Cannot decrypt swap partition with Mandos inside a LV (LVM)
Teddy Hogeborn
teddy at recompile.se
Sat May 31 23:32:02 CEST 2014
Olivier Molinete <olivier at molinete.org> writes:
> Yep, that's right. You can use both setups (LVM on LUKS or LUKS on
> LVM). I prefer LUKS on LVM for the reasons you can find on the
> comparison table at
> https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Overview
If I read that table correctly, the only downside to LVM-on-LUKS
(compared to LUKS-on-LVM) is if you want multiple keys on separate
partitions. Which you presumably don't. So I really don't see the
advantage. But you are free to do whatever you like, of course.
> Now, my problem is a different one: Yesterday, everything worked
> flawlessly, but now I don't know if I'm doing something wrong, because
> the machine with mandos-client does not get the password from the
> mandos(-server) on another machine.
>
[...]
> Host with mandos(-server): (Called "imandos01", on 192.168.1.165)
> ==========================
[...]
> /etc/mandos/clients.conf:
> -------------------------
[...]
> [all-in-one]
> approved_by_default = True
> enabled = True
> host = all-in-one
> #host = 192.168.1.100
> fingerprint = C978376F75A37FCC1DCCF44F7EF7AA808895F276
> secret =
> hQIMAwyhKB/kSSbzARAAqjg0cXIeisdbU+KejPvcd8Wnyv5fBtf0PgEds4QMVZY3
> LmLq4j3mM7uXWK1/K4AKFPHTY24N7DtvEUpVncCXkV4ajuPyoYGqZaYRVp1jGsp2
> [...]
> 63+Nahwibhsj+ipFQToCQMIGkweFC8P5QWsuVyQblVUE6M2ANi4ig9cK7tMrC6VC
> m2bYTxkv
This should mean that the Mandos server should have a client with that
fingerprint, and yet:
[...]
> And this is what mandos-monitor shows:
> --------------------------------------
>
> 2014-05-30T12:47:11.519245: Client with address ::ffff:192.168.1.100 and
> fingerprint C978376F75A37FCC1DCCF44F7EF7AA808895F276 could not be found
This message means that everything worked fine, except that the server
does not have such a client in its list. But it should, according to
the above clients.conf. Does mandos-monitor show an "all-in-one" client?
If you run the command "mandos-ctl --verbose all-in-one", does it show
the correct fingerprint for the client?
> - What am I doing wrong or missing?
> - On the other hand, does mandos have any kind of log? I searched the
> documentation and found nothing related :(
The "mandos-monitor" command, if running, shows most interesting
events.
/Teddy Hogeborn
--
The Mandos Project
http://www.recompile.se/mandos
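
Added example (not part of the original message and not the Mandos project's code): an offline check for the situation discussed above, matching the fingerprint in a "could not be found" line against the fingerprints listed in a clients.conf. The sample file contents, the placeholder secret and the function names are constructed for illustration, and the whitespace and case normalization of fingerprints is an assumption.

```python
import configparser
import re

# Constructed sample modelled on the clients.conf quoted in the message.
# The secret lines are placeholders, not real key material.
CLIENTS_CONF = """\
[all-in-one]
approved_by_default = True
enabled = True
host = all-in-one
fingerprint = C978 376F 75A3 7FCC 1DCC  F44F 7EF7 AA80 8895 F276
secret =
    PLACEHOLDER-LINE-1
    PLACEHOLDER-LINE-2
"""

# The mandos-monitor message from the thread, wrapped as it was in the mail.
MONITOR_LOG = """\
2014-05-30T12:47:11.519245: Client with address ::ffff:192.168.1.100 and
fingerprint C978376F75A37FCC1DCCF44F7EF7AA808895F276 could not be found
"""

NOT_FOUND = re.compile(
    r"Client\s+with\s+address\s+(\S+)\s+and\s+fingerprint\s+([0-9A-Fa-f]+)"
    r"\s+could\s+not\s+be\s+found")


def normalize(fingerprint):
    # Assumption: fingerprints compare equal after removing whitespace
    # and upper-casing, so "C978 376F ..." matches "C978376F...".
    return re.sub(r"\s+", "", fingerprint).upper()


def configured_fingerprints(conf_text):
    """Map each normalized fingerprint in clients.conf to its section name."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {normalize(parser[name]["fingerprint"]): name
            for name in parser.sections() if "fingerprint" in parser[name]}


def diagnose(conf_text, log_text):
    """Return (address, fingerprint, section or None) per rejected client."""
    known = configured_fingerprints(conf_text)
    return [(addr, fpr, known.get(normalize(fpr)))
            for addr, fpr in NOT_FOUND.findall(log_text)]


if __name__ == "__main__":
    for addr, fpr, section in diagnose(CLIENTS_CONF, MONITOR_LOG):
        where = f"listed as [{section}]" if section else "not listed"
        print(f"{addr} {fpr}: {where} in clients.conf")
```

A fingerprint that is listed in the file yet reported as not found is the case in this thread; the follow-up is the one asked for above, comparing against what the running server reports with "mandos-ctl --verbose all-in-one".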