Hello Teddy, and thanks for having taken the time to reply on a Saturday :-)

On 31/03/2018 at 20:30, Teddy Hogeborn wrote:
>
> If practical, try the latest version, 1.7.19.

I have just installed and tested it. Alas, it exhibits the very same behaviour...

> That is the important message. It means that it failed to decrypt the
> data from the server using the GPGME library. In the past, this error
> has been due to all the necessary GnuPG binaries not having been copied
> into the initramfs image.

I had guessed that. However, as it works running from a chroot into an unpacked copy of the initramfs, I guess that all the required files must be present...

> First, when SSHing into the running system, make sure that /tmp is made
> writeable by the unprivileged _mandos user. This is fixed by the
> automatic scripts when booting, but if you are running things manually
> it might not be done. Simply run "chmod a=rwxt /tmp" in the initramfs
> file system.

That's already OK.

~ # ls -ld /tmp
drwxrwxrwt 3 root root 0 Jan 1 00:00 /tmp

> Second, be aware that the instructions for running the client manually
> do not contain the optional --dh-params option (usually passed with an
> argument of /etc/keys/mandos/dhparams.pem), but this option is used
> automatically by the boot scripts. Just to make sure, does it work when
> run manually with or without a chroot with this option? (Passing this
> option also makes the client startup quite a bit faster, speeding up
> debugging.)

I get the same result (working in chroot, but not working in the actual initramfs) in all environments, whether I use:

/lib/mandos/plugins.d/mandos-client --pubkey=/conf/conf.d/mandos/pubkey.txt --seckey=/conf/conf.d/mandos/seckey.txt --connect=[SERVER_IP]:9601 --debug; echo

or simply:

/lib/mandos/plugin-runner

I assume the latter starts the clients with the exact options from /conf/conf.d/mandos/plugin-runner.conf ... and there is no --dh-params option.

It also works with the manually added --dh-params option, either in the normal system or in the chroot.

The only difference is that in the normal system the keys are located in /etc/keys/mandos, whereas in the initramfs they are in /conf/conf.d/mandos.

> Since GPGME is giving the error, and it has been a problem in the past,
> until it has been proved otherwise I suspect that the proper binaries
> are not present in the system, or that they are not runnable somehow.

Well, they are surely there, as it works in the chrooted copy of the initramfs...

> What does the "gpgconf" command output, in the normal system, in chroot,
> and at boot? Do the listed binaries all exist in all three systems,
> i.e. what is the output of this command?
>
> ls -laF $(gpgconf | awk -F: '{ print $3 }')

Inside the true running (and failing) initramfs:

/ # ls -laF $(gpgconf | awk -F: '{ print $3 }')
ls: /usr/lib/gnupg/scdaemon: No such file or directory
ls: /usr/bin/gpgsm: No such file or directory
ls: /usr/bin/dirmngr: No such file or directory
ls: /usr/bin/pinentry: No such file or directory
-rwxr-xr-x 1 root root 814996 Sep 18 2017 /usr/bin/gpg*
-rwxr-xr-x 1 root root 301848 Sep 18 2017 /usr/bin/gpg-agent*

Inside the (working OK) chroot copy:

/ # ls -laF $(gpgconf | awk -F: '{ print $3 }')
ls: /usr/lib/gnupg/scdaemon: No such file or directory
ls: /usr/bin/gpgsm: No such file or directory
ls: /usr/bin/dirmngr: No such file or directory
ls: /usr/bin/pinentry: No such file or directory
-rwxr-xr-x 1 root root 814996 Apr 1 07:04 /usr/bin/gpg*
-rwxr-xr-x 1 root root 301848 Apr 1 07:04 /usr/bin/gpg-agent*

In the "normal" system environment:

root@tethys:/# ls -laF $(gpgconf | awk -F: '{ print $3 }')
ls: cannot access '/usr/lib/gnupg/scdaemon': No such file or directory
ls: cannot access '/usr/bin/gpgsm': No such file or directory
ls: cannot access '/usr/bin/dirmngr': No such file or directory
-rwxr-xr-x 1 root root 814996 Sep 18 2017 /usr/bin/gpg*
-rwxr-xr-x 1 root root 301848 Sep 18 2017 /usr/bin/gpg-agent*
lrwxrwxrwx 1 root root 26 Nov 29 02:17 /usr/bin/pinentry -> /etc/alternatives/pinentry*

Thank you very much for your kind assistance.

ॐ
--
Michel Bouissou <mic...@bouissou.net>
OpenPGP ID 0xEB04D09C
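Added example, not code from the Mandos project or from either participant in this thread: a POSIX shell script that automates the check Teddy asked for (do all binaries that gpgconf lists exist and are they executable, and is /tmp mode drwxrwxrwt as "chmod a=rwxt /tmp" leaves it) against several roots at once, so the live system, an unpacked initramfs copy and a mounted initrd can be compared in one run. The gpgconf listing embedded below is constructed from the paths quoted above; the root-directory argument and the function names are assumptions of this example. It checks presence and the executable bit only, not whether the binaries' shared libraries are resolvable; that needs ldd run inside the environment being tested.

```shell
#!/bin/sh
# Added example (not Mandos project code). Checks, under one or more roots,
# that every binary gpgconf lists exists and is executable, and that /tmp is
# world-writable with the sticky bit set.

# Constructed gpgconf-style listing: one "name:description:path" line per
# component, the same three-column format the thread's awk one-liner reads.
# Paths are the ones shown in the thread; the descriptions are placeholders.
SAMPLE_GPGCONF='gpg:OpenPGP:/usr/bin/gpg
gpg-agent:Private Keys:/usr/bin/gpg-agent
scdaemon:Smartcard Daemon:/usr/lib/gnupg/scdaemon
gpgsm:S/MIME:/usr/bin/gpgsm
dirmngr:Network:/usr/bin/dirmngr
pinentry:Passphrase Entry:/usr/bin/pinentry'

# gpgconf_paths: read gpgconf output on stdin, print only the path column.
gpgconf_paths() {
    awk -F: 'NF >= 3 && $3 != "" { print $3 }'
}

# check_root ROOT: read absolute paths on stdin and, for each, print
# "ok PATH", "missing PATH" or "notexec PATH" as found under ROOT.
# Returns 1 if any path is not ok, so it can gate a larger script.
check_root() {
    root="${1%/}"           # "/" becomes "" so "$root$path" stays absolute
    rc=0
    while IFS= read -r path; do
        full="$root$path"
        if [ ! -e "$full" ]; then
            echo "missing $path"; rc=1
        elif [ ! -x "$full" ]; then
            echo "notexec $path"; rc=1
        else
            echo "ok $path"
        fi
    done
    return $rc
}

# count_status ROOT STATUS: number of sample-listing binaries that have
# STATUS (ok|missing|notexec) under ROOT.
count_status() {
    printf '%s\n' "$SAMPLE_GPGCONF" | gpgconf_paths | check_root "$1" \
        | grep -c "^$2 " || true
}

# tmp_mode_ok ROOT: true if ROOT/tmp is a directory whose mode string is
# drwxrwxrwt, which is what "chmod a=rwxt /tmp" produces and what the
# unprivileged _mandos user needs in order to write there.
tmp_mode_ok() {
    dir="${1%/}/tmp"
    [ -d "$dir" ] || return 1
    mode=$(ls -ld "$dir" | cut -c1-10)
    [ "$mode" = "drwxrwxrwt" ]
}

# diagnose ROOT...: print a report per root; exit status 1 on any problem.
diagnose() {
    overall=0
    for r in "$@"; do
        echo "== $r =="
        printf '%s\n' "$SAMPLE_GPGCONF" | gpgconf_paths | check_root "$r" \
            || overall=1
        if tmp_mode_ok "$r"; then
            echo "ok /tmp (drwxrwxrwt)"
        else
            echo "bad /tmp mode"; overall=1
        fi
    done
    return $overall
}

# Real use on a host that has gpgconf installed, with an unpacked initramfs
# at /mnt/initrd (assumed path):
#   gpgconf | gpgconf_paths | check_root /mnt/initrd
#   diagnose / /mnt/initrd
```

Because the same listing is applied to every root, a binary that exists on the live system but is "missing" under the unpacked initramfs shows up as a one-line difference rather than having to be spotted by eye across three ls transcripts.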