diff --git a/src/freedombone-sec b/src/freedombone-sec index b10629ac..74f51907 100755 --- a/src/freedombone-sec +++ b/src/freedombone-sec @@ -66,270 +66,270 @@ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory' MY_USERNAME= function get_protocols_from_website { - if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then - return - fi - SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}') + if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then + return + fi + SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}') } function get_ciphers_from_website { - if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then - return - fi - SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}') + if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then + return + fi + SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}') } function get_website_settings { - if [ ! -d $WEBSITES_DIRECTORY ]; then - return - fi + if [ ! -d $WEBSITES_DIRECTORY ]; then + return + fi - cd $WEBSITES_DIRECTORY - for file in `dir -d *` ; do - get_protocols_from_website $file - if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then - get_ciphers_from_website $file - if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then - break - else - SSL_PROTOCOLS="" - fi - fi - done + cd $WEBSITES_DIRECTORY + for file in `dir -d *` ; do + get_protocols_from_website $file + if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then + get_ciphers_from_website $file + if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then + break + else + SSL_PROTOCOLS="" + fi + fi + done } function get_imap_settings { - if [ ! -f $DOVECOT_CIPHERS ]; then - return - fi - # clear commented out cipher list - sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS - if [ $SSL_CIPHERS ]; then - return - fi - if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then - return - fi - SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}') + if [ ! -f $DOVECOT_CIPHERS ]; then + return + fi + # clear commented out cipher list + sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS + if [ $SSL_CIPHERS ]; then + return + fi + if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then + return + fi + SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}') } function get_xmpp_settings { - if [ ! -f $XMPP_CONFIG ]; then - return - fi - XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}') - XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}') + if [ ! -f $XMPP_CONFIG ]; then + return + fi + XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}') + XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}') } function get_ssh_settings { - if [ -f $SSH_CONFIG ]; then - SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}') - SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}') - SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}') - SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}') - fi - if [ -f /etc/ssh/ssh_config ]; then - SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}') - if [ ! $SSH_CIPHERS ]; then - SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}') - fi - if [ ! $SSH_MACS ]; then - SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}') - fi - fi + if [ -f $SSH_CONFIG ]; then + SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}') + SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}') + SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}') + SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}') + fi + if [ -f /etc/ssh/ssh_config ]; then + SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}') + if [ ! $SSH_CIPHERS ]; then + SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}') + fi + if [ ! $SSH_MACS ]; then + SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}') + fi + fi } function change_website_settings { - if [ ! "$SSL_PROTOCOLS" ]; then - return - fi - if [ ! $SSL_CIPHERS ]; then - return - fi - if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then - return - fi - if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then - return - fi - if [ ! -d $WEBSITES_DIRECTORY ]; then - return - fi + if [ ! "$SSL_PROTOCOLS" ]; then + return + fi + if [ ! $SSL_CIPHERS ]; then + return + fi + if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then + return + fi + if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then + return + fi + if [ ! -d $WEBSITES_DIRECTORY ]; then + return + fi - cd $WEBSITES_DIRECTORY - for file in `dir -d *` ; do - sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file - sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file - done - systemctl restart nginx - echo $'Web security settings changed' + cd $WEBSITES_DIRECTORY + for file in `dir -d *` ; do + sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file + sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file + done + systemctl restart nginx + echo $'Web security settings changed' } function change_imap_settings { - if [ ! -f $DOVECOT_CIPHERS ]; then - return - fi - if [ ! $SSL_CIPHERS ]; then - return - fi - if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then - return - fi - sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS - sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS - systemctl restart dovecot - echo $'imap security settings changed' + if [ ! -f $DOVECOT_CIPHERS ]; then + return + fi + if [ ! $SSL_CIPHERS ]; then + return + fi + if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then + return + fi + sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS + sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS + systemctl restart dovecot + echo $'imap security settings changed' } function change_ssh_settings { - if [ -f /etc/ssh/ssh_config ]; then - if [ $SSH_HOST_KEY_ALGORITHMS ]; then - sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config - echo $'ssh client security settings changed' - fi - fi - if [ -f $SSH_CONFIG ]; then - if [ ! $SSH_CIPHERS ]; then - return - fi - if [ ! $SSH_MACS ]; then - return - fi - if [ ! $SSH_KEX ]; then - return - fi - if [ ! $SSH_PASSWORDS ]; then - return - fi + if [ -f /etc/ssh/ssh_config ]; then + if [ $SSH_HOST_KEY_ALGORITHMS ]; then + sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config + echo $'ssh client security settings changed' + fi + fi + if [ -f $SSH_CONFIG ]; then + if [ ! $SSH_CIPHERS ]; then + return + fi + if [ ! $SSH_MACS ]; then + return + fi + if [ ! $SSH_KEX ]; then + return + fi + if [ ! $SSH_PASSWORDS ]; then + return + fi - sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG - sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG - sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG - sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG - systemctl restart ssh - echo $'ssh server security settings changed' - fi + sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG + sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG + sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG + sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG + systemctl restart ssh + echo $'ssh server security settings changed' + fi } function change_xmpp_settings { - if [ ! -f $XMPP_CONFIG ]; then - return - fi - if [ ! $XMPP_CIPHERS ]; then - return - fi - if [ ! $XMPP_ECC_CURVE ]; then - return - fi - sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG - sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG - systemctl restart prosody - echo $'xmpp security settings changed' + if [ ! -f $XMPP_CONFIG ]; then + return + fi + if [ ! $XMPP_CIPHERS ]; then + return + fi + if [ ! $XMPP_ECC_CURVE ]; then + return + fi + sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG + sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG + systemctl restart prosody + echo $'xmpp security settings changed' } function interactive_setup { - if [ $SSL_CIPHERS ]; then - data=$(tempfile 2>/dev/null) - trap "rm -f $data" 0 1 2 5 15 - dialog --backtitle $"Freedombone Security Configuration" \ - --form $"\nWeb/IMAP Ciphers:" 10 95 2 \ - $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \ - $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \ - 2> $data - sel=$? - case $sel in - 1) SSL_PROTOCOLS=$(cat $data | sed -n 1p) - SSL_CIPHERS=$(cat $data | sed -n 2p) - ;; - 255) exit 0;; - esac - fi + if [ $SSL_CIPHERS ]; then + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + dialog --backtitle $"Freedombone Security Configuration" \ + --form $"\nWeb/IMAP Ciphers:" 10 95 2 \ + $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \ + $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \ + 2> $data + sel=$? + case $sel in + 1) SSL_PROTOCOLS=$(cat $data | sed -n 1p) + SSL_CIPHERS=$(cat $data | sed -n 2p) + ;; + 255) exit 0;; + esac + fi - data=$(tempfile 2>/dev/null) - trap "rm -f $data" 0 1 2 5 15 - if [ $SSH_HOST_KEY_ALGORITHMS ]; then - dialog --backtitle $"Freedombone Security Configuration" \ - --form $"\nSecure Shell Ciphers:" 13 95 4 \ - $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \ - $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \ - $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \ - $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \ - 2> $data - sel=$? - case $sel in - 1) SSH_CIPHERS=$(cat $data | sed -n 1p) - SSH_MACS=$(cat $data | sed -n 2p) - SSH_KEX=$(cat $data | sed -n 3p) - SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p) - ;; - 255) exit 0;; - esac - else - dialog --backtitle $"Freedombone Security Configuration" \ - --form $"\nSecure Shell Ciphers:" 11 95 3 \ - $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \ - $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \ - $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \ - 2> $data - sel=$? - case $sel in - 1) SSH_CIPHERS=$(cat $data | sed -n 1p) - SSH_MACS=$(cat $data | sed -n 2p) - SSH_KEX=$(cat $data | sed -n 3p) - ;; - 255) exit 0;; - esac - fi + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + if [ $SSH_HOST_KEY_ALGORITHMS ]; then + dialog --backtitle $"Freedombone Security Configuration" \ + --form $"\nSecure Shell Ciphers:" 13 95 4 \ + $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \ + $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \ + $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \ + $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \ + 2> $data + sel=$? + case $sel in + 1) SSH_CIPHERS=$(cat $data | sed -n 1p) + SSH_MACS=$(cat $data | sed -n 2p) + SSH_KEX=$(cat $data | sed -n 3p) + SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p) + ;; + 255) exit 0;; + esac + else + dialog --backtitle $"Freedombone Security Configuration" \ + --form $"\nSecure Shell Ciphers:" 11 95 3 \ + $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \ + $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \ + $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \ + 2> $data + sel=$? + case $sel in + 1) SSH_CIPHERS=$(cat $data | sed -n 1p) + SSH_MACS=$(cat $data | sed -n 2p) + SSH_KEX=$(cat $data | sed -n 3p) + ;; + 255) exit 0;; + esac + fi - if [[ $SSH_PASSWORDS == "yes" ]]; then - dialog --title $"SSH Passwords" \ - --backtitle $"Freedombone Security Configuration" \ - --yesno $"\nAllow SSH login using passwords?" 7 60 - else - dialog --title $"SSH Passwords" \ - --backtitle $"Freedombone Security Configuration" \ - --defaultno \ - --yesno $"\nAllow SSH login using passwords?" 7 60 - fi - sel=$? - case $sel in - 0) SSH_PASSWORDS="yes";; - 1) SSH_PASSWORDS="no";; - 255) exit 0;; - esac + if [[ $SSH_PASSWORDS == "yes" ]]; then + dialog --title $"SSH Passwords" \ + --backtitle $"Freedombone Security Configuration" \ + --yesno $"\nAllow SSH login using passwords?" 7 60 + else + dialog --title $"SSH Passwords" \ + --backtitle $"Freedombone Security Configuration" \ + --defaultno \ + --yesno $"\nAllow SSH login using passwords?" 7 60 + fi + sel=$? + case $sel in + 0) SSH_PASSWORDS="yes";; + 1) SSH_PASSWORDS="no";; + 255) exit 0;; + esac - if [ $XMPP_CIPHERS ]; then - data=$(tempfile 2>/dev/null) - trap "rm -f $data" 0 1 2 5 15 - dialog --backtitle $"Freedombone Security Configuration" \ - --form $"\nXMPP Ciphers:" 10 95 2 \ - $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \ - $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \ - 2> $data - sel=$? - case $sel in - 1) XMPP_CIPHERS=$(cat $data | sed -n 1p) - XMPP_ECC_CURVE=$(cat $data | sed -n 2p) - ;; - 255) exit 0;; - esac - fi + if [ $XMPP_CIPHERS ]; then + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + dialog --backtitle $"Freedombone Security Configuration" \ + --form $"\nXMPP Ciphers:" 10 95 2 \ + $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \ + $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \ + 2> $data + sel=$? + case $sel in + 1) XMPP_CIPHERS=$(cat $data | sed -n 1p) + XMPP_ECC_CURVE=$(cat $data | sed -n 2p) + ;; + 255) exit 0;; + esac + fi - dialog --title $"Final Confirmation" \ - --backtitle $"Freedombone Security Configuration" \ - --defaultno \ - --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60 - sel=$? - case $sel in - 1) clear - echo $'Exiting without changing security settings' - exit 0;; - 255) clear + dialog --title $"Final Confirmation" \ + --backtitle $"Freedombone Security Configuration" \ + --defaultno \ + --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60 + sel=$? + case $sel in + 1) clear echo $'Exiting without changing security settings' exit 0;; - esac + 255) clear + echo $'Exiting without changing security settings' + exit 0;; + esac - clear + clear } function send_monkeysphere_server_keys_to_users { @@ -347,180 +347,180 @@ function send_monkeysphere_server_keys_to_users { } function regenerate_ssh_host_keys { - if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then - rm -f /etc/ssh/ssh_host_* - dpkg-reconfigure openssh-server - echo $'ssh host keys regenerated' - # remove small moduli - awk '$5 > 2000' /etc/ssh/moduli > ~/moduli - mv ~/moduli /etc/ssh/moduli - echo $'ssh small moduli removed' - # update monkeysphere - DEFAULT_DOMAIN_NAME= - if grep -q "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE; then - DEFAULT_DOMAIN_NAME=$(grep "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME - SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}') - monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME - monkeysphere-host publish-key - send_monkeysphere_server_keys_to_users - echo $'updated monkeysphere ssh host key' - systemctl restart ssh - fi + if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then + rm -f /etc/ssh/ssh_host_* + dpkg-reconfigure openssh-server + echo $'ssh host keys regenerated' + # remove small moduli + awk '$5 > 2000' /etc/ssh/moduli > ~/moduli + mv ~/moduli /etc/ssh/moduli + echo $'ssh small moduli removed' + # update monkeysphere + DEFAULT_DOMAIN_NAME= + if grep -q "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE; then + DEFAULT_DOMAIN_NAME=$(grep "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME + SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}') + monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME + monkeysphere-host publish-key + send_monkeysphere_server_keys_to_users + echo $'updated monkeysphere ssh host key' + systemctl restart ssh + fi } function regenerate_dh_keys { - if [[ $REGENERATE_DH_KEYS == "yes" ]]; then - if [ ! -d /etc/ssl/mycerts ]; then - echo $'No dhparam certificates were found' - return - fi + if [[ $REGENERATE_DH_KEYS == "yes" ]]; then + if [ ! -d /etc/ssl/mycerts ]; then + echo $'No dhparam certificates were found' + return + fi - data=$(tempfile 2>/dev/null) - trap "rm -f $data" 0 1 2 5 15 - dialog --backtitle "Freedombone Security Configuration" \ - --title "Diffie-Hellman key length" \ - --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \ - 1 "2048 bits" off \ - 2 "3072 bits" on \ - 3 "4096 bits" off 2> $data - sel=$? - case $sel in - 1) exit 1;; - 255) exit 1;; - esac - case $(cat $data) in - 1) DH_KEYLENGTH=2048;; - 2) DH_KEYLENGTH=3072;; - 3) DH_KEYLENGTH=4096;; - esac + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + dialog --backtitle "Freedombone Security Configuration" \ + --title "Diffie-Hellman key length" \ + --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \ + 1 "2048 bits" off \ + 2 "3072 bits" on \ + 3 "4096 bits" off 2> $data + sel=$? + case $sel in + 1) exit 1;; + 255) exit 1;; + esac + case $(cat $data) in + 1) DH_KEYLENGTH=2048;; + 2) DH_KEYLENGTH=3072;; + 3) DH_KEYLENGTH=4096;; + esac - ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH} - fi + ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH} + fi } function renew_startssl { - renew_domain= - data=$(tempfile 2>/dev/null) - trap "rm -f $data" 0 1 2 5 15 - dialog --title $"Renew a StartSSL certificate" \ - --backtitle $"Freedombone Security Settings" \ - --inputbox $"Enter the domain name" 8 60 2>$data - sel=$? - case $sel in - 0) - renew_domain=$(<$data) - ;; - esac + renew_domain= + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + dialog --title $"Renew a StartSSL certificate" \ + --backtitle $"Freedombone Security Settings" \ + --inputbox $"Enter the domain name" 8 60 2>$data + sel=$? + case $sel in + 0) + renew_domain=$(<$data) + ;; + esac - if [ ! $renew_domain ]; then - return - fi + if [ ! $renew_domain ]; then + return + fi - if [[ $renew_domain == "http"* ]]; then - dialog --title $"Renew a StartSSL certificate" \ - --msgbox $"Don't include the https://" 6 40 - return - fi + if [[ $renew_domain == "http"* ]]; then + dialog --title $"Renew a StartSSL certificate" \ + --msgbox $"Don't include the https://" 6 40 + return + fi - if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then - dialog --title $"Renew a StartSSL certificate" \ - --msgbox $"An existing certificate for $renew_domain was not found" 6 40 - return - fi + if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then + dialog --title $"Renew a StartSSL certificate" \ + --msgbox $"An existing certificate for $renew_domain was not found" 6 40 + return + fi - if [[ $renew_domain != *"."* ]]; then - dialog --title $"Renew a StartSSL certificate" \ - --msgbox $"Invalid domain name: $renew_domain" 6 40 - return - fi + if [[ $renew_domain != *"."* ]]; then + dialog --title $"Renew a StartSSL certificate" \ + --msgbox $"Invalid domain name: $renew_domain" 6 40 + return + fi - ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl + ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl - exit 0 + exit 0 } function renew_letsencrypt { - renew_domain= - data=$(tempfile 2>/dev/null) - trap "rm -f $data" 0 1 2 5 15 - dialog --title $"Renew a Let's Encrypt certificate" \ - --backtitle $"Freedombone Security Settings" \ - --inputbox $"Enter the domain name" 8 60 2>$data - sel=$? - case $sel in - 0) - renew_domain=$(<$data) - ;; - esac + renew_domain= + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + dialog --title $"Renew a Let's Encrypt certificate" \ + --backtitle $"Freedombone Security Settings" \ + --inputbox $"Enter the domain name" 8 60 2>$data + sel=$? + case $sel in + 0) + renew_domain=$(<$data) + ;; + esac - if [ ! $renew_domain ]; then - return - fi + if [ ! $renew_domain ]; then + return + fi - if [[ $renew_domain == "http"* ]]; then - dialog --title $"Renew a Let's Encrypt certificate" \ - --msgbox $"Don't include the https://" 6 40 - return - fi + if [[ $renew_domain == "http"* ]]; then + dialog --title $"Renew a Let's Encrypt certificate" \ + --msgbox $"Don't include the https://" 6 40 + return + fi - if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then - dialog --title $"Renew a Let's Encrypt certificate" \ - --msgbox $"An existing certificate for $renew_domain was not found" 6 40 - return - fi + if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then + dialog --title $"Renew a Let's Encrypt certificate" \ + --msgbox $"An existing certificate for $renew_domain was not found" 6 40 + return + fi - if [[ $renew_domain != *"."* ]]; then - dialog --title $"Renew a Let's Encrypt certificate" \ - --msgbox $"Invalid domain name: $renew_domain" 6 40 - return - fi + if [[ $renew_domain != *"."* ]]; then + dialog --title $"Renew a Let's Encrypt certificate" \ + --msgbox $"Invalid domain name: $renew_domain" 6 40 + return + fi - ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt' + ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt' - exit 0 + exit 0 } function create_letsencrypt { - new_domain= - data=$(tempfile 2>/dev/null) - trap "rm -f $data" 0 1 2 5 15 - dialog --title $"Create a new Let's Encrypt certificate" \ - --backtitle $"Freedombone Security Settings" \ - --inputbox $"Enter the domain name" 8 60 2>$data - sel=$? - case $sel in - 0) - new_domain=$(<$data) - ;; - esac + new_domain= + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + dialog --title $"Create a new Let's Encrypt certificate" \ + --backtitle $"Freedombone Security Settings" \ + --inputbox $"Enter the domain name" 8 60 2>$data + sel=$? + case $sel in + 0) + new_domain=$(<$data) + ;; + esac - if [ ! $new_domain ]; then - return - fi + if [ ! $new_domain ]; then + return + fi - if [[ $new_domain == "http"* ]]; then - dialog --title $"Create a new Let's Encrypt certificate" \ - --msgbox $"Don't include the https://" 6 40 - return - fi + if [[ $new_domain == "http"* ]]; then + dialog --title $"Create a new Let's Encrypt certificate" \ + --msgbox $"Don't include the https://" 6 40 + return + fi - if [[ $new_domain != *"."* ]]; then - dialog --title $"Create a new Let's Encrypt certificate" \ - --msgbox $"Invalid domain name: $new_domain" 6 40 - return - fi + if [[ $new_domain != *"."* ]]; then + dialog --title $"Create a new Let's Encrypt certificate" \ + --msgbox $"Invalid domain name: $new_domain" 6 40 + return + fi - if [ ! -d /var/www/${new_domain} ]; then - dialog --title $"Create a new Let's Encrypt certificate" \ - --msgbox $'Domain not found within /var/www' 6 40 - return - fi + if [ ! -d /var/www/${new_domain} ]; then + dialog --title $"Create a new Let's Encrypt certificate" \ + --msgbox $'Domain not found within /var/www' 6 40 + return + fi - ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH + ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH - exit 0 + exit 0 } function update_ciphersuite { @@ -677,249 +677,245 @@ function register_website { } function register_website_interactive { - data=$(tempfile 2>/dev/null) - trap "rm -f $data" 0 1 2 5 15 - dialog --title $"Register a website with monkeysphere" \ - --backtitle $"Freedombone Security Settings" \ - --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data - sel=$? - case $sel in - 0) - domain=$(<$data) - register_website "$domain" - if [ ! "$?" = "0" ]; then - dialog --title $"Register a website with monkeysphere" \ - --msgbox "$?" 6 40 - else - dialog --title $"Register a website with monkeysphere" \ - --msgbox $"$domain has been registered" 6 40 - fi - ;; - esac + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + dialog --title $"Register a website with monkeysphere" \ + --backtitle $"Freedombone Security Settings" \ + --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data + sel=$? + case $sel in + 0) + domain=$(<$data) + register_website "$domain" + if [ ! "$?" = "0" ]; then + dialog --title $"Register a website with monkeysphere" \ + --msgbox "$?" 6 40 + else + dialog --title $"Register a website with monkeysphere" \ + --msgbox $"$domain has been registered" 6 40 + fi + ;; + esac } function housekeeping { - cmd=(dialog --separate-output \ - --backtitle "Freedombone Security Configuration" \ - --title "Housekeeping options" \ - --checklist "If you don't need to do any of these things then just press Enter:" 17 76 17) - options=(1 "Regenerate ssh host keys" off - 2 "Regenerate Diffie-Hellman keys" off - 3 "Renew a StartSSL certificate" off - 4 "Update cipersuite" off - 5 "Create a new Let's Encrypt certificate" off - 6 "Renew Let's Encrypt certificate" off - 7 "Enable GPG based authentication (monkeysphere)" off - 8 "Register a website with monkeysphere" off - 9 "Go Back/Exit" on) - choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty) - clear - for choice in $choices - do - case $choice in - 1) - REGENERATE_SSH_HOST_KEYS="yes" - ;; - 2) - REGENERATE_DH_KEYS="yes" - ;; - 3) - renew_startssl - ;; - 4) - update_ciphersuite - ;; - 5) - create_letsencrypt - ;; - 6) - renew_letsencrypt - ;; - 7) - enable_monkeysphere - ;; - 8) - register_website - ;; - 9) - exit 0 - ;; - esac - done + cmd=(dialog --separate-output \ + --backtitle "Freedombone Security Configuration" \ + --title "Housekeeping options" \ + --checklist "If you don't need to do any of these things then just press Enter:" 17 76 17) + options=(1 "Regenerate ssh host keys" off + 2 "Regenerate Diffie-Hellman keys" off + 3 "Update cipersuite" off + 4 "Create a new Let's Encrypt certificate" off + 5 "Renew Let's Encrypt certificate" off + 6 "Enable GPG based authentication (monkeysphere)" off + 7 "Register a website with monkeysphere" off + 8 "Go Back/Exit" on) + choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty) + clear + for choice in $choices + do + case $choice in + 1) + REGENERATE_SSH_HOST_KEYS="yes" + ;; + 2) + REGENERATE_DH_KEYS="yes" + ;; + 3) + update_ciphersuite + ;; + 4) + create_letsencrypt + ;; + 5) + renew_letsencrypt + ;; + 6) + enable_monkeysphere + ;; + 7) + register_website + ;; + 8) + exit 0 + ;; + esac + done } function import_settings { - cd $CURRENT_DIR + cd $CURRENT_DIR - if [ ! $IMPORT_FILE ]; then - return - fi + if [ ! $IMPORT_FILE ]; then + return + fi - if [ ! -f $IMPORT_FILE ]; then - echo $"Import file $IMPORT_FILE not found" - exit 6393 - fi + if [ ! -f $IMPORT_FILE ]; then + echo $"Import file $IMPORT_FILE not found" + exit 6393 + fi - if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then - TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}') - if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then - SSL_PROTOCOLS=$TEMP_VALUE - fi - fi - if grep -q "SSL_CIPHERS" $IMPORT_FILE; then - TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}') - if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then - SSL_CIPHERS=$TEMP_VALUE - fi - fi - if grep -q "SSH_CIPHERS" $IMPORT_FILE; then - TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}') - if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then - SSH_CIPHERS=$TEMP_VALUE - fi - fi - if grep -q "SSH_MACS" $IMPORT_FILE; then - TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}') - if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then - SSH_MACS=$TEMP_VALUE - fi - fi - if grep -q "SSH_KEX" $IMPORT_FILE; then - TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}') - if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then - SSH_KEX=$TEMP_VALUE - fi - fi - if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then - TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}') - if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then - SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE - fi - fi - if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then - TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}') - if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then - SSH_PASSWORDS=$TEMP_VALUE - fi - fi - if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then - TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}') - if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then - XMPP_CIPHERS=$TEMP_VALUE - fi - fi - if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then - TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}') - if [ ${#TEMP_VALUE} -gt 3 ]; then - XMPP_ECC_CURVE=$TEMP_VALUE - fi - fi + if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then + TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}') + if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then + SSL_PROTOCOLS=$TEMP_VALUE + fi + fi + if grep -q "SSL_CIPHERS" $IMPORT_FILE; then + TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}') + if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then + SSL_CIPHERS=$TEMP_VALUE + fi + fi + if grep -q "SSH_CIPHERS" $IMPORT_FILE; then + TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}') + if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then + SSH_CIPHERS=$TEMP_VALUE + fi + fi + if grep -q "SSH_MACS" $IMPORT_FILE; then + TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}') + if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then + SSH_MACS=$TEMP_VALUE + fi + fi + if grep -q "SSH_KEX" $IMPORT_FILE; then + TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}') + if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then + SSH_KEX=$TEMP_VALUE + fi + fi + if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then + TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}') + if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then + SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE + fi + fi + if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then + TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}') + if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then + SSH_PASSWORDS=$TEMP_VALUE + fi + fi + if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then + TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}') + if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then + XMPP_CIPHERS=$TEMP_VALUE + fi + fi + if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then + TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}') + if [ ${#TEMP_VALUE} -gt 3 ]; then + XMPP_ECC_CURVE=$TEMP_VALUE + fi + fi } function export_settings { - if [ ! $EXPORT_FILE ]; then - return - fi + if [ ! $EXPORT_FILE ]; then + return + fi - cd $CURRENT_DIR + cd $CURRENT_DIR - if [ ! -f $EXPORT_FILE ]; then - if [ "$SSL_PROTOCOLS" ]; then - echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE - fi - if [ $SSL_CIPHERS ]; then - echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE - fi - if [ $SSH_CIPHERS ]; then - echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE - fi - if [ $SSH_MACS ]; then - echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE - fi - if [ $SSH_KEX ]; then - echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE - fi - if [ $SSH_HOST_KEY_ALGORITHMS ]; then - echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE - fi - if [ $SSH_PASSWORDS ]; then - echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE - fi - if [ $XMPP_CIPHERS ]; then - echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE - fi - if [ $XMPP_ECC_CURVE ]; then - echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE - fi - echo "Security settings exported to $EXPORT_FILE" - exit 0 - fi + if [ ! -f $EXPORT_FILE ]; then + if [ "$SSL_PROTOCOLS" ]; then + echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE + fi + if [ $SSL_CIPHERS ]; then + echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE + fi + if [ $SSH_CIPHERS ]; then + echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE + fi + if [ $SSH_MACS ]; then + echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE + fi + if [ $SSH_KEX ]; then + echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE + fi + if [ $SSH_HOST_KEY_ALGORITHMS ]; then + echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE + fi + if [ $SSH_PASSWORDS ]; then + echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE + fi + if [ $XMPP_CIPHERS ]; then + echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE + fi + if [ $XMPP_ECC_CURVE ]; then + echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE + fi + echo "Security settings exported to $EXPORT_FILE" + exit 0 + fi - if [ "$SSL_PROTOCOLS" ]; then - if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then - sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE - else - echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE - fi - fi - if [ $SSL_CIPHERS ]; then - if grep -q "SSL_CIPHERS" $EXPORT_FILE; then - sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE - else - echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE - fi - fi - if [ $SSH_CIPHERS ]; then - if grep -q "SSH_CIPHERS" $EXPORT_FILE; then - sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE - else - echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE - fi - fi - if [ $SSH_MACS ]; then - if grep -q "SSH_MACS" $EXPORT_FILE; then - sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE - else - echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE - fi - fi - if [ $SSH_KEX ]; then - if grep -q "SSH_KEX" $EXPORT_FILE; then - sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE - else - echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE - fi - fi - if [ $SSH_HOST_KEY_ALGORITHMS ]; then - if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then - sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE - else - echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE - fi - fi - if [ $SSH_PASSWORDS ]; then - if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then - sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE - else - echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE - fi - fi - if [ $XMPP_CIPHERS ]; then - if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then - sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE - else - echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE - fi - fi - if [ $XMPP_ECC_CURVE ]; then - if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then - sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE - else - echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE - fi - fi - echo $"Security settings exported to $EXPORT_FILE" - exit 0 + if [ "$SSL_PROTOCOLS" ]; then + if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then + sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE + else + echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE + fi + fi + if [ $SSL_CIPHERS ]; then + if grep -q "SSL_CIPHERS" $EXPORT_FILE; then + sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE + else + echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE + fi + fi + if [ $SSH_CIPHERS ]; then + if grep -q "SSH_CIPHERS" $EXPORT_FILE; then + sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE + else + echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE + fi + fi + if [ $SSH_MACS ]; then + if grep -q "SSH_MACS" $EXPORT_FILE; then + sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE + else + echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE + fi + fi + if [ $SSH_KEX ]; then + if grep -q "SSH_KEX" $EXPORT_FILE; then + sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE + else + echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE + fi + fi + if [ $SSH_HOST_KEY_ALGORITHMS ]; then + if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then + sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE + else + echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE + fi + fi + if [ $SSH_PASSWORDS ]; then + if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then + sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE + else + echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE + fi + fi + if [ $XMPP_CIPHERS ]; then + if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then + sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE + else + echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE + fi + fi + if [ $XMPP_ECC_CURVE ]; then + if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then + sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE + else + echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE + fi + fi + echo $"Security settings exported to $EXPORT_FILE" + exit 0 } function refresh_gpg_keys { @@ -977,69 +973,69 @@ function blog_hash { } function show_help { - echo '' - echo "${PROJECT_NAME}-sec" - echo '' - echo $'Alters the security settings' - echo '' - echo '' - echo $' -h --help Show help' - echo $' -e --export Export security settings to a file' - echo $' -i --import Import security settings from a file' - echo $' -r --refresh Refresh GPG keys for all users' - echo $' -s --sign Sign monkeysphere server keys' - echo $' --register [domain] Register a https domain with monkeysphere' - echo $' -b --bloghash [password] Returns the hash of a password for the blog' - echo '' - exit 0 + echo '' + echo "${PROJECT_NAME}-sec" + echo '' + echo $'Alters the security settings' + echo '' + echo '' + echo $' -h --help Show help' + echo $' -e --export Export security settings to a file' + echo $' -i --import Import security settings from a file' + echo $' -r --refresh Refresh GPG keys for all users' + echo $' -s --sign Sign monkeysphere server keys' + echo $' --register [domain] Register a https domain with monkeysphere' + echo $' -b --bloghash [password] Returns the hash of a password for the blog' + echo '' + exit 0 } # Get the commandline options while [[ $# > 1 ]] do -key="$1" + key="$1" -case $key in - -h|--help) - show_help - ;; - # Export settings - -e|--export) + case $key in + -h|--help) + show_help + ;; + # Export settings + -e|--export) + shift + EXPORT_FILE="$1" + ;; + # Export settings + -i|--import) + shift + IMPORT_FILE="$1" + ;; + # Refresh GPG keys + -r|--refresh) + shift + refresh_gpg_keys + ;; + # register a website + --register|--reg|--site) + shift + register_website "$1" + ;; + # user signs monkeysphere server keys + -s|--sign) + shift + monkeysphere_sign_server_keys + ;; + # get a hash of the given blog password + -b|--bloghash) + shift + blog_hash "$1" + exit 0 + ;; + *) + # unknown option + ;; + esac shift - EXPORT_FILE="$1" - ;; - # Export settings - -i|--import) - shift - IMPORT_FILE="$1" - ;; - # Refresh GPG keys - -r|--refresh) - shift - refresh_gpg_keys - ;; - # register a website - --register|--reg|--site) - shift - register_website "$1" - ;; - # user signs monkeysphere server keys - -s|--sign) - shift - monkeysphere_sign_server_keys - ;; - # get a hash of the given blog password - -b|--bloghash) - shift - blog_hash "$1" - exit 0 - ;; - *) - # unknown option - ;; -esac -shift done housekeeping