PATH:
usr
/
libexec
#!/usr/bin/bash set -eu # shellcheck disable=SC2034 # prefix= is set because the default /etc contains "${prefix}" prefix="/usr" COCKPIT_CONFIG="/etc/cockpit" COCKPIT_WS_CERTS_D="${COCKPIT_CONFIG}/ws-certs.d" COCKPIT_RUNTIME_DIR="/run/cockpit" install_cert() { local destination="${COCKPIT_WS_CERTS_D}/$1" mv -Z "$1" "${destination}" # The certificate should be world-readable chmod a+r "${destination}" # Force flush to disk for embedded devices sync "${destination}" } install_key() { local destination="${COCKPIT_WS_CERTS_D}/$1" mv -Z "$1" "${destination}" # Force flush to disk for embedded devices sync "${destination}" } selfsign_sscg() { sscg --quiet \ --lifetime "${DAYS}" \ --cert-key-file "${KEYFILE}" \ --cert-file "${CERTFILE}" \ --ca-file "${CA_FILE}" \ --hostname "${HOSTNAME}" \ --organization "${MACHINE_ID:-unspecified}" \ --subject-alt-name localhost \ --subject-alt-name IP:127.0.0.1/255.255.255.255 } selfsign_openssl() { openssl req -x509 \ -days "${DAYS}" \ -newkey rsa \ -keyout "${KEYFILE}" \ -keyform PEM \ -nodes \ -out "${CERTFILE}" \ -outform PEM \ -subj "${MACHINE_ID:+/O=${MACHINE_ID}}/CN=${HOSTNAME}" \ -addext "subjectAltName=IP:127.0.0.1,DNS:localhost" \ -addext "basicConstraints = critical,CA:TRUE" \ -addext "keyUsage = critical,digitalSignature,cRLSign,keyCertSign,keyEncipherment,keyAgreement" \ -addext "extendedKeyUsage = serverAuth" } cmd_selfsign() { # Common variables used by both methods local MACHINE_ID if [ -e /etc/machine-id ]; then MACHINE_ID="$(tr -d -c '[:xdigit:]' < /etc/machine-id)" fi local HOSTNAME="${HOSTNAME:-$(hostname)}" local CERTFILE="0-self-signed.cert" local KEYFILE="0-self-signed.key" local CA_FILE="0-self-signed-ca.pem" # do not stomp over a partial key -- the admin tried to do something wrong if [ -e "${COCKPIT_WS_CERTS_D}/${KEYFILE}" ] && [ ! -e "${COCKPIT_WS_CERTS_D}/${CERTFILE}" ]; then echo "Error: Found $KEYFILE but no $CERTFILE. Please remove the key file first." >&2 exit 1 fi mkdir -pZ "$COCKPIT_WS_CERTS_D" # We renew certificates up to 30 days before expiry, so give ourselves a # year, plus 30 days. The maximum is variously mentioned to be 397 or 398. local DAYS=395 # If sscg fails, try openssl selfsign_sscg || selfsign_openssl # Install the files and set permissions ($CA_FILE is only created by sscg) test ! -e "${CA_FILE}" || install_cert "${CA_FILE}" install_cert "${CERTFILE}" install_key "${KEYFILE}" } cmd_ipa_request() { local USER="$1" # IPA operations require auth; read password from stdin to avoid quoting issues # if kinit fails, we can't handle this setup, exit cleanly kinit "${USER}@${REALM}" || exit 0 # ensure this gets run with a non-C locale; ipa fails otherwise if [ "$(sh -c 'eval `locale`; echo $LC_CTYPE')" = 'C' ]; then export LC_CTYPE=C.UTF-8 fi # create a kerberos Service Principal Name for cockpit-ws, unless already present ipa service-show "${SERVICE}" || \ ipa service-add --ok-as-delegate=true --ok-to-auth-as-delegate=true --force "${SERVICE}" # add cockpit-ws key, unless already present klist -k "${KEYTAB}" | grep -qF "${SERVICE}" || \ ipa-getkeytab -p "HTTP/${HOST}" -k "${KEYTAB}" # request the certificate and put it into our certificate directory, so that auto-refresh works mkdir -pZ "$COCKPIT_WS_CERTS_D" ipa-getcert request -f "${COCKPIT_WS_CERTS_D}/10-ipa.cert" -k "${COCKPIT_WS_CERTS_D}/10-ipa.key" -K "HTTP/${HOST}" -m 640 -o root:root -M 644 -w -v } cmd_ipa_cleanup() { # clean up keytab if [ -e "${KEYTAB}" ]; then ipa-rmkeytab -k "${KEYTAB}" -p "${SERVICE}" fi # clean up certificate; support both "copy" and "direct" modes from cmd_ipa_request() if [ -e "${COCKPIT_WS_CERTS_D}/10-ipa.key" ]; then rm "${COCKPIT_WS_CERTS_D}/10-ipa.cert" "${COCKPIT_WS_CERTS_D}/10-ipa.key" ipa-getcert stop-tracking -f "${COCKPIT_WS_CERTS_D}/10-ipa.cert" -k "${COCKPIT_WS_CERTS_D}/10-ipa.key" || \ ipa-getcert stop-tracking -f /run/cockpit/certificate-helper/10-ipa.cert -k /run/cockpit/certificate-helper/10-ipa.key fi } cmd_ipa() { local REALM="$2" local HOST HOST="$(hostname -f)" local SERVICE="HTTP/${HOST}@${REALM}" local KEYTAB="${COCKPIT_CONFIG}/krb5.keytab" # use a temporary keytab to avoid interfering with the system one export KRB5CCNAME=/run/cockpit/keytab-setup # not an IPA setup? cannot handle this if [ -z "$(which ipa)" ]; then echo 'ipa must be installed for this command' exit 1 fi case "$1" in request) cmd_ipa_request "$3" ;; cleanup) cmd_ipa_cleanup ;; *) echo 'unknown subcommand' exit 1 ;; esac } main() { # ipa-getkeytab needs root to create the file, same for cert installation if [ "$(id -u)" != "0" ]; then echo 'must be run as root' exit 1 fi # Create a private working directory mkdir -p "${COCKPIT_RUNTIME_DIR}" WORKDIR="${COCKPIT_RUNTIME_DIR}/certificate-helper" mkdir -m 700 "${WORKDIR}" # we expect that not to have existed trap 'exit' INT QUIT PIPE TERM trap 'rm -rf "${WORKDIR}"' EXIT cd "${WORKDIR}" # Dispatch subcommand case "$1" in selfsign) cmd_selfsign ;; ipa) shift cmd_ipa "$@" ;; *) echo 'unknown subcommand' exit 1 ;; esac } main "$@"
[+]
tuned
[-] rtkit-daemon
[edit]
[-] flatpak-session-helper
[edit]
[-] at-spi-bus-launcher
[edit]
[-] nfsrahead
[edit]
[+]
os-prober
[-] flatpak-portal
[edit]
[+]
coreutils
[+]
dpkg
[-] generate-rndc-key.sh
[edit]
[-] at-spi2-registryd
[edit]
[-] fips-setup-helper
[edit]
[-] nm-initrd-generator
[edit]
[+]
irqbalance
[+]
cloud-init
[-] platform-python3.9
[edit]
[+]
utempter
[-] scdaemon
[edit]
[-] cockpit-client
[edit]
[+]
microcode_ctl
[-] grepconf.sh
[edit]
[-] low-memory-monitor
[edit]
[-] loadmodules
[edit]
[+]
grubby
[-] revokefs-fuse
[edit]
[-] geoclue
[edit]
[+]
totem-pl-parser
[-] import-state
[edit]
[-] virt-what-cpuid-helper
[edit]
[-] nm-priv-helper
[edit]
[-] imunify-message-gateway
[edit]
[+]
gawk
[-] tracker-xdg-portal-3
[edit]
[-] dnf-utils
[edit]
[-] cockpit-certificate-helper
[edit]
[-] platform-python
[edit]
[-] keyboxd
[edit]
[-] flatpak-oci-authenticator
[edit]
[-] dconf-service
[edit]
[-] platform-python3.9-x86_64-config
[edit]
[-] vi
[edit]
[-] cockpit-tls
[edit]
[-] glib-pacrunner
[edit]
[+]
hostname
[-] arptables-helper
[edit]
[+]
linux-boot-probes
[-] realmd
[edit]
[+]
grub2
[-] exim.daemon
[edit]
[-] nm-daemon-helper
[edit]
[+]
bluetooth
[-] gpg-preset-passphrase
[edit]
[-] tracker-miner-fs-3
[edit]
[-] pk-offline-update
[edit]
[-] upowerd
[edit]
[-] report-command-error
[edit]
[-] xdg-permission-store
[edit]
[-] gpg-wks-client
[edit]
[-] tracker-miner-fs-control-3
[edit]
[-] cockpit-wsinstance-factory
[edit]
[-] platform-python3.9-config
[edit]
[+]
gcc
[+]
dovecot
[-] flatpak-system-helper
[edit]
[+]
awk
[-] tracker-extract-3
[edit]
[-] xdg-desktop-portal
[edit]
[-] mlocate-run-updatedb
[edit]
[+]
installkernel
[-] nm-dispatcher
[edit]
[+]
rsyslog
[+]
initscripts
[-] gpg-pair-tool
[edit]
[+]
openldap
[-] nm-dhcp-helper
[edit]
[-] flatpak-validate-icon
[edit]
[-] packagekitd
[edit]
[+]
geoclue-2.0
[+]
iptables
[-] gpg-check-pattern
[edit]
[-] cockpit-client.ui
[edit]
[-] platform-python-config
[edit]
[+]
selinux
[+]
psacct
[+]
cpanel-pdns
[-] gpg-protect-tool
[edit]
[+]
gstreamer-1.0
[+]
sssd
[+]
smartmontools
[-] cockpit-askpass
[edit]
[+]
nfs-utils
[+]
man-db
[-] packagekit-direct
[edit]
[+]
imunify-notifier
[+]
getconf
[-] fprintd
[edit]
[-] dirmngr_ldap
[edit]
[-] run-with-intensity
[edit]
[-] cockpit-session
[edit]
[-] cockpit-desktop
[edit]
[+]
openssh
[-] lvresize_fs_helper
[edit]
[-] cockpit-certificate-ensure
[edit]
[+]
p11-kit
[-] xdg-document-portal
[edit]
[-] cockpit-ws
[edit]
[+]
..
[-] arptables-nft-helper
[edit]
[+]
lsm.d
[+]
os-probes
[-] tracker-writeback-3
[edit]
[+]
tracker3
[+]
sudo
[+]
git-core
[-] xdg-desktop-portal-gtk
[edit]