18
18
. /usr/share/debconf/confmodule
22
# Update the initial RAM file system image
20
# Update the initramfs
25
update-initramfs -u -k all
27
if dpkg --compare-versions "$2" lt-nl "1.0.10-1"; then
28
# Make old initrd.img files unreadable too, in case they were
29
# created with mandos-client 1.0.8 or older.
30
find /boot -maxdepth 1 -type f -name "initrd.img-*.bak" \
31
-print0 | xargs --null --no-run-if-empty chmod o-r
37
# Rename old "mandos" user and group
38
if dpkg --compare-versions "$2" lt "1.0.3-1"; then
39
case "`getent passwd mandos`" in
40
*:Mandos\ password\ system,,,:/nonexistent:/bin/false)
41
usermod --login _mandos mandos
42
groupmod --new-name _mandos mandos
47
# Create new user and group
48
if ! getent passwd _mandos >/dev/null; then
49
adduser --system --force-badname --quiet --home /nonexistent \
50
--no-create-home --group --disabled-password \
51
--gecos "Mandos password system" _mandos
55
# Create client key pairs
57
# If the OpenPGP key files do not exist, generate all keys using
59
if ! [ -r /etc/keys/mandos/pubkey.txt \
60
-a -r /etc/keys/mandos/seckey.txt ]; then
62
gpg-connect-agent KILLAGENT /bye || :
66
# If the TLS keys already exists, do nothing
67
if [ -r /etc/keys/mandos/tls-privkey.pem \
68
-a -r /etc/keys/mandos/tls-pubkey.pem ]; then
72
# If this is an upgrade from an old installation, the TLS keys
73
# will not exist; create them.
75
# First try certtool from GnuTLS
76
if ! certtool --generate-privkey --password='' \
77
--outfile /etc/keys/mandos/tls-privkey.pem \
78
--sec-param ultra --key-type=ed25519 --pkcs8 --no-text \
80
# Otherwise try OpenSSL
81
if ! openssl genpkey -algorithm X25519 \
82
-out /etc/keys/mandos/tls-privkey.pem; then
83
rm --force /etc/keys/mandos/tls-privkey.pem
84
# None of the commands succeded; give up
91
# First try certtool from GnuTLS
92
if ! certtool --password='' \
93
--load-privkey=/etc/keys/mandos/tls-privkey.pem \
94
--outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \
95
--no-text 2>/dev/null; then
96
# Otherwise try OpenSSL
97
if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \
98
-out /etc/keys/mandos/tls-pubkey.pem -pubout; then
99
rm --force /etc/keys/mandos/tls-pubkey.pem
100
# None of the commands succeded; give up
107
key_id=$(mandos-keygen --passfile=/dev/null \
108
| grep --regexp="^key_id[ =]")
111
db_fset mandos-client/key_id seen false
112
db_reset mandos-client/key_id
113
db_subst mandos-client/key_id key_id $key_id
114
db_input critical mandos-client/key_id || true
120
if [ -r /etc/keys/mandos/dhparams.pem ]; then
123
# Create a Diffe-Hellman parameters file
124
DHFILE="`mktemp -t mandos-client-dh-parameters.XXXXXXXXXX.pem`"
125
# First try certtool from GnuTLS
126
if ! certtool --generate-dh-params --sec-param high \
127
--outfile "$DHFILE"; then
128
# Otherwise try OpenSSL
129
if ! openssl genpkey -genparam -algorithm DH -out "$DHFILE" \
130
-pkeyopt dh_paramgen_prime_len:3072; then
131
# None of the commands succeded; give up
136
sed --in-place --expression='0,/^-----BEGIN DH PARAMETERS-----$/d' \
138
sed --in-place --expression='1i-----BEGIN DH PARAMETERS-----' \
140
cp --archive "$DHFILE" /etc/keys/mandos/dhparams.pem
23
if which update-initramfs >/dev/null 2>&1; then
148
create_dh_params "$@" || :
149
update_initramfs "$@"
150
if dpkg --compare-versions "$2" lt-nl "1.7.10-1"; then
151
PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers
152
if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \
153
>/dev/null 2>&1; then
154
chmod u=rwx,go= -- "$PLUGINHELPERDIR"
156
if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \
157
>/dev/null 2>&1; then
158
chmod u=rwx,go= -- /etc/mandos/plugin-helpers
162
33
abort-upgrade|abort-deconfigure|abort-remove)
166
echo "$0 called with unknown argument '$1'" 1>&2
37
echo "$0 called with unknown argument \`$1'" 1>&2
added
removed
debian/mandos-client.postinst
