To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos.xml
- browse files at revision 237.2.195
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.195
- Committer: teddy at bsnet
- Date: 2010-09-15 17:21:04 UTC
- mto: (24.1.166 mandos) (237.12.2 mandos-persistent) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 270.
- Revision ID: teddy@fukt.bsnet.se-20100915172104-eopud55s7dc6vkfj
* plugins.d/usplash.c (main): BUG FIX: allocate space for the final
NULL in cmdline_argv.
NULL in cmdline_argv.
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/source
- debian/tests
- debian/upstream
- dracut-module
- network-hooks.d
- plugin-helpers
- files modified:
- .bzrignore
added
removed
mandos.xml
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos">
5
<!ENTITY TIMESTAMP "2025-06-27">
5
<!ENTITY TIMESTAMP "2010-09-11">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
19
19
<firstname>Björn</firstname>
20
20
<surname>Påhlsson</surname>
21
21
<address>
22
<email>belorn@recompile.se</email>
22
<email>belorn@fukt.bsnet.se</email>
23
23
</address>
24
24
</author>
25
25
<author>
26
26
<firstname>Teddy</firstname>
27
27
<surname>Hogeborn</surname>
28
28
<address>
29
<email>teddy@recompile.se</email>
29
<email>teddy@fukt.bsnet.se</email>
30
30
</address>
31
31
</author>
32
32
</authorgroup>
33
33
<copyright>
34
34
<year>2008</year>
35
35
<year>2009</year>
36
<year>2010</year>
37
<year>2011</year>
38
<year>2012</year>
39
<year>2013</year>
40
<year>2014</year>
41
<year>2015</year>
42
<year>2016</year>
43
<year>2017</year>
44
<year>2018</year>
45
<year>2019</year>
46
<year>2020</year>
47
<year>2021</year>
48
<year>2022</year>
49
36
<holder>Teddy Hogeborn</holder>
50
37
<holder>Björn Påhlsson</holder>
51
38
</copyright>
99
86
<sbr/>
100
87
<arg><option>--debug</option></arg>
101
88
<sbr/>
102
<arg><option>--debuglevel
103
<replaceable>LEVEL</replaceable></option></arg>
104
<sbr/>
105
89
<arg><option>--no-dbus</option></arg>
106
90
<sbr/>
107
91
<arg><option>--no-ipv6</option></arg>
108
<sbr/>
109
<arg><option>--no-restore</option></arg>
110
<sbr/>
111
<arg><option>--statedir
112
<replaceable>DIRECTORY</replaceable></option></arg>
113
<sbr/>
114
<arg><option>--socket
115
<replaceable>FD</replaceable></option></arg>
116
<sbr/>
117
<arg><option>--foreground</option></arg>
118
<sbr/>
119
<arg><option>--no-zeroconf</option></arg>
120
92
</cmdsynopsis>
121
93
<cmdsynopsis>
122
94
<command>&COMMANDNAME;</command>
139
111
<title>DESCRIPTION</title>
140
112
<para>
141
113
<command>&COMMANDNAME;</command> is a server daemon which
142
handles incoming requests for passwords for a pre-defined list
143
of client host computers. For an introduction, see
144
<citerefentry><refentrytitle>intro</refentrytitle>
145
<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server
146
uses Zeroconf to announce itself on the local network, and uses
147
TLS to communicate securely with and to authenticate the
148
clients. The Mandos server uses IPv6 to allow Mandos clients to
149
use IPv6 link-local addresses, since the clients will probably
150
not have any other addresses configured (see <xref
151
linkend="overview"/>). Any authenticated client is then given
152
the stored pre-encrypted password for that specific client.
114
handles incoming request for passwords for a pre-defined list of
115
client host computers. The Mandos server uses Zeroconf to
116
announce itself on the local network, and uses TLS to
117
communicate securely with and to authenticate the clients. The
118
Mandos server uses IPv6 to allow Mandos clients to use IPv6
119
link-local addresses, since the clients will probably not have
120
any other addresses configured (see <xref linkend="overview"/>).
121
Any authenticated client is then given the stored pre-encrypted
122
password for that specific client.
153
123
</para>
154
124
</refsect1>
155
125
224
194
</varlistentry>
225
195
226
196
<varlistentry>
227
<term><option>--debuglevel
228
<replaceable>LEVEL</replaceable></option></term>
229
<listitem>
230
<para>
231
Set the debugging log level.
232
<replaceable>LEVEL</replaceable> is a string, one of
233
<quote><literal>CRITICAL</literal></quote>,
234
<quote><literal>ERROR</literal></quote>,
235
<quote><literal>WARNING</literal></quote>,
236
<quote><literal>INFO</literal></quote>, or
237
<quote><literal>DEBUG</literal></quote>, in order of
238
increasing verbosity. The default level is
239
<quote><literal>WARNING</literal></quote>.
240
</para>
241
</listitem>
242
</varlistentry>
243
244
<varlistentry>
245
197
<term><option>--priority <replaceable>
246
198
PRIORITY</replaceable></option></term>
247
199
<listitem>
298
250
<xi:include href="mandos-options.xml" xpointer="ipv6"/>
299
251
</listitem>
300
252
</varlistentry>
301
302
<varlistentry>
303
<term><option>--no-restore</option></term>
304
<listitem>
305
<xi:include href="mandos-options.xml" xpointer="restore"/>
306
<para>
307
See also <xref linkend="persistent_state"/>.
308
</para>
309
</listitem>
310
</varlistentry>
311
312
<varlistentry>
313
<term><option>--statedir
314
<replaceable>DIRECTORY</replaceable></option></term>
315
<listitem>
316
<xi:include href="mandos-options.xml" xpointer="statedir"/>
317
</listitem>
318
</varlistentry>
319
320
<varlistentry>
321
<term><option>--socket
322
<replaceable>FD</replaceable></option></term>
323
<listitem>
324
<xi:include href="mandos-options.xml" xpointer="socket"/>
325
</listitem>
326
</varlistentry>
327
328
<varlistentry>
329
<term><option>--foreground</option></term>
330
<listitem>
331
<xi:include href="mandos-options.xml"
332
xpointer="foreground"/>
333
</listitem>
334
</varlistentry>
335
336
<varlistentry>
337
<term><option>--no-zeroconf</option></term>
338
<listitem>
339
<xi:include href="mandos-options.xml" xpointer="zeroconf"/>
340
</listitem>
341
</varlistentry>
342
343
253
</variablelist>
344
254
</refsect1>
345
255
365
275
start a TLS protocol handshake with a slight quirk: the Mandos
366
276
server program acts as a TLS <quote>client</quote> while the
367
277
connecting Mandos client acts as a TLS <quote>server</quote>.
368
The Mandos client must supply a TLS public key, and the key ID
369
of this public key is used by the Mandos server to look up (in a
370
list read from <filename>clients.conf</filename> at start time)
371
which binary blob to give the client. No other authentication
372
or authorization is done by the server.
278
The Mandos client must supply an OpenPGP certificate, and the
279
fingerprint of this certificate is used by the Mandos server to
280
look up (in a list read from <filename>clients.conf</filename>
281
at start time) which binary blob to give the client. No other
282
authentication or authorization is done by the server.
373
283
</para>
374
284
<table>
375
285
<title>Mandos Protocol (Version 1)</title><tgroup cols="3"><thead>
395
305
</emphasis></entry>
396
306
</row>
397
307
<row>
398
<entry>Public key (part of TLS handshake)</entry>
308
<entry>OpenPGP public key (part of TLS handshake)</entry>
399
309
<entry>-><!-- → --></entry>
400
310
</row>
401
311
<row>
419
329
for some time, the client is assumed to be compromised and is no
420
330
longer eligible to receive the encrypted password. (Manual
421
331
intervention is required to re-enable a client.) The timeout,
422
extended timeout, checker program, and interval between checks
423
can be configured both globally and per client; see
424
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
425
<manvolnum>5</manvolnum></citerefentry>.
426
</para>
427
</refsect1>
428
429
<refsect1 id="approval">
430
<title>APPROVAL</title>
431
<para>
432
The server can be configured to require manual approval for a
433
client before it is sent its secret. The delay to wait for such
434
approval and the default action (approve or deny) can be
435
configured both globally and per client; see <citerefentry>
332
checker program, and interval between checks can be configured
333
both globally and per client; see <citerefentry>
436
334
<refentrytitle>mandos-clients.conf</refentrytitle>
437
<manvolnum>5</manvolnum></citerefentry>. By default all clients
438
will be approved immediately without delay.
439
</para>
440
<para>
441
This can be used to deny a client its secret if not manually
442
approved within a specified time. It can also be used to make
443
the server delay before giving a client its secret, allowing
444
optional manual denying of this specific client.
445
</para>
446
335
<manvolnum>5</manvolnum></citerefentry>. A client successfully
336
receiving its password will also be treated as a successful
337
checker run.
338
</para>
447
339
</refsect1>
448
340
449
341
<refsect1 id="logging">
450
342
<title>LOGGING</title>
451
343
<para>
452
344
The server will send log message with various severity levels to
453
<filename class="devicefile">/dev/log</filename>. With the
345
<filename>/dev/log</filename>. With the
454
346
<option>--debug</option> option, it will log even more messages,
455
347
and also show them on the console.
456
348
</para>
457
349
</refsect1>
458
350
459
<refsect1 id="persistent_state">
460
<title>PERSISTENT STATE</title>
461
<para>
462
Client settings, initially read from
463
<filename>clients.conf</filename>, are persistent across
464
restarts, and run-time changes will override settings in
465
<filename>clients.conf</filename>. However, if a setting is
466
<emphasis>changed</emphasis> (or a client added, or removed) in
467
<filename>clients.conf</filename>, this will take precedence.
468
</para>
469
</refsect1>
470
471
351
<refsect1 id="dbus_interface">
472
352
<title>D-BUS INTERFACE</title>
473
353
<para>
535
415
</listitem>
536
416
</varlistentry>
537
417
<varlistentry>
538
<term><filename>/run/mandos.pid</filename></term>
539
<listitem>
540
<para>
541
The file containing the process id of the
542
<command>&COMMANDNAME;</command> process started last.
543
<emphasis >Note:</emphasis> If the <filename
544
class="directory">/run</filename> directory does not
545
exist, <filename>/var/run/mandos.pid</filename> will be
546
used instead.
547
</para>
548
</listitem>
549
</varlistentry>
550
<varlistentry>
551
<term><filename
552
class="directory">/var/lib/mandos</filename></term>
553
<listitem>
554
<para>
555
Directory where persistent state will be saved. Change
556
this with the <option>--statedir</option> option. See
557
also the <option>--no-restore</option> option.
558
</para>
559
</listitem>
560
</varlistentry>
561
<varlistentry>
562
<term><filename class="devicefile">/dev/log</filename></term>
418
<term><filename>/var/run/mandos.pid</filename></term>
419
<listitem>
420
<para>
421
The file containing the process id of
422
<command>&COMMANDNAME;</command>.
423
</para>
424
</listitem>
425
</varlistentry>
426
<varlistentry>
427
<term><filename>/dev/log</filename></term>
563
428
<listitem>
564
429
<para>
565
430
The Unix domain socket to where local syslog messages are
588
453
backtrace. This could be considered a feature.
589
454
</para>
590
455
<para>
456
Currently, if a client is disabled due to having timed out, the
457
server does not record this fact onto permanent storage. This
458
has some security implications, see <xref linkend="clients"/>.
459
</para>
460
<para>
591
461
There is no fine-grained control over logging and debug output.
592
462
</para>
593
<xi:include href="bugs.xml"/>
463
<para>
464
Debug mode is conflated with running in the foreground.
465
</para>
466
<para>
467
The console log messages do not show a time stamp.
468
</para>
469
<para>
470
This server does not check the expire time of clients’ OpenPGP
471
keys.
472
</para>
594
473
</refsect1>
595
474
596
475
<refsect1 id="example">
606
485
<informalexample>
607
486
<para>
608
487
Run the server in debug mode, read configuration files from
609
the <filename class="directory">~/mandos</filename> directory,
610
and use the Zeroconf service name <quote>Test</quote> to not
611
collide with any other official Mandos server on this host:
488
the <filename>~/mandos</filename> directory, and use the
489
Zeroconf service name <quote>Test</quote> to not collide with
490
any other official Mandos server on this host:
612
491
</para>
613
492
<para>
614
493
646
525
<title>CLIENTS</title>
647
526
<para>
648
527
The server only gives out its stored data to clients which
649
does have the correct key ID of the stored key ID. This is
650
guaranteed by the fact that the client sends its public key in
651
the TLS handshake; this ensures it to be genuine. The server
652
computes the key ID of the key itself and looks up the key ID
653
in its list of clients. The <filename>clients.conf</filename>
654
file (see
528
does have the OpenPGP key of the stored fingerprint. This is
529
guaranteed by the fact that the client sends its OpenPGP
530
public key in the TLS handshake; this ensures it to be
531
genuine. The server computes the fingerprint of the key
532
itself and looks up the fingerprint in its list of
533
clients. The <filename>clients.conf</filename> file (see
655
534
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
656
535
<manvolnum>5</manvolnum></citerefentry>)
657
536
<emphasis>must</emphasis> be made non-readable by anyone
663
542
compromised if they are gone for too long.
664
543
</para>
665
544
<para>
545
If a client is compromised, its downtime should be duly noted
546
by the server which would therefore disable the client. But
547
if the server was ever restarted, it would re-read its client
548
list from its configuration file and again regard all clients
549
therein as enabled, and hence eligible to receive their
550
passwords. Therefore, be careful when restarting servers if
551
it is suspected that a client has, in fact, been compromised
552
by parties who may now be running a fake Mandos client with
553
the keys from the non-encrypted initial <acronym>RAM</acronym>
554
image of the client host. What should be done in that case
555
(if restarting the server program really is necessary) is to
556
stop the server program, edit the configuration file to omit
557
any suspect clients, and restart the server program.
558
</para>
559
<para>
666
560
For more details on client-side security, see
667
561
<citerefentry><refentrytitle>mandos-client</refentrytitle>
668
562
<manvolnum>8mandos</manvolnum></citerefentry>.
673
567
<refsect1 id="see_also">
674
568
<title>SEE ALSO</title>
675
569
<para>
676
<citerefentry><refentrytitle>intro</refentrytitle>
677
<manvolnum>8mandos</manvolnum></citerefentry>,
678
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
679
<manvolnum>5</manvolnum></citerefentry>,
680
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
681
<manvolnum>5</manvolnum></citerefentry>,
682
<citerefentry><refentrytitle>mandos-client</refentrytitle>
683
<manvolnum>8mandos</manvolnum></citerefentry>,
684
<citerefentry><refentrytitle>sh</refentrytitle>
685
<manvolnum>1</manvolnum></citerefentry>
570
<citerefentry>
571
<refentrytitle>mandos-clients.conf</refentrytitle>
572
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
573
<refentrytitle>mandos.conf</refentrytitle>
574
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
575
<refentrytitle>mandos-client</refentrytitle>
576
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
577
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
578
</citerefentry>
686
579
</para>
687
580
<variablelist>
688
581
<varlistentry>
698
591
</varlistentry>
699
592
<varlistentry>
700
593
<term>
701
<ulink url="https://www.avahi.org/">Avahi</ulink>
594
<ulink url="http://www.avahi.org/">Avahi</ulink>
702
595
</term>
703
596
<listitem>
704
597
<para>
709
602
</varlistentry>
710
603
<varlistentry>
711
604
<term>
712
<ulink url="https://gnutls.org/">GnuTLS</ulink>
605
<ulink url="http://www.gnu.org/software/gnutls/"
606
>GnuTLS</ulink>
713
607
</term>
714
608
<listitem>
715
609
<para>
716
610
GnuTLS is the library this server uses to implement TLS for
717
611
communicating securely with the client, and at the same time
718
confidently get the client’s public key.
612
confidently get the client’s public OpenPGP key.
719
613
</para>
720
614
</listitem>
721
615
</varlistentry>
742
636
<listitem>
743
637
<para>
744
638
The clients use IPv6 link-local addresses, which are
745
immediately usable since a link-local address is
639
immediately usable since a link-local addresses is
746
640
automatically assigned to a network interfaces when it
747
641
is brought up.
748
642
</para>
753
647
</varlistentry>
754
648
<varlistentry>
755
649
<term>
756
RFC 5246: <citetitle>The Transport Layer Security (TLS)
757
Protocol Version 1.2</citetitle>
650
RFC 4346: <citetitle>The Transport Layer Security (TLS)
651
Protocol Version 1.1</citetitle>
758
652
</term>
759
653
<listitem>
760
654
<para>
761
TLS 1.2 is the protocol implemented by GnuTLS.
655
TLS 1.1 is the protocol implemented by GnuTLS.
762
656
</para>
763
657
</listitem>
764
658
</varlistentry>
774
668
</varlistentry>
775
669
<varlistentry>
776
670
<term>
777
RFC 7250: <citetitle>Using Raw Public Keys in Transport
778
Layer Security (TLS) and Datagram Transport Layer Security
779
(DTLS)</citetitle>
780
</term>
781
<listitem>
782
<para>
783
This is implemented by GnuTLS version 3.6.6 and is, if
784
present, used by this server so that raw public keys can be
785
used.
786
</para>
787
</listitem>
788
</varlistentry>
789
<varlistentry>
790
<term>
791
RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer
792
Security (TLS) Authentication</citetitle>
793
</term>
794
<listitem>
795
<para>
796
This is implemented by GnuTLS before version 3.6.0 and is,
797
if present, used by this server so that OpenPGP keys can be
798
used.
671
RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
672
Security</citetitle>
673
</term>
674
<listitem>
675
<para>
676
This is implemented by GnuTLS and used by this server so
677
that OpenPGP keys can be used.
799
678
</para>
800
679
</listitem>
801
680
</varlistentry>
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0