Michel Bouissou <mic...@bouissou.net> writes:

> /lib/mandos/plugin-runner
>
> I assume the latter starts the clients with the exact options from
> /conf/conf.d/mandos/plugin-runner.conf

Yes, as documented in plugin-runner(8mandos).

> ... and there is no --dh-params option.

There isn't? To be precise, do you mean that the
/conf/conf.d/mandos/plugin-runner.conf file does not contain the line

--options-for=mandos-client:--dh-params=/conf/conf.d/mandos/dhparams.pem

at the top? What, exactly, *does* it contain? Does it lack the
--groupid and --userid options too?

If so, that is odd; these options should have been added when creating
the initramfs image. The script which adds the Mandos client to the
initramfs image also adds these options when copying the base
/etc/mandos/plugin-runner.conf to /conf/conf.d/mandos/plugin-runner.conf
in the initramfs image. If the --userid and --groupid options are not in
/conf/conf.d/mandos/plugin-runner.conf, that might explain the observed
behavior.

Maybe the Mandos initramfs creation hook script aborts for some reason
before it comes that far? Does "update-initramfs -k all -u" (as root,
on the client system) give some error messages or warnings?

> > Since GPGME is giving the error, and it has been a problem in the
> > past, until it has been proved otherwise I suspect that the proper
> > binaries are not present in the system, or that they are not
> > runnable somehow.
>
> Well, they are surely there as it works in the chrooted copy of
> initramfs...

Well, maybe they aren't runnable because plugin-runner is switching to
the wrong user and group ID. But in that case it's strange that it
could read the OpenPGP key files.

/Teddy Hogeborn

--
The Mandos Project
https://www.recompile.se/mandos