Version 1.6.2 of Mandos is released

Teddy Hogeborn teddy at recompile.se
Thu Oct 24 23:17:31 CEST 2013


Version 1.6.2 of Mandos is released.  This is a bug fix release, fixing
some very important bugs - some introduced by the recently released
version 1.6.1, but also at least one annoying long-standing bug.

SEMI-IMPORTANT NOTE:  The default key generation parameters have changed
again in this release.  (In fact, the keys generated by mandos-keygen
version 1.6.1 *never worked*.)  Also, going forward, this new default
key type will presumably cause *much* less trouble with GnuTLS than the
old key type has done many times in the past.

THEREFORE, *after* upgrading to Mandos 1.6.2, we encourage *everyone* to
upgrade their clients' keys to the new default type.  This can be done
with six commands on the client, as the root user (assuming a working
and responsive Mandos server):

  # 0. Step zero - become root, using whatever method you prefer
  sudo su
  # 1. Create a temporary file for the old password.
  passfile="`mktemp -t mandos-change-keytype-key.XXXXXXXXXX`"
  # 2. Save the old password in the temporary file
  /usr/lib/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt > "$passfile"
  # 3. Generate a new replacement key
  mandos-keygen --force
  # 4. Generate a new config file snippet, for the server's clients.conf
  mandos-keygen --passfile "$passfile"
  # 5. Remove the password file
  shred --remove "$passfile"
  # 6. Regenerate the initramfs images
  update-initramfs -k all -u

7. Copy and paste the output from step 4 into the
   /etc/mandos/clients.conf file on the Mandos server - what you want to
   do is replace the old "fingerprint" and "secret" settings for the
   client with the newly generated ones.

8. Restart the Mandos server to detect the new client fingerprints and
   secrets:

   service mandos restart

That's it.  Enjoy the new Mandos release!

NEWS file excerpt:

Version 1.6.2 (2013-10-24)
* Server
** PID file moved from /var/run to /run.
** Bug fix: Handle long secrets when saving client state.
** Bug fix: Use more magic in the GnuTLS priority string to handle
   both old DSA/ELG 2048-bit keys and new RSA/RSA 4096-bit keys.
* Client
** mandos-keygen: Bug fix: now generate RSA keys which GnuTLS can use.
                  Bug fix: Output passphrase prompts even when
                  redirecting standard output.

Debian package changes:

* debian/compat: Changed to "9".
* debian/control (Build-Depends): Changed debhelper version to (>= 9).
  (Standards-Version): Updated to "3.9.4".
  (DM-Upload-Allowed): Removed.
  (mandos/Depends): Add "initscripts (>= 2.88dsf-13.3)" to be able to
                    use the "/run" directory (for mandos.pid).
* debian/copyright (Copyright): Update year.
* Fix "Mandos/gnutls fails to establish connection, "an algorithm that
  is not enabled was negotiated"" fixed by upstream. (Closes: #702120)

The upload would fix these Debian bugs: 702120
The Debian package for unstable can be found on mentors.debian.net:
- dget http://mentors.debian.net/debian/pool/main/m/mandos/mandos_1.6.2-1.dsc

/Teddy Hogeborn & Björn Påhlsson

-- 
The Mandos Project
http://www.recompile.se/mandos
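The re-keying procedure from the announcement above, written up as a single POSIX shell script. This is an added example and not Mandos project code: it uses the same commands and paths as steps 1 to 6, but adds the check the manual steps lack. Step 3 ("mandos-keygen --force") overwrites the old key, so the script refuses to reach it unless step 2 actually produced a secret; otherwise a server that is down or unreachable at the wrong moment would leave the client with neither the old secret nor a key the server knows. The MANDOS_CLIENT and KEYDIR variables and the "--run" switch are this example's own conventions, not options of the Mandos tools.

```shell
#!/bin/sh
# Added example (not Mandos project code): re-key a Mandos client to the
# new default key type, refusing to overwrite the old key unless the old
# secret was actually retrieved from the server first.
# Assumed: command and key paths as given in the 1.6.2 announcement.
set -e

MANDOS_CLIENT="${MANDOS_CLIENT:-/usr/lib/mandos/plugins.d/mandos-client}"
KEYDIR="${KEYDIR:-/etc/keys/mandos}"

# A retrieved secret is usable only if the file is non-empty.  An empty
# file is what is left behind when mandos-client fails before printing.
secret_is_usable() {
    [ -s "$1" ]
}

# Step 2: fetch the current secret from the server with the old key pair,
# writing it to the file named in $1.
fetch_old_secret() {
    "$MANDOS_CLIENT" --pubkey="$KEYDIR/pubkey.txt" \
                     --seckey="$KEYDIR/seckey.txt" > "$1"
}

rekey_client() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "rekey_client: must be run as root" >&2
        return 1
    fi
    # Step 1: temporary file for the old secret.
    passfile="$(mktemp -t mandos-change-keytype-key.XXXXXXXXXX)"
    # Step 5, made unconditional: shred the plaintext however we exit.
    trap 'shred --remove "$passfile"' EXIT INT TERM

    # Step 2, gated: do not continue unless a secret really came back.
    if ! fetch_old_secret "$passfile" || ! secret_is_usable "$passfile"; then
        echo "rekey_client: no secret retrieved; old key left untouched" >&2
        return 1
    fi

    # Step 3: only now is it safe to overwrite the old key pair.
    mandos-keygen --force
    # Step 4: print the snippet for the server's /etc/mandos/clients.conf.
    mandos-keygen --passfile "$passfile"
    # Step 6: rebuild the initramfs images so they carry the new key.
    update-initramfs -k all -u
}

# Run only when asked explicitly, so the file can also be sourced for
# its helper functions.
if [ "${1:-}" = "--run" ]; then
    rekey_client
fi
```

Run it as root with "--run" and then do steps 7 and 8 by hand as before: paste the printed snippet into the server's clients.conf and restart the Mandos server. If the server is unreachable the script exits before touching the key, and the temporary file is shredded on every exit path.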