/mandos/release : revision 138

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-09-02 06:13:47 UTC
Revision ID: teddy@fukt.bsnet.se-20080902061347-psw61eqt17j425sq

* plugin-runner.c: Changed short option for "--global-env" to "-G",
changed short option for "--env-for" to "-E",
added new option "--enable" ("-e").

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

mandos-change-keytype

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2013-10-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-01">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

<sbr/>

100

<arg><option>--no-restore</option></arg>

101

<sbr/>

102

<arg><option>--statedir

103

<replaceable>DIRECTORY</replaceable></option></arg>

104

<sbr/>

105

<arg><option>--socket

106

107

<sbr/>

108

<arg><option>--foreground</option></arg>

109

</cmdsynopsis>

110

111

<command>&COMMANDNAME;</command>

123

100

<arg choice="plain"><option>--check</option></arg>

124

101

</cmdsynopsis>

125

102

</refsynopsisdiv>

126

103

127

104

128

105

<title>DESCRIPTION</title>

129

106

<para>

130

107

<command>&COMMANDNAME;</command> is a server daemon which

131

108

handles incoming request for passwords for a pre-defined list of

132

client host computers. For an introduction, see

133

<citerefentry><refentrytitle>intro</refentrytitle>

134

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

135

uses Zeroconf to announce itself on the local network, and uses

136

TLS to communicate securely with and to authenticate the

137

clients. The Mandos server uses IPv6 to allow Mandos clients to

138

use IPv6 link-local addresses, since the clients will probably

139

not have any other addresses configured (see <xref

140

linkend="overview"/>). Any authenticated client is then given

141

the stored pre-encrypted password for that specific client.

109

client host computers. The Mandos server uses Zeroconf to

110

announce itself on the local network, and uses TLS to

111

communicate securely with and to authenticate the clients. The

112

Mandos server uses IPv6 to allow Mandos clients to use IPv6

113

link-local addresses, since the clients will probably not have

114

any other addresses configured (see <xref linkend="overview"/>).

115

Any authenticated client is then given the stored pre-encrypted

116

password for that specific client.

142

117

</para>

118

143

119

</refsect1>

144

120

145

121

146

122

<title>PURPOSE</title>

123

147

124

<para>

148

125

The purpose of this is to enable <emphasis>remote and unattended

149

126

rebooting</emphasis> of client host computer with an

150

127

<emphasis>encrypted root file system</emphasis>. See <xref

151

128

linkend="overview"/> for details.

152

129

</para>

130

153

131

</refsect1>

154

132

155

133

156

134

<title>OPTIONS</title>

135

157

136

158

137

159

138

211

190

<xi:include href="mandos-options.xml" xpointer="debug"/>

212

191

</listitem>

213

192

</varlistentry>

214

215

216

<term><option>--debuglevel

217

<replaceable>LEVEL</replaceable></option></term>

218

219

<para>

220

Set the debugging log level.

221

<replaceable>LEVEL</replaceable> is a string, one of

222

<quote><literal>CRITICAL</literal></quote>,

223

<quote><literal>ERROR</literal></quote>,

224

<quote><literal>WARNING</literal></quote>,

225

<quote><literal>INFO</literal></quote>, or

226

<quote><literal>DEBUG</literal></quote>, in order of

227

increasing verbosity. The default level is

228

<quote><literal>WARNING</literal></quote>.

229

</para>

230

</listitem>

231

</varlistentry>

232

193

233

194

234

195

<term><option>--priority <replaceable>

235

196

PRIORITY</replaceable></option></term>

237

198

<xi:include href="mandos-options.xml" xpointer="priority"/>

238

199

</listitem>

239

200

</varlistentry>

240

201

241

202

242

203

<term><option>--servicename

243

204

246

207

xpointer="servicename"/>

247

208

</listitem>

248

209

</varlistentry>

249

210

250

211

251

212

<term><option>--configdir

252

213

<replaceable>DIRECTORY</replaceable></option></term>

261

222

</para>

262

223

</listitem>

263

224

</varlistentry>

264

225

265

226

266

227

<term><option>--version</option></term>

267

228

270

231

</para>

271

232

</listitem>

272

233

</varlistentry>

273

274

275

276

277

<xi:include href="mandos-options.xml" xpointer="dbus"/>

278

<para>

279

See also <xref linkend="dbus_interface"/>.

280

</para>

281

</listitem>

282

</varlistentry>

283

284

285

286

287

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

288

</listitem>

289

</varlistentry>

290

291

292

<term><option>--no-restore</option></term>

293

294

<xi:include href="mandos-options.xml" xpointer="restore"/>

295

<para>

296

See also <xref linkend="persistent_state"/>.

297

</para>

298

</listitem>

299

</varlistentry>

300

301

302

<term><option>--statedir

303

<replaceable>DIRECTORY</replaceable></option></term>

304

305

<xi:include href="mandos-options.xml" xpointer="statedir"/>

306

</listitem>

307

</varlistentry>

308

309

310

<term><option>--socket

311

312

313

<xi:include href="mandos-options.xml" xpointer="socket"/>

314

</listitem>

315

</varlistentry>

316

317

318

<term><option>--foreground</option></term>

319

320

<xi:include href="mandos-options.xml"

321

xpointer="foreground"/>

322

</listitem>

323

</varlistentry>

324

325

234

</variablelist>

326

235

</refsect1>

327

236

328

237

329

238

<title>OVERVIEW</title>

330

239

<xi:include href="overview.xml"/>

334

243

<acronym>RAM</acronym> disk environment.

335

244

</para>

336

245

</refsect1>

337

246

338

247

339

248

<title>NETWORK PROTOCOL</title>

340

249

<para>

392

301

</row>

393

302

</tbody></tgroup></table>

394

303

</refsect1>

395

304

396

305

397

306

<title>CHECKING</title>

398

307

<para>

399

308

The server will, by default, continually check that the clients

400

309

are still up. If a client has not been confirmed as being up

401

310

for some time, the client is assumed to be compromised and is no

402

longer eligible to receive the encrypted password. (Manual

403

intervention is required to re-enable a client.) The timeout,

404

extended timeout, checker program, and interval between checks

405

can be configured both globally and per client; see

406

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

311

longer eligible to receive the encrypted password. The timeout,

312

checker program, and interval between checks can be configured

313

both globally and per client; see <citerefentry>

314

<refentrytitle>mandos-clients.conf</refentrytitle>

407

315

<manvolnum>5</manvolnum></citerefentry>.

408

316

</para>

409

317

</refsect1>

410

411

412

<title>APPROVAL</title>

413

<para>

414

The server can be configured to require manual approval for a

415

client before it is sent its secret. The delay to wait for such

416

approval and the default action (approve or deny) can be

417

configured both globally and per client; see <citerefentry>

418

<refentrytitle>mandos-clients.conf</refentrytitle>

419

<manvolnum>5</manvolnum></citerefentry>. By default all clients

420

will be approved immediately without delay.

421

</para>

422

<para>

423

This can be used to deny a client its secret if not manually

424

approved within a specified time. It can also be used to make

425

the server delay before giving a client its secret, allowing

426

optional manual denying of this specific client.

427

</para>

428

429

</refsect1>

430

318

431

319

432

320

<title>LOGGING</title>

433

321

<para>

434

322

The server will send log message with various severity levels to

435

<filename class="devicefile">/dev/log</filename>. With the

323

<filename>/dev/log</filename>. With the

436

324

<option>--debug</option> option, it will log even more messages,

437

325

and also show them on the console.

438

326

</para>

439

327

</refsect1>

440

441

442

<title>PERSISTENT STATE</title>

443

<para>

444

Client settings, initially read from

445

<filename>clients.conf</filename>, are persistent across

446

restarts, and run-time changes will override settings in

447

<filename>clients.conf</filename>. However, if a setting is

448

<emphasis>changed</emphasis> (or a client added, or removed) in

449

<filename>clients.conf</filename>, this will take precedence.

450

</para>

451

</refsect1>

452

453

454

<title>D-BUS INTERFACE</title>

455

<para>

456

The server will by default provide a D-Bus system bus interface.

457

This interface will only be accessible by the root user or a

458

Mandos-specific user, if such a user exists. For documentation

459

of the D-Bus API, see the file <filename>DBUS-API</filename>.

460

</para>

461

</refsect1>

462

328

463

329

464

330

<title>EXIT STATUS</title>

465

331

<para>

467

333

critical error is encountered.

468

334

</para>

469

335

</refsect1>

470

336

471

337

472

338

<title>ENVIRONMENT</title>

473

339

487

353

</varlistentry>

488

354

</variablelist>

489

355

</refsect1>

490

491

356

357

492

358

<title>FILES</title>

493

359

<para>

494

360

Use the <option>--configdir</option> option to change where

517

383

</listitem>

518

384

</varlistentry>

519

385

520

<term><filename>/run/mandos.pid</filename></term>

521

522

<para>

523

The file containing the process id of the

524

<command>&COMMANDNAME;</command> process started last.

525

</para>

526

</listitem>

527

</varlistentry>

528

529

530

</varlistentry>

531

532

<term><filename

533

class="directory">/var/lib/mandos</filename></term>

534

535

<para>

536

Directory where persistent state will be saved. Change

537

this with the <option>--statedir</option> option. See

538

also the <option>--no-restore</option> option.

386

<term><filename>/var/run/mandos/mandos.pid</filename></term>

387

388

<para>

389

The file containing the process id of

390

<command>&COMMANDNAME;</command>.

539

391

</para>

540

392

</listitem>

541

393

</varlistentry>

569

421

backtrace. This could be considered a feature.

570

422

</para>

571

423

<para>

424

Currently, if a client is declared <quote>invalid</quote> due to

425

having timed out, the server does not record this fact onto

426

permanent storage. This has some security implications, see

427

<xref linkend="CLIENTS"/>.

428

</para>

429

<para>

430

There is currently no way of querying the server of the current

431

status of clients, other than analyzing its <systemitem

432

class="service">syslog</systemitem> output.

433

</para>

434

<para>

572

435

There is no fine-grained control over logging and debug output.

573

436

</para>

574

437

<para>

575

This server does not check the expire time of clients’ OpenPGP

576

keys.

438

Debug mode is conflated with running in the foreground.

439

</para>

440

<para>

441

The console log messages does not show a timestamp.

577

442

</para>

578

443

</refsect1>

579

444

590

455

591

456

<para>

592

457

Run the server in debug mode, read configuration files from

593

the <filename class="directory">~/mandos</filename> directory,

594

and use the Zeroconf service name <quote>Test</quote> to not

595

collide with any other official Mandos server on this host:

458

the <filename>~/mandos</filename> directory, and use the

459

Zeroconf service name <quote>Test</quote> to not collide with

460

any other official Mandos server on this host:

596

461

</para>

597

462

<para>

598

463

614

479

</para>

615

480

</informalexample>

616

481

</refsect1>

617

482

618

483

619

484

<title>SECURITY</title>

620

485

621

486

<title>SERVER</title>

622

487

<para>

623

488

Running this <command>&COMMANDNAME;</command> server program

624

489

should not in itself present any security risk to the host

625

computer running it. The program switches to a non-root user

626

soon after startup.

490

computer running it. The program does not need any special

491

privileges to run, and is designed to run as a non-root user.

627

492

</para>

628

493

</refsect2>

629

494

630

495

<title>CLIENTS</title>

631

496

<para>

632

497

The server only gives out its stored data to clients which

639

504

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

640

505

<manvolnum>5</manvolnum></citerefentry>)

641

506

<emphasis>must</emphasis> be made non-readable by anyone

642

except the user starting the server (usually root).

507

except the user running the server.

643

508

</para>

644

509

<para>

645

510

As detailed in <xref linkend="checking"/>, the status of all

647

512

compromised if they are gone for too long.

648

513

</para>

649

514

<para>

515

If a client is compromised, its downtime should be duly noted

516

by the server which would therefore declare the client

517

invalid. But if the server was ever restarted, it would

518

re-read its client list from its configuration file and again

519

regard all clients therein as valid, and hence eligible to

520

receive their passwords. Therefore, be careful when

521

restarting servers if it is suspected that a client has, in

522

fact, been compromised by parties who may now be running a

523

fake Mandos client with the keys from the non-encrypted

524

initial <acronym>RAM</acronym> image of the client host. What

525

should be done in that case (if restarting the server program

526

really is necessary) is to stop the server program, edit the

527

configuration file to omit any suspect clients, and restart

528

the server program.

529

</para>

530

<para>

650

531

For more details on client-side security, see

651

<citerefentry><refentrytitle>mandos-client</refentrytitle>

532

<citerefentry><refentrytitle>password-request</refentrytitle>

652

533

<manvolnum>8mandos</manvolnum></citerefentry>.

653

534

</para>

654

535

</refsect2>

655

536

</refsect1>

656

537

657

538

658

539

659

540

<para>

660

<citerefentry><refentrytitle>intro</refentrytitle>

661

<manvolnum>8mandos</manvolnum></citerefentry>,

662

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

663

<manvolnum>5</manvolnum></citerefentry>,

664

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

665

<manvolnum>5</manvolnum></citerefentry>,

666

<citerefentry><refentrytitle>mandos-client</refentrytitle>

667

<manvolnum>8mandos</manvolnum></citerefentry>,

668

669

541

542

<refentrytitle>mandos-clients.conf</refentrytitle>

543

544

<refentrytitle>mandos.conf</refentrytitle>

545

546

<refentrytitle>password-request</refentrytitle>

547

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

548

549

</citerefentry>

670

550

</para>

671

551

672

552

Older »