dowkd.in

   1 #!/usr/bin/perl
   2
   3 # Debian/OpenSSL Weak Key Detector
   4 #
   5 # Written by Florian Weimer <fw@deneb.enyo.de>, with blacklist data
   6 # from Kees Cook, Peter Palfrader and James Strandboge.
   7 #
   8 # Patches and comments are welcome.
   9
  10 use strict;
  11 use warnings;
  12
  13 sub help () {
  14     print <<EOF;
  15 usage: $0 [OPTIONS...] COMMAND [ARGUMENTS...]
  16
  17 COMMAND is one of:
  18
  19   file: examine files on the command line for weak keys
  20   host: examine the specified hosts for weak SSH keys
  21   user: examine user SSH keys for weakness; examine all users if no
  22         users are given
  23   help: show this help screen
  24
  25 OPTIONS is one pf:
  26
  27   -c FILE: set the database cache file name (default: dowkd.db)
  28
  29 dowkd currently handles OpenSSH host and user keys and OpenVPN shared
  30 secrets, as long as they use default key lengths and have been created
  31 on a little-endian architecture (such as i386 or amd64).  Note that
  32 the blacklist by dowkd may be incomplete; it is only intended as a
  33 quick check.
  34
  35 EOF
  36 }
  37
  38 use DB_File;
  39 use File::Temp;
  40 use Fcntl;
  41 use IO::Handle;
  42
  43 my $db_version = '1';
  44
  45 my $db_file = 'dowkd.db';
  46
  47 my $db;
  48 my %db;
  49
  50 sub create_db () {
  51     $db = tie %db, 'DB_File', $db_file, O_RDWR | O_CREAT, 0777, $DB_BTREE
  52         or die "error: could not open database: $!\n";
  53
  54     $db{''} = $db_version;
  55     while (my $line = <DATA>) {
  56         next if $line =~ /^\**$/;
  57         chomp $line;
  58         $line =~ /^[0-9a-f]{32}$/ or die "error: invalid data line";
  59         $line =~ s/(..)/chr(hex($1))/ge;
  60         $db{$line} = '';
  61     }
  62
  63     $db->sync;
  64 }
  65
  66 sub open_db () {
  67     if (-r $db_file) {
  68         $db = tie %db, 'DB_File', $db_file, O_RDONLY, 0777, $DB_BTREE
  69             or die "error: could not open database: $!\n";
  70         my $stored_version = $db{''};
  71         $stored_version && $stored_version eq $db_version or create_db;
  72     } else {
  73         unlink $db_file;
  74         create_db;
  75     }
  76 }
  77
  78 sub safe_backtick (@) {
  79     my @args = @_;
  80     my $fh;
  81     open $fh, '-|', @args
  82         or die "error: failed to spawn $args[0]: $!\n";
  83     my @result;
  84     if (wantarray) {
  85         @result = <$fh>;
  86     } else {
  87         local $/;
  88         @result = scalar(<$fh>);
  89     }
  90     close $fh;
  91     $? == 0 or return undef;
  92     if (wantarray) {
  93         return @result;
  94     } else {
  95         return $result[0];
  96     }
  97 }
  98
  99 my $keys_found = 0;
 100 my $keys_vulnerable = 0;
 101
 102 sub print_stats () {
 103     print STDERR "summary: keys found: $keys_found, weak keys: $keys_vulnerable\n";
 104 }
 105
 106 sub check_hash ($$) {
 107     my ($name, $hash) = @_;
 108     ++$keys_found;
 109     if (exists $db{$hash}) {
 110         ++$keys_vulnerable;
 111         print "$name: weak key\n";
 112     }
 113 }
 114
 115 sub ssh_fprint_file ($) {
 116     my $name = shift;
 117     my $data = safe_backtick qw/ssh-keygen -l -f/, $name;
 118     defined $data or return ();
 119     my @data = $data =~ /^(\d+) ([0-9a-f]{2}(?::[0-9a-f]{2}){15})/;
 120     return @data if @data == 2;
 121     return ();
 122 }
 123
 124 sub ssh_fprint_check ($$$) {
 125     my ($name, $length, $hash) = @_;
 126     if ($length == 1024 || $length == 2048) {
 127         $hash =~ y/://d;
 128         $hash =~ s/(..)/chr(hex($1))/ge;
 129         check_hash $name, $hash;
 130     } else {
 131         warn "$name: warning: no suitable blacklist\n";
 132     }
 133                       }
 134
 135 sub from_ssh_key_file ($) {
 136     my $name = shift;
 137     my ($length, $hash) = ssh_fprint_file $name;
 138     if ($length && $hash) {
 139         ssh_fprint_check "$name:1", $length, $hash;
 140     } else {
 141         warn "$name:1: warning: failed to parse SSH key file\n";
 142     }
 143 }
 144
 145 sub clear_tmp ($) {
 146     my $tmp = shift;
 147     seek $tmp, 0, 0 or die "seek: $!";
 148     truncate $tmp, 0 or die "truncate: $!";
 149 }
 150
 151 sub from_ssh_auth_file ($) {
 152     my $name = shift;
 153     my $auth;
 154     unless (open $auth, '<', $name) {
 155         warn "$name:0: error: open failed: $!\n";
 156         return;
 157     }
 158     my $tmp = new File::Temp;
 159     while (my $line = <$auth>) {
 160         chomp $line;
 161         my $lineno = $.;
 162         clear_tmp $tmp;
 163         print $tmp "$line\n" or die "print: $!";
 164         $tmp->flush;
 165         my ($length, $hash) = ssh_fprint_file "$tmp";
 166         if ($length && $hash) {
 167             ssh_fprint_check "$name:$lineno", $length, $hash;
 168         } else {
 169             warn "$name:$lineno: warning: unparsable line\n";
 170         }
 171     }
 172 }
 173
 174 sub from_openvpn_key ($) {
 175     my $name = shift;
 176     my $key;
 177     unless (open $key, '<', $name) {
 178         warn "$name:0: open failed: $!\n";
 179         return 1;
 180     }
 181
 182     my $marker;
 183     while (my $line = <$key>) {
 184         return 0 if $. > 10;
 185         if ($line =~ /^-----BEGIN OpenVPN Static key V1-----/) {
 186             $marker = 1;
 187         } elsif ($marker) {
 188             if ($line =~ /^([0-9a-f]{32})/) {
 189                 $line = $1;
 190                 $line =~ s/(..)/chr(hex($1))/ge;
 191                 check_hash "$name:$.", $line;
 192                 return 1;
 193             } else {
 194                 warn "$name:$.: warning: illegal OpenVPN file format\n";
 195                 return 1;
 196             }
 197         }
 198     }
 199 }
 200
 201 sub from_ssh_host (@) {
 202     my @names = @_;
 203     my @lines;
 204     push @lines, safe_backtick qw/ssh-keyscan -t rsa/, @names;
 205     push @lines, safe_backtick qw/ssh-keyscan -t dsa/, @names;
 206
 207     my $tmp = new File::Temp;
 208     for my $line (@lines) {
 209         next if $line =~ /^#/;
 210         my ($host, $data) = $line =~ /^(\S+) (.*)$/;
 211         clear_tmp $tmp;
 212         print $tmp "$data\n" or die "print: $!";
 213         $tmp->flush;
 214         my ($length, $hash) = ssh_fprint_file "$tmp";
 215         if ($length && $hash) {
 216             ssh_fprint_check "$host", $length, $hash;
 217         } else {
 218             warn "$host: warning: unparsable line\n";
 219         }
 220     }
 221 }
 222
 223 sub from_user ($) {
 224     my $user = shift;
 225     my ($name,$passwd,$uid,$gid,
 226         $quota,$comment,$gcos,$dir,$shell,$expire) = getpwnam($user);
 227     my $file = "$dir/.ssh/authorized_keys";
 228     from_ssh_auth_file $file if -r $file;
 229     $file = "$dir/.ssh/authorized_keys2";
 230     from_ssh_auth_file $file if -r $file;
 231     $file = "$dir/.ssh/id_rsa.pub";
 232     from_ssh_key_file $file if -r $file;
 233     $file = "$dir/.ssh/id_dsa.pub";
 234     from_ssh_key_file $file if -r $file;
 235 }
 236
 237 sub from_user_all () {
 238     setpwent;
 239     while (my $name = getpwent) {
 240         from_user $name;
 241     }
 242     endpwent;
 243 }
 244
 245 if (@ARGV && $ARGV[0] eq '-c') {
 246     shift @ARGV;
 247     $db_file = shift @ARGV if @ARGV;
 248 }
 249 if (@ARGV) {
 250     open_db;
 251     my $cmd = shift @ARGV;
 252     if ($cmd eq 'file') {
 253         for my $name (@ARGV) {
 254             next if from_openvpn_key $name;
 255             from_ssh_auth_file $name;
 256         }
 257     } elsif ($cmd eq 'host') {
 258         from_ssh_host @ARGV;
 259     } elsif ($cmd eq 'user') {
 260         if (@ARGV) {
 261             from_user $_ for @ARGV;
 262         } else {
 263             from_user_all;
 264         }
 265     } elsif ($cmd eq 'help') {
 266         help;
 267         exit 0;
 268     } else {
 269         die "error: invalid command, use \"help\" to get help\n";
 270     }
 271     print_stats;
 272 } else {
 273     help;
 274     exit 1;
 275 }
 276
 277 my %hash;
 278
 279 __DATA__