Fix creation of backup key

This commit is contained in:
Bob Mottram 2017-06-03 12:20:15 +01:00
parent 50d99f06eb
commit 8e77c68ac0
4 changed files with 28 additions and 50 deletions

View File

@ -157,6 +157,7 @@ if [ ! -f $MY_GPG_PUBLIC_KEY ]; then
userdel -r $ADD_USERNAME
exit 7
fi
gpg_allow_tty $ADD_USERNAME
# add a monkeysphere subkey
#echo $'Adding monkeysphere subkey'

View File

@ -1646,36 +1646,14 @@ function configure_gpg {
fi
MY_GPG_PUBLIC_KEY=/tmp/public_key.gpg
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME
if grep -q "install_email" $COMPLETION_FILE; then
if ! grep -q $"Change your GPG password" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'# Change your GPG password' >> /home/$MY_USERNAME/README
echo $"It's very important to add a password to your GPG key so that" >> /home/$MY_USERNAME/README
echo $"if anyone does get access to your email they still won't be able" >> /home/$MY_USERNAME/README
echo $'to read them without knowning the GPG password.' >> /home/$MY_USERNAME/README
echo $'You can change the it with:' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo " gpg --edit-key $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README
echo ' passwd' >> /home/$MY_USERNAME/README
echo ' save' >> /home/$MY_USERNAME/README
echo ' quit' >> /home/$MY_USERNAME/README
fi
if ! grep -q $"Publish your GPG public key" /home/$MY_USERNAME/README; then
echo '' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo $'# Publish your GPG public key' >> /home/$MY_USERNAME/README
echo $'So that others can send emails to you securely you should' >> /home/$MY_USERNAME/README
echo $'publish your GPG public key with the command:' >> /home/$MY_USERNAME/README
echo '' >> /home/$MY_USERNAME/README
echo " gpg --send-keys $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README
fi
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chmod 600 /home/$MY_USERNAME/README
fi
fi
if [ ! -d /root/.gnupg ]; then
cp -r /home/$MY_USERNAME/.gnupg /root/
fi
gpg_allow_tty root
gpg_allow_tty $MY_USERNAME
mark_completed $FUNCNAME
}

View File

@ -51,22 +51,6 @@ function restart_site {
SUSPENDED_SITE=
}
function backup_create_password {
BACKUP_PASSWORD_FILE=$(mktemp /tmp/fileXXXXX)
# Note: this doesn't need to be secure, it's just a way of
# getting around the forced interactivity of the gpg agent
echo -n "$BACKUP_DUMMY_PASSWORD" > $BACKUP_PASSWORD_FILE
}
function backup_remove_password {
if [ ! $BACKUP_PASSWORD_FILE ]; then
return
fi
if [ -f $BACKUP_PASSWORD_FILE ]; then
shred -zu $BACKUP_PASSWORD_FILE
fi
}
function configure_backup_key {
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
return
@ -104,20 +88,17 @@ function configure_backup_key {
fi
fi
backup_create_password
MY_BACKUP_KEY_ID=$(su -c "gpg --list-keys \"$MY_NAME (backup key)\"" - $MY_USERNAME | sed -n '2p' | sed 's/^[ \t]*//')
echo "Backup key: $MY_BACKUP_KEY_ID"
MY_BACKUP_KEY=/home/$MY_USERNAME/backup_key
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_public.asc --armor --export $MY_BACKUP_KEY_ID" - $MY_USERNAME
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_private.asc --armor --passphrase-fd $BACKUP_PASSWORD_FILE --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME
su -m root -c "echo '$BACKUP_DUMMY_PASSWORD' | gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_private.asc --armor --batch --passphrase-fd 0 --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME
if [ ! -f ${MY_BACKUP_KEY}_public.asc ]; then
backup_remove_password
echo 'Public backup key could not be exported'
exit 36829
fi
if [ ! -f ${MY_BACKUP_KEY}_private.asc ]; then
backup_remove_password
echo 'Private backup key could not be exported'
exit 29235
fi
@ -128,7 +109,6 @@ function configure_backup_key {
shred -zu ${MY_BACKUP_KEY}_public.asc
shred -zu ${MY_BACKUP_KEY}_private.asc
backup_remove_password
mark_completed $FUNCNAME
}

View File

@ -28,6 +28,25 @@
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
function gpg_allow_tty {
gpg_username=$1
if [[ $gpg_username == 'root' ]]; then
if ! grep -q 'GPG_TTY' /root/.bashrc; then
echo '' >> /root/.bashrc
echo 'GPG_TTY=$(tty)' >> /root/.bashrc
echo 'export GPG_TTY' >> /root/.bashrc
fi
else
if ! grep -q 'GPG_TTY' /home/$gpg_username/.bashrc; then
echo '' >> /home/$gpg_username/.bashrc
echo 'GPG_TTY=$(tty)' >> /home/$gpg_username/.bashrc
echo 'export GPG_TTY' >> /home/$gpg_username/.bashrc
chown $gpg_username:$gpg_username /home/$gpg_username/.bashrc
fi
fi
}
function gpg_pubkey_from_email {
key_owner_username=$1
key_email_address=$2