/mandos/release

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2015-03-10 18:03:38 UTC
mto: (237.7.304 trunk)
mto: This revision was merged to the branch mainline in revision 325.
Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9

Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which does not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default. The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

files added:
debian/upstream

debian/upstream/signing-key.asc

files modified:
DBUS-API

INSTALL

Makefile

NEWS

TODO

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

initramfs-tools-hook

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.lsm

mandos.service

mandos.xml

plugin-runner.c

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/plymouth.c

plugins.d/splashy.c

plugins.d/usplash.c

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

3

3

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

4

4

<!ENTITY CONFNAME "mandos-clients.conf">

5

5

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

6

<!ENTITY TIMESTAMP "2013-10-15">

6

<!ENTITY TIMESTAMP "2014-06-22">

7

7

<!ENTITY % common SYSTEM "common.ent">

8

8

%common;

9

9

]>

177

177

<varname>PATH</varname> will be searched. The default

178

178

value for the checker command is <quote><literal

179

179

><command>fping</command> <option>-q</option> <option

180

>--</option> %%(host)s</literal></quote>.

180

>--</option> %%(host)s</literal></quote>. Note that

181

<command>mandos-keygen</command>, when generating output

182

to be inserted into this file, normally looks for an SSH

183

server on the Mandos client, and, if it find one, outputs

184

a <option>checker</option> option to check for the

185

client’s key fingerprint – this is more secure against

186

spoofing.

181

187

</para>

182

188

<para>

183

189

In addition to normal start time expansion, this option

Older »