3
A client key has been automatically created in /etc/keys/mandos.
4
The next step is to run "mandos-keygen --password" to get a config
5
file section. This should be appended to /etc/mandos/clients.conf
8
* Use the Correct Network Interface
10
Make sure that the correct network interface is specified in the
11
DEVICE setting in the "/etc/initramfs-tools/initramfs.conf" file.
12
If this is changed, it will be necessary to update the initrd image
13
by doing "update-initramfs -k all -u". This setting can be
14
overridden at boot time on the Linux kernel command line using the
15
sixth colon-separated field of the "ip=" option; for exact syntax,
16
see the file "Documentation/nfsroot.txt" in the Linux source tree.
18
Note that since this is used in the initial RAM disk environment,
19
the network interface must exist at that stage. Thus, the interface
20
can *not* be a pseudo-interface such as "br0" or "tun0"; instead, a
21
real interface (such as "eth0") must be used.
25
After the server has been started and this client's key added, it is
26
possible to verify that the correct password will be received by
1
* Choose the Client Network Interface
3
Please make sure that the correct network interface is specified in
4
the DEVICE setting in the "/etc/initramfs-tools/initramfs.conf"
5
file. If the setting is empty, the interface will be autodetected
6
at boot time, which may not be correct. *If* the DEVICE setting is
7
changed, it will be necessary to update the initrd image by running
10
update-initramfs -k all -u
12
The device can be overridden at boot time on the Linux kernel
13
command line using the sixth colon-separated field of the "ip="
14
option; for exact syntax, read the documentation in the file
15
"/usr/share/doc/linux-doc-*/Documentation/filesystems/nfsroot.txt",
16
available in the "linux-doc-*" package.
18
Note that since this network interface is used in the initial RAM
19
disk environment, the network interface *must* exist at that stage.
20
Thus, the interface can *not* be a pseudo-interface such as "br0" or
21
"tun0"; instead, a real interface (such as "eth0") must be used.
23
* Adding a Client Password to the Server
25
The server must be given a password to give back to the client on
26
boot time. This password must be a one which can be used to unlock
27
the root file system device. On the *client*, run this command:
29
mandos-keygen --password
31
It will prompt for a password and output a config file section.
32
This output should be copied to the Mandos server and added to the
33
file "/etc/mandos/clients.conf" there.
35
* Testing that it Works (Without Rebooting)
37
After the server has been started with this client's key added, it
38
is possible to verify that the correct password will be received by
27
39
this client by running the command, on the client:
29
# /usr/lib/mandos/plugins.d/mandos-client \
41
/usr/lib/mandos/plugins.d/mandos-client \
30
42
--pubkey=/etc/keys/mandos/pubkey.txt \
31
43
--seckey=/etc/keys/mandos/seckey.txt; echo
37
49
* User-Supplied Plugins
39
Any plugins found in /etc/mandos/plugins.d will override and add to
40
the normal Mandos plugins. When adding or changing plugins, do not
41
forget to update the initital RAM disk image:
51
Any plugins found in "/etc/mandos/plugins.d" will override and add
52
to the normal Mandos plugins. When adding or changing plugins, do
53
not forget to update the initital RAM disk image:
43
# update-initramfs -k all -u
55
update-initramfs -k all -u
45
* Do *NOT* Edit /etc/crypttab
57
* Do *NOT* Edit "/etc/crypttab"
47
It is NOT necessary to edit /etc/crypttab to specify
48
/usr/lib/mandos/plugin-runner as a keyscript for the root file
59
It is NOT necessary to edit "/etc/crypttab" to specify
60
"/usr/lib/mandos/plugin-runner" as a keyscript for the root file
49
61
system; if no keyscript is given for the root file system, the
50
62
Mandos client will be the new default way for getting a password for
51
63
the root file system when booting.
added
removed
debian/mandos-client.README.Debian
