=== modified file 'Makefile'
--- Makefile 2008-09-02 15:02:37 +0000
+++ Makefile 2008-09-03 05:04:40 +0000
@@ -67,10 +67,21 @@
 %.8mandos: %.xml legalnotice.xml
 $(DOCBOOKTOMAN)
-mandos.8: mandos.xml mandos-options.xml
- $(DOCBOOKTOMAN)
-
-mandos.conf.5: mandos.conf.xml mandos-options.xml
+mandos.8: mandos.xml mandos-options.xml overview.xml legalnotice.xml
+ $(DOCBOOKTOMAN)
+
+mandos-keygen.8: mandos-keygen.xml overview.xml legalnotice.xml
+ $(DOCBOOKTOMAN)
+
+mandos.conf.5: mandos.conf.xml mandos-options.xml legalnotice.xml
+ $(DOCBOOKTOMAN)
+
+plugin-runner.8mandos: plugin-runner.xml overview.xml legalnotice.xml
+ $(DOCBOOKTOMAN)
+
+plugins.d/password-request.8mandos: plugins.d/password-request.xml \
+ mandos-options.xml \
+ overview.xml legalnotice.xml
 $(DOCBOOKTOMAN)
 plugins.d/password-request: plugins.d/password-request.o
=== modified file 'TODO'
--- TODO 2008-09-02 17:42:53 +0000
+++ TODO 2008-09-03 05:04:40 +0000
@@ -9,17 +9,6 @@
 * password-request
 ** [#A] Man page: man8/password-request.8mandos
-*** DESCRIPTION
- State that this command is not meant to be invoked directly, but
- is run as a plugin from mandos-client(8) and only run in the
- initrd environment, not the real system.
-*** PURPOSE
- As in mandos.xml
-*** OVERVIEW
- As in mandos.xml
-*** EXIT STATUS
-*** ENVIRONMENT
- Note that it does *not* currently use cryptsource or crypttarget.
 *** FILES
 Describe the key files and the key ring files. Also note that they should normally have been automatically created.
=== modified file 'mandos-options.xml'
--- mandos-options.xml 2008-09-02 17:42:53 +0000
+++ mandos-options.xml 2008-09-03 05:04:40 +0000
@@ -45,15 +45,14 @@
- GnuTLS priority string for the TLS handshake
- with the clients. The default is
- SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP. See
- gnutls_priority_init
+ GnuTLS priority string for the TLS handshake.
+ The default is SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP. See
+ gnutls_priority_init
 3 for the syntax. Warning: changing this may make the
- TLS handshake fail, making communication with
- clients impossible.
+ TLS handshake fail, making server-client
+ communication impossible.
=== modified file 'plugins.d/password-request.c'
--- plugins.d/password-request.c 2008-09-02 17:42:53 +0000
+++ plugins.d/password-request.c 2008-09-03 05:04:40 +0000
@@ -281,7 +281,7 @@
 } plaintext_length += ret; }
-
+
 if(debug){ fprintf(stderr, "Decrypted password is: "); for(ssize_t i = 0; i < plaintext_length; i++){
@@ -380,15 +380,14 @@
 } gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
-
+
 return 0;
-
+
 globalfail:
-
+
 gnutls_certificate_free_credentials(mc->cred); gnutls_global_deinit(); return -1;
-
 } static int init_gnutls_session(mandos_context *mc,
@@ -466,7 +465,7 @@
 perror("socket"); return -1; }
-
+
 if(debug){ if(if_indextoname((unsigned int)if_index, interface) == NULL){ perror("if_indextoname");
@@ -511,7 +510,7 @@
 perror("connect"); return -1; }
-
+
 const char *out = mandos_protocol_version; written = 0; while (true){
@@ -535,13 +534,13 @@
 } } }
-
+
 if(debug){ fprintf(stderr, "Establishing TLS session with %s\n", ip); } gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
-
+
 do{ ret = gnutls_handshake (session); } while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
@@ -561,7 +560,7 @@
 fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip); }
-
+
 while(true){ buffer_capacity = adjustbuffer(&buffer, buffer_length, buffer_capacity);
@@ -783,35 +782,37 @@
 { .name = "debug", .key = 128, .doc = "Debug mode", .group = 3 }, { .name = "connect", .key = 'c',
- .arg = "IP",
- .doc = "Connect directly to a sepcified mandos server",
+ .arg = "ADDRESS:PORT",
+ .doc = "Connect directly to a specific Mandos server",
 .group = 1 }, { .name = "interface", .key = 'i',
- .arg = "INTERFACE",
- .doc = "Interface that Avahi will conntect through",
+ .arg = "NAME",
+ .doc = "Interface that will be used to search for Mandos" " servers",
 .group = 1 }, { .name = "keydir", .key = 'd',
- .arg = "KEYDIR",
- .doc = "Directory where the openpgp keyring is",
+ .arg = "DIRECTORY",
+ .doc = "Directory to read the OpenPGP key files from",
 .group = 1 }, { .name = "seckey", .key = 's',
- .arg = "SECKEY",
- .doc = "Secret openpgp key for gnutls authentication",
+ .arg = "FILE",
+ .doc = "OpenPGP secret key file base name",
 .group = 1 }, { .name = "pubkey", .key = 'p',
- .arg = "PUBKEY",
- .doc = "Public openpgp key for gnutls authentication",
+ .arg = "FILE",
+ .doc = "OpenPGP public key file base name",
 .group = 2 }, { .name = "dh-bits", .key = 129, .arg = "BITS",
- .doc = "dh-bits to use in gnutls communication",
+ .doc = "Bit length of the prime number used in the" " Diffie-Hellman key exchange",
 .group = 2 }, { .name = "priority", .key = 130,
- .arg = "PRIORITY",
- .doc = "GNUTLS priority", .group = 1 },
+ .arg = "STRING",
+ .doc = "GnuTLS priority string for the TLS handshake",
+ .group = 1 },
 { .name = NULL } };
-
 error_t parse_opt (int key, char *arg, struct argp_state *state) {
@@ -856,11 +857,11 @@
 } return 0; }
-
+
 struct argp argp = { .options = options, .parser = parse_opt, .args_doc = "", .doc = "Mandos client -- Get and decrypt"
- " passwords from mandos server" };
+ " passwords from a Mandos server" };
 ret = argp_parse (&argp, argc, argv, 0, 0, NULL); if (ret == ARGP_ERR_UNKNOWN){ fprintf(stderr, "Unknown error while parsing arguments\n");
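Review bot: The argp group numbers in the rewritten option table still look inconsistent: `keydir` and `seckey` are in group 1 while `pubkey` and `dh-bits` are in group 2, and the added `.group = 1 },` for `priority` puts the TLS priority string back in group 1 next to the network options. argp orders `--help` output by group number, so the two key-file options, which now have parallel "file base name" help texts, will be printed apart from each other while `pubkey` sits next to `dh-bits`. If the groups are meant to cluster related options, I would either move `pubkey` to `.group = 1` and `priority` to `.group = 2`, or put a one-line comment above the table stating what each group number stands for, so the next edit does not repeat the drift. The options table and the function enclosing it both start before this hunk, so the intent of the numbering is not visible here.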
@@ -868,7 +869,7 @@
 goto end; } }
-
+
 pubkeyfilename = combinepath(keydir, pubkeyname); if (pubkeyfilename == NULL){ perror("combinepath");
@@ -882,7 +883,7 @@
 exitcode = EXIT_FAILURE; goto end; }
-
+
 ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename); if (ret == -1){ fprintf(stderr, "init_gnutls_global failed\n");
@@ -980,7 +981,7 @@
 exitcode = EXIT_FAILURE; goto end; }
-
+
 { AvahiServerConfig config; /* Do not publish any local Zeroconf records */
@@ -989,12 +990,12 @@
 config.publish_addresses = 0; config.publish_workstation = 0; config.publish_domain = 0;
-
+
 /* Allocate a new server */ mc.server = avahi_server_new(avahi_simple_poll_get (mc.simple_poll), &config, NULL, NULL, &error);
-
+
 /* Free the Avahi configuration data */ avahi_server_config_free(&config); }
@@ -1020,7 +1021,7 @@
 } /* Run the main loop */
-
+
 if (debug){ fprintf(stderr, "Starting Avahi loop search\n"); }
@@ -1028,7 +1029,7 @@
 avahi_simple_poll_loop(mc.simple_poll); end:
-
+
 if (debug){ fprintf(stderr, "%s exiting\n", argv[0]); }
@@ -1039,12 +1040,12 @@
 if (mc.server != NULL) avahi_server_free(mc.server);
-
+
 if (mc.simple_poll != NULL) avahi_simple_poll_free(mc.simple_poll); free(pubkeyfilename); free(seckeyfilename);
-
+
 if (gnutls_initalized){ gnutls_certificate_free_credentials(mc.cred); gnutls_global_deinit ();
=== modified file 'plugins.d/password-request.xml'
--- plugins.d/password-request.xml 2008-09-02 17:42:53 +0000
+++ plugins.d/password-request.xml 2008-09-03 05:04:40 +0000
@@ -3,7 +3,7 @@
 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-
+
 ]>
@@ -137,10 +137,11 @@
 This program is not meant to be run directly; it is really meant to run as a plugin of the Mandos plugin-runner
- 8mandos, which in turn
- runs as a keyscript specified in the
- crypttab
- 5 file.
+ 8mandos, which runs in the
+ initial RAM disk environment because it is
+ specified as a keyscript in the
+ crypttab5
+ file.
@@ -154,25 +155,6 @@ - - OVERVIEW - - - This program is the client part. It is a plugin started by - plugin-runner - 8mandos which will run in - an initial RAM disk environment. - - - This program could, theoretically, be used as a keyscript in - /etc/crypttab, but it would then be - impossible to enter the encrypted root disk password at the - console, since this program does not read from the console at - all. This is why a separate plugin does that, which will be run - in parallell to this one. - - - OPTIONS @@ -188,10 +170,10 @@ @@ -202,7 +184,8 @@ assumed to separate the address from the port number. - This option is normally only useful for debugging. + This option is normally only useful for testing and + debugging. @@ -244,9 +227,9 @@ FILE - OpenPGP public key file name. This will be combined with - the directory from the option to - form an absolute file name. The default name is + OpenPGP public key file base name. This will be combined + with the directory from the + option to form an absolute file name. The default name is pubkey.txt. @@ -259,9 +242,9 @@ FILE - OpenPGP secret key file name. This will be combined with - the directory from the option to - form an absolute file name. The default name is + OpenPGP secret key file base name. This will be combined + with the directory from the + option to form an absolute file name. The default name is seckey.txt. @@ -271,7 +254,8 @@ - + @@ -333,6 +317,25 @@ + + OVERVIEW + + + This program is the client part. It is a plugin started by + plugin-runner + 8mandos which will run in + an initial RAM disk environment. + + + This program could, theoretically, be used as a keyscript in + /etc/crypttab, but it would then be + impossible to enter the encrypted root disk password at the + console, since this program does not read from the console at + all. This is why a separate plugin does that, which will be run + in parallell to this one. + + + EXIT STATUS 
@@ -346,12 +349,15 @@ - - - - - - + + ENVIRONMENT + + This program does not use any environment variables, not even + the ones provided by cryptsetup8 + . + + FILES @@ -403,8 +409,8 @@ - GPGME + url="http://www.gnupg.org/related_software/gpgme/" + >GPGME