/mandos/trunk : changes

» Changes to INSTALL from revision 1305

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

From Revision 1305 to 319

expand all

Rev	Summary	Authors	Date
1186	INSTALL: Add "-" argument to "su" invocations. INSTALL: Add "-" argument to "su" invocations.	Teddy Hogeborn	4 years ago
1171	Use Python 3 by default Use Python 3 by default * INSTALL: Document Python 3 dependency. * debian/control: Change both of "python (>= 2.7), python (<< 3)" to "python (>= 3)" and change all python-* dependencies to be python3-* instead. * mandos: Change first line to use "python3" instead of "python". * mandos-ctl: - '' - * mandos-monitor: - '' -	Teddy Hogeborn	5 years ago
1167	Server: Use new GLib.io_add_watch() call signature Server: Use new GLib.io_add_watch() call signature * INSTALL: Increase version requirement of PyGObject to 3.8. * mandos: When calling GLib.io_add_watch(), always pass priority as the second argument, which is supported by PyGObject 3.8 or later.	Teddy Hogeborn	5 years ago
1127	Add dracut(8) support Add dracut(8) support Add support for the dracut(8) system for generating initramfs image files; dracut is an alternative to the "initramfs-tools" package. * .bzrignore (dracut-module/password-agent): Ignore new binary file. * dracut-module: New directory for the dracut module. * INSTALL (Prerequisites/Libraries/Mandos Client): Add dracut as an alternative to initramfs-tools, and also add GLib. * Makefile (DRACUTMODULE, GLIB_CFLAGS, GLIB_LIBS): New. (CPROGS): Add "dracut-module/password-agent". (DOCS): Add "dracut-module/password-agent.8mandos". (dracut-module/password-agent.8mandos): New. (dracut-module/password-agent.8mandos.xhtml): - '' - (dracut-module/password-agent): - '' - (check): Add command to run tests of password-agent(8mandos). (install-client-nokey): Also install the dracut module directory, its files, and the password-agent(8mandos) manual page. (install-client): To update the initramfs image file, run update-initramfs or dracut depending on what is installed. (uninstall-client): - '' - and also uninstall the the files in the dracut module directory, that directory itself, and the password-agent(8mandos) manual page. * debian/control (Build-Depends): Add "libglib2.0-dev (>=2.40)". (Package: mandos-client/Depends): Add "dracut (>= 044+241-3)" as an alternative dependency to initramfs-tools. (Package: mandos-client/Conflicts): New; set to "dracut-config-generic". (debian/mandos-client.README.Debian): Document alternative commands to update the initramfs image for when dracut is used. * debian/mandos-client.postinst (update_initramfs): Use alternative commands to update the initramfs image for when dracut is used. * debian/tests/control (password-agent, password-agent-suid): Add two new tests. * dracut-module/ask-password-mandos.path: New. * dracut-module/ask-password-mandos.service: - '' - * dracut-module/cmdline-mandos.sh: - '' - * dracut-module/module-setup.sh: - '' - * dracut-module/password-agent.c: - '' - * dracut-module/password-agent.xml: - '' - * initramfs-unpack: Use the dracut "skipcpio" command, if available. Also be more flexible and try hard to detect where compressed data starts. * plugins.d/mandos-client.xml (SECURITY): Be more precise that the mandos-client binary might not always be setuid, but that the program assumes that it has been started that way. * plugins.d/password-prompt.c: Add new "--prompt" option. (conflict_detection): First try to detect the new PID file of plymouth. (main): Define and use new "prompt" variable. * plugins.d/password-prompt.xml (SYNOPSIS): Show new --prompt option. (DESCRIPTION): Describe new behavior of looking for plymouth PID file. (OPTIONS): Document new "--prompt" option. (ENVIRONMENT): Clarify that the CRYPTTAB_SOURCE and CRYPTTAB_NAME environment variables are not used if the --prompt option is used. Remove unnecessarily specific details about where the CRYPTTAB_SOURCE and CRYPTTAB_NAME comes from, since this can now be either initramfs-tools or dracut. (SEE ALSO): Remove superfluous crypttab(5) reference, and add commas to separate the other references. * plugins.d/plymouth.c: Add new "--prompt" and "--debug" options. (debug): New global flag. (fprintf_plus): New function, used for debug output. (exec_and_wait): Add extra "const" to "argv" argument. (main): Define and use new "prompt" variable. Add debug output. (main/options, main/parse_opt): New; used to parse options. * plugins.d/plymouth.xml (SYNOPSIS): Show new options. (OPTIONS): Document new options. (ENVIRONMENT): Clarify that the cryptsource and crypttarget environment variables are not used if the --prompt option is used. Remove unnecessarily specific details about where the cryptsource and crypttarget comes from, since this can now be either initramfs-tools or dracut. (EXAMPLE): Add an example using an option. (SEE ALSO): Remove superfluous crypttab(5) reference. * plugins.d/splashy.xml (ENVIRONMENT): Clarify that the cryptsource and crypttarget environment variables are not used if the --prompt option is used. Remove unnecessarily specific details about where the cryptsource and crypttarget comes from, since this can now be either initramfs-tools or dracut. (SEE ALSO): Remove superfluous crypttab(5) reference. * plugins.d/usplash.xml (ENVIRONMENT): Clarify that the cryptsource and crypttarget environment variables are not used if the --prompt option is used. Remove unnecessarily specific details about where the cryptsource and crypttarget comes from, since this can now be either initramfs-tools or dracut. (SEE ALSO): Remove superfluous crypttab(5) reference.	Teddy Hogeborn	5 years ago
1121	Change URL for Avahi to use HTTPS Change URL for Avahi to use HTTPS * INSTALL (Prerequisites/Libraries): Change URL for Avahi to "https://www.avahi.org/". * mandos.xml (SEE ALSO): - '' - * plugins.d/mandos-client.xml (SEE ALSO): - '' -	Teddy Hogeborn	5 years ago
1118	Client: Document requirement of libnl-route library Client: Document requirement of libnl-route library * INSTALL (Prerequisites/Libraries/Mandos Client): Add "libnl-route". * Makefile (plugin-helpers/mandos-client-iprouteadddel): Write comment explaining that the explicit target exists to add the libnl-route library.	Teddy Hogeborn	5 years ago
1114	Stop linking to librt Stop linking to librt Since we are using the clock_* functions from <time.h>, we now require the GNU C library version 2.17 or later (released in 2012), where linking to librt is no longer required in order to use the clock_* functions from <time.h>. This enables us to remove an otherwise unnecessary link to librt. * INSTALL (Mandos Client): Document new GNU C library version requirement. * Makefile (plugins.d/mandos-client): Remove "-lrt".	Teddy Hogeborn	5 years ago
962	Add support for using raw public keys in TLS (RFC 7250) Add support for using raw public keys in TLS (RFC 7250) Since GnuTLS removed support for OpenPGP keys in TLS (RFC 6091), and no other library supports it, we have to change the protocol to use something else. We choose to use "raw public keys" (RFC 7250). Since we still use OpenPGP keys to decrypt the secret password, this means that each client will have two keys: One OpenPGP key and one TLS public/private key, and the key ID of the latter key is used to identify clients instead of the fingerprint of the OpenPGP key. Note that this code is still compatible with GnuTLS before version 3.6.0 (when OpenPGP key support was removed). This commit merely adds support for using raw pulic keys instead with GnuTLS 3.6.6. or later. * DBUS-API (Signals/ClientNotFound): Change name of first parameter from "Fingerprint" to "KeyID". (Mandos Client Interface/Properties/KeyID): New. * INSTALL: Document conflict with GnuTLS 3.6.0 (which removed OpenPGP key support) up until 3.6.6, when support for raw public keys was added. Also document new dependency of client on "gnutls-bin" package (for certtool). * Makefile (run-client): Depend on TLS key files, and also pass them as arguments to client. (keydir/tls-privkey.pem, keydir/tls-pubkey.pem): New. (confdir/clients.conf): Add dependency on TLS public key. (purge-client): Add removal of TLS key files. * clients.conf ([foo]/key_id, [bar]/key_id): New. * debian/control (Source: mandos/Build-Depends): Also allow libgnutls30 (>= 3.6.6) (Package: mandos/Depends): - '' - (Package: mandos/Description): Alter description to match new design. (Package: mandos-client/Description): - '' - (Package: mandos-client/Depends): Move "gnutls-bin \| openssl" to here from "Recommends". * debian/mandos-client.README.Debian: Add --tls-privkey and --tls-pubkey options to test command. * debian/mandos-client.postinst (create_key): Renamed to "create_keys" (all callers changed), and also create TLS key. * debian/mandos-client.postrm (purge): Also remove TLS key files. * intro.xml (DESCRIPTION): Describe new dual-key design. * mandos (GnuTLS): Define different functions depending on whether support for raw public keys is detected. (Client.key_id): New attribute. (ClientDBus.KeyID_dbus_property): New method. (ProxyClient.__init__): Take new "key_id" parameter. (ClientHandler.handle): Use key IDs when using raw public keys and use fingerprints when using OpenPGP keys. (ClientHandler.peer_certificate): Also handle raw public keys. (ClientHandler.key_id): New. (MandosServer.handle_ipc): Pass key ID over the pipe IPC. Also check for key ID matches when looking up clients. (main): Default GnuTLS priority string depends on whether we are using raw public keys or not. When unpickling clients, set key_id if not set in the pickle. (main/MandosDBusService.ClientNotFound): Change name of first parameter from "Fingerprint" to "KeyID". * mandos-clients.conf.xml (OPTIONS): Document new "key_id" option. (OPTIONS/secret): Mention new key ID matchning. (EXPANSION/RUNTIME EXPANSION): Add new "key_id" option. (EXAMPLE): - '' - * mandos-ctl (tablewords, main/keywords): Add new "KeyID" property. * mandos-keygen: Create TLS key files. New "--tls-keytype" (-T) option. Alter help text to be more clear about key types. When in password mode, also output "key_id" option. * mandos-keygen.xml (SYNOPSIS): Add new "--tls-keytype" (-T) option. (DESCRIPTION): Alter to match new dual-key design. (OVERVIEW): - '' - (FILES): Add TLS key files. * mandos-options.xml (priority): Document new default priority string when using raw public keys. * mandos.xml (NETWORK PROTOCOL): Describe new protocol using key ID. (BUGS): Remove issue about checking expire times of OpenPGP keys, since TLS public keys do not have expiration times. (SECURITY/CLIENT): Alter description to match new design. (SEE ALSO/GnuTLS): - '' - (SEE ALSO): Add reference to RFC 7250, and alter description of when RFC 6091 is used. * overview.xml: Alter text to match new design. * plugin-runner.xml (EXAMPLE): Add --tls-pubkey and --tls-privkey options to mandos-client options. * plugins.d/mandos-client.c: Use raw public keys when compiling with supporting GnuTLS versions. Add new "--tls-pubkey" and "--tls-privkey" options (which do nothing if GnuTLS library does not support raw public keys). Alter text throughout to reflect new design. Only generate new DH parameters (based on size of OpenPGP key) when using OpenPGP in TLS. Default GnuTLS priority string depends on whether we are using raw public keys or not. * plugins.d/mandos-client.xml (SYNOPSIS): Add new "--tls-privkey" (-t) and "--tls-pubkey" (-T) options. (DESCRIPTION): Describe new dual-key design. (OPTIONS): Document new "--tls-privkey" (-t) and "--tls-pubkey" (-T) options. (OPTIONS/--dh-bits): No longer necessarily depends on OpenPGP key size. (FILES): Add default locations for TLS public and private key files. (EXAMPLE): Use new --tls-pubkey and --tls-privkey options. (SECURITY): Alter wording slightly to reflect new dual-key design. (SEE ALSO/GnuTLS): Alter description to match new design. (SEE ALSO): Add reference to RFC 7250, and alter description of when RFC 6091 is used.	Teddy Hogeborn	5 years ago
868	Change all http:// URLs to https:// wherever possible. Change all http:// URLs to https:// wherever possible. * INSTALL (Prerequisites/Libraries/Mandos Server): Change "http://" to "https://" wherever possible. * Makefile (FORTIFY): - '' - * mandos.xml (SEE ALSO): - '' - * plugin-runner.c (main): - '' - * plugins.d/mandos-client.c (start_mandos_communication): - '' - * plugins.d/mandos-client.xml (SEE ALSO): - '' -	Teddy Hogeborn	8 years ago
831	Server: Fix bug where it did not exit timely on signals Server: Fix bug where it did not exit timely on signals Use GLib.unix_signal_add() instead of signal.signal() to catch signals; this will allow GLib to do its internal magic with signal file descriptors. (GLib does not handle signals properly otherwise.) The function unix_signal_add() requires GLib 2.30 or later, which was not required by PyGobject until version 3.7.1, so depend on this. * INSTALL (Mandos Server): Document dependency on PyGObject 3.7.1 * mandos (main): Use GLib.unix_signal_add instead of signal.signal. * init.d-mandos (do_stop): Remove workaround. * mandos.service ([Service]): - '' -	Teddy Hogeborn	8 years ago
828	Server: Add Python 3 compatibility Server: Add Python 3 compatibility Add Python 3 compatibility by not using the python-avahi module. Also fix miscellaneous things which differs in Python 3. Especially hard to fix is loading and saving clients data between Python 3 and 2, since pickle formats have problems with strings. * INSTALL: Remove python-avahi (and change python-gobject to python-gi, which is preferred now). * debian/control (Source: mandos/Build-Depends-Indep): Remove "python-avahi". * mandos: Wrap future_builtins import in try-except clause. Do not import avahi module. Use codecs.decode(..., "base64) instead of .decode("base64). Use .keys(), .values(), and .items() instead of .iterkeys(), .itervalues(), and .iteritems(). (alternate_dbus_interfaces/wrapper): Python 3 still requires the "black magic", but luckily it still works. The Python 3 type() constructor requires first argument to be a string, not a byte string. (copy_function): New. Use throughout. (Avahi, avahi): New class and global variable. (GnuTLS._need_version): Changed to be a byte string. (main): Decode byte strings loaded from pickle file. (main/cleanup): Dump using pickle prototoc 2 which Python 2 can read.	Teddy Hogeborn	8 years ago
810	Depend on the GNU C Library 2.16 or later Depend on the GNU C Library 2.16 or later * INSTALL: Document dependency. * plugin-runner.c: Remove #ifdefs for scandirat() and adding of -Wsign-conversion for FD_SET, FD_CLR, and FD_ISSET. * plugins.d/mandos-client.c: - '' -	Teddy Hogeborn	8 years ago
801	Stop using python-gnutls. Use GnuTLS 3.3 or later directly. Stop using python-gnutls. Use GnuTLS 3.3 or later directly. * INSTALL: Document dependency on GnuTLS 3.3 and remove dependency on Python-GnuTLS. * debian/control (Source: mandos/Build-Depends): Add (>= 3.3.0) to "libgnutls28-dev" and "gnutls-dev". (Source: mandos/Build-Depends-Indep): Remove "python2.7-gnutls". (Package: mandos/Depends): Remove "python-gnutls" and "python2.7-gnutls", add "libgnutls28-dev (>= 3.3.0) \| libgnutls30 (>= 3.3.0)" * mandos: Remove imports of "gnutls" and all submodules. (GnuTLS, gnutls): New; simulate a "gnutls" module. Change all callers to match new shorter names.	Teddy Hogeborn	8 years ago
724	Merge from Python 2.7 branch. Merge from Python 2.7 branch.	Teddy Hogeborn	10 years ago
723	INSTALL: Add org-mode setting to show all text when opening. INSTALL: Add org-mode setting to show all text when opening. * INSTALL (STARTUP): New org-mode setting; set to "showall".	Teddy Hogeborn	10 years ago
719	Update non-package install instructions. Update non-package install instructions. * INSTALL: Update package names, URLs and versions. Remove discussion of adjusting network device name. Adjust minimum reboot time to reflect new default timeout value.	Teddy Hogeborn	10 years ago
708	mandos-keygen: Generate "checker" option to use SSH fingerpr... mandos-keygen: Generate "checker" option to use SSH fingerprints. To turn this off, use a new "--no-ssh" option to mandos-keygen. * INSTALL (Mandos Server, Mandos Client): Document new suggested installation of SSH. * Makefile (confdir/clients.conf): Use new "--no-ssh" option to "mandos-keygen". * debian/control (mandos/Depends): Changed to "fping \| ssh-client". (mandos-client/Recommends): New; set to "ssh". * intro.xml (FREQUENTLY ASKED QUESTIONS): Rename and rewrite section called "Faking ping replies?" to address new default behavior. * mandos-clients.conf.xml (OPTIONS/checker): Briefly discuss new behavior of mandos-keygen. * mandos-keygen: Bug fix: Suppress failure output of "shred" to remove "sec", since no such files may exist. (password mode): Scan for SSH key fingerprints and output as new "checker" and "ssh_fingerprint" options, unless new "--no-ssh" option is given. mandos-keygen.xml (SYNOPSIS/--force): Bug fix: Document short form. (OPTIONS/--no-ssh): New. (SEE ALSO): Add reference "ssh-keyscan(1)". * plugins.d/mandos-client.xml (SECURITY): Briefly mention the possibility of using SSH key fingerprints for checking.	Teddy Hogeborn	10 years ago
618	* mandos: Bug fix: Make boolean options work from the config... * mandos: Bug fix: Make boolean options work from the config file again. Bug fix: Make --no-ipv6 work again. Bug fix: Add extra magic to GnuTLS priority to make it work with current version of GnuTLS. * mandos-options.xml (priority): Document new default value. * mandos.conf (priority): - '' - * plugins.d/mandos-client.xml (EXAMPLE): Minor grammar fix.	Teddy Hogeborn	11 years ago
472	* INSTALL: Updated. * INSTALL: Updated.	Teddy Hogeborn	13 years ago
319	* INSTALL: Changed "Python 2.4" to "Python 2.5". * INSTALL: Changed "Python 2.4" to "Python 2.5". * mandos.lsm: - '' -	Teddy Hogeborn	15 years ago

Older »