1
A client key has been automatically created in /etc/keys/mandos. The
2
next step is to run "mandos-keygen --password" to get a config file
3
stanza to copy and paste into /etc/mandos/clients.conf on the Mandos
6
Also, if some other network interface than "eth0" is used, it will be
7
necessary to edit /etc/mandos/plugin-runner.conf to uncomment and
8
change the line there. If this file is changed, it will be necessary
9
to update the initrd image by doing "update-initramfs -k all -u".
11
It is NOT necessary to edit /etc/crypttab to specify
12
/usr/lib/mandos/plugin-runner as a keyscript for the root file system;
13
if no keyscript is given for the root file system, the Mandos client
14
will be the new default way for getting a password for the root file
3
A client key has been automatically created in /etc/keys/mandos.
4
The next step is to run "mandos-keygen --password" to get a config
5
file section. This should be appended to /etc/mandos/clients.conf
8
* Use the Correct Network Interface
10
If some other network interface than "eth0" is used, it will be
11
necessary to edit /etc/mandos/plugin-runner.conf to uncomment and
12
change the line there. If this is done, it will be necessary to
13
update the initrd image by doing "update-initramfs -k all -u".
17
After the server has been started and this client's key added, it is
18
possible to verify that the correct password will be received by
19
this client by running the command, on the client:
21
# /usr/lib/mandos/plugins.d/mandos-client \
22
--pubkey=/etc/keys/mandos/pubkey.txt \
23
--seckey=/etc/keys/mandos/seckey.txt; echo
25
This command should retrieve the password from the server, decrypt
26
it, and output it to standard output. It is now possible to verify
27
the correctness of the password before rebooting.
29
* User-Supplied Plugins
31
Any plugins found in /etc/mandos/plugins.d will override and add to
32
the normal Mandos plugins. When adding or changing plugins, do not
33
forget to update the initital RAM disk image:
35
# update-initramfs -k all -u
37
* Do *NOT* Edit /etc/crypttab
39
It is NOT necessary to edit /etc/crypttab to specify
40
/usr/lib/mandos/plugin-runner as a keyscript for the root file
41
system; if no keyscript is given for the root file system, the
42
Mandos client will be the new default way for getting a password for
43
the root file system when booting.
45
-- Teddy Hogeborn <teddy@fukt.bsnet.se>, Sun, 5 Oct 2008 19:04:26 +0200