Mandos-client failing when run inside initramfs of Ubuntu 24.04

Joe Rhodes joe at joerhodes.com
Thu May 16 21:11:21 CEST 2024


So answering my own question:

The issue is that the gpg-agent and gpgconfig binaries are not being included in the initramfs under Ubuntu 24.04. That stems from the fact that the libgpgme11 library has been renamed in 24.04 to libgpgme11t64. Because of that, the initramfs hook /usr/share/initramfs-tools/hooks/mandos doesn't work correctly. Specifically, line 183 of that script:

libgpgme11_version="`dpkg-query --showformat='${Version}' --show libgpgme11`"

That line returns an empty string under Ubuntu 24.04 but works correctly under 22.04. It then doesn't match the logic conditions later on, and the gpg utilities do not get included. A simple fix that allows it to work on both Ubuntu 22.04 and 24.04 would be to just add an asterisk at the end of that line:

libgpgme11_version="`dpkg-query --showformat='${Version}' --show libgpgme11*`"

This is the workaround I'll use for now. Not sure if it would be possible to get either this fix or something more sophisticated included in a new version?

Cheers!
-Joe 
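As an added example (not the mandos hook's own code; the function names are mine), here is the same version lookup written to try the 24.04 package name and then the 22.04 one, and to accept only a package in "installed" state, so a glob cannot concatenate several matching versions or pick up a removed-but-not-purged package. It assumes dpkg-query's `${db:Status-Status}` format field, which is available on both releases.

```shell
#!/bin/sh
# Added example, not the mandos initramfs hook's code.  Look up the
# installed libgpgme version by trying the package names used by
# Ubuntu 24.04 (libgpgme11t64) and 22.04 (libgpgme11) in turn, instead
# of globbing "libgpgme11*".

# Print "<status> <version>" for one package, or nothing if dpkg does
# not know it.  Kept in its own function so a test can replace it.
pkg_status_version() {
    dpkg-query --showformat='${db:Status-Status} ${Version}\n' \
        --show "$1" 2>/dev/null
}

# Print the version of the first candidate that is actually installed;
# return 1 if none is, so the caller can react instead of silently
# continuing with an empty string as the original hook line does.
gpgme_version() {
    for pkg in libgpgme11t64 libgpgme11; do
        set -- $(pkg_status_version "$pkg")
        # $1 is the status, $2 the version.  A removed-but-not-purged
        # package still carries a version, so the status check comes first.
        if [ "${1:-}" = installed ] && [ -n "${2:-}" ]; then
            printf '%s\n' "$2"
            return 0
        fi
    done
    return 1
}

# How a hook would use it: fail loudly rather than leave gpg out.
if libgpgme11_version=$(gpgme_version); then
    echo "libgpgme version: $libgpgme11_version"
else
    echo "no installed libgpgme11 or libgpgme11t64 found" >&2
fi
```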




> On May 15, 2024, at 11:55, Joe Rhodes <joe at joerhodes.com> wrote:
> 
> Hello!
> 
> I've been using Mandos server/client for a while now with Ubuntu 22.04. Recently, I've attempted to use it under Ubuntu 24.04 and the client is failing. The critical log messages (when using --debug) are:
> 
> Mandos plugin mandos-client: Closing TLS session
> Mandos plugin mandos-client: GnuTLS: WRITE FLUSH: 0 bytes in buffer.
> Mandos plugin mandos-client: GnuTLS: ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:668
> Mandos plugin mandos-client: GnuTLS: REC: Sending Alert[1|0] - Close notify
> Mandos plugin mandos-client: GnuTLS: REC[0x5f24f0f7b610]: Preparing Packet Alert(21) with length: 2 and min pad: 0
> Mandos plugin mandos-client: GnuTLS: ENC[0x5f24f0f7b610]: cipher: AES-256-GCM, MAC: AEAD, Epoch: 2
> Mandos plugin mandos-client: GnuTLS: WRITE: enqueued 24 bytes for 0x5. Total 24 bytes.
> Mandos plugin mandos-client: GnuTLS: WRITE FLUSH: 24 bytes in buffer.
> Mandos plugin mandos-client: GnuTLS: WRITE: wrote 24 bytes, 0 bytes left.
> Mandos plugin mandos-client: GnuTLS: REC[0x5f24f0f7b610]: Sent Packet[1] Alert(21) in epoch 2 and length: 24
> Mandos plugin mandos-client: Trying to decrypt OpenPGP data
> Mandos plugin mandos-client: bad gpgme_op_decrypt: GnuPG: No secret key
> Mandos plugin mandos-client: Wrong key usage: No
> Mandos plugin mandos-client: Public key algorithm: RSA
> Mandos plugin mandos-client: Key ID: 53C68F92563C776C
> Mandos plugin mandos-client: Secret key available: Yes
> Mandos plugin mandos-client: GnuTLS: REC[0x5f24f0f7b610]: Start of epoch cleanup
> Mandos plugin mandos-client: GnuTLS: REC[0x5f24f0f7b610]: End of epoch cleanup
> Mandos plugin mandos-client: GnuTLS: REC[0x5f24f0f7b610]: Epoch #2 freed
> Mandos plugin mandos-client: Retrying in 10 seconds
> ^CMandos plugin mandos-client: /lib/mandos/plugins.d/mandos-client exiting due to signal 2: Interrupt
> Mandos plugin mandos-client: Ignoring hook "." - not a file
> Mandos plugin mandos-client: Ignoring hook ".." - not a file
> Mandos plugin mandos-client: No interfaces needed to be taken down
> Mandos plugin mandos-client: Unlinking "/run/tmp/mandosHTUCr1/pubring.kbx"
> Mandos plugin mandos-client: Unlinking "/run/tmp/mandosHTUCr1/pubring.kbx~"
> Mandos plugin mandos-client: Unlinking "/run/tmp/mandosHTUCr1/trustdb.gpg"
> 
> I am running mandos-client 1.8.16 that is included in Ubuntu 24.04.
> 
> In an effort to get some better logging and diagnostics, I've discovered that I can re-create this issue by exploding the initramfs image to my filesystem, bind-mounting the correct /dev, /sys and /proc partitions and chrooting into that filesystem.
> 
> I've used the following command for testing inside this chroot environment:
> 
> /lib/mandos/plugins.d/mandos-client --pubkey=/conf/conf.d/mandos/pubkey.txt --seckey=/conf/conf.d/mandos/seckey.txt --connect=172.31.0.162:62379 --tls-privkey=/conf/conf.d/mandos/tls-privkey.pem --tls-pubkey=/conf/conf.d/mandos/tls-pubkey.pem --debug
> 
> 
> In an effort to compare against a working version, I've copied an initramfs image from an Ubuntu 22.04 instance and exploded it on the same machine. I copied the very same keys into that file system, and when in chroot, the command works as expected:
> 
> /lib/mandos/plugins.d/mandos-client --pubkey=/conf/conf.d/mandos/pubkey.txt --seckey=/conf/conf.d/mandos/seckey.txt --connect=172.31.0.162:62379 --tls-privkey=/conf/conf.d/mandos/tls-privkey.pem --tls-pubkey=/conf/conf.d/mandos/tls-pubkey.pem --debug
> 
> <GnuTLS lines omitted for brevity>
> Mandos plugin mandos-client: Closing TLS session
> Mandos plugin mandos-client: GnuTLS: WRITE FLUSH: 0 bytes in buffer.
> Mandos plugin mandos-client: GnuTLS: ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:696
> Mandos plugin mandos-client: GnuTLS: REC: Sending Alert[1|0] - Close notify
> Mandos plugin mandos-client: GnuTLS: REC[0x601fd5713920]: Preparing Packet Alert(21) with length: 2 and min pad: 0
> Mandos plugin mandos-client: GnuTLS: ENC[0x601fd5713920]: cipher: AES-256-GCM, MAC: AEAD, Epoch: 2
> Mandos plugin mandos-client: GnuTLS: WRITE: enqueued 24 bytes for 0x5. Total 24 bytes.
> Mandos plugin mandos-client: GnuTLS: WRITE FLUSH: 24 bytes in buffer.
> Mandos plugin mandos-client: GnuTLS: WRITE: wrote 24 bytes, 0 bytes left.
> Mandos plugin mandos-client: GnuTLS: REC[0x601fd5713920]: Sent Packet[1] Alert(21) in epoch 2 and length: 24
> Mandos plugin mandos-client: Trying to decrypt OpenPGP data
> Mandos plugin mandos-client: Decryption of OpenPGP data succeeded
> Mandos plugin mandos-client: Decrypted password is: 6A 6F 65 72 68 6F 64 65 73  joerhodesMandos plugin mandos-client: GnuTLS: REC[0x601fd5713920]: Start of epoch cleanup
> Mandos plugin mandos-client: GnuTLS: REC[0x601fd5713920]: End of epoch cleanup
> Mandos plugin mandos-client: GnuTLS: REC[0x601fd5713920]: Epoch #2 freed
> Mandos plugin mandos-client: /lib/mandos/plugins.d/mandos-client exiting
> Mandos plugin mandos-client: Ignoring hook "." - not a file
> Mandos plugin mandos-client: Ignoring hook ".." - not a file
> Mandos plugin mandos-client: No interfaces needed to be taken down
> Mandos plugin mandos-client: Unlinking "/run/tmp/mandos7iZpAg/private-keys-v1.d"
> Mandos plugin mandos-client: Unlinking "private-keys-v1.d/39A8C95E682740801D832E81656EA71BD193DE5E.key"
> Mandos plugin mandos-client: Unlinking "private-keys-v1.d/3DD38971A5315226E4B05FDFF634EF54D97755C1.key"
> Mandos plugin mandos-client: Unlinking "/run/tmp/mandos7iZpAg/pubring.kbx"
> Mandos plugin mandos-client: Unlinking "/run/tmp/mandos7iZpAg/pubring.kbx~"
> Mandos plugin mandos-client: Unlinking "/run/tmp/mandos7iZpAg/trustdb.gpg"
> 
> The version of mandos-client running inside that image is mandos-client: mandos-client 1.8.14.  Slightly older as it’s an older version of Ubuntu.
> 
> If I run the mandos-client 1.18.16 natively in the root file system of the 24.04 machine (not doing the chroot into the initramfs), it decrypts correctly:
> 
> /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt --connect=172.31.0.162:62379 --tls-privkey=/etc/keys/mandos/tls-privkey.pem --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem --debug
> 
> Mandos plugin mandos-client: Closing TLS session
> Mandos plugin mandos-client: GnuTLS: WRITE FLUSH: 0 bytes in buffer.
> Mandos plugin mandos-client: GnuTLS: ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:668
> Mandos plugin mandos-client: GnuTLS: REC: Sending Alert[1|0] - Close notify
> Mandos plugin mandos-client: GnuTLS: REC[0x5695d20507f0]: Preparing Packet Alert(21) with length: 2 and min pad: 0
> Mandos plugin mandos-client: GnuTLS: ENC[0x5695d20507f0]: cipher: AES-256-GCM, MAC: AEAD, Epoch: 2
> Mandos plugin mandos-client: GnuTLS: WRITE: enqueued 24 bytes for 0x5. Total 24 bytes.
> Mandos plugin mandos-client: GnuTLS: WRITE FLUSH: 24 bytes in buffer.
> Mandos plugin mandos-client: GnuTLS: WRITE: wrote 24 bytes, 0 bytes left.
> Mandos plugin mandos-client: GnuTLS: REC[0x5695d20507f0]: Sent Packet[1] Alert(21) in epoch 2 and length: 24
> Mandos plugin mandos-client: Trying to decrypt OpenPGP data
> Mandos plugin mandos-client: Decryption of OpenPGP data succeeded
> Mandos plugin mandos-client: Decrypted password is: 6A 6F 65 72 68 6F 64 65 73  joerhodesMandos plugin mandos-client: GnuTLS: REC[0x5695d20507f0]: Start of epoch cleanup
> Mandos plugin mandos-client: GnuTLS: REC[0x5695d20507f0]: End of epoch cleanup
> Mandos plugin mandos-client: GnuTLS: REC[0x5695d20507f0]: Epoch #2 freed
> Mandos plugin mandos-client: /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client exiting
> Mandos plugin mandos-client: Network hook directory "/lib/mandos/network-hooks.d" not found
> Mandos plugin mandos-client: No interfaces needed to be taken down
> Mandos plugin mandos-client: Unlinking "/run/tmp/mandos4DK8AK/private-keys-v1.d"
> Mandos plugin mandos-client: Unlinking "private-keys-v1.d/39A8C95E682740801D832E81656EA71BD193DE5E.key"
> Mandos plugin mandos-client: Unlinking "private-keys-v1.d/3DD38971A5315226E4B05FDFF634EF54D97755C1.key"
> Mandos plugin mandos-client: Unlinking "/run/tmp/mandos4DK8AK/pubring.kbx"
> Mandos plugin mandos-client: Unlinking "/run/tmp/mandos4DK8AK/pubring.kbx~"
> Mandos plugin mandos-client: Unlinking "/run/tmp/mandos4DK8AK/trustdb.gpg"
> 
> So it seems that the mandos-client only fails when it’s running inside the initramfs of the 24.04 machine.
> 
> Inside the initramfs 22.04 image:
> # busybox 
> BusyBox v1.30.1 (Ubuntu 1:1.30.1-7ubuntu3) multi-call binary.
> mandos-client 1.8.14.
> 
> Inside the initramfs 24.04 image: 
> # busybox
> BusyBox v1.36.1 (Ubuntu 1:1.36.1-6ubuntu3) multi-call binary.
> mandos-client 1.18.16
> 
> Any help would be greatly appreciated!
> 
> Cheers!
> -Joe 
> 
> 
> 



More information about the Mandos-Dev mailing list