Mandos-client fails decode
Dick Middleton
dick at lingbrae.com
Sat Mar 5 15:15:54 CET 2016
On 03/04/16 23:17, Teddy Hogeborn wrote:
> Dick Middleton <dick at lingbrae.com> writes:
>
>>>> I'm now using mandos-client 1.7.3 on a Stretch system.
>>>>
>>>> If I test mandos-client fetching passcode it is successful.
>>>> However at boot time it consistently fails to unlock the disk. It
>>>> reports:
>>>>
>>>> bad gpme_op_decode: GPME decryption failed
>>>
>> Where is the default location for the file? Installer puts it in
>> /etc/keys/mandos/dhparams.pem ?
>>
>> It's got 600 permissions and owned by root.
> Yes. It's not actually used from there; it's copied into the initramfs
> and used from there at boot, just like the key files.
I looked at the initramfs image and the dhparams file is included. It suggests to
me that mandos-client is not picking up the dhparams file correctly.
All the mandos content is in <initramfs>/conf/conf.d/mandos.
>> But, on my desktop (amd64) it segfaults when dh-params option given:
>>
>> Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/S.gpg-agent"
>> Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/private-keys-v1.d"
>> Mandos plugin mandos-client: Unlinking
>> "private-keys-v1.d/13DBD26E0DC10CE96543319E414937C7EEC55184.key"
>> Mandos plugin mandos-client: Unlinking
>> "private-keys-v1.d/CBCE568BDECE4A0147CA114196184F834909A49E.key"
>> Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/pubring.kbx"
>> Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/pubring.kbx~"
>> Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/trustdb.gpg"
>> Floating point exception
>
> That is very strange.
Today it reports just "Segmentation fault" at the same point. If I run it
without debug it reports "illegal instruction". I look forward to tomorrow's
variation :)
> Just to be clear, the program itself doesn't do any significant floating
> point operations, and neither do any libraries it uses have any reason
> for doing so.
I think floating point might be spurious. It's just a segfault.
I've been playing about with initramfs trying to find anything not working.
This is a bit of a long shot but if I chroot into the initramfs file system
and try to run plugin-runner I get the following:
Mandos plugin mandos-client: Initializing GnuTLS
Mandos plugin mandos-client: Attempting to use OpenPGP public key
/conf/conf.d/mandos/pubkey.txt and secret key /conf/conf.d/mandos/seckey.txt
as GnuTLS credentials
I get the same if I run mandos-client directly:
Mandos plugin mandos-client: Error[-64] while reading the OpenPGP key pair
('./pubkey.txt', './seckey.txt')
Mandos plugin mandos-client: The GnuTLS error is: Error while reading file.
Mandos plugin mandos-client: init_gnutls_global failed
N.B. /proc, /sys and /dev exist in the chroot and I've added debug and
interface to plugin-runner.conf.
It can find plugin-runner and plugin-runner.conf but croaks on the keyfiles.
Both keyfiles exist and are accessible.
These all work if I'm not chrooted, which suggests there's something missing
from initramfs. What is gnu/pgp using to access these files?
Dick
--
Dick Middleton
dick at lingbrae.com