From teddy at recompile.se Mon Jul 8 14:44:42 2019
From: teddy at recompile.se (Teddy Hogeborn)
Date: Mon, 08 Jul 2019 14:44:42 +0200
Subject: Debian 10 "buster" packages available
Message-ID: <874l3wr8zp.fsf@recompile.se>

Mandos packages for Debian 10 "buster" are now available here (as also
documented on the web page):

  deb https://ftp.recompile.se/pub/mandos/debian buster-backports main
  deb-src https://ftp.recompile.se/pub/mandos/debian buster-backports main

Note that, as previously announced, Mandos clients or servers on Debian
10 "buster" *can not* communicate with Mandos clients or servers on
Debian 9 "stretch" or earlier, *even if* the version of Mandos is the
same!  This is due to a change in the GnuTLS library version 3.6.0,
which removed support for OpenPGP keys as TLS session keys, to GnuTLS
3.6.6, which added support for raw public keys.  Since it is not
possible to have both GnuTLS versions installed at the same time, there
is regrettably nothing we can do about this.

This is also the reason for Mandos packages not being available in
Debian stable - GnuTLS 3.6.6 was added to Debian so close to the freeze
that the Mandos packages were not done in time.  (We asked for an
exception, but no exception was made.)

Users of Debian unstable and testing will continue to get updates as
normal, and we fully expect Mandos to again be a part of Debian stable
when Debian 11 is released.

We encourage current users of Debian stable/buster to add the above
lines to their /etc/apt/sources.list file (and, if they have not
already done so, to follow the instructions on the web page on how to
add the Mandos repository key to Apt).

/Teddy Hogeborn
-- 
The Mandos Project
https://www.recompile.se/mandos


From teddy at recompile.se Sat Jul 27 12:20:02 2019
From: teddy at recompile.se (Teddy Hogeborn)
Date: Sat, 27 Jul 2019 12:20:02 +0200
Subject: Mandos on Fedora/RHEL
In-Reply-To: <75058487.4.1554127381403@ox.logtenberg.eu> (Erik Logtenberg's message of "Mon, 1 Apr 2019 16:03:00 +0200 (CEST)")
References: <5xkre0fi6uhs8nmgclfhy1w1.1383657860847@email.android.com> <87wqkma6b4.fsf@tower.recompile.se> <527A773C.9090707@gnat.ca> <87ob5wywce.fsf@tower.recompile.se> <527D0C1B.5090300@gnat.ca> <75058487.4.1554127381403@ox.logtenberg.eu>
Message-ID: <87a7czsrsd.fsf@recompile.se>

Erik Logtenberg writes:

> At this moment it seems that Fedora / Redhat based systems are still
> not yet actively supported by Mandos and/or vice versa.  I see no
> mandos packages in Fedora koji and no Fedora documentation on the
> mandos website.  Have these POCs ever been finished?  I think it would
> still have amazing benefit for Fedora / Redhat to have mandos work
> seamlessly in those environments.

FYI: I have just made a commit to the trunk branch which adds dracut
support in Debian.  I might make a new release including this code
soon.

/Teddy Hogeborn
-- 
The Mandos Project
https://www.recompile.se/mandos


From teddy at recompile.se Sat Jul 27 13:03:25 2019
From: teddy at recompile.se (Teddy Hogeborn)
Date: Sat, 27 Jul 2019 13:03:25 +0200
Subject: systemd password agent
In-Reply-To: <48e7d91c6ffe74fa85b499564f6b357cec358c81.camel@kci.net> (Jesse Norell's message of "Thu, 25 Apr 2019 11:30:49 -0600")
References: <48e7d91c6ffe74fa85b499564f6b357cec358c81.camel@kci.net>
Message-ID: <87sgqrloxu.fsf@recompile.se>

jesse at kci.net (Jesse Norell) writes:

> I am trying/wanting to use mandos to decrypt a second disk on a
> stretch system with systemd, and quickly find that keyscript is not
> supported in /etc/crypttab.  It seems the correct way to address this
> is to write a password agent for systemd, and I am curious of the
> status of that both as officially supported by the mandos project, and
> if anyone has any working examples they could share.
>
> I came across the 'Mandos on Fedora/RHEL' thread from 2013 where
> Nathanael Noblet mentioned having a proof of concept password agent to
> get started, but in some quick searching I don't see a mandos package
> in RHEL to consult, and I don't see any signs of mandos-agent in the
> mandos source; my guess is I am now fully up to speed on systemd
> support for secondary disks. :)
>
> I'd be glad for any further insights/pointers/etc.

I have just made a commit to trunk which adds support for dracut(8),
and this includes adding a Password Agent program:
password-agent(8mandos).

One complication for your use case might be that "password-agent" does
not currently distinguish between password questions; it simply runs
mandos-client (configurable), and when a password is received, this
password is sent to all currently active password questions, and the
agent then exits.  This may or may not work for your situation; I guess
you will have to experiment.

/Teddy Hogeborn
-- 
The Mandos Project
https://www.recompile.se/mandos


From teddy at recompile.se Tue Jul 30 21:22:26 2019
From: teddy at recompile.se (Teddy Hogeborn)
Date: Tue, 30 Jul 2019 21:22:26 +0200
Subject: Version 1.8.5 of Mandos is released
Message-ID: <875znjtjil.fsf@recompile.se>

Mandos 1.8.5 is released.  It contains one major long-awaited new
feature (dracut(8) support) and a few minor-ish bug fixes.  It is still
only a minor version number increase, because the new feature does not
impact any old code or existing users.

Thanks to Juan Miguel Alcarria Herrera for reporting the bug about the
server failing restarts when using the "port" option, and thanks again
to Peter Palfrader for reporting the bug about the server leaving
zombie processes.

The support for dracut(8) has been long in coming.  The first prototype
code for this feature was written during DebConf 15 in 2015, very close
to four years ago.  The delay was due to the systemd "Password Agents"
mechanism being difficult to implement correctly; easy to prototype,
but hard to implement correctly according to strict specifications.  So
the feature was shelved until May of this year, when we came up with a
design which worked, and now, two months later, it is done.

Version 1.8.5 (2019-07-30)
* Client
** Support dracut(8) as well as initramfs-tools(7).
** Minor bug fix: Allow the mandos-keygen --passfile option to use
   passfiles with names starting with "-".
** Document known limitation of mandos-keygen --password; it strips
   white space from start and end of the password.
* Server
** Bug fix: The server used to fail to restart if the "port" setting
   was used.  This has been fixed.
** Minor bug fix: Reap zombies left over from checker runs.
   (Debian bug #933387)

Debian package changes:
* debian/mandos-client.README.Debian: Use new-style interface name.
* debian/tests/control: New file; implements autopkgtest support.
* debian/mandos-client.lintian-overrides (manpage-has-errors-from-man):
  Remove; unnecessary.
* debian/mandos.lintian-overrides
  (init.d-script-needs-depends-on-lsb-base): - '' -
* debian/mandos-client.postinst (update_initramfs): Upstream now
  supports dracut(8), so update commands here to run the correct
  command to update initramfs.
* debian/control (Build-Depends): Add GLib -dev package.
  (mandos-client/Depends): Add dracut(8) as an alternative dependency
  to initramfs-tools.
  (mandos-client/Conflicts): New; set to "dracut-config-generic".
  (debian/mandos-client.README.Debian): Update for dracut(8) support.
* debian/mandos-client.templates: Reflowed by debconf-gettextize(1).
* debian/mandos.templates: - '' -
* debian/po/POTFILES.in: New.
* debian/po/templates.pot: - '' -
* debian/source/lintian-overrides: New.
* debian/control (Standards-Version): Update to "4.4.0".

/Teddy Hogeborn & Björn Påhlsson
-- 
The Mandos Project
https://www.recompile.se/mandos
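The two messages above ("systemd password agent" and the 1.8.5 release note) describe what password-agent(8mandos) does without showing the protocol it speaks. The following is an added illustration, not code from Mandos (the project's own agent is a C program with stricter handling than this sketch): a minimal systemd password agent in Python that does what the reply describes, reading every active question and sending one password to all of them. It assumes the documented systemd password-agent conventions: question files named ask.* in /run/systemd/ask-password/ with a single [Ask] section (PID, Socket, Message, Id, NotAfter in microseconds of CLOCK_MONOTONIC), and an answer sent as a datagram on the AF_UNIX socket named in Socket, "+" followed by the password, or "-" to cancel. The ask file, the socket, the password and the directory are constructed inside the example so it runs offline without systemd; the mandos-client invocation that would actually fetch the password is left out.

```python
import configparser
import os
import socket
import tempfile
import time
from pathlib import Path

# Constructed sample of an "ask.*" file in the format systemd writes to
# /run/systemd/ask-password/ (assumption: one [Ask] section; NotAfter is in
# microseconds of CLOCK_MONOTONIC, 0 meaning no deadline).  PID and Socket are
# filled in at run time so the example is self-contained.
SAMPLE_ASK_TEMPLATE = """[Ask]
PID={pid}
Socket={socket}
AcceptCached=0
Echo=0
NotAfter=0
Message=Please enter passphrase for disk sda3_crypt:
Id=cryptsetup:/dev/sda3
"""


def parse_ask_file(path):
    """Return the [Ask] section of one ask.* file as a dict, or None if unusable."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read(path)          # a file that vanished meanwhile simply yields no sections
    if not cp.has_section("Ask"):
        return None
    ask = dict(cp["Ask"])  # configparser lower-cases the option names
    return ask if "socket" in ask else None


def is_live(ask, now_usec=None):
    """Reject stale questions: asking process gone, or NotAfter deadline passed."""
    pid = int(ask.get("pid", "0"))
    if pid > 0:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            return False
        except PermissionError:
            pass   # process exists but belongs to another user
    not_after = int(ask.get("notafter", "0"))
    if now_usec is None:
        now_usec = time.monotonic_ns() // 1000
    return not (not_after and now_usec >= not_after)


def send_answer(socket_path, password=None):
    """Reply over the AF_UNIX datagram socket: b'+' + password, or b'-' to cancel."""
    msg = b"+" + password if password is not None else b"-"
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(msg, socket_path)
    return msg


def answer_all(ask_dir, password):
    """The behaviour described in the reply: one password to every live question."""
    answered = []
    for ask_path in sorted(Path(ask_dir).glob("ask.*")):
        ask = parse_ask_file(ask_path)
        if ask is None or not is_live(ask):
            continue
        try:
            send_answer(ask["socket"], password)
        except OSError:
            continue   # socket went away between the scan and the reply
        answered.append(ask.get("id", ""))
    return answered


def demo(password=b"correct horse battery staple"):
    """Play the asking side (what systemd-ask-password would do), then run the agent."""
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "sck")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as asker:
            asker.bind(sock_path)
            asker.settimeout(2)
            Path(tmp, "ask.demo").write_text(
                SAMPLE_ASK_TEMPLATE.format(pid=os.getpid(), socket=sock_path))
            answered = answer_all(tmp, password)
            reply = asker.recv(4096)
    return answered, reply


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the sketch. Because the agent answers every live question with the same secret, a second unrelated prompt (another encrypted volume, or a prompt with a different Id) would receive the disk passphrase too; an agent that wants to be selective has to filter on the Id field before replying. And the reply socket in /run/systemd/ask-password/ is only writable by root, so a real agent runs as root in the initramfs, which is why the PID and NotAfter checks matter: they keep the agent from spraying a passphrase at stale files left by a prompt that already finished.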