Cannot decrypt swap partition with Mandos inside a LV (LVM)
Olivier Molinete
olivier at molinete.org
Sun Jun 1 01:46:41 CEST 2014
On 31/05/2014 23:32, Teddy Hogeborn wrote:
> Olivier Molinete <olivier at molinete.org> writes:
>
>> Yep, that's right. You can use both setups (LVM on LUKS or LUKS on
>> LVM). I prefer LUKS on LVM for the reasons you can find on the
>> comparison table at
>> https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Overview
>
> If I read that table correctly, the only downside to LVM-on-LUKS
> (compared to LUKS-on-LVM) is if you want multiple keys on separate
> partitions. Which you presumably don't. So I really don't see the
> advantage. But you are free to do whatever you like, of course.
You're right, but I found the feature of having different
passphrases for each partition interesting, although then my LVM structure will be
visible ;)
I'm a little bit paranoid, heh o:)
>> /etc/mandos/clients.conf:
>> -------------------------
> [...]
>> [all-in-one]
>> approved_by_default = True
>> enabled = True
>> host = all-in-one
>> #host = 192.168.1.100
>> fingerprint = C978376F75A37FCC1DCCF44F7EF7AA808895F276
>> secret =
>> hQIMAwyhKB/kSSbzARAAqjg0cXIeisdbU+KejPvcd8Wnyv5fBtf0PgEds4QMVZY3
>> LmLq4j3mM7uXWK1/K4AKFPHTY24N7DtvEUpVncCXkV4ajuPyoYGqZaYRVp1jGsp2
>> [...]
>> 63+Nahwibhsj+ipFQToCQMIGkweFC8P5QWsuVyQblVUE6M2ANi4ig9cK7tMrC6VC
>> m2bYTxkv
>
> This should mean that the Mandos server should have a client with that
> fingerprint, and yet:
>
>> And this is what mandos-monitor shows:
>> --------------------------------------
>>
>> 2014-05-30T12:47:11.519245: Client with address ::ffff:192.168.1.100 and
>> fingerprint C978376F75A37FCC1DCCF44F7EF7AA808895F276 could not be found
>
> This message means that everything worked fine, except that the server
> does not have such a client in its list. But it should, according to
> the above clients.conf.
Yes, that's right.
> Does mandos-monitor show a "all-in-one" client?
> If you run the command "mandos-ctl --verbose all-in-one", does it show
> the correct fingerprint for the client?
mandos-monitor does not show anything at this moment in the upper
half of the screen, only this in the lower half:
2014-06-01T01:38:28.137928: Client with address ::ffff:192.168.1.100 and
fingerprint C978376F75A37FCC1DCCF44F7EF7AA808895F276 could not be found
Here's the output for the "# mandos-ctl --verbose all-in-one" command:
[01:39]-[root at imandos01:~] # mandos-ctl --verbose all-in-one
Client not found on server: 'all-in-one'
[01:39]-[root at imandos01:~] # mandos-ctl --verbose 192.168.1.100
Client not found on server: '192.168.1.100'
[01:39]-[root at imandos01:~] #
> The "mandos-monitor" command, if running, shows most interesting
> events.
>
> /Teddy Hogeborn
Nope. In my case, it only shows the same message every 10 seconds at
this time:
2014-06-01T01:38:28.137928: Client with address ::ffff:192.168.1.100 and
fingerprint C978376F75A37FCC1DCCF44F7EF7AA808895F276 could not be found
I saw your other post about the clients.pickle file, so I will tell you
what I will do in a reply to that message :)
Thank you again, Teddy ;)
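The situation in this thread is a clients.conf that carries a client section with a given fingerprint while mandos-monitor keeps logging that a client with that fingerprint "could not be found". Before looking at server state, it is worth checking mechanically that the fingerprint the server logs is byte-for-byte the one in the file (case, stray whitespace, length). The script below does that cross-check. It is an added example written for this page, not code from the Mandos project; the clients.conf text and the log line are constructed samples modelled on what is quoted above, with the secret replaced by a placeholder, and the function names (`parse_not_found`, `load_clients`, `diagnose`) are mine.

```python
import configparser
import re

# Constructed sample clients.conf, modelled on the one quoted in the thread.
# The real file carries a base64 OpenPGP-encrypted secret; a placeholder is used here.
SAMPLE_CLIENTS_CONF = """\
[DEFAULT]
timeout = PT5M

[all-in-one]
approved_by_default = True
enabled = True
host = all-in-one
#host = 192.168.1.100
fingerprint = C978376F75A37FCC1DCCF44F7EF7AA808895F276
secret = PLACEHOLDER-NOT-A-REAL-SECRET
"""

# Constructed sample of the mandos-monitor line quoted in the thread.
SAMPLE_LOG_LINE = (
    "2014-06-01T01:38:28.137928: Client with address ::ffff:192.168.1.100 and "
    "fingerprint C978376F75A37FCC1DCCF44F7EF7AA808895F276 could not be found"
)

LOG_RE = re.compile(
    r"Client with address (?P<addr>\S+) and fingerprint "
    r"(?P<fpr>[0-9A-Fa-f ]+?) could not be found"
)


def normalise_fpr(fpr):
    """Strip whitespace and upper-case, so 'c9 78 ...' and 'C978...' compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_not_found(line):
    """Return (address, fingerprint) from a 'could not be found' monitor line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m.group("addr"), normalise_fpr(m.group("fpr"))


def load_clients(conf_text):
    """Map each client section name to its normalised fingerprint (None if missing).

    clients.conf is an INI-style file; [DEFAULT] is excluded from sections().
    Interpolation is disabled so '%' in values can never raise.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    clients = {}
    for name in cp.sections():
        fpr = cp.get(name, "fingerprint", fallback=None)
        clients[name] = normalise_fpr(fpr) if fpr else None
    return clients


def fingerprint_is_wellformed(fpr):
    """An OpenPGP v4 fingerprint is 160 bits, i.e. 40 hex digits."""
    return re.fullmatch(r"[0-9A-F]{40}", normalise_fpr(fpr)) is not None


def diagnose(conf_text, log_line):
    """Cross-check a monitor line against clients.conf.

    Returns (status, section_names):
      'unparsed'        the line is not a 'could not be found' message
      'malformed'       the logged fingerprint is not 40 hex digits
      'in-config'       the file has a section with that fingerprint, so the
                        running server's client list disagrees with the file
      'not-in-config'   no section carries that fingerprint
    """
    parsed = parse_not_found(log_line)
    if parsed is None:
        return "unparsed", []
    _addr, fpr = parsed
    if not fingerprint_is_wellformed(fpr):
        return "malformed", []
    clients = load_clients(conf_text)
    names = sorted(n for n, f in clients.items() if f == fpr)
    return ("in-config" if names else "not-in-config"), names


if __name__ == "__main__":
    status, names = diagnose(SAMPLE_CLIENTS_CONF, SAMPLE_LOG_LINE)
    print(status, names)
```

Run it against the real file with `diagnose(open("/etc/mandos/clients.conf").read(), line)` for a line copied from mandos-monitor. An `in-config` result is exactly the state described in this thread: the file on disk is right, so the fault lies in what the running server loaded, not in clients.conf. A `not-in-config` result with the same fingerprint visible in the file usually means a stray character or a wrapped line in the fingerprint value.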
More information about the Mandos-Dev mailing list