Mandos-client failing when run inside initramfs of Ubuntu 24.04

Joe Rhodes joe at joerhodes.com
Wed May 15 17:55:21 CEST 2024


Hello!

I’ve been using Mandos server/client for a while now with Ubuntu 22.04. Recently, I’ve attempted to use it under Ubuntu 24.04 and the client is failing. The critical log messages (when using --debug) are:

Mandos plugin mandos-client: Closing TLS session
Mandos plugin mandos-client: GnuTLS: WRITE FLUSH: 0 bytes in buffer.
Mandos plugin mandos-client: GnuTLS: ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:668
Mandos plugin mandos-client: GnuTLS: REC: Sending Alert[1|0] - Close notify
Mandos plugin mandos-client: GnuTLS: REC[0x5f24f0f7b610]: Preparing Packet Alert(21) with length: 2 and min pad: 0
Mandos plugin mandos-client: GnuTLS: ENC[0x5f24f0f7b610]: cipher: AES-256-GCM, MAC: AEAD, Epoch: 2
Mandos plugin mandos-client: GnuTLS: WRITE: enqueued 24 bytes for 0x5. Total 24 bytes.
Mandos plugin mandos-client: GnuTLS: WRITE FLUSH: 24 bytes in buffer.
Mandos plugin mandos-client: GnuTLS: WRITE: wrote 24 bytes, 0 bytes left.
Mandos plugin mandos-client: GnuTLS: REC[0x5f24f0f7b610]: Sent Packet[1] Alert(21) in epoch 2 and length: 24
Mandos plugin mandos-client: Trying to decrypt OpenPGP data
Mandos plugin mandos-client: bad gpgme_op_decrypt: GnuPG: No secret key
Mandos plugin mandos-client: Wrong key usage: No
Mandos plugin mandos-client: Public key algorithm: RSA
Mandos plugin mandos-client: Key ID: 53C68F92563C776C
Mandos plugin mandos-client: Secret key available: Yes
Mandos plugin mandos-client: GnuTLS: REC[0x5f24f0f7b610]: Start of epoch cleanup
Mandos plugin mandos-client: GnuTLS: REC[0x5f24f0f7b610]: End of epoch cleanup
Mandos plugin mandos-client: GnuTLS: REC[0x5f24f0f7b610]: Epoch #2 freed
Mandos plugin mandos-client: Retrying in 10 seconds
^CMandos plugin mandos-client: /lib/mandos/plugins.d/mandos-client exiting due to signal 2: Interrupt
Mandos plugin mandos-client: Ignoring hook "." - not a file
Mandos plugin mandos-client: Ignoring hook ".." - not a file
Mandos plugin mandos-client: No interfaces needed to be taken down
Mandos plugin mandos-client: Unlinking "/run/tmp/mandosHTUCr1/pubring.kbx"
Mandos plugin mandos-client: Unlinking "/run/tmp/mandosHTUCr1/pubring.kbx~"
Mandos plugin mandos-client: Unlinking "/run/tmp/mandosHTUCr1/trustdb.gpg"

I am running mandos-client 1.8.16 that is included in Ubuntu 24.04.

In an effort to get some better logging and diagnostics, I’ve discovered that I can re-create this issue by exploding the initramfs image to my filesystem, bind-mount the correct /dev /sys and /proc partitions and chroot into that filesystem. 

I’ve used the following command for testing inside this chroot environment:

/lib/mandos/plugins.d/mandos-client --pubkey=/conf/conf.d/mandos/pubkey.txt --seckey=/conf/conf.d/mandos/seckey.txt --connect=172.31.0.162:62379 --tls-privkey=/conf/conf.d/mandos/tls-privkey.pem --tls-pubkey=/conf/conf.d/mandos/tls-pubkey.pem --debug


In an effort to compare against a working version, I’ve copied an initramfs image from an Ubuntu 22.04 instance and exploded it on the same machine. I copied the very same keys into that file system, and when in chroot, the command works as expected:

/lib/mandos/plugins.d/mandos-client --pubkey=/conf/conf.d/mandos/pubkey.txt --seckey=/conf/conf.d/mandos/seckey.txt --connect=172.31.0.162:62379 --tls-privkey=/conf/conf.d/mandos/tls-privkey.pem --tls-pubkey=/conf/conf.d/mandos/tls-pubkey.pem --debug

<GnuTLS lines omitted for brevity>
Mandos plugin mandos-client: Closing TLS session
Mandos plugin mandos-client: GnuTLS: WRITE FLUSH: 0 bytes in buffer.
Mandos plugin mandos-client: GnuTLS: ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:696
Mandos plugin mandos-client: GnuTLS: REC: Sending Alert[1|0] - Close notify
Mandos plugin mandos-client: GnuTLS: REC[0x601fd5713920]: Preparing Packet Alert(21) with length: 2 and min pad: 0
Mandos plugin mandos-client: GnuTLS: ENC[0x601fd5713920]: cipher: AES-256-GCM, MAC: AEAD, Epoch: 2
Mandos plugin mandos-client: GnuTLS: WRITE: enqueued 24 bytes for 0x5. Total 24 bytes.
Mandos plugin mandos-client: GnuTLS: WRITE FLUSH: 24 bytes in buffer.
Mandos plugin mandos-client: GnuTLS: WRITE: wrote 24 bytes, 0 bytes left.
Mandos plugin mandos-client: GnuTLS: REC[0x601fd5713920]: Sent Packet[1] Alert(21) in epoch 2 and length: 24
Mandos plugin mandos-client: Trying to decrypt OpenPGP data
Mandos plugin mandos-client: Decryption of OpenPGP data succeeded
Mandos plugin mandos-client: Decrypted password is: 6A 6F 65 72 68 6F 64 65 73  joerhodesMandos plugin mandos-client: GnuTLS: REC[0x601fd5713920]: Start of epoch cleanup
Mandos plugin mandos-client: GnuTLS: REC[0x601fd5713920]: End of epoch cleanup
Mandos plugin mandos-client: GnuTLS: REC[0x601fd5713920]: Epoch #2 freed
Mandos plugin mandos-client: /lib/mandos/plugins.d/mandos-client exiting
Mandos plugin mandos-client: Ignoring hook "." - not a file
Mandos plugin mandos-client: Ignoring hook ".." - not a file
Mandos plugin mandos-client: No interfaces needed to be taken down
Mandos plugin mandos-client: Unlinking "/run/tmp/mandos7iZpAg/private-keys-v1.d"
Mandos plugin mandos-client: Unlinking "private-keys-v1.d/39A8C95E682740801D832E81656EA71BD193DE5E.key"
Mandos plugin mandos-client: Unlinking "private-keys-v1.d/3DD38971A5315226E4B05FDFF634EF54D97755C1.key"
Mandos plugin mandos-client: Unlinking "/run/tmp/mandos7iZpAg/pubring.kbx"
Mandos plugin mandos-client: Unlinking "/run/tmp/mandos7iZpAg/pubring.kbx~"
Mandos plugin mandos-client: Unlinking "/run/tmp/mandos7iZpAg/trustdb.gpg"

The version of mandos-client running inside that image is mandos-client: mandos-client 1.8.14.  Slightly older as it’s an older version of Ubuntu.

If I run the mandos-client 1.18.16 natively in the root file system of the 24.04 machine (not doing the chroot into the initramfs), it decrypts correctly:

/usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt --connect=172.31.0.162:62379 --tls-privkey=/etc/keys/mandos/tls-privkey.pem --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem --debug

Mandos plugin mandos-client: Closing TLS session
Mandos plugin mandos-client: GnuTLS: WRITE FLUSH: 0 bytes in buffer.
Mandos plugin mandos-client: GnuTLS: ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:668
Mandos plugin mandos-client: GnuTLS: REC: Sending Alert[1|0] - Close notify
Mandos plugin mandos-client: GnuTLS: REC[0x5695d20507f0]: Preparing Packet Alert(21) with length: 2 and min pad: 0
Mandos plugin mandos-client: GnuTLS: ENC[0x5695d20507f0]: cipher: AES-256-GCM, MAC: AEAD, Epoch: 2
Mandos plugin mandos-client: GnuTLS: WRITE: enqueued 24 bytes for 0x5. Total 24 bytes.
Mandos plugin mandos-client: GnuTLS: WRITE FLUSH: 24 bytes in buffer.
Mandos plugin mandos-client: GnuTLS: WRITE: wrote 24 bytes, 0 bytes left.
Mandos plugin mandos-client: GnuTLS: REC[0x5695d20507f0]: Sent Packet[1] Alert(21) in epoch 2 and length: 24
Mandos plugin mandos-client: Trying to decrypt OpenPGP data
Mandos plugin mandos-client: Decryption of OpenPGP data succeeded
Mandos plugin mandos-client: Decrypted password is: 6A 6F 65 72 68 6F 64 65 73  joerhodesMandos plugin mandos-client: GnuTLS: REC[0x5695d20507f0]: Start of epoch cleanup
Mandos plugin mandos-client: GnuTLS: REC[0x5695d20507f0]: End of epoch cleanup
Mandos plugin mandos-client: GnuTLS: REC[0x5695d20507f0]: Epoch #2 freed
Mandos plugin mandos-client: /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client exiting
Mandos plugin mandos-client: Network hook directory "/lib/mandos/network-hooks.d" not found
Mandos plugin mandos-client: No interfaces needed to be taken down
Mandos plugin mandos-client: Unlinking "/run/tmp/mandos4DK8AK/private-keys-v1.d"
Mandos plugin mandos-client: Unlinking "private-keys-v1.d/39A8C95E682740801D832E81656EA71BD193DE5E.key"
Mandos plugin mandos-client: Unlinking "private-keys-v1.d/3DD38971A5315226E4B05FDFF634EF54D97755C1.key"
Mandos plugin mandos-client: Unlinking "/run/tmp/mandos4DK8AK/pubring.kbx"
Mandos plugin mandos-client: Unlinking "/run/tmp/mandos4DK8AK/pubring.kbx~"
Mandos plugin mandos-client: Unlinking "/run/tmp/mandos4DK8AK/trustdb.gpg"

So it seems that the mandos-client only fails when it’s running inside the initramfs of the 24.04 machine.

Inside the initramfs 22.04 image:
# busybox 
BusyBox v1.30.1 (Ubuntu 1:1.30.1-7ubuntu3) multi-call binary.
mandos-client 1.8.14.

Inside the initramfs 24.04 image: 
# busybox
BusyBox v1.36.1 (Ubuntu 1:1.36.1-6ubuntu3) multi-call binary.
mandos-client 1.18.16 

Any help would be greatly appreciated!

Cheers!
-Joe 
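The reproduction procedure described in the post (explode the initramfs, bind-mount /dev, /sys and /proc, chroot, run mandos-client with --debug) as a script, so the 22.04 and 24.04 images can be driven identically and their logs compared. This is an added example, not code from the post or from the Mandos project. It assumes root privileges, Ubuntu's unmkinitramfs(8) from initramfs-tools, and that the keys have already been copied into the unpacked tree at /conf/conf.d/mandos as in the post; the server address and key directory are parameters. The listing of gpg binaries is a suggested comparison point, not something the post states: the working logs unlink private-keys-v1.d/*.key at cleanup and the failing log does not.

```shell
#!/bin/sh
# Added example (not from the original post or the Mandos project): the
# poster's manual chroot reproduction as a script. Assumes root, Ubuntu's
# unmkinitramfs(8), and keys already present under $root/conf/conf.d/mandos.
set -eu

# Build the mandos-client invocation the post uses, after checking that each
# key file exists under $root$keydir. Prints the command line on success;
# prints an error and returns 1 if any key file is missing.
#   mandos_cmd ROOT KEYDIR SERVER
mandos_cmd() {
    root=$1; keydir=$2; server=$3
    for f in pubkey.txt seckey.txt tls-privkey.pem tls-pubkey.pem; do
        if [ ! -f "$root$keydir/$f" ]; then
            echo "missing key file: $root$keydir/$f" >&2
            return 1
        fi
    done
    printf '%s\n' "/lib/mandos/plugins.d/mandos-client --pubkey=$keydir/pubkey.txt --seckey=$keydir/seckey.txt --connect=$server --tls-privkey=$keydir/tls-privkey.pem --tls-pubkey=$keydir/tls-pubkey.pem --debug"
}

# Unpack an initramfs image into $dest and print the directory holding the
# real root. Ubuntu images carry early-microcode cpio archives in front of
# the main one; unmkinitramfs splits them into early*/ and main/.
unpack_initramfs() {
    img=$1; dest=$2
    mkdir -p "$dest"
    unmkinitramfs "$img" "$dest"
    if [ -d "$dest/main" ]; then
        printf '%s\n' "$dest/main"
    else
        printf '%s\n' "$dest"
    fi
}

# Bind-mount the pseudo-filesystems, print what the image carries, and run
# the client inside the chroot. Mounts are torn down on exit, including ^C.
run_in_chroot() {
    root=$1; keydir=$2; server=$3
    cmd=$(mandos_cmd "$root" "$keydir" "$server")
    for d in dev sys proc; do mount --bind "/$d" "$root/$d"; done
    trap 'for d in proc sys dev; do umount "$root/$d" 2>/dev/null || true; done' EXIT INT TERM
    # Versions of the pieces involved, for the side-by-side comparison
    # (busybox prints its banner on stderr).
    chroot "$root" busybox 2>&1 | head -n 1
    chroot "$root" /lib/mandos/plugins.d/mandos-client --version
    # Suggested comparison point (an assumption, not from the post): the
    # failing run never lists private-keys-v1.d/*.key at cleanup, so show
    # which gpg-related binaries this image ships.
    chroot "$root" /bin/sh -c 'ls -l /usr/bin/gpg* 2>/dev/null || echo "no gpg binaries found"'
    chroot "$root" /bin/sh -c "$cmd"
}

# Usage: sh repro.sh /path/to/initrd.img 172.31.0.162:62379
# (run once against the 22.04 image and once against the 24.04 image)
if [ $# -eq 2 ]; then
    work=$(mktemp -d)
    root=$(unpack_initramfs "$1" "$work")
    run_in_chroot "$root" /conf/conf.d/mandos "$2"
fi
```

Run it once per unpacked image and diff the two debug logs; mandos_cmd refuses to start the client if any of the four key files is missing from the tree, which rules out a bad key copy before the chroot is set up.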