Version 1.6.2 of Mandos is released
Teddy Hogeborn
teddy at recompile.se
Thu Oct 24 23:17:31 CEST 2013
Version 1.6.2 of Mandos is released. This is a bug fix release, fixing
some very important bugs - some introduced by the recently released
version 1.6.1, but also at least one annoying long-standing bug.
SEMI-IMPORTANT NOTE: The default key generation parameters have changed
again in this release. (In fact, the keys generated by mandos-keygen
version 1.6.1 *never worked*.) Also, going forward, this new default
key type will presumably cause *much* less trouble with GnuTLS than the
old type has done many times in the past.
THEREFORE, *after* upgrading to Mandos 1.6.2, we encourage *everyone* to
upgrade their clients' keys to the new default type. This can be done
with six commands on the client, as the root user (assuming a working
and responsive Mandos server):
# 0. Step zero - become root, using whatever method you prefer
sudo su
# 1. Create a temporary file for the old password.
passfile="`mktemp -t mandos-change-keytype-key.XXXXXXXXXX`"
# 2. Save the old password in the temporary file
/usr/lib/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt > "$passfile"
# 3. Generate a new replacement key
mandos-keygen --force
# 4. Generate a new config file snippet, for the server's clients.conf
mandos-keygen --passfile "$passfile"
# 5. Remove the password file
shred --remove "$passfile"
# 6. Regenerate the initramfs images
update-initramfs -k all -u
7. Copy and paste the output from step 4 into the
/etc/mandos/clients.conf file on the Mandos server - what you want to
do is replace the old "fingerprint" and "secret" settings for the
client with the newly generated ones.
8. Restart the Mandos server to detect the new client fingerprints and
secrets:
service mandos restart
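The following is an added example, not a script shipped by the Mandos project: it wraps steps 1 through 6 above in a guarded shell function. The one thing the bare command list does not protect against is step 2 failing (server down, wrong key paths) and leaving an empty temporary file, after which step 3's `mandos-keygen --force` would overwrite the only key pair that can still recover the old password. The wrapper checks that a password was actually recovered before it runs `--force`, and shreds the temporary file on every exit path. The environment-variable overrides (MANDOS_CLIENT, PUBKEY, SECKEY) are this example's own convention so the functions can be exercised without a real Mandos installation; the command names, options and paths are the ones from the announcement. Steps 0, 7 and 8 (becoming root, editing clients.conf on the server, restarting the server) remain manual.

```shell
#!/bin/sh
# Added example (not part of Mandos): guarded version of the key-type
# change from the Mandos 1.6.2 announcement. Run as root with "run".
set -eu

# Paths from the announcement; overridable only so the guard functions
# can be tested without a Mandos client installed (example convention).
MANDOS_CLIENT="${MANDOS_CLIENT:-/usr/lib/mandos/plugins.d/mandos-client}"
PUBKEY="${PUBKEY:-/etc/keys/mandos/pubkey.txt}"
SECKEY="${SECKEY:-/etc/keys/mandos/seckey.txt}"

# Returns 0 only if the file exists, is a regular file and is non-empty,
# i.e. if step 2 really recovered a password worth keeping.
secret_was_saved() {
    [ -f "$1" ] && [ -s "$1" ]
}

# Step 5, made unconditional: shred the temporary password file (which
# briefly holds the root filesystem password in plain text) on any exit.
cleanup_passfile() {
    if [ -n "${passfile:-}" ] && [ -e "$passfile" ]; then
        shred --remove "$passfile"
    fi
}

rotate_client_key() {
    # Step 1: temporary file (mktemp creates it mode 0600).
    passfile="$(mktemp -t mandos-change-keytype-key.XXXXXXXXXX)"
    trap cleanup_passfile EXIT INT TERM

    # Step 2: recover the old password using the OLD key pair.
    if ! "$MANDOS_CLIENT" --pubkey="$PUBKEY" --seckey="$SECKEY" > "$passfile"
    then
        echo "mandos-client failed; old key pair left untouched" >&2
        return 1
    fi

    # Guard: never destroy the old key if nothing was recovered.
    if ! secret_was_saved "$passfile"; then
        echo "no password recovered; refusing 'mandos-keygen --force'" >&2
        return 1
    fi

    # Step 3: replace the key pair with the new default type.
    mandos-keygen --force
    # Step 4: print the clients.conf snippet (fingerprint + secret) for
    # the server; paste it over the client's old settings (step 7).
    mandos-keygen --passfile "$passfile"
    # Step 6: rebuild the initramfs images with the new key.
    update-initramfs -k all -u
    # Step 5 runs from the EXIT trap.
}

# Only perform the rotation when explicitly asked, so the file can be
# sourced and its guard checked without touching a real system.
if [ "${1:-}" = run ]; then
    rotate_client_key
fi
```

Redirect the output of step 4 to a file if you prefer to transfer it to the server out of band; the guard logic is unaffected.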
That's it. Enjoy the new Mandos release!
NEWS file excerpt:
Version 1.6.2 (2013-10-24)
* Server
** PID file moved from /var/run to /run.
** Bug fix: Handle long secrets when saving client state.
** Bug fix: Use more magic in the GnuTLS priority string to handle
both old DSA/ELG 2048-bit keys and new RSA/RSA 4096-bit keys.
* Client
** mandos-keygen: Bug fix: now generate RSA keys which GnuTLS can use.
                  Bug fix: Output passphrase prompts even when
                  redirecting standard output.
Debian package changes:
* debian/compat: Changed to "9".
* debian/control (Build-Depends): Changed debhelper version to (>= 9).
(Standards-Version): Updated to "3.9.4".
(DM-Upload-Allowed): Removed.
(mandos/Depends): Add "initscripts (>= 2.88dsf-13.3)" to be able to
use the "/run" directory (for mandos.pid).
* debian/copyright (Copyright): Update year.
* Fix "Mandos/gnutls fails to establish connection, "an algorithm that
is not enabled was negotiated"" fixed by upstream. (Closes: #702120)
The upload would fix these Debian bugs: 702120
The Debian package for unstable can be found on mentors.debian.net:
- dget http://mentors.debian.net/debian/pool/main/m/mandos/mandos_1.6.2-1.dsc
/Teddy Hogeborn & Björn Påhlsson
--
The Mandos Project
http://www.recompile.se/mandos