Mandos 1.7.15

The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.

Tags boot security cryptography systems administration
License GNU GPLv3
State stable

Recent Releases

1.7.15 23 Feb 2017 21:13 minor bugfix: Server Bug fix: Respect the mandos.conf "zeroconf" and "restore" options. Client bug fix in "mandos-keygen": Handle backslashes in passphrases.
1.7.14 25 Jan 2017 20:24 minor bugfix: Server Minor Bug fix: Don't use deprecated directive name in systemd service file.
1.7.13 08 Oct 2016 06:27 minor bugfix: Client Minor Bug fix: Don't ask for passphrase or fail when generating keys using GnuPG 2.1 in a chrooted environment.
1.7.12 05 Oct 2016 20:57 major bugfix: Client Bug fix: Don't crash after exit() when using DH parameters file
1.7.11 01 Oct 2016 15:25 minor bugfix: Client Security fix: Don't compile with AddressSanitizer. Server Bug fix: Find GnuTLS library when gnutls28-dev is not installed. Server Bug Fix: Include "Expires" and "Last Checker Status" in mandos-ctl verbose output. Server New Feature: New option for mandos-ctl: --dump-json
1.7.10 23 Jun 2016 21:10 minor bugfix: Client security fix: restrict permissions of /etc/mandos/plugin-helpers directory (by default empty). Server bug fix: Make the --interface flag work with Python 2.7 when "cc" is not installed
1.7.9 22 Jun 2016 09:07 minor bugfix: Client bug fix: Do not include intro(8mandos) man page which conflicts with the same one from the server package.
1.7.8 21 Jun 2016 20:47 minor bugfix: Client bug fix: Work with GnuPG 2 when booting (Debian bug #819982) by copying /usr/bin/gpg-agent into initramfs. Server bug fix: Make the --interface option work when using Python 2.7 by trying harder to find SO_BINDTODEVICE.
1.7.7 19 Mar 2016 22:26 minor bugfix: Bug fix: Fix bug in Plymouth password prompting plugin, bug present since 1.2, but only recently broken since the introduction of the -fsanitize=address compilation flag in version 1.7.2.
1.7.6 13 Mar 2016 22:45 minor bugfix: Bug fix: Fix bug where stopping server would time out. Also make server program compatible with Python 3.
1.7.5 08 Mar 2016 00:55 minor bugfix: Bug fix: Fix security restrictions in systemd service file. Work around bug where stopping server would time out.
1.7.4 05 Mar 2016 22:42 minor bugfix: Bug fix: Fix compilation on mips, mipsel and s390x. On boot, tolerate errors from the external "configure_networking" shell function. Add extra security restrictions in systemd service file.
1.7.3 29 Feb 2016 22:50 minor bugfix: Bug fix: Remove new type of keyring directory used by GnuPG 2.1. Bug fix: Remove "nonnull" attribute from a function argument, which would otherwise generate a spurious runtime warning.
1.7.2 28 Feb 2016 16:17 minor bugfix: Bug fix: Don't try to send D-Bus signal ClientRemoved if not using D-Bus. Also stop using Python-GnuTLS library and instead call the GnuTLS library directly.
1.7.1 24 Oct 2015 18:33 minor bugfix: Bug fix: Can now really find Mandos server even if the server has an IPv6 address on a network other than the one which the Mandos server is on.
1.7.0 10 Aug 2015 21:22 minor feature: Server bugs fixed: Handle local Zeroconf service name collisions better, the "ERROR: Child process vanished" bug, start server correctly in systemd, be compatible with old 2048-bit DSA keys. Server features: The D-Bus API now provides the standard D-Bus ObjectManager interface (deprecating older functionality). Client bug fixed: mandos-keygen now generates correct output for the "Checker" variable even if the SSH server on the Mandos client has multiple SSH key types. Client features: Can now find Mandos server even if the server has an IPv6 address on a network without IPv6 Router Advertisement, now uses a better value than 1024 for the default number of DH bits, can now use pre-generated Diffie-Hellman parameters from a file.
1.6.9 26 Oct 2014 15:23 minor feature: Server: Changed to emit standard D-Bus signal when D-Bus properties change. (The old signal is still emitted too, but marked as deprecated.)