/mandos/release : contents of debian/mandos-client.README.Debian at revision 237.2.80

: (revision 237.2.80)

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

* Configure The Server
  
  A client key has been automatically created in /etc/keys/mandos.
  The next step is to run "mandos-keygen --password" to get a config
  file section.  This should be appended to /etc/mandos/clients.conf
  on the Mandos server.

* Use the Correct Network Interface
  
  Make sure that the correct network interface is specified in the
  DEVICE setting in the "/etc/initramfs-tools/initramfs.conf" file.
  If this is changed, it will be necessary to update the initrd image
  by doing "update-initramfs -k all -u".  This setting can be
  overridden at boot time on the Linux kernel command line using the
  sixth colon-separated field of the "ip=" option; for exact syntax,
  see the file "Documentation/nfsroot.txt" in the Linux source tree.

* Test the Server
  
  After the server has been started and this client's key added, it is
  possible to verify that the correct password will be received by
  this client by running the command, on the client:
  
	# /usr/lib/mandos/plugins.d/mandos-client \
		--pubkey=/etc/keys/mandos/pubkey.txt \
		--seckey=/etc/keys/mandos/seckey.txt; echo
  
  This command should retrieve the password from the server, decrypt
  it, and output it to standard output.  There it can be verified to
  be the correct password, before rebooting.

* User-Supplied Plugins
  
  Any plugins found in /etc/mandos/plugins.d will override and add to
  the normal Mandos plugins.  When adding or changing plugins, do not
  forget to update the initital RAM disk image:
  
	# update-initramfs -k all -u

* Do *NOT* Edit /etc/crypttab
  
  It is NOT necessary to edit /etc/crypttab to specify
  /usr/lib/mandos/plugin-runner as a keyscript for the root file
  system; if no keyscript is given for the root file system, the
  Mandos client will be the new default way for getting a password for
  the root file system when booting.

* Emergency Escape
  
  If it ever should be necessary, the Mandos client can be temporarily
  prevented from running at startup by passing the parameter
  "mandos=off" to the kernel.

* Non-local Connection (Not Using ZeroConf)
  
  If the "ip=" kernel command line option is used to specify a
  complete IP address and device name, as noted above, it then becomes
  possible to specify a specific IP address and port to connect to,
  instead of using ZeroConf.  The syntax for doing this is
  "mandos=connect:<IP_ADDRESS>:<PORT_NUMBER>".
  
  Warning: this will cause the client to make exactly one attempt at
  connecting, and then fail if it does not succeed.
  
  For very advanced users, it it possible to specify simply
  "mandos=connect" on the kernel command line to make the system only
  set up the network (using the data in the "ip=" option) and not pass
  any extra "--connect" options to mandos-client at boot.  For this to
  work, "--options-for=mandos-client:--connect=<ADDRESS>:<PORT>" needs
  to be manually added to the file "/etc/mandos/plugin-runner.conf".

 -- Teddy Hogeborn <teddy@fukt.bsnet.se>, Mon,  9 Feb 2009 00:36:55 +0100

228 by Teddy Hogeborn * INSTALL: Add instructions on how to set the correct network	1	* Configure The Server
	2
	3	A client key has been automatically created in /etc/keys/mandos.
	4	The next step is to run "mandos-keygen --password" to get a config
	5	file section. This should be appended to /etc/mandos/clients.conf
	6	on the Mandos server.
	7
	8	* Use the Correct Network Interface
	9
237.2.67 by Teddy Hogeborn Four new interrelated features:	10	Make sure that the correct network interface is specified in the
	11	DEVICE setting in the "/etc/initramfs-tools/initramfs.conf" file.
	12	If this is changed, it will be necessary to update the initrd image
	13	by doing "update-initramfs -k all -u". This setting can be
	14	overridden at boot time on the Linux kernel command line using the
	15	sixth colon-separated field of the "ip=" option; for exact syntax,
	16	see the file "Documentation/nfsroot.txt" in the Linux source tree.
228 by Teddy Hogeborn * INSTALL: Add instructions on how to set the correct network	17
	18	* Test the Server
	19
	20	After the server has been started and this client's key added, it is
	21	possible to verify that the correct password will be received by
	22	this client by running the command, on the client:
	23
	24	# /usr/lib/mandos/plugins.d/mandos-client \
	25	--pubkey=/etc/keys/mandos/pubkey.txt \
	26	--seckey=/etc/keys/mandos/seckey.txt; echo
	27
	28	This command should retrieve the password from the server, decrypt
237.2.67 by Teddy Hogeborn Four new interrelated features:	29	it, and output it to standard output. There it can be verified to
237.2.67 by Teddy Hogeborn Four new interrelated features:	30	be the correct password, before rebooting.
228 by Teddy Hogeborn * INSTALL: Add instructions on how to set the correct network	31
	32	* User-Supplied Plugins
237.2.67 by Teddy Hogeborn Four new interrelated features:	33
228 by Teddy Hogeborn * INSTALL: Add instructions on how to set the correct network	34	Any plugins found in /etc/mandos/plugins.d will override and add to
	35	the normal Mandos plugins. When adding or changing plugins, do not
	36	forget to update the initital RAM disk image:
237.2.67 by Teddy Hogeborn Four new interrelated features:	37
228 by Teddy Hogeborn * INSTALL: Add instructions on how to set the correct network	38	# update-initramfs -k all -u
	39
	40	* Do NOT Edit /etc/crypttab
237.2.67 by Teddy Hogeborn Four new interrelated features:	41
228 by Teddy Hogeborn * INSTALL: Add instructions on how to set the correct network	42	It is NOT necessary to edit /etc/crypttab to specify
	43	/usr/lib/mandos/plugin-runner as a keyscript for the root file
	44	system; if no keyscript is given for the root file system, the
	45	Mandos client will be the new default way for getting a password for
	46	the root file system when booting.
	47
237.2.32 by Teddy Hogeborn * debian/watch: New file.	48	* Emergency Escape
	49
	50	If it ever should be necessary, the Mandos client can be temporarily
	51	prevented from running at startup by passing the parameter
	52	"mandos=off" to the kernel.
	53
237.2.67 by Teddy Hogeborn Four new interrelated features:	54	* Non-local Connection (Not Using ZeroConf)
	55
	56	If the "ip=" kernel command line option is used to specify a
	57	complete IP address and device name, as noted above, it then becomes
	58	possible to specify a specific IP address and port to connect to,
	59	instead of using ZeroConf. The syntax for doing this is
	60	"mandos=connect:<IP_ADDRESS>:<PORT_NUMBER>".
	61
	62	Warning: this will cause the client to make exactly one attempt at
	63	connecting, and then fail if it does not succeed.
	64
	65	For very advanced users, it it possible to specify simply
	66	"mandos=connect" on the kernel command line to make the system only
	67	set up the network (using the data in the "ip=" option) and not pass
	68	any extra "--connect" options to mandos-client at boot. For this to
	69	work, "--options-for=mandos-client:--connect=<ADDRESS>:<PORT>" needs
	70	to be manually added to the file "/etc/mandos/plugin-runner.conf".
	71
	72	-- Teddy Hogeborn <teddy@fukt.bsnet.se>, Mon, 9 Feb 2009 00:36:55 +0100