Bug#549585: mandos-client: fails with: fatal: no entropy gathering module detected.

2009-10-05 Thread Teddy Hogeborn
package mandos-client
retitle 549585 udev: creates /dev/{u,}random with too strict permissions
summary 549585 20
tags 549585 patch
reassign 549585 udev 146-3
package udev
affects 549585 mandos-client
thanks

Teddy Hogeborn te...@fukt.bsnet.se writes:

> Indeed, it seems that both /dev/random and urandom are readable
> only by user and group, respectively.

> [...]  What were the exact permissions and ownerships?  crw-rw
> root root?  That would be very strange.  I'll have to wait until
> tomorrow (when I should have access to a sid machine) [...]

I installed a virtual machine with sid here, and could reproduce the
problem.

> On the bright side, we seem to have found the actual cause of the
> problem; we just need to get udev to create the devices with the
> proper permissions.

I was correct; it is all caused by a recent change in udev; the same
thing was the cause of bug #549275.  Here is a patch for udev which
fixes our version of the problem:

diff -u /usr/share/initramfs-tools/hooks/udev.\~1\~ 
/usr/share/initramfs-tools/hooks/udev
--- /usr/share/initramfs-tools/hooks/udev.~1~   2009-09-27 01:37:44.0 
+0200
+++ /usr/share/initramfs-tools/hooks/udev   2009-10-05 08:35:37.0 
+0200
@@ -25,7 +25,7 @@
 mkdir -p $DESTDIR/lib/udev/rules.d/
 for rules in 50-udev-default.rules 60-persistent-storage.rules \
80-drivers.rules 70-persistent-net.rules \
-   60-persistent-storage-lvm.rules \
+   60-persistent-storage-lvm.rules 91-permissions.rules \
55-dm.rules 60-persistent-storage-dm.rules; do
   if   [ -e /etc/udev/rules.d/$rules ]; then
 cp -p /etc/udev/rules.d/$rules $DESTDIR/lib/udev/rules.d/
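Review bot: the added 91-permissions.rules entry is still subject to the `[ -e /etc/udev/rules.d/$rules ]` test on the line below it, so when the file is absent from /etc/udev/rules.d the fix depends entirely on the fallback branch that follows (not shown in the hunk); it is worth confirming that branch copies the file from the package's own rules directory, and adding a comment next to the list recording that 91-permissions.rules is what gives /dev/random and /dev/urandom their readable modes inside the initramfs, since nothing in the hunk says why the file was added.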

I am reassigning this to udev, since that is where the problem can be
fixed; I do not see how to fix this from our package.

/Teddy Hogeborn

-- 
The Mandos Project
http://www.fukt.bsnet.se/mandos



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#549585: mandos-client: fails with: fatal: no entropy gathering module detected.

2009-10-04 Thread C. Dominik Bodi
Package: mandos-client
Version: 1.0.12-1
Severity: grave
Justification: renders package unusable

After installing mandos I tested my configuration as described in
README.Debian. That worked successfully. However, booting a
mandos-enabled kernel, mandos will not run. The cryptsetup password
prompt appears and I have to type in the crypt volume's password
manually to make the system continue to boot.
At virtually the same time the cryptsetup password prompt appears,
an error message is printed on the console:
Fatal: no entropy gathering module detected

According to Google that message seems to be related to gnutls.
However, as mandos-client doesn't seem to have a debug mode when run
from initrd, I wasn't able to dig deeper. There is no such error
message when testing mandos-client as described in README.Debian.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mandos-client depends on:
ii  adduser   3.111  add and remove users and groups
ii  cryptsetup2:1.0.7-2  configures encrypted block devices
ii  libavahi-common3  0.6.25-1   Avahi common library
ii  libavahi-core60.6.25-1   Avahi's embeddable mDNS/DNS-SD lib
ii  libc6 2.9-27 GNU C Library: Shared libraries
ii  libgnutls26   2.8.4-1the GNU TLS library - runtime libr
ii  libgpg-error0 1.6-1  library for common error values an
ii  libgpgme111.2.0-1GPGME - GnuPG Made Easy

mandos-client recommends no packages.

mandos-client suggests no packages.

-- no debconf information


Regards,
C. Dominik Bodi






Bug#549585: mandos-client: fails with: fatal: no entropy gathering module detected.

2009-10-04 Thread Teddy Hogeborn

C. Dominik Bodi dominik.b...@gmx.de writes:

> After installing mandos [...], booting a mandos-enabled kernel,
> mandos will not run. The cryptsetup password prompt appears and I
> have to type in the crypt volume's password manually to make the
> system continue to boot.
> At virtually the same time the cryptsetup password prompt appears,
> an error message is printed on the console:
> Fatal: no entropy gathering module detected

I agree that this is bad and should not happen.  We have never seen
this problem, so it must be some new factor.  Let's see if we can find
out what it is.

> According to google that message seems to be related to gnutls.
> However, as mandos-client doesn't seem to have a debug mode when run
> from initrd, I wasn't able to dig deeper.

Good news: it is actually possible to run mandos-client in debug mode
in the initrd.  If you uncomment the line:
--options-for=mandos-client:--debug
in /etc/mandos/plugin-runner.conf and rebuild your initrd image file
with update-initrd -u -k all, the mandos-client plugin should be
extremely generous with debug messages when booting.

> There is no such error message when testing mandos-client as
> described in README.Debian

If you boot your system with the kernel parameter break, you
should get a shell running in the initrd environment.  You could check
if the problem is the lack of a properly readable /dev/urandom - this is
what the search results suggest is the usual cause of this message.

Would it be possible for you to do that and report back?  We don't
have many machines running testing or unstable, and I don't have
access to any at the moment.

> Kernel: Linux 2.6.30-2-amd64 (SMP w/1 CPU core)

I suspect that - Linux 2.6.30 - is the cause.  We probably need to
force some specific module to be loaded in the initrd - which used to
be loaded by default or compiled in - to provide the random device
drivers.  In that case, the question is: what module?

/Teddy Hogeborn

-- 
The Mandos Project
http://www.fukt.bsnet.se/mandos
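As an added example, not code from the bug thread or from the Mandos project: a small POSIX sh check of the kind suggested above for the initramfs shell reached with the break kernel parameter. It classifies an ls -ln line for /dev/random or /dev/urandom and reports the over-restrictive mode this bug is about; the assumptions are that the nodes are character devices with major 1 and minor 8 or 9 and that a healthy node is world-readable, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the Mandos project.
# Classify one `ls -ln` line for a kernel random device node and report
# the over-restrictive mode described in the thread.  Assumptions: the
# devices are character devices with major 1 and minor 8 (random) or
# 9 (urandom), and the expected state is world-readable.

# classify_dev_line "<one line of ls -ln output>"
# Prints: ok | not-char-device | wrong-major-minor | not-world-readable
classify_dev_line() {
    set -- $1               # split the line into its columns
    mode=$1
    major=${5%,}            # ls prints the major number as "1,"
    minor=$6
    case $mode in
        c*) ;;
        *) echo not-char-device; return 1 ;;
    esac
    case "$major:$minor" in
        1:8|1:9) ;;
        *) echo wrong-major-minor; return 1 ;;
    esac
    # position 8 of the mode string is the "other" read bit
    case $mode in
        c??????r*) echo ok; return 0 ;;
        *) echo not-world-readable; return 1 ;;
    esac
}

# check_random_devices: run the classification against the live /dev.
# From the initramfs shell this must come after scripts/init-premount/udev
# has created the nodes, as the thread notes.
check_random_devices() {
    rc=0
    for dev in /dev/random /dev/urandom; do
        if [ ! -e "$dev" ]; then
            echo "$dev: missing"; rc=1; continue
        fi
        # "|| true" keeps a failing classification from tripping set -e
        result=$(classify_dev_line "$(ls -ln "$dev")") || true
        echo "$dev: $result"
        [ "$result" = ok ] || rc=1
    done
    return "$rc"
}
```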







Bug#549585: mandos-client: fails with: fatal: no entropy gathering module detected.

2009-10-04 Thread C. Dominik Bódi
After having enabled the debug mode via plugin-runner.conf as you suggested,
the fatal error occurs immediately after the first debug message, which is:
Initializing GNUTLS

Then I booted the kernel with the break option and ran sh
scripts/init-premount/udev. Indeed, it seems that both /dev/random and
urandom are readable only by user and group, respectively.

Regards,
Dominik Bodi






Bug#549585: mandos-client: fails with: fatal: no entropy gathering module detected.

2009-10-04 Thread Teddy Hogeborn

C. Dominik Bódi dominik.b...@gmx.de writes:

> After having enabled the debug mode via plugin-runner.conf as you
> suggested.  The fatal error occurs immediately after the first
> debug messages, which is:
> Initializing GNUTLS

From mandos-client.c:

  if(debug){
    fprintf(stderr, "Initializing GnuTLS\n");
  }
  
  ret = gnutls_global_init();

So the problem is definitely reported by GnuTLS (or libgcrypt).

> Then I booted the kernel with the break option and ran sh
> scripts/init-premount/udev.

Right, I forgot you need to run that too; sorry.

> Indeed, it seems that both /dev/random and urandom are readable only
> by user and group, respectively.

I was hoping for it to be just a missing module to load, but no such
luck, I guess.  What were the exact permissions and ownerships?
crw-rw root root?  That would be very strange.  I'll have to
wait until tomorrow (when I should have access to a sid machine) to
check which of the many changes from lenny to sid could cause it.

On the bright side, we seem to have found the actual cause of the
problem; we just need to get udev to create the devices with the
proper permissions.

/Teddy Hogeborn

- -- 
The Mandos Project
http://www.fukt.bsnet.se/mandos


