Hello Teddy, and thanks for having taken the time to reply on a Saturday :-)

On 31/03/2018 at 20:30, Teddy Hogeborn wrote:
> 
> If practical, try the latest version, 1.7.19.

I have just installed and tested it. Alas, it exhibits the very same
behaviour...

> That is the important message.  It means that it failed to decrypt the
> data from the server using the GPGME library.  In the past, this error
> has been due to all the necessary GnuPG binaries not having been copied
> into the initramfs image.

I had guessed that. However, as it works running from chroot into an
unpacked copy of the initramfs, I guess that all the required files must
be present...

> First, when SSHing into the running system, make sure that /tmp is made
> writeable by the unprivileged _mandos user.  This is fixed by the
> automatic scripts when booting, but if you are running things manually
> it might not be done.  Simply run "chmod a=rwxt /tmp" in the initramfs
> file system.

That's already OK.

~ # ls -ld /tmp
drwxrwxrwt    3 root     root             0 Jan  1 00:00 /tmp

> Second, be aware that the instructions for running the client manually
> do not contain the optional --dh-params option (Usually passed with an
> argument of /etc/keys/mandos/dhparams.pem), but this option is used
> automatically by the boot scripts.  Just to make sure, does it work when
> run manually with or without a chroot with this option?  (Passing this
> option also makes the client startup quite a bit faster, speeding up
> debugging.)

I get the same result (working in chroot, but not working in actual
initramfs) in all environments, whether I use:

/lib/mandos/plugins.d/mandos-client \
    --pubkey=/conf/conf.d/mandos/pubkey.txt \
    --seckey=/conf/conf.d/mandos/seckey.txt \
    --connect=[SERVER_IP]:9601 --debug; echo

or simply:

/lib/mandos/plugin-runner

I assume the latter starts the clients with the exact options from
/conf/conf.d/mandos/plugin-runner.conf ... and there is no --dh-params
option.

It also works with the manually added --dh-params option, either in the
normal system or in the chroot. The only difference is that in the
normal system the keys are located in /etc/keys/mandos, whereas in the
initramfs they are in /conf/conf.d/mandos


> Since GPGME is giving the error, and it has been a problem in the past,
> until it has been proved otherwise I suspect that the proper binaries
> are not present in the system, or that they are not runnable somehow.

Well, they are surely there as it works in the chrooted copy of initramfs...

> What does the "gpgconf" command output, in the normal system, in chroot,
> and at boot?  Do the listed binaries all exist in all three systems,
> i.e. what is the output of this command?
> 
> ls -laF $(gpgconf | awk -F: '{ print $3 }')

Inside the true running (and failing) initramfs:

/ # ls -laF $(gpgconf | awk -F: '{ print $3 }')
ls: /usr/lib/gnupg/scdaemon: No such file or directory
ls: /usr/bin/gpgsm: No such file or directory
ls: /usr/bin/dirmngr: No such file or directory
ls: /usr/bin/pinentry: No such file or directory
-rwxr-xr-x    1 root     root        814996 Sep 18  2017 /usr/bin/gpg*
-rwxr-xr-x    1 root     root        301848 Sep 18  2017 /usr/bin/gpg-agent*


Inside the (working OK) chroot copy:

/ # ls -laF $(gpgconf | awk -F: '{ print $3 }')
ls: /usr/lib/gnupg/scdaemon: No such file or directory
ls: /usr/bin/gpgsm: No such file or directory
ls: /usr/bin/dirmngr: No such file or directory
ls: /usr/bin/pinentry: No such file or directory
-rwxr-xr-x    1 root     root        814996 Apr  1 07:04 /usr/bin/gpg*
-rwxr-xr-x    1 root     root        301848 Apr  1 07:04 /usr/bin/gpg-agent*


In the "normal" system environment:

root@tethys:/# ls -laF $(gpgconf | awk -F: '{ print $3 }')
ls: cannot access '/usr/lib/gnupg/scdaemon': No such file or directory
ls: cannot access '/usr/bin/gpgsm': No such file or directory
ls: cannot access '/usr/bin/dirmngr': No such file or directory
-rwxr-xr-x 1 root root 814996 Sep 18  2017 /usr/bin/gpg*
-rwxr-xr-x 1 root root 301848 Sep 18  2017 /usr/bin/gpg-agent*
lrwxrwxrwx 1 root root     26 Nov 29 02:17 /usr/bin/pinentry -> /etc/alternatives/pinentry*


Thank you very much for your kind assistance.

ॐ

-- 
Michel Bouissou <mic...@bouissou.net> OpenPGP ID 0xEB04D09C

Attachment: signature.asc
Description: OpenPGP digital signature
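The three checks Teddy asked for in this thread (are the binaries gpgconf lists present and executable, is /tmp mode 1777 for the unprivileged _mandos user, are the client key files where the initramfs config expects them) scripted against an unpacked initramfs tree, so they can be repeated on every rebuilt image rather than typed by hand. This is an added example and not code from Mandos or GnuPG. The gpgconf-style listing embedded below is constructed from the paths shown in the thread so the script runs on a machine without GnuPG; on a real system pass "$(gpgconf)" instead. The key-file location defaults to the /conf/conf.d/mandos directory named in the thread.

```sh
#!/bin/sh
# Added example (not Mandos' or GnuPG's own code): the manual checks from
# the thread, run against an unpacked initramfs tree given as ROOT.
#   1. every binary gpgconf lists must exist and be executable in the tree
#   2. /tmp must be drwxrwxrwt (what "chmod a=rwxt /tmp" produces)
#   3. the client key files must be at the path the initramfs config uses

# Constructed gpgconf-style listing (component:description:path), standing
# in for real `gpgconf` output.  The paths are the ones listed in the thread.
SAMPLE_GPGCONF='gpg:OpenPGP:/usr/bin/gpg
gpg-agent:Private Keys:/usr/bin/gpg-agent
scdaemon:Smartcard:/usr/lib/gnupg/scdaemon
gpgsm:S/MIME:/usr/bin/gpgsm
dirmngr:Network:/usr/bin/dirmngr
pinentry:Passphrase Entry:/usr/bin/pinentry'

# missing_gnupg_binaries ROOT LISTING
# Prints, one per line, each path from LISTING (third colon-separated
# field, as in the awk one-liner from the thread) that is not an
# executable regular file under ROOT.  Prints nothing when all are present.
missing_gnupg_binaries() {
    root=$1
    listing=$2
    printf '%s\n' "$listing" | awk -F: 'NF >= 3 { print $3 }' |
    while read -r path; do
        [ -f "$root$path" ] && [ -x "$root$path" ] || echo "$path"
    done
}

# tmp_is_sticky_world_writable ROOT
# Succeeds only if ROOT/tmp shows as drwxrwxrwt.  Parses the first field of
# `ls -ld` instead of using `stat -c` so it also works under busybox.
tmp_is_sticky_world_writable() {
    mode=$(ls -ld "$1/tmp" 2>/dev/null | cut -c1-10)
    [ "$mode" = "drwxrwxrwt" ]
}

# mandos_keys_present ROOT [DIR]
# Succeeds if pubkey.txt and seckey.txt both exist under ROOT/DIR.  DIR
# defaults to the initramfs location from the thread; the normal system
# keeps them in /etc/keys/mandos, so pass that when checking a live root.
mandos_keys_present() {
    root=$1
    dir=${2:-/conf/conf.d/mandos}
    [ -f "$root$dir/pubkey.txt" ] && [ -f "$root$dir/seckey.txt" ]
}

# Report on the tree named on the command line, e.g. the directory the
# initramfs was unpacked into.  Does nothing when no argument is given.
if [ -n "$1" ]; then
    echo "Missing or non-executable GnuPG binaries under $1:"
    missing_gnupg_binaries "$1" "$SAMPLE_GPGCONF"
    if tmp_is_sticky_world_writable "$1"; then
        echo "/tmp mode OK (drwxrwxrwt)"
    else
        echo "/tmp is NOT drwxrwxrwt; run: chmod a=rwxt /tmp"
    fi
    if mandos_keys_present "$1"; then
        echo "key files present in /conf/conf.d/mandos"
    else
        echo "key files missing from /conf/conf.d/mandos"
    fi
fi
```

Run it as `sh check-initramfs.sh /path/to/unpacked-initramfs`. Against the listings pasted in the thread it reports scdaemon, gpgsm, dirmngr and pinentry as missing in both the failing initramfs and the working chroot copy, which is consistent with the observation above that the binaries present are the same in both; the script only makes that comparison mechanical, it does not explain why one environment fails.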
