/mandos/release : revision 237.14.2

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2011-11-26 22:22:20 UTC
mto: (237.12.8 mandos-persistent)
mto: This revision was merged to the branch mainline in revision 290.
Revision ID: teddy@recompile.se-20111126222220-1ubwjpb5ugqnrhec

Directory with persistent state can now be changed with the "statedir"
option.  The state directory /var/lib/mandos now gets created on
installation.  Added documentation about "restore" and "statedir"
options.

* Makefile (USER, GROUP, STATEDIR): New.
  (maintainer-clean): Also remove "statedir".
  (run-server): Replaced "--no-restore" with "--statedir=statedir".
  (statedir): New.
  (install-server): Make $(STATEDIR) directory.
* debian/mandos.dirs (var/lib/mandos): Added.
* debian/mandos.postinst: Fix ownership of /var/lib/mandos.
* mandos: New --statedir option.
  (stored_state_path): Not global anymore.
  (stored_state_file): New global.
* mandos.conf: Fix whitespace.
  (restore, statedir): Added.
* mandos.conf.xml (OPTIONS, EXAMPLE): Added "restore" and "statedir".
  mandos.xml (SYNOPSIS, OPTIONS): Added "--statedir".
  (FILES): Added "/var/lib/mandos".

files added:
DBUS-API

NEWS

dbus-mandos.conf

debian/source

debian/source/format

debian/source/local-options

debian/watch

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.xml

plugins.d/usplash.xml

files removed:
debian/mandos-client.config

debian/mandos-client.templates

debian/mandos.config

debian/mandos.templates

debian/po/POTFILES.in

debian/po/sv.po

files modified:
.bzrignore

INSTALL

Makefile

README

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/usplash.c

Show diffs side-by-side

added added

removed removed

mandos.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-09-30">

<!ENTITY TIMESTAMP "2011-11-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

<sbr/>

<arg><option>--no-restore</option></arg>

<sbr/>

100

<arg><option>--statedir

101

<replaceable>DIRECTORY</replaceable></option></arg>

102

</cmdsynopsis>

103

104

<command>&COMMANDNAME;</command>

107

122

<para>

108

123

<command>&COMMANDNAME;</command> is a server daemon which

109

124

handles incoming request for passwords for a pre-defined list of

110

client host computers. The Mandos server uses Zeroconf to

111

announce itself on the local network, and uses TLS to

112

communicate securely with and to authenticate the clients. The

113

Mandos server uses IPv6 to allow Mandos clients to use IPv6

114

link-local addresses, since the clients will probably not have

115

any other addresses configured (see <xref linkend="overview"/>).

116

Any authenticated client is then given the stored pre-encrypted

117

password for that specific client.

125

client host computers. For an introduction, see

126

<citerefentry><refentrytitle>intro</refentrytitle>

127

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

128

uses Zeroconf to announce itself on the local network, and uses

129

TLS to communicate securely with and to authenticate the

130

clients. The Mandos server uses IPv6 to allow Mandos clients to

131

use IPv6 link-local addresses, since the clients will probably

132

not have any other addresses configured (see <xref

133

linkend="overview"/>). Any authenticated client is then given

134

the stored pre-encrypted password for that specific client.

118

135

</para>

119

136

</refsect1>

120

137

189

206

</varlistentry>

190

207

191

208

209

<term><option>--debuglevel

210

<replaceable>LEVEL</replaceable></option></term>

211

212

<para>

213

Set the debugging log level.

214

<replaceable>LEVEL</replaceable> is a string, one of

215

<quote><literal>CRITICAL</literal></quote>,

216

<quote><literal>ERROR</literal></quote>,

217

<quote><literal>WARNING</literal></quote>,

218

<quote><literal>INFO</literal></quote>, or

219

<quote><literal>DEBUG</literal></quote>, in order of

220

increasing verbosity. The default level is

221

<quote><literal>WARNING</literal></quote>.

222

</para>

223

</listitem>

224

</varlistentry>

225

226

192

227

<term><option>--priority <replaceable>

193

228

PRIORITY</replaceable></option></term>

194

229

228

263

</para>

229

264

</listitem>

230

265

</varlistentry>

266

267

268

269

270

<xi:include href="mandos-options.xml" xpointer="dbus"/>

271

<para>

272

See also <xref linkend="dbus_interface"/>.

273

</para>

274

</listitem>

275

</varlistentry>

276

277

278

279

280

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

281

</listitem>

282

</varlistentry>

283

284

285

<term><option>--no-restore</option></term>

286

287

<xi:include href="mandos-options.xml" xpointer="restore"/>

288

</listitem>

289

</varlistentry>

290

291

292

<term><option>--statedir

293

<replaceable>DIRECTORY</replaceable></option></term>

294

295

<xi:include href="mandos-options.xml" xpointer="statedir"/>

296

</listitem>

297

</varlistentry>

231

298

</variablelist>

232

299

</refsect1>

233

300

305

372

The server will, by default, continually check that the clients

306

373

are still up. If a client has not been confirmed as being up

307

374

for some time, the client is assumed to be compromised and is no

308

longer eligible to receive the encrypted password. The timeout,

309

checker program, and interval between checks can be configured

310

both globally and per client; see <citerefentry>

375

longer eligible to receive the encrypted password. (Manual

376

intervention is required to re-enable a client.) The timeout,

377

extended timeout, checker program, and interval between checks

378

can be configured both globally and per client; see

379

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

380

<manvolnum>5</manvolnum></citerefentry>. A client successfully

381

receiving its password will also be treated as a successful

382

checker run.

383

</para>

384

</refsect1>

385

386

387

<title>APPROVAL</title>

388

<para>

389

The server can be configured to require manual approval for a

390

client before it is sent its secret. The delay to wait for such

391

approval and the default action (approve or deny) can be

392

configured both globally and per client; see <citerefentry>

311

393

<refentrytitle>mandos-clients.conf</refentrytitle>

312

<manvolnum>5</manvolnum></citerefentry>.

313

</para>

394

<manvolnum>5</manvolnum></citerefentry>. By default all clients

395

will be approved immediately without delay.

396

</para>

397

<para>

398

This can be used to deny a client its secret if not manually

399

approved within a specified time. It can also be used to make

400

the server delay before giving a client its secret, allowing

401

optional manual denying of this specific client.

402

</para>

403

314

404

</refsect1>

315

405

316

406

323

413

</para>

324

414

</refsect1>

325

415

416

417

<title>D-BUS INTERFACE</title>

418

<para>

419

The server will by default provide a D-Bus system bus interface.

420

This interface will only be accessible by the root user or a

421

Mandos-specific user, if such a user exists. For documentation

422

of the D-Bus API, see the file <filename>DBUS-API</filename>.

423

</para>

424

</refsect1>

425

326

426

327

427

<title>EXIT STATUS</title>

328

428

<para>

351

451

</variablelist>

352

452

</refsect1>

353

453

354

454

355

455

<title>FILES</title>

356

456

<para>

357

457

Use the <option>--configdir</option> option to change where

383

483

<term><filename>/var/run/mandos.pid</filename></term>

384

484

385

485

<para>

386

The file containing the process id of

387

<command>&COMMANDNAME;</command>.

486

The file containing the process id of the

487

<command>&COMMANDNAME;</command> process started last.

488

</para>

489

</listitem>

490

</varlistentry>

491

492

<term><filename

493

class="directory">/var/lib/mandos</filename></term>

494

495

<para>

496

Directory where persistent state will be saved. Change

497

this with the <option>--statedir</option> option. See

498

also the <option>--no-restore</option> option.

388

499

</para>

389

500

</listitem>

390

501

</varlistentry>

418

529

backtrace. This could be considered a feature.

419

530

</para>

420

531

<para>

421

Currently, if a client is declared <quote>invalid</quote> due to

422

having timed out, the server does not record this fact onto

423

permanent storage. This has some security implications, see

424

<xref linkend="CLIENTS"/>.

425

</para>

426

<para>

427

There is currently no way of querying the server of the current

428

status of clients, other than analyzing its <systemitem

429

class="service">syslog</systemitem> output.

430

</para>

431

<para>

432

532

There is no fine-grained control over logging and debug output.

433

533

</para>

434

534

<para>

435

535

Debug mode is conflated with running in the foreground.

436

536

</para>

437

537

<para>

438

The console log messages does not show a time stamp.

439

</para>

440

<para>

441

538

This server does not check the expire time of clients’ OpenPGP

442

539

keys.

443

540

</para>

456

553

457

554

<para>

458

555

Run the server in debug mode, read configuration files from

459

the <filename>~/mandos</filename> directory, and use the

460

Zeroconf service name <quote>Test</quote> to not collide with

461

any other official Mandos server on this host:

556

the <filename class="directory">~/mandos</filename> directory,

557

and use the Zeroconf service name <quote>Test</quote> to not

558

collide with any other official Mandos server on this host:

462

559

</para>

463

560

<para>

464

561

483

580

484

581

485

582

<title>SECURITY</title>

486

583

487

584

<title>SERVER</title>

488

585

<para>

489

586

Running this <command>&COMMANDNAME;</command> server program

492

589

soon after startup.

493

590

</para>

494

591

</refsect2>

495

592

496

593

<title>CLIENTS</title>

497

594

<para>

498

595

The server only gives out its stored data to clients which

513

610

compromised if they are gone for too long.

514

611

</para>

515

612

<para>

516

If a client is compromised, its downtime should be duly noted

517

by the server which would therefore declare the client

518

invalid. But if the server was ever restarted, it would

519

re-read its client list from its configuration file and again

520

regard all clients therein as valid, and hence eligible to

521

receive their passwords. Therefore, be careful when

522

restarting servers if it is suspected that a client has, in

523

fact, been compromised by parties who may now be running a

524

fake Mandos client with the keys from the non-encrypted

525

initial <acronym>RAM</acronym> image of the client host. What

526

should be done in that case (if restarting the server program

527

really is necessary) is to stop the server program, edit the

528

configuration file to omit any suspect clients, and restart

529

the server program.

530

</para>

531

<para>

532

613

For more details on client-side security, see

533

614

<citerefentry><refentrytitle>mandos-client</refentrytitle>

534

615

<manvolnum>8mandos</manvolnum></citerefentry>.

539

620

540

621

541

622

<para>

542

543

<refentrytitle>mandos-clients.conf</refentrytitle>

544

545

<refentrytitle>mandos.conf</refentrytitle>

546

547

<refentrytitle>mandos-client</refentrytitle>

548

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

549

550

</citerefentry>

623

<citerefentry><refentrytitle>intro</refentrytitle>

624

<manvolnum>8mandos</manvolnum></citerefentry>,

625

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

626

<manvolnum>5</manvolnum></citerefentry>,

627

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

628

<manvolnum>5</manvolnum></citerefentry>,

629

<citerefentry><refentrytitle>mandos-client</refentrytitle>

630

<manvolnum>8mandos</manvolnum></citerefentry>,

631

632

551

633

</para>

552

634

553

635

Older »