#!/bin/bash # command info if [ "$1" == "" ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then echo "small config script to set a passwords A,B,C & D" echo "blitz.passwords.sh set a [?newpassword] " echo "blitz.passwords.sh set b [?newpassword] " echo "blitz.passwords.sh set c [?oldpassword] [?newpassword] " # will change lnd & core lightning if installed echo "blitz.passwords.sh check [a|b|c] [passwordToCheck]" echo "or just as a password enter dialog (result as file)" echo "blitz.passworda.sh set [x] [text] [result-file] [?empty-allowed]" exit 1 fi # check if started with sudo echo "runningUser='$EUID'" if [ "$EUID" -ne 0 ]; then echo "error='need user root'" exit 1 fi # prepare hased password storage hashedPasswordSalt="" hashedPasswordStoragePath="/mnt/hdd/app-data/passwords" if [ $(df | grep -c "/mnt/hdd") -gt 0 ]; then # check if path & salt file exists if [ $(ls ${hashedPasswordStoragePath}/salt.txt | grep -c "salt.txt") -eq 0 ]; then echo "# creating salt & hashedPasswordStoragePath ..." mkdir -p ${hashedPasswordStoragePath} echo "$RANDOM-$(date +%N)" | shasum -a 512 | cut -d " " -f1 | cut -c 1-16 > ${hashedPasswordStoragePath}/salt.txt chmod 660 ${hashedPasswordStoragePath}/salt.txt chown -R admin:admin ${hashedPasswordStoragePath} else echo "# salt file exists" fi hashedPasswordSalt=$(cat ${hashedPasswordStoragePath}/salt.txt) else echo "error='hdd not mounted yet - cannot set/check blitz passwords yet'" echo "correct=0" exit 1 fi ############################ # CHECKING PASSWORDS ############################ if [ "$1" == "check" ]; then # brute force protection # if there was another try within last minute add another 3 seconds delay protection source <(/home/admin/_cache.sh meta system_password_bruteforceprotection) /home/admin/_cache.sh set system_password_bruteforceprotection on 60 if [ "${value}" == "on" ] && [ "${stillvalid}" == "1" ]; then echo "# multiple tries within last minute - respond slow" sleep 5 # advanced brute force protection else echo "# first try within last minute - respond fast" sleep 1 # basic brute force protection fi typeOfPassword=$2 if [ "${typeOfPassword}" != "a" ] && [ "${typeOfPassword}" != "b" ] && [ "${typeOfPassword}" != "c" ]; then echo "error='unknown password to check'" echo "correct=0" exit 1 fi passwordToCheck=$3 clearedPassword=$(echo "${passwordToCheck}" | tr -dc '[:alnum:]-.' | tr -d ' ') if [ ${#clearedPassword} -lt ${#passwordToCheck} ]; then echo "error='password to check contains unvalid chars'" echo "correct=0" exit 1 fi passwordHashSystem=$(cat ${hashedPasswordStoragePath}/${typeOfPassword}.hash 2>/dev/null) passwordHashTest=$(mkpasswd -m sha-512 "${passwordToCheck}" -S "${hashedPasswordSalt:0:16}") #echo "# passwordToCheck(${passwordToCheck})" #echo "# passwordHashSystem(${passwordHashSystem})" #echo "# hashedPasswordSalt(${hashedPasswordSalt})" #echo "# passwordHashTest(${passwordHashTest})" if [ ${#passwordHashSystem} -eq 0 ]; then echo "error='password cannot be checked - no hash available'" echo "correct=0" exit 1 fi if [ "${passwordHashSystem}" == "${passwordHashTest}" ]; then echo "correct=1" else echo "correct=0" fi exit fi ############################ # SETTING PASSWORDS ############################ if [ "$1" != "set" ]; then echo "error='unkown parameter'" exit 1 fi # load raspiblitz config (if available) source /home/admin/raspiblitz.info source /mnt/hdd/raspiblitz.conf if [ ${#network} -eq 0 ]; then network="bitcoin" fi if [ ${#chain} -eq 0 ]; then chain="main" fi # 1. parameter [?a|b|c] abcd=$2 # run interactive if no further parameters reboot=0; OPTIONS=() if [ ${#abcd} -eq 0 ]; then reboot=1; emptyAllowed=1 OPTIONS+=(A "Master Login Password") OPTIONS+=(B "RPC/App Password") if [ "${lightning}" == "lnd" ] || [ "${lnd}" == "on" ]; then OPTIONS+=(C "LND Lightning Wallet Password") fi if [ "${cl}" == "on" ] && [ "${clEncryptedHSM}" == "on" ]; then OPTIONS+=(CL "C-Lightning Wallet Password") fi CHOICE=$(dialog --clear \ --backtitle "RaspiBlitz" \ --title "Set Password" \ --menu "Which password to change?" \ 11 50 7 \ "${OPTIONS[@]}" \ 2>&1 >/dev/tty) clear case $CHOICE in A) abcd='a'; ;; B) abcd='b'; ;; C) abcd='c'; ;; D) abcd='d'; ;; CL) abcd='cl'; ;; *) exit 0 ;; esac fi ############################ # PASSWORD A if [ "${abcd}" = "a" ]; then newPassword=$3 # if no password given by parameter - ask by dialog if [ ${#newPassword} -eq 0 ]; then clear # ask user for new password A (first time) password1=$(whiptail --passwordbox "\nSet new Admin/SSH Password A:\n(min 8chars, 1word, chars+number, no specials)" 10 52 "" --title "Password A" --backtitle "RaspiBlitz - Setup" 3>&1 1>&2 2>&3) if [ $? -eq 1 ]; then if [ ${emptyAllowed} -eq 0 ]; then echo "# CANCEL not possible" sleep 2 else exit 0 fi fi # ask user for new password A (second time) password2=$(whiptail --passwordbox "\nRe-Enter Password A:\n(This is new password to login per SSH)" 10 52 "" --title "Password A" --backtitle "RaspiBlitz - Setup" 3>&1 1>&2 2>&3) if [ $? -eq 1 ]; then if [ ${emptyAllowed} -eq 0 ]; then echo "# CANCEL not possible" sleep 2 else exit 0 fi fi # check if passwords match if [ "${password1}" != "${password2}" ]; then dialog --backtitle "RaspiBlitz - Setup" --msgbox "FAIL -> Passwords dont Match\nPlease try again ..." 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set a exit 0 fi # password zero if [ ${#password1} -eq 0 ]; then dialog --backtitle "RaspiBlitz - Setup" --msgbox "FAIL -> Password cannot be empty\nPlease try again ..." 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set a exit 0 fi # check that password does not contain bad characters clearedResult=$(echo "${password1}" | tr -dc '[:alnum:]-.' | tr -d ' ') if [ ${#clearedResult} != ${#password1} ] || [ ${#clearedResult} -eq 0 ]; then dialog --backtitle "RaspiBlitz - Setup" --msgbox "FAIL -> Contains bad characters (spaces, special chars)\nPlease try again ..." 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set a exit 0 fi # password longer than 8 if [ ${#password1} -lt 8 ]; then dialog --backtitle "RaspiBlitz - Setup" --msgbox "FAIL -> Password length under 8\nPlease try again ..." 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set a exit 0 fi # use entered password now as parameter newPassword="${password1}" fi # store password hash mkpasswd -m sha-512 "${newPassword}" -S "${hashedPasswordSalt:0:16}" > ${hashedPasswordStoragePath}/a.hash chown admin:admin ${hashedPasswordStoragePath}/a.hash chmod 660 ${hashedPasswordStoragePath}/a.hash # change user passwords and then change hostname echo "pi:$newPassword" | sudo chpasswd echo "root:$newPassword" | sudo chpasswd echo "bitcoin:$newPassword" | sudo chpasswd echo "admin:$newPassword" | sudo chpasswd sleep 1 echo "# OK - password A changed for user pi, root, admin & bitcoin" echo "error=''" ############################ # PASSWORD B elif [ "${abcd}" = "b" ]; then newPassword=$3 # if no password given by parameter - ask by dialog if [ ${#newPassword} -eq 0 ]; then clear # ask user for new password B (first time) password1=$(whiptail --passwordbox "\nPlease enter your new Password B:\n(min 8chars, 1word, chars+number, no specials)" 10 52 "" --title "Password B" --backtitle "RaspiBlitz - Setup" 3>&1 1>&2 2>&3) if [ $? -eq 1 ]; then if [ "${emptyAllowed}" == "0" ]; then echo "# CANCEL not possible" sleep 2 else exit 0 fi fi # ask user for new password B (second time) password2=$(whiptail --passwordbox "\nRe-Enter Password B:\n" 10 52 "" --title "Password B" --backtitle "RaspiBlitz - Setup" 3>&1 1>&2 2>&3) if [ $? -eq 1 ]; then if [ "${emptyAllowed}" == "0" ]; then echo "# CANCEL not possible" sleep 2 else exit 0 fi fi # check if passwords match if [ "${password1}" != "${password2}" ]; then dialog --backtitle "RaspiBlitz - Setup" --msgbox "FAIL -> Passwords dont Match\nPlease try again ..." 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set b exit 0 fi # password zero if [ ${#password1} -eq 0 ]; then dialog --backtitle "RaspiBlitz - Setup" --msgbox "FAIL -> Password cannot be empty\nPlease try again ..." 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set b exit 0 fi # check that password does not contain bad characters clearedResult=$(echo "${password1}" | tr -dc '[:alnum:]-.' | tr -d ' ') if [ ${#clearedResult} != ${#password1} ] || [ ${#clearedResult} -eq 0 ]; then dialog --backtitle "RaspiBlitz - Setup" --msgbox "FAIL -> Contains bad characters (spaces, special chars)\nPlease try again ..." 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set b exit 0 fi # password longer than 8 if [ ${#password1} -lt 8 ]; then dialog --backtitle "RaspiBlitz - Setup" --msgbox "FAIL -> Password length under 8\nPlease try again ..." 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set b exit 0 fi # use entered password now as parameter newPassword="${password1}" fi # store password hash mkpasswd -m sha-512 "${newPassword}" -S "${hashedPasswordSalt:0:16}" > ${hashedPasswordStoragePath}/b.hash chown admin:admin ${hashedPasswordStoragePath}/b.hash chmod 660 ${hashedPasswordStoragePath}/b.hash # change in assets (just in case this is used on setup) sed -i "s/^rpcpassword=.*/rpcpassword=${newPassword}/g" /home/admin/assets/${network}.conf 2>/dev/null # change in real configs sed -i "s/^rpcpassword=.*/rpcpassword=${newPassword}/g" /mnt/hdd/${network}/${network}.conf 2>/dev/null sed -i "s/^rpcpassword=.*/rpcpassword=${newPassword}/g" /home/admin/.${network}/${network}.conf 2>/dev/null # NOTE: now other bonus apps configs that need passwordB need to be adapted manually # bonus apps that use a "prestart" will adapt themselves on service restart after reboot # blitzweb if ! [ -f /etc/nginx/.htpasswd ]; then echo "${newPassword}" | sudo htpasswd -ci /etc/nginx/.htpasswd admin else echo "${newPassword}" | sudo htpasswd -i /etc/nginx/.htpasswd admin fi # electrs if [ "${ElectRS}" == "on" ]; then echo "# changing the RPC password for ELECTRS" RPC_USER=$(cat /mnt/hdd/bitcoin/bitcoin.conf | grep rpcuser | cut -c 9-) sudo sed -i "s/^auth = \"$RPC_USER.*\"/auth = \"$RPC_USER:${newPassword}\"/g" /home/electrs/.electrs/config.toml fi # BTCPayServer if [ "${BTCPayServer}" == "on" ]; then echo "# changing the RPC password for BTCPAYSERVER" sudo sed -i "s/^btc.rpc.password=.*/btc.rpc.password=${newPassword}/g" /home/btcpay/.nbxplorer/Main/settings.config fi # JoinMarket if [ "${joinmarket}" == "on" ]; then echo "# changing the RPC password for JOINMARKET" sudo sed -i "s/^rpc_password =.*/rpc_password = ${newPassword}/g" /home/joinmarket/.joinmarket/joinmarket.cfg echo "# changing the password for the 'joinmarket' user" echo "joinmarket:${newPassword}" | sudo chpasswd fi # ThunderHub if [ "${thunderhub}" == "on" ]; then echo "# changing the password for ThunderHub" sudo sed -i "s/^masterPassword:.*/masterPassword: '${newPassword}'/g" /mnt/hdd/app-data/thunderhub/thubConfig.yaml fi # LIT if [ "${lit}" == "on" ]; then echo "# changing the password for LIT" sudo sed -i "s/^uipassword=.*/uipassword=${newPassword}/g" /mnt/hdd/app-data/.lit/lit.conf sudo sed -i "s/^faraday.bitcoin.password=.*/faraday.bitcoin.password=${newPassword}/g" /mnt/hdd/app-data/.lit/lit.conf fi echo "# OK -> RPC Password B changed" echo "# Reboot is needed (will be triggered if interactive menu was called)" echo "error=''" sleep 3 ############################ # PASSWORD C # will change both (lnd & core lightning) if installed elif [ "${abcd}" = "c" ]; then oldPassword=$3 newPassword=$4 if [ "${oldPassword}" == "" ]; then # ask user for old password c clear oldPassword=$(whiptail --passwordbox "\nEnter old Password C:\n" 10 52 "" --title "Old Password C" --backtitle "RaspiBlitz - Passwords" 3>&1 1>&2 2>&3) if [ $? -eq 1 ] || [ "${oldPassword}" == "" ]; then # calling recursive repeat sudo /home/admin/config.scripts/blitz.passwords.sh set c fi echo "# OK ... processing" fi if [ "${newPassword}" == "" ]; then clear # ask user for new password c newPassword=$(whiptail --passwordbox "\nEnter new Password C:\n" 10 52 "" --title "New Password C" --backtitle "RaspiBlitz - Passwords" 3>&1 1>&2 2>&3) if [ $? -eq 1 ] || [ "${newPassword}" == "" ]; then # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set c ${oldPassword} exit 0 fi # check new password does not contain bad characters clearedResult=$(echo "${newPassword}" | tr -dc '[:alnum:]-.' | tr -d ' ') if [ ${#clearedResult} != ${#newPassword} ] || [ ${#clearedResult} -eq 0 ]; then dialog --backtitle "RaspiBlitz - Setup" --msgbox "FAIL -> Contains bad characters (spaces, special chars)" 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.password.sh set c ${oldPassword} exit 0 fi # check new password longer than 8 if [ ${#newPassword} -lt 8 ]; then dialog --backtitle "RaspiBlitz - Setup" --msgbox "FAIL -> Password length under 8" 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.password.sh set c ${oldPassword} exit 0 fi # ask user to retype new password c newPassword2=$(whiptail --passwordbox "\nEnter again new Password C:\n" 10 52 "" --title "New Password C (repeat)" --backtitle "RaspiBlitz - Passwords" 3>&1 1>&2 2>&3) if [ $? -eq 1 ] || [ "${newPassword}" == "" ]; then # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set c ${oldPassword} exit 0 fi echo "# OK ... processing" # check if passwords match if [ "${newPassword}" != "${newPassword2}" ]; then dialog --backtitle "RaspiBlitz - Setup" --msgbox "FAIL -> Passwords dont Match" 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set c ${oldPassword} exit 0 fi echo "# OK ... processing" fi # CHANGE LND WALLET PASSWORD if [ "${lightning}" == "lnd" ] || [ "${lnd}" == "on" ]; then echo "# CHANGE LND - PASSWORD C (only mainnet)" echo "# Make sure Auto-Unlocks off" sudo /home/admin/config.scripts/lnd.autounlock.sh off echo "# LND needs to be restarted to lock wallet first .. (please wait)" sudo systemctl restart lnd sleep 2 err="" if ! pip list | grep grpc; then echo "# pip install grpc" sudo -H python3 -m pip install grpcio==1.38.1 1>/dev/null 2>/dev/null fi source <(sudo /home/admin/config.scripts/lnd.initwallet.py change-password mainnet $oldPassword $newPassword) if [ "${err}" != "" ]; then echo "error='Was not able to change password'" sleep 2 exit 0 fi else echo "# LND not installed/active" fi # CHANGE CORE LIGHTNING WALLET PASSWORD if [ "${cl}" == "on" ] && [ "${clEncryptedHSM}" == "on" ]; then echo "# CHANGE CORE LIGHTNING - PASSWORD C (only mainnet)" sudo /home/admin/config.scripts/cl.hsmtool.sh change-password mainnet $oldPassword $newPassword #TODO: test success else echo "# CORE LIGHTNING not installed/active/encrypted" fi # store password hash mkpasswd -m sha-512 "${newPassword}" -S "${hashedPasswordSalt:0:16}" > ${hashedPasswordStoragePath}/c.hash chown admin:admin ${hashedPasswordStoragePath}/c.hash chmod 660 ${hashedPasswordStoragePath}/c.hash # final user output echo "" echo "#OK" echo "error=''" ############################ # PASSWORD X elif [ "${abcd}" = "x" ]; then emptyAllowed=0 if [ "$5" == "empty-allowed" ]; then emptyAllowed=1 fi # second parameter is the flexible text text=$3 resultFile=$4 shred -u "$4" 2>/dev/null # ask user for new password (first time) password1=$(whiptail --passwordbox "\n${text}:\n(min 8chars, 1word, chars+number, no specials)" 10 52 "" --backtitle "RaspiBlitz" 3>&1 1>&2 2>&3) # ask user for new password A (second time) password2="" if [ ${#password1} -gt 0 ]; then password2=$(whiptail --passwordbox "\nRe-Enter the Password:\n(to test if typed in correctly)" 10 52 "" --backtitle "RaspiBlitz" 3>&1 1>&2 2>&3) fi # check if passwords match if [ "${password1}" != "${password2}" ]; then dialog --backtitle "RaspiBlitz" --msgbox "FAIL -> Passwords dont Match\nPlease try again ..." 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set x "$3" "$4" "$5" exit 0 fi if [ ${emptyAllowed} -eq 0 ]; then # password zero if [ ${#password1} -eq 0 ]; then dialog --backtitle "RaspiBlitz" --msgbox "FAIL -> Password cannot be empty\nPlease try again ..." 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set x "$3" "$4" "$5" exit 0 fi # check that password does not contain bad characters clearedResult=$(echo "${password1}" | tr -dc '[:alnum:]-.' | tr -d ' ') if [ ${#clearedResult} != ${#password1} ] || [ ${#clearedResult} -eq 0 ]; then dialog --backtitle "RaspiBlitz" --msgbox "FAIL -> Contains bad characters (spaces, special chars)\nPlease try again ..." 6 62 # calling recursive repeat /home/admin/config.scripts/blitz.password.sh set x "$3" "$4" "$5" exit 0 fi # password longer than 8 if [ ${#password1} -lt 8 ]; then dialog --backtitle "RaspiBlitz" --msgbox "FAIL -> Password length under 8\nPlease try again ..." 6 52 # calling recursive repeat /home/admin/config.scripts/blitz.passwords.sh set x "$3" "$4" "$5" exit 0 fi fi # store result is file echo "${password1}" > "${resultFile}" else echo "# FAIL: there is no password '${abcd}' (reminder: use lower case)" echo "error='no password ${abcd}'" exit 0 fi # when started with menu ... reboot when done if [ "${reboot}" == "1" ]; then echo "# Now rebooting to activate changes ..." sudo /home/admin/config.scripts/blitz.shutdown.sh reboot fi