/usr/sbin/mandos-keygen is in mandos-client 1.7.1-2build1.
This file is owned by root:root, with mode 0o755.
#!/bin/sh -e
#
# Mandos key generator - create a new OpenPGP key for a Mandos client
#
# Copyright © 2008-2015 Teddy Hogeborn
# Copyright © 2008-2015 Björn Påhlsson
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Contact the authors at <mandos@recompile.se>.
#

# Defaults; every one of these can be overridden from the command
# line (see help() below for the corresponding options)
VERSION="1.7.1"
KEYDIR="/etc/keys/mandos"
KEYTYPE=RSA
KEYLENGTH=4096
SUBKEYTYPE=RSA
SUBKEYLENGTH=4096
# The key name defaults to the fully qualified host name when the
# system can provide one, else the plain host name
KEYNAME=$(hostname --fqdn 2>/dev/null || hostname)
KEYEMAIL=""
KEYCOMMENT=""
KEYEXPIRE=0
FORCE=no
SSH=yes
# Kept so that a --comment given on the command line can later be told
# apart from the default
KEYCOMMENT_ORIG=$KEYCOMMENT
# "keygen" creates a key pair; "password" encrypts a passphrase to it
mode=keygen
# Fall back to the alternative key directory location
[ -d "$KEYDIR" ] || KEYDIR="/etc/mandos/keys"
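# Parse options.  getopt normalises the command line into a quoted
# word list that "eval set --" below installs as the positional
# parameters.  A bad option makes getopt print a diagnostic and fail;
# the explicit exit does not depend on the shebang's -e, which is
# dropped when the script is run as "sh mandos-keygen".
TEMP=$(getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \
  --longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \
  --name "$0" -- "$@") || exit 1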
#######################################
# Print the usage text on stdout.
# Globals:   reads $0 for the program name
# Arguments: none
# Outputs:   usage summary and option descriptions on stdout
# Returns:   0
#######################################
help(){
  prog=$(basename "$0")
  cat <<EOF
Usage: $prog [ -v | --version ]
       $prog [ -h | --help ]
Key creation:
       $prog [ OPTIONS ]
Encrypted password creation:
       $prog { -p | --password } [ --name NAME ] [ --dir DIR]
       $prog { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]

Key creation options:
  -v, --version         Show program's version number and exit
  -h, --help            Show this help message and exit
  -d DIR, --dir DIR     Target directory for key files
  -t TYPE, --type TYPE  Key type. Default is RSA.
  -l BITS, --length BITS
                        Key length in bits. Default is 4096.
  -s TYPE, --subtype TYPE
                        Subkey type. Default is RSA.
  -L BITS, --sublength BITS
                        Subkey length in bits. Default is 4096.
  -n NAME, --name NAME  Name of key. Default is the FQDN.
  -e ADDRESS, --email ADDRESS
                        Email address of key. Default is empty.
  -c TEXT, --comment TEXT
                        Comment field for key. The default is empty.
  -x TIME, --expire TIME
                        Key expire time. Default is no expiration.
                        See gpg(1) for syntax.
  -f, --force           Force overwriting old key files.

Password creation options:
  -p, --password        Create an encrypted password using the key in
                        the key directory. All options other than
                        --dir and --name are ignored.
  -F FILE, --passfile FILE
                        Encrypt a password from FILE using the key in
                        the key directory. All options other than
                        --dir and --name are ignored.
  -S, --no-ssh          Don't get SSH key or set "checker" option.
EOF
}
# Install getopt's normalised option list as the positional
# parameters and consume it; getopt always terminates the list with
# "--", which is where the loop stops
eval set -- "$TEMP"
while :; do
  case "$1" in
    -v|--version)   echo "$0 $VERSION"; exit;;
    -h|--help)      help; exit;;
    -p|--password)  mode=password; shift;;
    -F|--passfile)  mode=password; PASSFILE=$2; shift 2;;
    -d|--dir)       KEYDIR=$2; shift 2;;
    -t|--type)      KEYTYPE=$2; shift 2;;
    -l|--length)    KEYLENGTH=$2; shift 2;;
    -s|--subtype)   SUBKEYTYPE=$2; shift 2;;
    -L|--sublength) SUBKEYLENGTH=$2; shift 2;;
    -n|--name)      KEYNAME=$2; shift 2;;
    -e|--email)     KEYEMAIL=$2; shift 2;;
    -c|--comment)   KEYCOMMENT=$2; shift 2;;
    -x|--expire)    KEYEXPIRE=$2; shift 2;;
    -f|--force)     FORCE=yes; shift;;
    -S|--no-ssh)    SSH=no; shift;;
    --)             shift; break;;
    # getopt only emits the tokens above, so anything else means the
    # option tables here and in the getopt call have drifted apart
    *)              echo "Internal error" >&2; exit 1;;
  esac
done
# This program takes no non-option arguments
if [ "$#" -gt 0 ]; then
  echo "Unknown arguments: '$*'" >&2
  exit 1
fi
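SECKEYFILE="$KEYDIR/seckey.txt"
PUBKEYFILE="$KEYDIR/pubkey.txt"

# Check for some invalid values
if [ ! -d "$KEYDIR" ]; then
  printf '%s not a directory\n' "$KEYDIR" >&2
  exit 1
fi
if [ ! -r "$KEYDIR" ]; then
  printf 'Directory %s not readable\n' "$KEYDIR" >&2
  exit 1
fi

#######################################
# Succeed if the argument is a non-empty string of decimal digits
# denoting at least 512, the smallest key length this script accepts.
# Non-numeric values are rejected here with a proper message instead
# of letting "[ ... -lt ... ]" abort with a shell diagnostic.
# Arguments: $1 - candidate key length
# Returns:   0 if valid, 1 otherwise
#######################################
valid_keylength() {
  case "$1" in
    ''|*[!0-9]*) return 1;;
  esac
  [ "$1" -ge 512 ]
}

if [ "$mode" = keygen ]; then
  if [ ! -w "$KEYDIR" ]; then
    printf 'Directory %s not writeable\n' "$KEYDIR" >&2
    exit 1
  fi
  if [ -z "$KEYTYPE" ]; then
    echo "Empty key type" >&2
    exit 1
  fi
  if [ -z "$SUBKEYTYPE" ]; then
    echo "Empty subkey type" >&2
    exit 1
  fi
  if [ -z "$KEYNAME" ]; then
    echo "Empty key name" >&2
    exit 1
  fi
  if ! valid_keylength "$KEYLENGTH"; then
    echo "Invalid key length" >&2
    exit 1
  fi
  # The subkey length goes into the GnuPG batch file just like the
  # primary key length, so it gets the same validation
  if ! valid_keylength "$SUBKEYLENGTH"; then
    echo "Invalid subkey length" >&2
    exit 1
  fi
  if [ -z "$KEYEXPIRE" ]; then
    echo "Empty key expiration" >&2
    exit 1
  fi
  # Make FORCE be 0 or 1
  case "$FORCE" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;
    [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;
  esac
  # Never clobber an existing key pair unless --force was given
  if [ "$FORCE" -eq 0 ] \
     && { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; }; then
    echo "Refusing to overwrite old key files; use --force" >&2
    exit 1
  fi
  # Set lines for GnuPG batch file; an unset line expands to an empty
  # line in the batch file, which GnuPG ignores
  if [ -n "$KEYCOMMENT" ]; then
    KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"
  fi
  if [ -n "$KEYEMAIL" ]; then
    KEYEMAILLINE="Name-Email: $KEYEMAIL"
  fi
  # Create temporary gpg batch file
  BATCHFILE=$(mktemp -t mandos-keygen-batch.XXXXXXXXXX)
fi
if [ "$mode" = password ]; then
  # Create temporary encrypted password file
  SECFILE=$(mktemp -t mandos-keygen-secfile.XXXXXXXXXX)
fi
# Create temporary key ring directory
RINGDIR=$(mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX)

#######################################
# Remove temporary files; runs on any exit path via the EXIT trap.
# Secret material is shredded rather than merely unlinked: "sec*"
# covers secring.gpg of GnuPG 1.x/2.0, while GnuPG 2.1 and later keep
# secret keys under private-keys-v1.d/, which is shredded as well
# before the key ring directory is removed.  Terminal echo is
# restored in case the passphrase prompt was interrupted.
# Globals:   SECFILE, BATCHFILE, RINGDIR (read)
# Arguments: none
#######################################
cleanup() {
  set +e
  test -n "$SECFILE" && shred --remove "$SECFILE"
  shred --remove "$RINGDIR"/sec* 2>/dev/null
  shred --remove "$RINGDIR"/private-keys-v1.d/* 2>/dev/null
  test -n "$BATCHFILE" && rm --force "$BATCHFILE"
  rm --recursive --force "$RINGDIR"
  tty --quiet && stty echo
}
# Remove temporary files on exit
trap cleanup EXIT

# Re-enable errexit explicitly: the shebang's -e is not applied when
# the script is invoked as "sh mandos-keygen"
set -e
# Everything created from here on (key files, exported config) must
# not be readable by other users
umask 077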
if [ "$mode" = keygen ]; then
  # Create batch file for GnuPG.  Lines starting with "#" are comments
  # to GnuPG and are written out as-is.
  cat >"$BATCHFILE" <<EOF
Key-Type: $KEYTYPE
Key-Length: $KEYLENGTH
Key-Usage: sign,auth
Subkey-Type: $SUBKEYTYPE
Subkey-Length: $SUBKEYLENGTH
Subkey-Usage: encrypt
Name-Real: $KEYNAME
$KEYCOMMENTLINE
$KEYEMAILLINE
Expire-Date: $KEYEXPIRE
#Preferences: <string>
#Handle: <no-spaces>
#%pubring pubring.gpg
#%secring secring.gpg
%commit
EOF
  # Only an interactive user gets the progress notes
  if tty --quiet; then
    cat <<EOF
Note: Due to entropy requirements, key generation could take
anything from a few minutes to SEVERAL HOURS. Please be
patient and/or supply the system with more entropy if needed.
EOF
    printf 'Started: %s\n' "$(date)"
  fi
  # Make sure trustdb.gpg exists;
  # this is a workaround for Debian bug #737128
  gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
    --homedir "$RINGDIR" \
    --import-ownertrust < /dev/null
  # Generate a new key in the key rings
  gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
    --homedir "$RINGDIR" --trust-model always \
    --gen-key "$BATCHFILE"
  rm --force "$BATCHFILE"
  if tty --quiet; then
    printf 'Finished: %s\n' "$(date)"
  fi
  # Backup any old key files.  GNU cp treats "cp --force --backup
  # FILE FILE" as a request for a backup of FILE, so a numbered backup
  # appears next to it; cp fails quietly when there is nothing to back
  # up.  The old secret key itself is shredded, not just unlinked.
  if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \
       2>/dev/null; then
    shred --remove "$SECKEYFILE"
  fi
  if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \
       2>/dev/null; then
    rm --force "$PUBKEYFILE"
  fi
  # Build the comment embedded in the armored key files
  FILECOMMENT="Mandos client key for $KEYNAME"
  [ "$KEYCOMMENT" = "$KEYCOMMENT_ORIG" ] \
    || FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"
  [ -z "$KEYEMAIL" ] \
    || FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"
  # Export key from key rings to key files
  gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
    --homedir "$RINGDIR" --armor --export-options export-minimal \
    --comment "$FILECOMMENT" --output "$SECKEYFILE" \
    --export-secret-keys
  gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
    --homedir "$RINGDIR" --armor --export-options export-minimal \
    --comment "$FILECOMMENT" --output "$PUBKEYFILE" --export
fi
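if [ "$mode" = password ]; then
  # Make SSH be 0 or 1
  case "$SSH" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;
    [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;
  esac
  # Host key of this machine, written into the generated client
  # section so the server's checker can verify the host.  Stays empty
  # with --no-ssh or when no host key could be obtained.
  ssh_fingerprint=""
  if [ "$SSH" -eq 1 ]; then
    for ssh_keytype in ed25519 rsa; do
      # The exit status is tested on the command itself: a failing
      # ssh-keyscan must not abort the script under errexit, and
      # inspecting $? after a following "set -e" would always see 0
      if ssh_fingerprint=$(ssh-keyscan -t "$ssh_keytype" localhost \
                             2>/dev/null); then
        if [ -n "$ssh_fingerprint" ]; then
          ssh_fingerprint="${ssh_fingerprint#localhost }"
          break
        fi
      else
        ssh_fingerprint=""
      fi
    done
  fi
  # Import key into temporary key rings
  gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
    --homedir "$RINGDIR" --trust-model always --armor \
    --import "$SECKEYFILE"
  gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
    --homedir "$RINGDIR" --trust-model always --armor \
    --import "$PUBKEYFILE"
  # Get fingerprint of key: the first "fpr:" record of the
  # colon-separated listing, which belongs to the primary key
  FINGERPRINT=$(gpg --quiet --batch --no-tty --no-options \
      --enable-dsa2 --homedir "$RINGDIR" --trust-model always \
      --fingerprint --with-colons \
    | sed --quiet \
      --expression='/^fpr:/{s/^fpr:.*:\([0-9A-Z]*\):$/\1/p;q}')
  if [ -z "$FINGERPRINT" ]; then
    printf 'Could not determine fingerprint of key in %s\n' \
      "$KEYDIR" >&2
    exit 1
  fi
  FILECOMMENT="Encrypted password for a Mandos client"
  # Encrypt the passphrase to the client key.  Loop until an
  # encrypted file was actually produced: a mismatched repeat on a
  # terminal empties the file and prompts again.
  while [ ! -s "$SECFILE" ]; do
    if [ -n "$PASSFILE" ]; then
      cat "$PASSFILE"
    else
      tty --quiet && stty -echo
      printf 'Enter passphrase: ' >&2
      # IFS= and -r keep the passphrase exactly as typed: no trimming
      # of surrounding blanks and no backslash processing, so the
      # stored secret matches what the client will be asked for
      IFS= read -r first
      tty --quiet && echo >&2
      printf 'Repeat passphrase: ' >&2
      IFS= read -r second
      if tty --quiet; then
        echo >&2
        stty echo
      fi
      if [ "$first" != "$second" ]; then
        echo "Passphrase mismatch" >&2
        touch "$RINGDIR"/mismatch
      else
        # printf, not echo: echo in /bin/sh may interpret backslash
        # sequences and leading "-n"
        printf '%s' "$first"
      fi
    fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
      --homedir "$RINGDIR" --trust-model always --armor \
      --encrypt --sign --recipient "$FINGERPRINT" --comment \
      "$FILECOMMENT" > "$SECFILE"
    # The marker file is the only channel out of the pipeline subshell
    if [ -e "$RINGDIR"/mismatch ]; then
      rm --force "$RINGDIR"/mismatch
      if tty --quiet; then
        > "$SECFILE"
      else
        exit 1
      fi
    fi
  done
  # Emit the client section for the Mandos server's clients.conf
  cat <<EOF
[$KEYNAME]
host = $KEYNAME
fingerprint = $FINGERPRINT
secret =
EOF
  # Armored message body only, indented as a continuation value
  sed --quiet --expression='
    /^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{
      /^$/,${
        # Remove 24-bit Radix-64 checksum
        s/=....$//
        # Indent four spaces
        /^[^-]/s/^/    /p
      }
    }' < "$SECFILE"
  if [ -n "$ssh_fingerprint" ]; then
    # "%%" is an escaped "%" for the server's config parser; the
    # double quotes are part of the shell command the server runs
    printf '%s\n' 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'
    printf 'ssh_fingerprint = %s\n' "$ssh_fingerprint"
  fi
fi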
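# Normal exit: clean up explicitly and disarm the EXIT trap so the
# same work is not attempted a second time
trap - EXIT
set +e
# Remove the password file, if any
if [ -n "$SECFILE" ]; then
  shred --remove "$SECFILE"
fi
# Remove the key rings.  Secret key material is shredded before the
# directory is unlinked: "sec*" matches secring.gpg of GnuPG 1.x/2.0,
# and private-keys-v1.d/ is where GnuPG 2.1 and later keep secret keys
shred --remove "$RINGDIR"/sec* 2>/dev/null
shred --remove "$RINGDIR"/private-keys-v1.d/* 2>/dev/null
rm --recursive --force "$RINGDIR"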