07:53 +02:00
dialog --title $"Remove pinning for a domain" \
--backtitle $"Freedombone Security Settings" \
2018-03-02 20:17:02 +01:00
--inputbox $"Enter the website domain name (without https://)" 8 60 2>"$data"
2016-08-09 13:07:53 +02:00
sel=$?
case $sel in
0)
2018-03-02 20:17:02 +01:00
domain=$(<"$data")
if ! ${PROJECT_NAME}-pin-cert "$domain" remove; then
2016-08-09 13:07:53 +02:00
dialog --title $"Removed pinning from $domain" \
--msgbox "$?" 6 40
fi
;;
esac
2018-03-02 20:17:02 +01:00
rm -f "$data"
2016-08-09 13:07:53 +02:00
}
2016-11-23 13:25:46 +01:00
function store_passwords {
dialog --title $"Store Passwords" \
2016-11-23 10:34:45 +01:00
--backtitle $"Freedombone Security Configuration" \
2018-03-02 20:17:02 +01:00
--yesno $"\\nDo you wish to store passwords on the system? Stored passwords are convenient but carry some additional security risk." 10 60
2016-11-23 10:34:45 +01:00
sel=$?
case $sel in
2016-11-23 13:25:46 +01:00
0)
2016-11-23 13:52:09 +01:00
if [ -f /root/.nostore ]; then
read_config_param "MY_USERNAME"
if [ ! -f /home/$MY_USERNAME/.ssh/authorized_keys ]; then
dialog --title $"Store Passwords" \
2018-03-02 20:17:02 +01:00
--msgbox $"\\nYou should first enable key based ssh login to improve security" 8 60
2016-11-23 13:52:09 +01:00
return
fi
if [[ $SSH_PASSWORDS == 'yes' ]]; then
dialog --title $"Store Passwords" \
2018-03-02 20:17:02 +01:00
--msgbox $"\\nYou should disable ssh passwords to improve security" 8 60
2016-11-23 13:52:09 +01:00
return
fi
${PROJECT_NAME}-pass --enable yes
dialog --title $"Store Passwords" \
2018-03-02 20:17:02 +01:00
--msgbox $"\\nUser passwords will now be stored on the system" 8 60
2016-11-23 13:52:09 +01:00
fi
2016-11-23 13:25:46 +01:00
return
;;
1)
${PROJECT_NAME}-pass --clear yes
dialog --title $"Passwords were removed and will not be stored" \
2018-03-02 20:17:02 +01:00
--msgbox $"\\nFor the best security you should now manually change passwords via web interfaces so that there is no possibility of them being recovered from the disk" 9 60
2016-11-23 13:25:46 +01:00
return
;;
2016-11-23 10:34:45 +01:00
255) return;;
esac
}
2016-12-21 16:26:49 +01:00
function show_tor_bridges {
2016-12-21 17:57:31 +01:00
clear
2016-12-21 17:56:27 +01:00
bridges_list=$(grep "Bridge " /etc/tor/torrc | grep -v '##')
if [ ${#bridges_list} -eq 0 ]; then
2016-12-21 17:35:50 +01:00
echo $'No Tor bridges have been added'
return
fi
2016-12-21 17:56:27 +01:00
echo "${bridges_list}"
2016-12-21 16:26:49 +01:00
}
function add_tor_bridge {
2018-03-02 20:17:02 +01:00
data=$(mktemp 2>/dev/null)
2016-12-21 17:35:50 +01:00
dialog --backtitle $"Freedombone Control Panel" \
--title $"Add obfs4 Tor bridge" \
2018-03-02 20:17:02 +01:00
--form "\\n" 9 60 4 \
2016-12-22 12:30:44 +01:00
$"IP address: " 1 1 " . . . " 1 17 16 16 \
2016-12-22 13:37:39 +01:00
$"Port: " 2 1 "" 2 17 8 8 \
2016-12-22 12:30:44 +01:00
$"Key/Nickname: " 3 1 "" 3 17 250 250 \
2018-03-02 20:17:02 +01:00
2> "$data"
2016-12-21 17:35:50 +01:00
sel=$?
case $sel in
2018-03-02 20:17:02 +01:00
1) rm -f "$data"
return;;
255) rm -f "$data"
return;;
2016-12-21 17:35:50 +01:00
esac
2018-03-02 20:17:02 +01:00
bridge_ip_address=$(sed -n 1p < "$data")
bridge_port=$(sed -n 2p < "$data")
bridge_key=$(sed -n 3p < "$data")
rm -f "$data"
2016-12-21 17:35:50 +01:00
if [[ "${bridge_ip_address}" == *" "* ]]; then
return
fi
if [[ "${bridge_ip_address}" != *"."* ]]; then
return
fi
if [ ${#bridge_port} -eq 0 ]; then
return
fi
if [ ${#bridge_key} -eq 0 ]; then
return
fi
tor_add_bridge "${bridge_ip_address}" "${bridge_port}" "${bridge_key}"
dialog --title $"Add obfs4 Tor bridge" \
--msgbox $"Bridge added" 6 40
2016-12-21 16:26:49 +01:00
}
function remove_tor_bridge {
2016-12-22 14:13:48 +01:00
bridge_removed=
2018-03-02 20:17:02 +01:00
data=$(mktemp 2>/dev/null)
2016-12-22 14:13:48 +01:00
dialog --title $"Remove obfs4 Tor bridge" \
--backtitle $"Freedombone Control Panel" \
2018-03-02 20:17:02 +01:00
--inputbox $"Enter the IP address, key or Nickname of the bridge" 8 65 2>"$data"
2016-12-21 17:35:50 +01:00
sel=$?
case $sel in
2016-12-22 14:13:48 +01:00
0)
2018-03-02 20:17:02 +01:00
response=$(<"$data")
2016-12-22 14:13:48 +01:00
if [ ${#response} -gt 2 ]; then
if [[ "${response}" != *" "* ]]; then
if [[ "${response}" == *"."* ]]; then
2017-06-28 14:52:14 +02:00
if grep -q "Bridge ${response}" /etc/tor/torrc; then
2016-12-22 14:13:48 +01:00
tor_remove_bridge "${response}"
bridge_removed=1
fi
else
2017-06-28 14:52:14 +02:00
if grep -q " $response" /etc/tor/torrc; then
2016-12-22 14:13:48 +01:00
tor_remove_bridge "${response}"
bridge_removed=1
fi
fi
fi
fi
;;
2016-12-21 17:35:50 +01:00
esac
2018-03-02 20:17:02 +01:00
rm -f "$data"
2016-12-22 14:13:48 +01:00
if [ $bridge_removed ]; then
dialog --title $"Remove obfs4 Tor bridge" \
--msgbox $"Bridge removed" 6 40
2016-12-21 17:35:50 +01:00
fi
2016-12-21 16:26:49 +01:00
}
2016-12-22 12:30:44 +01:00
function add_tor_bridge_relay {
read_config_param 'TOR_BRIDGE_NICKNAME'
read_config_param 'TOR_BRIDGE_PORT'
# remove any previous bridge port from the firewall
if [ ${#TOR_BRIDGE_PORT} -gt 0 ]; then
2018-03-02 20:17:02 +01:00
firewall_remove "$TOR_BRIDGE_PORT" tcp
2016-12-22 12:30:44 +01:00
fi
2018-03-02 20:17:02 +01:00
data=$(mktemp 2>/dev/null)
2016-12-22 12:30:44 +01:00
dialog --backtitle $"Freedombone Control Panel" \
--title $"Become an obfs4 Tor bridge relay" \
2018-03-02 20:17:02 +01:00
--form "\\n" 8 60 2 \
2016-12-22 12:30:44 +01:00
$"Bridge Nickname: " 1 1 "$TOR_BRIDGE_NICKNAME" 1 20 250 250 \
2018-03-02 20:17:02 +01:00
2> "$data"
2016-12-22 12:30:44 +01:00
sel=$?
case $sel in
2018-03-02 20:17:02 +01:00
1) rm -f "$data"
return;;
255) rm -f "$data"
return;;
2016-12-22 12:30:44 +01:00
esac
2018-03-02 20:17:02 +01:00
bridge_nickname=$(sed -n 1p < "$data")
rm -f "$data"
2016-12-22 12:30:44 +01:00
if [[ "${bridge_nickname}" == *" "* ]]; then
return
fi
if [ ${#bridge_nickname} -eq 0 ]; then
return
fi
TOR_BRIDGE_NICKNAME="$bridge_nickname"
TOR_BRIDGE_PORT=$((20000 + RANDOM % 40000))
write_config_param 'TOR_BRIDGE_NICKNAME' "$TOR_BRIDGE_NICKNAME"
write_config_param 'TOR_BRIDGE_PORT' "$TOR_BRIDGE_PORT"
tor_create_bridge_relay
dialog --title $"You are now an obfs4 Tor bridge relay" \
2018-03-02 20:17:02 +01:00
--msgbox $"\\nIP address: $(get_ipv4_address)\\n\\nPort: ${TOR_BRIDGE_PORT}\\n\\nNickname: ${TOR_BRIDGE_NICKNAME}" 10 65
2016-12-22 12:30:44 +01:00
}
function remove_tor_bridge_relay {
tor_remove_bridge_relay
dialog --title $"Remove Tor bridge relay" \
--msgbox $"Bridge relay removed" 10 60
}
2016-12-21 17:38:24 +01:00
function menu_tor_bridges {
2018-03-17 23:10:44 +01:00
W=(1 $"Show bridges"
2 $"Add a bridge"
3 $"Remove a bridge"
4 $"Make this system into a bridge"
5 $"Stop being a bridge")
2016-12-21 16:26:49 +01:00
2018-03-17 23:10:44 +01:00
# shellcheck disable=SC2068
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to go back:" 14 50 6 "${W[@]}" 3>&2 2>&1 1>&3)
if [ ! "$selection" ]; then
exit 0
fi
case $selection in
2016-12-21 16:26:49 +01:00
1)
show_tor_bridges
exit 0
;;
2)
add_tor_bridge
exit 0
;;
3)
remove_tor_bridge
exit 0
;;
4)
2016-12-22 12:30:44 +01:00
add_tor_bridge_relay
exit 0
;;
5)
remove_tor_bridge_relay
2016-12-21 16:26:49 +01:00
exit 0
;;
esac
}
2016-10-30 10:56:32 +01:00
function menu_security_settings {
2018-03-18 11:33:43 +01:00
W=(1 $"Passwords"
2 $"Run STIG tests"
3 $"Fix STIG test failures"
2018-03-18 11:58:18 +01:00
4 $"Show tripwire verification code"
5 $"Reset tripwire"
2018-03-18 12:06:27 +01:00
6 $"Enable or disable ping"
7 $"Show ssh host public key"
8 $"Tor bridges"
9 $"Password storage"
10 $"Export passwords"
11 $"Regenerate ssh host keys"
12 $"Regenerate Diffie-Hellman keys"
13 $"Update cipersuite"
14 $"Create a new Let's Encrypt certificate"
15 $"Renew Let's Encrypt certificate"
16 $"Delete a Let's Encrypt certificate"
2018-03-18 12:08:05 +01:00
17 $"Allow ssh login with passwords"
18 $"Show firewall")
2018-03-17 23:10:44 +01:00
# shellcheck disable=SC2068
2018-03-18 12:09:29 +01:00
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 25 76 25 "${W[@]}" 3>&2 2>&1 1>&3)
2018-03-17 23:10:44 +01:00
if [ ! "$selection" ]; then
exit 0
fi
2016-10-30 10:56:32 +01:00
2016-08-09 10:34:31 +02:00
clear
2016-10-30 10:56:32 +01:00
read_config_param SSL_CIPHERS
read_config_param SSL_PROTOCOLS
read_config_param SSH_CIPHERS
read_config_param SSH_MACS
read_config_param SSH_KEX
get_imap_settings
get_ssh_settings
get_xmpp_settings
import_settings
export_settings
2018-03-17 23:10:44 +01:00
case $selection in
2016-10-30 10:56:32 +01:00
1)
2018-03-18 11:33:43 +01:00
view_or_change_passwords
exit 0;
;;
2)
2016-12-01 11:41:48 +01:00
clear
echo $'Running STIG tests...'
echo ''
${PROJECT_NAME}-tests --stig showall
exit 0
;;
2018-03-18 11:33:43 +01:00
3)
2017-08-05 11:00:34 +02:00
clear
echo $'Fixing any STIG failures...'
echo ''
${PROJECT_NAME}-tests --stig fix
2017-08-05 11:07:33 +02:00
echo $'Fixes applied. You will need to run the STIG tests again to be sure that they were all fixed.'
2017-08-05 11:00:34 +02:00
exit 0
;;
2018-03-18 11:33:43 +01:00
4)
2018-03-18 11:58:18 +01:00
show_tripwire_verification_code
any_key_verify
2018-03-18 12:02:50 +01:00
exit 0
2018-03-18 11:58:18 +01:00
;;
5)
reset_tripwire
2018-03-18 12:02:50 +01:00
exit 0
2018-03-18 11:58:18 +01:00
;;
6)
2018-03-18 12:06:27 +01:00
ping_enable_disable
exit 0
;;
7)
2016-11-23 00:58:49 +01:00
dialog --title $"SSH host public keys" \
2018-03-17 23:10:44 +01:00
--msgbox "\\n$(get_ssh_server_key)" 12 60
2016-11-22 23:57:43 +01:00
exit 0
2016-10-30 10:56:32 +01:00
;;
2018-03-18 12:06:27 +01:00
8)
2016-12-21 16:26:49 +01:00
menu_tor_bridges
2016-11-23 10:42:26 +01:00
exit 0
2016-10-30 10:56:32 +01:00
;;
2018-03-18 12:06:27 +01:00
9)
2016-12-21 16:26:49 +01:00
store_passwords
2016-11-24 14:44:42 +01:00
exit 0
2016-11-22 23:57:43 +01:00
;;
2018-03-18 12:06:27 +01:00
10)
2016-12-21 16:26:49 +01:00
export_passwords
exit 0
2016-11-23 10:34:45 +01:00
;;
2018-03-18 12:06:27 +01:00
11)
2016-12-21 16:26:49 +01:00
regenerate_ssh_host_keys
2016-11-24 14:44:42 +01:00
;;
2018-03-18 12:06:27 +01:00
12)
2016-12-21 16:26:49 +01:00
regenerate_dh_keys
;;
2018-03-18 12:06:27 +01:00
13)
2016-10-30 10:56:32 +01:00
interactive_setup
update_ciphersuite
;;
2018-03-18 12:06:27 +01:00
14)
2016-10-30 10:56:32 +01:00
create_letsencrypt
;;
2018-03-18 12:06:27 +01:00
15)
2016-10-30 10:56:32 +01:00
renew_letsencrypt
;;
2018-03-18 12:06:27 +01:00
16)
2017-02-25 12:28:55 +01:00
delete_letsencrypt
2016-10-30 10:56:32 +01:00
;;
2018-03-18 12:06:27 +01:00
17)
2016-10-30 11:07:57 +01:00
allow_ssh_passwords
2016-10-30 11:11:03 +01:00
change_ssh_settings
2016-10-30 10:56:32 +01:00
exit 0
;;
2018-03-18 12:08:05 +01:00
18)
2018-03-18 11:03:43 +01:00
show_firewall
exit 0
;;
2016-10-30 10:56:32 +01:00
esac
change_website_settings
change_imap_settings
change_ssh_settings
change_xmpp_settings
2015-08-15 14:34:59 +02:00
}
2015-02-02 22:04:36 +01:00
function import_settings {
2018-03-02 20:17:02 +01:00
cd "$CURRENT_DIR" || exit 2468724684
2016-08-09 10:34:31 +02:00
if [ ! $IMPORT_FILE ]; then
return
fi
if [ ! -f $IMPORT_FILE ]; then
echo $"Import file $IMPORT_FILE not found"
exit 6393
fi
if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
SSL_PROTOCOLS=$TEMP_VALUE
fi
fi
if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
SSL_CIPHERS=$TEMP_VALUE
fi
fi
if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
SSH_CIPHERS=$TEMP_VALUE
fi
fi
if grep -q "SSH_MACS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
SSH_MACS=$TEMP_VALUE
fi
fi
if grep -q "SSH_KEX" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
SSH_KEX=$TEMP_VALUE
fi
fi
if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
fi
fi
if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
SSH_PASSWORDS=$TEMP_VALUE
fi
fi
if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
XMPP_CIPHERS=$TEMP_VALUE
fi
fi
if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt 3 ]; then
XMPP_ECC_CURVE=$TEMP_VALUE
fi
fi
2015-02-02 22:04:36 +01:00
}
function export_settings {
2016-08-09 10:34:31 +02:00
if [ ! $EXPORT_FILE ]; then
return
fi
2018-03-02 20:17:02 +01:00
cd "$CURRENT_DIR" || exit 92465274527
2016-08-09 10:34:31 +02:00
if [ ! -f $EXPORT_FILE ]; then
if [ "$SSL_PROTOCOLS" ]; then
echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
fi
2018-03-02 20:17:02 +01:00
if [ "$SSL_CIPHERS" ]; then
2016-08-09 10:34:31 +02:00
echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
fi
2018-03-02 20:17:02 +01:00
if [ "$SSH_CIPHERS" ]; then
2016-08-09 10:34:31 +02:00
echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
fi
2018-03-02 20:17:02 +01:00
if [ "$SSH_MACS" ]; then
2016-08-09 10:34:31 +02:00
echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
fi
2018-03-02 20:17:02 +01:00
if [ "$SSH_KEX" ]; then
2016-08-09 10:34:31 +02:00
echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
fi
2018-03-02 20:17:02 +01:00
if [ "$SSH_HOST_KEY_ALGORITHMS" ]; then
2016-08-09 10:34:31 +02:00
echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
fi
2018-03-02 20:17:02 +01:00
if [ "$SSH_PASSWORDS" ]; then
2016-08-09 10:34:31 +02:00
echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
fi
2018-03-02 20:17:02 +01:00
if [ "$XMPP_CIPHERS" ]; then
2016-08-09 10:34:31 +02:00
echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
fi
2018-03-02 20:17:02 +01:00
if [ "$XMPP_ECC_CURVE" ]; then
2016-08-09 10:34:31 +02:00
echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
fi
echo "Security settings exported to $EXPORT_FILE"
exit 0
fi
if [ "$SSL_PROTOCOLS" ]; then
if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
else
echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
fi
fi
2018-03-02 20:17:02 +01:00
if [ "$SSL_CIPHERS" ]; then
2016-08-09 10:34:31 +02:00
if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
else
echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
fi
fi
2018-03-02 20:17:02 +01:00
if [ "$SSH_CIPHERS" ]; then
2016-08-09 10:34:31 +02:00
if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
else
echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
fi
fi
2018-03-02 20:17:02 +01:00
if [ "$SSH_MACS" ]; then
2016-08-09 10:34:31 +02:00
if grep -q "SSH_MACS" $EXPORT_FILE; then
sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
else
echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
fi
fi
2018-03-02 20:17:02 +01:00
if [ "$SSH_KEX" ]; then
2016-08-09 10:34:31 +02:00
if grep -q "SSH_KEX" $EXPORT_FILE; then
sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
else
echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
fi
fi
2018-03-02 20:17:02 +01:00
if [ "$SSH_HOST_KEY_ALGORITHMS" ]; then
2016-08-09 10:34:31 +02:00
if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
else
echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
fi
fi
2018-03-02 20:17:02 +01:00
if [ "$SSH_PASSWORDS" ]; then
2016-08-09 10:34:31 +02:00
if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
else
echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
fi
fi
2018-03-02 20:17:02 +01:00
if [ "$XMPP_CIPHERS" ]; then
2016-08-09 10:34:31 +02:00
if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
else
echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
fi
fi
2018-03-02 20:17:02 +01:00
if [ "$XMPP_ECC_CURVE" ]; then
2016-08-09 10:34:31 +02:00
if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
else
echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
fi
fi
echo $"Security settings exported to $EXPORT_FILE"
exit 0
2015-02-02 22:04:36 +01:00
}
2016-05-02 10:54:56 +02:00
function refresh_gpg_keys {
2016-08-09 10:34:31 +02:00
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
2016-10-01 11:48:07 +02:00
if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
2018-03-02 20:17:02 +01:00
su -c 'gpg --refresh-keys' - "$USERNAME"
2016-08-09 10:34:31 +02:00
fi
done
exit 0
2016-05-02 10:54:56 +02:00
}
2016-05-04 14:56:00 +02:00
function monkeysphere_sign_server_keys {
2016-08-09 10:34:31 +02:00
server_keys_file=/home/$USER/.monkeysphere/server_keys
2018-03-02 20:17:02 +01:00
if [ ! -f "$server_keys_file" ]; then
2016-08-09 10:34:31 +02:00
exit 0
fi
keys_signed=
2018-03-02 20:17:02 +01:00
while read -r line; do
echo "$line"
2016-08-09 10:34:31 +02:00
if [ ${#line} -gt 2 ]; then
fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')
if [ ${#fpr} -gt 2 ]; then
2018-03-02 20:17:02 +01:00
if gpg --sign-key "$fpr"; then
2016-08-09 10:34:31 +02:00
gpg --update-trustdb
keys_signed=1
fi
fi
fi
2018-03-02 20:17:02 +01:00
done <"$server_keys_file"
2016-08-09 10:34:31 +02:00
if [ $keys_signed ]; then
2018-03-02 20:17:02 +01:00
rm "$server_keys_file"
2016-08-09 10:34:31 +02:00
fi
exit 0
2016-05-04 14:56:00 +02:00
}
2016-10-16 14:23:21 +02:00
function htmly_hash {
# produces a hash corresponding to a htmly password
2016-08-09 10:34:31 +02:00
pass="$1"
2016-10-16 14:23:21 +02:00
HTMLYHASH_FILENAME=/usr/bin/htmlyhash
2018-03-02 20:17:02 +01:00
{ echo '<?php';
echo "parse_str(implode(\"&\", array_slice(\$argv, 1)), \$_GET);";
echo "\$password = \$_GET[\"password\"];";
echo "\$hash = password_hash(\$password, PASSWORD_BCRYPT);";
echo "if (password_verify(\$password, \$hash)) {";
echo " echo \$hash;";
echo '}';
echo '?>'; } > "$HTMLYHASH_FILENAME"
2016-10-16 14:23:21 +02:00
php $HTMLYHASH_FILENAME password="$pass"
2016-05-21 15:41:48 +02:00
}
2015-02-02 22:04:36 +01:00
function show_help {
2016-08-09 10:34:31 +02:00
echo ''
echo "${PROJECT_NAME}-sec"
echo ''
echo $'Alters the security settings'
echo ''
echo ''
2016-10-16 14:23:21 +02:00
echo $' -h --help Show help'
echo $' -e --export Export security settings to a file'
echo $' -i --import Import security settings from a file'
echo $' -r --refresh Refresh GPG keys for all users'
echo $' -s --sign Sign monkeysphere server keys'
echo $' --register [domain] Register a https domain with monkeysphere'
echo $' -b --htmlyhash [password] Returns the hash of a password for a htmly blog'
2016-08-09 10:34:31 +02:00
echo ''
exit 0
2015-02-02 22:04:36 +01:00
}
# Get the commandline options
2018-02-25 12:04:13 +01:00
while [ $# -gt 1 ]
2015-02-02 22:04:36 +01:00
do
2016-08-09 10:34:31 +02:00
key="$1"
case $key in
-h|--help)
show_help
;;
# Export settings
-e|--export)
shift
EXPORT_FILE="$1"
;;
# Export settings
-i|--import)
shift
IMPORT_FILE="$1"
;;
# Refresh GPG keys
-r|--refresh)
shift
refresh_gpg_keys
;;
# register a website
--register|--reg|--site)
shift
register_website "$1"
;;
# user signs monkeysphere server keys
-s|--sign)
shift
monkeysphere_sign_server_keys
;;
2016-10-16 14:23:21 +02:00
# get a hash of the given htmly password
-b|--htmlyhash)
2016-08-09 10:34:31 +02:00
shift
2016-10-16 14:23:21 +02:00
htmly_hash "$1"
2016-08-09 10:34:31 +02:00
exit 0
;;
*)
# unknown option
;;
esac
shift
2015-02-02 22:04:36 +01:00
done
2016-10-30 10:56:32 +01:00
menu_security_settings
2015-02-01 15:57:59 +01:00
exit 0