Mandos 1.8.9 migration from 1.7.19 issues
Teddy Hogeborn
teddy at recompile.se
Wed Apr 12 19:10:21 CEST 2023
Alan Ho <alan.ho at visier.com> writes:
> We have been a big fan of Mandos and have been deploying the service
> on many Ubuntu machines within our corporate network. (So that people
> cannot steal physical desktop from the office and expect it to boot up
> elsewhere)
>
> Currently, we are migrating from Ubuntu 18.04 to 20.04.
In other words, you upgraded from Mandos 1.7.19-1 (2018-02-22) to Mandos
1.8.9-2 (2019-09-04).
> When we upgraded Mandos, we found that the new mandos-client (1.8.9)
> now requires --tls-privkey and --tls-pubkey.
>
> 1. When I manually test the command from client machine to request the
> disk decryption key from the mandos server, it is successful IF I
> specify the path of the tls key pair
Yes; a complete example command is documented in
/usr/share/doc/mandos-client/README.Debian.gz
> sudo /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client \
> --pubkey=/etc/keys/mandos/pubkey.txt \
> --seckey=/etc/keys/mandos/seckey.txt \
> --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem \
> --tls-privkey=/etc/keys/mandos/tls-pubkey.pem \
> --debug
I assume that you meant "tls-privkey.pem" on that last line, and not
"tls-pubkey.pem"?
> 2. However, it appeared that once we rebooted the desktop with new
> mandos 1.8.9, it failed to boot and it got stuck in the stage where
> it is expecting a password from the mandos server. I am wondering
> if the new tls-pubkey.pem and tls-pubkey.pem keypair in
> /etc/keys/mandos/ were not found during the new startup process. My
> hunch is this needs to be specified in the initramfs but
> unfortunately there is very little migration documentation for this
> topic so I hope I come to the right place for some insights on how
> to proceed next.
This is unlikely to be the source of the problem, since the new --tls-*
options should be superfluous in the initramfs; the new tls-pubkey.pem
and tls-privkey.pem files are *automatically* used if present and
installed in the initramfs, which in turn should have been done by the
package installation. (If you want to check, you could use the
"initramfs-unpack" script from the Mandos source distribution to unpack
the initramfs file in order to inspect the exact contents of the
/conf/conf.d/mandos directory in the unpacked initramfs, where both
tls-*.pem files should be present.)
What does the server log say when the client tries to retrieve the
password, i.e. when running mandos-monitor, perhaps in verbose mode
(toggled using the "v" key)?
If you need to debug the boot process (using initramfs-tools or dracut
with sysvinit), uncomment the last line in the file
/etc/mandos/plugin-runner.conf and rebuild the initramfs using the
command "update-initramfs -k all -u".
(If you are using dracut with systemd instead of initramfs-tools, and
using Mandos 1.8.9 or older, in order to add debugging flags you need to
edit the file /lib/dracut/modules.d/90mandos/ask-password-mandos.service
and rebuild the initramfs using "dpkg-reconfigure dracut". A less ugly
way to add flags to mandos-client was implemented in Mandos 1.8.10, but
I assume that you are using Mandos 1.8.9.)
/Teddy Hogeborn
--
The Mandos Project
https://www.recompile.se/mandos
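Added example, not from this thread or the Mandos project: a small Python checker for the inspection Teddy suggests, i.e. confirming that the rebuilt initramfs actually carries conf/conf.d/mandos/tls-pubkey.pem and tls-privkey.pem. It parses the "newc" cpio format directly (early uncompressed microcode archive, zero padding, then a gzip- or xz-compressed main archive); the build_* helpers only exist to construct a test image, and the EXPECTED paths are taken from Teddy's reply.

```python
import gzip
import lzma

NEWC_MAGIC = b"070701"  # ASCII "newc" cpio header magic
# Paths the reply says must be present in the unpacked initramfs (no leading "/").
EXPECTED = ("conf/conf.d/mandos/tls-pubkey.pem",
            "conf/conf.d/mandos/tls-privkey.pem")

def _align4(n):
    return (n + 3) & ~3

def list_newc(data):
    """Yield member names of the newc cpio archive(s) in `data`: an optional
    uncompressed early cpio, zero padding, then a gzip/xz main archive."""
    pos = 0
    while pos + 110 <= len(data):
        if data[pos:pos + 6] != NEWC_MAGIC:
            if data[pos] == 0:                       # inter-archive zero padding
                pos += 1
                continue
            if data[pos:pos + 2] == b"\x1f\x8b":
                yield from list_newc(gzip.decompress(data[pos:]))
            elif data[pos:pos + 6] == b"\xfd7zXZ\x00":
                yield from list_newc(lzma.decompress(data[pos:]))
            else:  # lz4/zstd images: decompress first (e.g. unmkinitramfs)
                raise ValueError("unsupported segment at offset %d" % pos)
            return
        hdr = data[pos:pos + 110]
        filesize = int(hdr[54:62], 16)               # hex ASCII fields
        namesize = int(hdr[94:102], 16)              # includes trailing NUL
        name = data[pos + 110:pos + 110 + namesize - 1].decode()
        pos = _align4(_align4(pos + 110 + namesize) + filesize)
        if name != "TRAILER!!!":
            yield name

def check_mandos_keys(image, expected=EXPECTED):
    """Map each expected path to whether the initramfs image contains it."""
    present = {n[2:] if n.startswith("./") else n.lstrip("/") for n in list_newc(image)}
    return {path: path in present for path in expected}

def build_newc(members):
    """Constructed test input: build a newc cpio archive from {name: bytes}."""
    out = bytearray()
    for name, body in list(members.items()) + [("TRAILER!!!", b"")]:
        nb = name.encode() + b"\x00"
        fields = (0, 0o100644, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(nb), 0)
        out += NEWC_MAGIC + b"".join(b"%08X" % f for f in fields) + nb
        out += b"\x00" * (_align4(len(out)) - len(out)) + body
        out += b"\x00" * (_align4(len(out)) - len(out))
    return bytes(out)

def build_image(early, main):
    """Constructed initramfs: early cpio, zero-padded to 512 bytes, gzip main."""
    e = build_newc(early)
    return e + b"\x00" * (-len(e) % 512) + gzip.compress(build_newc(main))
```

On a real machine pass the bytes of /boot/initrd.img-$(uname -r) to check_mandos_keys; any False entry means the package hooks did not copy that key into the initramfs.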