Viewing changes to plugin-runner.xml

  • Committer: Teddy Hogeborn
  • Date: 2016-06-03 17:18:46 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 343.
  • Revision ID: teddy@recompile.se-20160603171846-zr11h4gshlkgoona
mandos-keygen: Try to use ECDSA keys with ssh-keyscan(1) by default.

* mandos-keygen (password): Add "ecdsa-sha2-nistp256" first in list of
                            SSH key types to try to scan for.

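--- a/plugin-runner.xml
+++ b/plugin-runner.xml
@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
         "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY VERSION "1.0">
 <!ENTITY COMMANDNAME "plugin-runner">
-<!ENTITY TIMESTAMP "2008-09-04">
+<!ENTITY TIMESTAMP "2016-03-17">
+<!ENTITY % common SYSTEM "common.ent">
+%common;
 ]>
 
 <refentry xmlns:xi="http://www.w3.org/2001/XInclude">
@@ -11,32 +12,40 @@
     <title>Mandos Manual</title>
     <!-- Nwalsh’s docbook scripts use this to generate the footer: -->
     <productname>Mandos</productname>
-    <productnumber>&VERSION;</productnumber>
+    <productnumber>&version;</productnumber>
     <date>&TIMESTAMP;</date>
     <authorgroup>
       <author>
         <firstname>Björn</firstname>
         <surname>Påhlsson</surname>
         <address>
-          <email>belorn@fukt.bsnet.se</email>
+          <email>belorn@recompile.se</email>
         </address>
       </author>
       <author>
         <firstname>Teddy</firstname>
         <surname>Hogeborn</surname>
         <address>
-          <email>teddy@fukt.bsnet.se</email>
+          <email>teddy@recompile.se</email>
         </address>
       </author>
     </authorgroup>
     <copyright>
       <year>2008</year>
+      <year>2009</year>
+      <year>2010</year>
+      <year>2011</year>
+      <year>2012</year>
+      <year>2013</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
       <holder>Teddy Hogeborn</holder>
       <holder>Björn Påhlsson</holder>
     </copyright>
     <xi:include href="legalnotice.xml"/>
   </refentryinfo>
- 
+  
   <refmeta>
     <refentrytitle>&COMMANDNAME;</refentrytitle>
     <manvolnum>8mandos</manvolnum>
@@ -48,16 +57,16 @@
       Run Mandos plugins, pass data from first to succeed.
     </refpurpose>
   </refnamediv>
- 
+  
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
       <group rep="repeat">
         <arg choice="plain"><option>--global-env=<replaceable
-        >VAR</replaceable><literal>=</literal><replaceable
+        >ENV</replaceable><literal>=</literal><replaceable
         >value</replaceable></option></arg>
         <arg choice="plain"><option>-G
-        <replaceable>VAR</replaceable><literal>=</literal><replaceable
+        <replaceable>ENV</replaceable><literal>=</literal><replaceable
         >value</replaceable> </option></arg>
       </group>
       <sbr/>
@@ -111,6 +120,9 @@
       <arg><option>--plugin-dir=<replaceable
       >DIRECTORY</replaceable></option></arg>
       <sbr/>
+      <arg><option>--plugin-helper-dir=<replaceable
+      >DIRECTORY</replaceable></option></arg>
+      <sbr/>
       <arg><option>--config-file=<replaceable
       >FILE</replaceable></option></arg>
       <sbr/>
@@ -170,10 +182,10 @@
     <variablelist>
       <varlistentry>
         <term><option>--global-env
-        <replaceable>VAR</replaceable><literal>=</literal><replaceable
+        <replaceable>ENV</replaceable><literal>=</literal><replaceable
         >value</replaceable></option></term>
         <term><option>-G
-        <replaceable>VAR</replaceable><literal>=</literal><replaceable
+        <replaceable>ENV</replaceable><literal>=</literal><replaceable
         >value</replaceable></option></term>
         <listitem>
           <para>
@@ -247,7 +259,7 @@
           </para>
         </listitem>
       </varlistentry>
- 
+      
       <varlistentry>
         <term><option>--disable
         <replaceable>PLUGIN</replaceable></option></term>
@@ -258,10 +270,10 @@
             Disable the plugin named
             <replaceable>PLUGIN</replaceable>.  The plugin will not be
             started.
-          </para>       
+          </para>
         </listitem>
       </varlistentry>
- 
+      
       <varlistentry>
         <term><option>--enable
         <replaceable>PLUGIN</replaceable></option></term>
@@ -276,7 +288,7 @@
           </para>
         </listitem>
       </varlistentry>
- 
+      
       <varlistentry>
         <term><option>--groupid
         <replaceable>ID</replaceable></option></term>
@@ -289,7 +301,7 @@
           </para>
         </listitem>
       </varlistentry>
- 
+      
       <varlistentry>
         <term><option>--userid
         <replaceable>ID</replaceable></option></term>
@@ -302,7 +314,7 @@
           </para>
         </listitem>
       </varlistentry>
- 
+      
       <varlistentry>
         <term><option>--plugin-dir
         <replaceable>DIRECTORY</replaceable></option></term>
@@ -317,6 +329,21 @@
       </varlistentry>
       
       <varlistentry>
+        <term><option>--plugin-helper-dir
+        <replaceable>DIRECTORY</replaceable></option></term>
+        <listitem>
+          <para>
+            Specify a different plugin helper directory.  The default
+            is <filename>/lib/mandos/plugin-helpers</filename>, which
+            will exist in the initial <acronym>RAM</acronym> disk
+            environment.  (This will simply be passed to all plugins
+            via the <envar>MANDOSPLUGINHELPERDIR</envar> environment
+            variable.  See <xref linkend="writing_plugins"/>)
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
         <term><option>--config-file
         <replaceable>FILE</replaceable></option></term>
         <listitem>
@@ -365,7 +392,7 @@
           </para>
         </listitem>
       </varlistentry>
- 
+      
       <varlistentry>
         <term><option>--version</option></term>
         <term><option>-V</option></term>
@@ -377,7 +404,7 @@
       </varlistentry>
     </variablelist>
   </refsect1>
- 
+  
   <refsect1 id="overview">
     <title>OVERVIEW</title>
     <xi:include href="overview.xml"/>
@@ -403,7 +430,7 @@
       code will make this plugin-runner output the password from that
       plugin, stop any other plugins, and exit.
     </para>
- 
+    
     <refsect2 id="writing_plugins">
       <title>WRITING PLUGINS</title>
       <para>
@@ -416,9 +443,18 @@
         console.
       </para>
       <para>
+        If the password is a single-line, manually entered passprase,
+        a final trailing newline character should
+        <emphasis>not</emphasis> be printed.
+      </para>
+      <para>
         The plugin will run in the initial RAM disk environment, so
         care must be taken not to depend on any files or running
-        services not available there.
+        services not available there.  Any helper executables required
+        by the plugin (which are not in the <envar>PATH</envar>) can
+        be placed in the plugin helper directory, the name of which
+        will be made available to the plugin via the
+        <envar>MANDOSPLUGINHELPERDIR</envar> environment variable.
       </para>
       <para>
         The plugin must exit cleanly and free all allocated resources
@@ -467,7 +503,9 @@
       only passes on its environment to all the plugins.  The
       environment passed to plugins can be modified using the
       <option>--global-env</option> and <option>--env-for</option>
-      options.
+      options.  Also, the <option>--plugin-helper-dir</option> option
+      will affect the environment variable
+      <envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.
     </para>
   </refsect1>
   
@@ -506,15 +544,38 @@
             </para>
           </listitem>
         </varlistentry>
+        <varlistentry>
+          <term><filename class="directory"
+          >/lib/mandos/plugins.d</filename></term>
+          <listitem>
+            <para>
+              The default plugin directory; can be changed by the
+              <option>--plugin-dir</option> option.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><filename class="directory"
+          >/lib/mandos/plugin-helpers</filename></term>
+          <listitem>
+            <para>
+              The default plugin helper directory; can be changed by
+              the <option>--plugin-helper-dir</option> option.
+            </para>
+          </listitem>
+        </varlistentry>
       </variablelist>
     </para>
   </refsect1>
   
-<!--   <refsect1 id="bugs"> -->
-<!--     <title>BUGS</title> -->
-<!--     <para> -->
-<!--     </para> -->
-<!--   </refsect1> -->
+  <refsect1 id="bugs">
+    <title>BUGS</title>
+    <para>
+      The <option>--config-file</option> option is ignored when
+      specified from within a configuration file.
+    </para>
+    <xi:include href="bugs.xml"/>
+  </refsect1>
   
   <refsect1 id="examples">
     <title>EXAMPLE</title>
@@ -562,15 +623,16 @@
     </informalexample>
     <informalexample>
       <para>
-        Run plugins from a different directory and add two
-        options to the <citerefentry><refentrytitle
-        >password-request</refentrytitle>
+        Read a different configuration file, run plugins from a
+        different directory, specify an alternate plugin helper
+        directory and add two options to the
+        <citerefentry><refentrytitle >mandos-client</refentrytitle>
         <manvolnum>8mandos</manvolnum></citerefentry> plugin:
       </para>
       <para>
 
 <!-- do not wrap this line -->
-<userinput>&COMMANDNAME;  --plugin-dir=plugins.d --options-for=password-request:--pubkey=keydir/pubkey.txt,--seckey=keydir/seckey.txt</userinput>
+<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>
 
       </para>
     </informalexample>
@@ -584,7 +646,7 @@
       non-privileged.  This user and group is then what all plugins
       will be started as.  Therefore, the only way to run a plugin as
       a privileged user is to have the set-user-ID or set-group-ID bit
-      set on the plugin executable files (see <citerefentry>
+      set on the plugin executable file (see <citerefentry>
       <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>
       </citerefentry>).
     </para>
@@ -608,6 +670,8 @@
   <refsect1 id="see_also">
     <title>SEE ALSO</title>
     <para>
+      <citerefentry><refentrytitle>intro</refentrytitle>
+      <manvolnum>8mandos</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>cryptsetup</refentrytitle>
       <manvolnum>8</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>crypttab</refentrytitle>
@@ -618,7 +682,7 @@
       <manvolnum>8</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>password-prompt</refentrytitle>
       <manvolnum>8mandos</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>password-request</refentrytitle>
+      <citerefentry><refentrytitle>mandos-client</refentrytitle>
       <manvolnum>8mandos</manvolnum></citerefentry>
     </para>
   </refsect1>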
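Review bot: The paragraph added at new line 446 in the WRITING PLUGINS section misspells "passphrase" as "passprase", and this text is rendered verbatim into the installed man page; the line should read `        If the password is a single-line, manually entered passphrase,`. The enclosing `<refsect2 id="writing_plugins">` begins in an earlier hunk. Separately, the new internal DTD subset at line 6 makes the document depend on the external parameter entity `common.ent` (via `%common;`, which presumably supplies `&version;`), so this file now only parses with a processor that loads external DTD entities; a one-line comment beside the declaration, such as `<!-- common.ent must sit next to this file; only the doc build is expected to resolve it -->`, would spare the next maintainer a confusing "undefined entity" failure when a stricter parser is used.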