/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

  • Committer: Teddy Hogeborn
  • Date: 2018-08-19 01:35:11 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 368.
  • Revision ID: teddy@recompile.se-20180819013511-cku25q9yeub3dnr0
Adapt to changes in cryptsetup; use "cryptroot-unlock" program

* Makefile (install-client-nokey): Also install new script files
  "mandos-to-cryptroot-unlock" and "initramfs-tools-script-stop".
* debian/mandos-client.dirs: Add
  "usr/share/initramfs-tools/scripts/local-premount".
* initramfs-tools-hook: Also copy "mandos-to-cryptroot-unlock".
* initramfs-tools-script: Only modify keyscript setting in cryptroot
  file if the file exists, otherwise start
  "mandos-to-cryptroot-unlock" in background.
* initramfs-tools-script-stop: New script to make sure plugin-runner
  has stopped before continuing.
* mandos-to-cryptroot-unlock: New script to run plugin-runner and feed
  any password it gets into the "cryptroot-unlock" program.

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-client">
5
 
<!ENTITY TIMESTAMP "2014-03-01">
 
5
<!ENTITY TIMESTAMP "2018-02-08">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
33
33
    <copyright>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
 
36
      <year>2010</year>
 
37
      <year>2011</year>
36
38
      <year>2012</year>
37
39
      <year>2013</year>
38
40
      <year>2014</year>
 
41
      <year>2015</year>
 
42
      <year>2016</year>
 
43
      <year>2017</year>
 
44
      <year>2018</year>
39
45
      <holder>Teddy Hogeborn</holder>
40
46
      <holder>Björn Påhlsson</holder>
41
47
    </copyright>
98
104
      </arg>
99
105
      <sbr/>
100
106
      <arg>
 
107
        <option>--dh-params <replaceable>FILE</replaceable></option>
 
108
      </arg>
 
109
      <sbr/>
 
110
      <arg>
101
111
        <option>--delay <replaceable>SECONDS</replaceable></option>
102
112
      </arg>
103
113
      <sbr/>
261
271
          <para>
262
272
            <replaceable>NAME</replaceable> can be the string
263
273
            <quote><literal>none</literal></quote>; this will make
264
 
            <command>&COMMANDNAME;</command> not bring up
265
 
            <emphasis>any</emphasis> interfaces specified
266
 
            <emphasis>after</emphasis> this string.  This is not
267
 
            recommended, and only meant for advanced users.
 
274
            <command>&COMMANDNAME;</command> only bring up interfaces
 
275
            specified <emphasis>before</emphasis> this string.  This
 
276
            is not recommended, and only meant for advanced users.
268
277
          </para>
269
278
        </listitem>
270
279
      </varlistentry>
312
321
        <listitem>
313
322
          <para>
314
323
            Sets the number of bits to use for the prime number in the
315
 
            TLS Diffie-Hellman key exchange.  Default is 1024.
 
324
            TLS Diffie-Hellman key exchange.  The default value is
 
325
            selected automatically based on the OpenPGP key.  Note
 
326
            that if the <option>--dh-params</option> option is used,
 
327
            the values from that file will be used instead.
 
328
          </para>
 
329
        </listitem>
 
330
      </varlistentry>
 
331
      
 
332
      <varlistentry>
 
333
        <term><option>--dh-params=<replaceable
 
334
        >FILE</replaceable></option></term>
 
335
        <listitem>
 
336
          <para>
 
337
            Specifies a PEM-encoded PKCS#3 file to read the parameters
 
338
            needed by the TLS Diffie-Hellman key exchange from.  If
 
339
            this option is not given, or if the file for some reason
 
340
            could not be used, the parameters will be generated on
 
341
            startup, which will take some time and processing power.
 
342
            Those using servers running under time, power or processor
 
343
            constraints may want to generate such a file in advance
 
344
            and use this option.
316
345
          </para>
317
346
        </listitem>
318
347
      </varlistentry>
445
474
  
446
475
  <refsect1 id="environment">
447
476
    <title>ENVIRONMENT</title>
 
477
    <variablelist>
 
478
      <varlistentry>
 
479
        <term><envar>MANDOSPLUGINHELPERDIR</envar></term>
 
480
        <listitem>
 
481
          <para>
 
482
            This environment variable will be assumed to contain the
 
483
            directory containing any helper executables.  The use and
 
484
            nature of these helper executables, if any, is
 
485
            purposefully not documented.
 
486
        </para>
 
487
        </listitem>
 
488
      </varlistentry>
 
489
    </variablelist>
448
490
    <para>
449
 
      This program does not use any environment variables, not even
450
 
      the ones provided by <citerefentry><refentrytitle
 
491
      This program does not use any other environment variables, not
 
492
      even the ones provided by <citerefentry><refentrytitle
451
493
      >cryptsetup</refentrytitle><manvolnum>8</manvolnum>
452
494
    </citerefentry>.
453
495
    </para>
653
695
    </variablelist>
654
696
  </refsect1>
655
697
  
656
 
<!--   <refsect1 id="bugs"> -->
657
 
<!--     <title>BUGS</title> -->
658
 
<!--     <para> -->
659
 
<!--     </para> -->
660
 
<!--   </refsect1> -->
 
698
  <refsect1 id="bugs">
 
699
    <title>BUGS</title>
 
700
    <xi:include href="../bugs.xml"/>
 
701
  </refsect1>
661
702
  
662
703
  <refsect1 id="example">
663
704
    <title>EXAMPLE</title>
749
790
    <para>
750
791
      It will also help if the checker program on the server is
751
792
      configured to request something from the client which can not be
752
 
      spoofed by someone else on the network, unlike unencrypted
753
 
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
 
793
      spoofed by someone else on the network, like SSH server key
 
794
      fingerprints, and unlike unencrypted <acronym>ICMP</acronym>
 
795
      echo (<quote>ping</quote>) replies.
754
796
    </para>
755
797
    <para>
756
798
      <emphasis>Note</emphasis>: This makes it completely insecure to
802
844
      </varlistentry>
803
845
      <varlistentry>
804
846
        <term>
805
 
          <ulink url="http://www.gnu.org/software/gnutls/"
806
 
          >GnuTLS</ulink>
 
847
          <ulink url="https://www.gnutls.org/">GnuTLS</ulink>
807
848
        </term>
808
849
      <listitem>
809
850
        <para>
815
856
      </varlistentry>
816
857
      <varlistentry>
817
858
        <term>
818
 
          <ulink url="http://www.gnupg.org/related_software/gpgme/"
 
859
          <ulink url="https://www.gnupg.org/related_software/gpgme/"
819
860
                 >GPGME</ulink>
820
861
        </term>
821
862
        <listitem>
859
900
      </varlistentry>
860
901
      <varlistentry>
861
902
        <term>
862
 
          RFC 4346: <citetitle>The Transport Layer Security (TLS)
863
 
          Protocol Version 1.1</citetitle>
 
903
          RFC 5246: <citetitle>The Transport Layer Security (TLS)
 
904
          Protocol Version 1.2</citetitle>
864
905
        </term>
865
906
      <listitem>
866
907
        <para>
867
 
          TLS 1.1 is the protocol implemented by GnuTLS.
 
908
          TLS 1.2 is the protocol implemented by GnuTLS.
868
909
        </para>
869
910
      </listitem>
870
911
      </varlistentry>
881
922
      </varlistentry>
882
923
      <varlistentry>
883
924
        <term>
884
 
          RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
 
925
          RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer
885
926
          Security</citetitle>
886
927
        </term>
887
928
      <listitem>