/mandos/release : revision 237.2.207

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2010-09-26 18:32:58 UTC
mto: (24.1.168 mandos) (237.12.2 mandos-persistent) (299.1.1 release) (300.1.1 release) (301.1.1 release)
mto: This revision was merged to the branch mainline in revision 270.
Revision ID: teddy@fukt.bsnet.se-20100926183258-n31ux2r8d06m1hi1

Update copyright year to "2010" wherever appropriate.

* DBUS-API: Added copyright and license statement.
* README: Mention new "plymouth" plugin.
* debian/control: Depend on python-2.6 or python-multiprocessing.
* debian/mandos-client.README.Debian: Update info about DEVICE setting
of initramfs.conf.
* mandos-ctl: Added copyright and license statement.
* mandos-monitor: - '' -
* plugins.d/plymouth.c: - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2010-09-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&COMMANDNAME;</title>

<title>Mandos Manual</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Sends encrypted passwords to authenticated Mandos clients

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg>--interface<arg choice="plain">NAME</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<sbr/>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

100

</cmdsynopsis>

100

101

101

102

<command>&COMMANDNAME;</command>

102

<arg choice="plain">--version</arg>

103

<arg choice="plain"><option>--version</option></arg>

103

104

</cmdsynopsis>

104

105

105

106

<command>&COMMANDNAME;</command>

106

<arg choice="plain">--check</arg>

107

<arg choice="plain"><option>--check</option></arg>

107

108

</cmdsynopsis>

108

109

</refsynopsisdiv>

109

110

111

111

112

<title>DESCRIPTION</title>

112

113

<para>

121

122

Any authenticated client is then given the stored pre-encrypted

122

123

password for that specific client.

123

124

</para>

124

125

</refsect1>

126

127

128

<title>PURPOSE</title>

129

130

129

<para>

131

130

The purpose of this is to enable <emphasis>remote and unattended

132

131

rebooting</emphasis> of client host computer with an

133

132

<emphasis>encrypted root file system</emphasis>. See <xref

134

133

linkend="overview"/> for details.

135

134

</para>

136

137

135

</refsect1>

138

136

139

137

140

138

<title>OPTIONS</title>

141

142

139

143

140

144

141

142

145

143

146

144

<para>

147

145

Show a help message and exit

148

146

</para>

149

147

</listitem>

150

148

</varlistentry>

151

149

152

150

153

<term><literal>-i</literal>, <literal>--interface <replaceable

154

>NAME</replaceable></literal></term>

151

<term><option>--interface</option>

152

153

154

155

156

<xi:include href="mandos-options.xml" xpointer="interface"/>

157

</listitem>

158

</varlistentry>

159

160

161

<term><literal>-a</literal>, <literal>--address <replaceable>

162

ADDRESS</replaceable></literal></term>

161

<term><option>--address

162

<replaceable>ADDRESS</replaceable></option></term>

163

<term><option>-a

164

<replaceable>ADDRESS</replaceable></option></term>

163

165

164

166

<xi:include href="mandos-options.xml" xpointer="address"/>

165

167

</listitem>

166

168

</varlistentry>

167

169

168

170

169

170

PORT</replaceable></literal></term>

171

<term><option>--port

172

173

<term><option>-p

174

171

175

172

176

<xi:include href="mandos-options.xml" xpointer="port"/>

173

177

</listitem>

174

178

</varlistentry>

175

179

176

180

177

<term><literal>--check</literal></term>

181

<term><option>--check</option></term>

178

182

179

183

<para>

180

184

Run the server’s self-tests. This includes any unit

182

186

</para>

183

187

</listitem>

184

188

</varlistentry>

185

189

186

190

187

<term><literal>--debug</literal></term>

191

<term><option>--debug</option></term>

188

192

189

193

<xi:include href="mandos-options.xml" xpointer="debug"/>

190

194

</listitem>

191

195

</varlistentry>

192

196

193

197

194

<term><literal>--priority <replaceable>

195

PRIORITY</replaceable></literal></term>

198

<term><option>--priority <replaceable>

199

PRIORITY</replaceable></option></term>

196

200

197

201

<xi:include href="mandos-options.xml" xpointer="priority"/>

198

202

</listitem>

199

203

</varlistentry>

200

204

201

205

202

<term><literal>--servicename <replaceable>NAME</replaceable>

203

</literal></term>

206

<term><option>--servicename

207

204

208

205

209

<xi:include href="mandos-options.xml"

206

210

xpointer="servicename"/>

207

211

</listitem>

208

212

</varlistentry>

209

213

210

214

211

<term><literal>--configdir <replaceable>DIR</replaceable>

212

</literal></term>

215

<term><option>--configdir

216

<replaceable>DIRECTORY</replaceable></option></term>

213

217

214

218

<para>

215

219

Directory to search for configuration files. Default is

221

225

</para>

222

226

</listitem>

223

227

</varlistentry>

224

228

225

229

226

<term><literal>--version</literal></term>

230

<term><option>--version</option></term>

227

231

228

232

<para>

229

233

Prints the program version and exit.

230

234

</para>

231

235

</listitem>

232

236

</varlistentry>

237

238

239

240

241

<xi:include href="mandos-options.xml" xpointer="dbus"/>

242

<para>

243

See also <xref linkend="dbus_interface"/>.

244

</para>

245

</listitem>

246

</varlistentry>

247

248

249

250

251

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

252

</listitem>

253

</varlistentry>

233

254

</variablelist>

234

255

</refsect1>

235

256

236

257

237

258

<title>OVERVIEW</title>

238

259

<xi:include href="overview.xml"/>

239

260

<para>

240

261

This program is the server part. It is a normal server program

241

262

and will run in a normal system environment, not in an initial

242

RAM disk environment.

263

<acronym>RAM</acronym> disk environment.

243

264

</para>

244

265

</refsect1>

245

266

246

267

247

268

<title>NETWORK PROTOCOL</title>

248

269

<para>

300

321

</row>

301

322

</tbody></tgroup></table>

302

323

</refsect1>

303

324

304

325

305

326

<title>CHECKING</title>

306

327

<para>

307

328

The server will, by default, continually check that the clients

308

329

are still up. If a client has not been confirmed as being up

309

330

for some time, the client is assumed to be compromised and is no

310

longer eligible to receive the encrypted password. The timeout,

331

longer eligible to receive the encrypted password. (Manual

332

intervention is required to re-enable a client.) The timeout,

311

333

checker program, and interval between checks can be configured

312

334

both globally and per client; see <citerefentry>

313

335

<refentrytitle>mandos-clients.conf</refentrytitle>

314

<manvolnum>5</manvolnum></citerefentry>.

315

</para>

316

</refsect1>

317

336

<manvolnum>5</manvolnum></citerefentry>. A client successfully

337

receiving its password will also be treated as a successful

338

checker run.

339

</para>

340

</refsect1>

341

342

343

<title>APPROVAL</title>

344

<para>

345

The server can be configured to require manual approval for a

346

client before it is sent its secret. The delay to wait for such

347

approval and the default action (approve or deny) can be

348

configured both globally and per client; see <citerefentry>

349

<refentrytitle>mandos-clients.conf</refentrytitle>

350

<manvolnum>5</manvolnum></citerefentry>. By default all clients

351

will be approved immediately without delay.

352

</para>

353

<para>

354

This can be used to deny a client its secret if not manually

355

approved within a specified time. It can also be used to make

356

the server delay before giving a client its secret, allowing

357

optional manual denying of this specific client.

358

</para>

359

360

</refsect1>

361

318

362

319

363

<title>LOGGING</title>

320

364

<para>

324

368

and also show them on the console.

325

369

</para>

326

370

</refsect1>

327

371

372

373

<title>D-BUS INTERFACE</title>

374

<para>

375

The server will by default provide a D-Bus system bus interface.

376

This interface will only be accessible by the root user or a

377

Mandos-specific user, if such a user exists. For documentation

378

of the D-Bus API, see the file <filename>DBUS-API</filename>.

379

</para>

380

</refsect1>

381

328

382

329

383

<title>EXIT STATUS</title>

330

384

<para>

332

386

critical error is encountered.

333

387

</para>

334

388

</refsect1>

335

389

336

390

337

391

<title>ENVIRONMENT</title>

338

392

339

393

340

394

341

395

342

396

<para>

343

397

To start the configured checker (see <xref

352

406

</varlistentry>

353

407

</variablelist>

354

408

</refsect1>

355

356

409

410

357

411

<title>FILES</title>

358

412

<para>

359

413

Use the <option>--configdir</option> option to change where

382

436

</listitem>

383

437

</varlistentry>

384

438

385

<term><filename>/var/run/mandos/mandos.pid</filename></term>

439

<term><filename>/var/run/mandos.pid</filename></term>

386

440

387

441

<para>

388

The file containing the process id of

389

<command>&COMMANDNAME;</command>.

442

The file containing the process id of the

443

<command>&COMMANDNAME;</command> process started last.

390

444

</para>

391

445

</listitem>

392

446

</varlistentry>

420

474

backtrace. This could be considered a feature.

421

475

</para>

422

476

<para>

423

Currently, if a client is declared <quote>invalid</quote> due to

424

having timed out, the server does not record this fact onto

425

permanent storage. This has some security implications, see

426

<xref linkend="CLIENTS"/>.

427

</para>

428

<para>

429

There is currently no way of querying the server of the current

430

status of clients, other than analyzing its <systemitem

431

class="service">syslog</systemitem> output.

477

Currently, if a client is disabled due to having timed out, the

478

server does not record this fact onto permanent storage. This

479

has some security implications, see <xref linkend="clients"/>.

432

480

</para>

433

481

<para>

434

482

There is no fine-grained control over logging and debug output.

437

485

Debug mode is conflated with running in the foreground.

438

486

</para>

439

487

<para>

440

The console log messages does not show a timestamp.

488

The console log messages do not show a time stamp.

489

</para>

490

<para>

491

This server does not check the expire time of clients’ OpenPGP

492

keys.

441

493

</para>

442

494

</refsect1>

443

495

478

530

</para>

479

531

</informalexample>

480

532

</refsect1>

481

533

482

534

483

535

<title>SECURITY</title>

484

536

485

537

<title>SERVER</title>

486

538

<para>

487

539

Running this <command>&COMMANDNAME;</command> server program

488

540

should not in itself present any security risk to the host

489

computer running it. The program does not need any special

490

privileges to run, and is designed to run as a non-root user.

541

computer running it. The program switches to a non-root user

542

soon after startup.

491

543

</para>

492

544

</refsect2>

493

545

494

546

<title>CLIENTS</title>

495

547

<para>

496

548

The server only gives out its stored data to clients which

503

555

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

504

556

<manvolnum>5</manvolnum></citerefentry>)

505

557

<emphasis>must</emphasis> be made non-readable by anyone

506

except the user running the server.

558

except the user starting the server (usually root).

507

559

</para>

508

560

<para>

509

561

As detailed in <xref linkend="checking"/>, the status of all

512

564

</para>

513

565

<para>

514

566

If a client is compromised, its downtime should be duly noted

515

by the server which would therefore declare the client

516

invalid. But if the server was ever restarted, it would

517

re-read its client list from its configuration file and again

518

regard all clients therein as valid, and hence eligible to

519

receive their passwords. Therefore, be careful when

520

restarting servers if it is suspected that a client has, in

521

fact, been compromised by parties who may now be running a

522

fake Mandos client with the keys from the non-encrypted

523

initial RAM image of the client host. What should be done in

524

that case (if restarting the server program really is

525

necessary) is to stop the server program, edit the

526

configuration file to omit any suspect clients, and restart

527

the server program.

567

by the server which would therefore disable the client. But

568

if the server was ever restarted, it would re-read its client

569

list from its configuration file and again regard all clients

570

therein as enabled, and hence eligible to receive their

571

passwords. Therefore, be careful when restarting servers if

572

it is suspected that a client has, in fact, been compromised

573

by parties who may now be running a fake Mandos client with

574

the keys from the non-encrypted initial <acronym>RAM</acronym>

575

image of the client host. What should be done in that case

576

(if restarting the server program really is necessary) is to

577

stop the server program, edit the configuration file to omit

578

any suspect clients, and restart the server program.

528

579

</para>

529

580

<para>

530

581

For more details on client-side security, see

531

<citerefentry><refentrytitle>password-request</refentrytitle>

582

<citerefentry><refentrytitle>mandos-client</refentrytitle>

532

583

<manvolnum>8mandos</manvolnum></citerefentry>.

533

584

</para>

534

585

</refsect2>

535

586

</refsect1>

536

587

537

588

538

589

539

590

<para>

540

591

592

<refentrytitle>mandos-clients.conf</refentrytitle>

593

541

594

<refentrytitle>mandos.conf</refentrytitle>

542

595

543

<refentrytitle>mandos-clients.conf</refentrytitle>

544

545

<refentrytitle>password-request</refentrytitle>

596

<refentrytitle>mandos-client</refentrytitle>

546

597

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

547

598

548

599

</citerefentry>

651

702

</variablelist>

652

703

</refsect1>

653

704

</refentry>

705

706

707

708

709

Older »