Bug#549585: mandos-client: fails with: fatal: no entropy gathering module detected.
package mandos-client
retitle 549585 udev: creates /dev/{u,}random with too strict permissions
summary 549585 20
tags 549585 patch
reassign 549585 udev 146-3
package udev
affects 549585 mandos-client
thanks

Teddy Hogeborn writes:

>> Indeed, it seems that both /dev/random and urandom are readable
>> only by user and group, respectively.
>
> [...] What were the exact permissions and ownerships? "crw-rw
> root root"? That would be very strange. I'll have to wait until
> tomorrow (when I should have access to a sid machine) [...]

I installed a virtual machine with sid here, and could reproduce the
problem.

> On the bright side, we seem to have found the actual cause of the
> problem; we just need to get udev to create the devices with the
> proper permissions.

I was correct; it is all caused by a recent change in "udev"; the same
thing was the cause of bug #549275. Here is a patch for udev which
fixes our version of the problem:

diff -u /usr/share/initramfs-tools/hooks/udev.\~1\~ /usr/share/initramfs-tools/hooks/udev --- /usr/share/initramfs-tools/hooks/udev.~1~ 2009-09-27 01:37:44.0 +0200 +++ /usr/share/initramfs-tools/hooks/udev 2009-10-05 08:35:37.0 +0200 @@ -25,7 +25,7 @@ mkdir -p $DESTDIR/lib/udev/rules.d/ for rules in 50-udev-default.rules 60-persistent-storage.rules \ 80-drivers.rules 70-persistent-net.rules \ - 60-persistent-storage-lvm.rules \ + 60-persistent-storage-lvm.rules 91-permissions.rules \ 55-dm.rules 60-persistent-storage-dm.rules; do if [ -e /etc/udev/rules.d/$rules ]; then cp -p /etc/udev/rules.d/$rules $DESTDIR/lib/udev/rules.d/

I am reassigning this to udev, since that is where the problem can be
fixed; I do not see how to fix this from our package.

/Teddy Hogeborn

-- 
The Mandos Project
http://www.fukt.bsnet.se/mandos
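Review bot: the added 91-permissions.rules entry in the "for rules in ..." list pulls the whole permissions rule file into the initramfs, while the bug being fixed concerns only the modes of /dev/random and /dev/urandom; a short comment in the hook next to the list, saying that this file is needed so those two nodes are created with usable permissions, would keep the entry from being dropped in a later cleanup. The context also shows the copy guarded by "if [ -e /etc/udev/rules.d/$rules ]" with $rules and $DESTDIR unquoted; the other branch is not visible here, so it is worth confirming that it also picks up the new file when there is no local override in /etc/udev/rules.d.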
Bug#549585: mandos-client: fails with: fatal: no entropy gathering module detected.
C. Dominik Bódi writes:

> After having enabled the debug mode via plugin-runner.conf as you
> suggested. The "fatal" error occurs immediately after the first
> debug messages, which is:
> "Initializing GNUTLS"

From mandos-client.c:

    if(debug){
      fprintf(stderr, "Initializing GnuTLS\n");
    }

    ret = gnutls_global_init();

So the problem is definitely reported by GnuTLS (or libgcrypt).

> Then I booted the kernel with the break option and ran "sh
> scripts/init-premount/udev".

Right, I forgot you need to run that too; sorry.

> Indeed, it seems that both /dev/random and urandom are readable only
> by user and group, respectively.

I was hoping for it to be just a missing module to load, but no such
luck, I guess. What were the exact permissions and ownerships?
"crw-rw root root"? That would be very strange. I'll have to wait
until tomorrow (when I should have access to a sid machine) to check
which of the many changes from lenny to sid could cause it.

On the bright side, we seem to have found the actual cause of the
problem; we just need to get udev to create the devices with the
proper permissions.

/Teddy Hogeborn

-- 
The Mandos Project
http://www.fukt.bsnet.se/mandos
Bug#549585: mandos-client: fails with: fatal: no entropy gathering module detected.
After having enabled the debug mode via plugin-runner.conf as you
suggested. The "fatal" error occurs immediately after the first debug
messages, which is:
"Initializing GNUTLS"

Then I booted the kernel with the break option and ran "sh
scripts/init-premount/udev".

Indeed, it seems that both /dev/random and urandom are readable only
by user and group, respectively.

Regards,

Dominik Bodi
Bug#549585: mandos-client: fails with: fatal: no entropy gathering module detected.
"C. Dominik Bodi" writes:

> After installing mandos [...], booting a mandos-enabled kernel,
> mandos will not run. The cryptsetup password prompt appears and I
> have to type in the crypt volume's password manually to make the
> system continue to boot.

> At virtually the same time the cryptsetup password prompt appears,
> an error message is printed on the console:

> Fatal: no entropy gathering module detected

I agree that this is bad and should not happen. We have never seen
this problem, so it must be some new factor. Let's see if we can find
out what it is.

> According to google that message seems to be related to gnutls.
> However, as mandos-client doesn't seem to have a debug mode when run
> from initrd, I wasn't able to dig deeper.

Good news: it is actually possible to run mandos-client in debug mode
in the initrd. If you uncomment the line:

    --options-for=mandos-client:--debug

in "/etc/mandos/plugin-runner.conf" and rebuild your initrd image file
with "update-initrd -u -k all", the mandos-client plugin should be
extremely generous with debug messages when booting.

> There is no such error message when testing mandos-client as
> described in README.Debian

You could boot your system with the kernel parameter "break", you
should get a shell running in the initrd environment. You could check
if the problem is the lack of a proper readable /dev/urandom - this is
what the search results suggest is the usual cause of this message.
Would it be possible for you to do that and report back? We don't
have many machines running testing or unstable, and I don't have
access to any at the moment.

> Kernel: Linux 2.6.30-2-amd64 (SMP w/1 CPU core)

I suspect that - Linux 2.6.30 - to be the cause. We probably need to
force some specific module to be loaded in the initrd - which used to
be loaded by default or compiled in - to provide the random device
drivers. In that case, the question is: what module?

/Teddy Hogeborn

-- 
The Mandos Project
http://www.fukt.bsnet.se/mandos
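The check discussed in this thread (are /dev/random and /dev/urandom character devices that any user may read?) can be scripted for the initramfs "break" shell. This is an added example, not part of any message in the thread or of the Mandos or udev packages; it assumes a `stat` that supports `-c` (GNU coreutils, or a BusyBox built with format support), and the function names are made up here.

```shell
#!/bin/sh
# Added example: report whether the kernel random devices can be opened by
# an unprivileged process. Function names are hypothetical.

# mode_world_readable MODE: succeed if the octal mode (as printed by
# "stat -c %a", e.g. 666 or 660) has the read bit set for "other".
mode_world_readable() {
    case $1 in
        ''|*[!0-7]*) return 2 ;;      # not an octal mode string
    esac
    [ $(( 0$1 & 4 )) -ne 0 ]
}

# check_entropy_device PATH: print a one-line verdict, return 0 only if
# PATH exists, is a character device and is world-readable.
check_entropy_device() {
    dev=$1
    if [ ! -e "$dev" ]; then
        echo "$dev: missing"
        return 1
    fi
    if [ ! -c "$dev" ]; then
        echo "$dev: not a character device"
        return 1
    fi
    mode=$(stat -c '%a' "$dev") || return 1
    owner=$(stat -c '%U:%G' "$dev") || return 1
    if ! mode_world_readable "$mode"; then
        echo "$dev: mode $mode ($owner) is not world-readable"
        return 1
    fi
    echo "$dev: ok (mode $mode, $owner)"
}

# check_entropy_devices: check both nodes, return 1 if either one fails.
check_entropy_devices() {
    rc=0
    for dev in /dev/random /dev/urandom; do
        check_entropy_device "$dev" || rc=1
    done
    return $rc
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_entropy_devices
fi
```

Run it with `--run` after udev has populated /dev; a "not world-readable" line for either node matches the symptom reported in this bug.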
Bug#549585: mandos-client: fails with: fatal: no entropy gathering module detected.
Package: mandos-client
Version: 1.0.12-1
Severity: grave
Justification: renders package unusable

After installing mandos I tested my configuration as described in
README.Debian. That worked successfully.

However, booting a mandos-enabled kernel, mandos will not run. The
cryptsetup password prompt appears and I have to type in the crypt
volume's password manually to make the system continue to boot.

At virtually the same time the cryptsetup password prompt appears, an
error message is printed on the console:

Fatal: no entropy gathering module detected

According to google that message seems to be related to gnutls.
However, as mandos-client doesn't seem to have a debug mode when run
from initrd, I wasn't able to dig deeper.

There is no such error message when testing mandos-client as described
in README.Debian

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mandos-client depends on:
ii  adduser            3.111      add and remove users and groups
ii  cryptsetup         2:1.0.7-2  configures encrypted block devices
ii  libavahi-common3   0.6.25-1   Avahi common library
ii  libavahi-core6     0.6.25-1   Avahi's embeddable mDNS/DNS-SD lib
ii  libc6              2.9-27     GNU C Library: Shared libraries
ii  libgnutls26        2.8.4-1    the GNU TLS library - runtime libr
ii  libgpg-error0      1.6-1      library for common error values an
ii  libgpgme11         1.2.0-1    GPGME - GnuPG Made Easy

mandos-client recommends no packages.

mandos-client suggests no packages.

-- no debconf information

Regards,

C. Dominik Bodi