Mandos-client fails decode

Dick Middleton dick at lingbrae.com
Sat Mar 5 15:15:54 CET 2016


On 03/04/16 23:17, Teddy Hogeborn wrote:
> Dick Middleton <dick at lingbrae.com> writes:
> 
>>>> I'm now using mandos-client 1.7.3 on a Stretch system.
>>>>
>>>> If I test mandos-client fetching passcode it is successful.
>>>> However at boot time it consistently fails to unlock the disk.  It
>>>> reports:
>>>>
>>>> bad gpme_op_decode: GPME decryption failed
>>>

>> Where is the default location for the file?  Installer puts it in
>> /etc/keys/mandos/dhparams.pem ?
>>
>> It's got 600 permissions and owned by root.

> Yes.  It's not actually used from there; it's copied into the initramfs
> and used from there at boot, just like the key files.

I looked at the initramfs image and the dhparams file is included.  It suggests to
me that mandos-client is not picking up the dhparams file correctly.

All the mandos content is in <initramfs>/conf/conf.d/mandos

>> But, on my desktop (amd64) it segfaults when dh-params option given:
>>
>> Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/S.gpg-agent"
>> Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/private-keys-v1.d"
>> Mandos plugin mandos-client: Unlinking
>> "private-keys-v1.d/13DBD26E0DC10CE96543319E414937C7EEC55184.key"
>> Mandos plugin mandos-client: Unlinking
>> "private-keys-v1.d/CBCE568BDECE4A0147CA114196184F834909A49E.key"
>> Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/pubring.kbx"
>> Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/pubring.kbx~"
>> Mandos plugin mandos-client: Unlinking "/tmp/mandosw2gt4j/trustdb.gpg"
>> Floating point exception
> 
> That is very strange. 

Today it reports just "Segmentation fault" at the same point.  If I run it
without debug it reports "illegal instruction".  I look forward to tomorrow's
variation :)

> Just to be clear, the program itself doesn't do any significant floating
> point operations, and neither do any libraries it uses have any reason
> for doing so.

I think floating point might be spurious.  It's just a segfault.

I've been playing about with initramfs trying to find anything not working.
This is a bit of a long shot but if I chroot into the initramfs file system
and try to run plugin-runner I get the following:

Mandos plugin mandos-client: Initializing GnuTLS
Mandos plugin mandos-client: Attempting to use OpenPGP public key
/conf/conf.d/mandos/pubkey.txt and secret key /conf/conf.d/mandos/seckey.txt
as GnuTLS credentials

I get the same if I run mandos-client directly:

Mandos plugin mandos-client: Error[-64] while reading the OpenPGP key pair
('./pubkey.txt', './seckey.txt')
Mandos plugin mandos-client: The GnuTLS error is: Error while reading file.
Mandos plugin mandos-client: init_gnutls_global failed

N.B. /proc, /sys and /dev exist in the chroot and I've added debug and
interface to plugin-runner.conf.

It can find plugin-runner and plugin-runner.conf but croaks on the keyfiles.
Both keyfiles exist and are accessible.

These all work if I'm not chrooted, which suggests there's something missing
from initramfs.  What is gnu/pgp using to access these files?

Dick

-- 
Dick Middleton
dick at lingbrae.com

