root <ro...@bouissou.org> writes: > Package: mandos-client > Version: 1.7.15-1 > Severity: important
If practical, try the latest version, 1.7.19.
> Mandos plugin mandos-client: Trying to decrypt OpenPGP data
> Mandos plugin mandos-client: bad gpgme_op_decrypt: GPGME: Decryption failed
That is the important message. It means that it failed to decrypt the
data from the server using the GPGME library. In the past, this error
has been due to all the necessary GnuPG binaries not having been copied
into the initramfs image.
> plugins.d/mandos-client.c:422:2: runtime error: null pointer passed as
> argument 3, which is declared to never be null
That error is simply about not being able to print an error message
about any "unsupported algorithm", since that field is NULL. I.e. a
spurious error message from the error handling routing itself. Ignore
it for now.
> If I test the client per the manual instructions, it WORKS.
>
> If I unpack the initramfs, chroot into it and run the client, it WORKS.
>
> But when the system boots, it FAILS.
>
> During system boot, I can SSH into the running initramfs using
> dropbear, then if I run the client manually, it fails with the exact
> same error that I can see displayed on screen when booting unattended.
First, when SSHing into the running system, make sure that /tmp is made
writeable by the unprivileged _mandos user. This is fixed by the
automatic scripts when booting, but if you are running things manually
it might not be done. Simply run "chmod a=rwxt /tmp" in the initramfs
file system.
Second, be aware that the instructions for running the client manually
does not contain the optional --dh-params option (Usually passed with an
argument of /etc/keys/mandos/dhparams.pem), but this option is used
automatically by the boot scripts. Just to make sure, does it work when
run manually with or without a chroot with this option? (Passing this
option also makes the client startup quite a bit faster, speeding up
debugging.)
> Any help in solving this will be greatly appreciated :-)
Since GPGME is giving the error, and it has been a problem in the past,
until it has beeen proved otherwise I suspect that the proper binaries
are not present in the system, or that they are not runnable somehow.
What does the "gpgconf" command output, in the normal system, in chroot,
and at boot? Do the listed binaries all exist in all three systems,
i.e. what is the output of this command?
ls -laF $(gpgconf | awk -F: '{ print $3 }')
(Also don't forget to double check for a non-writeable /tmp.)
/Teddy Hogeborn
--
The Mandos Project
https://www.recompile.se/mandos
signature.asc
Description: PGP signature
