Http server instead of own server?
Zenny
garbytrash at gmail.com
Wed Feb 13 12:37:09 CET 2013
On 2/13/13, Teddy Hogeborn <teddy at recompile.se> wrote:
> Cesare Bianchi <kzar79 at gmail.com> writes:
>
>> I manage various (virtual) servers running in various clients'
>> locations. The clients must not have direct access to the servers
>> data, so I encrypted the disks. At the present time, I must physically
>> go (or connect to the virtual host) if a server reboots.
>>
>> I wanted to install Mandos client on the servers, but it needs a
>> Mandos server running in the network, and obviously this only adds
>> complexity.
>>
>> So, is it possible to use some simple form of connection to the
>> "Mandos server", for example with a public basic http server?
>
> Firstly, your setup is not secure. Your clients can access the memory
> of the virtual machines, where the keys to the encrypted disks are
> stored.
>
> Secondly, the problem you want to solve does not need any source
> changes; the code is written to be flexible enough to cover your use
> case. What you should do is four things:
>
> 1. Add "ip=dhcp" to the Linux kernel command line; do this by editing
> the GRUB_CMDLINE_LINUX_DEFAULT setting in your /etc/default/grub
> file; add "ip=dhcp" to the setting. If DHCP is not available for the
> Mandos client systems, use the syntax "ip=1.1.1.2::1.1.1.1", where
> "1.1.1.2" is the client IP address and "1.1.1.1" is the local
> gateway.
>
> 2. Add, to the /etc/mandos/plugin-runner.conf file, this line:
>
> --options-for=mandos-client:--connect=1.2.3.4:1234
>
> Replace "1.2.3.4:1234" with the IP address and your chosen port of
> the Mandos server.
Thanks, Teddy, for sharing very useful info that I have been searching
for. Great!
BTW, it is a bit confusing for me, at least. You stated to replace
the IP with the Mandos Server IP, and I guess the change to
/etc/mandos/plugin-runner.conf needs to be made on the Mandos
client machine, right?
>
> 3. Run "update-initramfs -k all -u" to update the initramfs image.
>
> 4. Configure the Mandos server to use a specific port number by
> uncommenting and editing the "port" setting in /etc/mandos.conf on
> the Mandos server host.
>
> (Note: I have written these four steps mostly from my memory of how this
> is supposed to work, but I have not tested them. It is always possible
> I have forgotten something.)
>
> /Teddy Hogeborn
>
> --
> The Mandos Project
> http://www.recompile.se/mandos
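Teddy's four steps, written out as an added shell example that is not code from the Mandos project or from anyone in this thread. The functions take the config files as arguments so the edits can be rehearsed on copies before touching /etc; they assume the grub file already has a GRUB_CMDLINE_LINUX_DEFAULT line and that mandos.conf carries a (possibly ";"-commented) "port = N" line, which is an assumption about its layout.

```shell
#!/bin/sh
# Added example, not Mandos project code: apply the four steps from the thread
# to the config files given as arguments (rehearse on copies first).
# Assumptions: GRUB_CMDLINE_LINUX_DEFAULT exists in the grub file; mandos.conf
# has a (possibly ";"-commented) "port = N" line under [DEFAULT].

# Replace a file from a sed script via a temp file (avoids non-portable sed -i).
sed_inplace() { sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"; }

# Step 1 (client side): put "ip=dhcp" (or a static "ip=client::gateway" spec
# given as $2) into GRUB_CMDLINE_LINUX_DEFAULT; skip if ip= is already there.
add_ip_to_grub() {
    spec="ip=${2:-dhcp}"
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*[" ]ip=' "$1" && return 0
    sed_inplace 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="\)\(.*\)"$/\1\2 '"$spec"'"/' "$1"
    sed_inplace 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=\)" /\1"/' "$1"   # empty value case
}

# Step 2 (client side): point mandos-client at the server address ($2) and
# port ($3) via plugin-runner.conf; rewrite an existing --connect line rather
# than appending a second one, so repeated runs stay consistent.
set_mandos_connect() {
    line="--options-for=mandos-client:--connect=$2:$3"
    if grep -q '^--options-for=mandos-client:--connect=' "$1"; then
        sed_inplace "s|^--options-for=mandos-client:--connect=.*|$line|" "$1"
    else
        printf '%s\n' "$line" >> "$1"
    fi
}

# Step 3 (client side): rebuild every initramfs so it carries the new settings.
rebuild_initramfs() { update-initramfs -k all -u; }

# Step 4 (server side): uncomment/set "port" in mandos.conf to the chosen port.
set_mandos_port() {
    if grep -q '^[;# ]*port[[:space:]]*=' "$1"; then
        sed_inplace "s/^[;# ]*port[[:space:]]*=.*/port = $2/" "$1"
    else
        printf 'port = %s\n' "$2" >> "$1"
    fi
}

# Sanity check after editing: returns 0 only if the client files carry both
# settings.  $1 grub file, $2 plugin-runner.conf, $3 server address, $4 port
verify_client_config() {
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*[" ]ip=' "$1" &&
    grep -q "^--options-for=mandos-client:--connect=$3:$4\$" "$2"
}
```

Run rebuild_initramfs only on the client after steps 1 and 2 have been applied to the real files; the remaining functions are safe to exercise on copies.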