mandos-client on Debian Buster

Birger Brunswiek birger at brunswiek.org
Tue Sep 3 14:25:28 CEST 2019


On 30.08.19 22:08, Teddy Hogeborn wrote:
> Birger Brunswiek <birger at brunswiek.org> writes:
>
>> I was wondering if anyone has successfully used mandos-client on Debian
>> Buster with cryptroot.
> Well, yes; we do.  It works fine with the new initramfs-tools.
>
>> It seems that Buster's cryptsetup-initramfs is
>> very different from Stretch's cryptsetup. For example in the generated
>> initrd there is no conf/conf.d/cryptroot. Instead there is a
>> etc/crypttab which has a different format (the same as /etc/crypttab on
>> the host). Thus the change introduced in
>> https://bzr.recompile.se/loggerhead/mandos/trunk/revision/961 seems
>> wrong.
> Fixing Mandos to work with the new initramfs was Debian bug #904899
> <https://bugs.debian.org/904899> and was done in bzr revision 953:
> <https://bzr.recompile.se/loggerhead/mandos/trunk/revision/953>.
>
>> Reboot worked again once I downgraded to Stretch's cryptsetup
>> (2:1.7.3-4). It still did not open any other devices but the root
>> device. I am still looking into this.
> The fix was introduced in Mandos 1.7.20; the latest version in both
> unstable and testing is now 1.8.8.  What version did you have trouble with?

I cannot really reconstruct which version I was using, but I am pretty
sure it was 1.8.0 or newer. I was looking into the new support for TLS
keys. However, I cannot reconstruct the events that led to the issue. I
believe I must have had a pre-953 initramfs-tools-script, as I do not
remember seeing the mandos-to-cryptroot-unlock part of the if. However,
I cannot think of any way this could have happened, so I probably messed
up something. Anyway, after upgrading to 1.8.7 and also upgrading
cryptsetup, including cryptsetup-initramfs, it all works as expected.

Well, there is one more issue. Only my root device is decrypted at boot
time. Before I upgraded cryptsetup and cryptsetup-initramfs I could work
around the issue by reverting revision 906
(https://bzr.recompile.se/loggerhead/mandos/trunk/revision/906). With
the new cryptsetup, mandos-to-cryptroot-unlock is used, but the issue is
essentially the same. The retrieved key is only used to decrypt the root
device, but not the other devices scripts/local-top/cryptroot wants to open.
If I remove the break at
https://bzr.recompile.se/loggerhead/mandos/trunk/view/970/mandos-to-cryptroot-unlock#L72
it works. The better way is probably to restart the inner loop. Even
better would be to determine how many devices still need to be opened
and only break if there are none left.

Cheers,
Birger
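The counting approach suggested at the end of the message, as an added shell example that is not Mandos' own mandos-to-cryptroot-unlock code: it parses a crypttab in the initramfs format mentioned above (the same layout as /etc/crypttab), counts the targets that still have no device node, and keeps invoking an unlock command until none remain, instead of breaking after the first one. The crypttab path, the mapper directory and the unlock command are caller-supplied parameters (assumptions, since the real script's structure is not shown here).

```shell
#!/bin/sh
# Added example, not the Mandos script itself.  In a real initramfs the
# arguments would be /etc/crypttab and /dev/mapper (assumptions); here they
# are parameters so the logic can be exercised against constructed files.

# Print the number of crypttab targets with no device node under MAPPER_DIR.
# Usage: remaining_devices CRYPTTAB MAPPER_DIR
remaining_devices() {
    crypttab=$1
    mapper=$2
    count=0
    # crypttab fields: target source key-file options; '#' starts a comment.
    while read -r target _source _key _options; do
        case $target in
            ''|'#'*) continue ;;
        esac
        [ -e "$mapper/$target" ] || count=$((count + 1))
    done < "$crypttab"
    echo "$count"
}

# Run UNLOCK_CMD repeatedly until every listed target is open or MAX_TRIES
# is exhausted.  Returns 0 when nothing is left to open, 1 otherwise, so the
# caller only stops (the "break") when the remaining count really is zero.
# Usage: unlock_all CRYPTTAB MAPPER_DIR MAX_TRIES UNLOCK_CMD [ARGS...]
unlock_all() {
    crypttab=$1; mapper=$2; max=$3; shift 3
    tries=0
    while [ "$(remaining_devices "$crypttab" "$mapper")" -gt 0 ]; do
        [ "$tries" -lt "$max" ] || return 1
        tries=$((tries + 1))
        "$@" || return 1
    done
    return 0
}
```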

