=== modified file 'Makefile'
--- Makefile 2008-08-10 17:52:54 +0000
+++ Makefile 2008-08-12 06:46:11 +0000
@@ -1,4 +1,11 @@
-WARN=-O -Wall -Wformat=2 -Winit-self -Wmissing-include-dirs -Wswitch-default -Wswitch-enum -Wunused-parameter -Wstrict-aliasing=2 -Wextra -Wfloat-equal -Wundef -Wshadow -Wunsafe-loop-optimizations -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wwrite-strings -Wconversion -Wstrict-prototypes -Wold-style-definition -Wpacked -Wnested-externs -Wunreachable-code -Winline -Wvolatile-register-var
+WARN=-O -Wall -Wformat=2 -Winit-self -Wmissing-include-dirs \
+ -Wswitch-default -Wswitch-enum -Wunused-parameter \
+ -Wstrict-aliasing=2 -Wextra -Wfloat-equal -Wundef -Wshadow \
+ -Wunsafe-loop-optimizations -Wpointer-arith \
+ -Wbad-function-cast -Wcast-qual -Wcast-align -Wwrite-strings \
+ -Wconversion -Wstrict-prototypes -Wold-style-definition \
+ -Wpacked -Wnested-externs -Wunreachable-code -Winline \
+ -Wvolatile-register-var
 DEBUG=-ggdb3
 # For info about _FORTIFY_SOURCE, see
 # 
@@ -18,32 +25,41 @@
 --param man.output.quietly 1 \
 --param man.authors.section.enabled 0
-PROGS=mandos-client plugins.d/password-request plugins.d/password-prompt
-DOCS=mandos.8 mandos-client.8mandos plugins.d/password-request.8mandos plugins.d/password-prompt.8mandos mandos.conf.5 mandos-clients.conf.5
+PLUGINS=plugins.d/password-prompt plugins.d/password-request
+PROGS=mandos-client $(PLUGINS)
+DOCS=mandos.8 mandos-client.8mandos mandos-keygen.8 \
+ plugins.d/password-request.8mandos \
+ plugins.d/password-prompt.8mandos mandos.conf.5 \
+ mandos-clients.conf.5
 objects=$(shell for p in $(PROGS); do echo $${p}.o; done)
-all: $(PROGS) $(DOCS)
+all: $(PROGS)
+
+doc: $(DOCS)
 %.5: %.xml
- cd $(shell dirname $^); $(DOCBOOKTOMAN) $(shell basename $^)
+ cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^)
 %.8: %.xml
- cd $(shell dirname $^); $(DOCBOOKTOMAN) $(shell basename $^)
+ cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^)
 %.8mandos: %.xml
- cd $(shell dirname $^); $(DOCBOOKTOMAN) $(shell basename $^)
+ cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^)
 mandos-client: mandos-client.o
 $(LINK.o) -lgnutls $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@
 plugins.d/password-request: plugins.d/password-request.o
- $(LINK.o) -lgnutls -lavahi-core -lgpgme $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@
+ $(LINK.o) -lgnutls -lavahi-core -lgpgme $(COMMON) $^ \
+ $(LOADLIBES) $(LDLIBS) -o $@
 plugins.d/password-prompt: plugins.d/password-prompt.o
 $(LINK.o) $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@
-.PHONY : all clean distclean run-client run-server
+.PHONY : all clean distclean run-client run-server install \
+ install-server install-client uninstall uninstall-server \
+ uninstall-client purge purge-server purge-client
 clean:
 -rm --force $(PROGS) $(objects) $(DOCS) core 
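Review bot: The new `doc` target is not added to the `.PHONY` list this hunk extends, so a file or directory named `doc` in the source tree would make `make doc` report it up to date and never build the man pages; the list should start `.PHONY : all doc check clean distclean run-client run-server install \` (the existing `check` target is a command target too). The rewritten docbook recipes chain with `;`, so if `cd $(dir $^)` fails the converter still runs in the top directory on a non-existent file; `cd $(dir $^) && $(DOCBOOKTOMAN) $(notdir $^)` stops at the first failure. Those three recipes also use `$^` where a single-prerequisite pattern rule conventionally takes `$<`, which keeps the `cd` argument a single directory if a stylesheet or other extra prerequisite is added later.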
@@ -51,12 +67,93 @@
 distclean: clean
 mostlyclean: clean
 maintainer-clean: clean
+ -rm --force --recursive keydir
-check: all
+check:
 ./mandos --check
 run-client: all
- ./mandos-client --plugin-dir=plugins.d --options-for=password-request:--keydir=keydir
+ -mkdir keydir
+ -./mandos-keygen --dir keydir
+ ./mandos-client --plugin-dir=plugins.d \
+ --options-for=password-request:--keydir=keydir
-run-server: all
+run-server:
 ./mandos --debug --configdir=.
+
+install: install-server install-client
+
+install-server: doc
+ mkdir --mode=0755 --parents /etc/mandos
+ install --mode=0755 mandos /usr/sbin/mandos
+ install --mode=0644 --target-directory=/etc/mandos mandos.conf
+ install --mode=0640 --target-directory=/etc/mandos \
+ clients.conf
+ gzip --best --to-stdout mandos.8 \
+ > /usr/share/man/man8/mandos.8.gz
+ gzip --best --to-stdout mandos.conf.5 \
+ > /usr/share/man/man5/mandos.conf.5.gz
+ gzip --best --to-stdout mandos-clients.conf.5 \
+ > /usr/share/man/man5/mandos-clients.conf.5.gz
+
+install-client: all doc /usr/share/initramfs-tools/hooks/. 
+ mkdir --mode=0755 --parents /usr/lib/mandos /etc/mandos
+ mkdir --mode=0700 /usr/lib/mandos/plugins.d
+ chmod u=rwx,g=,o= /usr/lib/mandos/plugins.d
+ install --mode=0755 --target-directory=/usr/lib/mandos \
+ mandos-client
+ install --mode=0755 --target-directory=/usr/sbin mandos-keygen
+ install --mode=0755 \
+ --target-directory=/usr/lib/mandos/plugins.d \
+ plugins.d/password-prompt
+ install --mode=4755 \
+ --target-directory=/usr/lib/mandos/plugins.d \
+ plugins.d/password-request
+ install initramfs-tools-hook \
+ /usr/share/initramfs-tools/hooks/mandos
+ install initramfs-tools-hook-conf \
+ /usr/share/initramfs-tools/conf-hooks.d/mandos
+ install initramfs-tools-hook-conf \
+ /usr/share/initramfs-tools/conf-hooks.d/mandos
+ gzip --best --to-stdout mandos-keygen.8 \
+ > /usr/share/man/man8/mandos-keygen.8.gz
+ gzip --best --to-stdout mandos-client.8mandos \
+ > /usr/share/man/man8/mandos-client.8mandos.gz
+ gzip --best --to-stdout plugins.d/password-prompt.8mandos \
+ > /usr/share/man/man8/password-prompt.8mandos.gz
+ gzip --best --to-stdout plugins.d/password-request.8mandos \
+ > /usr/share/man/man8/password-request.8mandos.gz
+ /usr/sbin/mandos-keygen
+ update-initramfs -k all -u
+
+uninstall: uninstall-server uninstall-client
+
+uninstall-server: /usr/sbin/mandos
+ -rm --force /usr/sbin/mandos /usr/share/man/man8/mandos.8.gz \
+ /usr/share/man/man5/mandos.conf.5.gz \
+ /usr/share/man/man5/mandos-clients.conf.5.gz
+ -rmdir --force /etc/mandos
+
+uninstall-client:
+ -rm --force /usr/sbin/mandos-keygen \
+ /usr/lib/mandos/mandos-client \
+ /usr/lib/mandos/plugins.d/password-prompt \
+ /usr/lib/mandos/plugins.d/password-request \
+ /usr/share/initramfs-tools/hooks/mandos \
+ /usr/share/initramfs-tools/conf-hooks.d/mandos \
+ /usr/share/man/man8/mandos-client.8mandos.gz \
+ /usr/share/man/man8/mandos-keygen.8.gz \
+ /usr/share/man/man8/password-prompt.8mandos.gz \
+ /usr/share/man/man8/password-request.8mandos.gz
+ -rmdir --force /usr/lib/mandos/plugins.d 
/usr/lib/mandos \
+ /etc/mandos/plugins.d /etc/mandos
+
+purge: purge-server purge-client
+
+purge-server: uninstall-server
+ -rm --force /etc/mandos/server.conf /etc/mandos/clients.conf
+ -rmdir --force /etc/mandos
+
+purge-client: uninstall-client
+ -rm --force /etc/mandos/seckey.txt /etc/mandos/pubkey.txt
+ -rmdir --force /etc/mandos
=== modified file 'TODO'
--- TODO 2008-08-11 16:35:32 +0000
+++ TODO 2008-08-12 06:46:11 +0000
@@ -6,7 +6,7 @@
 [[file:/usr/share/common-licenses/GPL-3][GPLv3]]
 * Mandos-client
-** [#A] Change syntaxt for arguments
+** [#A] Change syntax for arguments
 ** [#A] Man page: man8/mandos-client.8mandos
 *** DESCRIPTION Describe the plus sign syntax for passing options from crypttab 
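Review bot: `rmdir` has no `--force` option, so every `-rmdir --force …` line in uninstall-server, uninstall-client, purge-server and purge-client fails with an unrecognized-option error that the leading `-` then hides, and the directories are never removed; `-rmdir --ignore-fail-on-non-empty /etc/mandos` (or a plain `-rmdir`) is what is meant. purge-server removes `/etc/mandos/server.conf`, but install-server installs `mandos.conf` into that directory, so the installed server configuration survives a purge and the directory stays non-empty. In install-client, `mkdir --mode=0700 /usr/lib/mandos/plugins.d` lacks `--parents` and so aborts a second `make install` once the directory exists, and the `install initramfs-tools-hook-conf` line is present twice. `uninstall-server: /usr/sbin/mandos` names an installed file as a prerequisite, so `make uninstall` stops with "No rule to make target" once that file is gone instead of cleaning up the rest. `install --mode=4755` makes password-request setuid root while the same hunk makes plugins.d mode 0700, which only root can traverse; unless mandos-client drops privileges before running plugins (not visible here) the setuid bit adds exposure without purpose, so either a comment stating why it is needed or `--mode=0755` belongs on that line.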
@@ -136,18 +136,26 @@
 ** Enable client
 * Installer
-** DONE [#A] Change initrd.img file to not be publically readable
- /etc/initramfs-tools/conf.d/mandos
- UMASK=027
-** Update initrd.img after installation
-** [#A] Create mandos user and group for server
-** [#A] Create /var/run/mandos directory with perm and ownership
+** Client
+*** DONE [#A] Change initrd.img file to not be publically readable
+ /usr/share/initramfs-tools/conf-hooks.d/mandos
+ UMASK=027
+*** Update initrd.img after installation
+** Server
+*** [#A] Create mandos user and group for server
+*** [#A] Create /var/run/mandos directory with perm and ownership
+
+** mandos-keygen
+*** [#A] Command man page: man8/mandos-keygen.8
+*** [#A] Output cut-and-paste ready snippet for clients.conf.
 * [#A] Package
+** /usr/share/initramfs-tools/hooks/mandos
+*** Do not install in initrd.img if configured not to
+ Use "/etc/initramfs-tools/conf.d/mandos"? Definitely a debconf
+ question.
 ** /etc/bash_completion.d/mandos
-** /usr/share/initramfs-tools/hooks/mandos
- [[file:/usr/share/doc/initramfs-tools/examples/example_hook][Example initramfs-tools hook script]]
-*** Create GPG key ring files in initrd
+*** From xml sources directly?
 ** unperish
 ** bzr-builddeb
=== added file 'mandos-keygen'
--- mandos-keygen 1970-01-01 00:00:00 +0000
+++ mandos-keygen 2008-08-12 06:46:11 +0000 
@@ -0,0 +1,165 @@
+#!/bin/sh
+#
+# Mandos key generator - create new OpenPGP keys for Mandos clients
+#
+# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+# Contact the authors at .
+#
+
+KEYDIR="/etc/mandos"
+KEYTYPE=DSA
+KEYLENGTH=1024
+KEYNAME="`hostname --fqdn`"
+KEYEMAIL=""
+KEYCOMMENT="Mandos client key"
+KEYEXPIRE=0
+FORCE=no
+KEYCOMMENT_ORIG="$KEYCOMMENT"
+
+# Parse options
+TEMP=`getopt --options d:t:l:n:e:c:x:f \
+ --longoptions dir:,type:,length:,name:,email:,comment:,expire:,force \
+ --name "$0" -- "$@"`
+
+eval set -- "$TEMP"
+while :; do
+ case "$1" in
+ -d|--dir) KEYDIR="$2"; shift 2;;
+ -t|--type) KEYTYPE="$2"; shift 2;;
+ -l|--length) KEYLENGTH="$2"; shift 2;;
+ -n|--name) KEYNAME="$2"; shift 2;;
+ -e|--email) KEYEMAIL="$2"; shift 2;;
+ -c|--comment) KEYCOMMENT="$2"; shift 2;;
+ -x|--expire) KEYCOMMENT="$2"; shift 2;;
+ -f|--force) FORCE=yes; shift;;
+ --) shift; break;;
+ *) echo "Internal error" >&2; exit 1;;
+ esac
+done
+if [ "$#" -gt 0 ]; then
+ echo "Unknown arguments: '$@'" >&2
+ exit 1
+fi
+
+SECKEYFILE="$KEYDIR/seckey.txt"
+PUBKEYFILE="$KEYDIR/pubkey.txt"
+
+# Check for some invalid values
+if [ -d "$KEYDIR" ]; then :; else
+ echo "$KEYDIR not a directory" >&2
+ exit 1
+fi
+if [ -w "$KEYDIR" ]; then :; else
+ echo "Directory $KEYDIR not writeable" >&2
+ exit 1
+fi
+
+if [ -z "$KEYTYPE" ]; then
+ echo "Empty key type" >&2
+ 
exit 1
+fi
+
+if [ -z "$KEYNAME" ]; then
+ echo "Empty key name" >&2
+ exit 1
+fi
+
+if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then
+ echo "Invalid key length" >&2
+ exit 1
+fi
+
+if [ -z "$KEYEXPIRE" ]; then
+ echo "Empty key expiration" >&2
+ exit 1
+fi
+
+# Make FORCE be 0 or 1
+case "$FORCE" in
+ [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;
+ [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;
+esac
+
+if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \
+ && [ "$FORCE" -eq 0 ]; then
+ echo "Refusing to overwrite old key files; use --force" >&2
+ exit 1
+fi
+
+# Set lines for GPG batch file
+if [ -n "$KEYCOMMENT" ]; then
+ KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"
+fi
+if [ -n "$KEYEMAIL" ]; then
+ KEYEMAILLINE="Name-Email: $KEYEMAIL"
+fi
+
+# Create temp files
+BATCHFILE="`mktemp -t mandos-gpg-batch.XXXXXXXXXX`"
+SECRING="`mktemp -t mandos-gpg-secring.XXXXXXXXXX`"
+PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`"
+
+trap "rm --force $PUBRING $BATCHFILE; shred --remove $SECRING" EXIT
+
+# Create batch file for GPG
+cat >"$BATCHFILE" </dev/null; then
+ shred --remove "$SECKEYFILE"
+fi
+if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \
+ 2>/dev/null; then
+ rm --force "$PUBKEYFILE"
+fi
+
+FILECOMMENT="Mandos client key for $KEYNAME"
+if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then
+ FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"
+fi
+
+if [ -n "$KEYEMAIL" ]; then
+ FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"
+fi
+
+gpg --no-random-seed-file --quiet --batch --no-tty --armor \
+ --no-default-keyring --secret-keyring "$SECRING" \
+ --keyring "$PUBRING" --export-options export-minimal \
+ --comment "$FILECOMMENT" --output "$SECKEYFILE" \
+ --export-secret-keys
+gpg --no-random-seed-file --quiet --batch --no-tty --armor \
+ --no-default-keyring --secret-keyring "$SECRING" \
+ --keyring "$PUBRING" --export-options export-minimal \
+ --comment "$FILECOMMENT" --output "$PUBKEYFILE" \
+ --export
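Review bot: The `-x|--expire` case in the option loop assigns `KEYCOMMENT="$2"` instead of `KEYEXPIRE`, so `--expire` silently replaces the key comment while the expiry keeps its default of 0; it should read `-x|--expire) KEYEXPIRE="$2"; shift 2;;`. The armored secret key is written by `gpg --output "$SECKEYFILE"` with whatever umask the caller has (gpg does not appear to tighten the mode of `--output` files), so under a common 022 umask the private key in /etc/mandos is world-readable; a `umask 077` before the mktemp calls and the two exports, or an explicit `chmod 0600 "$SECKEYFILE"` afterwards, closes that, and the previous key kept by `cp --backup=numbered` as `seckey.txt.~N~` is likewise never shredded, only the current file is. The exit status of `getopt` is never checked, so an unknown option is reported by getopt but the script continues into `eval set` with a partial argument list; testing `$?` right after the `TEMP=` assignment and exiting on failure is the usual guard. The heredoc between `cat >"$BATCHFILE"` and the first `cp --backup` line is garbled in this rendering, so the batch-file contents could not be reviewed here.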