/mandos/release : revision 237.2.132

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2009-09-16 23:28:39 UTC
mto: (24.1.142 mandos) (237.12.2 mandos-persistent) (299.1.1 release) (300.1.1 release) (301.1.1 release)
mto: This revision was merged to the branch mainline in revision 264.
Revision ID: teddy@fukt.bsnet.se-20090916232839-3o7i8qmcdcz5j1ya

* init.d-mandos (Required-Start, Required-Stop): Bug fix: Added
                 "$syslog", thanks to Petter Reinholdtsen
                 <pere@hungry.com> (Debian bug #546928).

* initramfs-tools-script: Removed erroneous comment.

* plugins.d/askpass-fifo.c: Removed TEMP_FAILURE_RETRY since it is
                            not needed.

* plugins.d/mandos-client.c (main): Bug fix: Initialize
                                    "old_sigterm_action".

* plugins.d/splashy.c (main): Bug fix: really check return value from
                              "sigaddset".  Fix some warnings on
                              64-bit systems.

* plugins.d/usplash.c (termination_handler, main): Save received
                                                   signal and
                                                   re-raise it on
                                                   exit.
  (usplash_write): Do not close FIFO, instead, take an additional file
                   descriptor pointer to it and open only when needed
                   (all callers changed).  Abort immediately on EINTR.
                   Bug fix:  Add NUL byte on single-word commands.
                   Ignore "interrupted_by_signal".
  (makeprompt, find_usplash): New; broken out from "main()".
  (find_usplash): Bug fix: close /proc/<pid>/cmdline FD on error.
  (main): Reorganized to jump to a new "failure" label on any error.
          Bug fix: check return values from sigaddset.
          New variable "usplash_accessed" to flag if usplash(8) needs
          to be killed and restarted.  Removed the "an_error_occured"
          variable.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

legalnotice.xml

mandos-ctl

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2009-09-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&COMMANDNAME;</title>

<title>Mandos Manual</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Sends encrypted passwords to authenticated Mandos clients

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg>--interface<arg choice="plain">IF</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<sbr/>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

</cmdsynopsis>

100

101

<command>&COMMANDNAME;</command>

102

<arg choice="plain">--version</arg>

102

<arg choice="plain"><option>--version</option></arg>

103

</cmdsynopsis>

104

105

<command>&COMMANDNAME;</command>

106

<arg choice="plain">--check</arg>

106

<arg choice="plain"><option>--check</option></arg>

107

</cmdsynopsis>

108

</refsynopsisdiv>

109

110

111

<title>DESCRIPTION</title>

112

<para>

121

Any authenticated client is then given the stored pre-encrypted

122

password for that specific client.

123

</para>

124

125

124

</refsect1>

126

125

127

126

128

127

<title>PURPOSE</title>

129

130

128

<para>

131

129

The purpose of this is to enable <emphasis>remote and unattended

132

130

rebooting</emphasis> of client host computer with an

133

131

<emphasis>encrypted root file system</emphasis>. See <xref

134

132

linkend="overview"/> for details.

135

133

</para>

136

137

134

</refsect1>

138

135

139

136

140

137

<title>OPTIONS</title>

141

142

138

143

139

144

140

141

145

142

146

143

<para>

147

144

Show a help message and exit

148

145

</para>

149

146

</listitem>

150

147

</varlistentry>

151

148

152

149

153

<term><literal>-i</literal>, <literal>--interface <replaceable>

154

IF</replaceable></literal></term>

150

<term><option>--interface</option>

151

152

153

155

154

156

155

<xi:include href="mandos-options.xml" xpointer="interface"/>

157

156

</listitem>

158

157

</varlistentry>

159

158

160

159

161

<term><literal>-a</literal>, <literal>--address <replaceable>

162

ADDRESS</replaceable></literal></term>

160

<term><option>--address

161

<replaceable>ADDRESS</replaceable></option></term>

162

<term><option>-a

163

<replaceable>ADDRESS</replaceable></option></term>

163

164

164

165

<xi:include href="mandos-options.xml" xpointer="address"/>

165

166

</listitem>

166

167

</varlistentry>

167

168

169

169

170

PORT</replaceable></literal></term>

170

<term><option>--port

171

172

<term><option>-p

173

171

174

172

175

<xi:include href="mandos-options.xml" xpointer="port"/>

173

176

</listitem>

174

177

</varlistentry>

175

178

176

179

177

<term><literal>--check</literal></term>

180

<term><option>--check</option></term>

178

181

179

182

<para>

180

183

Run the server’s self-tests. This includes any unit

182

185

</para>

183

186

</listitem>

184

187

</varlistentry>

185

188

186

189

187

<term><literal>--debug</literal></term>

190

<term><option>--debug</option></term>

188

191

189

192

<xi:include href="mandos-options.xml" xpointer="debug"/>

190

193

</listitem>

191

194

</varlistentry>

192

195

193

196

194

<term><literal>--priority <replaceable>

195

PRIORITY</replaceable></literal></term>

197

<term><option>--priority <replaceable>

198

PRIORITY</replaceable></option></term>

196

199

197

200

<xi:include href="mandos-options.xml" xpointer="priority"/>

198

201

</listitem>

199

202

</varlistentry>

200

203

201

204

202

<term><literal>--servicename <replaceable>NAME</replaceable>

203

</literal></term>

205

<term><option>--servicename

206

204

207

205

208

<xi:include href="mandos-options.xml"

206

209

xpointer="servicename"/>

207

210

</listitem>

208

211

</varlistentry>

209

212

210

213

211

<term><literal>--configdir <replaceable>DIR</replaceable>

212

</literal></term>

214

<term><option>--configdir

215

<replaceable>DIRECTORY</replaceable></option></term>

213

216

214

217

<para>

215

218

Directory to search for configuration files. Default is

221

224

</para>

222

225

</listitem>

223

226

</varlistentry>

224

227

225

228

226

<term><literal>--version</literal></term>

229

<term><option>--version</option></term>

227

230

228

231

<para>

229

232

Prints the program version and exit.

230

233

</para>

231

234

</listitem>

232

235

</varlistentry>

236

237

238

239

240

<xi:include href="mandos-options.xml" xpointer="dbus"/>

241

<para>

242

See also <xref linkend="dbus_interface"/>.

243

</para>

244

</listitem>

245

</varlistentry>

246

247

248

249

250

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

251

</listitem>

252

</varlistentry>

233

253

</variablelist>

234

254

</refsect1>

235

255

236

256

237

257

<title>OVERVIEW</title>

238

258

<xi:include href="overview.xml"/>

239

259

<para>

240

260

This program is the server part. It is a normal server program

241

261

and will run in a normal system environment, not in an initial

242

RAM disk environment.

262

<acronym>RAM</acronym> disk environment.

243

263

</para>

244

264

</refsect1>

245

265

246

266

247

267

<title>NETWORK PROTOCOL</title>

248

268

<para>

274

294

275

295

</row>

276

296

<row>

277

297

278

298

279

299

</row>

280

300

<row>

300

320

</row>

301

321

</tbody></tgroup></table>

302

322

</refsect1>

303

323

304

324

305

325

<title>CHECKING</title>

306

326

<para>

307

327

The server will, by default, continually check that the clients

308

328

are still up. If a client has not been confirmed as being up

309

329

for some time, the client is assumed to be compromised and is no

310

longer eligible to receive the encrypted password. The timeout,

330

longer eligible to receive the encrypted password. (Manual

331

intervention is required to re-enable a client.) The timeout,

311

332

checker program, and interval between checks can be configured

312

333

both globally and per client; see <citerefentry>

313

<refentrytitle>mandos.conf</refentrytitle>

314

315

334

<refentrytitle>mandos-clients.conf</refentrytitle>

316

335

<manvolnum>5</manvolnum></citerefentry>.

317

336

</para>

318

337

</refsect1>

319

338

320

339

321

340

<title>LOGGING</title>

322

341

<para>

323

The server will send log messaged with various severity levels

324

to <filename>/dev/log</filename>. With the

342

The server will send log message with various severity levels to

343

<filename>/dev/log</filename>. With the

325

344

<option>--debug</option> option, it will log even more messages,

326

345

and also show them on the console.

327

346

</para>

328

347

</refsect1>

329

348

349

350

<title>D-BUS INTERFACE</title>

351

<para>

352

The server will by default provide a D-Bus system bus interface.

353

This interface will only be accessible by the root user or a

354

Mandos-specific user, if such a user exists.

355

356

</para>

357

</refsect1>

358

330

359

331

360

<title>EXIT STATUS</title>

332

361

<para>

334

363

critical error is encountered.

335

364

</para>

336

365

</refsect1>

337

366

338

367

339

368

<title>ENVIRONMENT</title>

340

369

341

370

342

371

343

372

344

373

<para>

345

374

To start the configured checker (see <xref

348

377

<varname>PATH</varname> to search for matching commands if

349

378

an absolute path is not given. See <citerefentry>

350

379

351

</citerefentry>

380

</citerefentry>.

352

381

</para>

353

382

</listitem>

354

383

</varlistentry>

355

384

</variablelist>

356

385

</refsect1>

357

358

386

387

359

388

<title>FILES</title>

360

389

<para>

361

390

Use the <option>--configdir</option> option to change where

384

413

</listitem>

385

414

</varlistentry>

386

415

387

<term><filename>/var/run/mandos/mandos.pid</filename></term>

416

<term><filename>/var/run/mandos.pid</filename></term>

388

417

389

418

<para>

390

419

The file containing the process id of

425

454

Currently, if a client is declared <quote>invalid</quote> due to

426

455

having timed out, the server does not record this fact onto

427

456

permanent storage. This has some security implications, see

428

<xref linkend="CLIENTS"/>.

457

<xref linkend="clients"/>.

429

458

</para>

430

459

<para>

431

460

There is currently no way of querying the server of the current

439

468

Debug mode is conflated with running in the foreground.

440

469

</para>

441

470

<para>

442

The console log messages does not show a timestamp.

471

The console log messages do not show a time stamp.

472

</para>

473

<para>

474

This server does not check the expire time of clients’ OpenPGP

475

keys.

443

476

</para>

444

477

</refsect1>

445

478

450

483

Normal invocation needs no options:

451

484

</para>

452

485

<para>

453

<userinput>mandos</userinput>

486

<userinput>&COMMANDNAME;</userinput>

454

487

</para>

455

488

</informalexample>

456

489

463

496

<para>

464

497

465

498

466

<userinput>mandos --debug --configdir ~/mandos --servicename Test</userinput>

499

<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>

467

500

468

501

</para>

469

502

</informalexample>

475

508

<para>

476

509

477

510

478

<userinput>mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

511

<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

479

512

480

513

</para>

481

514

</informalexample>

482

515

</refsect1>

483

516

484

517

485

518

<title>SECURITY</title>

486

519

487

520

<title>SERVER</title>

488

521

<para>

489

522

Running this <command>&COMMANDNAME;</command> server program

490

523

should not in itself present any security risk to the host

491

computer running it. The program does not need any special

492

privileges to run, and is designed to run as a non-root user.

524

computer running it. The program switches to a non-root user

525

soon after startup.

493

526

</para>

494

527

</refsect2>

495

528

496

529

<title>CLIENTS</title>

497

530

<para>

498

531

The server only gives out its stored data to clients which

505

538

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

506

539

<manvolnum>5</manvolnum></citerefentry>)

507

540

<emphasis>must</emphasis> be made non-readable by anyone

508

except the user running the server.

541

except the user starting the server (usually root).

509

542

</para>

510

543

<para>

511

544

As detailed in <xref linkend="checking"/>, the status of all

522

555

restarting servers if it is suspected that a client has, in

523

556

fact, been compromised by parties who may now be running a

524

557

fake Mandos client with the keys from the non-encrypted

525

initial RAM image of the client host. What should be done in

526

that case (if restarting the server program really is

527

necessary) is to stop the server program, edit the

558

initial <acronym>RAM</acronym> image of the client host. What

559

should be done in that case (if restarting the server program

560

really is necessary) is to stop the server program, edit the

528

561

configuration file to omit any suspect clients, and restart

529

562

the server program.

530

563

</para>

531

564

<para>

532

565

For more details on client-side security, see

533

<citerefentry><refentrytitle>password-request</refentrytitle>

566

<citerefentry><refentrytitle>mandos-client</refentrytitle>

534

567

<manvolnum>8mandos</manvolnum></citerefentry>.

535

568

</para>

536

569

</refsect2>

537

570

</refsect1>

538

571

539

572

540

573

574

<para>

575

576

<refentrytitle>mandos-clients.conf</refentrytitle>

577

578

<refentrytitle>mandos.conf</refentrytitle>

579

580

<refentrytitle>mandos-client</refentrytitle>

581

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

582

583

</citerefentry>

584

</para>

541

585

542

586

543

587

<term>

544

545

<refentrytitle>password-request</refentrytitle>

546

<manvolnum>8mandos</manvolnum>

547

</citerefentry>

548

</term>

549

550

<para>

551

This is the actual program which talks to this server.

552

Note that it is normally not invoked directly, and is only

553

run in the initial RAM disk environment, and not on a

554

fully started system.

555

</para>

556

</listitem>

557

</varlistentry>

558

559

<term>

560

588

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

561

589

</term>

562

590

579

607

</varlistentry>

580

608

581

609

<term>

582

<ulink

583

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

610

<ulink url="http://www.gnu.org/software/gnutls/"

611

>GnuTLS</ulink>

584

612

</term>

585

613

586

614

<para>

592

620

</varlistentry>

593

621

594

622

<term>

595

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

596

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

597

Unicast Addresses</citation>

623

RFC 4291: <citetitle>IP Version 6 Addressing

624

Architecture</citetitle>

598

625

</term>

599

626

600

<para>

601

The clients use IPv6 link-local addresses, which are

602

immediately usable since a link-local addresses is

603

automatically assigned to a network interfaces when it is

604

brought up.

605

</para>

627

628

629

<term>Section 2.2: <citetitle>Text Representation of

630

Addresses</citetitle></term>

631

632

</varlistentry>

633

634

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

635

Address</citetitle></term>

636

637

</varlistentry>

638

639

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

640

Addresses</citetitle></term>

641

642

<para>

643

The clients use IPv6 link-local addresses, which are

644

immediately usable since a link-local addresses is

645

automatically assigned to a network interfaces when it

646

is brought up.

647

</para>

648

</listitem>

649

</varlistentry>

650

</variablelist>

606

651

</listitem>

607

652

</varlistentry>

608

653

609

654

<term>

610

<citation>RFC 4346: <citetitle>The Transport Layer Security

611

(TLS) Protocol Version 1.1</citetitle></citation>

655

RFC 4346: <citetitle>The Transport Layer Security (TLS)

656

Protocol Version 1.1</citetitle>

612

657

</term>

613

658

614

659

<para>

618

663

</varlistentry>

619

664

620

665

<term>

621

<citation>RFC 4880: <citetitle>OpenPGP Message

622

Format</citetitle></citation>

666

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

623

667

</term>

624

668

625

669

<para>

629

673

</varlistentry>

630

674

631

675

<term>

632

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

633

Transport Layer Security</citetitle></citation>

676

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

677

Security</citetitle>

634

678

</term>

635

679

636

680

<para>

642

686

</variablelist>

643

687

</refsect1>

644

688

</refentry>

689

690

691

692

693

Older »