Version 1.6.2 of Mandos is released

Nathanael D. Noblet nathanael at gnat.ca
Thu Oct 24 23:38:02 CEST 2013


Hello,

   I'm hoping the new key generation fixes my Fedora/Red Hat issues.

   I'm unable to download the new release from 
ftp://ftp.recompile.se/pub/mandos. Using an ftp client it says:

"mget mandos_1.6.2.orig.tar.gz: server said: Failed to open file."

On 10/24/2013 03:17 PM, Teddy Hogeborn wrote:
> Version 1.6.2 of Mandos is released.  This is a bug fix release, fixing
> some very important bugs - some introduced by the recently released
> version 1.6.1, but also at least one annoying long-standing bug.
>
> SEMI-IMPORTANT NOTE:  The default key generation parameters have changed
> again in this release.  (In fact, the keys generated by mandos-keygen
> version 1.6.1 *never worked*.)  Also, going forward, this new default
> key type will presumably cause *much* less trouble with GnuTLS as it has
> done many times in the past.
>
> THEREFORE, *after* upgrading to Mandos 1.6.2, we encourage *everyone* to
> upgrade their clients' keys to the new default type.  This can be done
> with six commands on the client, as the root user, (assuming a working
> and responsive Mandos server):
>
>    # 0. Step zero - become root, using whatever method you prefer
>    sudo su
>    # 1. Create a temporary file for the old password.
>    passfile="`mktemp -t mandos-change-keytype-key.XXXXXXXXXX`"
>    # 2. Save the old password in the temporary file
>    /usr/lib/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt > "$passfile"
>    # 3. Generate a new replacement key
>    mandos-keygen --force
>    # 4. Generate a new config file snippet, for the server's clients.conf
>    mandos-keygen --passfile "$passfile"
>    # 5. Remove the password file
>    shred --remove "$passfile"
>    # 6. Regenerate the initramfs images
>    update-initramfs -k all -u
>
> 7. Copy and paste the output from step 4 into the
>     /etc/mandos/clients.conf file on the Mandos server - what you want to
>     do is replace the old "fingerprint" and "secret" settings for the
>     client with the newly generated ones.
>
> 8. Restart the Mandos server to detect the new client fingerprints and
>     secrets:
>
>     service mandos restart
>
> That's it.  Enjoy the new Mandos release!
>
> NEWS file excerpt:
>
> Version 1.6.2 (2013-10-24)
> * Server
> ** PID file moved from /var/run to /run.
> ** Bug fix: Handle long secrets when saving client state.
> ** Bug fix: Use more magic in the GnuTLS priority string to handle
>     both old DSA/ELG 2048-bit keys and new RSA/RSA 4096-bit keys.
> * Client
> ** mandos-keygen: Bug fix: now generate RSA keys which GnuTLS can use.
>     		  Bug fix: Output passphrase prompts even when
>     		  redirecting standard output.
>
> Debian package changes:
>
> * debian/compat: Changed to "9".
> * debian/control (Build-Depends): Changed debhelper version to (>= 9).
>    (Standards-Version): Updated to "3.9.4".
>    (DM-Upload-Allowed): Removed.
>    (mandos/Depends): Add "initscripts (>= 2.88dsf-13.3)" to be able to
>                      use the "/run" directory (for mandos.pid).
> * debian/copyright (Copyright): Update year.
> * Fix "Mandos/gnutls fails to establish connection, "an algorithm that
>    is not enabled was negotiated"" fixed by upstream. (Closes: #702120)
>
> The upload would fix these Debian bugs: 702120
> The Debian package for unstable can be found on mentors.debian.net:
> - dget http://mentors.debian.net/debian/pool/main/m/mandos/mandos_1.6.2-1.dsc
>
> /Teddy Hogeborn & Björn Påhlsson


-- 
Nathanael d. Noblet
t 403.875.4613
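
The key-replacement steps 1-6 from the quoted announcement, as an added example that is not part of either message and is not code from the Mandos project. It stops before `mandos-keygen --force` if the server returned no password, since the old key is the only way to retrieve it, and removes the password file on every path. The function name, the `MANDOS_CLIENT`, `MANDOS_KEYGEN`, `UPDATE_INITRAMFS` and `KEYDIR` variables, and the exit codes are assumptions of this example.

```shell
#!/bin/bash
# Added example: steps 1-6 of the quoted announcement as one guarded function.
# The variables below and the exit codes are assumptions of this example, used
# so the logic can be exercised without Mandos; they are not Mandos options.
: "${MANDOS_CLIENT:=/usr/lib/mandos/plugins.d/mandos-client}"
: "${MANDOS_KEYGEN:=mandos-keygen}"
: "${UPDATE_INITRAMFS:=update-initramfs}"
: "${KEYDIR:=/etc/keys/mandos}"

replace_mandos_key() {
    local passfile rc
    rc=0
    # Step 1: temporary file for the old password (mktemp creates it mode 0600).
    passfile="$(mktemp -t mandos-change-keytype-key.XXXXXXXXXX)" || return 1

    # Step 2: fetch the old password from the server. Stop if nothing came
    # back, because step 3 overwrites the only key that can still retrieve it.
    if ! "$MANDOS_CLIENT" --pubkey="$KEYDIR/pubkey.txt" \
            --seckey="$KEYDIR/seckey.txt" > "$passfile" \
            || [ ! -s "$passfile" ]; then
        echo "no password received; old key left in place" >&2
        rc=2
    # Step 3: new key. Step 4: clients.conf snippet for the server.
    elif ! "$MANDOS_KEYGEN" --force \
            || ! "$MANDOS_KEYGEN" --passfile "$passfile"; then
        rc=3
    fi

    # Step 5: runs on every path, so the plaintext password never lingers.
    shred --remove "$passfile"

    # Step 6: rebuild the initramfs images only after a successful replacement.
    if [ "$rc" -eq 0 ]; then
        "$UPDATE_INITRAMFS" -k all -u >&2 || rc=4
    fi
    return "$rc"
}

# Run as root with: bash replace-key.sh --run
if [ "${1:-}" = "--run" ]; then
    replace_mandos_key
fi
```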

