1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
* Configure The Server
A client key has been automatically created in /etc/keys/mandos.
The next step is to run "mandos-keygen --password" to get a config
file section. This should be appended to /etc/mandos/clients.conf
on the Mandos server.
* Use the Correct Network Interface
If some other network interface than "eth0" is used, it will be
necessary to edit /etc/mandos/plugin-runner.conf to uncomment and
change the line there. If this is done, it will be necessary to
update the initrd image by doing "update-initramfs -k all -u".
* Test the Server
After the server has been started and this client's key added, it is
possible to verify that the correct password will be received by
this client by running the command, on the client:
# /usr/lib/mandos/plugins.d/mandos-client \
--pubkey=/etc/keys/mandos/pubkey.txt \
--seckey=/etc/keys/mandos/seckey.txt; echo
This command should retrieve the password from the server, decrypt
it, and output it to standard output. It is now possible to verify
the correctness of the password before rebooting.
* User-Supplied Plugins
Any plugins found in /etc/mandos/plugins.d will override and add to
the normal Mandos plugins. When adding or changing plugins, do not
forget to update the initital RAM disk image:
# update-initramfs -k all -u
* Do *NOT* Edit /etc/crypttab
It is NOT necessary to edit /etc/crypttab to specify
/usr/lib/mandos/plugin-runner as a keyscript for the root file
system; if no keyscript is given for the root file system, the
Mandos client will be the new default way for getting a password for
the root file system when booting.
* Emergency Escape
If it ever should be necessary, the Mandos client can be temporarily
prevented from running at startup by passing the parameter
"mandos=off" to the kernel.
-- Teddy Hogeborn <teddy@fukt.bsnet.se>, Mon, 12 Jan 2009 02:29:10 +0100
|