From a97c7d8dcf22260338f2544d7e0fa77b455b45f8 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 18 Mar 2018 10:33:43 +0000
Subject: [PATCH] Move passwords to security settings
---
 src/freedombone-controlpanel | 202 ++++++--------------------------
 src/freedombone-sec | 155 +++++++++++++++++++-----
 src/freedombone-utils-passwords | 41 +++++++
 3 files changed, 201 insertions(+), 197 deletions(-)
diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel
index 38aa0875..4868c38d 100755
--- a/src/freedombone-controlpanel
+++ b/src/freedombone-controlpanel
@@ -185,73 +185,6 @@ function get_app_icann_address { echo "${DEFAULT_DOMAIN_NAME}" } -function passwords_select_user { - SELECTED_USERNAME= - - # shellcheck disable=SC2207 - users_array=($(ls /home)) - - delete=(git) - # shellcheck disable=SC2068 - for del in ${delete[@]} - do - # shellcheck disable=SC2206 - users_array=(${users_array[@]/$del}) - done - - i=0 - W=() - name=() - # shellcheck disable=SC2068 - for u in ${users_array[@]} - do - if [[ $(is_valid_user "$u") == "1" ]]; then - i=$((i+1)) - W+=("$i" "$u") - name+=("$u") - fi - done - - if [ $i -eq 1 ]; then - SELECTED_USERNAME="${name[0]}" - else - # shellcheck disable=SC2068 - user_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select User" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3) - - # shellcheck disable=SC2181 - if [ $? -eq 0 ]; then - SELECTED_USERNAME="${name[$((user_index-1))]}" - fi - fi -} - -function passwords_show_apps { - SELECTED_APP= - i=0 - W=() - name=() - # shellcheck disable=SC2068 - for a in ${APPS_AVAILABLE[@]} - do - if [[ $(function_exists "change_password_${a}") == "1" ]]; then - i=$((i+1)) - W+=("$i" "$a") - name+=("$a") - fi - done - i=$((i+1)) - W+=("$i" "mariadb") - name+=("mariadb") - - # shellcheck disable=SC2068 - selected_app_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select App" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3) - - # shellcheck disable=SC2181 - if [ $? -eq 0 ]; then - SELECTED_APP="${name[$((selected_app_index-1))]}" - fi -} - function reset_password_tries { passwords_select_user if [ ! "$SELECTED_USERNAME" ]; then 
@@ -262,67 +195,6 @@ function reset_password_tries { --msgbox $"Password tries have been reset for $SELECTED_USERNAME" 6 60 } -function view_or_change_passwords { - passwords_select_user - if [ ! "$SELECTED_USERNAME" ]; then - return - fi - detect_installed_apps - passwords_show_apps - if [ ! "$SELECTED_APP" ]; then - return - fi - - CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}") - - icann_address=$(get_app_icann_address "${SELECTED_APP}") - onion_address=$(get_app_onion_address "${SELECTED_APP}") - - titlestr=$"View or Change Password" - if [ ${#onion_address} -gt 0 ]; then - viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address\\n\\nCopy or change it if you wish." - else - viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address\\n\\nCopy or change it if you wish." - fi - - if [ -f /root/.nostore ]; then - titlestr=$"Change Password" - if [ ${#onion_address} -gt 0 ]; then - viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address." - else - viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address." - fi - fi - - if [[ "${SELECTED_APP}" == 'mariadb' ]]; then - CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a mariadb) - dialog --title $"MariaDB database password" \ - --msgbox "\\n ${CURR_PASSWORD}" 7 40 - return - fi - - data=$(mktemp 2>/dev/null) - dialog --title "$titlestr" \ - --backtitle $"Freedombone Control Panel" \ - --inputbox "$viewstr" 12 75 "$CURR_PASSWORD" 2>"$data" - sel=$? 
- case $sel in - 0) - CURR_PASSWORD=$(<"$data") - if [ ${#CURR_PASSWORD} -gt 8 ]; then - "${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}" -p "${CURR_PASSWORD}" - "change_password_${SELECTED_APP}" "${SELECTED_USERNAME}" "${CURR_PASSWORD}" - dialog --title $"Change password" \ - --msgbox $"The password was changed" 6 40 - else - dialog --title $"Change password" \ - --msgbox $"The password given must be at least 8 characters" 6 40 - fi - ;; - esac - rm -f "$data" -} - function check_for_updates { if [ ! -f "/etc/cron.weekly/$UPGRADE_SCRIPT_NAME" ]; then dialog --title $"Check for updates" \
@@ -2227,25 +2099,24 @@ function menu_top_level { while true do W=(1 $"About this system" - 2 $"Passwords" - 3 $"Backup and Restore" - 4 $"Verify Tripwire Code" - 5 $"Reset Tripwire" - 6 $"App Settings" - 7 $"Add/Remove Apps" - 8 $"Logging on/off" - 9 $"Ping enable/disable" - 10 $"Manage Users" - 11 $"Email Menu" - 12 $"Domain or User Blocking" - 13 $"Security Settings" - 14 $"Change the name of this system" - 15 $"Set a static local IP address" - 16 $"Wifi menu" - 17 $"Add Clacks" - 18 $"Check for updates" - 19 $"Power off the system" - 20 $"Restart the system") + 2 $"Backup and Restore" + 3 $"Verify Tripwire Code" + 4 $"Reset Tripwire" + 5 $"App Settings" + 6 $"Add/Remove Apps" + 7 $"Logging on/off" + 8 $"Ping enable/disable" + 9 $"Manage Users" + 10 $"Email Menu" + 11 $"Domain or User Blocking" + 12 $"Security Settings" + 13 $"Change the name of this system" + 14 $"Set a static local IP address" + 15 $"Wifi menu" + 16 $"Add Clacks" + 17 $"Check for updates" + 18 $"Power off the system" + 19 $"Restart the system") # shellcheck disable=SC2068 selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 27 60 27 "${W[@]}" 3>&2 2>&1 1>&3)
@@ -2258,29 +2129,28 @@ function menu_top_level { case $selection in 1) show_about;; - 2) view_or_change_passwords;; - 3) menu_backup_restore;; - 4) show_tripwire_verification_code + 2) menu_backup_restore;; + 3) show_tripwire_verification_code any_key_verify;; - 5) reset_tripwire;; - 6) menu_app_settings;; - 7) if ! /usr/local/bin/addremove; then + 4) reset_tripwire;; + 5) menu_app_settings;; + 6) if ! /usr/local/bin/addremove; then any_key fi ;; - 8) logging_on_off;; - 9) ping_enable_disable;; - 10) menu_users;; - 11) menu_email;; - 12) domain_blocking;; - 13) security_settings;; - 14) change_system_name;; - 15) set_static_IP;; - 16) menu_wifi;; - 17) add_clacks;; - 18) check_for_updates;; - 19) shut_down_system;; - 20) restart_system;; + 7) logging_on_off;; + 8) ping_enable_disable;; + 9) menu_users;; + 10) menu_email;; + 11) domain_blocking;; + 12) security_settings;; + 13) change_system_name;; + 14) set_static_IP;; + 15) menu_wifi;; + 16) add_clacks;; + 17) check_for_updates;; + 18) shut_down_system;; + 19) restart_system;; esac done }
diff --git a/src/freedombone-sec b/src/freedombone-sec
index 4db067fa..08f4adc4 100755
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -69,6 +69,94 @@ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory' MY_USERNAME= +function passwords_show_apps { + SELECTED_APP= + i=0 + W=() + name=() + # shellcheck disable=SC2068 + for a in ${APPS_AVAILABLE[@]} + do + if [[ $(function_exists "change_password_${a}") == "1" ]]; then + i=$((i+1)) + W+=("$i" "$a") + name+=("$a") + fi + done + i=$((i+1)) + W+=("$i" "mariadb") + name+=("mariadb") + + # shellcheck disable=SC2068 + selected_app_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select App" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3) + + # shellcheck disable=SC2181 + if [ $? -eq 0 ]; then + SELECTED_APP="${name[$((selected_app_index-1))]}" + fi +} + +function view_or_change_passwords { + passwords_select_user + if [ ! "$SELECTED_USERNAME" ]; then + return + fi + detect_installed_apps + passwords_show_apps + if [ ! "$SELECTED_APP" ]; then + return + fi + + CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}") + + icann_address=$(get_app_icann_address "${SELECTED_APP}") + onion_address=$(get_app_onion_address "${SELECTED_APP}") + + titlestr=$"View or Change Password" + if [ ${#onion_address} -gt 0 ]; then + viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address\\n\\nCopy or change it if you wish." + else + viewstr=$"${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address\\n\\nCopy or change it if you wish." + fi + + if [ -f /root/.nostore ]; then + titlestr=$"Change Password" + if [ ${#onion_address} -gt 0 ]; then + viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address or $onion_address." + else + viewstr=$"Change the ${SELECTED_APP} password for ${SELECTED_USERNAME} on $icann_address." 
+ fi + fi + + if [[ "${SELECTED_APP}" == 'mariadb' ]]; then + CURR_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a mariadb) + dialog --title $"MariaDB database password" \ + --msgbox "\\n ${CURR_PASSWORD}" 7 40 + return + fi + + data=$(mktemp 2>/dev/null) + dialog --title "$titlestr" \ + --backtitle $"Freedombone Control Panel" \ + --inputbox "$viewstr" 12 75 "$CURR_PASSWORD" 2>"$data" + sel=$? + case $sel in + 0) + CURR_PASSWORD=$(<"$data") + if [ ${#CURR_PASSWORD} -gt 8 ]; then + "${PROJECT_NAME}-pass" -u "${SELECTED_USERNAME}" -a "${SELECTED_APP}" -p "${CURR_PASSWORD}" + "change_password_${SELECTED_APP}" "${SELECTED_USERNAME}" "${CURR_PASSWORD}" + dialog --title $"Change password" \ + --msgbox $"The password was changed" 6 40 + else + dialog --title $"Change password" \ + --msgbox $"The password given must be at least 8 characters" 6 40 + fi + ;; + esac + rm -f "$data" +} + function show_firewall { W=() while read -r line; do 
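Review bot: The length check in the moved view_or_change_passwords is off by one and out of step with the file it now sits beside: `if [ ${#CURR_PASSWORD} -gt 8 ]; then` rejects an 8-character password although the msgbox promises "at least 8", and freedombone-utils-passwords declares `MINIMUM_PASSWORD_LENGTH=10` (visible in the last hunk's header). I would write `if [ ${#CURR_PASSWORD} -ge "${MINIMUM_PASSWORD_LENGTH}" ]; then` and have the msgbox report that variable, assuming freedombone-sec sources the utils file. The function also calls get_app_icann_address, which the first hunk's context shows defined in freedombone-controlpanel; unless freedombone-sec defines or sources it (and likewise get_app_onion_address and detect_installed_apps), those `$(...)` expansions come back empty and the dialog silently shows no address. `data=$(mktemp 2>/dev/null)` is never checked, so a failed mktemp turns the `2>"$data"` redirect into an ambiguous-redirect error; `data=$(mktemp) || return` is the usual guard. Note too that the current password is handed to dialog and to `${PROJECT_NAME}-pass -p` on the command line, where it is readable by other local users through the process list for as long as those processes run.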
@@ -974,22 +1062,23 @@ function menu_tor_bridges { } function menu_security_settings { - W=(1 $"Run STIG tests" - 2 $"Fix STIG test failures" - 3 $"Show ssh host public key" - 4 $"Tor bridges" - 5 $"Password storage" - 6 $"Export passwords" - 7 $"Regenerate ssh host keys" - 8 $"Regenerate Diffie-Hellman keys" - 9 $"Update cipersuite" - 10 $"Create a new Let's Encrypt certificate" - 11 $"Renew Let's Encrypt certificate" - 12 $"Delete a Let's Encrypt certificate" - 13 $"Enable GPG based authentication (monkeysphere)" - 14 $"Register a website with monkeysphere" - 15 $"Allow ssh login with passwords" - 16 $"Show firewall") + W=(1 $"Passwords" + 2 $"Run STIG tests" + 3 $"Fix STIG test failures" + 4 $"Show ssh host public key" + 5 $"Tor bridges" + 6 $"Password storage" + 7 $"Export passwords" + 8 $"Regenerate ssh host keys" + 9 $"Regenerate Diffie-Hellman keys" + 10 $"Update cipersuite" + 11 $"Create a new Let's Encrypt certificate" + 12 $"Renew Let's Encrypt certificate" + 13 $"Delete a Let's Encrypt certificate" + 14 $"Enable GPG based authentication (monkeysphere)" + 15 $"Register a website with monkeysphere" + 16 $"Allow ssh login with passwords" + 17 $"Show firewall") # shellcheck disable=SC2068 selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 24 76 24 "${W[@]}" 3>&2 2>&1 1>&3)
@@ -1014,13 +1103,17 @@ function menu_security_settings { case $selection in 1) + view_or_change_passwords + exit 0; + ;; + 2) clear echo $'Running STIG tests...' echo '' ${PROJECT_NAME}-tests --stig showall exit 0 ;; - 2) + 3) clear echo $'Fixing any STIG failures...' echo ''
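Review bot: `+ 10 $"Update cipersuite"` reproduces a typo in a line the renumbering rewrites anyway; "ciphersuite" is the spelling used by update_ciphersuite in the next hunk. Because the label is a `$"..."` localised string, any translation catalogue keyed on the old text would need the same edit, so that should be checked before changing it. With `1 $"Passwords"` added next to `6 $"Password storage"` and `7 $"Export passwords"`, a more specific label such as `1 $"View or change passwords"` would tell the user which entry does what. menu_security_settings continues past the end of this hunk.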
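Review bot: The new `1)` arm writes `exit 0;` with a trailing semicolon before the `;;` on the next line, which every other arm in this case statement omits; drop the `;` so the arm reads like its neighbours. The arm calls view_or_change_passwords, which in turn calls passwords_select_user, now defined in freedombone-utils-passwords rather than in this file; whether freedombone-sec sources that file is not visible in the diff and should be confirmed before merging. The enclosing menu_security_settings starts before and ends after this hunk.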
@@ -1028,54 +1121,54 @@ function menu_security_settings { echo $'Fixes applied. You will need to run the STIG tests again to be sure that they were all fixed.' exit 0 ;; - 3) + 4) dialog --title $"SSH host public keys" \ --msgbox "\\n$(get_ssh_server_key)" 12 60 exit 0 ;; - 4) + 5) menu_tor_bridges exit 0 ;; - 5) + 6) store_passwords exit 0 ;; - 6) + 7) export_passwords exit 0 ;; - 7) + 8) regenerate_ssh_host_keys ;; - 8) + 9) regenerate_dh_keys ;; - 9) + 10) interactive_setup update_ciphersuite ;; - 10) + 11) create_letsencrypt ;; - 11) + 12) renew_letsencrypt ;; - 12) + 13) delete_letsencrypt ;; - 13) + 14) enable_monkeysphere ;; - 14) + 15) register_website ;; - 15) + 16) allow_ssh_passwords change_ssh_settings exit 0 ;; - 16) + 17) show_firewall exit 0 ;;
diff --git a/src/freedombone-utils-passwords b/src/freedombone-utils-passwords
index fa5c8703..85b085dc 100755
--- a/src/freedombone-utils-passwords
+++ b/src/freedombone-utils-passwords
@@ -39,6 +39,47 @@ MINIMUM_PASSWORD_LENGTH=10 # The default password length used in images DEFAULT_PASSWORD_LENGTH=20 +function passwords_select_user { + SELECTED_USERNAME= + + # shellcheck disable=SC2207 + users_array=($(ls /home)) + + delete=(git) + # shellcheck disable=SC2068 + for del in ${delete[@]} + do + # shellcheck disable=SC2206 + users_array=(${users_array[@]/$del}) + done + + i=0 + W=() + name=() + # shellcheck disable=SC2068 + for u in ${users_array[@]} + do + if [[ $(is_valid_user "$u") == "1" ]]; then + i=$((i+1)) + W+=("$i" "$u") + name+=("$u") + fi + done + + if [ $i -eq 1 ]; then + SELECTED_USERNAME="${name[0]}" + else + # shellcheck disable=SC2068 + user_index=$(dialog --backtitle $"Freedombone Control Panel" --title $"Select User" --menu $"Select one of the following:" 24 40 17 ${W[@]} 3>&2 2>&1 1>&3) + + # shellcheck disable=SC2181 + if [ $? -eq 0 ]; then + # shellcheck disable=SC2034 + SELECTED_USERNAME="${name[$((user_index-1))]}" + fi + fi +} + function enforce_good_passwords { # because humans are generally bad at choosing passwords if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
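Review bot: The `git` filter in passwords_select_user is a substring substitution, not an element removal: `users_array=(${users_array[@]/$del})` turns a home directory named `gitta` into the candidate `ta`, and only a name exactly equal to `git` collapses to an empty word that word splitting then drops. Since the following loop already inspects each name, the whole delete loop can go and a guard inside that loop, `[[ "$u" == "git" ]] && continue`, does the job correctly. The function also relies on is_valid_user and dialog being available wherever this file is sourced, and reset_password_tries in freedombone-controlpanel (visible in the first hunk's context) still calls it, so controlpanel has to source freedombone-utils-passwords for that menu entry to keep working; I cannot confirm that from the diff. The new `# shellcheck disable=SC2034` records that SELECTED_USERNAME is consumed elsewhere; a header comment such as `# Sets SELECTED_USERNAME for callers in freedombone-controlpanel and freedombone-sec` would make that contract explicit.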