Mandos 1.8.9 migration from 1.7.19 issues

Teddy Hogeborn teddy at recompile.se
Wed Apr 12 19:10:21 CEST 2023


Alan Ho <alan.ho at visier.com> writes:

> We have been a big fan of Mandos and have been deploying the service
> on many Ubuntu machines within our corporate network. (So that people
> cannot steal a physical desktop from the office and expect it to boot up
> elsewhere.)
>
> Currently, we are migrating from Ubuntu 18.04 to 20.04.

In other words, you upgraded from Mandos 1.7.19-1 (2018-02-22) to Mandos
1.8.9-2 (2019-09-04).

> When we upgraded Mandos, we found that the new mandos-client (1.8.9)
> now requires --tls-privkey and --tls-pubkey.
>
> 1. When I manually test the command from client machine to request the
>    disk decryption key from the mandos server, it is successful IF I
>    specify the path of the tls key pair

Yes; a complete example command is documented in
/usr/share/doc/mandos-client/README.Debian.gz

> sudo /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client \
> --pubkey=/etc/keys/mandos/pubkey.txt \
> --seckey=/etc/keys/mandos/seckey.txt \
> --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem \
> --tls-privkey=/etc/keys/mandos/tls-pubkey.pem \
> --debug

I assume that you meant "tls-privkey.pem" on that last line, and not
"tls-pubkey.pem"?

> 2. However, it appeared that once we rebooted the desktop with new
>    mandos 1.8.9, it failed to boot and it got stuck in the stage where
>    it is expecting a password from the mandos server.  I am wondering
>    if the new tls-pubkey.pem and tls-pubkey.pem keypair in
>    /etc/keys/mandos/ were not found during the new startup process. My
>    hunch is this needs to be specified in the initramfs but
>    unfortunately there is very little migration documentation for this
>    topic, so I hope I have come to the right place for some insights on how
>    to proceed next.

This is unlikely to be the source of the problem, since the new --tls-*
options should be superfluous in the initramfs; the new tls-pubkey.pem
and tls-privkey.pem files are *automatically* used if present and
installed in the initramfs, which in turn should have been done by the
package installation.  (If you want to check, you could use the
"initramfs-unpack" script from the Mandos source distribution to unpack
the initramfs file in order to inspect the exact contents of the
/conf/conf.d/mandos directory in the unpacked initramfs, where both
tls-*.pem files should be present.)

What does the server log say when the client tries to retrieve the
password, i.e. when running mandos-monitor, perhaps in verbose mode
(toggled using the "v" key)?

If you need to debug the boot process (using initramfs-tools or dracut
with sysvinit), uncomment the last line in the file
/etc/mandos/plugin-runner.conf and rebuild the initramfs using the
command "update-initramfs -k all -u".

(If you are using dracut with systemd instead of initramfs-tools, and
using Mandos 1.8.9 or older, in order to add debugging flags you need to
edit the file /lib/dracut/modules.d/90mandos/ask-password-mandos.service
and rebuild the initramfs using "dpkg-reconfigure dracut".  A less ugly
way to add flags to mandos-client was implemented in Mandos 1.8.10, but
I assume that you are using Mandos 1.8.9.)

/Teddy Hogeborn

-- 
The Mandos Project
https://www.recompile.se/mandos
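The check Teddy suggests (confirm that both tls-*.pem files made it into conf/conf.d/mandos inside the initramfs) can be scripted. This is an added example, not part of the thread or of the Mandos project; it uses initramfs-tools' lsinitramfs(8) as a stand-in for the Mandos initramfs-unpack script, and the listing fed to the test is constructed.

```shell
#!/bin/sh
# Added example: verify that a Debian/Ubuntu initramfs carries the Mandos
# TLS key pair that mandos-client 1.8.x picks up automatically at boot.
# Directory and file names follow the reply above (conf/conf.d/mandos).
# Assumes lsinitramfs from initramfs-tools for the check of a real image.

MANDOS_INITRAMFS_DIR="conf/conf.d/mandos"
MANDOS_TLS_FILES="tls-pubkey.pem tls-privkey.pem"

# Read an initramfs listing on stdin (one path per line, as lsinitramfs
# prints it) and print each required Mandos TLS file that is absent.
# Returns 0 when both files are present, 1 when at least one is missing.
mandos_tls_missing() {
    listing=$(cat)
    rc=0
    for f in $MANDOS_TLS_FILES; do
        # lsinitramfs prints paths without a leading slash; accept both forms.
        if ! printf '%s\n' "$listing" | grep -qx "/\{0,1\}$MANDOS_INITRAMFS_DIR/$f"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Run the check against a real image, e.g. /boot/initrd.img-$(uname -r).
check_initramfs() {
    img=$1
    if missing=$(lsinitramfs "$img" | mandos_tls_missing); then
        echo "$img: Mandos TLS key pair present in $MANDOS_INITRAMFS_DIR"
    else
        echo "$img: missing from $MANDOS_INITRAMFS_DIR: $(echo "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
}

# Usage: ./check-mandos-initramfs.sh --all   (checks every installed initramfs)
if [ "$1" = "--all" ]; then
    for img in /boot/initrd.img-*; do
        check_initramfs "$img"
    done
fi
```

If a file is reported missing even though it exists under /etc/keys/mandos, rebuilding with "update-initramfs -k all -u" as described above is the first thing to try.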