15
15
# If prerm fails during replacement due to conflict:
16
16
# <postinst> abort-remove in-favour <new-package> <version>
18
. /usr/share/debconf/confmodule
20
# Update the initial RAM file system image
20
# Update the initial RAM filesystem image
23
update-initramfs -u -k all
25
if dpkg --compare-versions "$2" lt-nl "1.0.10-1"; then
26
# Make old initrd.img files unreadable too, in case they were
27
# created with mandos-client 1.0.8 or older.
28
find /boot -maxdepth 1 -type f -name "initrd.img-*.bak" \
29
-print0 | xargs --null --no-run-if-empty chmod o-r
23
if type update-initramfs >/dev/null 2>&1; then
33
28
# Add user and group
35
# Rename old "mandos" user and group
36
if dpkg --compare-versions "$2" lt "1.0.3-1"; then
37
case "`getent passwd mandos`" in
38
*:Mandos\ password\ system,,,:/nonexistent:/bin/false)
39
usermod --login _mandos mandos
40
groupmod --new-name _mandos mandos
45
# Create new user and group
46
if ! getent passwd _mandos >/dev/null; then
47
adduser --system --force-badname --quiet --home /nonexistent \
48
--no-create-home --group --disabled-password \
49
--gecos "Mandos password system" _mandos
53
# Create client key pairs
55
# If the OpenPGP key files do not exist, generate all keys using
57
if ! [ -r /etc/keys/mandos/pubkey.txt \
58
-a -r /etc/keys/mandos/seckey.txt ]; then
60
gpg-connect-agent KILLAGENT /bye || :
64
# If the TLS keys already exists, do nothing
65
if [ -r /etc/keys/mandos/tls-privkey.pem \
66
-a -r /etc/keys/mandos/tls-pubkey.pem ]; then
70
# If this is an upgrade from an old installation, the TLS keys
71
# will not exist; create them.
73
# First try certtool from GnuTLS
74
if ! certtool --generate-privkey --password='' \
75
--outfile /etc/keys/mandos/tls-privkey.pem \
76
--sec-param ultra --key-type=ed25519 --pkcs8 --no-text \
78
# Otherwise try OpenSSL
79
if ! openssl genpkey -algorithm X25519 \
80
-out /etc/keys/mandos/tls-privkey.pem; then
81
rm --force /etc/keys/mandos/tls-privkey.pem
82
# None of the commands succeded; give up
89
# First try certtool from GnuTLS
90
if ! certtool --password='' \
91
--load-privkey=/etc/keys/mandos/tls-privkey.pem \
92
--outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \
93
--no-text 2>/dev/null; then
94
# Otherwise try OpenSSL
95
if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \
96
-out /etc/keys/mandos/tls-pubkey.pem -pubout; then
97
rm --force /etc/keys/mandos/tls-pubkey.pem
98
# None of the commands succeded; give up
107
if [ -r /etc/keys/mandos/dhparams.pem ]; then
110
# Create a Diffe-Hellman parameters file
111
DHFILE="`mktemp -t mandos-client-dh-parameters.XXXXXXXXXX.pem`"
112
# First try certtool from GnuTLS
113
if ! certtool --generate-dh-params --sec-param high \
114
--outfile "$DHFILE"; then
115
# Otherwise try OpenSSL
116
if ! openssl genpkey -genparam -algorithm DH -out "$DHFILE" \
117
-pkeyopt dh_paramgen_prime_len:3072; then
118
# None of the commands succeded; give up
123
sed --in-place --expression='0,/^-----BEGIN DH PARAMETERS-----$/d' \
125
sed --in-place --expression='1i-----BEGIN DH PARAMETERS-----' \
127
cp --archive "$DHFILE" /etc/keys/mandos/dhparams.pem
30
if ! getent passwd mandos >/dev/null; then
31
adduser --disabled-password --quiet --system \
32
--home /var/run/mandos --no-create-home \
33
--gecos "Mandos password daemon" --group mandos
37
# Create client key pair
39
if type mandos-keygen >/dev/null 2>&1; then
135
create_dh_params "$@" || :
136
update_initramfs "$@"
137
if dpkg --compare-versions "$2" lt-nl "1.7.10-1"; then
138
PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers
139
if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \
140
>/dev/null 2>&1; then
141
chmod u=rwx,go= -- "$PLUGINHELPERDIR"
143
if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \
144
>/dev/null 2>&1; then
145
chmod u=rwx,go= -- /etc/mandos/plugin-helpers
149
50
abort-upgrade|abort-deconfigure|abort-remove)
153
echo "$0 called with unknown argument '$1'" 1>&2
54
echo "$0 called with unknown argument \`$1'" 1>&2