Version 1.6.6 of Mandos is released

Teddy Hogeborn teddy at recompile.se
Sun Jul 13 23:53:46 CEST 2014


Version 1.6.6 of Mandos is released.  It is a minor release and includes
some bug fixes and a few new features.

Version 1.6.6 (2014-07-13)
* Client
** If client host has an SSH server, "mandos-keygen --password" now
   outputs "checker" option which uses "ssh-keyscan"; this is more
   secure than the default "fping" checker.
** Bug fix: allow "." in network hook names, to match documentation.
** Better error messages.
* Server
** New --no-zeroconf option.
** Bug fix: Fix --servicename option, broken since 1.6.4.
** Bug fix: Fix --socket option to work for --socket=0.

Debian package changes (for this release):

  * debian/mandos.postinst: Fix typo in comment.
  * debian/control (mandos/Recommends): Changed to "ssh-client | fping".
    (mandos-client/Recommends): New; set to "ssh".

Debian package changes (since 1.6.5-1):

  * debian/control (mandos-client/Depends): Add "dpkg-dev (>=1.16.0)";
    initramfs-tools-hook runs "dpkg-architecture -qDEB_HOST_MULTIARCH".
    (Closes: #750221)
  * debian/rules (override_dh_auto_test-arch): New; does nothing.  Fixes
    FTBFS for build-indep.

As noted above, there is a new feature, turned on by default, in
"mandos-keygen" when using "--password" or "--passfile" for generating
new passwords (*not* keys) and outputting a client section for inclusion
into clients.conf on the Mandos server.  The new feature, if not
disabled, checks to see if the client has an SSH server, and if it has
one, outputs a config setting to use a "checker" which uses "ssh-keyscan"
to verify the key on the client (while the default checker uses "fping"
to simply ping the client).  This will only affect new clients, and will
not require any change to any existing clients.

How to update existing clients:

To take advantage of this new feature for existing clients, simply log
in to the clients, and run this command (after upgrading to 1.6.6):

# mandos-keygen --passfile /dev/null|grep '^checker\|^ssh_fingerprint'

Take the generated output, if any, and append it to the client's section
in /etc/mandos/clients.conf on the Mandos server.  Repeat this for all
clients which have SSH servers which are reachable by the Mandos server.

(No link to package on mentors.debian.net is provided, since Teddy is
now a Debian Maintainer, and has uploaded the package directly to Debian
unstable.)

/Teddy Hogeborn & Björn Påhlsson

-- 
The Mandos Project
http://www.recompile.se/mandos
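
The append step from "How to update existing clients" can be scripted on the Mandos server. The following is an added example, not part of the original announcement or of Mandos itself. It assumes clients.conf uses INI-style "[client name]" section headers; the function name add_client_options and the file names in the usage comment are hypothetical. It also drops any older "checker" or "ssh_fingerprint" line in that section, which is a choice of this example so the script can be re-run safely.

```shell
#!/bin/sh
# add_client_options CONF SECTION SNIPPET
# Prints CONF to stdout with the lines of SNIPPET (the output captured from
# the mandos-keygen | grep command on the client) placed at the end of
# [SECTION]. Other sections are passed through untouched.
# Returns 1 if [SECTION] does not exist, so a mistyped client name is caught.
add_client_options() {
    awk -v want="[$2]" -v snippet="$3" '
        function emit_snippet(   line) {
            while ((getline line < snippet) > 0) print line
            close(snippet)
            done = 1
        }
        # Blank lines are held back so the new options land directly under
        # the existing ones, before the gap that separates sections.
        function emit_blanks() { while (blanks > 0) { print ""; blanks-- } }

        /^[ \t]*$/ { blanks++; skipping = 0; next }

        /^\[.*\]$/ {                       # a section header
            if (inside && !done) emit_snippet()
            inside = ($0 == want)
            if (inside) found = 1
        }

        # Drop older values of the two options in the target section,
        # including indented continuation lines that belong to them.
        inside && /^(checker|ssh_fingerprint)[ \t]*[=:]/ { skipping = 1; next }
        skipping && /^[ \t]/ { next }

        { skipping = 0; emit_blanks(); print }

        END {
            if (inside && !done) emit_snippet()   # target was the last section
            emit_blanks()
            exit (found ? 0 : 1)
        }
    ' "$1"
}

# Usage (hypothetical file names); review the result before installing it:
#   add_client_options /etc/mandos/clients.conf foo foo-checker.txt > clients.conf.new
#   diff -u /etc/mandos/clients.conf clients.conf.new
```

Writing to a new file and diffing it first keeps the live clients.conf, which holds the clients' secrets, from being left half-edited if the section name is wrong.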