Version 1.8.0 of Mandos is released

Teddy Hogeborn teddy at recompile.se
Sun Feb 10 06:37:28 CET 2019


Mandos 1.8.0 is released.  As some of you may know, GnuTLS dropped
support for OpenPGP keys (RFC 6091) in version 3.6.  But in version
3.6.6, GnuTLS added support for using raw public keys (RFC 7250)
instead, so this release of Mandos adds support for that.  Thanks to Tom
Vrancken <email at tomvrancken.nl> for implementing this in GnuTLS!

There are, however, a few unavoidable factors with not using OpenPGP
keys:

* There now must be *two* keys for each client, one OpenPGP key (for
  decrypting the password) and a TLS public/private key pair for use in
  the TLS session.

* The fingerprint of the OpenPGP key can no longer identify a client,
  since the OpenPGP key is no longer visible in the TLS handshake.
  Therefore the key ID of the TLS public key is used instead.

Therefore, in this release, all clients now have a new option in
/etc/mandos/clients.conf: "key_id".  To find out the key ID of a client,
run "mandos-keygen -F/dev/null|grep ^key_id" on the client, *after*
installing Mandos client 1.8.0.  This key_id option must be added to the
clients.conf file on the Mandos server, beside the fingerprint option.
This must be done for all clients.

The key_id and fingerprint options of a client in the clients.conf file
will look something like this:

[foo]
key_id = F33FCBED11ED5E03073F6A55B86FFE92AF0E24C045FB6E3B40547B3DC0C030ED
fingerprint = 3E393AEAEFB84C7E89E2F547B3A107558FCA3A27

Note that the "secret" option can remain unchanged, since the OpenPGP
keys will not change.  The same goes for all other options; only the
"key_id" option needs to be added.

The Mandos server detects, on startup, what version of GnuTLS is
present, and will happily keep using OpenPGP keys while a sufficiently
old version of GnuTLS is present.  But it cannot then use the new raw
public key IDs to identify clients.  If instead GnuTLS 3.6.6 is detected
on startup, raw public keys must be used, and passwords will only be
given out to clients which both themselves use raw public keys and also
have a key_id configured in the clients.conf file.

The Mandos client determines at compile time what version of GnuTLS is
present, and the program binary will be hard-coded to use that version,
and either OpenPGP keys or raw public keys, whichever is available.

So, if you have some servers with GnuTLS < 3.6 and some servers with
GnuTLS 3.6.6, you must run two Mandos servers, one using old GnuTLS with
OpenPGP keys in TLS, and one other server for the modern GnuTLS using
raw public key IDs.

Version 1.8.0 (2019-02-10)
* Client
** Use new TLS keys for server communication and identification.
   With GnuTLS 3.6 or later, OpenPGP keys are no longer supported.
   The client can now use the new "raw public keys" (RFC 7250) API
   instead, using GnuTLS 3.6.6.  Please note: This *requires* new key
   IDs to be added to the server's clients.conf file.
** New --tls-privkey and --tls-pubkey options to load TLS key files.
   If GnuTLS is too old, these options do nothing.
* Server
** Supports either old or new GnuTLS.
   The server now supports using GnuTLS 3.6.6 and clients connecting
   with "raw public keys" as identification.  The server will read
   both fingerprints and key IDs from clients.conf file, and will use
   either one or the other, depending on what is supported by GnuTLS
   on the system.  Please note: both are *not* supported at once; if
   one type is supported by GnuTLS, all values of the other type from
   clients.conf are ignored.

Debian package changes:

* debian/control (Standards-Version): Update to "4.3.0".
  (Package: mandos-client/Depends): Change from "cryptsetup" to
  "cryptsetup (<< 2:2.0.3-1) | cryptsetup-initramfs".  Add "debconf (>=
  1.5.5) | debconf-2.0".
  (Source: mandos/Build-Depends): Also allow libgnutls30 (>= 3.6.6).
  (Package: mandos/Depends): - '' - and add "debconf (>= 1.5.5) |
  debconf-2.0".
  (Package: mandos/Description): Alter description to match new design.
  (Package: mandos-client/Description): - '' -
  (Package: mandos-client/Depends): Move "gnutls-bin | openssl" to here
  from "Recommends".
* debian/mandos-client.README.Debian: Add --tls-privkey and --tls-pubkey
  options to test command.
* debian/mandos-client.postinst (create_key): Renamed to "create_keys"
  - all callers changed - and also create TLS key files.  Show notice if
  new TLS key files were created.
* debian/mandos-client.postrm (purge): Also remove TLS key files.
* debian/mandos-client.lintian-overrides: Override warnings.
* debian/mandos-client.templates: New.
* debian/mandos.lintian-overrides: Override warnings.
* debian/mandos.postinst (configure): If GnuTLS 3.6.6 or later is
  detected, show an important notice (once) about the new key_id option
  required in clients.conf.
* debian/mandos.templates: New.
* debian/copyright: Update copyright year to 2019.

/Teddy Hogeborn & Björn Påhlsson

-- 
The Mandos Project
https://www.recompile.se/mandos
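
The announcement above says that once GnuTLS 3.6.6 is in use, a client gets its password only if it has a key_id in clients.conf. The following is an added example, not part of the original message or of Mandos itself: a pre-upgrade audit that lists the clients whose key_id or fingerprint is missing or malformed. The sample file is constructed (only the "foo" values come from the announcement), and the expected lengths of 64 and 40 hex digits are an assumption taken from those example values.

```python
import configparser
import re

# Constructed sample: "foo" is the announcement's example; the rest is made up.
SAMPLE_CLIENTS_CONF = """\
[DEFAULT]
timeout = PT5M

[foo]
key_id = F33FCBED11ED5E03073F6A55B86FFE92AF0E24C045FB6E3B40547B3DC0C030ED
fingerprint = 3E393AEAEFB84C7E89E2F547B3A107558FCA3A27

[bar]
fingerprint = 0123456789ABCDEF0123456789ABCDEF01234567

[baz]
key_id = F33F CBED not-hex
fingerprint = 89ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

# Assumption: lengths inferred from the example values in the announcement.
EXPECTED_HEX_DIGITS = {"key_id": 64, "fingerprint": 40}


def normalise(value):
    """Drop whitespace and upper-case, so spacing and case do not matter."""
    return re.sub(r"\s+", "", value).upper()


def audit_clients(conf_text):
    """Return {client: [problems]} for every client that needs attention."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = {}
    for client in parser.sections():  # sections() does not include [DEFAULT]
        problems = []
        for option, digits in EXPECTED_HEX_DIGITS.items():
            raw = parser.get(client, option, fallback=None)
            if raw is None:
                problems.append(f"{option} missing")
            elif not re.fullmatch(rf"[0-9A-F]{{{digits}}}", normalise(raw)):
                problems.append(f"{option} is not {digits} hex digits")
        if problems:
            findings[client] = problems
    return findings


if __name__ == "__main__":
    for client, problems in audit_clients(SAMPLE_CLIENTS_CONF).items():
        print(f"{client}: {', '.join(problems)}")
```

To audit a real server, pass the contents of /etc/mandos/clients.conf to `audit_clients` instead of the sample string.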