/mandos/release : revision 237.7.816

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2023-02-07 23:03:33 UTC
mto: This revision was merged to the branch mainline in revision 408.
Revision ID: teddy@recompile.se-20230207230333-5halrp7943pgb3w1

Server: Bug fix: Stagger checker runs when creating clients

* mandos (Client.enable()): Do not set self.expires here; move it to
  "init_checker".
  (Client.init_checker()): Take new "randomize_start" argument.  If
  True, randomize delay before starting checker.  Also, do not start
  checker right now, but instead extend expire time so that the
  scheduled checker always has time to run.
  (Checker.start_checker): Take new "start_was_randomized" argument.
  If True, reset scheduled checker runs to be 'interval' apart,
  instead of using the initial delay.  (Bug fix)
  (main): On startup, pass argument randomize_start=True to
  client.init_checker() when initizlizing checkers for all enabled
  clients.

Reported-by: Louis Charreau <Louis.Charreau@vadesecure.com>
Suggested-by: Louis Charreau <Louis.Charreau@vadesecure.com>
Fixes: 1200 ("Server: Stagger checker runs when creating clients")

files added:
bugs.xml

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-to-cryptroot-unlock

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

dbus-mandos.conf

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2010-09-26">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, read by it at startup.

The file needs to list all clients that should be able to use

the service. All clients listed will be regarded as enabled,

even if a client was disabled in a previous run of the server.

the service. The settings in this file can be overridden by

runtime changes to the server, which it saves across restarts.

(See the section called <quote>PERSISTENT STATE</quote> in

<citerefentry><refentrytitle>mandos</refentrytitle><manvolnum

>8</manvolnum></citerefentry>.) However, any <emphasis

>changes</emphasis> to this file (including adding and removing

clients) will, at startup, override changes done during runtime.

</para>

<para>

The format starts with a <literal>[<replaceable>section

110

124

<para>

111

125

How long to wait for external approval before resorting to

112

126

use the <option>approved_by_default</option> value. The

113

default is <quote>0s</quote>, i.e. not to wait.

127

default is <quote>PT0S</quote>, i.e. not to wait.

114

128

</para>

115

129

<para>

116

130

The format of <replaceable>TIME</replaceable> is the same

160

174

This option is <emphasis>optional</emphasis>.

161

175

</para>

162

176

<para>

163

This option allows you to override the default shell

164

command that the server will use to check if the client is

165

still up. Any output of the command will be ignored, only

166

the exit code is checked: If the exit code of the command

167

is zero, the client is considered up. The command will be

168

run using <quote><command><filename>/bin/sh</filename>

177

This option overrides the default shell command that the

178

server will use to check if the client is still up. Any

179

output of the command will be ignored, only the exit code

180

is checked: If the exit code of the command is zero, the

181

client is considered up. The command will be run using

182

169

183

<option>-c</option></command></quote>, so

170

184

<varname>PATH</varname> will be searched. The default

171

185

value for the checker command is <quote><literal

172

186

><command>fping</command> <option>-q</option> <option

173

>--</option> %%(host)s</literal></quote>.

187

>--</option> %%(host)s</literal></quote>. Note that

188

<command>mandos-keygen</command>, when generating output

189

to be inserted into this file, normally looks for an SSH

190

server on the Mandos client, and, if it finds one, outputs

191

a <option>checker</option> option to check for the

192

client’s SSH key fingerprint – this is more secure against

193

spoofing.

174

194

</para>

175

195

<para>

176

196

In addition to normal start time expansion, this option

181

201

</varlistentry>

182

202

183

203

204

<term><option>extended_timeout<literal> = </literal><replaceable

205

>TIME</replaceable></option></term>

206

207

<para>

208

This option is <emphasis>optional</emphasis>.

209

</para>

210

<para>

211

Extended timeout is an added timeout that is given once

212

after a password has been sent successfully to a client.

213

The timeout is by default longer than the normal timeout,

214

and is used for handling the extra long downtime while a

215

machine is booting up. Time to take into consideration

216

when changing this value is file system checks and quota

217

checks. The default value is 15 minutes.

218

</para>

219

<para>

220

The format of <replaceable>TIME</replaceable> is the same

221

as for <varname>timeout</varname> below.

222

</para>

223

</listitem>

224

</varlistentry>

225

226

184

227

<term><option>fingerprint<literal> = </literal

185

228

><replaceable>HEXSTRING</replaceable></option></term>

186

229

187

230

<para>

188

This option is <emphasis>required</emphasis>.

189

</para>

190

<para>

191

This option sets the OpenPGP fingerprint that identifies

192

the public key that clients authenticate themselves with

193

through TLS. The string needs to be in hexidecimal form,

194

but spaces or upper/lower case are not significant.

231

This option is <emphasis>required</emphasis> if the

232

<option>key_id</option> is not set, and

233

<emphasis>optional</emphasis> otherwise.

234

</para>

235

<para>

236

This option sets the OpenPGP fingerprint that (before

237

GnuTLS 3.6.0) identified the public key that clients

238

authenticate themselves with through TLS. The string

239

needs to be in hexadecimal form, but spaces or upper/lower

240

case are not significant.

241

</para>

242

</listitem>

243

</varlistentry>

244

245

246

<term><option>key_id<literal> = </literal

247

><replaceable>HEXSTRING</replaceable></option></term>

248

249

<para>

250

This option is <emphasis>required</emphasis> if the

251

<option>fingerprint</option> is not set, and

252

<emphasis>optional</emphasis> otherwise.

253

</para>

254

<para>

255

This option sets the certificate key ID that (with GnuTLS

256

3.6.6 or later) identifies the public key that clients

257

authenticate themselves with through TLS. The string

258

needs to be in hexadecimal form, but spaces or upper/lower

259

case are not significant.

195

260

</para>

196

261

</listitem>

197

262

</varlistentry>

228

293

will wait for a checker to complete until the below

229

294

<quote><varname>timeout</varname></quote> occurs, at which

230

295

time the client will be disabled, and any running checker

231

killed. The default interval is 5 minutes.

296

killed. The default interval is 2 minutes.

232

297

</para>

233

298

<para>

234

299

The format of <replaceable>TIME</replaceable> is the same

272

337

<para>

273

338

If present, this option must be set to a string of

274

339

base64-encoded binary data. It will be decoded and sent

275

to the client matching the above

276

<option>fingerprint</option>. This should, of course, be

277

OpenPGP encrypted data, decryptable only by the client.

340

to the client matching the above <option>key_id</option>

341

or <option>fingerprint</option>. This should, of course,

342

be OpenPGP encrypted data, decryptable only by the client.

278

343

The program <citerefentry><refentrytitle><command

279

344

>mandos-keygen</command></refentrytitle><manvolnum

280

345

>8</manvolnum></citerefentry> can, using its

298

363

This option is <emphasis>optional</emphasis>.

299

364

</para>

300

365

<para>

301

The timeout is how long the server will wait (for either a

302

successful checker run or a client receiving its secret)

303

until a client is disabled and not allowed to get the data

304

this server holds. By default Mandos will use 1 hour.

305

</para>

306

<para>

307

The <replaceable>TIME</replaceable> is specified as a

308

space-separated number of values, each of which is a

309

number and a one-character suffix. The suffix must be one

310

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

311

<quote>h</quote>, and <quote>w</quote> for days, seconds,

312

minutes, hours, and weeks, respectively. The values are

313

added together to give the total time value, so all of

314

<quote><literal>330s</literal></quote>,

315

<quote><literal>110s 110s 110s</literal></quote>, and

316

<quote><literal>5m 30s</literal></quote> will give a value

317

of five minutes and thirty seconds.

366

The timeout is how long the server will wait, after a

367

successful checker run, until a client is disabled and not

368

allowed to get the data this server holds. By default

369

Mandos will use 5 minutes. See also the

370

<option>extended_timeout</option> option.

371

</para>

372

<para>

373

The <replaceable>TIME</replaceable> is specified as an RFC

374

3339 duration; for example

375

<quote><literal>P1Y2M3DT4H5M6S</literal></quote> meaning

376

one year, two months, three days, four hours, five

377

minutes, and six seconds. Some values can be omitted, see

378

RFC 3339 Appendix A for details.

379

</para>

380

</listitem>

381

</varlistentry>

382

383

384

<term><option>enabled<literal> = </literal>{ <literal

385

>1</literal> | <literal>yes</literal> | <literal>true</literal

386

> | <literal >on</literal> | <literal>0</literal> | <literal

387

>no</literal> | <literal>false</literal> | <literal

388

>off</literal> }</option></term>

389

390

<para>

391

Whether this client should be enabled by default. The

392

default is <quote>true</quote>.

318

393

</para>

319

394

</listitem>

320

395

</varlistentry>

364

439

<quote><literal>approval_duration</literal></quote>,

365

440

<quote><literal>created</literal></quote>,

366

441

<quote><literal>enabled</literal></quote>,

442

<quote><literal>expires</literal></quote>,

443

<quote><literal>key_id</literal></quote>,

367

444

<quote><literal>fingerprint</literal></quote>,

368

445

<quote><literal>host</literal></quote>,

369

446

<quote><literal>interval</literal></quote>,

412

489

<literal>%(<replaceable>foo</replaceable>)s</literal> is

413

490

obscure.

414

491

</para>

492

<xi:include href="bugs.xml"/>

415

493

</refsect1>

416

494

417

495

419

497

420

498

421

499

[DEFAULT]

422

timeout = 1h

423

interval = 5m

500

timeout = PT5M

501

interval = PT2M

424

502

checker = fping -q -- %%(host)s

425

503

426

504

# Client "foo"

427

505

[foo]

506

key_id = 788cd77115cd0bb7b2d5e0ae8496f6b48149d5e712c652076b1fd2d957ef7c1f

428

507

fingerprint = 7788 2722 5BA7 DE53 9C5A 7CFA 59CF F7CD BD9A 5920

429

508

secret =

430

509

hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234

443

522

4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O

444

523

QlnHIvPzEArRQLo=

445

524

host = foo.example.org

446

interval = 1m

525

interval = PT1M

447

526

448

527

# Client "bar"

449

528

[bar]

529

key_id = F90C7A81D72D1EA69A51031A91FF8885F36C8B46D155C8C58709A4C99AE9E361

450

530

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

451

531

secfile = /etc/mandos/bar-secret

452

timeout = 15m

532

timeout = PT15M

453

533

approved_by_default = False

454

approval_delay = 30s

534

approval_delay = PT30S

455

535

</programlisting>

456

536

</informalexample>

457

537

</refsect1>

459

539

460

540

461

541

<para>

542

<citerefentry><refentrytitle>intro</refentrytitle>

543

<manvolnum>8mandos</manvolnum></citerefentry>,

462

544

<citerefentry><refentrytitle>mandos-keygen</refentrytitle>

463

545

<manvolnum>8</manvolnum></citerefentry>,

464

546

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

465

547

<manvolnum>5</manvolnum></citerefentry>,

466

548

<citerefentry><refentrytitle>mandos</refentrytitle>

549

<manvolnum>8</manvolnum></citerefentry>,

550

<citerefentry><refentrytitle>fping</refentrytitle>

467

551

468

552

</para>

553

554

555

<term>

556

RFC 3339: <citetitle>Date and Time on the Internet:

557

Timestamps</citetitle>

558

</term>

559

560

<para>

561

The time intervals are in the "duration" format, as

562

specified in ABNF in Appendix A of RFC 3339.

563

</para>

564

</listitem>

565

</varlistentry>

566

</variablelist>

469

567

</refsect1>

470

568

</refentry>

471

569

Older »