1045 lines
32 KiB
Bash
Executable File
1045 lines
32 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# .---. . .
|
|
# | | |
|
|
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
|
|
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
|
|
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
|
|
#
|
|
# Freedom in the Cloud
|
|
#
|
|
# Alters the security settings
|
|
#
|
|
# License
|
|
# =======
|
|
#
|
|
# Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
PROJECT_NAME='freedombone'
|
|
|
|
export TEXTDOMAIN=${PROJECT_NAME}-sec
|
|
export TEXTDOMAINDIR="/usr/share/locale"
|
|
|
|
CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg
|
|
COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
|
|
|
|
UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
|
|
for f in $UTILS_FILES
|
|
do
|
|
source $f
|
|
done
|
|
|
|
SSL_PROTOCOLS=
|
|
SSL_CIPHERS=
|
|
SSH_CIPHERS=
|
|
SSH_MACS=
|
|
SSH_KEX=
|
|
SSH_HOST_KEY_ALGORITHMS=
|
|
SSH_PASSWORDS=
|
|
XMPP_CIPHERS=
|
|
XMPP_ECC_CURVE=
|
|
|
|
WEBSITES_DIRECTORY='/etc/nginx/sites-available'
|
|
DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
|
|
SSH_CONFIG='/etc/ssh/sshd_config'
|
|
XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'
|
|
|
|
MINIMUM_LENGTH=6
|
|
|
|
IMPORT_FILE=
|
|
EXPORT_FILE=
|
|
|
|
CURRENT_DIR=$(pwd)
|
|
|
|
DH_KEYLENGTH=2048
|
|
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
|
|
|
|
MY_USERNAME=
|
|
|
|
function get_protocols_from_website {
|
|
if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
|
|
return
|
|
fi
|
|
SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
|
|
}
|
|
|
|
function get_ciphers_from_website {
|
|
if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
|
|
return
|
|
fi
|
|
SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
|
|
}
|
|
|
|
function get_imap_settings {
|
|
if [ ! -f $DOVECOT_CIPHERS ]; then
|
|
return
|
|
fi
|
|
# clear commented out cipher list
|
|
sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
|
|
if [ $SSL_CIPHERS ]; then
|
|
return
|
|
fi
|
|
if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
|
|
return
|
|
fi
|
|
SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
|
|
}
|
|
|
|
function get_xmpp_settings {
|
|
if [ ! -f $XMPP_CONFIG ]; then
|
|
return
|
|
fi
|
|
XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
|
|
XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
|
|
}
|
|
|
|
function get_ssh_settings {
|
|
if [ -f $SSH_CONFIG ]; then
|
|
SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
|
|
fi
|
|
if [ -f /etc/ssh/ssh_config ]; then
|
|
SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
|
|
fi
|
|
}
|
|
|
|
function change_website_settings {
|
|
if [ ! "$SSL_PROTOCOLS" ]; then
|
|
return
|
|
fi
|
|
if [ ! $SSL_CIPHERS ]; then
|
|
return
|
|
fi
|
|
if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
|
|
return
|
|
fi
|
|
if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
|
|
return
|
|
fi
|
|
if [ ! -d $WEBSITES_DIRECTORY ]; then
|
|
return
|
|
fi
|
|
|
|
cd $WEBSITES_DIRECTORY
|
|
for file in `dir -d *` ; do
|
|
sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
|
|
sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
|
|
done
|
|
systemctl restart nginx
|
|
echo $'Web security settings changed'
|
|
}
|
|
|
|
function change_imap_settings {
|
|
if [ ! -f $DOVECOT_CIPHERS ]; then
|
|
return
|
|
fi
|
|
if [ ! $SSL_CIPHERS ]; then
|
|
return
|
|
fi
|
|
if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
|
|
return
|
|
fi
|
|
sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
|
|
sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
|
|
systemctl restart dovecot
|
|
echo $'imap security settings changed'
|
|
}
|
|
|
|
function change_ssh_settings {
|
|
if [ -f /etc/ssh/ssh_config ]; then
|
|
if [ $SSH_HOST_KEY_ALGORITHMS ]; then
|
|
sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
|
|
echo $'ssh client security settings changed'
|
|
fi
|
|
fi
|
|
if [ -f $SSH_CONFIG ]; then
|
|
if [ ! $SSH_CIPHERS ]; then
|
|
return
|
|
fi
|
|
if [ ! $SSH_MACS ]; then
|
|
return
|
|
fi
|
|
if [ ! $SSH_KEX ]; then
|
|
return
|
|
fi
|
|
if [ ! $SSH_PASSWORDS ]; then
|
|
SSH_PASSWORDS='yes'
|
|
fi
|
|
|
|
sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
|
|
sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
|
|
sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
|
|
sed -i "s|#PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
|
|
sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
|
|
systemctl restart ssh
|
|
echo $'ssh server security settings changed'
|
|
fi
|
|
}
|
|
|
|
function change_xmpp_settings {
|
|
if [ ! -f $XMPP_CONFIG ]; then
|
|
return
|
|
fi
|
|
if [ ! $XMPP_CIPHERS ]; then
|
|
return
|
|
fi
|
|
if [ ! $XMPP_ECC_CURVE ]; then
|
|
return
|
|
fi
|
|
sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
|
|
sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
|
|
systemctl restart prosody
|
|
echo $'xmpp security settings changed'
|
|
}
|
|
|
|
function allow_ssh_passwords {
|
|
dialog --title $"SSH Passwords" \
|
|
--backtitle $"Freedombone Security Configuration" \
|
|
--yesno $"\nAllow SSH login using passwords?" 7 60
|
|
sel=$?
|
|
case $sel in
|
|
0) SSH_PASSWORDS="yes";;
|
|
1) SSH_PASSWORDS="no";;
|
|
255) exit 0;;
|
|
esac
|
|
}
|
|
|
|
function interactive_setup {
|
|
if [ $SSL_CIPHERS ]; then
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
dialog --backtitle $"Freedombone Security Configuration" \
|
|
--form $"\nWeb/IMAP Ciphers:" 10 95 2 \
|
|
$"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
|
|
$"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
|
|
2> $data
|
|
sel=$?
|
|
case $sel in
|
|
1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
|
|
SSL_CIPHERS=$(cat $data | sed -n 2p)
|
|
;;
|
|
255) exit 0;;
|
|
esac
|
|
fi
|
|
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
if [ $SSH_HOST_KEY_ALGORITHMS ]; then
|
|
dialog --backtitle $"Freedombone Security Configuration" \
|
|
--form $"\nSecure Shell Ciphers:" 13 95 4 \
|
|
$"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
|
|
$"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
|
|
$"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
|
|
$"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
|
|
2> $data
|
|
sel=$?
|
|
case $sel in
|
|
1) SSH_CIPHERS=$(cat $data | sed -n 1p)
|
|
SSH_MACS=$(cat $data | sed -n 2p)
|
|
SSH_KEX=$(cat $data | sed -n 3p)
|
|
SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
|
|
;;
|
|
255) exit 0;;
|
|
esac
|
|
else
|
|
dialog --backtitle $"Freedombone Security Configuration" \
|
|
--form $"\nSecure Shell Ciphers:" 11 95 3 \
|
|
$"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
|
|
$"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
|
|
$"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
|
|
2> $data
|
|
sel=$?
|
|
case $sel in
|
|
1) SSH_CIPHERS=$(cat $data | sed -n 1p)
|
|
SSH_MACS=$(cat $data | sed -n 2p)
|
|
SSH_KEX=$(cat $data | sed -n 3p)
|
|
;;
|
|
255) exit 0;;
|
|
esac
|
|
fi
|
|
|
|
if [ $XMPP_CIPHERS ]; then
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
dialog --backtitle $"Freedombone Security Configuration" \
|
|
--form $"\nXMPP Ciphers:" 10 95 2 \
|
|
$"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
|
|
$"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
|
|
2> $data
|
|
sel=$?
|
|
case $sel in
|
|
1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
|
|
XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
|
|
;;
|
|
255) exit 0;;
|
|
esac
|
|
fi
|
|
|
|
dialog --title $"Final Confirmation" \
|
|
--backtitle $"Freedombone Security Configuration" \
|
|
--defaultno \
|
|
--yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
|
|
sel=$?
|
|
case $sel in
|
|
1) clear
|
|
echo $'Exiting without changing security settings'
|
|
exit 0;;
|
|
255) clear
|
|
echo $'Exiting without changing security settings'
|
|
exit 0;;
|
|
esac
|
|
|
|
clear
|
|
}
|
|
|
|
function send_monkeysphere_server_keys_to_users {
|
|
monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')
|
|
for d in /home/*/ ; do
|
|
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
|
|
if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
|
|
if [ ! -d /home/$USERNAME/.monkeysphere ]; then
|
|
mkdir /home/$USERNAME/.monkeysphere
|
|
fi
|
|
echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys
|
|
chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere
|
|
fi
|
|
done
|
|
}
|
|
|
|
function regenerate_ssh_host_keys {
|
|
rm -f /etc/ssh/ssh_host_*
|
|
dpkg-reconfigure openssh-server
|
|
echo $'ssh host keys regenerated'
|
|
# remove small moduli
|
|
awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
|
|
mv ~/moduli /etc/ssh/moduli
|
|
echo $'ssh small moduli removed'
|
|
# update monkeysphere
|
|
DEFAULT_DOMAIN_NAME=
|
|
read_config_param "DEFAULT_DOMAIN_NAME"
|
|
monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
|
|
SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
|
|
monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
|
|
monkeysphere-host publish-key
|
|
send_monkeysphere_server_keys_to_users
|
|
echo $'updated monkeysphere ssh host key'
|
|
systemctl restart ssh
|
|
}
|
|
|
|
function regenerate_dh_keys {
|
|
if [ ! -d /etc/ssl/mycerts ]; then
|
|
echo $'No dhparam certificates were found'
|
|
return
|
|
fi
|
|
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
dialog --backtitle "Freedombone Security Configuration" \
|
|
--title "Diffie-Hellman key length" \
|
|
--radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
|
|
1 "2048 bits" off \
|
|
2 "3072 bits" on \
|
|
3 "4096 bits" off 2> $data
|
|
sel=$?
|
|
case $sel in
|
|
1) exit 1;;
|
|
255) exit 1;;
|
|
esac
|
|
case $(cat $data) in
|
|
1) DH_KEYLENGTH=2048;;
|
|
2) DH_KEYLENGTH=3072;;
|
|
3) DH_KEYLENGTH=4096;;
|
|
esac
|
|
|
|
${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
|
|
}
|
|
|
|
function renew_startssl {
|
|
renew_domain=
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
dialog --title $"Renew a StartSSL certificate" \
|
|
--backtitle $"Freedombone Security Settings" \
|
|
--inputbox $"Enter the domain name" 8 60 2>$data
|
|
sel=$?
|
|
case $sel in
|
|
0)
|
|
renew_domain=$(<$data)
|
|
;;
|
|
esac
|
|
|
|
if [ ! $renew_domain ]; then
|
|
return
|
|
fi
|
|
|
|
if [[ $renew_domain == "http"* ]]; then
|
|
dialog --title $"Renew a StartSSL certificate" \
|
|
--msgbox $"Don't include the https://" 6 40
|
|
return
|
|
fi
|
|
|
|
if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
|
|
dialog --title $"Renew a StartSSL certificate" \
|
|
--msgbox $"An existing certificate for $renew_domain was not found" 6 40
|
|
return
|
|
fi
|
|
|
|
if [[ $renew_domain != *"."* ]]; then
|
|
dialog --title $"Renew a StartSSL certificate" \
|
|
--msgbox $"Invalid domain name: $renew_domain" 6 40
|
|
return
|
|
fi
|
|
|
|
${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
|
|
|
|
exit 0
|
|
}
|
|
|
|
function renew_letsencrypt {
|
|
renew_domain=
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
dialog --title $"Renew a Let's Encrypt certificate" \
|
|
--backtitle $"Freedombone Security Settings" \
|
|
--inputbox $"Enter the domain name" 8 60 2>$data
|
|
sel=$?
|
|
case $sel in
|
|
0)
|
|
renew_domain=$(<$data)
|
|
;;
|
|
esac
|
|
|
|
if [ ! $renew_domain ]; then
|
|
return
|
|
fi
|
|
|
|
if [[ $renew_domain == "http"* ]]; then
|
|
dialog --title $"Renew a Let's Encrypt certificate" \
|
|
--msgbox $"Don't include the https://" 6 40
|
|
return
|
|
fi
|
|
|
|
if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
|
|
dialog --title $"Renew a Let's Encrypt certificate" \
|
|
--msgbox $"An existing certificate for $renew_domain was not found" 6 40
|
|
return
|
|
fi
|
|
|
|
if [[ $renew_domain != *"."* ]]; then
|
|
dialog --title $"Renew a Let's Encrypt certificate" \
|
|
--msgbox $"Invalid domain name: $renew_domain" 6 40
|
|
return
|
|
fi
|
|
|
|
${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
|
|
|
|
exit 0
|
|
}
|
|
|
|
function create_letsencrypt {
|
|
new_domain=
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
dialog --title $"Create a new Let's Encrypt certificate" \
|
|
--backtitle $"Freedombone Security Settings" \
|
|
--inputbox $"Enter the domain name" 8 60 2>$data
|
|
sel=$?
|
|
case $sel in
|
|
0)
|
|
new_domain=$(<$data)
|
|
;;
|
|
esac
|
|
|
|
if [ ! $new_domain ]; then
|
|
return
|
|
fi
|
|
|
|
if [[ $new_domain == "http"* ]]; then
|
|
dialog --title $"Create a new Let's Encrypt certificate" \
|
|
--msgbox $"Don't include the https://" 6 40
|
|
return
|
|
fi
|
|
|
|
if [[ $new_domain != *"."* ]]; then
|
|
dialog --title $"Create a new Let's Encrypt certificate" \
|
|
--msgbox $"Invalid domain name: $new_domain" 6 40
|
|
return
|
|
fi
|
|
|
|
if [ ! -d /var/www/${new_domain} ]; then
|
|
dialog --title $"Create a new Let's Encrypt certificate" \
|
|
--msgbox $'Domain not found within /var/www' 6 40
|
|
return
|
|
fi
|
|
|
|
${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
|
|
|
|
exit 0
|
|
}
|
|
|
|
function update_ciphersuite {
|
|
RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"
|
|
if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
|
|
return
|
|
fi
|
|
|
|
RECOMMENDED_SSL_PROTOCOLS="$SSL_PROTOCOLS"
|
|
if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then
|
|
return
|
|
fi
|
|
|
|
RECOMMENDED_SSH_CIPHERS="$SSH_CIPHERS"
|
|
if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then
|
|
return
|
|
fi
|
|
|
|
RECOMMENDED_SSH_MACS="$SSH_MACS"
|
|
if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then
|
|
return
|
|
fi
|
|
|
|
RECOMMENDED_SSH_KEX="$SSH_KEX"
|
|
if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then
|
|
return
|
|
fi
|
|
|
|
cd $WEBSITES_DIRECTORY
|
|
for file in `dir -d *` ; do
|
|
sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
|
|
sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
|
|
done
|
|
systemctl restart nginx
|
|
write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"
|
|
write_config_param "SSL_CIPHERS" "$RECOMMENDED_SSL_CIPHERS"
|
|
|
|
sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG
|
|
sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG
|
|
sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG
|
|
systemctl restart ssh
|
|
|
|
write_config_param "SSH_CIPHERS" "$RECOMMENDED_SSH_CIPHERS"
|
|
write_config_param "SSH_MACS" "$RECOMMENDED_SSH_MACS"
|
|
write_config_param "SSH_KEX" "$RECOMMENDED_SSH_KEX"
|
|
|
|
dialog --title $"Update ciphersuite" \
|
|
--msgbox $"The ciphersuite has been updated to recommended versions" 6 40
|
|
exit 0
|
|
}
|
|
|
|
function gpg_pubkey_from_email {
|
|
key_owner_username=$1
|
|
key_email_address=$2
|
|
key_id=
|
|
if [[ $key_owner_username != "root" ]]; then
|
|
key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
|
|
else
|
|
key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
|
|
fi
|
|
echo $key_id
|
|
}
|
|
|
|
function enable_monkeysphere {
|
|
monkey=
|
|
dialog --title $"GPG based authentication" \
|
|
--backtitle $"Freedombone Security Configuration" \
|
|
--defaultno \
|
|
--yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60
|
|
sel=$?
|
|
case $sel in
|
|
0) monkey='yes';;
|
|
255) exit 0;;
|
|
esac
|
|
|
|
if [ $monkey ]; then
|
|
read_config_param "MY_USERNAME"
|
|
|
|
if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then
|
|
dialog --title $"GPG based authentication" \
|
|
--msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40
|
|
exit 0
|
|
fi
|
|
|
|
MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
|
|
if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
|
|
echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'
|
|
exit 52825
|
|
fi
|
|
|
|
sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
|
|
sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config
|
|
monkeysphere-authentication update-users
|
|
|
|
# The admin user is the identity certifier
|
|
fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')
|
|
monkeysphere-authentication add-identity-certifier $fpr
|
|
monkeysphere-host publish-key
|
|
send_monkeysphere_server_keys_to_users
|
|
else
|
|
sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
|
|
sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config
|
|
fi
|
|
|
|
systemctl restart ssh
|
|
|
|
if [ $monkey ]; then
|
|
dialog --title $"GPG based authentication" \
|
|
--msgbox $"GPG based authentication was enabled" 6 40
|
|
else
|
|
dialog --title $"GPG based authentication" \
|
|
--msgbox $"GPG based authentication was disabled" 6 40
|
|
fi
|
|
exit 0
|
|
}
|
|
|
|
function register_website {
|
|
domain="$1"
|
|
|
|
if [[ ${domain} == *".local" ]]; then
|
|
echo $"Can't register local domains"
|
|
return
|
|
fi
|
|
|
|
if [ ! -f /etc/ssl/private/${domain}.key ]; then
|
|
echo $"No SSL/TLS private key found for ${domain}"
|
|
return
|
|
fi
|
|
|
|
if [ ! -f /etc/nginx/sites-available/${domain} ]; then
|
|
echo $"No virtual host found for ${domain}"
|
|
return
|
|
fi
|
|
|
|
monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}
|
|
monkeysphere-host publish-key
|
|
echo "0"
|
|
}
|
|
|
|
function register_website_interactive {
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
dialog --title $"Register a website with monkeysphere" \
|
|
--backtitle $"Freedombone Security Settings" \
|
|
--inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
|
|
sel=$?
|
|
case $sel in
|
|
0)
|
|
domain=$(<$data)
|
|
register_website "$domain"
|
|
if [ ! "$?" = "0" ]; then
|
|
dialog --title $"Register a website with monkeysphere" \
|
|
--msgbox "$?" 6 40
|
|
else
|
|
dialog --title $"Register a website with monkeysphere" \
|
|
--msgbox $"$domain has been registered" 6 40
|
|
fi
|
|
;;
|
|
esac
|
|
}
|
|
|
|
function pin_all_tls_certs {
|
|
${PROJECT_NAME}-pin-cert all
|
|
}
|
|
|
|
function remove_pinning {
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
dialog --title $"Remove pinning for a domain" \
|
|
--backtitle $"Freedombone Security Settings" \
|
|
--inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
|
|
sel=$?
|
|
case $sel in
|
|
0)
|
|
domain=$(<$data)
|
|
${PROJECT_NAME}-pin-cert "$domain" remove
|
|
if [ ! "$?" = "0" ]; then
|
|
dialog --title $"Removed pinning from $domain" \
|
|
--msgbox "$?" 6 40
|
|
fi
|
|
;;
|
|
esac
|
|
}
|
|
|
|
function menu_security_settings {
|
|
data=$(tempfile 2>/dev/null)
|
|
trap "rm -f $data" 0 1 2 5 15
|
|
dialog --backtitle $"Freedombone Control Panel" \
|
|
--title $"Security Settings" \
|
|
--radiolist $"Choose an operation:" 16 76 16 \
|
|
1 $"Regenerate ssh host keys" off \
|
|
2 $"Regenerate Diffie-Hellman keys" off \
|
|
3 $"Update cipersuite" off \
|
|
4 $"Create a new Let's Encrypt certificate" off \
|
|
5 $"Renew Let's Encrypt certificate" off \
|
|
6 $"Enable GPG based authentication (monkeysphere)" off \
|
|
7 $"Register a website with monkeysphere" off \
|
|
8 $"Allow ssh login with passwords" off \
|
|
9 $"Go Back/Exit" on 2> $data
|
|
sel=$?
|
|
case $sel in
|
|
1) exit 1;;
|
|
255) exit 1;;
|
|
esac
|
|
|
|
clear
|
|
|
|
read_config_param SSL_CIPHERS
|
|
read_config_param SSL_PROTOCOLS
|
|
read_config_param SSH_CIPHERS
|
|
read_config_param SSH_MACS
|
|
read_config_param SSH_KEX
|
|
|
|
get_imap_settings
|
|
get_ssh_settings
|
|
get_xmpp_settings
|
|
import_settings
|
|
export_settings
|
|
|
|
case $(cat $data) in
|
|
1)
|
|
regenerate_ssh_host_keys
|
|
;;
|
|
2)
|
|
regenerate_dh_keys
|
|
;;
|
|
3)
|
|
interactive_setup
|
|
update_ciphersuite
|
|
;;
|
|
4)
|
|
create_letsencrypt
|
|
;;
|
|
5)
|
|
renew_letsencrypt
|
|
;;
|
|
6)
|
|
enable_monkeysphere
|
|
;;
|
|
7)
|
|
register_website
|
|
;;
|
|
8)
|
|
allow_ssh_passwords
|
|
change_ssh_settings
|
|
exit 0
|
|
;;
|
|
9)
|
|
exit 0
|
|
;;
|
|
esac
|
|
|
|
change_website_settings
|
|
change_imap_settings
|
|
change_ssh_settings
|
|
change_xmpp_settings
|
|
}
|
|
|
|
function import_settings {
|
|
cd $CURRENT_DIR
|
|
|
|
if [ ! $IMPORT_FILE ]; then
|
|
return
|
|
fi
|
|
|
|
if [ ! -f $IMPORT_FILE ]; then
|
|
echo $"Import file $IMPORT_FILE not found"
|
|
exit 6393
|
|
fi
|
|
|
|
if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
|
|
TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
|
|
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
|
|
SSL_PROTOCOLS=$TEMP_VALUE
|
|
fi
|
|
fi
|
|
if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
|
|
TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
|
|
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
|
|
SSL_CIPHERS=$TEMP_VALUE
|
|
fi
|
|
fi
|
|
if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
|
|
TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
|
|
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
|
|
SSH_CIPHERS=$TEMP_VALUE
|
|
fi
|
|
fi
|
|
if grep -q "SSH_MACS" $IMPORT_FILE; then
|
|
TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
|
|
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
|
|
SSH_MACS=$TEMP_VALUE
|
|
fi
|
|
fi
|
|
if grep -q "SSH_KEX" $IMPORT_FILE; then
|
|
TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
|
|
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
|
|
SSH_KEX=$TEMP_VALUE
|
|
fi
|
|
fi
|
|
if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
|
|
TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
|
|
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
|
|
SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
|
|
fi
|
|
fi
|
|
if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
|
|
TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
|
|
if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
|
|
SSH_PASSWORDS=$TEMP_VALUE
|
|
fi
|
|
fi
|
|
if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
|
|
TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
|
|
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
|
|
XMPP_CIPHERS=$TEMP_VALUE
|
|
fi
|
|
fi
|
|
if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
|
|
TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
|
|
if [ ${#TEMP_VALUE} -gt 3 ]; then
|
|
XMPP_ECC_CURVE=$TEMP_VALUE
|
|
fi
|
|
fi
|
|
}
|
|
|
|
function export_settings {
|
|
if [ ! $EXPORT_FILE ]; then
|
|
return
|
|
fi
|
|
|
|
cd $CURRENT_DIR
|
|
|
|
if [ ! -f $EXPORT_FILE ]; then
|
|
if [ "$SSL_PROTOCOLS" ]; then
|
|
echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
|
|
fi
|
|
if [ $SSL_CIPHERS ]; then
|
|
echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
|
|
fi
|
|
if [ $SSH_CIPHERS ]; then
|
|
echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
|
|
fi
|
|
if [ $SSH_MACS ]; then
|
|
echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
|
|
fi
|
|
if [ $SSH_KEX ]; then
|
|
echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
|
|
fi
|
|
if [ $SSH_HOST_KEY_ALGORITHMS ]; then
|
|
echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
|
|
fi
|
|
if [ $SSH_PASSWORDS ]; then
|
|
echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
|
|
fi
|
|
if [ $XMPP_CIPHERS ]; then
|
|
echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
|
|
fi
|
|
if [ $XMPP_ECC_CURVE ]; then
|
|
echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
|
|
fi
|
|
echo "Security settings exported to $EXPORT_FILE"
|
|
exit 0
|
|
fi
|
|
|
|
if [ "$SSL_PROTOCOLS" ]; then
|
|
if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
|
|
sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
|
|
else
|
|
echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
|
|
fi
|
|
fi
|
|
if [ $SSL_CIPHERS ]; then
|
|
if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
|
|
sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
|
|
else
|
|
echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
|
|
fi
|
|
fi
|
|
if [ $SSH_CIPHERS ]; then
|
|
if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
|
|
sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
|
|
else
|
|
echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
|
|
fi
|
|
fi
|
|
if [ $SSH_MACS ]; then
|
|
if grep -q "SSH_MACS" $EXPORT_FILE; then
|
|
sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
|
|
else
|
|
echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
|
|
fi
|
|
fi
|
|
if [ $SSH_KEX ]; then
|
|
if grep -q "SSH_KEX" $EXPORT_FILE; then
|
|
sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
|
|
else
|
|
echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
|
|
fi
|
|
fi
|
|
if [ $SSH_HOST_KEY_ALGORITHMS ]; then
|
|
if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
|
|
sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
|
|
else
|
|
echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
|
|
fi
|
|
fi
|
|
if [ $SSH_PASSWORDS ]; then
|
|
if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
|
|
sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
|
|
else
|
|
echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
|
|
fi
|
|
fi
|
|
if [ $XMPP_CIPHERS ]; then
|
|
if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
|
|
sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
|
|
else
|
|
echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
|
|
fi
|
|
fi
|
|
if [ $XMPP_ECC_CURVE ]; then
|
|
if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
|
|
sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
|
|
else
|
|
echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
|
|
fi
|
|
fi
|
|
echo $"Security settings exported to $EXPORT_FILE"
|
|
exit 0
|
|
}
|
|
|
|
function refresh_gpg_keys {
|
|
for d in /home/*/ ; do
|
|
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
|
|
if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
|
|
su -c 'gpg --refresh-keys' - $USERNAME
|
|
fi
|
|
done
|
|
exit 0
|
|
}
|
|
|
|
function monkeysphere_sign_server_keys {
|
|
server_keys_file=/home/$USER/.monkeysphere/server_keys
|
|
if [ ! -f $server_keys_file ]; then
|
|
exit 0
|
|
fi
|
|
|
|
keys_signed=
|
|
while read line; do
|
|
echo $line
|
|
if [ ${#line} -gt 2 ]; then
|
|
fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')
|
|
if [ ${#fpr} -gt 2 ]; then
|
|
gpg --sign-key $fpr
|
|
if [ "$?" = "0" ]; then
|
|
gpg --update-trustdb
|
|
keys_signed=1
|
|
fi
|
|
fi
|
|
fi
|
|
done <$server_keys_file
|
|
|
|
if [ $keys_signed ]; then
|
|
rm $server_keys_file
|
|
fi
|
|
exit 0
|
|
}
|
|
|
|
function htmly_hash {
|
|
# produces a hash corresponding to a htmly password
|
|
pass="$1"
|
|
HTMLYHASH_FILENAME=/usr/bin/htmlyhash
|
|
|
|
echo '<?php' > $HTMLYHASH_FILENAME
|
|
echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $HTMLYHASH_FILENAME
|
|
echo '$password = $_GET["password"];' >> $HTMLYHASH_FILENAME
|
|
echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $HTMLYHASH_FILENAME
|
|
echo 'if (password_verify($password, $hash)) {' >> $HTMLYHASH_FILENAME
|
|
echo ' echo $hash;' >> $HTMLYHASH_FILENAME
|
|
echo '}' >> $HTMLYHASH_FILENAME
|
|
echo '?>' >> $HTMLYHASH_FILENAME
|
|
|
|
php $HTMLYHASH_FILENAME password="$pass"
|
|
}
|
|
|
|
function show_help {
|
|
echo ''
|
|
echo "${PROJECT_NAME}-sec"
|
|
echo ''
|
|
echo $'Alters the security settings'
|
|
echo ''
|
|
echo ''
|
|
echo $' -h --help Show help'
|
|
echo $' -e --export Export security settings to a file'
|
|
echo $' -i --import Import security settings from a file'
|
|
echo $' -r --refresh Refresh GPG keys for all users'
|
|
echo $' -s --sign Sign monkeysphere server keys'
|
|
echo $' --register [domain] Register a https domain with monkeysphere'
|
|
echo $' -b --htmlyhash [password] Returns the hash of a password for a htmly blog'
|
|
echo ''
|
|
exit 0
|
|
}
|
|
|
|
|
|
# Get the commandline options
|
|
while [[ $# > 1 ]]
|
|
do
|
|
key="$1"
|
|
|
|
case $key in
|
|
-h|--help)
|
|
show_help
|
|
;;
|
|
# Export settings
|
|
-e|--export)
|
|
shift
|
|
EXPORT_FILE="$1"
|
|
;;
|
|
# Export settings
|
|
-i|--import)
|
|
shift
|
|
IMPORT_FILE="$1"
|
|
;;
|
|
# Refresh GPG keys
|
|
-r|--refresh)
|
|
shift
|
|
refresh_gpg_keys
|
|
;;
|
|
# register a website
|
|
--register|--reg|--site)
|
|
shift
|
|
register_website "$1"
|
|
;;
|
|
# user signs monkeysphere server keys
|
|
-s|--sign)
|
|
shift
|
|
monkeysphere_sign_server_keys
|
|
;;
|
|
# get a hash of the given htmly password
|
|
-b|--htmlyhash)
|
|
shift
|
|
htmly_hash "$1"
|
|
exit 0
|
|
;;
|
|
*)
|
|
# unknown option
|
|
;;
|
|
esac
|
|
shift
|
|
done
|
|
|
|
menu_security_settings
|
|
|
|
exit 0
|