Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / usr / bin / nessus-mkcert-client < prev next >

Wrap

Text File | 2006-03-29 | 12.2 KB | 471 lines

#!/bin/sh # # nessus-mkcert-client # # Written by Michel Arboi <arboi@alussinan.org> from nessus-mkcert # # This script is distributed under the Gnu General Public License (GPL) # case `echo -n` in \-n) Xn= ; Xc='\c' ;; *) Xn=-n ; Xc= esac umask 022 prefix=/usr datadir=/usr/share sysconfdir=/etc localstatedir=/var/lib sharedstatedir=${prefix}/com sbindir=${prefix}/sbin bindir=${prefix}/bin egdpath=@egdpath@ is_cygwin=@is_cygwin@ RANDFLAG="" test -n "$egdpath" && { RANDFLAG="-rand $egdpath" } PATH=$PATH:$sbindir:$bindir:/usr/ssl/bin:/usr/local/ssl/bin:/opt/ssl/bin # check if gettext is present if [ -f /usr/bin/gettext.sh ]; then # initialize gettext . gettext.sh export TEXTDOMAIN=nessus-scripts export TEXTDOMAINDIR=/usr/share/locale else # define dummy functions gettext () { echo $Xn "$1" $Xc } eval_gettext () { eval_gettext_var="echo $1" echo $Xn `eval $eval_gettext_var` $Xc } fi Bo='(' Bc=')' Hash='#' echo_no_nl () { echo $Xn "$*$Xc" } header() { clear echo "-------------------------------------------------------------------------------" gettext " Creation Nessus SSL Client Certificate"; echo echo "-------------------------------------------------------------------------------" echo } # # # We need openssl # case `openssl version` in OpenSSL*) ;; *) gettext "OpenSSL is not properly installed: The 'openssl' command line utility could not be found (is your \$PATH set properly?)"; echo exit 1 esac # Check environment if [ -z "$HOME" ]; then gettext "\$HOME should be defined." 1>&2; echo; exit 1 fi # # If EGD is not installed, we have to rely on other sources # of entropy # test -z "$RANDFLAG" -a -z "$RANDFILE" && { if [ ! -r /dev/random -a ! -r /dev/urandom -a ! -r $HOME/.rnd ]; then header gettext "You do not have any suitable random source."; echo gettext "You will be asked to type a few random keys on your keyboard to generate random bytes."; echo nessus-mkrand $HOME/.rnd 1024 gettext "Press [ENTER] to continue..."; echo fi } NESSUSPRIV="$localstatedir/nessus/CA" NESSUSPUB="$sharedstatedir/nessus/CA" while [ ! -d "$NESSUSPRIV" ]; do gettext "Nessus server 'private' directory: " read NESSUSPRIV done while [ ! -d "$NESSUSPUB" ]; do gettext "Nessus server 'public' directory: " read NESSUSPUB done CAKEY=$NESSUSPRIV/cakey.pem CACERT=$NESSUSPUB/cacert.pem while [ ! -f "$CAKEY" ]; do eval_gettext "\$CAKEY: not found or not a file." gettext "Nessus CA private key: " read CAKEY done while [ ! -f "$CACERT" ]; do eval_gettext "\$CACERT: not found or not a file." gettext "Nessus CA certificate: " read CACERT done for F in "$CAKEY" "$CACERT"; do if [ ! -r "$F" ]; then eval_gettext "Cannot read \$F" 1>&2; echo; exit 1 fi done R=x while [ "$R" != `gettext "y"` -a "$R" != `gettext "n"` ]; do gettext "Do you want to register the users in the Nessus server as soon as you create their certificates? (y/n): " read R done if [ "$R" = `gettext "y"` ]; then USERSDIR=$localstatedir/nessus/users while [ ! -d "$USERSDIR" ]; do eval_gettext "\$USERSDIR: not a directory."; echo gettext "Users directory? " read USERSDIR done else USERSDIR="" fi umask 066 # Set environment BASEDIR=${TMPDIR-/tmp}/nessus-mkcert.$$ mkdir $BASEDIR || exit 1 gettext "This script will now ask you the relevant information to create the SSL client certificates for Nessus."; echo gettext "Client certificates life time in days [365]: "; read x DFL_CERT_LIFETIME=${x:-365} # Default country = France - Too bad for you, but quicker for my tests! if [ ! -z "$LANG" ]; then DC=`echo $LANG | sed -n 's/^..*_$..$$/\1/p'` fi X=${DC:=FR} eval_gettext "Your country \${Bo}two letter code\${Bc} [\$X]: "; read x DFL_COUNTRY=${x:-$DC} gettext "Your state or province name [none]: "; read DFL_PROVINCE X=Paris; eval_gettext "Your location \${Bo}e.g. town\${Bc} [\$X]: "; read x DFL_LOCATION=${x:-$X} gettext "Your organization [none]: "; read DFL_ORGANIZATION gettext "Your organizational unit [none]: "; read DFL_ORGUNIT # cat <<EOF>$BASEDIR/stdC.cnf RANDFILE = $HOME/.rnd # [ ca ] default_ca = NessusCA [ NessusCA ] dir = $BASEDIR # Where everything is kept certs = \$dir # Where the issued certs are kept crl_dir = \$dir # Where the issued crl are kept database = \$dir/index.txt # database index file. new_certs_dir = \$dir # default place for new certs. certificate = $CACERT # The CA certificate serial = \$dir/serial # The current serial number crl = \$dir/crl.pem # The current CRL private_key = $CAKEY # The private key x509_extensions = usr_cert # The extentions to add to the cert crl_extensions = crl_ext default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # which md to use. preserve = no # keep passed DN ordering policy = policy_anything [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 1024 distinguished_name = req_distinguished_name # attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = FR countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Some-State localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Internet Widgits Pty Ltd # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 emailAddress = Email Address emailAddress_max = 40 # SET-ex3 = SET extension number 3 [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. #basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = nsCertType # For normal client use this is typical # nsCertType = client, email nsCertType = client keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always # This stuff is for subjectAltName and issuerAltname. # Import the email address. subjectAltName=email:copy # Copy subject details issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName [ v3_ca ] # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always # This is what PKIX recommends but some broken software chokes on critical # extensions. basicConstraints = critical,CA:true # So we do this instead. #basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. keyUsage = cRLSign, keyCertSign nsCertType = sslCA EOF # echo 01 > $BASEDIR/serial touch $BASEDIR/index.txt echo "**********" gettext "We are going to ask you some question for each client certificate. "; echo gettext "If some question has a default answer, you can force an empty answer by entering a single dot '.'"; echo echo "*********" I=1; ANOTHER=`gettext "y"` while [ "$ANOTHER" != `gettext "n"` ]; do PSEUDO="" while [ -z "$PSEUDO" ]; do eval_gettext "User \${Hash}\$I name \${Bo}e.g. Nessus username\${Bc}: " read PSEUDO CERTFILE="$BASEDIR/cert_$PSEUDO.pem" KEYFILE="$BASEDIR/key_$PSEUDO.pem" REQFILE="$BASEDIR/req_$PSEUDO.pem" DNFILE="$USERSDIR/$PSEUDO/auth/dname" # Not wise if USERSDIR is not set if [ -f "$CERTFILE" -o -f "$KEYFILE" -o -f "$DNFILE" ]; then A="" while [ -z "$A" ]; do gettext "Certificate, key or Nessus DN file(s) already exist."; echo gettext "Do you want to go on and overwrite it/them? (y/n) " read A if [ "$A" = `gettext "n"` ]; then PSEUDO=""; fi done fi done eval_gettext "Client certificates life time in days [\$DFL_CERT_LIFETIME]: " read x CERT_LIFETIME=${x:-$DFL_CERT_LIFETIME} X=$DFL_COUNTRY eval_gettext "Country \${Bo}two letter code\${Bc} [\$X]: "; read x COUNTRY=${x:-$DFL_COUNTRY} X=$DFL_PROVINCE eval_gettext "State or province name [\$X]: "; read x PROVINCE=${x:-$DFL_PROVINCE} X=$DFL_LOCATION eval_gettext "Location \${Bo}e.g. town\${Bc} [\$X]: "; read x LOCATION=${x:-$DFL_LOCATION} X=$DFL_ORGANIZATION eval_gettext "Organization [\$X]: "; read x ORGANIZATION=${x:-$DFL_ORGANIZATION} X=$DFL_ORGUNIT eval_gettext "Organization unit [\$X]: "; read x ORGUNIT=${x:-$DFL_ORGUNIT} gettext "e-Mail []: "; read EMAIL # Client key openssl genrsa -out $KEYFILE 1024 # Client certificate "request" echo "${COUNTRY:-.} ${PROVINCE:-.} ${LOCATION:-.} ${ORGANIZATION:-.} ${ORGUNIT:-.} $PSEUDO ${EMAIL:-.}" | openssl req -config $BASEDIR/stdC.cnf -new -key $KEYFILE -out $REQFILE # Sign the client certificate openssl ca -config $BASEDIR/stdC.cnf -name NessusCA -batch -days $CERT_LIFETIME -in $REQFILE -out $CERTFILE # Create export file for NessusWX NWX_CERTFILE=$BASEDIR/cert_nessuswx_$PSEUDO.pem cp $CERTFILE $NWX_CERTFILE cat $KEYFILE >> $NWX_CERTFILE chmod a+r $CERTFILE chmod a+r $NWX_CERTFILE if [ ! -z "$USERSDIR" ]; then # # create the auth dir, which contains the user rules, # password or cert, and plugin acl D="$USERSDIR/$PSEUDO/auth" if [ ! -d "$D" ]; then mkdir -p "$D" chmod 700 "$D" fi # # create the user auth/rules file # R="$USERSDIR/$PSEUDO/auth/rules" echo gettext "User rules"; echo echo "----------" eval_gettext "nessusd has a rules system which allows you to restrict the hosts that \$login has the right to test."; echo gettext "For instance, you may want him to be able to scan his own host only."; echo echo gettext "Please see the nessus-adduser(8) man page for the rules syntax."; echo echo gettext "Enter the rules for this user, and hit ctrl-D once you are done:"; echo tmpAddUserFile=$TMPDIR/rules.$$ gettext "(the user can have an empty rules set)"; echo cat > $tmpAddUserFile || { echo "Error - could not write $tmpAddUserFile" exit 1 } cp $tmpAddUserFile "$USERSDIR/$PSEUDO/auth/rules" rm $tmpAddUserFile # # create the cert authentication file auth/dname # > $DNFILE [ ! -z "$COUNTRY" -a "$COUNTRY" != "." ] && echo_no_nl "/C=$COUNTRY" >> $DNFILE [ ! -z "$PROVINCE" -a "$PROVINCE" != "." ] && echo_no_nl "/ST=$PROVINCE" >> $DNFILE [ ! -z "$LOCATION" -a "$LOCATION" != "." ] && echo_no_nl "/L=$LOCATION" >> $DNFILE [ ! -z "$ORGANIZATION" -a "$ORGANIZATION" != "." ] && echo_no_nl "/O=$ORGANIZATION" >> $DNFILE [ ! -z "$ORGUNIT" -a "$ORGUNIT" != "." ] && echo_no_nl "/OU=$ORGUNIT" >> $DNFILE echo_no_nl "/CN=$PSEUDO" >> $DNFILE [ ! -z "$EMAIL" ] && echo_no_nl "/emailAddress=$EMAIL" >> $DNFILE # # create the plugins dir, which contains the user plugins # E="$USERSDIR/$PSEUDO/plugins" if [ ! -d "$E" ]; then mkdir -p "$E" chmod 700 "$E" fi gettext "User added to Nessus."; echo fi gettext "Another client certificate? (y/n) " read ANOTHER I=`expr $I + 1` done eval_gettext "Your client certificates are in \$BASEDIR."; echo gettext "You will have to copy them by hand."; echo