Http server instead of own server?

Zenny garbytrash at gmail.com
Wed Feb 13 12:37:09 CET 2013


On 2/13/13, Teddy Hogeborn <teddy at recompile.se> wrote:
> Cesare Bianchi <kzar79 at gmail.com> writes:
>
>> I manage various (virtual) servers running in various clients'
>> locations. The clients must not have direct access to the servers
>> data, so I encrypted the disks. At the present time, I must physically
>> go (or connect to the virtual host) if a server reboots.
>>
>> I wanted to install Mandos client on the servers, but it needs a
>> Mandos server running in the network, and obviously this only adds
>> complexity.
>>
>> So, is it possible to use some simple form of connection to the
>> "Mandos server", for example with a public basic http server?
>
> Firstly, your setup is not secure.  Your clients can access the memory
> of the virtual machines, where the keys to the encrypted disks are
> stored.
>
> Secondly, the problem you want to solve does not need any source
> changes; the code is written to be flexible enough to cover your use
> case.  What you should do is four things:
>
> 1. Add "ip=dhcp" to the Linux kernel command line; do this by editing
>    the GRUB_CMDLINE_LINUX_DEFAULT setting in your /etc/default/grub
>    file; add "ip=dhcp" to the setting.  If DHCP is not available for the
>    Mandos client systems, use the syntax "ip=1.1.1.2::1.1.1.1", where
>    "1.1.1.2" is the client IP address and "1.1.1.1" is the local
>    gateway.
>
> 2. Add, to the /etc/mandos/plugin-runner.conf file, this line:
>
> --options-for=mandos-client:--connect=1.2.3.4:1234
>
>    Replace "1.2.3.4:1234" with the IP address and your chosen port of
>    the Mandos server.

Thanks, Teddy, for sharing very useful info that I have been searching
for. Great!

BTW, it is a bit confusing, for me at least. You stated to replace
the IP with the Mandos server IP, and I guess the change to
/etc/mandos/plugin-runner.conf needs to be made on the Mandos
client machine, right?

>
> 3. Run "update-initramfs -k all -u" to update the initramfs image.
>
> 4. Configure the Mandos server to use a specific port number by
>    uncommenting and editing the "port" setting in /etc/mandos.conf on
>    the Mandos server host.
>
> (Note; I have written these four steps mostly from my memory of how this
> is supposed to work, but I have not tested them.  It is always possible
> I have forgotten something.)
>
> /Teddy Hogeborn
>
> --
> The Mandos Project
> http://www.recompile.se/mandos
> _______________________________________________
> Mandos-Dev mailing list
> Mandos-Dev at recompile.se
> https://mail.recompile.se/cgi-bin/mailman/listinfo/mandos-dev
>
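The four steps quoted above, written out as an added example (editor's script, not code from the Mandos project or from anyone in this thread). It applies steps 1 and 2 to a client root tree and step 4 to a server root tree, idempotently, and only calls update-initramfs (step 3) when the client root is the live system. By default it builds a staging directory with constructed sample files so the result can be inspected without touching /etc; the ini-style layout assumed for /etc/mandos.conf (a [DEFAULT] section with ';'-commented defaults), the sample address 192.0.2.10:1234 and the file contents are assumptions, not taken from the thread. The script only automates the configuration; it does nothing about the threat Teddy raises, that whoever controls the virtual host can read the key out of guest memory.

```shell
#!/bin/sh
# Added example, not Mandos project code: apply the four configuration steps
# from the reply above. Paths are relative to a root tree so the script can be
# exercised on a staging directory (constructed files below) instead of /etc.
set -eu

# Current GRUB_CMDLINE_LINUX_DEFAULT value (last definition wins, quotes dropped).
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Step 1: add an ip= option (ip=dhcp or ip=<client>::<gateway>) to the kernel
# command line without duplicating it on repeated runs.
grub_add_ip() {
    grub="$1"; ipopt="$2"
    cur=$(grub_cmdline "$grub")
    case " $cur " in *" $ipopt "*) return 0 ;; esac      # already present
    new=$(printf '%s %s' "$cur" "$ipopt" | sed 's/^ *//')
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$grub"; then
        awk -v line="GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"" \
            '/^GRUB_CMDLINE_LINUX_DEFAULT=/ { print line; next } { print }' \
            "$grub" > "$grub.tmp" && mv "$grub.tmp" "$grub"
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$new" >> "$grub"
    fi
}

# True when $1 is a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The --connect target currently configured for mandos-client, if any.
client_connect_addr() {
    sed -n 's/^--options-for=mandos-client:--connect=//p' "$1" | tail -n 1
}

# Step 2 (client side): point mandos-client straight at ADDRESS:PORT, replacing
# any earlier --connect line rather than stacking a second one.
client_set_connect() {
    conf="$1"; addr="$2"
    host=${addr%:*}; port=${addr##*:}
    if [ "$host" = "$addr" ] || [ -z "$host" ] || ! valid_port "$port"; then
        echo "client_set_connect: expected ADDRESS:PORT, got '$addr'" >&2; return 1
    fi
    { grep -v '^--options-for=mandos-client:--connect=' "$conf" || true
      printf '%s\n' "--options-for=mandos-client:--connect=$addr"; } > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Effective "port" in mandos.conf (commented lines do not count).
server_port() {
    sed -n 's/^[[:space:]]*port[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Step 4 (server side): uncomment/replace the "port" line, or add one under
# [DEFAULT]. The [DEFAULT] + ';' comment layout is an assumption about the file.
server_set_port() {
    conf="$1"; port="$2"
    valid_port "$port" || { echo "server_set_port: bad port '$port'" >&2; return 1; }
    if grep -Eq '^[;#]?[[:space:]]*port[[:space:]]*=' "$conf"; then
        awk -v port="$port" '/^[;#]?[[:space:]]*port[[:space:]]*=/ && !done {
            print "port = " port; done = 1; next } { print }' "$conf"
    else
        awk -v port="$port" '{ print }
            /^\[DEFAULT\]/ && !done { print "port = " port; done = 1 }
            END { if (!done) print "port = " port }' "$conf"
    fi > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Steps 1-3 on a client root; step 3 only makes sense on the live system.
apply_client() {
    c=${1%/}; ipopt="$2"; server_addr="$3"
    grub_add_ip "$c/etc/default/grub" "$ipopt"
    client_set_connect "$c/etc/mandos/plugin-runner.conf" "$server_addr"
    if [ -z "$c" ]; then update-initramfs -k all -u; fi
}

# Constructed sample files standing in for a client host and a server host.
setup_staging() {
    root=$(mktemp -d)
    mkdir -p "$root/client/etc/default" "$root/client/etc/mandos" "$root/server/etc"
    printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet"\n' > "$root/client/etc/default/grub"
    printf '# plugin-runner options (constructed sample)\n' > "$root/client/etc/mandos/plugin-runner.conf"
    printf '[DEFAULT]\n;interface = eth0\n;port =\n;debug = False\n' > "$root/server/etc/mandos.conf"
    printf '%s\n' "$root"
}

STAGE=$(setup_staging)
apply_client "$STAGE/client" ip=dhcp 192.0.2.10:1234
server_set_port "$STAGE/server/etc/mandos.conf" 1234
apply_client "$STAGE/client" ip=dhcp 192.0.2.10:1234   # second run: no duplicates
echo "staging tree:      $STAGE"
echo "kernel cmdline:    $(grub_cmdline "$STAGE/client/etc/default/grub")"
echo "client connects to: $(client_connect_addr "$STAGE/client/etc/mandos/plugin-runner.conf")"
echo "server port:       $(server_port "$STAGE/server/etc/mandos.conf")"
```

To apply on real hosts, call `apply_client / ip=dhcp <server-ip>:<port>` on each client (which then rebuilds the initramfs) and `server_set_port /etc/mandos.conf <port>` on the server; the same port must appear in both places, and the `--connect` argument is rejected unless it has the ADDRESS:PORT shape with a port in range.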
