1
A client key has been automatically created in /etc/keys/mandos. The
2
next step is to run "mandos-keygen --password" to get a config file
3
stanza to copy and paste into /etc/mandos/clients.conf on the Mandos
6
Also, if some other network interface than "eth0" is used, it will be
7
necessary to edit /etc/mandos/plugin-runner.conf to uncomment and
8
change the line there. If this file is changed, it will be necessary
9
to update the initrd image by doing "update-initramfs -k all -u".
11
Any plugins found in /etc/mandos/plugins.d will override and add to
12
the normal Mandos plugins. When adding or changing plugins, do not
13
forget to update the initital RAM disk image:
15
# update-initramfs -k all -u
17
It is NOT necessary to edit /etc/crypttab to specify
18
/usr/lib/mandos/plugin-runner as a keyscript for the root file system;
19
if no keyscript is given for the root file system, the Mandos client
20
will be the new default way for getting a password for the root file
23
-- Teddy Hogeborn <teddy@fukt.bsnet.se>, Fri, 19 Sep 2008 22:50:16 +0200
3
A client key has been automatically created in /etc/keys/mandos.
4
The next step is to run "mandos-keygen --password" to get a config
5
file section. This should be appended to /etc/mandos/clients.conf
8
* Use the Correct Network Interface
10
Make sure that the correct network interface is specified in the
11
DEVICE setting in the "/etc/initramfs-tools/initramfs.conf" file.
12
If this is changed, it will be necessary to update the initrd image
13
by doing "update-initramfs -k all -u". This setting can be
14
overridden at boot time on the Linux kernel command line using the
15
sixth colon-separated field of the "ip=" option; for exact syntax,
16
see the file "Documentation/nfsroot.txt" in the Linux source tree.
20
After the server has been started and this client's key added, it is
21
possible to verify that the correct password will be received by
22
this client by running the command, on the client:
24
# /usr/lib/mandos/plugins.d/mandos-client \
25
--pubkey=/etc/keys/mandos/pubkey.txt \
26
--seckey=/etc/keys/mandos/seckey.txt; echo
28
This command should retrieve the password from the server, decrypt
29
it, and output it to standard output. There it can be verified to
30
be the correct password, before rebooting.
32
* User-Supplied Plugins
34
Any plugins found in /etc/mandos/plugins.d will override and add to
35
the normal Mandos plugins. When adding or changing plugins, do not
36
forget to update the initital RAM disk image:
38
# update-initramfs -k all -u
40
* Do *NOT* Edit /etc/crypttab
42
It is NOT necessary to edit /etc/crypttab to specify
43
/usr/lib/mandos/plugin-runner as a keyscript for the root file
44
system; if no keyscript is given for the root file system, the
45
Mandos client will be the new default way for getting a password for
46
the root file system when booting.
50
If it ever should be necessary, the Mandos client can be temporarily
51
prevented from running at startup by passing the parameter
52
"mandos=off" to the kernel.
54
* Non-local Connection (Not Using ZeroConf)
56
If the "ip=" kernel command line option is used to specify a
57
complete IP address and device name, as noted above, it then becomes
58
possible to specify a specific IP address and port to connect to,
59
instead of using ZeroConf. The syntax for doing this is
60
"mandos=connect:<IP_ADDRESS>:<PORT_NUMBER>".
62
Warning: this will cause the client to make exactly one attempt at
63
connecting, and then fail if it does not succeed.
65
For very advanced users, it it possible to specify simply
66
"mandos=connect" on the kernel command line to make the system only
67
set up the network (using the data in the "ip=" option) and not pass
68
any extra "--connect" options to mandos-client at boot. For this to
69
work, "--options-for=mandos-client:--connect=<ADDRESS>:<PORT>" needs
70
to be manually added to the file "/etc/mandos/plugin-runner.conf".
72
-- Teddy Hogeborn <teddy@fukt.bsnet.se>, Mon, 9 Feb 2009 00:36:55 +0100