Mandos-client fails decode

Teddy Hogeborn teddy at recompile.se
Wed Mar 2 17:33:52 CET 2016


Dick Middleton <dick at lingbrae.com> writes:

> I'm now using mandos-client 1.7.3 on a Stretch system.
>
> If I test mandos-client fetching passcode it is successful.  However
> at boot time it consistently fails to unlock the disk.  It reports:
>
> bad gpme_op_decode: GPME decryption failed

I don't know what that could be; you say it's working when you run
mandos-client on a running system, but fails in the initramfs?
What does the "gpgconf" command output?

What happens if you generate a new entry for the Mandos server's
/etc/mandos/clients.conf file by running "mandos-keygen --password
--force" on the client, install the entry in the server and restart the
Mandos server process?

> I get these symptoms on another system too.  This other system is a
> Via mini-itx thingy which is relatively slow 1.2GHz 32bit x86 cpu.
> Also running Stretch with mandos-client 1.7.3.
> 
> When testing mandos-client on this slow machine it can take up to
> 3mins to get the passphrase.  During this time it is running at 100%
> cpu.
> 
> Using debug these are the last message shown during that time:
> 
> Mandos plugin mandos-client: This OpenPGP key implies using a GnuTLS security parameter "High".
> Mandos plugin mandos-client: A "High" GnuTLS security parameter implies 3072 DH bits; using that.

That is unrelated; those messages, and the delay, all mean that
mandos-client is not invoked with the --dh-params option (or that the
file so specified was unusable for some reason), so it is not using a DH
parameters file, and taking some time to generate new DH parameters each
boot.

> and when the time is up it is followed by this:
> 
> Mandos plugin mandos-client: Tempdir /run/tmp/mandosMYxeRj did not work,
> trying /tmp/mandosXXXXXX

That message is normal; it can be ignored.

> I took the trouble of regenerating the dhparams but it makes no
> difference.

Based on the above messages, I am sure that mandos-client is not using
the dhparams.pem file - it may even be that no such file exists in the
initramfs.

> As I mentioned I'm using Stretch (not Sid) and I'm wondering if
> there's some other significant difference. I've only seen these
> problems on Stretch. Jessie worked OK.

We use jessie here.  

> Would reporting problem using reportbug help?

I don't think so.  What would mostly help is debug output from
mandos-client when run from the initramfs, since that is where you can
reproduce the problem.

/Teddy Hogeborn

-- 
The Mandos Project
http://www.recompile.se/mandos