/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

  • Committer: Teddy Hogeborn
  • Date: 2014-03-01 09:39:25 UTC
  • mto: (237.7.272 trunk)
  • mto: This revision was merged to the branch mainline in revision 311.
  • Revision ID: teddy@recompile.se-20140301093925-0x6nwf21f0zljk6e
* debian/copyright: Change year to "2014".
* mandos-ctl: - '' -
* mandos-monitor: - '' -
* plugins.d/mandos-client.xml: - '' -

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos">
5
 
<!ENTITY TIMESTAMP "2010-09-26">
 
5
<!ENTITY TIMESTAMP "2013-10-26">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
19
19
        <firstname>Björn</firstname>
20
20
        <surname>Påhlsson</surname>
21
21
        <address>
22
 
          <email>belorn@fukt.bsnet.se</email>
 
22
          <email>belorn@recompile.se</email>
23
23
        </address>
24
24
      </author>
25
25
      <author>
26
26
        <firstname>Teddy</firstname>
27
27
        <surname>Hogeborn</surname>
28
28
        <address>
29
 
          <email>teddy@fukt.bsnet.se</email>
 
29
          <email>teddy@recompile.se</email>
30
30
        </address>
31
31
      </author>
32
32
    </authorgroup>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
36
36
      <year>2010</year>
 
37
      <year>2011</year>
 
38
      <year>2012</year>
 
39
      <year>2013</year>
37
40
      <holder>Teddy Hogeborn</holder>
38
41
      <holder>Björn Påhlsson</holder>
39
42
    </copyright>
87
90
      <sbr/>
88
91
      <arg><option>--debug</option></arg>
89
92
      <sbr/>
 
93
      <arg><option>--debuglevel
 
94
      <replaceable>LEVEL</replaceable></option></arg>
 
95
      <sbr/>
90
96
      <arg><option>--no-dbus</option></arg>
91
97
      <sbr/>
92
98
      <arg><option>--no-ipv6</option></arg>
 
99
      <sbr/>
 
100
      <arg><option>--no-restore</option></arg>
 
101
      <sbr/>
 
102
      <arg><option>--statedir
 
103
      <replaceable>DIRECTORY</replaceable></option></arg>
 
104
      <sbr/>
 
105
      <arg><option>--socket
 
106
      <replaceable>FD</replaceable></option></arg>
 
107
      <sbr/>
 
108
      <arg><option>--foreground</option></arg>
93
109
    </cmdsynopsis>
94
110
    <cmdsynopsis>
95
111
      <command>&COMMANDNAME;</command>
113
129
    <para>
114
130
      <command>&COMMANDNAME;</command> is a server daemon which
115
131
      handles incoming request for passwords for a pre-defined list of
116
 
      client host computers.  The Mandos server uses Zeroconf to
117
 
      announce itself on the local network, and uses TLS to
118
 
      communicate securely with and to authenticate the clients.  The
119
 
      Mandos server uses IPv6 to allow Mandos clients to use IPv6
120
 
      link-local addresses, since the clients will probably not have
121
 
      any other addresses configured (see <xref linkend="overview"/>).
122
 
      Any authenticated client is then given the stored pre-encrypted
123
 
      password for that specific client.
 
132
      client host computers. For an introduction, see
 
133
      <citerefentry><refentrytitle>intro</refentrytitle>
 
134
      <manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server
 
135
      uses Zeroconf to announce itself on the local network, and uses
 
136
      TLS to communicate securely with and to authenticate the
 
137
      clients.  The Mandos server uses IPv6 to allow Mandos clients to
 
138
      use IPv6 link-local addresses, since the clients will probably
 
139
      not have any other addresses configured (see <xref
 
140
      linkend="overview"/>).  Any authenticated client is then given
 
141
      the stored pre-encrypted password for that specific client.
124
142
    </para>
125
143
  </refsect1>
126
144
  
195
213
      </varlistentry>
196
214
      
197
215
      <varlistentry>
 
216
        <term><option>--debuglevel
 
217
        <replaceable>LEVEL</replaceable></option></term>
 
218
        <listitem>
 
219
          <para>
 
220
            Set the debugging log level.
 
221
            <replaceable>LEVEL</replaceable> is a string, one of
 
222
            <quote><literal>CRITICAL</literal></quote>,
 
223
            <quote><literal>ERROR</literal></quote>,
 
224
            <quote><literal>WARNING</literal></quote>,
 
225
            <quote><literal>INFO</literal></quote>, or
 
226
            <quote><literal>DEBUG</literal></quote>, in order of
 
227
            increasing verbosity.  The default level is
 
228
            <quote><literal>WARNING</literal></quote>.
 
229
          </para>
 
230
        </listitem>
 
231
      </varlistentry>
 
232
      
 
233
      <varlistentry>
198
234
        <term><option>--priority <replaceable>
199
235
        PRIORITY</replaceable></option></term>
200
236
        <listitem>
201
 
          <xi:include href="mandos-options.xml" xpointer="priority"/>
 
237
          <xi:include href="mandos-options.xml"
 
238
                      xpointer="priority_compat"/>
202
239
        </listitem>
203
240
      </varlistentry>
204
241
      
251
288
          <xi:include href="mandos-options.xml" xpointer="ipv6"/>
252
289
        </listitem>
253
290
      </varlistentry>
 
291
      
 
292
      <varlistentry>
 
293
        <term><option>--no-restore</option></term>
 
294
        <listitem>
 
295
          <xi:include href="mandos-options.xml" xpointer="restore"/>
 
296
          <para>
 
297
            See also <xref linkend="persistent_state"/>.
 
298
          </para>
 
299
        </listitem>
 
300
      </varlistentry>
 
301
      
 
302
      <varlistentry>
 
303
        <term><option>--statedir
 
304
        <replaceable>DIRECTORY</replaceable></option></term>
 
305
        <listitem>
 
306
          <xi:include href="mandos-options.xml" xpointer="statedir"/>
 
307
        </listitem>
 
308
      </varlistentry>
 
309
      
 
310
      <varlistentry>
 
311
        <term><option>--socket
 
312
        <replaceable>FD</replaceable></option></term>
 
313
        <listitem>
 
314
          <xi:include href="mandos-options.xml" xpointer="socket"/>
 
315
        </listitem>
 
316
      </varlistentry>
 
317
      
 
318
      <varlistentry>
 
319
        <term><option>--foreground</option></term>
 
320
        <listitem>
 
321
          <xi:include href="mandos-options.xml"
 
322
                      xpointer="foreground"/>
 
323
        </listitem>
 
324
      </varlistentry>
 
325
      
254
326
    </variablelist>
255
327
  </refsect1>
256
328
  
330
402
      for some time, the client is assumed to be compromised and is no
331
403
      longer eligible to receive the encrypted password.  (Manual
332
404
      intervention is required to re-enable a client.)  The timeout,
333
 
      checker program, and interval between checks can be configured
334
 
      both globally and per client; see <citerefentry>
335
 
      <refentrytitle>mandos-clients.conf</refentrytitle>
336
 
      <manvolnum>5</manvolnum></citerefentry>.  A client successfully
337
 
      receiving its password will also be treated as a successful
338
 
      checker run.
 
405
      extended timeout, checker program, and interval between checks
 
406
      can be configured both globally and per client; see
 
407
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
 
408
      <manvolnum>5</manvolnum></citerefentry>.
339
409
    </para>
340
410
  </refsect1>
341
411
  
363
433
    <title>LOGGING</title>
364
434
    <para>
365
435
      The server will send log message with various severity levels to
366
 
      <filename>/dev/log</filename>.  With the
 
436
      <filename class="devicefile">/dev/log</filename>.  With the
367
437
      <option>--debug</option> option, it will log even more messages,
368
438
      and also show them on the console.
369
439
    </para>
370
440
  </refsect1>
371
441
  
 
442
  <refsect1 id="persistent_state">
 
443
    <title>PERSISTENT STATE</title>
 
444
    <para>
 
445
      Client settings, initially read from
 
446
      <filename>clients.conf</filename>, are persistent across
 
447
      restarts, and run-time changes will override settings in
 
448
      <filename>clients.conf</filename>.  However, if a setting is
 
449
      <emphasis>changed</emphasis> (or a client added, or removed) in
 
450
      <filename>clients.conf</filename>, this will take precedence.
 
451
    </para>
 
452
  </refsect1>
 
453
  
372
454
  <refsect1 id="dbus_interface">
373
455
    <title>D-BUS INTERFACE</title>
374
456
    <para>
436
518
        </listitem>
437
519
      </varlistentry>
438
520
      <varlistentry>
439
 
        <term><filename>/var/run/mandos.pid</filename></term>
 
521
        <term><filename>/run/mandos.pid</filename></term>
440
522
        <listitem>
441
523
          <para>
442
524
            The file containing the process id of the
443
525
            <command>&COMMANDNAME;</command> process started last.
 
526
            <emphasis >Note:</emphasis> If the <filename
 
527
            class="directory">/run</filename> directory does not
 
528
            exist, <filename>/var/run/mandos.pid</filename> will be
 
529
            used instead.
 
530
          </para>
 
531
        </listitem>
 
532
      </varlistentry>
 
533
      <varlistentry>
 
534
        <term><filename class="devicefile">/dev/log</filename></term>
 
535
      </varlistentry>
 
536
      <varlistentry>
 
537
        <term><filename
 
538
        class="directory">/var/lib/mandos</filename></term>
 
539
        <listitem>
 
540
          <para>
 
541
            Directory where persistent state will be saved.  Change
 
542
            this with the <option>--statedir</option> option.  See
 
543
            also the <option>--no-restore</option> option.
444
544
          </para>
445
545
        </listitem>
446
546
      </varlistentry>
474
574
      backtrace.  This could be considered a feature.
475
575
    </para>
476
576
    <para>
477
 
      Currently, if a client is disabled due to having timed out, the
478
 
      server does not record this fact onto permanent storage.  This
479
 
      has some security implications, see <xref linkend="clients"/>.
480
 
    </para>
481
 
    <para>
482
577
      There is no fine-grained control over logging and debug output.
483
578
    </para>
484
579
    <para>
485
 
      Debug mode is conflated with running in the foreground.
486
 
    </para>
487
 
    <para>
488
 
      The console log messages do not show a time stamp.
489
 
    </para>
490
 
    <para>
491
580
      This server does not check the expire time of clients’ OpenPGP
492
581
      keys.
493
582
    </para>
506
595
    <informalexample>
507
596
      <para>
508
597
        Run the server in debug mode, read configuration files from
509
 
        the <filename>~/mandos</filename> directory, and use the
510
 
        Zeroconf service name <quote>Test</quote> to not collide with
511
 
        any other official Mandos server on this host:
 
598
        the <filename class="directory">~/mandos</filename> directory,
 
599
        and use the Zeroconf service name <quote>Test</quote> to not
 
600
        collide with any other official Mandos server on this host:
512
601
      </para>
513
602
      <para>
514
603
 
563
652
        compromised if they are gone for too long.
564
653
      </para>
565
654
      <para>
566
 
        If a client is compromised, its downtime should be duly noted
567
 
        by the server which would therefore disable the client.  But
568
 
        if the server was ever restarted, it would re-read its client
569
 
        list from its configuration file and again regard all clients
570
 
        therein as enabled, and hence eligible to receive their
571
 
        passwords.  Therefore, be careful when restarting servers if
572
 
        it is suspected that a client has, in fact, been compromised
573
 
        by parties who may now be running a fake Mandos client with
574
 
        the keys from the non-encrypted initial <acronym>RAM</acronym>
575
 
        image of the client host.  What should be done in that case
576
 
        (if restarting the server program really is necessary) is to
577
 
        stop the server program, edit the configuration file to omit
578
 
        any suspect clients, and restart the server program.
579
 
      </para>
580
 
      <para>
581
655
        For more details on client-side security, see
582
656
        <citerefentry><refentrytitle>mandos-client</refentrytitle>
583
657
        <manvolnum>8mandos</manvolnum></citerefentry>.
588
662
  <refsect1 id="see_also">
589
663
    <title>SEE ALSO</title>
590
664
    <para>
591
 
      <citerefentry>
592
 
        <refentrytitle>mandos-clients.conf</refentrytitle>
593
 
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
594
 
        <refentrytitle>mandos.conf</refentrytitle>
595
 
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
596
 
        <refentrytitle>mandos-client</refentrytitle>
597
 
        <manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
598
 
        <refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
599
 
      </citerefentry>
 
665
      <citerefentry><refentrytitle>intro</refentrytitle>
 
666
      <manvolnum>8mandos</manvolnum></citerefentry>,
 
667
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
 
668
      <manvolnum>5</manvolnum></citerefentry>,
 
669
      <citerefentry><refentrytitle>mandos.conf</refentrytitle>
 
670
      <manvolnum>5</manvolnum></citerefentry>,
 
671
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
672
      <manvolnum>8mandos</manvolnum></citerefentry>,
 
673
      <citerefentry><refentrytitle>sh</refentrytitle>
 
674
      <manvolnum>1</manvolnum></citerefentry>
600
675
    </para>
601
676
    <variablelist>
602
677
      <varlistentry>