Mandos 1.8.9 migration from 1.7.19 issues

Alan Ho alan.ho at visier.com
Tue Apr 18 19:37:49 CEST 2023


Hi Teddy,

Thank you for the response. We found out about this bug on 20.04 ->
https://bugs.launchpad.net/ubuntu/+source/mandos/+bug/1931287
Presently, we are following the patch from this user's suggestion:
```

ubuntu 20.04 uses version 1.8.9.
Any plans to backport this fix?

Looks like it should be easy:

- setsid /lib/mandos/mandos-to-cryptroot-unlock &
+ # Use setsid if available
+ if command -v setsid >/dev/null 2>&1; then
+ setsid /lib/mandos/mandos-to-cryptroot-unlock &
+ else
+ /lib/mandos/mandos-to-cryptroot-unlock &
+ fi

```
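Review bot: the `else` branch silently gives up the new-session semantics that the original `setsid /lib/mandos/mandos-to-cryptroot-unlock &` line relied on, so on an initramfs without setsid the unlock helper is simply started in the caller's session with no indication that anything changed; rather than degrade quietly, either make the initramfs hook copy setsid into the image (which this hunk does not touch) or at least emit a warning in the `else` branch before falling back to the plain `/lib/mandos/mandos-to-cryptroot-unlock &`. Separately, the hunk as pasted carries no file header or `@@` line and its indentation has been flattened, so it cannot be applied with patch(1) as shown; state which script it targets.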
Thank you,




On Wed, Apr 12, 2023 at 10:10 AM Teddy Hogeborn <teddy at recompile.se> wrote:

> Alan Ho <alan.ho at visier.com> writes:
>
> > We have been a big fan of Mandos and have been deploying the service
> > on many Ubuntu machines within our corporate network.(So that people
> > cannot steal physical desktop from the office and expect it to boot up
> > elsewhere)
> >
> > Currently, we are migrating from Ubuntu 18.04 to 20.04.
>
> In other words, you upgraded from Mandos 1.7.19-1 (2018-02-22) to Mandos
> 1.8.9-2 (2019-09-04).
>
> > When we upgraded Mandos, we found that the new mandos-client ( 1.8.9)
> > now requires --tls-privkey and --tls-pubkey.
> >
> > 1. When I manually test the command from client machine to request the
> >    disk decryption key from the mandos server, it is successful IF I
> >    specify the path of the tls key pair
>
> Yes; a complete example command is documented in
> /usr/share/doc/mandos-client/README.Debian.gz
>
> > sudo /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client \
> > --pubkey=/etc/keys/mandos/pubkey.txt \
> > --seckey=/etc/keys/mandos/seckey.txt \
> > --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem \
> > --tls-privkey=/etc/keys/mandos/tls-pubkey.pem \
> > --debug
>
> I assume that you meant "tls-privkey.pem" on that last line, and not
> "tls-pubkey.pem"?
>
> > 2. However, it appeared that once we rebooted the desktop with new
> >    mandos 1.8.9, it failed to boot and it got stuck in the stage where
> >    it is expecting a password from the mandos server.  I am wondering
> >    if the new tls-pubkey.pem and tls-pubkey.pem keypair in
> >    /etc/keys/mandos/ were not found during the new startup process. My
> >    hunch is this needs to be specified in the initramfs but
> >    unfortunately there is very little migration documentation for this
> >    topic so I hope I come to the right place for some insights on how
> >    to proceed next.
>
> This is unlikely to be the source of the problem, since the new --tls-*
> options should be superfluous in the initramfs; the new tls-pubkey.pem
> and tls-privkey.pem files are *automatically* used if present and
> installed in the initramfs, which in turn should have been done by the
> package installation.  (If you want to check, you could use the
> "initramfs-unpack" script from the Mandos source distribution to unpack
> the initramfs file in order to inspect the exact contents of the
> /conf/conf.d/mandos directory in the unpacked initramfs, where both
> tls-*.pem files should be present.)
>
> What does the server log say when the client tries to retrieve the
> password, i.e. when running mandos-monitor, perhaps in verbose mode
> (toggled using the "v" key)?
>
> If you need to debug the boot process (using initramfs-tools or dracut
> with sysvinit), uncomment the last line in the file
> /etc/mandos/plugin-runner.conf and rebuild the initramfs using the
> command "update-initramfs -k all -u".
>
> (If you are using dracut with systemd instead of initramfs-tools, and
> using Mandos 1.8.9 or older, in order to add debugging flags you need to
> edit the file /lib/dracut/modules.d/90mandos/ask-password-mandos.service
> and rebuild the initramfs using "dpkg-reconfigure dracut".  A less ugly
> way to add flags to mandos-client was implemented in Mandos 1.8.10, but
> I assume that you are using Mandos 1.8.9.)
>
> /Teddy Hogeborn
>
> --
> The Mandos Project
> https://www.recompile.se/mandos
>


-- 
*Alan Ho* | he/him/his | Sr. IT Ops Engineer
office: 604-753-8842
toll-free: 1-888-277-9331
alan.ho at visier.com
www.visier.com
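Teddy's reply above suggests unpacking the initramfs and checking that both tls-*.pem files are present under /conf/conf.d/mandos, and the Launchpad patch Alan quotes works around setsid being absent from the image. The script below is an added example, not code from the Mandos project or from either poster: it checks an initramfs-tools image for exactly those files before a reboot. It assumes lsinitramfs(8) is available, that the key material sits under conf/conf.d/mandos/ inside the image (as described in the reply), and that setsid, when present, lives in bin, sbin, usr/bin or usr/sbin; the sample listings are constructed for a stand-alone run and are not from a real image.

```shell
#!/bin/sh
# Added example, not part of the Mandos project or of this thread: check an
# initramfs for the files mandos-client needs at boot before rebooting into it.
# Assumed layout (from the reply, not verified against any image here): keys
# under conf/conf.d/mandos/; setsid under bin, sbin, usr/bin or usr/sbin.

# Files that must be inside the image. Missing tls-*.pem is what the thread
# suspects; missing setsid is what the quoted Launchpad patch works around.
MANDOS_REQUIRED_FILES="conf/conf.d/mandos/pubkey.txt
conf/conf.d/mandos/seckey.txt
conf/conf.d/mandos/tls-pubkey.pem
conf/conf.d/mandos/tls-privkey.pem"

# listing_has LISTING PATH: succeed if PATH is a member of LISTING, a
# newline-separated list of image members with or without a "./" or "/" prefix
# (lsinitramfs prints plain relative paths; cpio listings may carry "./").
listing_has() {
    printf '%s\n' "$1" | grep -Fxq -e "$2" -e "./$2" -e "/$2"
}

# has_setsid_in_listing LISTING: succeed if any usual setsid location is present.
has_setsid_in_listing() {
    for d in bin sbin usr/bin usr/sbin; do
        listing_has "$1" "$d/setsid" && return 0
    done
    return 1
}

# check_mandos_listing LISTING: report every missing item on stderr and
# return 0 only when all required files and a setsid binary are present.
check_mandos_listing() {
    listing=$1
    missing=0
    for f in $MANDOS_REQUIRED_FILES; do
        if ! listing_has "$listing" "$f"; then
            echo "missing: $f" >&2
            missing=$((missing + 1))
        fi
    done
    if ! has_setsid_in_listing "$listing"; then
        echo "missing: setsid (mandos-to-cryptroot-unlock is started via setsid)" >&2
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# check_mandos_initramfs IMAGE: run the checks against a real image, e.g.
#   check_mandos_initramfs /boot/initrd.img-$(uname -r)
check_mandos_initramfs() {
    check_mandos_listing "$(lsinitramfs "$1")"
}

# Constructed sample listings (not from a real image). The "bad" one has the
# GnuPG keys but neither the TLS pair nor setsid; the "good" one has all five.
SAMPLE_BAD_LISTING="./conf/conf.d/mandos/pubkey.txt
./conf/conf.d/mandos/seckey.txt
./usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client
./lib/mandos/mandos-to-cryptroot-unlock"

SAMPLE_GOOD_LISTING="$SAMPLE_BAD_LISTING
./conf/conf.d/mandos/tls-pubkey.pem
./conf/conf.d/mandos/tls-privkey.pem
./usr/bin/setsid"

if [ $# -gt 0 ]; then
    # Real image given on the command line.
    check_mandos_initramfs "$1"
else
    # No image: exercise the checks on the constructed listings.
    check_mandos_listing "$SAMPLE_GOOD_LISTING" && echo "sample good listing: complete"
    check_mandos_listing "$SAMPLE_BAD_LISTING" || echo "sample bad listing: incomplete, as expected"
fi
```

Run it with the path of the image that `update-initramfs -k all -u` produced; a non-zero exit means the image would still boot into the same stall, regardless of which --tls-* options are passed to mandos-client by hand. The listing-based design keeps the checks independent of the unpack tool, so the same function can be fed the output of Teddy's initramfs-unpack script (with `find . -type f`) instead of lsinitramfs.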