=== modified file 'Makefile'
--- Makefile 2013-10-20 15:25:09 +0000
+++ Makefile 2013-10-20 21:04:35 +0000
@@ -339,6 +339,8 @@
--target-directory=$(PREFIX)/lib/mandos plugin-runner
install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
mandos-keygen
+ install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
+ mandos-change-keytype
install --mode=u=rwx,go=rx \
--target-directory=$(PREFIX)/lib/mandos/plugins.d \
plugins.d/password-prompt
@@ -407,6 +409,7 @@
! grep --regexp='^ *[^ #].*keyscript=[^,=]*/mandos/' \
$(DESTDIR)/etc/crypttab
-rm --force $(PREFIX)/sbin/mandos-keygen \
+ $(PREFIX)/sbin/mandos-change-keytype \
$(PREFIX)/lib/mandos/plugin-runner \
$(PREFIX)/lib/mandos/plugins.d/password-prompt \
$(PREFIX)/lib/mandos/plugins.d/mandos-client \
=== modified file 'TODO'
--- TODO 2013-06-23 15:30:34 +0000
+++ TODO 2013-10-20 21:04:35 +0000
@@ -1,5 +1,9 @@
-*- org -*-
+* TODO [#A] mandos-change-keytype.xml
+* TODO [#A] Note about the necessity to change key type on upgrade
+ Possibly using mandos-change-keytype
+
* [[http://www.undeadly.org/cgi?action=article&sid=20110530221728][OpenBSD]]
* Testing
=== modified file 'mandos'
--- mandos 2013-10-20 15:25:09 +0000
+++ mandos 2013-10-20 21:04:35 +0000
@@ -2343,7 +2343,7 @@
"port": "",
"debug": "False",
"priority":
- "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224",
+ "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
"servicename": "Mandos",
"use_dbus": "True",
"use_ipv6": "True",
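Review bot: The new default priority literal on the `+` line is now one of three identical copies (mandos.conf and mandos-options.xml carry the same string in this commit) and nothing ties them together; a comment on the dict entry, `# Default GnuTLS priority; keep in sync with mandos.conf and mandos-options.xml`, would make the next change less likely to miss one. Dropping `+SIGN-RSA-SHA224` means the accepted signature algorithms become whatever SECURE256 admits instead of the single pinned one; if that widening is the intent (presumably to accept the new key type), it is worth stating in the option's documentation rather than leaving it implicit in the literal. The enclosing defaults dict starts outside the hunk.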
=== added file 'mandos-change-keytype'
--- mandos-change-keytype 1970-01-01 00:00:00 +0000
+++ mandos-change-keytype 2013-10-20 21:04:35 +0000
@@ -0,0 +1,42 @@
+#!/bin/sh -e
+#
+# Mandos key regenerator - create a new OpenPGP key for a Mandos client
+#
+# Copyright © 2013 Teddy Hogeborn
+# Copyright © 2013 Björn Påhlsson
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+# Contact the authors at .
+#
+
+PASSFILE="`mktemp -t mandos-change-keytype-key.XXXXXXXXXX`"
+
+# Remove temporary files on exit
+trap "
+set +e; \
+test -n \"$PASSFILE\" && shred --remove \"$PASSFILE\"; \
+" EXIT
+
+if [ -z "$PASSFILE" ]; then
+ exit 1
+fi
+
+/usr/lib/mandos/plugins.d/mandos-client \
+ --pubkey=/etc/keys/mandos/pubkey.txt \
+ --seckey=/etc/keys/mandos/seckey.txt > "$PASSFILE"
+
+./mandos-keygen --force "$@"
+
+./mandos-keygen --passfile "$PASSFILE"
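Review bot: Both `mandos-keygen` invocations use the relative path `./mandos-keygen`, but the Makefile hunk in this commit installs the script into `$(PREFIX)/sbin`, so after installation it only finds its helper when run with that directory as the current directory, whereas the plugin a few lines up is already addressed absolutely. Changing the two lines to `mandos-keygen --force "$@"` and `mandos-keygen --passfile "$PASSFILE"` (PATH lookup, both files land in the same sbin directory) or an absolute path like the plugin call would fix that. Only the first call receives `"$@"`; if any forwarded option changes which key directory mandos-keygen reads or writes, the second call and the hardcoded `/etc/keys/mandos/` paths handed to mandos-client would disagree with it, which deserves a comment or a guard. The passphrase is written to a mktemp file that is shredded on exit; a comment that this depends on mktemp's owner-only mode and that `shred --remove` is best-effort on journaling or copy-on-write filesystems would help the next maintainer.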
=== modified file 'mandos-keygen'
--- mandos-keygen 2013-10-20 19:13:09 +0000
+++ mandos-keygen 2013-10-20 21:04:35 +0000
@@ -294,10 +294,10 @@
cat "$PASSFILE"
else
tty --quiet && stty -echo
- echo -n "Enter passphrase: "
+ echo -n "Enter passphrase: " >&2
read first
tty --quiet && echo >&2
- echo -n "Repeat passphrase: "
+ echo -n "Repeat passphrase: " >&2
read second
if tty --quiet; then
echo >&2
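Review bot: The two new `echo -n ... >&2` lines depend on `echo -n` suppressing the newline, which a POSIX `/bin/sh` such as dash does not honour (it prints a literal `-n`); if mandos-keygen runs under `sh` rather than bash, `printf '%s' "Enter passphrase: " >&2` and `printf '%s' "Repeat passphrase: " >&2` are the portable form. Moving the prompts to stderr is consistent with the `tty --quiet && echo >&2` lines already in the hunk, so stdout carries only the key output. The `if`/`else` this hunk sits in starts and ends outside the hunk.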
=== modified file 'mandos-options.xml'
--- mandos-options.xml 2013-06-23 15:13:06 +0000
+++ mandos-options.xml 2013-10-20 21:04:35 +0000
@@ -49,7 +49,7 @@
GnuTLS priority string for the TLS handshake.
The default is SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224
.
+ >SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP.
See gnutls_priority_init
3 for the syntax.
=== modified file 'mandos.conf'
--- mandos.conf 2013-06-23 15:13:06 +0000
+++ mandos.conf 2013-10-20 21:04:35 +0000
@@ -23,7 +23,7 @@
;debug = False
# GnuTLS priority for the TLS handshake. See gnutls_priority_init(3).
-;priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224
+;priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP
# Zeroconf service name. You need to change this if you for some
# reason want to run more than one server on the same *host*.