/mandos/release : revision 237.2.208

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2010-09-26 21:27:28 UTC
mto: (24.1.168 mandos) (237.12.2 mandos-persistent) (299.1.1 release) (300.1.1 release) (301.1.1 release)
mto: This revision was merged to the branch mainline in revision 270.
Revision ID: teddy@fukt.bsnet.se-20100926212728-ej205k5037nfhz2g

Update copyright year to "2010" wherever appropriate.

* plugin-runner.c: - '' -
* plugins.d/mandos-client.c: - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-08-29">

<!ENTITY TIMESTAMP "2010-09-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Sends encrypted passwords to authenticated Mandos clients

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg>--interface<arg choice="plain">NAME</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<sbr/>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

100

</group>

101

100

</cmdsynopsis>

102

101

103

102

<command>&COMMANDNAME;</command>

104

<arg choice="plain">--version</arg>

103

<arg choice="plain"><option>--version</option></arg>

105

104

</cmdsynopsis>

106

105

107

106

<command>&COMMANDNAME;</command>

108

<arg choice="plain">--check</arg>

107

<arg choice="plain"><option>--check</option></arg>

109

108

</cmdsynopsis>

110

109

</refsynopsisdiv>

111

110

112

111

113

112

<title>DESCRIPTION</title>

114

113

<para>

123

122

Any authenticated client is then given the stored pre-encrypted

124

123

password for that specific client.

125

124

</para>

126

127

125

</refsect1>

128

126

129

127

130

128

<title>PURPOSE</title>

131

132

129

<para>

133

130

The purpose of this is to enable <emphasis>remote and unattended

134

131

rebooting</emphasis> of client host computer with an

135

132

<emphasis>encrypted root file system</emphasis>. See <xref

136

133

linkend="overview"/> for details.

137

134

</para>

138

139

135

</refsect1>

140

136

141

137

142

138

<title>OPTIONS</title>

143

144

139

145

140

146

141

142

147

143

148

144

<para>

149

145

Show a help message and exit

150

146

</para>

151

147

</listitem>

152

148

</varlistentry>

153

149

154

150

155

<term><literal>-i</literal>, <literal>--interface <replaceable

156

>NAME</replaceable></literal></term>

151

<term><option>--interface</option>

152

153

154

157

155

158

156

<xi:include href="mandos-options.xml" xpointer="interface"/>

159

157

</listitem>

160

158

</varlistentry>

161

159

162

160

163

<term><literal>-a</literal>, <literal>--address <replaceable>

164

ADDRESS</replaceable></literal></term>

161

<term><option>--address

162

<replaceable>ADDRESS</replaceable></option></term>

163

<term><option>-a

164

<replaceable>ADDRESS</replaceable></option></term>

165

166

<xi:include href="mandos-options.xml" xpointer="address"/>

167

</listitem>

168

</varlistentry>

169

170

171

172

PORT</replaceable></literal></term>

171

<term><option>--port

172

173

<term><option>-p

174

173

175

174

176

<xi:include href="mandos-options.xml" xpointer="port"/>

175

177

</listitem>

176

178

</varlistentry>

177

179

178

180

179

<term><literal>--check</literal></term>

181

<term><option>--check</option></term>

180

182

181

183

<para>

182

184

Run the server’s self-tests. This includes any unit

184

186

</para>

185

187

</listitem>

186

188

</varlistentry>

187

189

188

190

189

<term><literal>--debug</literal></term>

191

<term><option>--debug</option></term>

190

192

191

193

<xi:include href="mandos-options.xml" xpointer="debug"/>

192

194

</listitem>

193

195

</varlistentry>

194

196

195

197

196

<term><literal>--priority <replaceable>

197

PRIORITY</replaceable></literal></term>

198

<term><option>--priority <replaceable>

199

PRIORITY</replaceable></option></term>

198

200

199

201

<xi:include href="mandos-options.xml" xpointer="priority"/>

200

202

</listitem>

201

203

</varlistentry>

202

204

203

205

204

<term><literal>--servicename <replaceable>NAME</replaceable>

205

</literal></term>

206

<term><option>--servicename

207

206

208

207

209

<xi:include href="mandos-options.xml"

208

210

xpointer="servicename"/>

209

211

</listitem>

210

212

</varlistentry>

211

213

212

214

213

<term><literal>--configdir <replaceable>DIR</replaceable>

214

</literal></term>

215

<term><option>--configdir

216

<replaceable>DIRECTORY</replaceable></option></term>

215

217

216

218

<para>

217

219

Directory to search for configuration files. Default is

223

225

</para>

224

226

</listitem>

225

227

</varlistentry>

226

228

227

229

228

<term><literal>--version</literal></term>

230

<term><option>--version</option></term>

229

231

230

232

<para>

231

233

Prints the program version and exit.

232

234

</para>

233

235

</listitem>

234

236

</varlistentry>

237

238

239

240

241

<xi:include href="mandos-options.xml" xpointer="dbus"/>

242

<para>

243

See also <xref linkend="dbus_interface"/>.

244

</para>

245

</listitem>

246

</varlistentry>

247

248

249

250

251

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

252

</listitem>

253

</varlistentry>

235

254

</variablelist>

236

255

</refsect1>

237

256

238

257

239

258

<title>OVERVIEW</title>

240

259

<xi:include href="overview.xml"/>

241

260

<para>

242

261

This program is the server part. It is a normal server program

243

262

and will run in a normal system environment, not in an initial

244

RAM disk environment.

263

<acronym>RAM</acronym> disk environment.

245

264

</para>

246

265

</refsect1>

247

266

248

267

249

268

<title>NETWORK PROTOCOL</title>

250

269

<para>

302

321

</row>

303

322

</tbody></tgroup></table>

304

323

</refsect1>

305

324

306

325

307

326

<title>CHECKING</title>

308

327

<para>

309

328

The server will, by default, continually check that the clients

310

329

are still up. If a client has not been confirmed as being up

311

330

for some time, the client is assumed to be compromised and is no

312

longer eligible to receive the encrypted password. The timeout,

331

longer eligible to receive the encrypted password. (Manual

332

intervention is required to re-enable a client.) The timeout,

313

333

checker program, and interval between checks can be configured

314

334

both globally and per client; see <citerefentry>

315

335

<refentrytitle>mandos-clients.conf</refentrytitle>

316

<manvolnum>5</manvolnum></citerefentry>.

317

</para>

318

</refsect1>

319

336

<manvolnum>5</manvolnum></citerefentry>. A client successfully

337

receiving its password will also be treated as a successful

338

checker run.

339

</para>

340

</refsect1>

341

342

343

<title>APPROVAL</title>

344

<para>

345

The server can be configured to require manual approval for a

346

client before it is sent its secret. The delay to wait for such

347

approval and the default action (approve or deny) can be

348

configured both globally and per client; see <citerefentry>

349

<refentrytitle>mandos-clients.conf</refentrytitle>

350

<manvolnum>5</manvolnum></citerefentry>. By default all clients

351

will be approved immediately without delay.

352

</para>

353

<para>

354

This can be used to deny a client its secret if not manually

355

approved within a specified time. It can also be used to make

356

the server delay before giving a client its secret, allowing

357

optional manual denying of this specific client.

358

</para>

359

360

</refsect1>

361

320

362

321

363

<title>LOGGING</title>

322

364

<para>

326

368

and also show them on the console.

327

369

</para>

328

370

</refsect1>

329

371

372

373

<title>D-BUS INTERFACE</title>

374

<para>

375

The server will by default provide a D-Bus system bus interface.

376

This interface will only be accessible by the root user or a

377

Mandos-specific user, if such a user exists. For documentation

378

of the D-Bus API, see the file <filename>DBUS-API</filename>.

379

</para>

380

</refsect1>

381

330

382

331

383

<title>EXIT STATUS</title>

332

384

<para>

334

386

critical error is encountered.

335

387

</para>

336

388

</refsect1>

337

389

338

390

339

391

<title>ENVIRONMENT</title>

340

392

341

393

342

394

343

395

344

396

<para>

345

397

To start the configured checker (see <xref

354

406

</varlistentry>

355

407

</variablelist>

356

408

</refsect1>

357

358

409

410

359

411

<title>FILES</title>

360

412

<para>

361

413

Use the <option>--configdir</option> option to change where

384

436

</listitem>

385

437

</varlistentry>

386

438

387

<term><filename>/var/run/mandos/mandos.pid</filename></term>

439

<term><filename>/var/run/mandos.pid</filename></term>

388

440

389

441

<para>

390

The file containing the process id of

391

<command>&COMMANDNAME;</command>.

442

The file containing the process id of the

443

<command>&COMMANDNAME;</command> process started last.

392

444

</para>

393

445

</listitem>

394

446

</varlistentry>

422

474

backtrace. This could be considered a feature.

423

475

</para>

424

476

<para>

425

Currently, if a client is declared <quote>invalid</quote> due to

426

having timed out, the server does not record this fact onto

427

permanent storage. This has some security implications, see

428

<xref linkend="CLIENTS"/>.

429

</para>

430

<para>

431

There is currently no way of querying the server of the current

432

status of clients, other than analyzing its <systemitem

433

class="service">syslog</systemitem> output.

477

Currently, if a client is disabled due to having timed out, the

478

server does not record this fact onto permanent storage. This

479

has some security implications, see <xref linkend="clients"/>.

434

480

</para>

435

481

<para>

436

482

There is no fine-grained control over logging and debug output.

439

485

Debug mode is conflated with running in the foreground.

440

486

</para>

441

487

<para>

442

The console log messages does not show a timestamp.

488

The console log messages do not show a time stamp.

489

</para>

490

<para>

491

This server does not check the expire time of clients’ OpenPGP

492

keys.

443

493

</para>

444

494

</refsect1>

445

495

480

530

</para>

481

531

</informalexample>

482

532

</refsect1>

483

533

484

534

485

535

<title>SECURITY</title>

486

536

487

537

<title>SERVER</title>

488

538

<para>

489

539

Running this <command>&COMMANDNAME;</command> server program

490

540

should not in itself present any security risk to the host

491

computer running it. The program does not need any special

492

privileges to run, and is designed to run as a non-root user.

541

computer running it. The program switches to a non-root user

542

soon after startup.

493

543

</para>

494

544

</refsect2>

495

545

496

546

<title>CLIENTS</title>

497

547

<para>

498

548

The server only gives out its stored data to clients which

505

555

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

506

556

<manvolnum>5</manvolnum></citerefentry>)

507

557

<emphasis>must</emphasis> be made non-readable by anyone

508

except the user running the server.

558

except the user starting the server (usually root).

509

559

</para>

510

560

<para>

511

561

As detailed in <xref linkend="checking"/>, the status of all

514

564

</para>

515

565

<para>

516

566

If a client is compromised, its downtime should be duly noted

517

by the server which would therefore declare the client

518

invalid. But if the server was ever restarted, it would

519

re-read its client list from its configuration file and again

520

regard all clients therein as valid, and hence eligible to

521

receive their passwords. Therefore, be careful when

522

restarting servers if it is suspected that a client has, in

523

fact, been compromised by parties who may now be running a

524

fake Mandos client with the keys from the non-encrypted

525

initial RAM image of the client host. What should be done in

526

that case (if restarting the server program really is

527

necessary) is to stop the server program, edit the

528

configuration file to omit any suspect clients, and restart

529

the server program.

567

by the server which would therefore disable the client. But

568

if the server was ever restarted, it would re-read its client

569

list from its configuration file and again regard all clients

570

therein as enabled, and hence eligible to receive their

571

passwords. Therefore, be careful when restarting servers if

572

it is suspected that a client has, in fact, been compromised

573

by parties who may now be running a fake Mandos client with

574

the keys from the non-encrypted initial <acronym>RAM</acronym>

575

image of the client host. What should be done in that case

576

(if restarting the server program really is necessary) is to

577

stop the server program, edit the configuration file to omit

578

any suspect clients, and restart the server program.

530

579

</para>

531

580

<para>

532

581

For more details on client-side security, see

533

<citerefentry><refentrytitle>password-request</refentrytitle>

582

<citerefentry><refentrytitle>mandos-client</refentrytitle>

534

583

<manvolnum>8mandos</manvolnum></citerefentry>.

535

584

</para>

536

585

</refsect2>

537

586

</refsect1>

538

587

539

588

540

589

541

590

<para>

544

593

545

594

<refentrytitle>mandos.conf</refentrytitle>

546

595

547

<refentrytitle>password-request</refentrytitle>

596

<refentrytitle>mandos-client</refentrytitle>

548

597

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

549

598

550

599

</citerefentry>

Older »