Improve security settings command

src/freedombone-sec

@@ -64,8 +64,6 @@ EXPORT_FILE=
 
 CURRENT_DIR=$(pwd)
 
-REGENERATE_SSH_HOST_KEYS="no"
-REGENERATE_DH_KEYS="no"
 DH_KEYLENGTH=2048
 LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
 
@@ -85,25 +83,6 @@ function get_ciphers_from_website {
     SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
 }
 
-function get_website_settings {
-    if [ ! -d $WEBSITES_DIRECTORY ]; then
-        return
-    fi
-
-    cd $WEBSITES_DIRECTORY
-    for file in `dir -d *` ; do
-        get_protocols_from_website $file
-        if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
-            get_ciphers_from_website $file
-            if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
-                break
-            else
-                SSL_PROTOCOLS=""
-            fi
-        fi
-    done
-}
-
 function get_imap_settings {
     if [ ! -f $DOVECOT_CIPHERS ]; then
         return
@@ -129,19 +108,10 @@ function get_xmpp_settings {
 
 function get_ssh_settings {
     if [ -f $SSH_CONFIG ]; then
-        SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
-        SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
-        SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
         SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
     fi
     if [ -f /etc/ssh/ssh_config ]; then
         SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
-        if [ ! $SSH_CIPHERS ]; then
-            SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
-        fi
-        if [ ! $SSH_MACS ]; then
-            SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
-        fi
     fi
 }
 
@@ -353,7 +323,6 @@ function send_monkeysphere_server_keys_to_users {
 }
 
 function regenerate_ssh_host_keys {
-    if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
     rm -f /etc/ssh/ssh_host_*
     dpkg-reconfigure openssh-server
     echo $'ssh host keys regenerated'
@@ -371,11 +340,9 @@ function regenerate_ssh_host_keys {
     send_monkeysphere_server_keys_to_users
     echo $'updated monkeysphere ssh host key'
     systemctl restart ssh
-    fi
 }
 
 function regenerate_dh_keys {
-    if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
     if [ ! -d /etc/ssl/mycerts ]; then
         echo $'No dhparam certificates were found'
         return
@@ -401,7 +368,6 @@ function regenerate_dh_keys {
     esac
 
     ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
-    fi
 }
 
 function renew_startssl {
@@ -528,11 +494,6 @@ function create_letsencrypt {
 }
 
 function update_ciphersuite {
-    read_config_param SSL_CIPHERS
-    read_config_param SSL_PROTOCOLS
-    read_config_param SSH_CIPHERS
-    read_config_param SSH_MACS
-
     RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"
     if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
         return
@@ -714,31 +675,49 @@ function remove_pinning {
     esac
 }
 
-function housekeeping {
+function menu_security_settings {
-    cmd=(dialog --separate-output \
+    data=$(tempfile 2>/dev/null)
-                --backtitle "Freedombone Security Configuration" \
+    trap "rm -f $data" 0 1 2 5 15
-                --title "Housekeeping options" \
+    dialog --backtitle $"Freedombone Control Panel" \
-                --checklist "If you don't need to do any of these things then just press Enter:" 15 76 15)
+           --title $"Security Settings" \
-    options=(1 "Regenerate ssh host keys" off
+           --radiolist $"Choose an operation:" 15 76 15 \
-             2 "Regenerate Diffie-Hellman keys" off
+           1 $"Regenerate ssh host keys" off \
-             3 "Update cipersuite" off
+           2 $"Regenerate Diffie-Hellman keys" off \
-             4 "Create a new Let's Encrypt certificate" off
+           3 $"Update cipersuite" off \
-             5 "Renew Let's Encrypt certificate" off
+           4 $"Create a new Let's Encrypt certificate" off \
-             6 "Enable GPG based authentication (monkeysphere)" off
+           5 $"Renew Let's Encrypt certificate" off \
-             7 "Register a website with monkeysphere" off
+           6 $"Enable GPG based authentication (monkeysphere)" off \
-             8 "Go Back/Exit" on)
+           7 $"Register a website with monkeysphere" off \
-    choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
+           8 $"Go Back/Exit" on 2> $data
+    sel=$?
+    case $sel in
+        1) exit 1;;
+        255) exit 1;;
+    esac
+
     clear
-    for choice in $choices
+
-    do
+    read_config_param SSL_CIPHERS
-        case $choice in
+    read_config_param SSL_PROTOCOLS
+    read_config_param SSH_CIPHERS
+    read_config_param SSH_MACS
+    read_config_param SSH_KEX
+
+    get_imap_settings
+    get_ssh_settings
+    get_xmpp_settings
+    import_settings
+    export_settings
+
+    case $(cat $data) in
         1)
-                REGENERATE_SSH_HOST_KEYS="yes"
+            regenerate_ssh_host_keys
             ;;
         2)
-                REGENERATE_DH_KEYS="yes"
+            regenerate_dh_keys
             ;;
         3)
+            interactive_setup
             update_ciphersuite
             ;;
         4)
@@ -757,7 +736,11 @@ function housekeeping {
             exit 0
             ;;
     esac
-    done
+
+    change_website_settings
+    change_imap_settings
+    change_ssh_settings
+    change_xmpp_settings
 }
 
 function import_settings {
@@ -1054,18 +1037,6 @@ do
     shift
 done
 
-housekeeping
+menu_security_settings
-get_website_settings
+
-get_imap_settings
-get_ssh_settings
-get_xmpp_settings
-import_settings
-export_settings
-interactive_setup
-change_website_settings
-change_imap_settings
-change_ssh_settings
-change_xmpp_settings
-regenerate_ssh_host_keys
-regenerate_dh_keys
 exit 0