/mandos/release : revision 131

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-08-31 15:06:39 UTC
Revision ID: teddy@fukt.bsnet.se-20080831150639-tqdkyea3b9p3rou7

* Makefile: Make all DocBook rules include legalnotice.xml as a
            dependency.

* legalnotice.xml: New file with just the <legalnotice> tag in it.

* mandos-clients.conf.xml (/refentry): Add XInclude namespace.
  (/refentry/refentryinfo/legalnotice): Replaced with an inclusion of
                                        "legalnotice.xml".
* mandos-keygen.xml (/refentry/refentryinfo/legalnotice): - '' -
* mandos-conf.xml (/refentry/refentryinfo/legalnotice): - '' -
* mandos.xml (/refentry/refentryinfo/legalnotice): - '' -

* overview.xml: Changed root node tag name in DOCTYPE declaration.

* plugin-runner.xml (/refentry): Add XInclude namespace.
  (/refentry/refentryinfo/legalnotice): Replaced with an inclusion of
                                        "legalnotice.xml".

* plugins.d/password-prompt.xml (/refentry): Add XInclude namespace.
  (/refentry/refentryinfo/legalnotice): Replaced with an inclusion of
                                        "legalnotice.xml".

* plugins.d/password-request.xml (/refentry): Add XInclude namespace.
  (/refentry/refentryinfo/legalnotice): Replaced with an inclusion of
                                        "legalnotice.xml".

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

default-mandos

init.d-mandos

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2012-05-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-08-31">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

<sbr/>

<arg><option>--no-restore</option></arg>

100

<sbr/>

101

<arg><option>--statedir

102

<replaceable>DIRECTORY</replaceable></option></arg>

103

<sbr/>

104

<arg><option>--socket

105

106

</cmdsynopsis>

107

108

<command>&COMMANDNAME;</command>

120

100

<arg choice="plain"><option>--check</option></arg>

121

101

</cmdsynopsis>

122

102

</refsynopsisdiv>

123

103

124

104

125

105

<title>DESCRIPTION</title>

126

106

<para>

127

107

<command>&COMMANDNAME;</command> is a server daemon which

128

108

handles incoming request for passwords for a pre-defined list of

129

client host computers. For an introduction, see

130

<citerefentry><refentrytitle>intro</refentrytitle>

131

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

132

uses Zeroconf to announce itself on the local network, and uses

133

TLS to communicate securely with and to authenticate the

134

clients. The Mandos server uses IPv6 to allow Mandos clients to

135

use IPv6 link-local addresses, since the clients will probably

136

not have any other addresses configured (see <xref

137

linkend="overview"/>). Any authenticated client is then given

138

the stored pre-encrypted password for that specific client.

109

client host computers. The Mandos server uses Zeroconf to

110

announce itself on the local network, and uses TLS to

111

communicate securely with and to authenticate the clients. The

112

Mandos server uses IPv6 to allow Mandos clients to use IPv6

113

link-local addresses, since the clients will probably not have

114

any other addresses configured (see <xref linkend="overview"/>).

115

Any authenticated client is then given the stored pre-encrypted

116

password for that specific client.

139

117

</para>

118

140

119

</refsect1>

141

120

142

121

143

122

<title>PURPOSE</title>

123

144

124

<para>

145

125

The purpose of this is to enable <emphasis>remote and unattended

146

126

rebooting</emphasis> of client host computer with an

147

127

<emphasis>encrypted root file system</emphasis>. See <xref

148

128

linkend="overview"/> for details.

149

129

</para>

130

150

131

</refsect1>

151

132

152

133

153

134

<title>OPTIONS</title>

135

154

136

155

137

156

138

208

190

<xi:include href="mandos-options.xml" xpointer="debug"/>

209

191

</listitem>

210

192

</varlistentry>

211

212

213

<term><option>--debuglevel

214

<replaceable>LEVEL</replaceable></option></term>

215

216

<para>

217

Set the debugging log level.

218

<replaceable>LEVEL</replaceable> is a string, one of

219

<quote><literal>CRITICAL</literal></quote>,

220

<quote><literal>ERROR</literal></quote>,

221

<quote><literal>WARNING</literal></quote>,

222

<quote><literal>INFO</literal></quote>, or

223

<quote><literal>DEBUG</literal></quote>, in order of

224

increasing verbosity. The default level is

225

<quote><literal>WARNING</literal></quote>.

226

</para>

227

</listitem>

228

</varlistentry>

229

193

230

194

231

195

<term><option>--priority <replaceable>

232

196

PRIORITY</replaceable></option></term>

234

198

<xi:include href="mandos-options.xml" xpointer="priority"/>

235

199

</listitem>

236

200

</varlistentry>

237

201

238

202

239

203

<term><option>--servicename

240

204

243

207

xpointer="servicename"/>

244

208

</listitem>

245

209

</varlistentry>

246

210

247

211

248

212

<term><option>--configdir

249

213

<replaceable>DIRECTORY</replaceable></option></term>

258

222

</para>

259

223

</listitem>

260

224

</varlistentry>

261

225

262

226

263

227

<term><option>--version</option></term>

264

228

267

231

</para>

268

232

</listitem>

269

233

</varlistentry>

270

271

272

273

274

<xi:include href="mandos-options.xml" xpointer="dbus"/>

275

<para>

276

See also <xref linkend="dbus_interface"/>.

277

</para>

278

</listitem>

279

</varlistentry>

280

281

282

283

284

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

285

</listitem>

286

</varlistentry>

287

288

289

<term><option>--no-restore</option></term>

290

291

<xi:include href="mandos-options.xml" xpointer="restore"/>

292

<para>

293

See also <xref linkend="persistent_state"/>.

294

</para>

295

</listitem>

296

</varlistentry>

297

298

299

<term><option>--statedir

300

<replaceable>DIRECTORY</replaceable></option></term>

301

302

<xi:include href="mandos-options.xml" xpointer="statedir"/>

303

</listitem>

304

</varlistentry>

305

306

307

<term><option>--socket

308

309

310

<xi:include href="mandos-options.xml" xpointer="socket"/>

311

</listitem>

312

</varlistentry>

313

314

234

</variablelist>

315

235

</refsect1>

316

236

317

237

318

238

<title>OVERVIEW</title>

319

239

<xi:include href="overview.xml"/>

320

240

<para>

321

241

This program is the server part. It is a normal server program

322

242

and will run in a normal system environment, not in an initial

323

<acronym>RAM</acronym> disk environment.

243

RAM disk environment.

324

244

</para>

325

245

</refsect1>

326

246

327

247

328

248

<title>NETWORK PROTOCOL</title>

329

249

<para>

381

301

</row>

382

302

</tbody></tgroup></table>

383

303

</refsect1>

384

304

385

305

386

306

<title>CHECKING</title>

387

307

<para>

388

308

The server will, by default, continually check that the clients

389

309

are still up. If a client has not been confirmed as being up

390

310

for some time, the client is assumed to be compromised and is no

391

longer eligible to receive the encrypted password. (Manual

392

intervention is required to re-enable a client.) The timeout,

393

extended timeout, checker program, and interval between checks

394

can be configured both globally and per client; see

395

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

311

longer eligible to receive the encrypted password. The timeout,

312

checker program, and interval between checks can be configured

313

both globally and per client; see <citerefentry>

314

<refentrytitle>mandos-clients.conf</refentrytitle>

396

315

<manvolnum>5</manvolnum></citerefentry>.

397

316

</para>

398

317

</refsect1>

399

400

401

<title>APPROVAL</title>

402

<para>

403

The server can be configured to require manual approval for a

404

client before it is sent its secret. The delay to wait for such

405

approval and the default action (approve or deny) can be

406

configured both globally and per client; see <citerefentry>

407

<refentrytitle>mandos-clients.conf</refentrytitle>

408

<manvolnum>5</manvolnum></citerefentry>. By default all clients

409

will be approved immediately without delay.

410

</para>

411

<para>

412

This can be used to deny a client its secret if not manually

413

approved within a specified time. It can also be used to make

414

the server delay before giving a client its secret, allowing

415

optional manual denying of this specific client.

416

</para>

417

418

</refsect1>

419

318

420

319

421

320

<title>LOGGING</title>

422

321

<para>

423

322

The server will send log message with various severity levels to

424

<filename class="devicefile">/dev/log</filename>. With the

323

<filename>/dev/log</filename>. With the

425

324

<option>--debug</option> option, it will log even more messages,

426

325

and also show them on the console.

427

326

</para>

428

327

</refsect1>

429

430

431

<title>PERSISTENT STATE</title>

432

<para>

433

Client settings, initially read from

434

<filename>clients.conf</filename>, are persistent across

435

restarts, and run-time changes will override settings in

436

<filename>clients.conf</filename>. However, if a setting is

437

<emphasis>changed</emphasis> (or a client added, or removed) in

438

<filename>clients.conf</filename>, this will take precedence.

439

</para>

440

</refsect1>

441

442

443

<title>D-BUS INTERFACE</title>

444

<para>

445

The server will by default provide a D-Bus system bus interface.

446

This interface will only be accessible by the root user or a

447

Mandos-specific user, if such a user exists. For documentation

448

of the D-Bus API, see the file <filename>DBUS-API</filename>.

449

</para>

450

</refsect1>

451

328

452

329

453

330

<title>EXIT STATUS</title>

454

331

<para>

456

333

critical error is encountered.

457

334

</para>

458

335

</refsect1>

459

336

460

337

461

338

<title>ENVIRONMENT</title>

462

339

476

353

</varlistentry>

477

354

</variablelist>

478

355

</refsect1>

479

480

356

357

481

358

<title>FILES</title>

482

359

<para>

483

360

Use the <option>--configdir</option> option to change where

506

383

</listitem>

507

384

</varlistentry>

508

385

509

<term><filename>/var/run/mandos.pid</filename></term>

510

511

<para>

512

The file containing the process id of the

513

<command>&COMMANDNAME;</command> process started last.

514

</para>

515

</listitem>

516

</varlistentry>

517

518

519

</varlistentry>

520

521

<term><filename

522

class="directory">/var/lib/mandos</filename></term>

523

524

<para>

525

Directory where persistent state will be saved. Change

526

this with the <option>--statedir</option> option. See

527

also the <option>--no-restore</option> option.

386

<term><filename>/var/run/mandos/mandos.pid</filename></term>

387

388

<para>

389

The file containing the process id of

390

<command>&COMMANDNAME;</command>.

528

391

</para>

529

392

</listitem>

530

393

</varlistentry>

558

421

backtrace. This could be considered a feature.

559

422

</para>

560

423

<para>

424

Currently, if a client is declared <quote>invalid</quote> due to

425

having timed out, the server does not record this fact onto

426

permanent storage. This has some security implications, see

427

<xref linkend="CLIENTS"/>.

428

</para>

429

<para>

430

There is currently no way of querying the server of the current

431

status of clients, other than analyzing its <systemitem

432

class="service">syslog</systemitem> output.

433

</para>

434

<para>

561

435

There is no fine-grained control over logging and debug output.

562

436

</para>

563

437

<para>

564

438

Debug mode is conflated with running in the foreground.

565

439

</para>

566

440

<para>

567

This server does not check the expire time of clients’ OpenPGP

568

keys.

441

The console log messages does not show a timestamp.

569

442

</para>

570

443

</refsect1>

571

444

582

455

583

456

<para>

584

457

Run the server in debug mode, read configuration files from

585

the <filename class="directory">~/mandos</filename> directory,

586

and use the Zeroconf service name <quote>Test</quote> to not

587

collide with any other official Mandos server on this host:

458

the <filename>~/mandos</filename> directory, and use the

459

Zeroconf service name <quote>Test</quote> to not collide with

460

any other official Mandos server on this host:

588

461

</para>

589

462

<para>

590

463

606

479

</para>

607

480

</informalexample>

608

481

</refsect1>

609

482

610

483

611

484

<title>SECURITY</title>

612

485

613

486

<title>SERVER</title>

614

487

<para>

615

488

Running this <command>&COMMANDNAME;</command> server program

616

489

should not in itself present any security risk to the host

617

computer running it. The program switches to a non-root user

618

soon after startup.

490

computer running it. The program does not need any special

491

privileges to run, and is designed to run as a non-root user.

619

492

</para>

620

493

</refsect2>

621

494

622

495

<title>CLIENTS</title>

623

496

<para>

624

497

The server only gives out its stored data to clients which

631

504

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

632

505

<manvolnum>5</manvolnum></citerefentry>)

633

506

<emphasis>must</emphasis> be made non-readable by anyone

634

except the user starting the server (usually root).

507

except the user running the server.

635

508

</para>

636

509

<para>

637

510

As detailed in <xref linkend="checking"/>, the status of all

639

512

compromised if they are gone for too long.

640

513

</para>

641

514

<para>

515

If a client is compromised, its downtime should be duly noted

516

by the server which would therefore declare the client

517

invalid. But if the server was ever restarted, it would

518

re-read its client list from its configuration file and again

519

regard all clients therein as valid, and hence eligible to

520

receive their passwords. Therefore, be careful when

521

restarting servers if it is suspected that a client has, in

522

fact, been compromised by parties who may now be running a

523

fake Mandos client with the keys from the non-encrypted

524

initial RAM image of the client host. What should be done in

525

that case (if restarting the server program really is

526

necessary) is to stop the server program, edit the

527

configuration file to omit any suspect clients, and restart

528

the server program.

529

</para>

530

<para>

642

531

For more details on client-side security, see

643

<citerefentry><refentrytitle>mandos-client</refentrytitle>

532

<citerefentry><refentrytitle>password-request</refentrytitle>

644

533

<manvolnum>8mandos</manvolnum></citerefentry>.

645

534

</para>

646

535

</refsect2>

647

536

</refsect1>

648

537

649

538

650

539

651

540

<para>

652

<citerefentry><refentrytitle>intro</refentrytitle>

653

<manvolnum>8mandos</manvolnum></citerefentry>,

654

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

655

<manvolnum>5</manvolnum></citerefentry>,

656

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

657

<manvolnum>5</manvolnum></citerefentry>,

658

<citerefentry><refentrytitle>mandos-client</refentrytitle>

659

<manvolnum>8mandos</manvolnum></citerefentry>,

660

661

541

542

<refentrytitle>mandos-clients.conf</refentrytitle>

543

544

<refentrytitle>mandos.conf</refentrytitle>

545

546

<refentrytitle>password-request</refentrytitle>

547

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

548

549

</citerefentry>

662

550

</para>

663

551

664

552

Older »