%common; ]> Mandos &version; &TIMESTAMP; Björn Påhlsson

belorn@recompile.se

Teddy Hogeborn

teddy@recompile.se

2019 2020 Teddy Hogeborn Björn Påhlsson &COMMANDNAME; 8mandos &COMMANDNAME; Run Mandos client as a systemd password agent. &COMMANDNAME; --agent-directory=DIRECTORY --helper-directory=DIRECTORY --user=USERID --group=GROUPID -- MANDOS_CLIENT OPTIONS &COMMANDNAME; --test &COMMANDNAME; --help -? &COMMANDNAME; --usage &COMMANDNAME; --version -V &COMMANDNAME; is a program which is meant to be a systemd 1 Password Agent (See Password Agents). The aim of this program is therefore to acquire and then send a password to some other program which will use the password to unlock the encrypted root disk. This program is not meant to be invoked directly, but can be in order to test it. The purpose of this is to enable remote and unattended rebooting of client host computer with an encrypted root file system. See for details. --agent-directory DIRECTORY Specify a different agent directory. The default is /run/systemd/ask-password as per the Password Agents specification. --helper-directory DIRECTORY Specify a different helper directory. The default is /lib/mandos/plugin-helpers, which will exist in the initial RAM disk environment. (This will simply be passed to the MANDOS_CLIENT program via the MANDOSPLUGINHELPERDIR environment variable. See mandos-client8mandos.) --user USERID Change real user ID to USERID when running MANDOS_CLIENT. The default is 65534. Note: This must be a number, not a name. --group GROUPID Change real group ID to GROUPID when running MANDOS_CLIENT. The default is 65534. Note: This must be a number, not a name. MANDOS_CLIENT This specifies the file name for mandos-client8mandos. If the -- option is given, any following options are passed to the MANDOS_CLIENT program. The default is /lib/mandos/plugins.d/mandos-client (which is the correct location for the initial RAM disk environment) without any options. --help -? Gives a help message about options and their meanings. --test Ignore normal operation; instead only run self-tests. Adding the --help option may show more options possible in combination with --test. --usage Gives a short usage message. --version -V Prints the program version. This program, &COMMANDNAME;, will run on the client side in the initial RAM disk environment, and is responsible for getting a password from the Mandos client program itself, and to send that password to whatever is currently asking for a password using the systemd Password Agents mechanism. To accomplish this, &COMMANDNAME; runs the mandos-client program (which is the actual client program communicating with the Mandos server) or, alternatively, any executable file specified as MANDOS_CLIENT, and, as soon as a password is acquired from the MANDOS_CLIENT program, sends that password (as per the Password Agents specification) to all currently unanswered password questions. This program should be started (normally as a systemd service, which in turn is normally started by a systemd.path 5 file) as a reaction to files named ask.xxxx appearing in the agent directory /run/systemd/ask-password (or the directory specified by --agent-directory). Exit status of this program is zero if no errors were encountered, and otherwise not. This program does not use any environment variables itself, it only passes on its environment to MANDOS_CLIENT. Also, the --helper-directory option will affect the environment variable MANDOSPLUGINHELPERDIR for MANDOS_CLIENT. /run/systemd/ask-password The default directory to watch for password questions as per the Password Agents specification; can be changed by the --agent-directory option. /lib/mandos/plugin-helpers The helper directory as supplied to MANDOS_CLIENT via the MANDOSPLUGINHELPERDIR environment variable; can be changed by the --helper-directory option. Normal invocation needs no options: &COMMANDNAME; Run an alternative MANDOS_CLIENT program:: &COMMANDNAME; /usr/local/sbin/alternate Use alternative locations for the helper directory and the Mandos client, and add extra options suitable for running in the normal file system: &COMMANDNAME; --helper-directory=/usr/lib/x86_64-linux-gnu/mandos/plugin-helpers -- /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem --tls-privkey=/etc/keys/mandos/tls-privkey.pem Use the default location for mandos-client 8mandos, but add many options to it: &COMMANDNAME; -- /lib/mandos/plugins.d/mandos-client --pubkey=/etc/mandos/keys/pubkey.txt --seckey=/etc/mandos/keys/seckey.txt --tls-pubkey=/etc/mandos/keys/tls-pubkey.pem --tls-privkey=/etc/mandos/keys/tls-privkey.pem Only run the self-tests: &COMMANDNAME; --test This program will need to run as the root user in order to read the agent directory and the ask.xxxx files there, and will, when starting the Mandos client program, require the ability to set the real user and group ids to another user, by default user and group 65534, which are assumed to be non-privileged. This is done in order to match the expectations of mandos-client8mandos, which assumes that its executable file is owned by the root user and also has the set-user-ID bit set (see execve2). intro 8mandos, mandos-client 8mandos, systemd 1, Password Agents The specification for systemd Password Agent programs, which &COMMANDNAME; follows.