Mandos on Fedora/RHEL

Teddy Hogeborn teddy at recompile.se
Tue Nov 5 22:26:39 CET 2013


Nathanael Noblet <nathanael at gnat.ca> writes:

> So in fedora/rhel/centos land the plugin runner is unnecessary. Dracut
> already has console and Plymouth ask-password commands. The little
> systemd service I 'created' is run in tandem with all other relevant
> password retrieval pieces. The network pieces are handled by other
> dracut modules and can deal with bonded interfaces, VPN, etc.

Huh, I do not recall dracut being this advanced last I checked, but this
was some time ago.  Do you know if this behavior occurs both with and
without systemd?

> Given that, how would you prefer to proceed? I'm wondering if the
> actual client portion could be split out into a separate little
> program. So all the avahi setup and anything needed to set up networks
> in its own area. Then a network client that requires the keys and IP
> and port and does its thing. In fedora and derivatives we simply
> install that little client and the system services. In Debian and
> derivatives you include the entire plugin runner? Thoughts?

The Avahi setup in mandos-client is necessary in the normal use case; it
is how the client finds Mandos servers using ZeroConf, and it is not
called at all when using --connect.  We want to keep ZeroConf as the
default, since this is the easiest way to set the whole system up: just
start a Mandos server on the same network, add the client info to it,
and it all just works.

Also, a split is unnecessary; just specify --interfaces=none to
mandos-client, and it will not do *anything* to any interfaces and will
simply use any interfaces that are already available and configured.

Do you have any other reasons for wanting a split?

> For my test today I'm going to modify the mandos client to grab some
> variables from the environment. I'm still using non-Avahi connection
> methods. I noticed that the code has a comment about that code path
> being for testing purposes. I'm wondering why? I have a handful of
> servers, but most are in separate data centers, so avahi is useless to
> me if I'm not mistaken.

Well, that particular code was initially written for our own testing
purposes; we did not envision the scenario of remote Mandos servers to
be common.  But the code path is supported; off the top of my head I
would say that the comment "(Mainly meant for debugging)" reflects our
expected use case, and is not indicative of the level of support for
the code.

/Teddy Hogeborn

-- 
The Mandos Project
http://www.recompile.se/mandos