=== modified file 'TODO' --- TODO 2008-09-19 12:02:03 +0000 +++ TODO 2008-09-19 23:31:34 +0000 @@ -1,8 +1,6 @@ -*- org -*- -* plugin-runner -** TODO Man page for plugin-runner.conf.5 - link to plugin-runner.8 +* DONE plugin-runner * mandos-client ** TODO [#B] Temporarily lower kernel log level @@ -41,18 +39,11 @@ * Installer ** Client-side -*** TODO Update initrd.img after installation - This seems to use some kind of "trigger" system - [[file:/usr/share/doc/dpkg/triggers.txt.gz]] - dpkg-trigger(1), deb-triggers(5) *** mandos-keygen -**** TODO [#A] Ask for password twice for confirmation -**** TODO "--passfile" option +**** TODO "--secfile" option Using the "secfile" option instead of "secret" **** TODO [#B] "--test" option For testing decryption before rebooting. -** Server-side -*** TODO [#A] Create mandos user and group for server * [#A] Package @@ -63,9 +54,6 @@ ** TODO /etc/bash_completion.d/mandos From XML sources directly? ** TODO unperish -** DONE bzr-builddeb -** DONE mandos user/group creation :test: -** DONE Key creation in postinst :test: * TODO Web site ** DONE http://www.fukt.bsnet.se/mandos === modified file 'mandos-keygen' --- mandos-keygen 2008-09-19 18:08:19 +0000 +++ mandos-keygen 2008-09-19 23:31:34 +0000 @@ -40,8 +40,8 @@ fi # Parse options -TEMP=`getopt --options vhd:t:l:n:e:c:x:f \ - --longoptions version,help,password,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \ +TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:f \ + --longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \ --name "$0" -- "$@"` help(){ @@ -53,6 +53,7 @@ $basename [ OPTIONS ] Encrypted password creation: $basename { -p | --password } [ --name NAME ] [ --dir DIR] + $basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR] Key creation options: -v, --version Show program's version number and exit 
@@ -74,10 +75,14 @@ -x TIME, --expire TIME Key expire time. Default is no expiration. See gpg(1) for syntax. - -f, --force Force overwriting old keys. + -f, --force Force overwriting old key files. Password creation options: - -p, --password Create an encrypted password using the keys in + -p, --password Create an encrypted password using the key in + the key directory. All options other than + --dir and --name are ignored. + -F FILE, --passfile FILE + Encrypt a password from FILE using the key in the key directory. All options other than --dir and --name are ignored. EOF @@ -87,6 +92,7 @@ while :; do case "$1" in -p|--password) mode=password; shift;; + -F|--passfile) mode=password; PASSFILE="$2"; shift 2;; -d|--dir) KEYDIR="$2"; shift 2;; -t|--type) KEYTYPE="$2"; shift 2;; -s|--subtype) SUBKEYTYPE="$2"; shift 2;; @@ -235,7 +241,7 @@ FILECOMMENT="$FILECOMMENT <$KEYEMAIL>" fi - # Export keys from key rings to key files + # Export key from key rings to key files gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ --homedir "$RINGDIR" --armor --export-options export-minimal \ --comment "$FILECOMMENT" --output "$SECKEYFILE" \ @@ -246,7 +252,7 @@ fi if [ "$mode" = password ]; then - # Import keys into temporary key rings + # Import key into temporary key rings gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ --homedir "$RINGDIR" --trust-model always --armor \ --import "$SECKEYFILE" 
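Review bot: The new `-F|--passfile` arm assigns `PASSFILE` but nothing in this hunk clears it beforehand; unless an earlier `PASSFILE=` default exists outside the hunk, a `PASSFILE` variable inherited from the caller's environment will make the later `[ -n "$PASSFILE" ]` test read the password from that file even though `-F` was never given. Initialising it alongside the other defaults (`PASSFILE=`) or an `unset PASSFILE` before the `case` loop closes that. It would also be clearer to reject an unreadable file at parse time instead of letting `cat` fail deep inside the gpg pipeline, e.g. after option parsing: `[ -z "$PASSFILE" ] || [ -r "$PASSFILE" ] || { echo "$0: cannot read $PASSFILE" >&2; exit 1; }`. The enclosing `while :; do case "$1" in` loop continues past this hunk.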
@@ -265,22 +271,37 @@ FILECOMMENT="Encrypted password for a Mandos client" - stty -echo - echo -n "Enter passphrase: " >&2 - head --lines=1 | tr --delete '\n' \ - | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ + if [ -n "$PASSFILE" ]; then + cat "$PASSFILE" + else + stty -echo + echo -n "Enter passphrase: " >&2 + first="$(head --lines=1 | tr --delete '\n')" + echo -n -e "\nRepeat passphrase: " >&2 + second="$(head --lines=1 | tr --delete '\n')" + echo >&2 + stty echo + if [ "$first" != "$second" ]; then + echo -e "Passphrase mismatch" >&2 + false + else + echo -n "$first" + fi + fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ --homedir "$RINGDIR" --trust-model always --armor --encrypt \ --recipient "$FINGERPRINT" --comment "$FILECOMMENT" \ > "$SECFILE" - echo >&2 - stty echo + status="${PIPESTATUS[0]}" + if [ "$status" -ne 0 ]; then + exit "$status" + fi cat <<-EOF [$KEYNAME] host = $KEYNAME fingerprint = $FINGERPRINT secret = -EOF + EOF sed --quiet --expression=' /^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{ /^$/,${ === modified file 'mandos-keygen.xml' --- mandos-keygen.xml 2008-09-12 19:12:40 +0000 +++ mandos-keygen.xml 2008-09-19 23:31:34 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - + ]> @@ -122,6 +122,10 @@ + + + FILE @@ -167,8 +171,9 @@ This program can also be used with the - option to generate a ready-made - section for clients.conf (see + or + options to generate a ready-made section for + clients.conf (see mandos-clients.conf 5). @@ -326,6 +331,18 @@ + + + + + + The same as , but read from + FILE, not the terminal. + + +
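Review bot: On a passphrase mismatch or an unreadable `$PASSFILE` the `> "$SECFILE"` redirection has already created or truncated the output file by the time `status` is inspected, so the script exits non-zero but leaves an empty `$SECFILE` behind (and, if an old one was present and overwriting was permitted, has presumably clobbered it); `if [ "$status" -ne 0 ]; then rm -f -- "$SECFILE"; exit "$status"; fi` would clean up after the failure. `echo -n "$first"` will also mangle a passphrase that begins with `-n`, `-e` or `-E`, whereas `printf '%s' "$first"` passes it through byte for byte. The file branch keeps any trailing newline from `$PASSFILE` while the terminal branch strips it with `tr --delete '\n'`, so the same password yields different encrypted secrets depending on how it was supplied — either strip it with `tr --delete '\n' < "$PASSFILE"` or state the difference in the help text. `PIPESTATUS` and `echo -e` are bash-only; if the interpreter line (outside this hunk) is `/bin/sh` this will not behave as intended. The enclosing `if [ "$mode" = password ]` block starts before this hunk.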