bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
|
505.1.13
by Teddy Hogeborn
Miscellaneous fixes prompted by lintian: |
1 |
#!/bin/sh
|
|
185
by Teddy Hogeborn
* .bzr-builddeb/default.conf: New. |
2 |
# This script can be called in the following ways:
|
3 |
#
|
|
4 |
# After the package was installed:
|
|
5 |
# <postinst> configure <old-version>
|
|
6 |
#
|
|
7 |
#
|
|
8 |
# If prerm fails during upgrade or fails on failed upgrade:
|
|
9 |
# <old-postinst> abort-upgrade <new-version>
|
|
10 |
#
|
|
11 |
# If prerm fails during deconfiguration of a package:
|
|
12 |
# <postinst> abort-deconfigure in-favour <new-package> <version>
|
|
13 |
# removing <old-package> <version>
|
|
14 |
#
|
|
15 |
# If prerm fails during replacement due to conflict:
|
|
16 |
# <postinst> abort-remove in-favour <new-package> <version>
|
|
17 |
||
|
967
by Teddy Hogeborn
Show debconf note about new TLS key IDs |
18 |
. /usr/share/debconf/confmodule
|
19 |
||
|
505.1.13
by Teddy Hogeborn
Miscellaneous fixes prompted by lintian: |
20 |
set -e |
21 |
||
|
195
by Teddy Hogeborn
* debian/control (mandos, mandos-client): Depend on "adduser". |
22 |
# Update the initial RAM file system image
|
|
185
by Teddy Hogeborn
* .bzr-builddeb/default.conf: New. |
23 |
update_initramfs()
|
24 |
{
|
|
|
771
by Teddy Hogeborn
Don't use absolute paths to commands in Debian configurations scripts. |
25 |
update-initramfs -u -k all |
|
237.2.21
by Teddy Hogeborn
* debian/mandos-client.postinst: Secure permissions of old |
26 |
|
27 |
if dpkg --compare-versions "$2" lt-nl "1.0.10-1"; then |
|
28 |
# Make old initrd.img files unreadable too, in case they were |
|
29 |
# created with mandos-client 1.0.8 or older. |
|
|
237.2.22
by Teddy Hogeborn
* debian/mandos-client.postinst (update_initramfs): Bug fix: typo. |
30 |
find /boot -maxdepth 1 -type f -name "initrd.img-*.bak" \ |
31 |
-print0 | xargs --null --no-run-if-empty chmod o-r |
|
|
237.2.21
by Teddy Hogeborn
* debian/mandos-client.postinst: Secure permissions of old |
32 |
fi |
|
185
by Teddy Hogeborn
* .bzr-builddeb/default.conf: New. |
33 |
}
|
34 |
||
|
190
by Teddy Hogeborn
* debian/mandos-client.postinst: Use "type" instead of "which". Split |
35 |
# Add user and group
|
36 |
add_mandos_user(){
|
|
|
238
by Teddy Hogeborn
First version of a somewhat complete D-Bus server interface. Also |
37 |
# Rename old "mandos" user and group |
|
348
by Teddy Hogeborn
* debian/mandos-client.postinst (configure): Don't look for user and |
38 |
if dpkg --compare-versions "$2" lt "1.0.3-1"; then |
39 |
case "`getent passwd mandos`" in |
|
40 |
*:Mandos\ password\ system,,,:/nonexistent:/bin/false) |
|
41 |
usermod --login _mandos mandos |
|
42 |
groupmod --new-name _mandos mandos |
|
43 |
return |
|
44 |
;; |
|
45 |
esac |
|
46 |
fi |
|
|
238
by Teddy Hogeborn
First version of a somewhat complete D-Bus server interface. Also |
47 |
# Create new user and group |
48 |
if ! getent passwd _mandos >/dev/null; then |
|
49 |
adduser --system --force-badname --quiet --home /nonexistent \ |
|
50 |
--no-create-home --group --disabled-password \ |
|
51 |
--gecos "Mandos password system" _mandos |
|
|
190
by Teddy Hogeborn
* debian/mandos-client.postinst: Use "type" instead of "which". Split |
52 |
fi |
53 |
}
|
|
54 |
||
|
962
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
55 |
# Create client key pairs
|
56 |
create_keys(){
|
|
57 |
# If the OpenPGP key files do not exist, generate all keys using |
|
58 |
# mandos-keygen |
|
59 |
if ! [ -r /etc/keys/mandos/pubkey.txt \ |
|
60 |
-a -r /etc/keys/mandos/seckey.txt ]; then |
|
61 |
mandos-keygen
|
|
62 |
gpg-connect-agent KILLAGENT /bye || : |
|
63 |
return 0 |
|
64 |
fi |
|
65 |
||
|
971
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
66 |
# Remove any bad TLS keys by 1.8.0-1 |
67 |
if dpkg --compare-versions "$2" eq "1.8.0-1" \ |
|
68 |
|| dpkg --compare-versions "$2" eq "1.8.0-1~bpo9+1"; then |
|
69 |
# Is the key bad? |
|
70 |
if ! certtool --password='' \ |
|
71 |
--load-privkey=/etc/keys/mandos/tls-privkey.pem \ |
|
72 |
--outfile=/dev/null --pubkey-info --no-text \ |
|
73 |
2>/dev/null; then |
|
|
973
by Teddy Hogeborn
Bug fix: Ignore some failures to remove files. |
74 |
shred --remove -- /etc/keys/mandos/tls-privkey.pem \ |
75 |
2>/dev/null || : |
|
76 |
rm --force -- /etc/keys/mandos/tls-pubkey.pem |
|
|
971
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
77 |
fi |
78 |
fi |
|
79 |
||
|
962
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
80 |
# If the TLS keys already exists, do nothing |
81 |
if [ -r /etc/keys/mandos/tls-privkey.pem \ |
|
82 |
-a -r /etc/keys/mandos/tls-pubkey.pem ]; then |
|
83 |
return 0 |
|
84 |
fi |
|
85 |
||
|
971
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
86 |
# Try to create the TLS keys |
87 |
||
88 |
TLS_PRIVKEYTMP="`mktemp -t mandos-client-privkey.XXXXXXXXXX`" |
|
89 |
||
90 |
if certtool --generate-privkey --password='' \ |
|
91 |
--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \ |
|
92 |
--key-type=ed25519 --pkcs8 --no-text 2>/dev/null; then |
|
93 |
||
94 |
local umask=$(umask) |
|
95 |
umask 077 |
|
96 |
cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem |
|
|
973
by Teddy Hogeborn
Bug fix: Ignore some failures to remove files. |
97 |
shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || : |
|
971
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
98 |
|
99 |
# First try certtool from GnuTLS |
|
100 |
if ! certtool --password='' \ |
|
101 |
--load-privkey=/etc/keys/mandos/tls-privkey.pem \ |
|
102 |
--outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \ |
|
103 |
--no-text 2>/dev/null; then |
|
104 |
# Otherwise try OpenSSL |
|
105 |
if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \ |
|
106 |
-out /etc/keys/mandos/tls-pubkey.pem -pubout; then |
|
107 |
rm --force /etc/keys/mandos/tls-pubkey.pem |
|
108 |
# None of the commands succeded; give up |
|
109 |
umask $umask |
|
110 |
return 1 |
|
111 |
fi |
|
112 |
fi |
|
113 |
umask $umask |
|
114 |
||
115 |
key_id=$(mandos-keygen --passfile=/dev/null \ |
|
116 |
| grep --regexp="^key_id[ =]") |
|
117 |
||
118 |
db_version 2.0 |
|
119 |
db_fset mandos-client/key_id seen false |
|
120 |
db_reset mandos-client/key_id |
|
121 |
db_subst mandos-client/key_id key_id $key_id |
|
122 |
db_input critical mandos-client/key_id || true |
|
123 |
db_go
|
|
124 |
db_stop
|
|
125 |
else |
|
|
973
by Teddy Hogeborn
Bug fix: Ignore some failures to remove files. |
126 |
shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || : |
|
971
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
127 |
fi |
|
190
by Teddy Hogeborn
* debian/mandos-client.postinst: Use "type" instead of "which". Split |
128 |
}
|
129 |
||
|
765
by Teddy Hogeborn
Install client Diffie-Hellman parameters into initramfs. |
130 |
create_dh_params(){
|
|
766
by Teddy Hogeborn
Rename the "client-dhparams.pem" file to simply "dhparams.pem". |
131 |
if [ -r /etc/keys/mandos/dhparams.pem ]; then |
|
765
by Teddy Hogeborn
Install client Diffie-Hellman parameters into initramfs. |
132 |
return 0 |
133 |
fi |
|
134 |
# Create a Diffe-Hellman parameters file |
|
135 |
DHFILE="`mktemp -t mandos-client-dh-parameters.XXXXXXXXXX.pem`" |
|
136 |
# First try certtool from GnuTLS |
|
137 |
if ! certtool --generate-dh-params --sec-param high \ |
|
138 |
--outfile "$DHFILE"; then |
|
139 |
# Otherwise try OpenSSL |
|
140 |
if ! openssl genpkey -genparam -algorithm DH -out "$DHFILE" \ |
|
141 |
-pkeyopt dh_paramgen_prime_len:3072; then |
|
142 |
# None of the commands succeded; give up |
|
143 |
rm -- "$DHFILE" |
|
144 |
return 1 |
|
145 |
fi |
|
146 |
fi |
|
147 |
sed --in-place --expression='0,/^-----BEGIN DH PARAMETERS-----$/d' \ |
|
148 |
"$DHFILE" |
|
149 |
sed --in-place --expression='1i-----BEGIN DH PARAMETERS-----' \ |
|
150 |
"$DHFILE" |
|
|
766
by Teddy Hogeborn
Rename the "client-dhparams.pem" file to simply "dhparams.pem". |
151 |
cp --archive "$DHFILE" /etc/keys/mandos/dhparams.pem |
|
765
by Teddy Hogeborn
Install client Diffie-Hellman parameters into initramfs. |
152 |
rm -- "$DHFILE" |
153 |
}
|
|
154 |
||
|
185
by Teddy Hogeborn
* .bzr-builddeb/default.conf: New. |
155 |
case "$1" in |
156 |
configure) |
|
|
237.2.21
by Teddy Hogeborn
* debian/mandos-client.postinst: Secure permissions of old |
157 |
add_mandos_user "$@" |
|
962
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
158 |
create_keys "$@" |
|
765
by Teddy Hogeborn
Install client Diffie-Hellman parameters into initramfs. |
159 |
create_dh_params "$@" || : |
|
237.2.21
by Teddy Hogeborn
* debian/mandos-client.postinst: Secure permissions of old |
160 |
update_initramfs "$@" |
|
860
by Teddy Hogeborn
Fix permissions of /etc/mandos/plugin-helpers. |
161 |
if dpkg --compare-versions "$2" lt-nl "1.7.10-1"; then |
|
836
by Teddy Hogeborn
Client: Fix permissions on plugin helper directory. |
162 |
PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers |
163 |
if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \ |
|
164 |
>/dev/null 2>&1; then |
|
165 |
chmod u=rwx,go= -- "$PLUGINHELPERDIR" |
|
166 |
fi |
|
|
839
by Teddy Hogeborn
Client: Make plugin helper override directory mode u=rwx,go= |
167 |
if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \ |
168 |
>/dev/null 2>&1; then |
|
169 |
chmod u=rwx,go= -- /etc/mandos/plugin-helpers |
|
170 |
fi |
|
|
836
by Teddy Hogeborn
Client: Fix permissions on plugin helper directory. |
171 |
fi |
|
185
by Teddy Hogeborn
* .bzr-builddeb/default.conf: New. |
172 |
;; |
173 |
abort-upgrade|abort-deconfigure|abort-remove) |
|
174 |
;; |
|
175 |
||
176 |
*) |
|
|
275
by Teddy Hogeborn
* debian/mandos-client.postinst: Converted to Bourne shell. Also |
177 |
echo "$0 called with unknown argument '$1'" 1>&2 |
|
185
by Teddy Hogeborn
* .bzr-builddeb/default.conf: New. |
178 |
exit 1 |
179 |
;; |
|
180 |
esac
|
|
181 |
||
182 |
#DEBHELPER#
|
|
183 |
||
184 |
exit 0 |