bzr branch http://bzr.recompile.se/loggerhead/mandos/release
debian/mandos-client.README.Debian (annotated view; revision 237.2.129 by Teddy Hogeborn: "debian/mandos-client.README.Debian: Improved wording and formatting.")

* Adding a Client Password to the Server

The server must be given a password to hand back to the client at
boot time. This password must be one that can be used to unlock
the root file system device. On the *client*, run this command:

mandos-keygen --password

It will prompt for a password and output a config file section.
This output should be copied to the Mandos server and added to the
file "/etc/mandos/clients.conf" there.

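The step above is usually done by hand with an editor. The following
script is an added helper written for this page, not part of Mandos
or its packaging: on the server it appends the section that
"mandos-keygen --password" printed (transferred as a file) to
clients.conf, and refuses to do so if a section with the same name is
already there, so a client's entry is never silently duplicated. It
assumes the keygen output is INI-style and begins with a
"[client-name]" header line, which is the format clients.conf uses.

```shell
#!/bin/sh
# Added helper, not part of Mandos: append the client section printed by
# "mandos-keygen --password" to clients.conf, unless that section name is
# already present. Assumes the section starts with a "[name]" header.
set -eu

# section_name FILE: print the name in the first "[...]" header line.
section_name() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1" | head -n 1
}

# has_section CONF NAME: succeed if CONF already has a "[NAME]" header
# (exact match, so "[foo]" does not count as "[foo2]").
has_section() {
    [ -f "$1" ] || return 1
    awk -v n="$2" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      if (s == n) { found = 1; exit } }
        END { exit !found }' "$1"
}

# add_client_section CONF FILE: append FILE to CONF unless its section
# name already exists there. Status 1 on a clash, 2 if FILE has no header.
add_client_section() {
    name=$(section_name "$2")
    if [ -z "$name" ]; then
        echo "$2: no [section] header found" >&2; return 2
    fi
    if has_section "$1" "$name"; then
        echo "$1: section [$name] already exists, not adding" >&2; return 1
    fi
    { printf '\n'; cat "$2"; } >> "$1"
    echo "added [$name] to $1"
}

# Typical use on the server, after copying the client's output there:
#   add_client_section /etc/mandos/clients.conf /root/newclient.section
```

On a clash the script leaves clients.conf untouched; decide yourself
whether the old section should be replaced (for instance after a
client's key was regenerated) rather than letting two entries with the
same name coexist.
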
* Testing that it Works (Without Rebooting)

After the server has been started with this client's key added, it
is possible to verify that the correct password will be received by
this client by running the command, on the client:

MANDOSPLUGINHELPERDIR=/usr/lib/$(dpkg-architecture \
-qDEB_HOST_MULTIARCH)/mandos/plugin-helpers \
/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH \
)/mandos/plugins.d/mandos-client \
--pubkey=/etc/keys/mandos/pubkey.txt \
--seckey=/etc/keys/mandos/seckey.txt; echo

This command should retrieve the password from the server, decrypt
it, and output it to standard output, where it can be checked to be
the correct password before rebooting. (The password is printed
without a trailing newline; the final "; echo" only adds one so that
the shell prompt starts on a fresh line.)

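Reading the password off the terminal only shows that the server
answered; it does not show that what it answered opens the root
device. The script below is an added example for this page, not part
of Mandos: it runs the same mandos-client command, then feeds the
result to "cryptsetup open --test-passphrase", which checks a
passphrase against a LUKS device without activating any mapping, so
it is safe on the running system. It assumes the root mapping is
listed in /etc/crypttab under the name given as the argument (for
example "cryptroot"), and that findfs can resolve a UUID= or LABEL=
source. The crypttab helpers also flag a keyscript= option, which
is relevant to the "Do *NOT* Edit /etc/crypttab" section below.

```shell
#!/bin/sh
# Added example, not part of Mandos: fetch the password as the README's
# command does and prove it unlocks the root LUKS device, without
# rebooting and without creating a mapping.
set -eu

CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"

# crypttab_field NAME N [FILE]: print field N of the crypttab line whose
# mapping name is NAME, skipping comments and blank lines.
crypttab_field() {
    awk -v n="$1" -v f="$2" '!/^[ \t]*(#|$)/ && $1 == n { print $f; exit }' \
        "${3:-$CRYPTTAB}"
}

crypttab_source()  { crypttab_field "$1" 2 "${2:-$CRYPTTAB}"; }
crypttab_options() { crypttab_field "$1" 4 "${2:-$CRYPTTAB}"; }

# has_keyscript NAME [FILE]: succeed if the entry carries a keyscript=
# option (a root entry with one would bypass the Mandos default).
has_keyscript() {
    case ",$(crypttab_options "$1" "${2:-$CRYPTTAB}")," in
        *,keyscript=*) return 0 ;;
        *)             return 1 ;;
    esac
}

# resolve_source SPEC: turn UUID=/LABEL=/PARTUUID=/PARTLABEL= into a
# device path (assumes util-linux findfs); plain paths pass through.
resolve_source() {
    case "$1" in
        UUID=*|LABEL=*|PARTUUID=*|PARTLABEL=*) findfs "$1" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# fetch_password: the command from this README. Its output has no
# trailing newline, which is exactly the form the LUKS passphrase has.
fetch_password() {
    arch=$(dpkg-architecture -qDEB_HOST_MULTIARCH)
    MANDOSPLUGINHELPERDIR="/usr/lib/$arch/mandos/plugin-helpers" \
        "/usr/lib/$arch/mandos/plugins.d/mandos-client" \
        --pubkey=/etc/keys/mandos/pubkey.txt \
        --seckey=/etc/keys/mandos/seckey.txt
}

# verify_root_password NAME: fetch the password and test it against the
# device behind crypttab mapping NAME. Final status is cryptsetup's.
verify_root_password() {
    src=$(crypttab_source "$1")
    [ -n "$src" ] || { echo "$CRYPTTAB: no entry named $1" >&2; return 2; }
    if has_keyscript "$1"; then
        echo "warning: $1 has a keyscript= option in $CRYPTTAB" >&2
    fi
    dev=$(resolve_source "$src")
    pw=$(fetch_password)
    [ -n "$pw" ] || { echo "empty password received from server" >&2; return 3; }
    # --key-file=- takes the bytes as they are (nothing stripped or
    # appended), and printf is a shell builtin, so the password does not
    # show up in any other process's argument list.
    printf '%s' "$pw" | cryptsetup open --test-passphrase --key-file=- "$dev"
}

# Usage, as root on the client:  verify_root_password cryptroot
```

Run it without "sh -x": xtrace would echo the password to stderr. A
non-zero exit from cryptsetup means the server holds a password that
does not match any LUKS key slot on that device, which is exactly the
case that would otherwise only be discovered at the next reboot.
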
* Emergency Escape

If it ever should be necessary, the Mandos client can be temporarily
prevented from running at startup by passing the parameter
"mandos=off" to the kernel.

* Specifying a Client Network Interface

At boot time the network interfaces to use will by default be
automatically detected. If this should result in incorrect
interfaces, edit the DEVICE setting in the
"/etc/initramfs-tools/initramfs.conf" file. (The default setting is
empty, meaning it will autodetect the interface.) *If* the DEVICE
setting is changed, it will be necessary to update the initrd image
by running the command

update-initramfs -k all -u

The device can also be overridden at boot time on the Linux kernel
command line using the sixth colon-separated field of the "ip="
option; for exact syntax, read the documentation in the file
"/usr/share/doc/linux-doc-*/Documentation/filesystems/nfs/nfsroot.txt",
available in the "linux-doc-*" package.

Note that since the network interfaces are used in the initial RAM
disk environment, the network interfaces *must* exist at that stage.
Thus, an interface can *not* be a pseudo-interface such as "br0" or
"tun0"; instead, only real interfaces (such as "eth0") can be used.
This can be overcome by writing a "network hook" program to create
an interface (see mandos-client(8mandos)) and placing it in
"/etc/mandos/network-hooks.d", from where it will be copied into the
initial RAM disk. Example network hook scripts can be found in
"/usr/share/doc/mandos-client/examples/network-hooks.d".

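As an illustration of such a network hook, here is one written for
this page; it is not one of the example scripts shipped in
"/usr/share/doc/mandos-client/examples/network-hooks.d", and the
calling convention it relies on is the one documented in
mandos-client(8mandos): the hook is run with a single argument
("start", "stop", "files" or "modules"), DEVICE holds the
comma-separated interface list (empty meaning autodetect), and for
"files" and "modules" the hook prints, one per line, the programs to
copy into the initial RAM disk and the kernel modules to load. The
physical interface name and the use of iproute2 are assumptions of
this script.

```shell
#!/bin/sh
# Added illustration of a Mandos network hook, not a shipped example:
# it creates "br0" on top of a physical NIC so that the bridge exists
# in the initial RAM disk. Assumed contract (per mandos-client(8mandos)):
# $1 is start|stop|files|modules and DEVICE is the interface list.
# PHYS_IF is an assumption; set it to the real NIC name.

BRIDGE_IF="br0"
PHYS_IF="${PHYS_IF:-eth0}"

# Programs that must be copied into the initial RAM disk, one per line.
hook_files() {
    command -v ip
}

# Kernel modules the bridge needs, one per line.
hook_modules() {
    printf '%s\n' bridge
}

# device_wanted DEVICE IFACE: succeed if the DEVICE list is empty
# (autodetect) or names IFACE, so the hook stays idle otherwise.
device_wanted() {
    case ",$1," in
        ",,")     return 0 ;;
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

hook_start() {
    ip link add name "$BRIDGE_IF" type bridge
    ip link set "$PHYS_IF" master "$BRIDGE_IF"
    ip link set "$PHYS_IF" up
    ip link set "$BRIDGE_IF" up
}

# mandos-client runs the hook again with "stop" once it is done, so the
# bridge must be torn down cleanly for the real system to take over.
hook_stop() {
    ip link set "$BRIDGE_IF" down
    ip link set "$PHYS_IF" nomaster
    ip link del "$BRIDGE_IF"
}

hook_main() {
    case "$1" in
        files)   hook_files ;;
        modules) hook_modules ;;
        start|stop)
            device_wanted "${DEVICE:-}" "$BRIDGE_IF" || exit 0
            "hook_$1" ;;
        *) echo "usage: $0 start|stop|files|modules" >&2; exit 2 ;;
    esac
}

# Dispatch only when invoked with an argument; sourcing the file (as a
# test harness does) defines the functions without touching the network.
if [ $# -gt 0 ]; then
    hook_main "$@"
fi
```

Install it executable in "/etc/mandos/network-hooks.d", set DEVICE to
"br0" as described above, and rerun "update-initramfs -k all -u" so
that both the hook and the "ip" binary it lists end up in the initrd.
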
* User-Supplied Plugins

Any plugins found in "/etc/mandos/plugins.d" will override and add
to the normal Mandos plugins. When adding or changing plugins, do
not forget to update the initial RAM disk image:

update-initramfs -k all -u

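Forgetting that "update-initramfs" run, for plugins as well as for
the network hooks of the previous section, is the usual cause of "it
works on the running system but not at boot". The following check is
an added example for this page, not part of Mandos: it lists files in
"/etc/mandos/plugins.d" and "/etc/mandos/network-hooks.d" that are
newer than the current initrd, and files that do not appear in the
initrd listing at all. It assumes initramfs-tools' naming
"/boot/initrd.img-<kernel version>", the "lsinitramfs" tool from that
package, and that the two directory basenames are kept inside the
initrd (files are matched by a "<dir basename>/<file name>" suffix).

```shell
#!/bin/sh
# Added check, not part of Mandos: are the user plugins and network
# hooks in the initial RAM disk, and is the initrd newer than they are?
set -eu

PLUGIN_DIR=/etc/mandos/plugins.d
HOOK_DIR=/etc/mandos/network-hooks.d

# stale_files INITRD DIR...: print regular files under the DIRs that are
# newer than INITRD, i.e. edited after the last update-initramfs run.
stale_files() {
    initrd=$1; shift
    [ -f "$initrd" ] || { echo "no such initrd: $initrd" >&2; return 2; }
    find "$@" -type f -newer "$initrd" 2>/dev/null || true
}

# in_listing LISTING SUFFIX: succeed if some line of LISTING ends in SUFFIX.
in_listing() {
    printf '%s\n' "$1" | awk -v s="$2" \
        'substr($0, length($0) - length(s) + 1) == s { f = 1; exit } END { exit !f }'
}

# missing_from_listing LISTING DIR...: print files in the DIRs that do
# not appear in LISTING as ".../<dir basename>/<file name>".
missing_from_listing() {
    listing=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            in_listing "$listing" "/$(basename "$d")/$(basename "$f")" \
                || printf '%s\n' "$f"
        done
    done
}

# check_initrd [INITRD]: report stale or missing plugins and hooks.
# Status 1 means "update-initramfs -k all -u" is needed.
check_initrd() {
    initrd=${1:-/boot/initrd.img-$(uname -r)}
    rc=0
    stale=$(stale_files "$initrd" "$PLUGIN_DIR" "$HOOK_DIR")
    if [ -n "$stale" ]; then
        echo "newer than $initrd:" >&2; printf '  %s\n' $stale >&2; rc=1
    fi
    missing=$(missing_from_listing "$(lsinitramfs "$initrd")" "$PLUGIN_DIR" "$HOOK_DIR")
    if [ -n "$missing" ]; then
        echo "not found in $initrd:" >&2; printf '  %s\n' $missing >&2; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$initrd is up to date"
    return "$rc"
}

# Usage:  check_initrd            (current kernel)
#         check_initrd /boot/initrd.img-<version>
```

A file that is present but stale is the more dangerous of the two
cases: the boot will use the old copy, so a plugin you believe you
have fixed or removed may still run.
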
* Do *NOT* Edit "/etc/crypttab"

It is NOT necessary to edit "/etc/crypttab" to specify
"/usr/lib/mandos/plugin-runner" as a keyscript for the root file
system; if no keyscript is given for the root file system, the
Mandos client will be the new default way for getting a password for
the root file system when booting.

* Non-local Connection (Not Using ZeroConf)

If the "ip=" kernel command line option is used to specify a
complete IP address and device name, as noted above, it then becomes
possible to specify a specific IP address and port to connect to,
instead of using ZeroConf. The syntax for doing this is
"mandos=connect:<IP_ADDRESS>:<PORT_NUMBER>" on the kernel command
line.

For very advanced users, it is possible to specify simply
"mandos=connect" on the kernel command line to make the system only
set up the network (using the data in the "ip=" option) and not pass
any extra "--connect" options to mandos-client at boot. For this to
work, "--options-for=mandos-client:--connect=<ADDRESS>:<PORT>" needs
to be manually added to the file "/etc/mandos/plugin-runner.conf".

 -- Teddy Hogeborn <teddy@recompile.se>, Mon, 29 Jun 2015 18:17:41 +0200