Startup troubles

Teddy Hogeborn teddy at recompile.se
Tue Jun 5 19:11:38 CEST 2012


Dick Middleton <dick at fouter.net> writes:

> I'm having trouble getting this thing to work.  I'm using Debian
> squeeze i386 on the server and Debian Wheezy amd64 on the client.  On
> the server I've updated mandos to 1.5.4 to match the client version.

Sorry, could not reproduce your problem on the same setup here.

> Firstly is there not a HOWTO guide for setting this up?

The README.Debian files contain the most direct instructions.

> I've created a client section for the server using mandos-keygen
> --password
>
> I'm then trying to test using /usr/lib/mandos/plugins.d/mandos-client
> --pubkey....  etc as in README.Debian

Yes, that should work.

> On the server the following message is seen:
>
>  Jun  3 16:55:20 hagrid <28>Mandos [28204]: WARNING: Handshake failed: An
> algorithm that is not enabled was negotiated.
>
> That doesn't mean much to me; is it important?

Yes.  The handshake should not fail.  This is the major problem
preventing Mandos from working.  WHY the handshake fails is another
matter, and I have no answer to that question.

> Incidentally why is the program name given to logger "<28>Mandos"?

It isn't; from the server source code (version 1.5.5, lines 119-121):

    syslogger.setFormatter(logging.Formatter
                           ('Mandos [%(process)d]: %(levelname)s:'
                            '%(message)s'))

These odd junk characters could be indicative of some deeper problem
with your system.

> On the client I get:
>
> Mandos plugin mandos-client: scandir: No such file or directory
>
> Again I don't know what's missing and whether it's important.

That's harmless and normal when running the client outside the initramfs
environment.  (The directory it fails to find is the network-hooks.d
directory, and if you had configured any network hooks you probably
wouldn't want them to run outside the initramfs environment anyway.)

> All I know is no password is returned.  It just sits and waits.
>
> Looking at debug client is reporting:
> Mandos plugin mandos-client: *** GnuTLS Handshake failed ***
> GnuTLS error: A TLS packet with unexpected length was received.
>
> Apart from the Handshake error above the server seems happy.

The handshake is the problem, but it works on our setup.

> Some guidance for what to do next would be appreciated.

I would suggest filing a Debian bug using the "reportbug" tool - this
will let us know what versions of libraries you have and many other
details which might be helpful.

> OK now, I need 2 passphrases for my client.  One for the root disc and
> one for the hibernate partition.  Is this supported?

Not really - it might work, but we haven't tested it.

> Do I just need two sections, one for each passphrase?

I would instead suggest using Mandos for the root partition password and
then using a password file as the third field of crypttab for any
subsequent encrypted partitions needed for booting.  The password
file(s) should of course be appropriately secured by file permissions
and located on the root partition.

> If I use the -n option on mandos-keygen --password it not only changes
> the section name it also changes the host name.  Is that right?

It does, yes.  However, that doesn't really affect anything - the name
in the OpenPGP key is not used for anything, and the host name can be
changed in clients.conf with no ill effects.

/Teddy Hogeborn

-- 
The Mandos Project
http://www.recompile.se/mandos
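Following up on the suggestion above to keep any extra crypttab key files permission-protected and on the root partition, here is an added audit script; it is not from this thread or the Mandos project, and it assumes GNU stat (Linux) and that key fields in crypttab are absolute paths. The ROOTREF and OWNER_UID parameters are hypothetical knobs added so the check can be run against a sample directory.

```sh
#!/bin/sh
# Added example (not from the thread or the Mandos project): audit the key
# files named in crypttab's third field for what the reply above asks for:
# owner-only permissions and a location on the root filesystem.
# Assumes GNU stat (Linux). Usage: sh this.sh [/etc/crypttab]

# check_keyfile FILE [ROOTREF] [OWNER_UID]
# Returns 0 if FILE is owned by OWNER_UID (default 0), has no group/other
# permission bits, and lives on the same filesystem as ROOTREF (default /).
check_keyfile() {
    keyfile="$1"; rootref="${2:-/}"; owner="${3:-0}"
    if [ ! -f "$keyfile" ]; then
        echo "MISSING $keyfile"; return 1
    fi
    uid=$(stat -c '%u' "$keyfile")
    mode=$(stat -c '%a' "$keyfile")
    if [ "$uid" -ne "$owner" ]; then
        echo "WRONG-OWNER $keyfile (uid $uid)"; return 1
    fi
    case "$mode" in
        *00) ;;    # e.g. 400 or 600: only the owner can read the key
        *) echo "TOO-PERMISSIVE $keyfile (mode $mode)"; return 1 ;;
    esac
    if [ "$(stat -c '%d' "$keyfile")" != "$(stat -c '%d' "$rootref")" ]; then
        echo "NOT-ON-ROOT-FS $keyfile"; return 1
    fi
    echo "OK $keyfile"
}

# check_crypttab_keyfiles [CRYPTTAB] [ROOTREF] [OWNER_UID]
# Walks every crypttab entry; entries whose key field is "none" or "-"
# (no key file to check) are skipped. Returns 0 only if every referenced
# key file passes check_keyfile.
check_crypttab_keyfiles() {
    crypttab="${1:-/etc/crypttab}"
    bad=0
    while read -r target source keyfile options; do
        case "$target" in ''|\#*) continue ;; esac    # blank line or comment
        case "$keyfile" in ''|none|-) continue ;; esac
        check_keyfile "$keyfile" "$2" "$3" || bad=$((bad + 1))
    done < "$crypttab"
    [ "$bad" -eq 0 ]
}

if [ $# -gt 0 ]; then
    check_crypttab_keyfiles "$@"
fi
```

Run it as root against the real /etc/crypttab once the extra partitions are set up; any line other than OK names the file that needs fixing.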