2
# This script can be called in the following ways:
4
# After the package was installed:
5
# <postinst> configure <old-version>
8
# If prerm fails during upgrade or fails on failed upgrade:
9
# <old-postinst> abort-upgrade <new-version>
11
# If prerm fails during deconfiguration of a package:
12
# <postinst> abort-deconfigure in-favour <new-package> <version>
13
# removing <old-package> <version>
15
# If prerm fails during replacement due to conflict:
16
# <postinst> abort-remove in-favour <new-package> <version>
20
# Update the initial RAM file system image
23
update-initramfs -u -k all
25
if dpkg --compare-versions "$2" lt-nl "1.0.10-1"; then
26
# Make old initrd.img files unreadable too, in case they were
27
# created with mandos-client 1.0.8 or older.
28
find /boot -maxdepth 1 -type f -name "initrd.img-*.bak" \
29
-print0 | xargs --null --no-run-if-empty chmod o-r
35
# Rename old "mandos" user and group
36
if dpkg --compare-versions "$2" lt "1.0.3-1"; then
37
case "`getent passwd mandos`" in
38
*:Mandos\ password\ system,,,:/nonexistent:/bin/false)
39
usermod --login _mandos mandos
40
groupmod --new-name _mandos mandos
45
# Create new user and group
46
if ! getent passwd _mandos >/dev/null; then
47
adduser --system --force-badname --quiet --home /nonexistent \
48
--no-create-home --group --disabled-password \
49
--gecos "Mandos password system" _mandos
53
# Create client key pairs
55
# If the OpenPGP key files do not exist, generate all keys using
57
if ! [ -r /etc/keys/mandos/pubkey.txt \
58
-a -r /etc/keys/mandos/seckey.txt ]; then
60
gpg-connect-agent KILLAGENT /bye || :
64
# If the TLS keys already exists, do nothing
65
if [ -r /etc/keys/mandos/tls-privkey.pem \
66
-a -r /etc/keys/mandos/tls-pubkey.pem ]; then
70
# If this is an upgrade from an old installation, the TLS keys
71
# will not exist; create them.
73
# First try certtool from GnuTLS
74
if ! certtool --generate-privkey --password='' \
75
--outfile /etc/keys/mandos/tls-privkey.pem \
76
--sec-param ultra --key-type=ed25519 --pkcs8 --no-text \
78
# Otherwise try OpenSSL
79
if ! openssl genpkey -algorithm X25519 \
80
-out /etc/keys/mandos/tls-privkey.pem; then
81
rm --force /etc/keys/mandos/tls-privkey.pem
82
# None of the commands succeded; give up
89
# First try certtool from GnuTLS
90
if ! certtool --password='' \
91
--load-privkey=/etc/keys/mandos/tls-privkey.pem \
92
--outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \
93
--no-text 2>/dev/null; then
94
# Otherwise try OpenSSL
95
if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \
96
-out /etc/keys/mandos/tls-pubkey.pem -pubout; then
97
rm --force /etc/keys/mandos/tls-pubkey.pem
98
# None of the commands succeded; give up
107
if [ -r /etc/keys/mandos/dhparams.pem ]; then
110
# Create a Diffe-Hellman parameters file
111
DHFILE="`mktemp -t mandos-client-dh-parameters.XXXXXXXXXX.pem`"
112
# First try certtool from GnuTLS
113
if ! certtool --generate-dh-params --sec-param high \
114
--outfile "$DHFILE"; then
115
# Otherwise try OpenSSL
116
if ! openssl genpkey -genparam -algorithm DH -out "$DHFILE" \
117
-pkeyopt dh_paramgen_prime_len:3072; then
118
# None of the commands succeded; give up
123
sed --in-place --expression='0,/^-----BEGIN DH PARAMETERS-----$/d' \
125
sed --in-place --expression='1i-----BEGIN DH PARAMETERS-----' \
127
cp --archive "$DHFILE" /etc/keys/mandos/dhparams.pem
135
create_dh_params "$@" || :
136
update_initramfs "$@"
137
if dpkg --compare-versions "$2" lt-nl "1.7.10-1"; then
138
PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers
139
if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \
140
>/dev/null 2>&1; then
141
chmod u=rwx,go= -- "$PLUGINHELPERDIR"
143
if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \
144
>/dev/null 2>&1; then
145
chmod u=rwx,go= -- /etc/mandos/plugin-helpers
149
abort-upgrade|abort-deconfigure|abort-remove)
153
echo "$0 called with unknown argument '$1'" 1>&2
added
removed
debian/mandos-client.postinst
