<div dir="ltr">Hi Teddy,<div><br></div><div>Thank you for the response. We found out about this bug on 20.04 -> <a href="https://bugs.launchpad.net/ubuntu/+source/mandos/+bug/1931287">https://bugs.launchpad.net/ubuntu/+source/mandos/+bug/1931287</a></div><div>Presently, we are following the patch from this user's suggestion</div><div>```</div><div><p style="margin:0px 0px 0.8em;padding:0px;width:auto;max-width:75em;color:rgb(51,51,51);font-family:monospace;font-size:12px">ubuntu 20.04 uses version 1.8.9.<br>Any plans to backport this fix?</p><p id="gmail-yui_3_10_3_1_1681839391358_282" style="margin:0px 0px 0.8em;padding:0px;width:auto;max-width:75em;color:rgb(51,51,51);font-family:monospace;font-size:12px">Looks like it should be easy:</p><p style="margin:0px 0px 0.8em;padding:0px;width:auto;max-width:75em;color:rgb(51,51,51);font-family:monospace;font-size:12px">- setsid /lib/mandos/mandos-to-cryptroot-unlock &<br>+ # Use setsid if available<br>+ if command -v setsid >/dev/null 2>&1; then<br>+ setsid /lib/mandos/mandos-to-cryptroot-unlock &<br>+ else<br>+ /lib/mandos/mandos-to-cryptroot-unlock &<br>+ fi</p><p style="margin:0px 0px 0.8em;padding:0px;width:auto;max-width:75em;color:rgb(51,51,51);font-family:monospace;font-size:12px">```<br></p>Thank you,<p style="margin:0px 0px 0.8em;padding:0px;width:auto;max-width:75em;color:rgb(51,51,51);font-family:monospace;font-size:12px"><br></p><p style="margin:0px 0px 0.8em;padding:0px;width:auto;max-width:75em;color:rgb(51,51,51);font-family:monospace;font-size:12px"><br></p></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 12, 2023 at 10:10 AM Teddy Hogeborn <<a href="mailto:teddy@recompile.se">teddy@recompile.se</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Alan Ho <<a href="mailto:alan.ho@visier.com" target="_blank">alan.ho@visier.com</a>> writes:<br>
<br>
> We have been a big fan of Mandos and have been deploying the service<br>
> on many Ubuntu machines within our corporate network. (So that people<br>
> cannot steal physical desktop from the office and expect it to boot up<br>
> elsewhere)<br>
><br>
> Currently, we are migrating from Ubuntu 18.04 to 20.04.<br>
<br>
In other words, you upgraded from Mandos 1.7.19-1 (2018-02-22) to Mandos<br>
1.8.9-2 (2019-09-04).<br>
<br>
> When we upgraded Mandos, we found that the new mandos-client ( 1.8.9)<br>
> now requires *--tls-privkey* and *--tls-pubkey.*<br>
><br>
> 1. When I manually test the command from client machine to request the<br>
>    disk decryption key from the mandos server, it is successful IF I<br>
>    specify the path of the tls key pair<br>
<br>
Yes; a complete example command is documented in<br>
/usr/share/doc/mandos-client/README.Debian.gz<br>
<br>
> sudo /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client \<br>
> --pubkey=/etc/keys/mandos/pubkey.txt \<br>
> --seckey=/etc/keys/mandos/seckey.txt \<br>
> *--tls-pubkey=/etc/keys/mandos/tls-pubkey.pem \*<br>
> *--tls-privkey=/etc/keys/mandos/**tls-pubkey.pem** \*<br>
> --debug<br>
<br>
I assume that you meant "tls-privkey.pem" on that last line, and not<br>
"tls-pubkey.pem"?<br>
<br>
> 2. However, it appeared that once we rebooted the desktop with new<br>
>    mandos 1.8.9, it failed to boot and it got stuck in the stage where<br>
>    it is expecting a password from the mandos server.  I am wondering<br>
>    if the new *tls-pubkey.pem* and *tls-pubkey.pem *keypair in<br>
>    /etc/keys/mandos/ were not found during the new startup process. My<br>
>    hunch is this needs to be specified in the initramfs but<br>
>    unfortunately there is very little migration documentation for this<br>
>    topic so I hope I come to the right place for some insights on how<br>
>    to proceed next.<br>
<br>
This is unlikely to be the source of the problem, since the new --tls-*<br>
options should be superfluous in the initramfs; the new tls-pubkey.pem<br>
and tls-privkey.pem files are *automatically* used if present and<br>
installed in the initramfs, which in turn should have been done by the<br>
package installation.  (If you want to check, you could use the<br>
"initramfs-unpack" script from the Mandos source distribution to unpack<br>
the initramfs file in order to inspect the exact contents of the<br>
/conf/conf.d/mandos directory in the unpacked initramfs, where both<br>
tls-*.pem files should be present.)<br>
<br>
What does the server log say when the client tries to retrieve the<br>
password, i.e. when running mandos-monitor, perhaps in verbose mode<br>
(toggled using the "v" key)?<br>
<br>
If you need to debug the boot process (using initramfs-tools or dracut<br>
with sysvinit), uncomment the last line in the file<br>
/etc/mandos/plugin-runner.conf and rebuild the initramfs using the<br>
command "update-initramfs -k all -u".<br>
<br>
(If you are using dracut with systemd instead of initramfs-tools, and<br>
using Mandos 1.8.9 or older, in order to add debugging flags you need to<br>
edit the file /lib/dracut/modules.d/90mandos/ask-password-mandos.service<br>
and rebuild the initramfs using "dpkg-reconfigure dracut".  A less ugly<br>
way to add flags to mandos-client was implemented in Mandos 1.8.10, but<br>
I assume that you are using Mandos 1.8.9.)<br>
<br>
/Teddy Hogeborn<br>
<br>
-- <br>
The Mandos Project<br>
<a href="https://www.recompile.se/mandos" rel="noreferrer" target="_blank">https://www.recompile.se/mandos</a><br>
</blockquote></div><br clear="all"><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><table border="0" width="450px" style="max-width:450px">
        <tbody>
                <tr height="110px;">
                <td valign="top" style="padding-top:6px;max-width:20px" width="20px">
                        <img src="https://www.visier.com/wp-content/uploads/2017/10/Visier_Vert_Black_NoTag.png" width="20px" style="max-width: 20px;" height="86px">
                </td>
                <td valign="top">
                        <table border="0">
                                <tbody>
                                <tr valign="top">
                                        <td style="padding-left:7px;font-family:Arial,Helvetica,sans-serif;font-size:13px">
                                                                                <strong>Alan Ho</strong>  | he/him/his  | Sr. IT Ops Engineer<br> 
                                                                                
                                                                                office: 604-753-8842 <br>
                                                                                toll-free: 1-888-277-9331<br>

                                                                                <a href="mailto:alan.ho@visier.com" style="color:rgb(0,0,0)" target="_blank">alan.ho@visier.com</a><br>
                                                                                <a href="https://www.visier.com?utm_source=visier_email_signature&utm_medium=email" style="color:rgb(0,0,0);text-decoration:underline;display:inline" target="_blank">www.visier.com</a> |
                                                <a href="https://www.visier.com/clarity/?utm_source=visier_email_signature&utm_medium=email" style="color:rgb(0,0,0);text-decoration:underline;display:inline" target="_blank"> Blog</a>
                                        <br>
                                        <div style="padding-top:7px">
                                                <a href="https://twitter.com/visier" target="_blank"><img src="https://www.visier.com/wp-content/uploads/2017/10/twitter_black-1.png" style="max-width: 25px; width: 25px; height: 25px;"></a>
                                                <a href="https://www.youtube.com/VisierAnalytics" target="_blank"><img src="https://www.visier.com/wp-content/uploads/2017/10/youtube_black-1.png" style="max-width: 25px; width: 25px; height: 25px;"></a>
                                                <a href="https://www.linkedin.com/company/visier-analytics/" target="_blank"><img src="https://www.visier.com/wp-content/uploads/2017/10/linkedin_black-1.png" style="max-width: 25px; width: 25px; height: 25px;"></a>
                                                <a href="https://www.facebook.com/Visier/" target="_blank"><img src="https://www.visier.com/wp-content/uploads/2017/10/facebook_black-1.png" style="max-width: 25px; width: 25px; height: 25px;"></a>
                                        </div>
                                        
                                        <div style="max-width:630px">
                                                <a href="https://events.visier.com/outsmart23?utm_source=marketing&utm_campaign=outsmart-23&utm_medium=email&utm_term=&utm_content=email-banner&cid=6c08a47702e2a6b38953" target="_blank">
                                                        <img src="https://images.ctfassets.net/lbgy40h4xfb7/1kH7CP9wycpbkLybcLnQ2x/09d3ca4d9bee9d125bf372b2cdf42de6/Outsmart_2023_employee_email_footer_630.jpg" style="max-width: 630px;">
                                                </a>
                                        </div>
                                        
                                        </td>
                                                
                                </tr>
                                </tbody>
                        </table>
                </td>
                </tr>
        </tbody>
</table>
</div>
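Review bot: In the patch quoted at the top of this message, the "else" branch is a behaviour change rather than only a guard against a missing binary: without setsid, /lib/mandos/mandos-to-cryptroot-unlock stays in the calling script's session and process group, so whatever terminates or sends SIGHUP to that shell takes the unlocker down with it, which is precisely what the original "setsid ... &" line was there to avoid. Suggest making the fallback visible in the boot log, for example by printing a line such as "setsid not found; running mandos-to-cryptroot-unlock in the caller's session" to stderr before the un-detached invocation, and treating the fallback as a stopgap on 1.8.9: the robust fix is to make sure setsid (shipped in util-linux on Ubuntu) is actually copied into the initramfs so the first branch is always the one taken. Also, as pasted the two branch lines have lost their indentation; indent them under "if" and "else" when applying so the resulting script matches the surrounding style.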
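Teddy's suggestion in the quoted reply (unpack the initramfs and confirm that both tls-*.pem files are present under /conf/conf.d/mandos) is easy to turn into a repeatable check. The script below is an added example, not code from the Mandos project or from either correspondent. It reads an initramfs file listing on stdin; on Ubuntu that listing can come from lsinitramfs (initramfs-tools), which is my assumption about the host tooling, or from find run inside a tree produced by the initramfs-unpack script Teddy mentions. Because the patch quoted at the top of the message falls back to running the unlocker without setsid, the check also reports whether setsid is in the image. The sample listing inside the block is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not part of Mandos): verify that an initramfs contains the
# files mandos-client needs at boot. Reads one path per line on stdin, e.g.
#   lsinitramfs /boot/initrd.img-"$(uname -r)" | check_mandos_initramfs
# Returns 0 when every required file is present, 1 otherwise.
check_mandos_initramfs() {
    # Normalise entries: strip a leading "./" or "/" so cpio-style and
    # absolute listings compare the same way.
    listing=$(sed 's#^\./##; s#^/##')
    rc=0

    # Paths from Teddy's reply: the initramfs copy of the TLS key pair lives
    # in conf/conf.d/mandos and both files must be there.
    for want in conf/conf.d/mandos/tls-pubkey.pem \
                conf/conf.d/mandos/tls-privkey.pem; do
        if printf '%s\n' "$listing" | grep -qxF "$want"; then
            echo "ok:      $want"
        else
            echo "MISSING: $want"
            rc=1
        fi
    done

    # setsid is optional in the patched mandos-to-cryptroot-unlock call, so
    # its absence is only a warning, but it explains why the fallback branch
    # would be taken.
    if printf '%s\n' "$listing" | grep -qxE '(usr/)?bin/setsid'; then
        echo "ok:      setsid present in initramfs"
    else
        echo "WARNING: setsid not in initramfs; unlocker would run without it"
    fi

    return $rc
}

# Constructed sample listing standing in for lsinitramfs output.
sample='./conf/conf.d/mandos/tls-pubkey.pem
./conf/conf.d/mandos/tls-privkey.pem
./lib/mandos/mandos-to-cryptroot-unlock
./bin/setsid'

if printf '%s\n' "$sample" | check_mandos_initramfs; then
    echo "initramfs check passed"
else
    echo "initramfs check failed; rebuild with: update-initramfs -k all -u"
fi
```

The normalisation step matters because mkinitramfs archives the tree as "./path" while an unpacked directory walked with find gives "path" or "/path"; comparing fixed whole lines after stripping the prefix avoids false negatives from either form.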