15
15
# If prerm fails during replacement due to conflict:
16
16
# <postinst> abort-remove in-favour <new-package> <version>
18
. /usr/share/debconf/confmodule
20
22
# Update the initial RAM file system image
23
update-initramfs -u -k all
25
if command -v update-initramfs >/dev/null; then
26
update-initramfs -k all -u 1>&2
27
elif command -v dracut >/dev/null; then
28
dracut_version="`dpkg-query --showformat='${Version}' --show dracut`"
29
if dpkg --compare-versions "$dracut_version" lt 043-1 \
30
&& bash -c '. /etc/dracut.conf; . /etc/dracut.conf.d/*; [ "$hostonly" != yes ]'; then
31
echo 'Dracut is not configured to use hostonly mode!' >&2
34
# Logic taken from dracut.postinst
35
for kernel in /boot/vmlinu[xz]-*; do
36
kversion="${kernel#/boot/vmlinu[xz]-}"
37
# Dracut preserves old permissions of initramfs image
38
# files, so we adjust permissions before creating new
39
# initramfs image containing secret keys.
40
if [ -e /boot/initrd.img-"$kversion" ]; then
41
chmod go-r /boot/initrd.img-"$kversion"
43
# An initrd image has not yet been created for this
44
# kernel, possibly because this new kernel is about to
45
# be, but has not yet been, installed. In this case,
46
# we create an empty file with the right permissions
47
# so that Dracut will preserve those permissions when
48
# it creates the real, new initrd image for this
50
install --mode=u=rw /dev/null \
51
/boot/initrd.img-"$kversion"
53
if [ "$kversion" != "*" ]; then
54
/etc/kernel/postinst.d/dracut "$kversion" 1>&2
25
59
if dpkg --compare-versions "$2" lt-nl "1.0.10-1"; then
26
60
# Make old initrd.img files unreadable too, in case they were
36
70
if dpkg --compare-versions "$2" lt "1.0.3-1"; then
37
71
case "`getent passwd mandos`" in
38
72
*:Mandos\ password\ system,,,:/nonexistent:/bin/false)
39
usermod --login _mandos mandos
40
groupmod --new-name _mandos mandos
73
usermod --login _mandos mandos 1>&2
74
groupmod --new-name _mandos mandos 1>&2
46
80
if ! getent passwd _mandos >/dev/null; then
47
81
adduser --system --force-badname --quiet --home /nonexistent \
48
82
--no-create-home --group --disabled-password \
49
--gecos "Mandos password system" _mandos
83
--gecos "Mandos password system" _mandos 1>&2
53
# Create client key pair
55
if [ -r /etc/keys/mandos/pubkey.txt \
56
-a -r /etc/keys/mandos/seckey.txt ]; then
87
# Create client key pairs
89
# If the OpenPGP key files do not exist, generate all keys using
91
if ! [ -r /etc/keys/mandos/pubkey.txt \
92
-a -r /etc/keys/mandos/seckey.txt ]; then
94
gpg-connect-agent KILLAGENT /bye 1>&2 || :
98
# Remove any bad TLS keys by 1.8.0-1
99
if dpkg --compare-versions "$2" eq "1.8.0-1" \
100
|| dpkg --compare-versions "$2" eq "1.8.0-1~bpo9+1"; then
102
if ! certtool --password='' \
103
--load-privkey=/etc/keys/mandos/tls-privkey.pem \
104
--outfile=/dev/null --pubkey-info --no-text \
105
1>&2 2>/dev/null; then
106
shred --remove -- /etc/keys/mandos/tls-privkey.pem \
108
rm --force -- /etc/keys/mandos/tls-pubkey.pem
112
# If the TLS keys already exists, do nothing
113
if [ -r /etc/keys/mandos/tls-privkey.pem \
114
-a -r /etc/keys/mandos/tls-pubkey.pem ]; then
118
# Try to create the TLS keys
120
TLS_PRIVKEYTMP="`mktemp -t mandos-client-privkey.XXXXXXXXXX`"
122
if certtool --generate-privkey --password='' \
123
--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \
124
--key-type=ed25519 --pkcs8 --no-text 1>&2 \
129
cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem
130
shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || :
132
# First try certtool from GnuTLS
133
if ! certtool --password='' \
134
--load-privkey=/etc/keys/mandos/tls-privkey.pem \
135
--outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \
136
--no-text 1>&2 2>/dev/null; then
137
# Otherwise try OpenSSL
138
if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \
139
-out /etc/keys/mandos/tls-pubkey.pem -pubout \
141
rm --force /etc/keys/mandos/tls-pubkey.pem
142
# None of the commands succeded; give up
149
key_id=$(mandos-keygen --passfile=/dev/null \
150
| grep --regexp="^key_id[ =]")
153
db_fset mandos-client/key_id seen false
154
db_reset mandos-client/key_id
155
db_subst mandos-client/key_id key_id $key_id
156
db_input critical mandos-client/key_id || true
160
shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || :
62
164
create_dh_params(){
67
169
DHFILE="`mktemp -t mandos-client-dh-parameters.XXXXXXXXXX.pem`"
68
170
# First try certtool from GnuTLS
69
171
if ! certtool --generate-dh-params --sec-param high \
70
--outfile "$DHFILE"; then
172
--outfile "$DHFILE" 1>&2; then
71
173
# Otherwise try OpenSSL
72
174
if ! openssl genpkey -genparam -algorithm DH -out "$DHFILE" \
73
-pkeyopt dh_paramgen_prime_len:3072; then
175
-pkeyopt dh_paramgen_prime_len:3072 1>&2; then
74
176
# None of the commands succeded; give up
177
rm --force -- "$DHFILE"
81
183
sed --in-place --expression='1i-----BEGIN DH PARAMETERS-----' \
83
185
cp --archive "$DHFILE" /etc/keys/mandos/dhparams.pem
186
rm --force -- "$DHFILE"
89
191
add_mandos_user "$@"
91
193
create_dh_params "$@" || :
92
194
update_initramfs "$@"
93
if dpkg --compare-versions "$2" lt-nl "1.7.7-1"; then
195
if dpkg --compare-versions "$2" lt-nl "1.7.10-1"; then
94
196
PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers
95
197
if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \
96
198
>/dev/null 2>&1; then
97
199
chmod u=rwx,go= -- "$PLUGINHELPERDIR"
201
if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \
202
>/dev/null 2>&1; then
203
chmod u=rwx,go= -- /etc/mandos/plugin-helpers
101
207
abort-upgrade|abort-deconfigure|abort-remove)