To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos.xml
- browse files at revision 237.16.9
- compare with another revision
- download diff
- download tarball
- view history from revision 237.16.9
- Committer: Teddy Hogeborn
- Date: 2011-11-14 20:55:32 UTC
- mfrom: (237.15.6 mandos-client-network-hooks)
- mto: (237.15.7 mandos-client-network-hooks)
- mto: This revision was merged to the branch mainline in revision 290.
- Revision ID: teddy@recompile.se-20111114205532-vzgr6a301z57guex
* plugins.d/mandos-client.c: Merge unified printing system.
- files added:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- files removed:
- plugins.d/usplash
- files renamed:
- plugins.d/password-request.c => plugins.d/mandos-client.c
- plugins.d/password-request.xml => plugins.d/mandos-client.xml
- files modified:
- .bzrignore
added
removed
mandos.xml
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos">
6
<!ENTITY TIMESTAMP "2008-08-31">
5
<!ENTITY TIMESTAMP "2011-10-03">
6
<!ENTITY % common SYSTEM "common.ent">
7
%common;
7
8
]>
8
9
9
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
10
<refentryinfo>
11
<refentryinfo>
11
12
<title>Mandos Manual</title>
12
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
14
<productname>Mandos</productname>
14
<productnumber>&VERSION;</productnumber>
15
<productnumber>&version;</productnumber>
15
16
<date>&TIMESTAMP;</date>
16
17
<authorgroup>
17
18
<author>
18
19
<firstname>Björn</firstname>
19
20
<surname>Påhlsson</surname>
20
21
<address>
21
<email>belorn@fukt.bsnet.se</email>
22
<email>belorn@recompile.se</email>
22
23
</address>
23
24
</author>
24
25
<author>
25
26
<firstname>Teddy</firstname>
26
27
<surname>Hogeborn</surname>
27
28
<address>
28
<email>teddy@fukt.bsnet.se</email>
29
<email>teddy@recompile.se</email>
29
30
</address>
30
31
</author>
31
32
</authorgroup>
32
33
<copyright>
33
34
<year>2008</year>
35
<year>2009</year>
36
<year>2010</year>
37
<year>2011</year>
34
38
<holder>Teddy Hogeborn</holder>
35
39
<holder>Björn Påhlsson</holder>
36
40
</copyright>
37
<legalnotice>
38
<para>
39
This manual page is free software: you can redistribute it
40
and/or modify it under the terms of the GNU General Public
41
License as published by the Free Software Foundation,
42
either version 3 of the License, or (at your option) any
43
later version.
44
</para>
45
46
<para>
47
This manual page is distributed in the hope that it will
48
be useful, but WITHOUT ANY WARRANTY; without even the
49
implied warranty of MERCHANTABILITY or FITNESS FOR A
50
PARTICULAR PURPOSE. See the GNU General Public License
51
for more details.
52
</para>
53
54
<para>
55
You should have received a copy of the GNU General Public
56
License along with this program; If not, see
57
<ulink url="http://www.gnu.org/licenses/"/>.
58
</para>
59
</legalnotice>
41
<xi:include href="legalnotice.xml"/>
60
42
</refentryinfo>
61
43
62
44
<refmeta>
63
45
<refentrytitle>&COMMANDNAME;</refentrytitle>
64
46
<manvolnum>8</manvolnum>
70
52
Gives encrypted passwords to authenticated Mandos clients
71
53
</refpurpose>
72
54
</refnamediv>
73
55
74
56
<refsynopsisdiv>
75
57
<cmdsynopsis>
76
58
<command>&COMMANDNAME;</command>
105
87
<replaceable>DIRECTORY</replaceable></option></arg>
106
88
<sbr/>
107
89
<arg><option>--debug</option></arg>
90
<sbr/>
91
<arg><option>--debuglevel
92
<replaceable>LEVEL</replaceable></option></arg>
93
<sbr/>
94
<arg><option>--no-dbus</option></arg>
95
<sbr/>
96
<arg><option>--no-ipv6</option></arg>
108
97
</cmdsynopsis>
109
98
<cmdsynopsis>
110
99
<command>&COMMANDNAME;</command>
122
111
<arg choice="plain"><option>--check</option></arg>
123
112
</cmdsynopsis>
124
113
</refsynopsisdiv>
125
114
126
115
<refsect1 id="description">
127
116
<title>DESCRIPTION</title>
128
117
<para>
129
118
<command>&COMMANDNAME;</command> is a server daemon which
130
119
handles incoming request for passwords for a pre-defined list of
131
client host computers. The Mandos server uses Zeroconf to
132
announce itself on the local network, and uses TLS to
133
communicate securely with and to authenticate the clients. The
134
Mandos server uses IPv6 to allow Mandos clients to use IPv6
135
link-local addresses, since the clients will probably not have
136
any other addresses configured (see <xref linkend="overview"/>).
137
Any authenticated client is then given the stored pre-encrypted
138
password for that specific client.
120
client host computers. For an introduction, see
121
<citerefentry><refentrytitle>intro</refentrytitle>
122
<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server
123
uses Zeroconf to announce itself on the local network, and uses
124
TLS to communicate securely with and to authenticate the
125
clients. The Mandos server uses IPv6 to allow Mandos clients to
126
use IPv6 link-local addresses, since the clients will probably
127
not have any other addresses configured (see <xref
128
linkend="overview"/>). Any authenticated client is then given
129
the stored pre-encrypted password for that specific client.
139
130
</para>
140
141
131
</refsect1>
142
132
143
133
<refsect1 id="purpose">
144
134
<title>PURPOSE</title>
145
146
135
<para>
147
136
The purpose of this is to enable <emphasis>remote and unattended
148
137
rebooting</emphasis> of client host computer with an
149
138
<emphasis>encrypted root file system</emphasis>. See <xref
150
139
linkend="overview"/> for details.
151
140
</para>
152
153
141
</refsect1>
154
142
155
143
<refsect1 id="options">
156
144
<title>OPTIONS</title>
157
158
145
<variablelist>
159
146
<varlistentry>
160
147
<term><option>--help</option></term>
212
199
<xi:include href="mandos-options.xml" xpointer="debug"/>
213
200
</listitem>
214
201
</varlistentry>
215
202
203
<varlistentry>
204
<term><option>--debuglevel
205
<replaceable>LEVEL</replaceable></option></term>
206
<listitem>
207
<para>
208
Set the debugging log level.
209
<replaceable>LEVEL</replaceable> is a string, one of
210
<quote><literal>CRITICAL</literal></quote>,
211
<quote><literal>ERROR</literal></quote>,
212
<quote><literal>WARNING</literal></quote>,
213
<quote><literal>INFO</literal></quote>, or
214
<quote><literal>DEBUG</literal></quote>, in order of
215
increasing verbosity. The default level is
216
<quote><literal>WARNING</literal></quote>.
217
</para>
218
</listitem>
219
</varlistentry>
220
216
221
<varlistentry>
217
222
<term><option>--priority <replaceable>
218
223
PRIORITY</replaceable></option></term>
220
225
<xi:include href="mandos-options.xml" xpointer="priority"/>
221
226
</listitem>
222
227
</varlistentry>
223
228
224
229
<varlistentry>
225
230
<term><option>--servicename
226
231
<replaceable>NAME</replaceable></option></term>
229
234
xpointer="servicename"/>
230
235
</listitem>
231
236
</varlistentry>
232
237
233
238
<varlistentry>
234
239
<term><option>--configdir
235
240
<replaceable>DIRECTORY</replaceable></option></term>
244
249
</para>
245
250
</listitem>
246
251
</varlistentry>
247
252
248
253
<varlistentry>
249
254
<term><option>--version</option></term>
250
255
<listitem>
253
258
</para>
254
259
</listitem>
255
260
</varlistentry>
261
262
<varlistentry>
263
<term><option>--no-dbus</option></term>
264
<listitem>
265
<xi:include href="mandos-options.xml" xpointer="dbus"/>
266
<para>
267
See also <xref linkend="dbus_interface"/>.
268
</para>
269
</listitem>
270
</varlistentry>
271
272
<varlistentry>
273
<term><option>--no-ipv6</option></term>
274
<listitem>
275
<xi:include href="mandos-options.xml" xpointer="ipv6"/>
276
</listitem>
277
</varlistentry>
256
278
</variablelist>
257
279
</refsect1>
258
280
259
281
<refsect1 id="overview">
260
282
<title>OVERVIEW</title>
261
283
<xi:include href="overview.xml"/>
262
284
<para>
263
285
This program is the server part. It is a normal server program
264
286
and will run in a normal system environment, not in an initial
265
RAM disk environment.
287
<acronym>RAM</acronym> disk environment.
266
288
</para>
267
289
</refsect1>
268
290
269
291
<refsect1 id="protocol">
270
292
<title>NETWORK PROTOCOL</title>
271
293
<para>
323
345
</row>
324
346
</tbody></tgroup></table>
325
347
</refsect1>
326
348
327
349
<refsect1 id="checking">
328
350
<title>CHECKING</title>
329
351
<para>
330
352
The server will, by default, continually check that the clients
331
353
are still up. If a client has not been confirmed as being up
332
354
for some time, the client is assumed to be compromised and is no
333
longer eligible to receive the encrypted password. The timeout,
334
checker program, and interval between checks can be configured
335
both globally and per client; see <citerefentry>
355
longer eligible to receive the encrypted password. (Manual
356
intervention is required to re-enable a client.) The timeout,
357
extended timeout, checker program, and interval between checks
358
can be configured both globally and per client; see
359
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
360
<manvolnum>5</manvolnum></citerefentry>. A client successfully
361
receiving its password will also be treated as a successful
362
checker run.
363
</para>
364
</refsect1>
365
366
<refsect1 id="approval">
367
<title>APPROVAL</title>
368
<para>
369
The server can be configured to require manual approval for a
370
client before it is sent its secret. The delay to wait for such
371
approval and the default action (approve or deny) can be
372
configured both globally and per client; see <citerefentry>
336
373
<refentrytitle>mandos-clients.conf</refentrytitle>
337
<manvolnum>5</manvolnum></citerefentry>.
338
</para>
374
<manvolnum>5</manvolnum></citerefentry>. By default all clients
375
will be approved immediately without delay.
376
</para>
377
<para>
378
This can be used to deny a client its secret if not manually
379
approved within a specified time. It can also be used to make
380
the server delay before giving a client its secret, allowing
381
optional manual denying of this specific client.
382
</para>
383
339
384
</refsect1>
340
385
341
386
<refsect1 id="logging">
342
387
<title>LOGGING</title>
343
388
<para>
347
392
and also show them on the console.
348
393
</para>
349
394
</refsect1>
350
395
396
<refsect1 id="dbus_interface">
397
<title>D-BUS INTERFACE</title>
398
<para>
399
The server will by default provide a D-Bus system bus interface.
400
This interface will only be accessible by the root user or a
401
Mandos-specific user, if such a user exists. For documentation
402
of the D-Bus API, see the file <filename>DBUS-API</filename>.
403
</para>
404
</refsect1>
405
351
406
<refsect1 id="exit_status">
352
407
<title>EXIT STATUS</title>
353
408
<para>
355
410
critical error is encountered.
356
411
</para>
357
412
</refsect1>
358
413
359
414
<refsect1 id="environment">
360
415
<title>ENVIRONMENT</title>
361
416
<variablelist>
375
430
</varlistentry>
376
431
</variablelist>
377
432
</refsect1>
378
379
<refsect1 id="file">
433
434
<refsect1 id="files">
380
435
<title>FILES</title>
381
436
<para>
382
437
Use the <option>--configdir</option> option to change where
405
460
</listitem>
406
461
</varlistentry>
407
462
<varlistentry>
408
<term><filename>/var/run/mandos/mandos.pid</filename></term>
463
<term><filename>/var/run/mandos.pid</filename></term>
409
464
<listitem>
410
465
<para>
411
The file containing the process id of
412
<command>&COMMANDNAME;</command>.
466
The file containing the process id of the
467
<command>&COMMANDNAME;</command> process started last.
413
468
</para>
414
469
</listitem>
415
470
</varlistentry>
443
498
backtrace. This could be considered a feature.
444
499
</para>
445
500
<para>
446
Currently, if a client is declared <quote>invalid</quote> due to
447
having timed out, the server does not record this fact onto
448
permanent storage. This has some security implications, see
449
<xref linkend="CLIENTS"/>.
450
</para>
451
<para>
452
There is currently no way of querying the server of the current
453
status of clients, other than analyzing its <systemitem
454
class="service">syslog</systemitem> output.
501
Currently, if a client is disabled due to having timed out, the
502
server does not record this fact onto permanent storage. This
503
has some security implications, see <xref linkend="clients"/>.
455
504
</para>
456
505
<para>
457
506
There is no fine-grained control over logging and debug output.
460
509
Debug mode is conflated with running in the foreground.
461
510
</para>
462
511
<para>
463
The console log messages does not show a timestamp.
512
The console log messages do not show a time stamp.
513
</para>
514
<para>
515
This server does not check the expire time of clients’ OpenPGP
516
keys.
464
517
</para>
465
518
</refsect1>
466
519
501
554
</para>
502
555
</informalexample>
503
556
</refsect1>
504
557
505
558
<refsect1 id="security">
506
559
<title>SECURITY</title>
507
<refsect2 id="SERVER">
560
<refsect2 id="server">
508
561
<title>SERVER</title>
509
562
<para>
510
563
Running this <command>&COMMANDNAME;</command> server program
511
564
should not in itself present any security risk to the host
512
computer running it. The program does not need any special
513
privileges to run, and is designed to run as a non-root user.
565
computer running it. The program switches to a non-root user
566
soon after startup.
514
567
</para>
515
568
</refsect2>
516
<refsect2 id="CLIENTS">
569
<refsect2 id="clients">
517
570
<title>CLIENTS</title>
518
571
<para>
519
572
The server only gives out its stored data to clients which
526
579
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
527
580
<manvolnum>5</manvolnum></citerefentry>)
528
581
<emphasis>must</emphasis> be made non-readable by anyone
529
except the user running the server.
582
except the user starting the server (usually root).
530
583
</para>
531
584
<para>
532
585
As detailed in <xref linkend="checking"/>, the status of all
535
588
</para>
536
589
<para>
537
590
If a client is compromised, its downtime should be duly noted
538
by the server which would therefore declare the client
539
invalid. But if the server was ever restarted, it would
540
re-read its client list from its configuration file and again
541
regard all clients therein as valid, and hence eligible to
542
receive their passwords. Therefore, be careful when
543
restarting servers if it is suspected that a client has, in
544
fact, been compromised by parties who may now be running a
545
fake Mandos client with the keys from the non-encrypted
546
initial RAM image of the client host. What should be done in
547
that case (if restarting the server program really is
548
necessary) is to stop the server program, edit the
549
configuration file to omit any suspect clients, and restart
550
the server program.
591
by the server which would therefore disable the client. But
592
if the server was ever restarted, it would re-read its client
593
list from its configuration file and again regard all clients
594
therein as enabled, and hence eligible to receive their
595
passwords. Therefore, be careful when restarting servers if
596
it is suspected that a client has, in fact, been compromised
597
by parties who may now be running a fake Mandos client with
598
the keys from the non-encrypted initial <acronym>RAM</acronym>
599
image of the client host. What should be done in that case
600
(if restarting the server program really is necessary) is to
601
stop the server program, edit the configuration file to omit
602
any suspect clients, and restart the server program.
551
603
</para>
552
604
<para>
553
605
For more details on client-side security, see
554
<citerefentry><refentrytitle>password-request</refentrytitle>
606
<citerefentry><refentrytitle>mandos-client</refentrytitle>
555
607
<manvolnum>8mandos</manvolnum></citerefentry>.
556
608
</para>
557
609
</refsect2>
558
610
</refsect1>
559
611
560
612
<refsect1 id="see_also">
561
613
<title>SEE ALSO</title>
562
614
<para>
563
<citerefentry>
564
<refentrytitle>mandos-clients.conf</refentrytitle>
565
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
566
<refentrytitle>mandos.conf</refentrytitle>
567
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
568
<refentrytitle>password-request</refentrytitle>
569
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
570
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
571
</citerefentry>
615
<citerefentry><refentrytitle>intro</refentrytitle>
616
<manvolnum>8mandos</manvolnum></citerefentry>,
617
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
618
<manvolnum>5</manvolnum></citerefentry>,
619
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
620
<manvolnum>5</manvolnum></citerefentry>,
621
<citerefentry><refentrytitle>mandos-client</refentrytitle>
622
<manvolnum>8mandos</manvolnum></citerefentry>,
623
<citerefentry><refentrytitle>sh</refentrytitle>
624
<manvolnum>1</manvolnum></citerefentry>
572
625
</para>
573
626
<variablelist>
574
627
<varlistentry>
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0