1279
|
|
|
Teddy Hogeborn |
2 months ago
|
|
|
1278
|
|
|
Teddy Hogeborn |
2 months ago
|
|
|
1127
|
|
Add dracut(8) support
Add support for the dracut(8) system for generating initramfs image files; dracut is an alternative to the "initramfs-tools" package.
* .bzrignore (dracut-module/password-agent): Ignore new binary file. * dracut-module: New directory for the dracut module. * INSTALL (Prerequisites/Libraries/Mandos Client): Add dracut as an alternative to initramfs-tools, and also add GLib. * Makefile (DRACUTMODULE, GLIB_CFLAGS, GLIB_LIBS): New. (CPROGS): Add "dracut-module/password-agent". (DOCS): Add "dracut-module/password-agent.8mandos". (dracut-module/password-agent.8mandos): New. (dracut-module/password-agent.8mandos.xhtml): - '' - (dracut-module/password-agent): - '' - (check): Add command to run tests of password-agent(8mandos). (install-client-nokey): Also install the dracut module directory, its files, and the password-agent(8mandos) manual page. (install-client): To update the initramfs image file, run update-initramfs or dracut depending on what is installed. (uninstall-client): - '' - and also uninstall the the files in the dracut module directory, that directory itself, and the password-agent(8mandos) manual page. * debian/control (Build-Depends): Add "libglib2.0-dev (>=2.40)". (Package: mandos-client/Depends): Add "dracut (>= 044+241-3)" as an alternative dependency to initramfs-tools. (Package: mandos-client/Conflicts): New; set to "dracut-config-generic". (debian/mandos-client.README.Debian): Document alternative commands to update the initramfs image for when dracut is used. * debian/mandos-client.postinst (update_initramfs): Use alternative commands to update the initramfs image for when dracut is used. * debian/tests/control (password-agent, password-agent-suid): Add two new tests. * dracut-module/ask-password-mandos.path: New. * dracut-module/ask-password-mandos.service: - '' - * dracut-module/cmdline-mandos.sh: - '' - * dracut-module/module-setup.sh: - '' - * dracut-module/password-agent.c: - '' - * dracut-module/password-agent.xml: - '' - * initramfs-unpack: Use the dracut "skipcpio" command, if available. Also be more flexible and try hard to detect where compressed data starts. * plugins.d/mandos-client.xml (SECURITY): Be more precise that the mandos-client binary might not always be setuid, but that the program assumes that it has been started that way. * plugins.d/password-prompt.c: Add new "--prompt" option. (conflict_detection): First try to detect the new PID file of plymouth. (main): Define and use new "prompt" variable. * plugins.d/password-prompt.xml (SYNOPSIS): Show new --prompt option. (DESCRIPTION): Describe new behavior of looking for plymouth PID file. (OPTIONS): Document new "--prompt" option. (ENVIRONMENT): Clarify that the CRYPTTAB_SOURCE and CRYPTTAB_NAME environment variables are not used if the --prompt option is used. Remove unnecessarily specific details about where the CRYPTTAB_SOURCE and CRYPTTAB_NAME comes from, since this can now be either initramfs-tools or dracut. (SEE ALSO): Remove superfluous crypttab(5) reference, and add commas to separate the other references. * plugins.d/plymouth.c: Add new "--prompt" and "--debug" options. (debug): New global flag. (fprintf_plus): New function, used for debug output. (exec_and_wait): Add extra "const" to "argv" argument. (main): Define and use new "prompt" variable. Add debug output. (main/options, main/parse_opt): New; used to parse options. * plugins.d/plymouth.xml (SYNOPSIS): Show new options. (OPTIONS): Document new options. (ENVIRONMENT): Clarify that the cryptsource and crypttarget environment variables are not used if the --prompt option is used. Remove unnecessarily specific details about where the cryptsource and crypttarget comes from, since this can now be either initramfs-tools or dracut. (EXAMPLE): Add an example using an option. (SEE ALSO): Remove superfluous crypttab(5) reference. * plugins.d/splashy.xml (ENVIRONMENT): Clarify that the cryptsource and crypttarget environment variables are not used if the --prompt option is used. Remove unnecessarily specific details about where the cryptsource and crypttarget comes from, since this can now be either initramfs-tools or dracut. (SEE ALSO): Remove superfluous crypttab(5) reference. * plugins.d/usplash.xml (ENVIRONMENT): Clarify that the cryptsource and crypttarget environment variables are not used if the --prompt option is used. Remove unnecessarily specific details about where the cryptsource and crypttarget comes from, since this can now be either initramfs-tools or dracut. (SEE ALSO): Remove superfluous crypttab(5) reference.
|
Teddy Hogeborn |
5 years ago
|
|
|
1106
|
|
|
Teddy Hogeborn |
5 years ago
|
|
|
962
|
|
Add support for using raw public keys in TLS (RFC 7250)
Since GnuTLS removed support for OpenPGP keys in TLS (RFC 6091), and no other library supports it, we have to change the protocol to use something else. We choose to use "raw public keys" (RFC 7250). Since we still use OpenPGP keys to decrypt the secret password, this means that each client will have two keys: One OpenPGP key and one TLS public/private key, and the key ID of the latter key is used to identify clients instead of the fingerprint of the OpenPGP key.
Note that this code is still compatible with GnuTLS before version 3.6.0 (when OpenPGP key support was removed). This commit merely adds support for using raw pulic keys instead with GnuTLS 3.6.6. or later.
* DBUS-API (Signals/ClientNotFound): Change name of first parameter from "Fingerprint" to "KeyID". (Mandos Client Interface/Properties/KeyID): New. * INSTALL: Document conflict with GnuTLS 3.6.0 (which removed OpenPGP key support) up until 3.6.6, when support for raw public keys was added. Also document new dependency of client on "gnutls-bin" package (for certtool). * Makefile (run-client): Depend on TLS key files, and also pass them as arguments to client. (keydir/tls-privkey.pem, keydir/tls-pubkey.pem): New. (confdir/clients.conf): Add dependency on TLS public key. (purge-client): Add removal of TLS key files. * clients.conf ([foo]/key_id, [bar]/key_id): New. * debian/control (Source: mandos/Build-Depends): Also allow libgnutls30 (>= 3.6.6) (Package: mandos/Depends): - '' - (Package: mandos/Description): Alter description to match new design. (Package: mandos-client/Description): - '' - (Package: mandos-client/Depends): Move "gnutls-bin | openssl" to here from "Recommends". * debian/mandos-client.README.Debian: Add --tls-privkey and --tls-pubkey options to test command. * debian/mandos-client.postinst (create_key): Renamed to "create_keys" (all callers changed), and also create TLS key. * debian/mandos-client.postrm (purge): Also remove TLS key files. * intro.xml (DESCRIPTION): Describe new dual-key design. * mandos (GnuTLS): Define different functions depending on whether support for raw public keys is detected. (Client.key_id): New attribute. (ClientDBus.KeyID_dbus_property): New method. (ProxyClient.__init__): Take new "key_id" parameter. (ClientHandler.handle): Use key IDs when using raw public keys and use fingerprints when using OpenPGP keys. (ClientHandler.peer_certificate): Also handle raw public keys. (ClientHandler.key_id): New. (MandosServer.handle_ipc): Pass key ID over the pipe IPC. Also check for key ID matches when looking up clients. (main): Default GnuTLS priority string depends on whether we are using raw public keys or not. When unpickling clients, set key_id if not set in the pickle. (main/MandosDBusService.ClientNotFound): Change name of first parameter from "Fingerprint" to "KeyID". * mandos-clients.conf.xml (OPTIONS): Document new "key_id" option. (OPTIONS/secret): Mention new key ID matchning. (EXPANSION/RUNTIME EXPANSION): Add new "key_id" option. (EXAMPLE): - '' - * mandos-ctl (tablewords, main/keywords): Add new "KeyID" property. * mandos-keygen: Create TLS key files. New "--tls-keytype" (-T) option. Alter help text to be more clear about key types. When in password mode, also output "key_id" option. * mandos-keygen.xml (SYNOPSIS): Add new "--tls-keytype" (-T) option. (DESCRIPTION): Alter to match new dual-key design. (OVERVIEW): - '' - (FILES): Add TLS key files. * mandos-options.xml (priority): Document new default priority string when using raw public keys. * mandos.xml (NETWORK PROTOCOL): Describe new protocol using key ID. (BUGS): Remove issue about checking expire times of OpenPGP keys, since TLS public keys do not have expiration times. (SECURITY/CLIENT): Alter description to match new design. (SEE ALSO/GnuTLS): - '' - (SEE ALSO): Add reference to RFC 7250, and alter description of when RFC 6091 is used. * overview.xml: Alter text to match new design. * plugin-runner.xml (EXAMPLE): Add --tls-pubkey and --tls-privkey options to mandos-client options. * plugins.d/mandos-client.c: Use raw public keys when compiling with supporting GnuTLS versions. Add new "--tls-pubkey" and "--tls-privkey" options (which do nothing if GnuTLS library does not support raw public keys). Alter text throughout to reflect new design. Only generate new DH parameters (based on size of OpenPGP key) when using OpenPGP in TLS. Default GnuTLS priority string depends on whether we are using raw public keys or not. * plugins.d/mandos-client.xml (SYNOPSIS): Add new "--tls-privkey" (-t) and "--tls-pubkey" (-T) options. (DESCRIPTION): Describe new dual-key design. (OPTIONS): Document new "--tls-privkey" (-t) and "--tls-pubkey" (-T) options. (OPTIONS/--dh-bits): No longer necessarily depends on OpenPGP key size. (FILES): Add default locations for TLS public and private key files. (EXAMPLE): Use new --tls-pubkey and --tls-privkey options. (SECURITY): Alter wording slightly to reflect new dual-key design. (SEE ALSO/GnuTLS): Alter description to match new design. (SEE ALSO): Add reference to RFC 7250, and alter description of when RFC 6091 is used.
|
Teddy Hogeborn |
5 years ago
|
|
|
854
|
|
|
Teddy Hogeborn |
8 years ago
|
|
|
847
|
|
|
Teddy Hogeborn |
8 years ago
|
|
|
768
|
|
|
Teddy Hogeborn |
9 years ago
|
|
|
759
|
|
|
Teddy Hogeborn |
9 years ago
|
|
|
641
|
|
|
Teddy Hogeborn |
11 years ago
|
|
|
621
|
|
|
Teddy Hogeborn |
11 years ago
|
|
|
600
|
|
|
Teddy Hogeborn |
12 years ago
|
|
|
594
|
|
|
Teddy Hogeborn |
12 years ago
|
|
|
547
|
|
|
Björn Påhlsson |
12 years ago
|
|
|
525
|
|
|
Björn Påhlsson |
12 years ago
|
|
|
507
|
|
|
Teddy Hogeborn |
13 years ago
|
|
|
448
|
|
|
teddy at bsnet |
14 years ago
|
|
|
444
|
|
|
Teddy Hogeborn |
14 years ago
|
|
|
366
|
|
|
Teddy Hogeborn |
15 years ago
|
|
|
332
|
|
|
Teddy Hogeborn |
15 years ago
|
|
|