/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-keygen

  • Committer: Teddy Hogeborn
  • Date: 2023-02-07 19:29:28 UTC
  • mto: This revision was merged to the branch mainline in revision 408.
  • Revision ID: teddy@recompile.se-20230207192928-ueasjbsufb92o6ud
Clarify documentation and a comment about GnuTLS versions

* clients.conf ([foo]/secret): In the comment for the example client's
  "secret" setting, clarify GnuTLS version conditions.
* mandos-clients.conf.xml (OPTIONS/fingerprint, OPTIONS/key_id):
  Clarify required/optional status under different GnuTLS versions.

Show diffs side-by-side

added added

removed removed

Lines of Context:
23
23
# Contact the authors at <mandos@recompile.se>.
24
24
25
25
 
26
 
VERSION="1.8.18"
 
26
VERSION="1.8.15"
27
27
 
28
28
KEYDIR="/etc/keys/mandos"
29
29
KEYTYPE=RSA
331
331
    esac
332
332
 
333
333
    if [ $SSH -eq 1 ]; then
334
 
        # The -q option is new in OpenSSH 9.8
335
 
        for ssh_keyscan_quiet in "-q " ""; do
336
 
            for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do
337
 
                set +e
338
 
                ssh_fingerprint="`ssh-keyscan ${ssh_keyscan_quiet}-t $ssh_keytype localhost 2>/dev/null`"
339
 
                err=$?
340
 
                set -e
341
 
                if [ $err -ne 0 ]; then
342
 
                    ssh_fingerprint=""
343
 
                    continue
344
 
                fi
345
 
                if [ -n "$ssh_fingerprint" ]; then
346
 
                    ssh_fingerprint="${ssh_fingerprint#localhost }"
347
 
                    break 2
348
 
                fi
349
 
            done
 
334
        for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do
 
335
            set +e
 
336
            ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"
 
337
            err=$?
 
338
            set -e
 
339
            if [ $err -ne 0 ]; then
 
340
                ssh_fingerprint=""
 
341
                continue
 
342
            fi
 
343
            if [ -n "$ssh_fingerprint" ]; then
 
344
                ssh_fingerprint="${ssh_fingerprint#localhost }"
 
345
                break
 
346
            fi
350
347
        done
351
348
    fi
352
349
 
437
434
            }
438
435
        }' < "$SECFILE"
439
436
    if [ -n "$ssh_fingerprint" ]; then
440
 
        if [ -n "$ssh_keyscan_quiet" ]; then
441
 
            echo "# Note: if the Mandos server has OpenSSH older than 9.8, the ${ssh_keyscan_quiet}"
442
 
            echo "# option *must* be removed from the 'checker' setting below"
443
 
        fi
444
 
        echo 'checker = ssh-keyscan '"$ssh_keyscan_quiet"'-t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'
 
437
        echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'
445
438
        echo "ssh_fingerprint = ${ssh_fingerprint}"
446
439
    fi
447
440
fi