=== modified file 'debian/control' --- debian/control 2019-02-09 23:51:47 +0000 +++ debian/control 2019-02-10 03:50:20 +0000 @@ -25,7 +25,8 @@ libgnutls28-dev (<< 3.6.0) | libgnutls30 (<< 3.6.0) | libgnutls30 (>= 3.6.6), python-dbus, python-gi, avahi-daemon, adduser, python-urwid, - gnupg2 | gnupg, systemd-sysv | lsb-base (>= 3.0-6) + gnupg2 | gnupg, systemd-sysv | lsb-base (>= 3.0-6), + debconf (>= 1.5.5) | debconf-2.0 Recommends: ssh-client | fping Description: server giving encrypted passwords to Mandos clients This is the server part of the Mandos system, which allows @@ -47,7 +48,8 @@ Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, cryptsetup (<< 2:2.0.3-1) | cryptsetup-initramfs, initramfs-tools (>= 0.99), dpkg-dev (>=1.16.0), - gnutls-bin (>= 3.6.6) | openssl (>= 1.1.0) + gnutls-bin (>= 3.6.6) | openssl (>= 1.1.0), + debconf (>= 1.5.5) | debconf-2.0 Recommends: ssh Breaks: dropbear (<= 0.53.1-1) Enhances: cryptsetup === modified file 'debian/mandos-client.lintian-overrides' --- debian/mandos-client.lintian-overrides 2016-03-19 04:21:00 +0000 +++ debian/mandos-client.lintian-overrides 2019-02-10 03:50:20 +0000 @@ -30,3 +30,14 @@ mandos-client binary: non-standard-dir-perm etc/mandos/plugins.d/ 0700 != 0755 # Likewise for plugin-helpers directory mandos-client binary: non-standard-dir-perm etc/mandos/plugin-helpers/ 0700 != 0755 + +# The debconf templates is only used for displaying information +# detected in the postinst, not for saving answers to questions, so we +# don't need a .config file. +mandos-client binary: no-debconf-config + +# The notice displayed from the postinst script really is critical +mandos-client binary: postinst-uses-db-input + +# It is a really long line +mandos-client binary: manpage-has-errors-from-man usr/share/man/man8/plugin-runner.8mandos.gz *: warning *: can't break line === modified file 'debian/mandos-client.postinst' --- debian/mandos-client.postinst 2019-02-09 23:23:26 +0000 +++ debian/mandos-client.postinst 2019-02-10 03:50:20 +0000 @@ -15,6 +15,8 @@ # If prerm fails during replacement due to conflict: # abort-remove in-favour +. /usr/share/debconf/confmodule + set -e # Update the initial RAM file system image @@ -101,6 +103,17 @@ fi fi umask $umask + + key_id=$(mandos-keygen --passfile=/dev/null \ + | grep --regexp="^key_id[ =]") + + db_version 2.0 + db_fset mandos-client/key_id seen false + db_reset mandos-client/key_id + db_subst mandos-client/key_id key_id $key_id + db_input critical mandos-client/key_id || true + db_go + db_stop } create_dh_params(){ === added file 'debian/mandos-client.templates' --- debian/mandos-client.templates 1970-01-01 00:00:00 +0000 +++ debian/mandos-client.templates 2019-02-10 03:50:20 +0000 @@ -0,0 +1,10 @@ +Template: mandos-client/key_id +Type: note +Description: New client option "${key_id}" is REQUIRED on server + A new "key_id" client option is REQUIRED in the server's clients.conf file, otherwise this computer most likely will not reboot unattended. This option: + . + ${key_id} + . + must be added (all on one line!) on the Mandos server host, in the file /etc/mandos/clients.conf, right before the "fingerprint" option for this Mandos client. You must edit that file on that server and add this option. + . + With GnuTLS 3.6.6, Mandos has been forced to stop using OpenPGP keys as TLS session keys. A new TLS key pair has been generated and will be used as identification, but the key ID of the public key needs to be added to the server, since this will now be used to identify the client to the server. === modified file 'debian/mandos.lintian-overrides' --- debian/mandos.lintian-overrides 2018-02-10 18:58:32 +0000 +++ debian/mandos.lintian-overrides 2019-02-10 03:50:20 +0000 @@ -3,3 +3,11 @@ # mandos binary: non-standard-file-perm etc/mandos/clients.conf 0600 != 0644 mandos: init.d-script-needs-depends-on-lsb-base etc/init.d/mandos (line 46) + +# The debconf templates is only used for displaying information +# detected in the postinst, not for saving answers to questions, so we +# don't need a .config file. +mandos binary: no-debconf-config + +# The notice displayed from the postinst script really is critical +mandos binary: postinst-uses-db-input === modified file 'debian/mandos.postinst' --- debian/mandos.postinst 2016-03-19 03:48:56 +0000 +++ debian/mandos.postinst 2019-02-10 03:50:20 +0000 @@ -15,6 +15,8 @@ # If prerm fails during replacement due to conflict: # abort-remove in-favour +. /usr/share/debconf/confmodule + set -e case "$1" in @@ -53,6 +55,17 @@ chown _mandos:_mandos /var/lib/mandos chmod u=rwx,go= /var/lib/mandos fi + + gnutls_version=$(dpkg-query --showformat='${Version}' \ + --show libgnutls30 \ + 2>/dev/null || :) + if [ -n "$gnutls_version" ] \ + && dpkg --compare-versions $gnutls_version ge 3.6.6; then + db_version 2.0 + db_input critical mandos/key_id || true + db_go + db_stop + fi ;; abort-upgrade|abort-deconfigure|abort-remove) === added file 'debian/mandos.templates' --- debian/mandos.templates 1970-01-01 00:00:00 +0000 +++ debian/mandos.templates 2019-02-10 03:50:20 +0000 @@ -0,0 +1,14 @@ +Template: mandos/key_id +Type: note +Description: New client option "key_id" is REQUIRED on server + A new "key_id" client option is REQUIRED in the clients.conf file, otherwise the client most likely will not reboot unattended. This option: + . + key_id = + . + must be added in the file /etc/mandos/clients.conf, right before the "fingerprint" option, for each Mandos client. You must edit that file and add this option for all clients. To see the correct key ID for each client, run this command (on each client): + . + mandos-keygen -F/dev/null|grep ^key_id + . + Note: the client must all also be using GnuTLS 3.6.6 or later; the server cannot serve passwords for both old and new clients! + . + Rationale: With GnuTLS 3.6.6, Mandos has been forced to stop using OpenPGP keys as TLS session keys. A new TLS key pair will be generated on each client and will be used as identification, but the key ID of the public key needs to be added to this server, since this will now be used to identify the client to the server.