Version 1.6.2 of Mandos is released
Nathanael D. Noblet
nathanael at gnat.ca
Thu Oct 24 23:38:02 CEST 2013
Hello,
I'm hoping the new key generation fixes my Fedora/Red Hat issues.
I'm unable to download the new release from
ftp://ftp.recompile.se/pub/mandos. Using an ftp client it says:
"mget mandos_1.6.2.orig.tar.gz: server said: Failed to open file."
On 10/24/2013 03:17 PM, Teddy Hogeborn wrote:
> Version 1.6.2 of Mandos is released. This is a bug fix release, fixing
> some very important bugs - some introduced by the recently released
> version 1.6.1, but also at least one annoying long-standing bug.
>
> SEMI-IMPORTANT NOTE: The default key generation parameters have changed
> again in this release. (In fact, the keys generated by mandos-keygen
> version 1.6.1 *never worked*.) Also, going forward, this new default
> key type will presumably cause *much* less trouble with GnuTLS as it has
> done many times in the past.
>
> THEREFORE, *after* upgrading to Mandos 1.6.2, we encourage *everyone* to
> upgrade their clients' keys to the new default type. This can be done
> with six commands on the client, as the root user, (assuming a working
> and responsive Mandos server):
>
> # 0. Step zero - become root, using whatever method you prefer
> sudo su
> # 1. Create a temporary file for the old password.
> passfile="`mktemp -t mandos-change-keytype-key.XXXXXXXXXX`"
> # 2. Save the old password in the temporary file
> /usr/lib/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt > "$passfile"
> # 3. Generate a new replacement key
> mandos-keygen --force
> # 4. Generate a new config file snippet, for the server's clients.conf
> mandos-keygen --passfile "$passfile"
> # 5. Remove the password file
> shred --remove "$passfile"
> # 6. Regenerate the initramfs images
> update-initramfs -k all -u
>
> 7. Copy and paste the output from step 4 into the
> /etc/mandos/clients.conf file on the Mandos server - what you want to
> do is replace the old "fingerprint" and "secret" settings for the
> client with the newly generated ones.
>
> 8. Restart the Mandos server to detect the new client fingerprints and
> secrets:
>
> service mandos restart
>
> That's it. Enjoy the new Mandos release!
>
> NEWS file excerpt:
>
> Version 1.6.2 (2013-10-24)
> * Server
> ** PID file moved from /var/run to /run.
> ** Bug fix: Handle long secrets when saving client state.
> ** Bug fix: Use more magic in the GnuTLS priority string to handle
>    both old DSA/ELG 2048-bit keys and new RSA/RSA 4096-bit keys.
> * Client
> ** mandos-keygen: Bug fix: now generate RSA keys which GnuTLS can use.
>                   Bug fix: Output passphrase prompts even when
>                   redirecting standard output.
>
> Debian package changes:
>
> * debian/compat: Changed to "9".
> * debian/control (Build-Depends): Changed debhelper version to (>= 9).
>   (Standards-Version): Updated to "3.9.4".
>   (DM-Upload-Allowed): Removed.
>   (mandos/Depends): Add "initscripts (>= 2.88dsf-13.3)" to be able to
>   use the "/run" directory (for mandos.pid).
> * debian/copyright (Copyright): Update year.
> * Fix "Mandos/gnutls fails to establish connection, "an algorithm that
>   is not enabled was negotiated"" fixed by upstream. (Closes: #702120)
>
> The upload would fix these Debian bugs: 702120
> The Debian package for unstable can be found on mentors.debian.net:
> - dget http://mentors.debian.net/debian/pool/main/m/mandos/mandos_1.6.2-1.dsc
>
> /Teddy Hogeborn & Björn Påhlsson
--
Nathanael d. Noblet
t 403.875.4613
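
Steps 1 to 6 of the quoted procedure as one guarded function, added here as an example (not from the announcement or the Mandos project): it refuses to run `mandos-keygen --force` unless the old password was actually retrieved, since the procedure assumes a working and responsive server. The function name, the overridable variables and the snippet output file are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not Mandos project code. Paths are the ones quoted above;
# the variable names and rotate_mandos_key are assumptions of this sketch.
MANDOS_CLIENT=${MANDOS_CLIENT:-/usr/lib/mandos/plugins.d/mandos-client}
MANDOS_KEYGEN=${MANDOS_KEYGEN:-mandos-keygen}
KEYDIR=${KEYDIR:-/etc/keys/mandos}
SHRED=${SHRED:-shred --remove}
UPDATE_INITRAMFS=${UPDATE_INITRAMFS:-update-initramfs -k all -u}

rotate_mandos_key() {
    snippet_out=$1   # file that receives the clients.conf snippet (step 4)
    passfile=$(mktemp -t mandos-change-keytype-key.XXXXXXXXXX) || return 1

    # Step 2: fetch the old password while the old key still exists.
    if ! "$MANDOS_CLIENT" --pubkey="$KEYDIR/pubkey.txt" \
            --seckey="$KEYDIR/seckey.txt" > "$passfile"; then
        echo "mandos-client failed; old key left untouched" >&2
        $SHRED "$passfile"
        return 2
    fi
    # Guard: an empty file means no password was received, so stop
    # before step 3 overwrites the only key the server knows.
    if [ ! -s "$passfile" ]; then
        echo "no password received; old key left untouched" >&2
        $SHRED "$passfile"
        return 3
    fi

    # Steps 3-4: new key, then the snippet for the server's clients.conf.
    rc=0
    "$MANDOS_KEYGEN" --force || rc=4
    if [ "$rc" -eq 0 ]; then
        "$MANDOS_KEYGEN" --passfile "$passfile" > "$snippet_out" || rc=5
    fi
    # Step 5: remove the plaintext password whether or not step 4 worked.
    $SHRED "$passfile"
    [ "$rc" -eq 0 ] || return "$rc"

    # Step 6: rebuild the initramfs images so they carry the new key.
    $UPDATE_INITRAMFS || return 6
}

# Run as root only when asked: sh rotate.sh --run /root/mandos-snippet.conf
if [ "${1:-}" = "--run" ]; then rotate_mandos_key "$2"; fi
```

Steps 7 and 8 (pasting the snippet into /etc/mandos/clients.conf and restarting the server) still happen on the Mandos server.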