/mandos/release : revision 123

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-08-31 08:47:38 UTC
Revision ID: teddy@fukt.bsnet.se-20080831084738-uu70kayyt876982d

* mandos-keygen: Minor help text change.

* mandos-keygen.xml: Changed plural "keys" to singular "key"
                     throughout.
  (NAME): Improved wording.
  (DESCRIPTION): Improved wording.
  (OPTIONS): Split options in <term> tags into separate <term> tags.
             Use <option> tags.  Move long options before short
             options.  Uppercase replaceables.
  (OVERVIEW): Improved wording.
  (EXIT STATUS): Also cover --password option.
  (EXAMPLE): Add two examples using the --password option.
  (SECURITY): Improved wording.

* overview.xml: Improved wording.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

legalnotice.xml

mandos-ctl

mandos-monitor

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2009-12-09">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-08-31">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

105

<replaceable>DIRECTORY</replaceable></option></arg>

106

<sbr/>

107

<arg><option>--debug</option></arg>

<sbr/>

<sbr/>

108

</cmdsynopsis>

109

110

<command>&COMMANDNAME;</command>

106

122

<arg choice="plain"><option>--check</option></arg>

107

123

</cmdsynopsis>

108

124

</refsynopsisdiv>

109

125

110

126

111

127

<title>DESCRIPTION</title>

112

128

<para>

121

137

Any authenticated client is then given the stored pre-encrypted

122

138

password for that specific client.

123

139

</para>

140

124

141

</refsect1>

125

142

126

143

127

144

<title>PURPOSE</title>

145

128

146

<para>

129

147

The purpose of this is to enable <emphasis>remote and unattended

130

148

rebooting</emphasis> of client host computer with an

131

149

<emphasis>encrypted root file system</emphasis>. See <xref

132

150

linkend="overview"/> for details.

133

151

</para>

152

134

153

</refsect1>

135

154

136

155

137

156

<title>OPTIONS</title>

157

138

158

139

159

160

140

161

141

142

162

143

163

<para>

144

164

Show a help message and exit

145

165

</para>

146

166

</listitem>

147

167

</varlistentry>

148

168

149

169

170

171

150

172

<term><option>--interface</option>

151

173

152

153

154

174

155

175

<xi:include href="mandos-options.xml" xpointer="interface"/>

156

176

</listitem>

157

177

</varlistentry>

158

178

159

179

160

<term><option>--address

161

<replaceable>ADDRESS</replaceable></option></term>

162

<term><option>-a

163

<replaceable>ADDRESS</replaceable></option></term>

180

<term><literal>-a</literal>, <literal>--address <replaceable>

181

ADDRESS</replaceable></literal></term>

164

182

165

183

<xi:include href="mandos-options.xml" xpointer="address"/>

166

184

</listitem>

167

185

</varlistentry>

168

186

169

187

170

<term><option>--port

171

172

<term><option>-p

173

188

189

PORT</replaceable></literal></term>

174

190

175

191

<xi:include href="mandos-options.xml" xpointer="port"/>

176

192

</listitem>

177

193

</varlistentry>

178

194

179

195

180

<term><option>--check</option></term>

196

<term><literal>--check</literal></term>

181

197

182

198

<para>

183

199

Run the server’s self-tests. This includes any unit

185

201

</para>

186

202

</listitem>

187

203

</varlistentry>

188

204

189

205

190

<term><option>--debug</option></term>

206

<term><literal>--debug</literal></term>

191

207

192

208

<xi:include href="mandos-options.xml" xpointer="debug"/>

193

209

</listitem>

194

210

</varlistentry>

195

211

196

212

197

<term><option>--priority <replaceable>

198

PRIORITY</replaceable></option></term>

213

<term><literal>--priority <replaceable>

214

PRIORITY</replaceable></literal></term>

199

215

200

216

<xi:include href="mandos-options.xml" xpointer="priority"/>

201

217

</listitem>

202

218

</varlistentry>

203

219

204

220

205

<term><option>--servicename

206

221

<term><literal>--servicename <replaceable>NAME</replaceable>

222

</literal></term>

207

223

208

224

<xi:include href="mandos-options.xml"

209

225

xpointer="servicename"/>

210

226

</listitem>

211

227

</varlistentry>

212

228

213

229

214

<term><option>--configdir

215

<replaceable>DIRECTORY</replaceable></option></term>

230

<term><literal>--configdir <replaceable>DIR</replaceable>

231

</literal></term>

216

232

217

233

<para>

218

234

Directory to search for configuration files. Default is

224

240

</para>

225

241

</listitem>

226

242

</varlistentry>

227

243

228

244

229

<term><option>--version</option></term>

245

<term><literal>--version</literal></term>

230

246

231

247

<para>

232

248

Prints the program version and exit.

233

249

</para>

234

250

</listitem>

235

251

</varlistentry>

236

237

238

239

240

<xi:include href="mandos-options.xml" xpointer="dbus"/>

241

<para>

242

See also <xref linkend="dbus_interface"/>.

243

</para>

244

</listitem>

245

</varlistentry>

246

247

248

249

250

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

251

</listitem>

252

</varlistentry>

253

252

</variablelist>

254

253

</refsect1>

255

254

256

255

257

256

<title>OVERVIEW</title>

258

257

<xi:include href="overview.xml"/>

259

258

<para>

260

259

This program is the server part. It is a normal server program

261

260

and will run in a normal system environment, not in an initial

262

<acronym>RAM</acronym> disk environment.

261

RAM disk environment.

263

262

</para>

264

263

</refsect1>

265

264

266

265

267

266

<title>NETWORK PROTOCOL</title>

268

267

<para>

320

319

</row>

321

320

</tbody></tgroup></table>

322

321

</refsect1>

323

322

324

323

325

324

<title>CHECKING</title>

326

325

<para>

327

326

The server will, by default, continually check that the clients

328

327

are still up. If a client has not been confirmed as being up

329

328

for some time, the client is assumed to be compromised and is no

330

longer eligible to receive the encrypted password. (Manual

331

intervention is required to re-enable a client.) The timeout,

329

longer eligible to receive the encrypted password. The timeout,

332

330

checker program, and interval between checks can be configured

333

331

both globally and per client; see <citerefentry>

334

332

<refentrytitle>mandos-clients.conf</refentrytitle>

335

<manvolnum>5</manvolnum></citerefentry>. A client successfully

336

receiving its password will also be treated as a successful

337

checker run.

333

<manvolnum>5</manvolnum></citerefentry>.

338

334

</para>

339

335

</refsect1>

340

336

341

337

342

338

<title>LOGGING</title>

343

339

<para>

347

343

and also show them on the console.

348

344

</para>

349

345

</refsect1>

350

351

352

<title>D-BUS INTERFACE</title>

353

<para>

354

The server will by default provide a D-Bus system bus interface.

355

This interface will only be accessible by the root user or a

356

Mandos-specific user, if such a user exists.

357

358

</para>

359

</refsect1>

360

346

361

347

362

348

<title>EXIT STATUS</title>

363

349

<para>

365

351

critical error is encountered.

366

352

</para>

367

353

</refsect1>

368

354

369

355

370

356

<title>ENVIRONMENT</title>

371

357

385

371

</varlistentry>

386

372

</variablelist>

387

373

</refsect1>

388

389

374

375

390

376

<title>FILES</title>

391

377

<para>

392

378

Use the <option>--configdir</option> option to change where

415

401

</listitem>

416

402

</varlistentry>

417

403

418

<term><filename>/var/run/mandos.pid</filename></term>

404

<term><filename>/var/run/mandos/mandos.pid</filename></term>

419

405

420

406

<para>

421

407

The file containing the process id of

453

439

backtrace. This could be considered a feature.

454

440

</para>

455

441

<para>

456

Currently, if a client is disabled due to having timed out, the

457

server does not record this fact onto permanent storage. This

458

has some security implications, see <xref linkend="clients"/>.

442

Currently, if a client is declared <quote>invalid</quote> due to

443

having timed out, the server does not record this fact onto

444

permanent storage. This has some security implications, see

445

<xref linkend="CLIENTS"/>.

459

446

</para>

460

447

<para>

461

448

There is currently no way of querying the server of the current

469

456

Debug mode is conflated with running in the foreground.

470

457

</para>

471

458

<para>

472

The console log messages do not show a time stamp.

473

</para>

474

<para>

475

This server does not check the expire time of clients’ OpenPGP

476

keys.

459

The console log messages does not show a timestamp.

477

460

</para>

478

461

</refsect1>

479

462

514

497

</para>

515

498

</informalexample>

516

499

</refsect1>

517

500

518

501

519

502

<title>SECURITY</title>

520

503

521

504

<title>SERVER</title>

522

505

<para>

523

506

Running this <command>&COMMANDNAME;</command> server program

524

507

should not in itself present any security risk to the host

525

computer running it. The program switches to a non-root user

526

soon after startup.

508

computer running it. The program does not need any special

509

privileges to run, and is designed to run as a non-root user.

527

510

</para>

528

511

</refsect2>

529

512

530

513

<title>CLIENTS</title>

531

514

<para>

532

515

The server only gives out its stored data to clients which

539

522

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

540

523

<manvolnum>5</manvolnum></citerefentry>)

541

524

<emphasis>must</emphasis> be made non-readable by anyone

542

except the user starting the server (usually root).

525

except the user running the server.

543

526

</para>

544

527

<para>

545

528

As detailed in <xref linkend="checking"/>, the status of all

548

531

</para>

549

532

<para>

550

533

If a client is compromised, its downtime should be duly noted

551

by the server which would therefore disable the client. But

552

if the server was ever restarted, it would re-read its client

553

list from its configuration file and again regard all clients

554

therein as enabled, and hence eligible to receive their

555

passwords. Therefore, be careful when restarting servers if

556

it is suspected that a client has, in fact, been compromised

557

by parties who may now be running a fake Mandos client with

558

the keys from the non-encrypted initial <acronym>RAM</acronym>

559

image of the client host. What should be done in that case

560

(if restarting the server program really is necessary) is to

561

stop the server program, edit the configuration file to omit

562

any suspect clients, and restart the server program.

534

by the server which would therefore declare the client

535

invalid. But if the server was ever restarted, it would

536

re-read its client list from its configuration file and again

537

regard all clients therein as valid, and hence eligible to

538

receive their passwords. Therefore, be careful when

539

restarting servers if it is suspected that a client has, in

540

fact, been compromised by parties who may now be running a

541

fake Mandos client with the keys from the non-encrypted

542

initial RAM image of the client host. What should be done in

543

that case (if restarting the server program really is

544

necessary) is to stop the server program, edit the

545

configuration file to omit any suspect clients, and restart

546

the server program.

563

547

</para>

564

548

<para>

565

549

For more details on client-side security, see

566

<citerefentry><refentrytitle>mandos-client</refentrytitle>

550

<citerefentry><refentrytitle>password-request</refentrytitle>

567

551

<manvolnum>8mandos</manvolnum></citerefentry>.

568

552

</para>

569

553

</refsect2>

570

554

</refsect1>

571

555

572

556

573

557

574

558

<para>

577

561

578

562

<refentrytitle>mandos.conf</refentrytitle>

579

563

580

<refentrytitle>mandos-client</refentrytitle>

564

<refentrytitle>password-request</refentrytitle>

581

565

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

582

566

583

567

</citerefentry>

Older »