Mandos on Fedora/RHEL

Teddy Hogeborn teddy at recompile.se
Tue Nov 5 10:12:26 CET 2013


"Nathanael D. Noblet" <nathanael at gnat.ca> writes:

>   So I have a proof of concept systemd "ask password agent" that works
> for a F19 machine. However it hardcodes everything for test
> purposes...
>
>   For example my little c program runs this very specific command
> "mandos-client --pubkey=/path/to/pubkey.txt
> --seckey=/path/to/seckey.txt -c 192.168.4.100:55055"
>
>   That obviously isn't ideal. I see in your sources you have a
> plugin-runner. Is that part of the initrd system in Debian?

No, the plugin-runner is part of the Mandos client-side system.

> For example I'm wondering about the whole plugin-runner.conf
> file. Does the mandos client have a config file at all?

No, the mandos-client program has command-line arguments, normally
provided by the plugin-runner, which in turn gets them from
plugin-runner.conf.

> Where is the proper place to put some of the defaults/configuration of
> the mandos client?

plugin-runner.conf

>   What I would prefer is that the ask-password agent simply calls
> mandos-client, and captures its output.

This is not ideal, since you would then be unable to enter the password
at the console.  This is the reason for the plugin-runner; it runs all
plugins, one of which asks for the password on the console, another
tries to use plymouth, another is the Mandos network client, etc.

So what you should do is run the plugin-runner, and capture *its*
output.

> As it stands I have to manually tell it where everything is. I mean it
> probably isn't a big deal when the initrd image is created to place
> the pubkey and seckey in the correct place. However, how does one
> configure the networking aspects?

The mandos-client itself configures the network.  It brings up all
interfaces which look promising, and tries to find Mandos servers on all
interfaces.  Optionally, one can configure even more special interfaces
(like wireless, VPNs, or bridges) to be brought up; see the section
"NETWORK HOOKS" in mandos-client(8mandos).  After it is done or when a
terminating signal is received, all network interfaces are restored to
their original state; i.e. taken down if they were taken up, etc.

/Teddy

-- 
The Mandos Project
http://www.recompile.se/mandos
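Teddy's advice above (run the plugin-runner and capture *its* output), as an added example that is not Mandos project code: a minimal systemd password agent in Python that runs the plugin-runner, captures what it prints, and hands that back to systemd over the ask-password socket. Assumptions: the plugin-runner path is a placeholder, and the ask-password request format follows systemd's documented agent protocol (an ask.* file in /run/systemd/ask-password with an [Ask] section carrying Socket=, Message= and NotAfter=; the agent answers with "+" followed by the password, or "-" on failure).

```python
# Added example, not from the Mandos project: a minimal systemd
# "ask password agent" that runs the plugin-runner and relays its output.
import configparser
import socket
import subprocess
from pathlib import Path

ASK_DIR = Path("/run/systemd/ask-password")  # where systemd drops ask.* files
# Assumed path; the real plugins and their arguments come from plugin-runner.conf.
PLUGIN_RUNNER = ["/usr/lib/mandos/plugin-runner"]


def parse_ask_file(text):
    """Parse one ask.* file into (socket_path, message, not_after)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    ask = cp["Ask"]
    return (ask["Socket"], ask.get("Message", ""), int(ask.get("NotAfter", "0")))


def build_reply(password, ok=True):
    """systemd expects b'+' + password on success, b'-' to report failure."""
    return b"+" + password if ok else b"-"


def send_reply(socket_path, reply):
    """Deliver the reply as one datagram to the AF_UNIX socket systemd named."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(socket_path)
        s.send(reply)


def run_plugin_runner(cmd=PLUGIN_RUNNER):
    """Run the plugin-runner and capture *its* stdout; None if no plugin succeeded."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, check=False)
    return proc.stdout if proc.returncode == 0 else None


def handle_request(ask_path, runner=run_plugin_runner):
    """Answer one pending request; returns True if a password was delivered."""
    socket_path, _message, _not_after = parse_ask_file(Path(ask_path).read_text())
    password = runner()
    send_reply(socket_path, build_reply(password or b"", ok=password is not None))
    return password is not None


if __name__ == "__main__":
    for ask_file in sorted(ASK_DIR.glob("ask.*")):
        handle_request(ask_file)
```

The password is forwarded exactly as the plugin-runner printed it, so any trailing newline policy belongs to the plugins, not to this agent.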