Expose key/cert fingerprint values in generateconfs to also enable easy use of

the added support for variable expansion of file contents there.
Add MD5 fingerprint for pub key as they are still around for SSH/SFTP.
Bump suggested RSA key bits to 4k to for common security recommendations while
at it.

Author: jonasbardino

mig/install/generateconfs.py

@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # generateconfs - create custom MiG server configuration files
-# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2025  The MiG Project
 #
 # This file is part of MiG.
 #
@@ -291,6 +291,9 @@ def main(argv, _generate_confs=generate_confs, _print=print):
         'enable_openid',
         'enable_gravatars',
         'enable_sitestatus',
+        'daemon_keycert_sha256',
+        'daemon_pubkey_md5',
+        'daemon_pubkey_sha256',
         'daemon_pubkey_from_dns',
         'seafile_ro_access',
         'public_use_https',

mig/shared/configuration.py

@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # configuration - configuration wrapper
-# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2025  The MiG Project by the Science HPC Center at UCPH
 #
 # This file is part of MiG.
 #

mig/shared/install.py

@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # install - MiG server install helpers
-# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2025  The MiG Project by the Science HPC Center at UCPH
 #
 # This file is part of MiG.
 #
@@ -412,7 +412,10 @@ def generate_confs(
     ext_oidc_rewrite_cookie='',
     dhparams_path='',
     daemon_keycert='',
+    daemon_keycert_sha256=keyword_auto,
     daemon_pubkey='',
+    daemon_pubkey_md5=keyword_auto,
+    daemon_pubkey_sha256=keyword_auto,
     daemon_pubkey_from_dns=False,
     daemon_show_address='',
     alias_field='',
@@ -730,7 +733,10 @@ def _generate_confs_prepare(
     ext_oidc_rewrite_cookie,
     dhparams_path,
     daemon_keycert,
+    daemon_keycert_sha256,
     daemon_pubkey,
+    daemon_pubkey_md5,
+    daemon_pubkey_sha256,
     daemon_pubkey_from_dns,
     daemon_show_address,
     alias_field,
@@ -999,9 +1005,9 @@ def _generate_confs_prepare(
     user_dict['__DHPARAMS_PATH__'] = dhparams_path
     user_dict['__DAEMON_KEYCERT__'] = daemon_keycert
     user_dict['__DAEMON_PUBKEY__'] = daemon_pubkey
-    user_dict['__DAEMON_KEYCERT_SHA256__'] = ''
-    user_dict['__DAEMON_PUBKEY_MD5__'] = ''
-    user_dict['__DAEMON_PUBKEY_SHA256__'] = ''
+    user_dict['__DAEMON_KEYCERT_SHA256__'] = daemon_keycert_sha256
+    user_dict['__DAEMON_PUBKEY_MD5__'] = daemon_pubkey_md5
+    user_dict['__DAEMON_PUBKEY_SHA256__'] = daemon_pubkey_sha256
     user_dict['__DAEMON_PUBKEY_FROM_DNS__'] = "%s" % daemon_pubkey_from_dns
     user_dict['__SFTP_PORT__'] = "%s" % sftp_port
     user_dict['__SFTP_SUBSYS_PORT__'] = "%s" % sftp_subsys_port
@@ -1925,15 +1931,19 @@ def _generate_confs_prepare(
 openssl dhparam 2048 -out %(__DHPARAMS_PATH__)s""" % user_dict)
             sys.exit(1)
 
-    # Auto-fill fingerprints if daemon key is set
+    # Auto-fill fingerprints if daemon key is set with AUTO fingerprint
     if user_dict['__DAEMON_KEYCERT__']:
         if not os.path.isfile(os.path.expanduser("%(__DAEMON_KEYCERT__)s" %
                                                  user_dict)):
             print("ERROR: requested daemon keycert file not found!")
-            print("""You can create it with:
-openssl genrsa -out %(__DAEMON_KEYCERT__)s 2048""" % user_dict)
+            print("""You can create it e.g. with:
+openssl genrsa -out %(__DAEMON_KEYCERT__)s 4096""" % user_dict)
             sys.exit(1)
+    else:
+        user_dict['__DAEMON_KEYCERT_SHA256__'] = ''
 
+    if user_dict['__DAEMON_KEYCERT__'] and keyword_auto in \
+            (daemon_keycert_sha256, ):
         key_path = os.path.expanduser(user_dict['__DAEMON_KEYCERT__'])
         openssl_cmd = ["openssl", "x509", "-noout", "-fingerprint", "-sha256",
                        "-in", key_path]
@@ -1948,15 +1958,21 @@ def _generate_confs_prepare(
             print("ERROR: failed to extract sha256 fingerprint of %s: %s" %
                   (key_path, exc))
             daemon_keycert_sha256 = ''
-        user_dict['__DAEMON_KEYCERT_SHA256__'] = daemon_keycert_sha256
+        if daemon_keycert_sha256 == keyword_auto:
+            user_dict['__DAEMON_KEYCERT_SHA256__'] = daemon_keycert_sha256
     if user_dict['__DAEMON_PUBKEY__']:
         if not os.path.isfile(os.path.expanduser("%(__DAEMON_PUBKEY__)s" %
                                                  user_dict)):
             print("ERROR: requested daemon pubkey file not found!")
             print("""You can create it with:
 ssh-keygen -f %(__DAEMON_KEYCERT__)s -y > %(__DAEMON_PUBKEY__)s""" % user_dict)
             sys.exit(1)
+    else:
+        user_dict['__DAEMON_PUBKEY_MD5__'] = ''
+        user_dict['__DAEMON_PUBKEY_SHA256__'] = ''
 
+    if user_dict['__DAEMON_PUBKEY__'] and keyword_auto in \
+            (daemon_pubkey_md5, daemon_pubkey_sha256):
         pubkey_path = os.path.expanduser(user_dict['__DAEMON_PUBKEY__'])
         pubkey = read_file(pubkey_path, None)
         if pubkey is None:
@@ -1974,9 +1990,12 @@ def _generate_confs_prepare(
         except Exception as exc:
             print("ERROR: failed to extract fingerprints of %s : %s" %
                   (pubkey_path, exc))
+            daemon_pubkey_md5 = ''
             daemon_pubkey_sha256 = ''
-        user_dict['__DAEMON_PUBKEY_MD5__'] = daemon_pubkey_md5
-        user_dict['__DAEMON_PUBKEY_SHA256__'] = daemon_pubkey_sha256
+        if daemon_pubkey_md5 == keyword_auto:
+            user_dict['__DAEMON_PUBKEY_MD5__'] = daemon_pubkey_md5
+        if daemon_pubkey_sha256 == keyword_auto:
+            user_dict['__DAEMON_PUBKEY_SHA256__'] = daemon_pubkey_sha256
 
     # Enable Debian/Ubuntu specific lines only there
     if user_dict['__DISTRO__'].lower() in ('ubuntu', 'debian'):