15
15
# If prerm fails during replacement due to conflict:
16
16
# <postinst> abort-remove in-favour <new-package> <version>
18
. /usr/share/debconf/confmodule
18
22
# Update the initial RAM file system image
21
if [ -x /usr/sbin/update-initramfs ]; then
22
update-initramfs -u -k all
25
if command -v update-initramfs >/dev/null; then
26
update-initramfs -k all -u
27
elif command -v dracut >/dev/null; then
28
dracut_version="`dpkg-query --showformat='${Version}' --show dracut`"
29
if dpkg --compare-versions "$dracut_version" lt 043-1 \
30
&& bash -c '. /etc/dracut.conf; . /etc/dracut.conf.d/*; [ "$hostonly" != yes ]'; then
31
echo 'Dracut is not configured to use hostonly mode!' >&2
34
# Logic taken from dracut.postinst
35
for kernel in /boot/vmlinu[xz]-*; do
36
kversion="${kernel#/boot/vmlinu[xz]-}"
37
# Dracut preserves old permissions of initramfs image
38
# files, so we adjust permissions before creating new
39
# initramfs image containing secret keys.
40
chmod go-r /boot/initrd.img-"$kversion"
41
if [ "$kversion" != "*" ]; then
42
/etc/kernel/postinst.d/dracut "$kversion"
25
47
if dpkg --compare-versions "$2" lt-nl "1.0.10-1"; then
26
48
# Make old initrd.img files unreadable too, in case they were
27
49
# created with mandos-client 1.0.8 or older.
28
find /boot -maxdepth 1 -name "initrd.img-*.bak"-print0 \
29
| xargs --null --no-run-if-empty chmod o-r
50
find /boot -maxdepth 1 -type f -name "initrd.img-*.bak" \
51
-print0 | xargs --null --no-run-if-empty chmod o-r
33
55
# Add user and group
35
57
# Rename old "mandos" user and group
36
case "`getent passwd mandos`" in
37
*:Mandos\ password\ system,,,:/nonexistent:/bin/false)
38
usermod --login _mandos mandos
39
groupmod --new-name _mandos mandos
58
if dpkg --compare-versions "$2" lt "1.0.3-1"; then
59
case "`getent passwd mandos`" in
60
*:Mandos\ password\ system,,,:/nonexistent:/bin/false)
61
usermod --login _mandos mandos
62
groupmod --new-name _mandos mandos
43
67
# Create new user and group
44
68
if ! getent passwd _mandos >/dev/null; then
45
69
adduser --system --force-badname --quiet --home /nonexistent \
51
# Create client key pair
53
if [ -r /etc/keys/mandos/pubkey.txt \
54
-a -r /etc/keys/mandos/seckey.txt ]; then
57
if [ -x /usr/sbin/mandos-keygen ]; then
75
# Create client key pairs
77
# If the OpenPGP key files do not exist, generate all keys using
79
if ! [ -r /etc/keys/mandos/pubkey.txt \
80
-a -r /etc/keys/mandos/seckey.txt ]; then
82
gpg-connect-agent KILLAGENT /bye || :
86
# Remove any bad TLS keys by 1.8.0-1
87
if dpkg --compare-versions "$2" eq "1.8.0-1" \
88
|| dpkg --compare-versions "$2" eq "1.8.0-1~bpo9+1"; then
90
if ! certtool --password='' \
91
--load-privkey=/etc/keys/mandos/tls-privkey.pem \
92
--outfile=/dev/null --pubkey-info --no-text \
94
shred --remove -- /etc/keys/mandos/tls-privkey.pem \
96
rm --force -- /etc/keys/mandos/tls-pubkey.pem
100
# If the TLS keys already exists, do nothing
101
if [ -r /etc/keys/mandos/tls-privkey.pem \
102
-a -r /etc/keys/mandos/tls-pubkey.pem ]; then
106
# Try to create the TLS keys
108
TLS_PRIVKEYTMP="`mktemp -t mandos-client-privkey.XXXXXXXXXX`"
110
if certtool --generate-privkey --password='' \
111
--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \
112
--key-type=ed25519 --pkcs8 --no-text 2>/dev/null; then
116
cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem
117
shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || :
119
# First try certtool from GnuTLS
120
if ! certtool --password='' \
121
--load-privkey=/etc/keys/mandos/tls-privkey.pem \
122
--outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \
123
--no-text 2>/dev/null; then
124
# Otherwise try OpenSSL
125
if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \
126
-out /etc/keys/mandos/tls-pubkey.pem -pubout; then
127
rm --force /etc/keys/mandos/tls-pubkey.pem
128
# None of the commands succeded; give up
135
key_id=$(mandos-keygen --passfile=/dev/null \
136
| grep --regexp="^key_id[ =]")
139
db_fset mandos-client/key_id seen false
140
db_reset mandos-client/key_id
141
db_subst mandos-client/key_id key_id $key_id
142
db_input critical mandos-client/key_id || true
146
shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || :
151
if [ -r /etc/keys/mandos/dhparams.pem ]; then
154
# Create a Diffe-Hellman parameters file
155
DHFILE="`mktemp -t mandos-client-dh-parameters.XXXXXXXXXX.pem`"
156
# First try certtool from GnuTLS
157
if ! certtool --generate-dh-params --sec-param high \
158
--outfile "$DHFILE"; then
159
# Otherwise try OpenSSL
160
if ! openssl genpkey -genparam -algorithm DH -out "$DHFILE" \
161
-pkeyopt dh_paramgen_prime_len:3072; then
162
# None of the commands succeded; give up
167
sed --in-place --expression='0,/^-----BEGIN DH PARAMETERS-----$/d' \
169
sed --in-place --expression='1i-----BEGIN DH PARAMETERS-----' \
171
cp --archive "$DHFILE" /etc/keys/mandos/dhparams.pem
64
177
add_mandos_user "$@"
179
create_dh_params "$@" || :
66
180
update_initramfs "$@"
181
if dpkg --compare-versions "$2" lt-nl "1.7.10-1"; then
182
PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers
183
if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \
184
>/dev/null 2>&1; then
185
chmod u=rwx,go= -- "$PLUGINHELPERDIR"
187
if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \
188
>/dev/null 2>&1; then
189
chmod u=rwx,go= -- /etc/mandos/plugin-helpers
68
193
abort-upgrade|abort-deconfigure|abort-remove)