#!/bin/sh # This script can be called in the following ways: # # After the package was installed: # configure # # # If prerm fails during upgrade or fails on failed upgrade: # abort-upgrade # # If prerm fails during deconfiguration of a package: # abort-deconfigure in-favour # removing # # If prerm fails during replacement due to conflict: # abort-remove in-favour . /usr/share/debconf/confmodule set -e # Update the initial RAM file system image update_initramfs() { if command -v update-initramfs >/dev/null; then update-initramfs -k all -u elif command -v dracut >/dev/null; then dracut_version="`dpkg-query --showformat='${Version}' --show dracut`" if dpkg --compare-versions "$dracut_version" lt 043-1 \ && bash -c '. /etc/dracut.conf; . /etc/dracut.conf.d/*; [ "$hostonly" != yes ]'; then echo 'Dracut is not configured to use hostonly mode!' >&2 return 1 fi # Logic taken from dracut.postinst for kernel in /boot/vmlinu[xz]-*; do kversion="${kernel#/boot/vmlinu[xz]-}" # Dracut preserves old permissions of initramfs image # files, so we adjust permissions before creating new # initramfs image containing secret keys. chmod go-r /boot/initrd.img-"$kversion" if [ "$kversion" != "*" ]; then /etc/kernel/postinst.d/dracut "$kversion" fi done fi if dpkg --compare-versions "$2" lt-nl "1.0.10-1"; then # Make old initrd.img files unreadable too, in case they were # created with mandos-client 1.0.8 or older. find /boot -maxdepth 1 -type f -name "initrd.img-*.bak" \ -print0 | xargs --null --no-run-if-empty chmod o-r fi } # Add user and group add_mandos_user(){ # Rename old "mandos" user and group if dpkg --compare-versions "$2" lt "1.0.3-1"; then case "`getent passwd mandos`" in *:Mandos\ password\ system,,,:/nonexistent:/bin/false) usermod --login _mandos mandos groupmod --new-name _mandos mandos return ;; esac fi # Create new user and group if ! getent passwd _mandos >/dev/null; then adduser --system --force-badname --quiet --home /nonexistent \ --no-create-home --group --disabled-password \ --gecos "Mandos password system" _mandos fi } # Create client key pairs create_keys(){ # If the OpenPGP key files do not exist, generate all keys using # mandos-keygen if ! [ -r /etc/keys/mandos/pubkey.txt \ -a -r /etc/keys/mandos/seckey.txt ]; then mandos-keygen gpg-connect-agent KILLAGENT /bye || : return 0 fi # Remove any bad TLS keys by 1.8.0-1 if dpkg --compare-versions "$2" eq "1.8.0-1" \ || dpkg --compare-versions "$2" eq "1.8.0-1~bpo9+1"; then # Is the key bad? if ! certtool --password='' \ --load-privkey=/etc/keys/mandos/tls-privkey.pem \ --outfile=/dev/null --pubkey-info --no-text \ 2>/dev/null; then shred --remove -- /etc/keys/mandos/tls-privkey.pem \ 2>/dev/null || : rm --force -- /etc/keys/mandos/tls-pubkey.pem fi fi # If the TLS keys already exists, do nothing if [ -r /etc/keys/mandos/tls-privkey.pem \ -a -r /etc/keys/mandos/tls-pubkey.pem ]; then return 0 fi # Try to create the TLS keys TLS_PRIVKEYTMP="`mktemp -t mandos-client-privkey.XXXXXXXXXX`" if certtool --generate-privkey --password='' \ --outfile "$TLS_PRIVKEYTMP" --sec-param ultra \ --key-type=ed25519 --pkcs8 --no-text 2>/dev/null; then local umask=$(umask) umask 077 cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || : # First try certtool from GnuTLS if ! certtool --password='' \ --load-privkey=/etc/keys/mandos/tls-privkey.pem \ --outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \ --no-text 2>/dev/null; then # Otherwise try OpenSSL if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \ -out /etc/keys/mandos/tls-pubkey.pem -pubout; then rm --force /etc/keys/mandos/tls-pubkey.pem # None of the commands succeded; give up umask $umask return 1 fi fi umask $umask key_id=$(mandos-keygen --passfile=/dev/null \ | grep --regexp="^key_id[ =]") db_version 2.0 db_fset mandos-client/key_id seen false db_reset mandos-client/key_id db_subst mandos-client/key_id key_id $key_id db_input critical mandos-client/key_id || true db_go db_stop else shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || : fi } create_dh_params(){ if [ -r /etc/keys/mandos/dhparams.pem ]; then return 0 fi # Create a Diffe-Hellman parameters file DHFILE="`mktemp -t mandos-client-dh-parameters.XXXXXXXXXX.pem`" # First try certtool from GnuTLS if ! certtool --generate-dh-params --sec-param high \ --outfile "$DHFILE"; then # Otherwise try OpenSSL if ! openssl genpkey -genparam -algorithm DH -out "$DHFILE" \ -pkeyopt dh_paramgen_prime_len:3072; then # None of the commands succeded; give up rm -- "$DHFILE" return 1 fi fi sed --in-place --expression='0,/^-----BEGIN DH PARAMETERS-----$/d' \ "$DHFILE" sed --in-place --expression='1i-----BEGIN DH PARAMETERS-----' \ "$DHFILE" cp --archive "$DHFILE" /etc/keys/mandos/dhparams.pem rm -- "$DHFILE" } case "$1" in configure) add_mandos_user "$@" create_keys "$@" create_dh_params "$@" || : update_initramfs "$@" if dpkg --compare-versions "$2" lt-nl "1.7.10-1"; then PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \ >/dev/null 2>&1; then chmod u=rwx,go= -- "$PLUGINHELPERDIR" fi if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \ >/dev/null 2>&1; then chmod u=rwx,go= -- /etc/mandos/plugin-helpers fi fi ;; abort-upgrade|abort-deconfigure|abort-remove) ;; *) echo "$0 called with unknown argument '$1'" 1>&2 exit 1 ;; esac exit 0