dowkd.in

   1 #!/usr/bin/perl
   2
   3 # Debian/OpenSSL Weak Key Detector
   4 #
   5 # Written by Florian Weimer <fw@deneb.enyo.de>, with blacklist data
   6 # from Kees Cook, Peter Palfrader and James Strandboge.
   7 #
   8 # Patches and comments are welcome.
   9
  10 use strict;
  11 use warnings;
  12
  13 sub help () {
  14     print <<EOF;
  15 usage: $0 [OPTIONS...] COMMAND [ARGUMENTS...]
  16
  17 COMMAND is one of:
  18
  19   file: examine files on the command line for weak keys
  20   host: examine the specified hosts for weak SSH keys
  21   user: examine user SSH keys for weakness; examine all users if no
  22         users are given
  23   help: show this help screen
  24
  25 OPTIONS is one pf:
  26
  27   -c FILE: set the database cache file name (default: dowkd.db)
  28
  29 dowkd currently handles OpenSSH host and user keys and OpenVPN shared
  30 secrets, as long as they use default key lengths and have been created
  31 on a little-endian architecture (such as i386 or amd64).  Note that
  32 the blacklist by dowkd may be incomplete; it is only intended as a
  33 quick check.
  34
  35 EOF
  36 }
  37
  38 use DB_File;
  39 use File::Temp;
  40 use Fcntl;
  41 use IO::Handle;
  42
  43 my $db_version = '1';
  44
  45 my $db_file = 'dowkd.db';
  46
  47 my $db;
  48 my %db;
  49
  50 sub create_db () {
  51     $db = tie %db, 'DB_File', $db_file, O_RDWR | O_CREAT, 0777, $DB_BTREE
  52         or die "error: could not open database: $!\n";
  53
  54     $db{''} = $db_version;
  55     while (my $line = <DATA>) {
  56         next if $line =~ /^\**$/;
  57         chomp $line;
  58         $line =~ /^[0-9a-f]{32}$/ or die "error: invalid data line";
  59         $line =~ s/(..)/chr(hex($1))/ge;
  60         $db{$line} = '';
  61     }
  62
  63     $db->sync;
  64 }
  65
  66 sub open_db () {
  67     if (-r $db_file) {
  68         $db = tie %db, 'DB_File', $db_file, O_RDONLY, 0777, $DB_BTREE
  69             or die "error: could not open database: $!\n";
  70         my $stored_version = $db{''};
  71         $stored_version && $stored_version eq $db_version or create_db;
  72     } else {
  73         unlink $db_file;
  74         create_db;
  75     }
  76 }
  77
  78 sub safe_backtick (@) {
  79     my @args = @_;
  80     my $fh;
  81     open $fh, '-|', @args
  82         or die "error: failed to spawn $args[0]: $!\n";
  83     my @result;
  84     if (wantarray) {
  85         @result = <$fh>;
  86     } else {
  87         local $/;
  88         @result = scalar(<$fh>);
  89     }
  90     close $fh;
  91     $? == 0 or return undef;
  92     if (wantarray) {
  93         return @result;
  94     } else {
  95         return $result[0];
  96     }
  97 }
  98
  99 sub check_hash ($$) {
 100     my ($name, $hash) = @_;
 101     if (exists $db{$hash}) {
 102         print "$name: weak key\n";
 103     }
 104 }
 105
 106 sub ssh_fprint_file ($) {
 107     my $name = shift;
 108     my $data = safe_backtick qw/ssh-keygen -l -f/, $name;
 109     defined $data or return ();
 110     my @data = $data =~ /^(\d+) ([0-9a-f]{2}(?::[0-9a-f]{2}){15})/;
 111     return @data if @data == 2;
 112     return ();
 113 }
 114
 115 sub ssh_fprint_check ($$$) {
 116     my ($name, $length, $hash) = @_;
 117     if ($length == 1024 || $length == 2048) {
 118         $hash =~ y/://d;
 119         $hash =~ s/(..)/chr(hex($1))/ge;
 120         check_hash $name, $hash;
 121     } else {
 122         warn "$name: warning: no suitable blacklist\n";
 123     }
 124                       }
 125
 126 sub from_ssh_key_file ($) {
 127     my $name = shift;
 128     my ($length, $hash) = ssh_fprint_file $name;
 129     if ($length && $hash) {
 130         ssh_fprint_check "$name:1", $length, $hash;
 131     } else {
 132         warn "$name:1: warning: failed to parse SSH key file\n";
 133     }
 134 }
 135
 136 sub clear_tmp ($) {
 137     my $tmp = shift;
 138     seek $tmp, 0, 0 or die "seek: $!";
 139     truncate $tmp, 0 or die "truncate: $!";
 140 }
 141
 142 sub from_ssh_auth_file ($) {
 143     my $name = shift;
 144     my $auth;
 145     unless (open $auth, '<', $name) {
 146         warn "$name:0: error: open failed: $!\n";
 147         return;
 148     }
 149     my $tmp = new File::Temp;
 150     while (my $line = <$auth>) {
 151         chomp $line;
 152         my $lineno = $.;
 153         clear_tmp $tmp;
 154         print $tmp "$line\n" or die "print: $!";
 155         $tmp->flush;
 156         my ($length, $hash) = ssh_fprint_file "$tmp";
 157         if ($length && $hash) {
 158             ssh_fprint_check "$name:$lineno", $length, $hash;
 159         } else {
 160             warn "$name:$lineno: warning: unparsable line\n";
 161         }
 162     }
 163 }
 164
 165 sub from_openvpn_key ($) {
 166     my $name = shift;
 167     my $key;
 168     unless (open $key, '<', $name) {
 169         warn "$name:0: open failed: $!\n";
 170         return 1;
 171     }
 172
 173     my $marker;
 174     while (my $line = <$key>) {
 175         return 0 if $. > 10;
 176         if ($line =~ /^-----BEGIN OpenVPN Static key V1-----/) {
 177             $marker = 1;
 178         } elsif ($marker) {
 179             if ($line =~ /^([0-9a-f]{32})/) {
 180                 $line = $1;
 181                 $line =~ s/(..)/chr(hex($1))/ge;
 182                 check_hash "$name:$.", $line;
 183                 return 1;
 184             } else {
 185                 warn "$name:$.: warning: illegal OpenVPN file format\n";
 186                 return 1;
 187             }
 188         }
 189     }
 190 }
 191
 192 sub from_ssh_host (@) {
 193     my @names = @_;
 194     my @lines;
 195     push @lines, safe_backtick qw/ssh-keyscan -t rsa/, @names;
 196     push @lines, safe_backtick qw/ssh-keyscan -t dsa/, @names;
 197
 198     my $tmp = new File::Temp;
 199     for my $line (@lines) {
 200         next if $line =~ /^#/;
 201         my ($host, $data) = $line =~ /^(\S+) (.*)$/;
 202         clear_tmp $tmp;
 203         print $tmp "$data\n" or die "print: $!";
 204         $tmp->flush;
 205         my ($length, $hash) = ssh_fprint_file "$tmp";
 206         if ($length && $hash) {
 207             ssh_fprint_check "$host", $length, $hash;
 208         } else {
 209             warn "$host: warning: unparsable line\n";
 210         }
 211     }
 212 }
 213
 214 sub from_user ($) {
 215     my $user = shift;
 216     my ($name,$passwd,$uid,$gid,
 217         $quota,$comment,$gcos,$dir,$shell,$expire) = getpwnam($user);
 218     my $file = "$dir/.ssh/authorized_keys";
 219     from_ssh_auth_file $file if -r $file;
 220     $file = "$dir/.ssh/id_rsa.pub";
 221     from_ssh_key_file $file if -r $file;
 222     $file = "$dir/.ssh/id_dsa.pub";
 223     from_ssh_key_file $file if -r $file;
 224 }
 225
 226 sub from_user_all () {
 227     setpwent;
 228     while (my $name = getpwent) {
 229         from_user $name;
 230     }
 231     endpwent;
 232 }
 233
 234 if (@ARGV && $ARGV[0] eq '-c') {
 235     shift @ARGV;
 236     $db_file = shift @ARGV if @ARGV;
 237 }
 238 if (@ARGV) {
 239     open_db;
 240     my $cmd = shift @ARGV;
 241     if ($cmd eq 'file') {
 242         for my $name (@ARGV) {
 243             next if from_openvpn_key $name;
 244             from_ssh_auth_file $name;
 245         }
 246     } elsif ($cmd eq 'host') {
 247         from_ssh_host @ARGV;
 248     } elsif ($cmd eq 'user') {
 249         if (@ARGV) {
 250             from_user $_ for @ARGV;
 251         } else {
 252             from_user_all;
 253         }
 254     } elsif ($cmd eq 'help') {
 255         help;
 256     } else {
 257         die "error: invalid command, use \"help\" to get help\n";
 258     }
 259 } else {
 260     help;
 261     exit 1;
 262 }
 263
 264 my %hash;
 265
 266 __DATA__