Mandos 1.8.9 migration from 1.7.19 issues

Teddy Hogeborn teddy at recompile.se
Thu Apr 20 12:47:05 CEST 2023


Alan Ho <alan.ho at visier.com> writes:

You replied to me personally, not to the discussion list.  Is it OK for
me to copy our conversation to the list again?

> On Wed, Apr 12, 2023 at 10:10 AM Teddy Hogeborn <teddy at recompile.se> wrote:
>
> > Alan Ho <alan.ho at visier.com> writes:
> >
> > > We have been a big fan of Mandos and have been deploying the
> > > service on many Ubuntu machines within our corporate network. (So
> > > that people cannot steal physical desktop from the office and
> > > expect it to boot up elsewhere)
> > >
> > > Currently, we are migrating from Ubuntu 18.04 to 20.04.
> >
> > In other words, you upgraded from Mandos 1.7.19-1 (2018-02-22) to
> > Mandos 1.8.9-2 (2019-09-04).
> >
> > > When we upgraded Mandos, we found that the new mandos-client
> > > (1.8.9) now requires --tls-privkey and --tls-pubkey.
> > >
> > > 1. When I manually test the command from client machine to request
> > >    the disk decryption key from the mandos server, it is
> > >    successful IF I specify the path of the tls key pair
> >
> > Yes; a complete example command is documented in
> > /usr/share/doc/mandos-client/README.Debian.gz
> >
> > > sudo /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client \
> > > --pubkey=/etc/keys/mandos/pubkey.txt \
> > > --seckey=/etc/keys/mandos/seckey.txt \
> > > --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem \
> > > --tls-privkey=/etc/keys/mandos/tls-pubkey.pem \
> > > --debug
> >
> > I assume that you meant "tls-privkey.pem" on that last line, and not
> > "tls-pubkey.pem"?
> >
> > > 2. However, it appeared that once we rebooted the desktop with new
> > >    mandos 1.8.9, it failed to boot and it got stuck in the stage
> > >    where it is expecting a password from the mandos server.  I am
> > >    wondering if the new tls-pubkey.pem and tls-pubkey.pem
> > >    keypair in /etc/keys/mandos/ were not found during the new
> > >    startup process. My hunch is this needs to be specified in the
> > >    initramfs but unfortunately there is very little migration
> > >    documentation for this topic so I hope I come to the right
> > >    place for some insights on how to proceed next.
> >
> > This is unlikely to be the source of the problem, since the new
> > --tls-* options should be superfluous in the initramfs; the new
> > tls-pubkey.pem and tls-privkey.pem files are *automatically* used if
> > present and installed in the initramfs, which in turn should have
> > been done by the package installation.  (If you want to check, you
> > could use the "initramfs-unpack" script from the Mandos source
> > distribution to unpack the initramfs file in order to inspect the
> > exact contents of the /conf/conf.d/mandos directory in the unpacked
> > initramfs, where both tls-*.pem files should be present.)
> >
> > What does the server log say when the client tries to retrieve the
> > password, i.e. when running mandos-monitor, perhaps in verbose mode
> > (toggled using the "v" key)?
> >
> > If you need to debug the boot process (using initramfs-tools or
> > dracut with sysvinit), uncomment the last line in the file
> > /etc/mandos/plugin-runner.conf and rebuild the initramfs using the
> > command "update-initramfs -k all -u".
> >
> > (If you are using dracut with systemd instead of initramfs-tools,
> > and using Mandos 1.8.9 or older, in order to add debugging flags you
> > need to edit the file
> > /lib/dracut/modules.d/90mandos/ask-password-mandos.service and
> > rebuild the initramfs using "dpkg-reconfigure dracut".  A less ugly
> > way to add flags to mandos-client was implemented in Mandos 1.8.10,
> > but I assume that you are using Mandos 1.8.9.)
>
> Thank you for the response. We found out about this bug on 20.04 ->
> https://bugs.launchpad.net/ubuntu/+source/mandos/+bug/1931287
> Presently, we are following the patch from this user's suggestion
> ```
>
> ubuntu 20.04 uses version 1.8.9.
> Any plans to backport this fix?
>
> Looks like it should be easy:
>
> - setsid /lib/mandos/mandos-to-cryptroot-unlock &
> + # Use setsid if available
> + if command -v setsid >/dev/null 2>&1; then
> + setsid /lib/mandos/mandos-to-cryptroot-unlock &
> + else
> + /lib/mandos/mandos-to-cryptroot-unlock &
> + fi
>
> ```
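Review bot: the `else` branch silently degrades behaviour rather than making it visible: when `setsid` is absent, `/lib/mandos/mandos-to-cryptroot-unlock` is started in the caller's own session and process group, so it no longer gets the detachment the original `setsid ... &` line provided and can be affected by signals or a terminal hangup aimed at the parent script. Consider emitting a warning on stderr in the `else` branch so the fallback shows up in boot logs, and noting in a comment why `setsid` may be missing from the initramfs. The hunk also carries no file header or `@@` context line, so the target script is not identified, and the body of the `if`/`else` has lost its indentation (probably from the mail client); both should be restored before submitting.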

We implemented and released that fix in Mandos 1.8.12 on 2020-07-04.  We
have no control over how or when Ubuntu does backports.  We provide our
own backported packages of the latest releases; see the web page on
https://www.recompile.se/mandos#Download for installation instructions
for Debian, which I believe should also work for Ubuntu.

/Teddy Hogeborn

-- 
The Mandos Project
https://www.recompile.se/mandos
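As an added example (not code from the Mandos project or from this thread), the check Teddy describes above, scripted: list an initramfs with `lsinitramfs` from initramfs-tools and confirm that the key files mandos-client uses automatically are present under the conf/conf.d/mandos directory he names. The file set and the sample listings below are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of Mandos: verify that an initramfs carries the
# Mandos client key material.  Assumes the initramfs path conf/conf.d/mandos/
# from the thread and the lsinitramfs tool from initramfs-tools.
REQUIRED_FILES="pubkey.txt seckey.txt tls-pubkey.pem tls-privkey.pem"

# missing_mandos_files LISTING -> prints each required file that does not
# appear in LISTING (one name per line); prints nothing when all are present.
missing_mandos_files() {
    listing="$1"
    for f in $REQUIRED_FILES; do
        if ! printf '%s\n' "$listing" | grep -q "conf/conf\.d/mandos/$f\$"; then
            printf '%s\n' "$f"
        fi
    done
}

# check_initramfs IMAGE -> returns 0 when all key files are present,
# 1 when some are missing (names on stderr), 2 when listing fails.
check_initramfs() {
    listing=$(lsinitramfs "$1") || return 2
    missing=$(missing_mandos_files "$listing")
    if [ -n "$missing" ]; then
        printf 'missing from %s: %s\n' "$1" \
            "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Constructed sample listings shaped like lsinitramfs output; the second
# one lacks the TLS private key, which is exactly the case worth catching.
SAMPLE_OK="conf/conf.d/mandos/pubkey.txt
conf/conf.d/mandos/seckey.txt
conf/conf.d/mandos/tls-pubkey.pem
conf/conf.d/mandos/tls-privkey.pem"
SAMPLE_BAD="conf/conf.d/mandos/pubkey.txt
conf/conf.d/mandos/seckey.txt
conf/conf.d/mandos/tls-pubkey.pem"
```

Run `check_initramfs /boot/initrd.img-$(uname -r)` on the machine after `update-initramfs -k all -u` to confirm the package hook installed both tls-*.pem files.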