/mandos/release : revision 237.23.7

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2014-07-25 23:42:53 UTC
mto: (237.7.272 trunk)
mto: This revision was merged to the branch mainline in revision 321.
Revision ID: teddy@recompile.se-20140725234253-m11fdsv01fetbk51

Use the .major attribute on sys.version_info instead of using "[0]".

The components of sys.version_info can now be accessed by attributes
instead of by numerical index, so do that.

* mandos-ctl: Get major version by using "sys.version_info.major".
* mandos-monitor: - '' -

files added:
initramfs-tools-hook-conf

files removed:
bugs.xml

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2025-06-27">

<!ENTITY TIMESTAMP "2014-06-22">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

101

102

</group>

103

<sbr/>

104

<group>

105

<arg choice="plain"><option>--tls-privkey

106

107

<arg choice="plain"><option>-t

108

109

</group>

110

<sbr/>

111

<group>

112

<arg choice="plain"><option>--tls-pubkey

113

114

<arg choice="plain"><option>-T

115

116

</group>

117

<sbr/>

118

<arg>

119

<option>--priority <replaceable>STRING</replaceable></option>

120

</arg>

124

</arg>

125

<sbr/>

126

100

<arg>

127

<option>--dh-params <replaceable>FILE</replaceable></option>

128

</arg>

129

<sbr/>

130

<arg>

131

101

<option>--delay <replaceable>SECONDS</replaceable></option>

132

102

</arg>

133

103

<sbr/>

174

144

brings up network interfaces, uses the interfaces’ IPv6

175

145

link-local addresses to get network connectivity, uses Zeroconf

176

146

to find servers on the local network, and communicates with

177

servers using TLS with a raw public key to ensure authenticity

178

and confidentiality. This client program keeps running, trying

179

all servers on the network, until it receives a satisfactory

180

reply or a TERM signal. After all servers have been tried, all

147

servers using TLS with an OpenPGP key to ensure authenticity and

148

confidentiality. This client program keeps running, trying all

149

servers on the network, until it receives a satisfactory reply

150

or a TERM signal. After all servers have been tried, all

181

151

servers are periodically retried. If no servers are found it

182

152

will wait indefinitely for new servers to appear.

183

153

</para>

201

171

</para>

202

172

<para>

203

173

This program is not meant to be run directly; it is really meant

204

to be run by other programs in the initial

205

<acronym>RAM</acronym> disk environment; see <xref

206

linkend="overview"/>.

174

to run as a plugin of the <application>Mandos</application>

175

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

176

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

177

initial <acronym>RAM</acronym> disk environment because it is

178

specified as a <quote>keyscript</quote> in the <citerefentry>

179

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

180

</citerefentry> file.

207

181

</para>

208

182

</refsect1>

209

183

221

195

<title>OPTIONS</title>

222

196

<para>

223

197

This program is commonly not invoked from the command line; it

224

is normally started by another program as described in <xref

225

linkend="description"/>. Any command line options this program

226

accepts are therefore normally provided by the invoking program,

227

and not directly.

198

is normally started by the <application>Mandos</application>

199

plugin runner, see <citerefentry><refentrytitle

200

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

201

</citerefentry>. Any command line options this program accepts

202

are therefore normally provided by the plugin runner, and not

203

directly.

228

204

</para>

229

205

230

206

321

297

</varlistentry>

322

298

323

299

324

<term><option>--tls-pubkey=<replaceable

325

>FILE</replaceable></option></term>

326

<term><option>-T

327

328

329

<para>

330

TLS raw public key file name. The default name is

331

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

332

></quote>.

333

</para>

334

</listitem>

335

</varlistentry>

336

337

338

<term><option>--tls-privkey=<replaceable

339

>FILE</replaceable></option></term>

340

<term><option>-t

341

342

343

<para>

344

TLS secret key file name. The default name is

345

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

346

></quote>.

347

</para>

348

</listitem>

349

</varlistentry>

350

351

352

300

<term><option>--priority=<replaceable

353

301

>STRING</replaceable></option></term>

354

302

363

311

364

312

<para>

365

313

Sets the number of bits to use for the prime number in the

366

TLS Diffie-Hellman key exchange. The default value is

367

selected automatically based on the GnuTLS security

368

profile set in its priority string. Note that if the

369

<option>--dh-params</option> option is used, the values

370

from that file will be used instead.

371

</para>

372

</listitem>

373

</varlistentry>

374

375

376

<term><option>--dh-params=<replaceable

377

>FILE</replaceable></option></term>

378

379

<para>

380

Specifies a PEM-encoded PKCS#3 file to read the parameters

381

needed by the TLS Diffie-Hellman key exchange from. If

382

this option is not given, or if the file for some reason

383

could not be used, the parameters will be generated on

384

startup, which will take some time and processing power.

385

Those using servers running under time, power or processor

386

constraints may want to generate such a file in advance

387

and use this option.

314

TLS Diffie-Hellman key exchange. Default is 1024.

388

315

</para>

389

316

</listitem>

390

317

</varlistentry>

481

408

<title>OVERVIEW</title>

482

409

<xi:include href="../overview.xml"/>

483

410

<para>

484

This program is the client part. It is run automatically in an

485

initial <acronym>RAM</acronym> disk environment.

486

</para>

487

<para>

488

In an initial <acronym>RAM</acronym> disk environment using

489

<citerefentry><refentrytitle>systemd</refentrytitle>

490

<manvolnum>1</manvolnum></citerefentry>, this program is started

491

by the <application>Mandos</application> <citerefentry>

492

<refentrytitle>password-agent</refentrytitle>

493

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn is

494

started automatically by the <citerefentry>

495

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

496

</citerefentry> <quote>Password Agent</quote> system.

497

</para>

498

<para>

499

In the case of a non-<citerefentry>

500

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

501

</citerefentry> environment, this program is started as a plugin

502

of the <application>Mandos</application> <citerefentry>

503

<refentrytitle>plugin-runner</refentrytitle>

504

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

505

initial <acronym>RAM</acronym> disk environment because it is

506

specified as a <quote>keyscript</quote> in the <citerefentry>

507

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

508

</citerefentry> file.

411

This program is the client part. It is a plugin started by

412

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

413

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

414

an initial <acronym>RAM</acronym> disk environment.

509

415

</para>

510

416

<para>

511

417

This program could, theoretically, be used as a keyscript in

512

418

<filename>/etc/crypttab</filename>, but it would then be

513

419

impossible to enter a password for the encrypted root disk at

514

420

the console, since this program does not read from the console

515

at all.

421

at all. This is why a separate plugin runner (<citerefentry>

422

<refentrytitle>plugin-runner</refentrytitle>

423

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

424

both this program and others in in parallel,

425

<emphasis>one</emphasis> of which (<citerefentry>

426

<refentrytitle>password-prompt</refentrytitle>

427

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

428

passwords on the system console.

516

429

</para>

517

430

</refsect1>

518

431

531

444

532

445

533

446

<title>ENVIRONMENT</title>

534

535

536

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

537

538

<para>

539

This environment variable will be assumed to contain the

540

directory containing any helper executables. The use and

541

nature of these helper executables, if any, is purposely

542

not documented.

543

</para>

544

</listitem>

545

</varlistentry>

546

</variablelist>

547

447

<para>

548

This program does not use any other environment variables, not

549

even the ones provided by <citerefentry><refentrytitle

448

This program does not use any environment variables, not even

449

the ones provided by <citerefentry><refentrytitle

550

450

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

551

451

</citerefentry>.

552

452

</para>

739

639

</listitem>

740

640

</varlistentry>

741

641

742

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

743

></term>

744

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

745

></term>

746

747

<para>

748

Public and private raw key files, in <quote>PEM</quote>

749

format. These are the default file names, they can be

750

changed with the <option>--tls-pubkey</option> and

751

<option>--tls-privkey</option> options.

752

</para>

753

</listitem>

754

</varlistentry>

755

756

642

<term><filename

757

643

class="directory">/lib/mandos/network-hooks.d</filename></term>

758

644

766

652

</variablelist>

767

653

</refsect1>

768

654

769

770

771

<xi:include href="../bugs.xml"/>

772

</refsect1>

655

656

657

658

659

773

660

774

661

775

662

<title>EXAMPLE</title>

776

663

<para>

777

664

Note that normally, command line options will not be given

778

directly, but passed on via the program responsible for starting

779

this program; see <xref linkend="overview"/>.

665

directly, but via options for the Mandos <citerefentry

666

><refentrytitle>plugin-runner</refentrytitle>

667

<manvolnum>8mandos</manvolnum></citerefentry>.

780

668

</para>

781

669

782

670

<para>

799

687

</informalexample>

800

688

801

689

<para>

802

Run in debug mode, and use custom keys:

690

Run in debug mode, and use a custom key:

803

691

</para>

804

692

<para>

805

693

806

694

807

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

695

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

808

696

809

697

</para>

810

698

</informalexample>

811

699

812

700

<para>

813

Run in debug mode, with custom keys, and do not use Zeroconf

701

Run in debug mode, with a custom key, and do not use Zeroconf

814

702

to locate a server; connect directly to the IPv6 link-local

815

703

address <quote><systemitem class="ipaddress"

816

704

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

819

707

<para>

820

708

821

709

822

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

710

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

823

711

824

712

</para>

825

713

</informalexample>

828

716

829

717

<title>SECURITY</title>

830

718

<para>

831

This program assumes that it is set-uid to root, and will switch

832

back to the original (and presumably non-privileged) user and

833

group after bringing up the network interface.

719

This program is set-uid to root, but will switch back to the

720

original (and presumably non-privileged) user and group after

721

bringing up the network interface.

834

722

</para>

835

723

<para>

836

724

To use this program for its intended purpose (see <xref

849

737

<para>

850

738

The only remaining weak point is that someone with physical

851

739

access to the client hard drive might turn off the client

852

computer, read the OpenPGP and TLS keys directly from the hard

853

drive, and communicate with the server. To safeguard against

854

this, the server is supposed to notice the client disappearing

855

and stop giving out the encrypted data. Therefore, it is

856

important to set the timeout and checker interval values tightly

857

on the server. See <citerefentry><refentrytitle

740

computer, read the OpenPGP keys directly from the hard drive,

741

and communicate with the server. To safeguard against this, the

742

server is supposed to notice the client disappearing and stop

743

giving out the encrypted data. Therefore, it is important to

744

set the timeout and checker interval values tightly on the

745

server. See <citerefentry><refentrytitle

858

746

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

859

747

</para>

860

748

<para>

884

772

<manvolnum>5</manvolnum></citerefentry>,

885

773

<citerefentry><refentrytitle>mandos</refentrytitle>

886

774

<manvolnum>8</manvolnum></citerefentry>,

887

<citerefentry><refentrytitle>password-agent</refentrytitle>

775

<citerefentry><refentrytitle>password-prompt</refentrytitle>

888

776

<manvolnum>8mandos</manvolnum></citerefentry>,

889

777

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

890

778

<manvolnum>8mandos</manvolnum></citerefentry>

903

791

</varlistentry>

904

792

905

793

<term>

906

<ulink url="https://www.avahi.org/">Avahi</ulink>

794

<ulink url="http://www.avahi.org/">Avahi</ulink>

907

795

</term>

908

796

909

797

<para>

914

802

</varlistentry>

915

803

916

804

<term>

917

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

805

<ulink url="http://www.gnu.org/software/gnutls/"

806

>GnuTLS</ulink>

918

807

</term>

919

808

920

809

<para>

921

810

GnuTLS is the library this client uses to implement TLS for

922

811

communicating securely with the server, and at the same time

923

send the public key to the server.

812

send the public OpenPGP key to the server.

924

813

</para>

925

814

</listitem>

926

815

</varlistentry>

927

816

928

817

<term>

929

<ulink url="https://www.gnupg.org/related_software/gpgme/"

818

<ulink url="http://www.gnupg.org/related_software/gpgme/"

930

819

>GPGME</ulink>

931

820

</term>

932

821

970

859

</varlistentry>

971

860

972

861

<term>

973

RFC 5246: <citetitle>The Transport Layer Security (TLS)

974

Protocol Version 1.2</citetitle>

862

RFC 4346: <citetitle>The Transport Layer Security (TLS)

863

Protocol Version 1.1</citetitle>

975

864

</term>

976

865

977

866

<para>

978

TLS 1.2 is the protocol implemented by GnuTLS.

867

TLS 1.1 is the protocol implemented by GnuTLS.

979

868

</para>

980

869

</listitem>

981

870

</varlistentry>

992

881

</varlistentry>

993

882

994

883

<term>

995

RFC 7250: <citetitle>Using Raw Public Keys in Transport

996

Layer Security (TLS) and Datagram Transport Layer Security

997

(DTLS)</citetitle>

998

</term>

999

1000

<para>

1001

This is implemented by GnuTLS in version 3.6.6 and is, if

1002

present, used by this program so that raw public keys can be

1003

used.

1004

</para>

1005

</listitem>

1006

</varlistentry>

1007

1008

<term>

1009

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

884

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

1010

885

Security</citetitle>

1011

886

</term>

1012

887

1013

888

<para>

1014

This is implemented by GnuTLS before version 3.6.0 and is,

1015

if present, used by this program so that OpenPGP keys can be

1016

used.

889

This is implemented by GnuTLS and used by this program so

890

that OpenPGP keys can be used.

1017

891

</para>

1018

892

</listitem>

1019

893

</varlistentry>

Older »