/mandos/release : revision 149

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/password-request.xml

Committer: Teddy Hogeborn
Date: 2008-09-03 19:13:50 UTC
mfrom: (24.1.83 mandos)
Revision ID: teddy@fukt.bsnet.se-20080903191350-la2y2wuxt67xjslb

* mandos-keygen.xml (BUGS): Commented out.

* mandos.xml (BUGS): Note non-checking of expire time of OpenPGP keys.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

mandos-ctl

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2009-01-04">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-03">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for <application>Mandos</application>

Client for mandos

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--connect

<replaceable>ADDRESS</replaceable><literal>:</literal

<replaceable>IPADDR</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>ADDRESS</replaceable><literal>:</literal

<replaceable>IPADDR</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--keydir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

115

120

</group>

116

121

</cmdsynopsis>

117

122

</refsynopsisdiv>

118

123

119

124

120

125

<title>DESCRIPTION</title>

121

126

<para>

126

131

network connectivity, Zeroconf to find servers, and TLS with an

127

132

OpenPGP key to ensure authenticity and confidentiality. It

128

133

keeps running, trying all servers on the network, until it

129

receives a satisfactory reply or a TERM signal is received.

134

receives a satisfactory reply or a TERM signal is recieved.

130

135

</para>

131

136

<para>

132

137

This program is not meant to be run directly; it is really meant

186

191

</varlistentry>

187

192

188

193

194

<term><option>--keydir=<replaceable

195

>DIRECTORY</replaceable></option></term>

196

<term><option>-d

197

<replaceable>DIRECTORY</replaceable></option></term>

198

199

<para>

200

Directory to read the OpenPGP key files

201

<filename>pubkey.txt</filename> and

202

<filename>seckey.txt</filename> from. The default is

203

<filename>/conf/conf.d/mandos</filename> (in the initial

204

<acronym>RAM</acronym> disk environment).

205

</para>

206

</listitem>

207

</varlistentry>

208

209

189

210

<term><option>--interface=

190

211

191

212

<term><option>-i

211

232

212

233

213

234

<para>

214

OpenPGP public key file name. The default name is

215

<quote><filename>/conf/conf.d/mandos/pubkey.txt</filename

216

></quote>.

235

OpenPGP public key file base name. This will be combined

236

with the directory from the <option>--keydir</option>

237

option to form an absolute file name. The default name is

238

<quote><literal>pubkey.txt</literal></quote>.

217

239

</para>

218

240

</listitem>

219

241

</varlistentry>

220

242

221

243

222

244

<term><option>--seckey=<replaceable

223

245

>FILE</replaceable></option></term>

225

247

226

248

227

249

<para>

228

OpenPGP secret key file name. The default name is

229

<quote><filename>/conf/conf.d/mandos/seckey.txt</filename

230

></quote>.

250

OpenPGP secret key file base name. This will be combined

251

with the directory from the <option>--keydir</option>

252

option to form an absolute file name. The default name is

253

<quote><literal>seckey.txt</literal></quote>.

231

254

</para>

232

255

</listitem>

233

256

</varlistentry>

240

263

xpointer="priority"/>

241

264

</listitem>

242

265

</varlistentry>

243

266

244

267

245

268

<term><option>--dh-bits=<replaceable

246

269

>BITS</replaceable></option></term>

286

309

</para>

287

310

</listitem>

288

311

</varlistentry>

289

312

290

313

291

314

<term><option>--version</option></term>

292

315

298

321

</varlistentry>

299

322

</variablelist>

300

323

</refsect1>

301

324

302

325

303

326

<title>OVERVIEW</title>

304

327

<xi:include href="../overview.xml"/>

313

336

<filename>/etc/crypttab</filename>, but it would then be

314

337

impossible to enter a password for the encrypted root disk at

315

338

the console, since this program does not read from the console

316

at all. This is why a separate plugin runner (<citerefentry>

317

<refentrytitle>plugin-runner</refentrytitle>

318

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

319

both this program and others in in parallel,

320

<emphasis>one</emphasis> of which will prompt for passwords on

321

the system console.

339

at all. This is why a separate plugin (<citerefentry>

340

<refentrytitle>password-prompt</refentrytitle>

341

<manvolnum>8mandos</manvolnum></citerefentry>) does that, which

342

will be run in parallell to this one by the plugin runner.

322

343

</para>

323

344

</refsect1>

324

345

331

352

program will exit with a non-zero exit status only if a critical

332

353

error occurs. Otherwise, it will forever connect to new

333

354

<application>Mandos</application> servers as they appear, trying

334

to get a decryptable password and print it.

355

to get a decryptable password.

335

356

</para>

336

357

</refsect1>

337

358

345

366

</para>

346

367

</refsect1>

347

368

348

369

349

370

<title>FILES</title>

350

371

351

372

370

391

371

392

372

393

373

394

374

395

375

396

<title>EXAMPLE</title>

376

397

<para>

390

411

</informalexample>

391

412

392

413

<para>

393

Search for Mandos servers (and connect to them) using another

394

interface:

414

Search for Mandos servers on another interface:

395

415

</para>

396

416

<para>

397

417

400

420

</informalexample>

401

421

402

422

<para>

403

Run in debug mode, and use a custom key:

423

Run in debug mode, and use a custom key directory:

404

424

</para>

405

425

<para>

406

407

408

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

409

426

427

<userinput>&COMMANDNAME; --debug --keydir keydir</userinput>

410

428

</para>

411

429

</informalexample>

412

430

413

431

<para>

414

Run in debug mode, with a custom key, and do not use Zeroconf

415

to locate a server; connect directly to the IPv6 address

416

<quote><systemitem class="ipaddress"

432

Run in debug mode, with a custom key directory, and do not use

433

Zeroconf to locate a server; connect directly to the IPv6

434

address <quote><systemitem class="ipaddress"

417

435

>2001:db8:f983:bd0b:30de:ae4a:71f2:f672</systemitem></quote>,

418

436

port 4711, using interface eth2:

419

437

</para>

420

438

<para>

421

439

422

440

423

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2</userinput>

441

<userinput>&COMMANDNAME; --debug --keydir keydir --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2</userinput>

424

442

425

443

</para>

426

444

</informalexample>

427

445

</refsect1>

428

446

429

447

430

448

<title>SECURITY</title>

431

449

<para>

451

469

The only remaining weak point is that someone with physical

452

470

access to the client hard drive might turn off the client

453

471

computer, read the OpenPGP keys directly from the hard drive,

454

and communicate with the server. To safeguard against this, the

455

server is supposed to notice the client disappearing and stop

456

giving out the encrypted data. Therefore, it is important to

457

set the timeout and checker interval values tightly on the

458

server. See <citerefentry><refentrytitle

472

and communicate with the server. The defense against this is

473

that the server is supposed to notice the client disappearing

474

and will stop giving out the encrypted data. Therefore, it is

475

important to set the timeout and checker interval values tightly

476

on the server. See <citerefentry><refentrytitle

459

477

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

460

478

</para>

461

479

<para>

472

490

confidential.

473

491

</para>

474

492

</refsect1>

475

493

476

494

477

495

478

496

<para>

603

621

</varlistentry>

604

622

</variablelist>

605

623

</refsect1>

624

606

625

</refentry>

607

608

626

609

627

610

628

Older »