1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
* Configure The Server
A client key has been automatically created in /etc/keys/mandos.
The next step is to run "mandos-keygen --password" to get a config
file section. This should be appended to /etc/mandos/clients.conf
on the Mandos server.
* Use the Correct Network Interface
Make sure that the correct network interface is specified in the
DEVICE setting in the "/etc/initramfs-tools/initramfs.conf" file.
If this is changed, it will be necessary to update the initrd image
by doing "update-initramfs -k all -u". This setting can be
overridden at boot time on the Linux kernel command line using the
sixth colon-separated field of the "ip=" option; for exact syntax,
see the file "Documentation/nfsroot.txt" in the Linux source tree.
Note that since this is used in the initial RAM disk environment,
the network interface must exist at that stage. Thus, the interface
can *not* be a pseudo-interface such as "br0" or "tun0"; instead, a
real interface (such as "eth0") must be used.
* Test the Server
After the server has been started and this client's key added, it is
possible to verify that the correct password will be received by
this client by running the command, on the client:
# /usr/lib/mandos/plugins.d/mandos-client \
--pubkey=/etc/keys/mandos/pubkey.txt \
--seckey=/etc/keys/mandos/seckey.txt; echo
This command should retrieve the password from the server, decrypt
it, and output it to standard output. There it can be verified to
be the correct password, before rebooting.
* User-Supplied Plugins
Any plugins found in /etc/mandos/plugins.d will override and add to
the normal Mandos plugins. When adding or changing plugins, do not
forget to update the initital RAM disk image:
# update-initramfs -k all -u
* Do *NOT* Edit /etc/crypttab
It is NOT necessary to edit /etc/crypttab to specify
/usr/lib/mandos/plugin-runner as a keyscript for the root file
system; if no keyscript is given for the root file system, the
Mandos client will be the new default way for getting a password for
the root file system when booting.
* Emergency Escape
If it ever should be necessary, the Mandos client can be temporarily
prevented from running at startup by passing the parameter
"mandos=off" to the kernel.
* Non-local Connection (Not Using ZeroConf)
If the "ip=" kernel command line option is used to specify a
complete IP address and device name, as noted above, it then becomes
possible to specify a specific IP address and port to connect to,
instead of using ZeroConf. The syntax for doing this is
"mandos=connect:<IP_ADDRESS>:<PORT_NUMBER>".
Warning: this will cause the client to make exactly one attempt at
connecting, and then fail if it does not succeed.
For very advanced users, it it possible to specify simply
"mandos=connect" on the kernel command line to make the system only
set up the network (using the data in the "ip=" option) and not pass
any extra "--connect" options to mandos-client at boot. For this to
work, "--options-for=mandos-client:--connect=<ADDRESS>:<PORT>" needs
to be manually added to the file "/etc/mandos/plugin-runner.conf".
-- Teddy Hogeborn <teddy@fukt.bsnet.se>, Tue, 14 Apr 2009 16:51:18 +0200
|