Mandos on Fedora/RHEL

Nathanael Noblet nathanael at gnat.ca
Tue Nov 5 14:24:20 CET 2013


Sorry for the top post, I'm on a mobile device at the moment...


So in Fedora/RHEL/CentOS land the plugin runner is unnecessary. Dracut already has console and Plymouth ask-password commands. The little systemd service I 'created' is run in tandem with all other relevant password retrieval pieces. The network pieces are handled by other dracut modules and can deal with bonded interfaces, VPNs, etc.

Given that, how would you prefer to proceed? I'm wondering if the actual client portion could be split out into a separate little program. So all the Avahi setup and anything needed to set up networks in its own area. Then a network client that requires the keys and IP and port and does its thing. In Fedora and derivatives we simply install that little client and the systems services. In Debian and derivatives you include the entire plugin runner? Thoughts?

For my test today I'm going to modify the mandos client to grab some variables from the environment. I'm still using non-Avahi connection methods. I noticed that the code has a comment about that code path being for testing purposes. I'm wondering why? I have a handful of servers but most are in separate data centers, so Avahi is useless to me if I'm not mistaken.

Sincerely,
Nathanael


Teddy Hogeborn <teddy at recompile.se> wrote:

>"Nathanael D. Noblet" <nathanael at gnat.ca> writes:
>
>>   So I have a proof of concept systemd "ask password agent" that works
>> for a F19 machine. However it hardcodes everything for test
>> purposes...
>>
>>   For example my little c program runs this very specific command
>> "mandos-client --pubkey=/path/to/pubkey.txt
>> --seckey=/path/to/seckey.txt -c 192.168.4.100:55055"
>>
>>   That obviously isn't ideal. I see in your sources you have a
>> plugin-runner. Is that part of the initrd system in debian?
>
>No, the plugin-runner is part of the Mandos client-side system.
>
>> For example I'm wondering about the whole plugin-runner.conf
>> file. Does the mandos client have a config file at all?
>
>No, the mandos-client program has command-line arguments, normally
>provided by the plugin-runner, which in turn gets them from
>plugin-runner.conf.
>
>> Where is the proper place to put some of the defaults/configuration of
>> the mandos client?
>
>plugin-runner.conf
>
>>   What I would prefer is that the ask-password agent simply calls
>> mandos-client, and captures its output.
>
>This is not ideal, since you would then be unable to enter the password
>at the console.  This is the reason for the plugin-runner; it runs all
>plugins, one of which asks for the password on the console, another
>tries to use plymouth, another is the Mandos network client, etc.
>
>So what you should do is run the plugin-runner, and capture *its*
>output.
>
>> As it stands I have to manually tell it where everything is. I mean it
>> probably isn't a big deal when the initrd image is created to place
>> the pubkey and seckey in the correct place. However how does one
>> configure the networking aspects?
>
>The mandos-client itself configures the network.  It brings up all
>interfaces which look promising, and tries to find Mandos servers on all
>interfaces.  Optionally, one can configure even more special interfaces
>(like wireless, VPNs, or bridges) to be brought up; see the section
>"NETWORK HOOKS" in mandos-client(8mandos).  After it is done or when a
>terminating signal is received, all network interfaces are restored to
>their original state; i.e. taken down if they were taken up, etc.
>
>/Teddy
>
>-- 
>The Mandos Project
>http://www.recompile.se/mandos
>
>_______________________________________________
>Mandos-Dev mailing list
>Mandos-Dev at recompile.se
>https://mail.recompile.se/cgi-bin/mailman/listinfo/mandos-dev
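As an added example (not code from the thread or from the Mandos project), here is a minimal one-shot systemd password agent in Python that implements the ask-password file/socket protocol Nathanael's C program hooks into: it parses each pending /run/systemd/ask-password/ask.* request, skips ones systemd has already timed out, runs a retrieval command given on its own command line (for instance the mandos-client or plugin-runner invocation discussed above) and answers with a '+'-prefixed datagram, or a lone '-' when retrieval fails so the other agents can take over. The retrieval command, the 120 s timeout and the one-shot scan (no inotify loop) are assumptions of this example.

```python
"""Minimal one-shot systemd password agent (added example, not Mandos code):
answers pending ask-password requests with the output of a retrieval command."""
import configparser, glob, os, socket, subprocess, sys, time

ASK_DIR = "/run/systemd/ask-password"  # systemd writes one ask.* file per request

def parse_ask_file(text):
    """Return the [Ask] section of an ask.* file as a dict (keys lowercased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["Ask"])

def is_expired(fields, now_usec):
    """NotAfter= is CLOCK_MONOTONIC in microseconds; 0 or absent means no deadline."""
    not_after = int(fields.get("notafter", "0"))
    return not_after != 0 and now_usec > not_after

def fetch_password(command):
    """Run the retrieval command; its stdout is the secret, None on any failure."""
    try:
        out = subprocess.run(command, capture_output=True, timeout=120, check=True).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return out or None  # empty output counts as failure and is never sent as a password

def build_reply(password):
    """'+' followed by the secret on success; a lone '-' tells systemd we gave up."""
    return b"-" if password is None else b"+" + password

def send_reply(socket_path, reply):
    """The protocol expects the answer as a single AF_UNIX datagram on Socket=."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(reply, socket_path)

def main(argv):
    """agent.py COMMAND [ARG...]; COMMAND is whatever prints the secret, e.g.
    the mandos-client or plugin-runner invocation from the thread (assumed)."""
    if len(argv) < 2:
        sys.exit("usage: agent.py COMMAND [ARG...]")
    now_usec = time.monotonic_ns() // 1000
    for path in sorted(glob.glob(os.path.join(ASK_DIR, "ask.*"))):
        with open(path) as f:
            fields = parse_ask_file(f.read())
        if is_expired(fields, now_usec):
            continue  # systemd already timed this request out
        send_reply(fields["socket"], build_reply(fetch_password(argv[1:])))

if __name__ == "__main__":
    main(sys.argv)
```

The secret is passed through byte-for-byte, so whatever the retrieval command prints (including any trailing newline) is what the requesting service receives, exactly as when the plugin-runner captures a plugin's output.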
