=== modified file 'Makefile' --- Makefile 2022-04-25 18:46:48 +0000 +++ Makefile 2023-02-07 18:59:50 +0000 @@ -96,8 +96,10 @@ GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls) AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core) AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core) -GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS) -GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \ +GPGME_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gpgme 2>/dev/null \ + || gpgme-config --cflags; getconf LFS_CFLAGS) +GPGME_LIBS:=$(shell $(PKG_CONFIG) --libs gpgme 2>/dev/null \ + || gpgme-config --libs; getconf LFS_LIBS; \ getconf LFS_LDFLAGS) LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0) LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0) === modified file 'clients.conf' --- clients.conf 2022-04-23 20:36:45 +0000 +++ clients.conf 2023-02-07 19:29:28 +0000 @@ -50,8 +50,9 @@ ;fingerprint = 7788 2722 5BA7 DE53 9C5A 7CFA 59CF F7CD BD9A 5920 ; ;# This is base64-encoded binary data. It will be decoded and sent to -;# the client matching the above fingerprint. This should, of course, -;# be OpenPGP encrypted data, decryptable only by the client. +;# the client matching the above key_id (for GnuTLS 3.6.6 or later) or +;# the above fingerprint (for GnuTLS before 3.6.0). This should, of +;# course, be OpenPGP encrypted data, decryptable only by the client. ;secret = ; hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234 ; REJMVv7lBSrPE2132Lmd2gqF1HeLKDJRSVxJpt6xoWOChGHg+TMyXDxK+N === modified file 'debian/control' --- debian/control 2022-04-24 16:17:18 +0000 +++ debian/control 2023-02-07 23:45:13 +0000 
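Review bot: If both `$(PKG_CONFIG) ... gpgme` and the `gpgme-config` fallback fail, `GPGME_CFLAGS` and `GPGME_LIBS` silently degrade to just the `getconf` LFS output, and the missing dependency only surfaces later as an unrelated-looking compile or link error; `2>/dev/null` also hides pkg-config's own message, so a shell "gpgme-config: not found" is the only trace left. A parse-time check right after these assignments would name the real problem, e.g. `ifeq ($(strip $(filter -l%,$(GPGME_LIBS))),)` / `$(error gpgme not found via pkg-config or gpgme-config)` / `endif`. Note the two branches are not symmetric: the pkg-config path is restricted to `-I` flags by `--cflags-only-I`, while the `gpgme-config --cflags` output is used verbatim, so the fallback can yield a different flag set.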
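Review bot: The two version ranges in the new comment leave GnuTLS 3.6.0 through 3.6.5 unaccounted for: `key_id` is said to apply "for GnuTLS 3.6.6 or later" and `fingerprint` "for GnuTLS before 3.6.0", so a reader running a version in between cannot tell which option identifies the client. If those versions are unsupported by design, the comment should say so explicitly, e.g. `;# (GnuTLS 3.6.0 up to 3.6.5 cannot be used with Mandos at all.)`; if one of the options does apply there, the boundaries should be corrected. The same ranges are used in the man page change further down, so both should be kept in agreement.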
@@ -11,7 +11,7 @@ xsltproc, pkg-config, libnl-route-3-dev, systemd Build-Depends-Indep: python3 (>= 3), python3-dbus, python3-gi, po-debconf -Standards-Version: 4.6.0 +Standards-Version: 4.6.2 Vcs-Bzr: https://ftp.recompile.se/pub/mandos/trunk Vcs-Browser: https://bzr.recompile.se/loggerhead/mandos/trunk/files Homepage: https://www.recompile.se/mandos === modified file 'debian/po/fr.po' --- debian/po/fr.po 2021-02-04 17:59:45 +0000 +++ debian/po/fr.po 2023-02-07 23:29:39 +0000 @@ -35,8 +35,8 @@ #. Type: note #. Description #: ../mandos.templates:1001 -msgid "key_id = " -msgstr "key_id = " +msgid " key_id = " +msgstr " key_id = " #. Type: note #. Description === added file 'debian/po/pt_BR.po' --- debian/po/pt_BR.po 1970-01-01 00:00:00 +0000 +++ debian/po/pt_BR.po 2023-02-07 23:18:19 +0000 
@@ -0,0 +1,156 @@ +# Debconf translations for mandos. +# Copyright (C) 2022 THE mandos'S COPYRIGHT HOLDER +# This file is distributed under the same license as the mandos package. +# Paulo Henrique de Lima Santana (phls) , 2022. +# +msgid "" +msgstr "" +"Project-Id-Version: mandos_1.8.15-1.1\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2022-11-29 18:51+0000\n" +"PO-Revision-Date: 2022-12-19 12:35-0300\n" +"Last-Translator: Paulo Henrique de Lima Santana (phls) \n" +"Language-Team: Brazilian Portuguese \n" +"Language: pt_BR\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n > 1)\n" +"X-Generator: Gtranslator 42.0\n" + +#. Type: note +#. Description +#: ../mandos.templates:1001 +msgid "New client option \"key_id\" is REQUIRED on server" +msgstr "A nova opção para cliente \"key_id\" é NECESSÁRIA no servidor" + +#. Type: note +#. Description +#: ../mandos.templates:1001 +msgid "" +"A new \"key_id\" client option is REQUIRED in the clients.conf file, " +"otherwise the client most likely will not reboot unattended. This option:" +msgstr "" +"Uma nova opção para cliente \"key_id\" é NECESSÁRIA no arquivo clients.conf, " +"caso contrário, o cliente provavelmente não será reinicializado " +"automaticamente. Esta opção:" + +#. Type: note +#. Description +#: ../mandos.templates:1001 +msgid " key_id = " +msgstr " key_id = " + +#. Type: note +#. Description +#: ../mandos.templates:1001 +msgid "" +"must be added in the file /etc/mandos/clients.conf, right before the " +"\"fingerprint\" option, for each Mandos client. You must edit that file and " +"add this option for all clients. To see the correct key ID for each client, " +"run this command (on each client):" +msgstr "" +"deve ser adicionada no arquivo /etc/mandos/clients.conf, logo antes da opção " +"\"fingerprint\", para cada cliente Mandos. Você deve editar esse arquivo e " +"adicionar essa opção para todos os clientes. 
Para ver o ID da chave correta " +"para cada cliente, execute este comando (em cada cliente):" + +#. Type: note +#. Description +#: ../mandos.templates:1001 +msgid " mandos-keygen -F/dev/null|grep ^key_id" +msgstr " mandos-keygen -F/dev/null|grep ^key_id" + +#. Type: note +#. Description +#: ../mandos.templates:1001 +msgid "" +"Note: the clients must all also be using GnuTLS 3.6.6 or later; the server " +"cannot serve passwords for both old and new clients!" +msgstr "" +"Nota: todos os clientes também devem estar usando GnuTLS 3.6.6 ou posterior; " +"o servidor não pode fornecer senhas para clientes antigos e novos!" + +#. Type: note +#. Description +#: ../mandos.templates:1001 +msgid "" +"Rationale: With GnuTLS 3.6.6, Mandos has been forced to stop using OpenPGP " +"keys as TLS session keys. A new TLS key pair will be generated on each " +"client and will be used as identification, but the key ID of the public key " +"needs to be added to this server, since this will now be used to identify " +"the client to the server." +msgstr "" +"Justificativa: com o GnuTLS 3.6.6, o Mandos foi forçado a parar de usar " +"chaves OpenPGP como chaves de sessão TLS. Um novo par de chaves TLS será " +"gerado em cada cliente e será usado como identificação, mas o ID da chave " +"pública precisa ser adicionado a este servidor, pois agora será usado para " +"identificar o cliente para o servidor." + +#. Type: note +#. Description +#: ../mandos.templates:2001 +msgid "Bad key IDs have been removed from clients.conf" +msgstr "IDs de chaves ruins foram removidos de clients.conf" + +#. Type: note +#. Description +#: ../mandos.templates:2001 +msgid "" +"Bad key IDs, which were created by a bug in Mandos client 1.8.0, have been " +"removed from /etc/mandos/clients.conf" +msgstr "" +"IDs de chaves ruins, que foram criados por um bug no cliente Mandos 1.8.0, " +"foram removidos de /etc/mandos/clients.conf" + +#. Type: note +#. 
Description +#: ../mandos-client.templates:1001 +msgid "New client option \"${key_id}\" is REQUIRED on server" +msgstr "A nova opção para cliente \"${key_id}\" é OBRIGATÓRIA no servidor" + +#. Type: note +#. Description +#: ../mandos-client.templates:1001 +msgid "" +"A new \"key_id\" client option is REQUIRED in the server's clients.conf " +"file, otherwise this computer most likely will not reboot unattended. This " +"option:" +msgstr "" +"Uma nova opção para cliente \"key_id\" é NECESSÁRIA no arquivo clients.conf " +"do servidor, caso contrário, este computador provavelmente não será " +"reinicializado automaticamente. Esta opção:" + +#. Type: note +#. Description +#: ../mandos-client.templates:1001 +msgid " ${key_id}" +msgstr " ${key_id}" + +#. Type: note +#. Description +#: ../mandos-client.templates:1001 +msgid "" +"must be added (all on one line!) on the Mandos server host, in the file /etc/" +"mandos/clients.conf, right before the \"fingerprint\" option for this Mandos " +"client. You must edit that file on that server and add this option." +msgstr "" +"deve ser adicionada (tudo em uma linha!) na máquina do servidor Mandos, no " +"arquivo /etc/mandos/clients.conf, logo antes da opção \"fingerprint\" para " +"este cliente do Mandos. Você deve editar esse arquivo nesse servidor e " +"adicionar essa opção." + +#. Type: note +#. Description +#: ../mandos-client.templates:1001 +msgid "" +"With GnuTLS 3.6.6, Mandos has been forced to stop using OpenPGP keys as TLS " +"session keys. A new TLS key pair has been generated and will be used as " +"identification, but the key ID of the public key needs to be added to the " +"server, since this will now be used to identify the client to the server." +msgstr "" +"Com o GnuTLS 3.6.6, o Mandos foi forçado a parar de usar chaves OpenPGP como " +"chaves de sessão TLS. 
Um novo par de chaves TLS foi gerado e será usado como " +"identificação, mas o ID da chave pública precisa ser adicionado ao servidor, " +"pois agora será usado para identificar o cliente para o servidor." === modified file 'debian/rules' --- debian/rules 2019-04-09 22:31:23 +0000 +++ debian/rules 2023-02-07 19:40:12 +0000 @@ -35,7 +35,7 @@ --exclude etc/mandos/plugin-helpers \ --exclude usr/lib/$(DEB_HOST_MULTIARCH)/mandos/plugins.d \ --exclude usr/lib/$(DEB_HOST_MULTIARCH)/mandos/plugin-helpers \ - --exclude usr/share/doc/mandos-client/examples/network-hooks.d + --exclude usr/share/doc/mandos-client/examples/network-hooks.d/ chmod --recursive g-w -- \ "$(CURDIR)/debian/mandos-client/usr/share/doc/mandos-client/examples/network-hooks.d" === modified file 'dracut-module/password-agent.c' --- dracut-module/password-agent.c 2022-04-24 16:54:30 +0000 +++ dracut-module/password-agent.c 2023-02-07 19:50:53 +0000 @@ -1098,7 +1098,15 @@ } ievent_buffer; struct inotify_event *const ievent = &ievent_buffer.event; +#if defined(__GNUC__) and __GNUC__ >= 7 +#pragma GCC diagnostic push + /* ievent is pointing into a struct which is of sufficient size */ +#pragma GCC diagnostic ignored "-Wstringop-overflow" +#endif const ssize_t read_length = read(fd, ievent, ievent_size); +#if defined(__GNUC__) and __GNUC__ >= 7 +#pragma GCC diagnostic pop +#endif if(read_length == 0){ /* EOF */ error(0, 0, "Got EOF from inotify fd for directory %s", filename); *quit_now = true; @@ -2653,7 +2661,7 @@ bool password_is_read = false; const char helper_directory[] = "/nonexistent"; const char *const argv[] = { "/bin/sh", "-c", - "echo -n ${MANDOSPLUGINHELPERDIR}", NULL }; + "printf %s \"${MANDOSPLUGINHELPERDIR}\"", NULL }; const bool success = start_mandos_client(queue, epoll_fd, &mandos_client_exited, 
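Review bot: The `-Wstringop-overflow` suppression around `read(fd, ievent, ievent_size)` rests only on the comment that `ievent_buffer` is large enough; nothing in the hunk ties `ievent_size` to `sizeof(ievent_buffer)`, so a later change to either will keep compiling with the warning muted. If `ievent_size` is a compile-time constant (it is defined above the hunk, outside view), a `_Static_assert(ievent_size <= sizeof(ievent_buffer), "ievent_buffer too small for ievent_size");` placed next to the pragma turns the comment into a checked claim; otherwise a runtime `assert(ievent_size <= sizeof(ievent_buffer));` before the `read` serves the same purpose. The `and` in `#if defined(__GNUC__) and __GNUC__ >= 7` is only valid in C when `<iso646.h>` is included (the file appears to follow that convention, but the include is not visible here); a plain `&&` would avoid the dependency. The enclosing function starts and ends outside the hunk.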
@@ -4182,8 +4190,16 @@ memcpy(ievent->name, dummy_file_name, sizeof(dummy_file_name)); const size_t ievent_size = (sizeof(struct inotify_event) + sizeof(dummy_file_name)); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic push + /* ievent is pointing into a struct which is of sufficient size */ +#pragma GCC diagnostic ignored "-Wstringop-overread" +#endif g_assert_cmpint(write(pipefds[1], (char *)ievent, ievent_size), ==, ievent_size); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic pop +#endif g_assert_cmpint(close(pipefds[1]), ==, 0); bool quit_now = false; @@ -4277,8 +4293,16 @@ memcpy(ievent->name, dummy_file_name, sizeof(dummy_file_name)); const size_t ievent_size = (sizeof(struct inotify_event) + sizeof(dummy_file_name)); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic push + /* ievent is pointing into a struct which is of sufficient size */ +#pragma GCC diagnostic ignored "-Wstringop-overread" +#endif g_assert_cmpint(write(pipefds[1], (char *)ievent, ievent_size), ==, ievent_size); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic pop +#endif g_assert_cmpint(close(pipefds[1]), ==, 0); bool quit_now = false; @@ -4374,8 +4398,16 @@ memcpy(ievent->name, dummy_file_name, sizeof(dummy_file_name)); const size_t ievent_size = (sizeof(struct inotify_event) + sizeof(dummy_file_name)); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic push + /* ievent is pointing into a struct which is of sufficient size */ +#pragma GCC diagnostic ignored "-Wstringop-overread" +#endif g_assert_cmpint(write(pipefds[1], (char *)ievent, ievent_size), ==, ievent_size); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic pop +#endif g_assert_cmpint(close(pipefds[1]), ==, 0); bool quit_now = false; 
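Review bot: The same nine-line pragma wrapper around `write(pipefds[1], (char *)ievent, ievent_size)` is copied into every test here and in the hunks that follow, so the `-Wstringop-overread` suppression — and the unverified comment justifying it — now exists in seven places that must be kept in sync. A single static helper in the test section, carrying the pragma once together with the `g_assert_cmpint` on the write, would keep the warning disabled in exactly one reviewed place and give a natural home for an `assert` relating `ievent_size` to the backing buffer. The enclosing test functions begin outside the hunks, so only the wrapped write would change in each of them.
```c
/* Writes one inotify event to FD; GCC >= 11 cannot see that IEVENT points
   into a buffer of at least SIZE bytes, hence the local suppression. */
static void write_ievent(int fd, const struct inotify_event *ievent,
                         size_t size){
#if defined(__GNUC__) and __GNUC__ >= 11
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wstringop-overread"
#endif
  g_assert_cmpint(write(fd, (const char *)ievent, size), ==, size);
#if defined(__GNUC__) and __GNUC__ >= 11
#pragma GCC diagnostic pop
#endif
}
/* … in each test, in place of the wrapped write: … */
  write_ievent(pipefds[1], ievent, ievent_size);
```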
@@ -4459,8 +4491,16 @@ memcpy(ievent->name, dummy_file_name, sizeof(dummy_file_name)); const size_t ievent_size = (sizeof(struct inotify_event) + sizeof(dummy_file_name)); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic push + /* ievent is pointing into a struct which is of sufficient size */ +#pragma GCC diagnostic ignored "-Wstringop-overread" +#endif g_assert_cmpint(write(pipefds[1], (char *)ievent, ievent_size), ==, ievent_size); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic pop +#endif g_assert_cmpint(close(pipefds[1]), ==, 0); bool quit_now = false; @@ -4543,8 +4583,16 @@ memcpy(ievent->name, dummy_file_name, sizeof(dummy_file_name)); const size_t ievent_size = (sizeof(struct inotify_event) + sizeof(dummy_file_name)); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic push + /* ievent is pointing into a struct which is of sufficient size */ +#pragma GCC diagnostic ignored "-Wstringop-overread" +#endif g_assert_cmpint(write(pipefds[1], (char *)ievent, ievent_size), ==, ievent_size); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic pop +#endif g_assert_cmpint(close(pipefds[1]), ==, 0); bool quit_now = false; @@ -4619,8 +4667,16 @@ memcpy(ievent->name, dummy_file_name, sizeof(dummy_file_name)); const size_t ievent_size = (sizeof(struct inotify_event) + sizeof(dummy_file_name)); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic push + /* ievent is pointing into a struct which is of sufficient size */ +#pragma GCC diagnostic ignored "-Wstringop-overread" +#endif g_assert_cmpint(write(pipefds[1], (char *)ievent, ievent_size), ==, ievent_size); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic pop +#endif g_assert_cmpint(close(pipefds[1]), ==, 0); bool quit_now = false; 
@@ -4698,8 +4754,16 @@ memcpy(ievent->name, dummy_file_name, sizeof(dummy_file_name)); const size_t ievent_size = (sizeof(struct inotify_event) + sizeof(dummy_file_name)); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic push + /* ievent is pointing into a struct which is of sufficient size */ +#pragma GCC diagnostic ignored "-Wstringop-overread" +#endif g_assert_cmpint(write(pipefds[1], (char *)ievent, ievent_size), ==, ievent_size); +#if defined(__GNUC__) and __GNUC__ >= 11 +#pragma GCC diagnostic pop +#endif g_assert_cmpint(close(pipefds[1]), ==, 0); bool quit_now = false; === modified file 'mandos' --- mandos 2022-04-25 18:46:48 +0000 +++ mandos 2023-02-07 23:03:33 +0000 @@ -1045,7 +1045,6 @@ if getattr(self, "enabled", False): # Already enabled return - self.expires = datetime.datetime.utcnow() + self.timeout self.enabled = True self.last_enabled = datetime.datetime.utcnow() self.init_checker() 
@@ -1074,22 +1073,35 @@ def __del__(self): self.disable() - def init_checker(self): - # Schedule a new checker to be started an 'interval' from now, - # and every interval from then on. + def init_checker(self, randomize_start=False): + # Schedule a new checker to be started a randomly selected + # time (a fraction of 'interval') from now. This spreads out + # the startup of checkers over time when the server is + # started. if self.checker_initiator_tag is not None: GLib.source_remove(self.checker_initiator_tag) + interval_milliseconds = int(self.interval.total_seconds() + * 1000) + if randomize_start: + delay_milliseconds = random.randrange( + interval_milliseconds + 1) + else: + delay_milliseconds = interval_milliseconds self.checker_initiator_tag = GLib.timeout_add( - random.randrange(int(self.interval.total_seconds() * 1000 - + 1)), - self.start_checker) - # Schedule a disable() when 'timeout' has passed + delay_milliseconds, self.start_checker, randomize_start) + delay = datetime.timedelta(0, 0, 0, delay_milliseconds) + # A checker might take up to an 'interval' of time, so we can + # expire at the soonest one interval after a checker was + # started. Since the initial checker is delayed, the expire + # time might have to be extended. + now = datetime.datetime.utcnow() + self.expires = now + delay + self.interval + # Schedule a disable() at expire time if self.disable_initiator_tag is not None: GLib.source_remove(self.disable_initiator_tag) self.disable_initiator_tag = GLib.timeout_add( - int(self.timeout.total_seconds() * 1000), self.disable) - # Also start a new checker *right now*. - self.start_checker() + int((self.expires - now).total_seconds() * 1000), + self.disable) def checker_callback(self, source, condition, connection, command): 
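Review bot: `init_checker` no longer consults `self.timeout` at all: `self.expires` is set to `now + delay + self.interval` and `disable` is scheduled for that instant, whereas the line removed from `enable()` in the previous hunk used `now + self.timeout`. For a client whose `timeout` exceeds `delay + interval` this shortens the initial grace window (it is disabled before its configured timeout if the first checker fails), and for a `timeout` shorter than `delay + interval` it keeps a client whose checker never succeeds enabled past the bound an operator set to stop serving its secret to a host that no longer answers. If the intent is only to guarantee the delayed first checker a chance to run, `self.expires = now + max(self.timeout, delay + self.interval)` keeps `timeout` as the floor, and the comment block should state that at server start the window may be extended to cover the randomized delay. Separately, `datetime.timedelta(0, 0, 0, delay_milliseconds)` relies on positional argument order; `datetime.timedelta(milliseconds=delay_milliseconds)` says what it means.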
@@ -1138,7 +1150,7 @@ def need_approval(self): self.last_approval_request = datetime.datetime.utcnow() - def start_checker(self): + def start_checker(self, start_was_randomized=False): """Start a new checker subprocess if one is not running. If a checker already exists, leave it running and do @@ -1194,6 +1206,17 @@ GLib.IOChannel.unix_new(pipe[0].fileno()), GLib.PRIORITY_DEFAULT, GLib.IO_IN, self.checker_callback, pipe[0], command) + if start_was_randomized: + # We were started after a random delay; Schedule a new + # checker to be started an 'interval' from now, and every + # interval from then on. + now = datetime.datetime.utcnow() + self.checker_initiator_tag = GLib.timeout_add( + int(self.interval.total_seconds() * 1000), + self.start_checker) + self.expires = max(self.expires, now + self.interval) + # Don't start a new checker again after same random delay + return False # Re-run this periodically if run by GLib.timeout_add return True @@ -3609,7 +3632,7 @@ mandos_dbus_service.client_added_signal(client) # Need to initiate checking of clients if client.enabled: - client.init_checker() + client.init_checker(randomize_start=True) tcp_server.enable() tcp_server.server_activate() === modified file 'mandos-clients.conf.xml' --- mandos-clients.conf.xml 2019-02-10 04:20:26 +0000 +++ mandos-clients.conf.xml 2023-02-07 19:29:28 +0000 @@ -228,13 +228,16 @@ >HEXSTRING - This option is required. + This option is required if the + is not set, and + optional otherwise. - This option sets the OpenPGP fingerprint that identifies - the public key that clients authenticate themselves with - through TLS. The string needs to be in hexadecimal form, - but spaces or upper/lower case are not significant. + This option sets the OpenPGP fingerprint that (before + GnuTLS 3.6.0) identified the public key that clients + authenticate themselves with through TLS. The string + needs to be in hexadecimal form, but spaces or upper/lower + case are not significant. 
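Review bot: The re-arming added at the end of `start_checker` only executes when control reaches the bottom of the function; the early return for an already-running checker (the docstring says such a checker is left running, and that path lies outside the hunk) presumably still returns `True`, in which case a randomized first call that finds a checker running keeps firing at the random delay instead of switching to `interval`. The `start_was_randomized` handling should cover every exit path — for example by replacing the random-delay source with the interval source at the top of the function, before the running-checker check, and returning `False` from both paths. Also `self.expires = max(self.expires, now + self.interval)` extends the expiry by `interval` rather than `timeout`, so it can push `expires` past `now + self.timeout` for a client whose checker has not succeeded; a comment should state why a checker in flight is allowed to outlive the configured timeout, or the extension should be capped at `now + self.timeout`. The function begins outside the hunk.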
@@ -244,13 +247,16 @@ >HEXSTRING - This option is optional. + This option is required if the + is not set, and + optional otherwise. - This option sets the certificate key ID that identifies - the public key that clients authenticate themselves with - through TLS. The string needs to be in hexadecimal form, - but spaces or upper/lower case are not significant. + This option sets the certificate key ID that (with GnuTLS + 3.6.6 or later) identifies the public key that clients + authenticate themselves with through TLS. The string + needs to be in hexadecimal form, but spaces or upper/lower + case are not significant. === modified file 'mandos-keygen' --- mandos-keygen 2022-04-25 18:46:48 +0000 +++ mandos-keygen 2023-02-07 19:11:25 +0000 @@ -147,28 +147,28 @@ echo "Empty key type" >&2 exit 1 fi - + if [ -z "$KEYNAME" ]; then echo "Empty key name" >&2 exit 1 fi - + if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then echo "Invalid key length" >&2 exit 1 fi - + if [ -z "$KEYEXPIRE" ]; then echo "Empty key expiration" >&2 exit 1 fi - + # Make FORCE be 0 or 1 case "$FORCE" in [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;; [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;; esac - + if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \ || [ -e "$TLS_PRIVKEYFILE" ] \ || [ -e "$TLS_PUBKEYFILE" ]; } \ @@ -176,7 +176,7 @@ echo "Refusing to overwrite old key files; use --force" >&2 exit 1 fi - + # Set lines for GnuPG batch file if [ -n "$KEYCOMMENT" ]; then KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT" @@ -184,7 +184,7 @@ if [ -n "$KEYEMAIL" ]; then KEYEMAILLINE="Name-Email: $KEYEMAIL" fi - + # Create temporary gpg batch file BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`" TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`" @@ -233,7 +233,7 @@ %no-protection %commit EOF - + if tty --quiet; then cat <<-EOF Note: Due to entropy requirements, key generation could take 
@@ -276,7 +276,7 @@ fi fi fi - + # Make sure trustdb.gpg exists; # this is a workaround for Debian bug #737128 gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ @@ -287,12 +287,12 @@ --homedir "$RINGDIR" --trust-model always \ --gen-key "$BATCHFILE" rm --force "$BATCHFILE" - + if tty --quiet; then echo -n "Finished: " date fi - + # Backup any old key files if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \ 2>/dev/null; then @@ -302,16 +302,16 @@ 2>/dev/null; then rm --force "$PUBKEYFILE" fi - + FILECOMMENT="Mandos client key for $KEYNAME" if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)" fi - + if [ -n "$KEYEMAIL" ]; then FILECOMMENT="$FILECOMMENT <$KEYEMAIL>" fi - + # Export key from key rings to key files gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ --homedir "$RINGDIR" --armor --export-options export-minimal \ @@ -323,13 +323,13 @@ fi if [ "$mode" = password ]; then - + # Make SSH be 0 or 1 case "$SSH" in [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;; [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;; esac - + if [ $SSH -eq 1 ]; then for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do set +e @@ -346,7 +346,7 @@ fi done fi - + # Import key into temporary key rings gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ --homedir "$RINGDIR" --trust-model always --armor \ @@ -354,16 +354,16 @@ gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ --homedir "$RINGDIR" --trust-model always --armor \ --import "$PUBKEYFILE" - + # Get fingerprint of key FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \ --enable-dsa2 --homedir "$RINGDIR" --trust-model always \ --fingerprint --with-colons \ | sed --quiet \ --expression='/^fpr:/{s/^fpr:.*:\\([0-9A-Z]*\\):\$/\\1/p;q}'`" - + test -n "$FINGERPRINT" - + if [ -r "$TLS_PUBKEYFILE" ]; then KEY_ID="$(certtool --key-id --hash=sha256 \ --infile="$TLS_PUBKEYFILE" 2>/dev/null || :)" 
@@ -376,9 +376,9 @@ fi test -n "$KEY_ID" fi - + FILECOMMENT="Encrypted password for a Mandos client" - + while [ ! -s "$SECFILE" ]; do if [ -n "$PASSFILE" ]; then cat -- "$PASSFILE" @@ -412,7 +412,7 @@ fi fi done - + cat <<-EOF [$KEYNAME] host = $KEYNAME