blob: d72c52b208b76fc6defe4e7e68fea2fda54fae0d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
|
#!/bin/sh
set -e
UUID_KKEY="7930cd94-b56e-4395-8859-f34da77f29be"
UUID_WKEY="9fcaf42a-86d5-4e70-828d-fd90aad2d964"
CRYPT_NAME="usbkey"
MOUNT_PATH="/media/usbkey"
op_mount() {
# First check if we have key drive
if [ ! -e "/dev/disk/by-uuid/$UUID_KKEY" ]; then
echo "Can't locate appropriate usb drive." >&2
exit 1
fi
# Decrypt drive
if [ -e "/dev/mapper/$CRYPT_NAME" ]; then
echo "USB key seems to be already decrypted" >&2
else
echo "Decrypting usb key" >&2
sudo -- cryptsetup open /dev/disk/by-uuid/"$UUID_KKEY" "$CRYPT_NAME"
fi
# Mount drive
if mount | grep -q "$MOUNT_PATH"; then
echo "USB key is already mounted" >&2
else
echo "Mounting usb key"
sudo -- mkdir -p "$MOUNT_PATH"
sudo -- mount -o uid="$(id -u)",gid="$(id -g)" "/dev/mapper/$CRYPT_NAME" "$MOUNT_PATH"
fi
echo "USB key drive mounted" >&2
}
op_unmount() {
# Unmount
if mount | grep -q "$MOUNT_PATH"; then
echo "Unmounting usb key" >&2
sync "$MOUNT_PATH"
sudo -- umount "$MOUNT_PATH"
fi
# Remove mount path
[ ! -d "$MOUNT_PATH" ] || sudo -- rmdir "$MOUNT_PATH"
# Close encryption
if [ -e "/dev/mapper/$CRYPT_NAME" ]; then
echo "Closing encryption on usb key" >&2
sudo -- cryptsetup close "$CRYPT_NAME"
fi
echo "USB key unmounted" >&2
}
check_mount() {
mount | grep "$MOUNT_PATH" | grep -q "/dev/mapper/$CRYPT_NAME"
}
op_sync() {
local DOUNMOUNT=false
if [ ! -e "/dev/disk/by-uuid/$UUID_WKEY" ]; then
echo "USB backup key seems to not be inserted. Please do so." >&2
exit 1
fi
if ! check_mount; then
DOUNMOUNT=true
op_mount
fi
# Mount backup usb
sudo -- cryptsetup open "/dev/disk/by-uuid/$UUID_WKEY" "$CRYPT_NAME-backup"
sudo -- mkdir -p "$MOUNT_PATH-backup"
sudo -- mount -o uid="$(id -u)",gid="$(id -g)" "/dev/mapper/$CRYPT_NAME-backup" "$MOUNT_PATH-backup"
# Sync them
rsync -ax --delete --progress "$MOUNT_PATH/" "$MOUNT_PATH-backup/"
# Unmount it
sudo -- umount "$MOUNT_PATH-backup"
sudo -- rmdir "$MOUNT_PATH-backup"
sudo -- cryptsetup close "$CRYPT_NAME-backup"
if $DOUNMOUNT; then
op_unmount
fi
echo "Sync process finished." >&2
}
op_gpg_import() {
# TODO
true
}
op_ssh_list() {
check_mount || op_mount
for KEY in $(find "$MOUNT_PATH/ssh" -name '*.pub'); do
local N="${KEY#$MOUNT_PATH/ssh/}"
echo -n "${N%.pub}: "
sed -n 's/ssh-rsa .* \(.*\)/\1/p' "$KEY"
done
}
check_name() {
if [ -z "$NAME" ]; then
echo "You have to specify key name!" >&2
exit 1
fi
}
op_ssh_generate() {
check_name
check_mount || op_mount
if [ -f "$MOUNT_PATH/ssh/$NAME" ]; then
echo "Key $NAME seems to already exists." >&2
exit 1
fi
echo -n "Please enter comment: "
read COMMENT
ssh-keygen -f "$MOUNT_PATH/ssh/$NAME" -C "$COMMENT"
echo "SSH key $NAME was generated." >&2
}
op_ssh_import() {
check_name
check_mount || op_mount
if [ -f "$MOUNT_PATH/ssh/$NAME" ] && [ -f "$MOUNT_PATH/ssh/$NAME.pub" ]; then
echo "There is no key named $NAME" >&2
exit 1
fi
cp "$MOUNT_PATH/ssh/$NAME" ~/.ssh/
cp "$MOUNT_PATH/ssh/$NAME.pub" ~/.ssh/
echo "SSH key $NAME copied to local .ssh directory." >&2
}
# Note OpenVPN: CA generated using following command
# openssl req -nodes -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
op_openvpn_list() {
check_mount || op_mount
for KEY in $(find "$MOUNT_PATH/openvpn" -name 'ca.crt' -o -name '*.crt' -print); do
local N="${KEY#$MOUNT_PATH/openvpn/}"
echo "${N%.crt}"
done
}
op_openvpn_get() {
check_name
check_mount || op_mount
if [ ! -f "$MOUNT_PATH/openvpn/$NAME.key" ] || [ ! -f "$MOUNT_PATH/openvpn/$NAME.crt" ]; then
echo "There is no OpenVPN key $NAME" >&2
exit 1
fi
mkdir "openvpn-$NAME"
cp "$MOUNT_PATH/openvpn/$NAME.key" "openvpn-$NAME/"
cp "$MOUNT_PATH/openvpn/$NAME.crl" "openvpn-$NAME/"
cp "$MOUNT_PATH/openvpn/ca.crt" "openvpn-$NAME/"
cp "$MOUNT_PATH/openvpn/ta.key" "openvpn-$NAME/"
echo "OpenVPN key $NAME copied to openvpn-$NAME directory." >&2
}
op_openvpn_generate() {
check_name
check_mount || op_mount
if [ -f "$MOUNT_PATH/openvpn/$NAME.key" ] && [ -f "$MOUNT_PATH/openvpn/$NAME.crt" ]; then
echo "OpenVPN key $NAME seems to already exists" >&2
exit 1
fi
(
cd "$MOUNT_PATH/openvpn"
# Build request
openssl req -batch -days 3650 -nodes -new -config "openssl.cnf" \
-keyout "$NAME.key" -out "$NAME.csr"
# Sign request
openssl ca -days 3650 -config "openssl.cnf" \
-out "$NAME.crt" -in "$NAME.csr"
)
echo "OpenVPN key $NAME was generated." >&2
}
unknown_argument() {
echo "Unknown argument: $1"
exit 1
}
# Parse operation (operation have to be first)
case "$1" in
-h|--help)
echo "Usb key manager"
echo "Usage: usbkey OPERATION ..."
echo
echo "Operations:"
echo " mount: Mount key of usb driver"
echo " unmount: Unmount usb driver"
echo " sync: Synchronize drive to bakup drive"
echo " gpg-import: Import gpg key"
echo " ssh-import: Import ssh key"
echo " ssh-generate: Generate new ssh key"
echo " ssh-list: List all ssh keys in store"
echo " openvpn-list: List all openvpn keys"
echo " openvpn-get: Get openvpn keys for some host"
echo " openvpn-generate: Generate openvpn key for new host"
exit 0
;;
mount|unmount|sync|gpg-import|ssh-import|ssh-generate|ssh-list|openvpn-list|openvpn-get|openvpn-generate)
OPERATION="$1"
;;
*)
unknown_argument "$1"
;;
esac
shift
# Parse rest of the arguments
while [ $# -gt 0 ]; do
case "$1" in
-h|--help)
echo "Usb key manager"
case "$OPERATION" in
mount|unmount|sync|ssh-list|openvn-list)
echo "Usage: usbkey $OPERATION [-h]"
;;
ssh-*|openvpn-*)
echo "Usage: usbkey $OPERATION NAME [-h]"
;;
# TODO
esac
exit 0
;;
*)
if [ -z "$NAME" ] && \
[ "$OPERATION" = "ssh-import" -o "$OPERATION" = "ssh-generate" -o \
"$OPERATION" = "openvpn-get" -o "$OPERATION" = "openvpn-generate" ] \
; then
NAME="$1"
else
unknown_argument "$1"
fi
;;
esac
shift
done
# Go to operation handler
eval "op_$(echo "$OPERATION" | tr '-' '_')"
|