/mandos/release : revision 237.7.326

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to intro.xml

Committer: Teddy Hogeborn
Date: 2015-07-20 04:03:32 UTC
mto: (237.7.594 trunk)
mto: This revision was merged to the branch mainline in revision 325.
Revision ID: teddy@recompile.se-20150720040332-hw6s7nh14ju259z3

Update copyright year.

* debian/copyright (Copyright): Update copyright year.
* intro.xml (COPYRIGHT): - '' -
* mandos-clients.conf.xml (COPYRIGHT): - '' -
* mandos-ctl.xml (COPYRIGHT): - '' -
* mandos-keygen.xml (COPYRIGHT): - '' -
* mandos-monitor.xml (COPYRIGHT): - '' -
* mandos.conf.xml (COPYRIGHT): - '' -
* mandos.xml (COPYRIGHT): - '' -
* plugin-runner.c: - '' -
* plugin-runner.xml (COPYRIGHT): - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/askpass-fifo.xml (COPYRIGHT): - '' -
* plugins.d/mandos-client.xml (COPYRIGHT): - '' -
* plugins.d/password-prompt.c: - '' -
* plugins.d/password-prompt.xml (COPYRIGHT): - '' -
* plugins.d/plymouth.c: - '' -
* plugins.d/plymouth.xml (COPYRIGHT): - '' -
* plugins.d/splashy.c: - '' -
* plugins.d/splashy.xml (COPYRIGHT): - '' -
* plugins.d/usplash.c: - '' -
* plugins.d/usplash.xml (COPYRIGHT): - '' -

files added:
debian/mandos-client.examples

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

initramfs-unpack

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

dbus-mandos.conf

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

intro.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY TIMESTAMP "2011-08-08">

<!ENTITY TIMESTAMP "2015-07-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

196

200

</para>

197

201

</refsect2>

198

202

203

204

<title>How about sniffing the network traffic and decrypting it

205

later by physically grabbing the Mandos client and using its

206

key?</title>

207

<para>

208

We only use <acronym>PFS</acronym> (Perfect Forward Security)

209

key exchange algorithms in TLS, which protects against this.

210

</para>

211

</refsect2>

212

199

213

200

214

<title>Physically grabbing the Mandos server computer?</title>

201

215

<para>

214

228

</para>

215

229

</refsect2>

216

230

217

218

<title>Faking ping replies?</title>

231

232

<title>Faking checker results?</title>

219

233

<para>

220

The default for the server is to use

234

If the Mandos client does not have an SSH server, the default

235

is for the Mandos server to use

221

236

<quote><literal>fping</literal></quote>, the replies to which

222

237

could be faked to eliminate the timeout. But this could

223

238

easily be changed to any shell command, with any security

224

measures you like. It could, for instance, be changed to an

225

SSH command with strict keychecking, which could not be faked.

226

Or IPsec could be used for the ping packets, making them

227

secure.

239

measures you like. If the Mandos client

240

<emphasis>has</emphasis> an SSH server, the default

241

configuration (as generated by

242

<command>mandos-keygen</command> with the

243

<option>--password</option> option) is for the Mandos server

244

to use an <command>ssh-keyscan</command> command with strict

245

keychecking, which can not be faked. Alternatively, IPsec

246

could be used for the ping packets, making them secure.

228

247

</para>

229

248

</refsect2>

230

249

</refsect1>

392

411

393

412

394

413

<term>

395

<ulink url="http://www.fukt.bsnet.se/mandos">Mandos</ulink>

414

<ulink url="http://www.recompile.se/mandos">Mandos</ulink>

396

415

</term>

397

416

398

417

<para>

Older »