1
* Adding a Client Password to the Server
3
The server must be given a password to give back to the client on
4
boot time. This password must be a one which can be used to unlock
5
the root file system device. On the *client*, run this command:
7
mandos-keygen --password
9
It will prompt for a password and output a config file section.
10
This output should be copied to the Mandos server and added to the
11
file "/etc/mandos/clients.conf" there.
13
* Testing that it Works (Without Rebooting)
15
After the server has been started with this client's key added, it
16
is possible to verify that the correct password will be received by
3
A client key has been automatically created in /etc/keys/mandos.
4
The next step is to run "mandos-keygen --password" to get a config
5
file section. This should be appended to /etc/mandos/clients.conf
8
* Use the Correct Network Interface
10
If some other network interface than "eth0" is used, it will be
11
necessary to edit /etc/mandos/plugin-runner.conf to uncomment and
12
change the line there. If this is done, it will be necessary to
13
update the initrd image by doing "update-initramfs -k all -u".
17
After the server has been started and this client's key added, it is
18
possible to verify that the correct password will be received by
17
19
this client by running the command, on the client:
19
/usr/lib/mandos/plugins.d/mandos-client \
21
# /usr/lib/mandos/plugins.d/mandos-client \
20
22
--pubkey=/etc/keys/mandos/pubkey.txt \
21
23
--seckey=/etc/keys/mandos/seckey.txt; echo
23
25
This command should retrieve the password from the server, decrypt
24
it, and output it to standard output. There it can be verified to
25
be the correct password, before rebooting.
26
it, and output it to standard output. It is now possible to verify
27
the correctness of the password before rebooting.
29
* User-Supplied Plugins
31
Any plugins found in /etc/mandos/plugins.d will override and add to
32
the normal Mandos plugins. When adding or changing plugins, do not
33
forget to update the initital RAM disk image:
35
# update-initramfs -k all -u
37
* Do *NOT* Edit /etc/crypttab
39
It is NOT necessary to edit /etc/crypttab to specify
40
/usr/lib/mandos/plugin-runner as a keyscript for the root file
41
system; if no keyscript is given for the root file system, the
42
Mandos client will be the new default way for getting a password for
43
the root file system when booting.
30
48
prevented from running at startup by passing the parameter
31
49
"mandos=off" to the kernel.
33
* Specifying a Client Network Interface
35
At boot time the network interface to use will by default be
36
automatically detected. If should result in an incorrect interface,
37
edit the DEVICE setting in the "/etc/initramfs-tools/initramfs.conf"
38
file. (The default setting is empty, meaning to autodetect the
39
interface.) *If* the DEVICE setting is changed, it will be
40
necessary to update the initrd image by running the command
42
update-initramfs -k all -u
44
The device can be overridden at boot time on the Linux kernel
45
command line using the sixth colon-separated field of the "ip="
46
option; for exact syntax, read the documentation in the file
47
"/usr/share/doc/linux-doc-*/Documentation/filesystems/nfsroot.txt",
48
available in the "linux-doc-*" package.
50
Note that since this network interface is used in the initial RAM
51
disk environment, the network interface *must* exist at that stage.
52
Thus, the interface can *not* be a pseudo-interface such as "br0" or
53
"tun0"; instead, only real interface (such as "eth0") can be used.
55
* User-Supplied Plugins
57
Any plugins found in "/etc/mandos/plugins.d" will override and add
58
to the normal Mandos plugins. When adding or changing plugins, do
59
not forget to update the initital RAM disk image:
61
update-initramfs -k all -u
63
* Do *NOT* Edit "/etc/crypttab"
65
It is NOT necessary to edit "/etc/crypttab" to specify
66
"/usr/lib/mandos/plugin-runner" as a keyscript for the root file
67
system; if no keyscript is given for the root file system, the
68
Mandos client will be the new default way for getting a password for
69
the root file system when booting.
71
* Non-local Connection (Not Using ZeroConf)
73
If the "ip=" kernel command line option is used to specify a
74
complete IP address and device name, as noted above, it then becomes
75
possible to specify a specific IP address and port to connect to,
76
instead of using ZeroConf. The syntax for doing this is
77
"mandos=connect:<IP_ADDRESS>:<PORT_NUMBER>" on the kernel command
80
For very advanced users, it it possible to specify simply
81
"mandos=connect" on the kernel command line to make the system only
82
set up the network (using the data in the "ip=" option) and not pass
83
any extra "--connect" options to mandos-client at boot. For this to
84
work, "--options-for=mandos-client:--connect=<ADDRESS>:<PORT>" needs
85
to be manually added to the file "/etc/mandos/plugin-runner.conf".
87
-- Teddy Hogeborn <teddy@recompile.se>, Wed, 5 Oct 2011 17:50:22 +0200
51
-- Teddy Hogeborn <teddy@fukt.bsnet.se>, Mon, 12 Jan 2009 02:29:10 +0100
added
removed
debian/mandos-client.README.Debian
