use /dev/random for crypto-grade RNG with the help of haveged
Rather than pass `-r /dev/random` to ldns-keygen (it was `-r /dev/urandom`), don't pass `-r` at all since /dev/random is the default. Merges branch 'master' of github.com:pysiak/mailinabox
This commit is contained in:
commit
621fcc2233
11
setup/dns.sh
11
setup/dns.sh
@ -37,17 +37,16 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/keys.conf" ]; then
|
|||||||
|
|
||||||
# Create the Key-Signing Key (KSK) (-k) which is the so-called
|
# Create the Key-Signing Key (KSK) (-k) which is the so-called
|
||||||
# Secure Entry Point. Use a NSEC3-compatible algorithm (best
|
# Secure Entry Point. Use a NSEC3-compatible algorithm (best
|
||||||
# practice), and a nice and long keylength. Use /dev/urandom
|
# practice), and a nice and long keylength. The domain name we
|
||||||
# instead of /dev/random for noise or else we'll be waiting
|
# provide ("_domain_") doesn't matter -- we'll use the same
|
||||||
# a very long time. The domain name we provide ("_domain_")
|
# keys for all our domains.
|
||||||
# doesn't matter -- we'll use the same keys for all our domains.
|
KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 2048 -k _domain_);
|
||||||
KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 2048 -k -r /dev/urandom _domain_);
|
|
||||||
|
|
||||||
# Now create a Zone-Signing Key (ZSK) which is expected to be
|
# Now create a Zone-Signing Key (ZSK) which is expected to be
|
||||||
# rotated more often than a KSK, although we have no plans to
|
# rotated more often than a KSK, although we have no plans to
|
||||||
# rotate it (and doing so would be difficult to do without
|
# rotate it (and doing so would be difficult to do without
|
||||||
# disturbing DNS availability.) Omit '-k' and use a shorter key.
|
# disturbing DNS availability.) Omit '-k' and use a shorter key.
|
||||||
ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 -r /dev/urandom _domain_);
|
ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 _domain_);
|
||||||
|
|
||||||
# These generate two sets of files like:
|
# These generate two sets of files like:
|
||||||
# K_domain_.+007+08882.ds <- DS record for adding to NSD configuration files
|
# K_domain_.+007+08882.ds <- DS record for adding to NSD configuration files
|
||||||
|
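Review bot: With `-r /dev/urandom` dropped, the KSK and ZSK invocations of ldns-keygen now read the blocking device by default, so on a freshly provisioned machine with a shallow entropy pool this step can stall unless haveged is already running when this script executes — and the rewritten comment no longer says anything about the RNG, so that dependency is invisible to the next reader. Suggest a comment above the KSK line such as `# ldns-keygen reads /dev/random by default, which blocks when the kernel's entropy estimate is low; the haveged package installed earlier in setup is what keeps it fed.` On Linux the two devices appear to draw from the same pool once it is seeded, so the gain is presumably limited to the early-boot window — worth confirming rather than presenting the change as a strength upgrade. The `cd $STORAGE_ROOT/dns/dnssec` on both modified lines should quote the expansion (`cd "$STORAGE_ROOT/dns/dnssec"`). The enclosing `if [ ! -f ... ]` block starts and ends outside the hunk.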
@ -7,8 +7,12 @@ hide_output apt-get update
|
|||||||
hide_output apt-get -y upgrade
|
hide_output apt-get -y upgrade
|
||||||
|
|
||||||
# Install basic utilities.
|
# Install basic utilities.
|
||||||
|
#
|
||||||
|
# haveged: Provides extra entropy to /dev/random so it doesn't stall
|
||||||
|
# when generating random numbers for private keys (e.g. during
|
||||||
|
# ldns-keygen).
|
||||||
|
|
||||||
apt_install python3 python3-pip wget curl bind9-host
|
apt_install python3 python3-pip wget curl bind9-host haveged
|
||||||
|
|
||||||
# Turn on basic services:
|
# Turn on basic services:
|
||||||
#
|
#
|
||||||
|
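Review bot: Adding haveged to the apt_install line only helps the ldns-keygen change if the daemon is actually running before the DNS key-generation step, which the hunk does not check or state; if the package's own service start on install is what is relied on, the comment should say so, e.g. `# haveged must be running before the DNSSEC keys are generated; we rely on the package starting its service at install time.` The comment's "so it doesn't stall" is the right framing; consider also noting, hedged, that haveged draws on CPU timing jitter whose unpredictability on virtualized hosts has been questioned, so this is a stall mitigation rather than a guarantee of entropy quality.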
@ -36,7 +36,7 @@ if [ ! -d /usr/local/lib/roundcubemail ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Generate a safe 24-character secret key of safe characters.
|
# Generate a safe 24-character secret key of safe characters.
|
||||||
SECRET_KEY=$(dd if=/dev/urandom bs=20 count=1 2>/dev/null | base64 | fold -w 24 | head -n 1)
|
SECRET_KEY=$(dd if=/dev/random bs=20 count=1 2>/dev/null | base64 | fold -w 24 | head -n 1)
|
||||||
|
|
||||||
# Create a configuration file.
|
# Create a configuration file.
|
||||||
#
|
#
|
||||||
|
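Review bot: `dd if=/dev/random bs=20 count=1` can return fewer than 20 bytes, because dd treats a short read as one (partial) block toward `count` unless `iflag=fullblock` is given, and the blocking device hands back partial reads when the pool is low; with /dev/urandom a 20-byte read never came up short, so the change can silently yield a SECRET_KEY shorter than the 24 characters the comment promises. Use a reader that loops until the byte count is met: `SECRET_KEY=$(head -c 20 /dev/random | base64 | fold -w 24 | head -n 1)` (or GNU dd's `iflag=fullblock`). The `2>/dev/null` on the old line would also have hidden any dd error, which is worth a short comment if it is intentional.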