/mandos/release : revision 237.7.832

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2024-09-08 02:18:57 UTC
mto: This revision was merged to the branch mainline in revision 410.
Revision ID: teddy@recompile.se-20240908021857-821e09dd4mp37h9k

Be more tolerant when a client is misconfigured in clients.conf

* mandos (Client/config_parser): If a client config section in
clients.conf lacks both a fingerprint= and a key_id= setting, show
an error and skip that client instead of crashing.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.maintscript

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/rules

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

debian/watch

default-mandos

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

init.d-mandos

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-03">

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2023-10-21">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for mandos

Client for <application>Mandos</application>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--connect

<replaceable>IPADDR</replaceable><literal>:</literal

<replaceable>ADDRESS</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>IPADDR</replaceable><literal>:</literal

<replaceable>ADDRESS</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--keydir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

<replaceable>NAME</replaceable><arg rep='repeat'

>,<replaceable>NAME</replaceable></arg></option></arg>

<arg choice="plain"><option>-i <replaceable>NAME</replaceable

><arg rep='repeat'>,<replaceable>NAME</replaceable></arg

></option></arg>

</group>

<sbr/>

<group>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

119

</arg>

120

<sbr/>

100

121

<arg>

122

<option>--dh-params <replaceable>FILE</replaceable></option>

123

</arg>

124

<sbr/>

125

<arg>

126

<option>--delay <replaceable>SECONDS</replaceable></option>

127

</arg>

128

<sbr/>

129

<arg>

130

<option>--retry <replaceable>SECONDS</replaceable></option>

131

</arg>

132

<sbr/>

133

<arg>

134

<option>--network-hook-dir

135

136

</arg>

137

<sbr/>

138

<arg>

101

139

<option>--debug</option>

102

140

</arg>

103

141

</cmdsynopsis>

120

158

</group>

121

159

</cmdsynopsis>

122

160

</refsynopsisdiv>

123

161

124

162

125

163

<title>DESCRIPTION</title>

126

164

<para>

127

165

<command>&COMMANDNAME;</command> is a client program that

128

166

communicates with <citerefentry><refentrytitle

129

167

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

130

to get a password. It uses IPv6 link-local addresses to get

131

network connectivity, Zeroconf to find servers, and TLS with an

132

OpenPGP key to ensure authenticity and confidentiality. It

133

keeps running, trying all servers on the network, until it

134

receives a satisfactory reply or a TERM signal is recieved.

168

to get a password. In slightly more detail, this client program

169

brings up network interfaces, uses the interfaces’ IPv6

170

link-local addresses to get network connectivity, uses Zeroconf

171

to find servers on the local network, and communicates with

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

176

servers are periodically retried. If no servers are found it

177

will wait indefinitely for new servers to appear.

178

</para>

179

<para>

180

The network interfaces are selected like this: If any interfaces

181

are specified using the <option>--interface</option> option,

182

those interface are used. Otherwise,

183

<command>&COMMANDNAME;</command> will use all interfaces that

184

are not loopback interfaces, are not point-to-point interfaces,

185

are capable of broadcasting and do not have the NOARP flag (see

186

<citerefentry><refentrytitle>netdevice</refentrytitle>

187

<manvolnum>7</manvolnum></citerefentry>). (If the

188

<option>--connect</option> option is used, point-to-point

189

interfaces and non-broadcast interfaces are accepted.) If any

190

used interfaces are not up and running, they are first taken up

191

(and later taken down again on program exit).

192

</para>

193

<para>

194

Before network interfaces are selected, all <quote>network

195

hooks</quote> are run; see <xref linkend="network-hooks"/>.

135

196

</para>

136

197

<para>

137

198

This program is not meant to be run directly; it is really meant

138

to run as a plugin of the <application>Mandos</application>

139

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

140

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

141

initial <acronym>RAM</acronym> disk environment because it is

142

specified as a <quote>keyscript</quote> in the <citerefentry>

143

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

144

</citerefentry> file.

199

to be run by other programs in the initial

200

<acronym>RAM</acronym> disk environment; see <xref

201

linkend="overview"/>.

145

202

</para>

146

203

</refsect1>

147

204

159

216

<title>OPTIONS</title>

160

217

<para>

161

218

This program is commonly not invoked from the command line; it

162

is normally started by the <application>Mandos</application>

163

plugin runner, see <citerefentry><refentrytitle

164

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

165

</citerefentry>. Any command line options this program accepts

166

are therefore normally provided by the plugin runner, and not

167

directly.

219

is normally started by another program as described in <xref

220

linkend="description"/>. Any command line options this program

221

accepts are therefore normally provided by the invoking program,

222

and not directly.

168

223

</para>

169

224

170

225

184

239

assumed to separate the address from the port number.

185

240

</para>

186

241

<para>

187

This option is normally only useful for testing and

188

debugging.

242

Normally, Zeroconf would be used to locate Mandos servers,

243

in which case this option would only be used when testing

244

and debugging.

189

245

</para>

190

246

</listitem>

191

247

</varlistentry>

192

248

193

249

194

<term><option>--keydir=<replaceable

195

>DIRECTORY</replaceable></option></term>

196

<term><option>-d

197

<replaceable>DIRECTORY</replaceable></option></term>

198

199

<para>

200

Directory to read the OpenPGP key files

201

<filename>pubkey.txt</filename> and

202

<filename>seckey.txt</filename> from. The default is

203

<filename>/conf/conf.d/mandos</filename> (in the initial

204

<acronym>RAM</acronym> disk environment).

205

</para>

206

</listitem>

207

</varlistentry>

208

209

210

<term><option>--interface=

211

250

<term><option>--interface=<replaceable

251

>NAME</replaceable><arg rep='repeat'>,<replaceable

252

>NAME</replaceable></arg></option></term>

212

253

<term><option>-i

213

254

<replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable

255

>NAME</replaceable></arg></option></term>

214

256

215

257

<para>

216

Network interface that will be brought up and scanned for

217

Mandos servers to connect to. The default it

218

<quote><literal>eth0</literal></quote>.

258

Comma separated list of network interfaces that will be

259

brought up and scanned for Mandos servers to connect to.

260

The default is the empty string, which will automatically

261

use all appropriate interfaces.

262

</para>

263

<para>

264

If the <option>--connect</option> option is used, and

265

exactly one interface name is specified (except

266

<quote><literal>none</literal></quote>), this specifies

267

the interface to use to connect to the address given.

268

</para>

269

<para>

270

Note that since this program will normally run in the

271

initial RAM disk environment, the interface must be an

272

interface which exists at that stage. Thus, the interface

273

can normally not be a pseudo-interface such as

274

<quote>br0</quote> or <quote>tun0</quote>; such interfaces

275

will not exist until much later in the boot process, and

276

can not be used by this program, unless created by a

277

<quote>network hook</quote> — see <xref

278

linkend="network-hooks"/>.

279

</para>

280

<para>

281

<replaceable>NAME</replaceable> can be the string

282

<quote><literal>none</literal></quote>; this will make

283

<command>&COMMANDNAME;</command> only bring up interfaces

284

specified <emphasis>before</emphasis> this string. This

285

is not recommended, and only meant for advanced users.

219

286

</para>

220

287

</listitem>

221

288

</varlistentry>

227

294

228

295

229

296

<para>

230

OpenPGP public key file base name. This will be combined

231

with the directory from the <option>--keydir</option>

232

option to form an absolute file name. The default name is

233

<quote><literal>pubkey.txt</literal></quote>.

297

OpenPGP public key file name. The default name is

298

<quote><filename>/conf/conf.d/mandos/pubkey.txt</filename

299

></quote>.

234

300

</para>

235

301

</listitem>

236

302

</varlistentry>

237

303

238

304

239

305

<term><option>--seckey=<replaceable

240

306

>FILE</replaceable></option></term>

242

308

243

309

244

310

<para>

245

OpenPGP secret key file base name. This will be combined

246

with the directory from the <option>--keydir</option>

247

option to form an absolute file name. The default name is

248

<quote><literal>seckey.txt</literal></quote>.

311

OpenPGP secret key file name. The default name is

312

<quote><filename>/conf/conf.d/mandos/seckey.txt</filename

313

></quote>.

249

314

</para>

250

315

</listitem>

251

316

</varlistentry>

252

317

253

318

319

<term><option>--tls-pubkey=<replaceable

320

>FILE</replaceable></option></term>

321

<term><option>-T

322

323

324

<para>

325

TLS raw public key file name. The default name is

326

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

327

></quote>.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--tls-privkey=<replaceable

334

>FILE</replaceable></option></term>

335

<term><option>-t

336

337

338

<para>

339

TLS secret key file name. The default name is

340

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

341

></quote>.

342

</para>

343

</listitem>

344

</varlistentry>

345

346

254

347

<term><option>--priority=<replaceable

255

348

>STRING</replaceable></option></term>

256

349

258

351

xpointer="priority"/>

259

352

</listitem>

260

353

</varlistentry>

261

354

262

355

263

356

<term><option>--dh-bits=<replaceable

264

357

>BITS</replaceable></option></term>

265

358

266

359

<para>

267

360

Sets the number of bits to use for the prime number in the

268

TLS Diffie-Hellman key exchange. Default is 1024.

361

TLS Diffie-Hellman key exchange. The default value is

362

selected automatically based on the GnuTLS security

363

profile set in its priority string. Note that if the

364

<option>--dh-params</option> option is used, the values

365

from that file will be used instead.

366

</para>

367

</listitem>

368

</varlistentry>

369

370

371

<term><option>--dh-params=<replaceable

372

>FILE</replaceable></option></term>

373

374

<para>

375

Specifies a PEM-encoded PKCS#3 file to read the parameters

376

needed by the TLS Diffie-Hellman key exchange from. If

377

this option is not given, or if the file for some reason

378

could not be used, the parameters will be generated on

379

startup, which will take some time and processing power.

380

Those using servers running under time, power or processor

381

constraints may want to generate such a file in advance

382

and use this option.

383

</para>

384

</listitem>

385

</varlistentry>

386

387

388

<term><option>--delay=<replaceable

389

>SECONDS</replaceable></option></term>

390

391

<para>

392

After bringing a network interface up, the program waits

393

for the interface to arrive in a <quote>running</quote>

394

state before proceeding. During this time, the kernel log

395

level will be lowered to reduce clutter on the system

396

console, alleviating any other plugins which might be

397

using the system console. This option sets the upper

398

limit of seconds to wait. The default is 2.5 seconds.

399

</para>

400

</listitem>

401

</varlistentry>

402

403

404

<term><option>--retry=<replaceable

405

>SECONDS</replaceable></option></term>

406

407

<para>

408

All Mandos servers are tried repeatedly until a password

409

is received. This value specifies, in seconds, how long

410

between each successive try <emphasis>for the same

411

server</emphasis>. The default is 10 seconds.

412

</para>

413

</listitem>

414

</varlistentry>

415

416

417

<term><option>--network-hook-dir=<replaceable

418

>DIR</replaceable></option></term>

419

420

<para>

421

Network hook directory. The default directory is

422

<quote><filename class="directory"

423

>/lib/mandos/network-hooks.d</filename></quote>.

269

424

</para>

270

425

</listitem>

271

426

</varlistentry>

304

459

</para>

305

460

</listitem>

306

461

</varlistentry>

307

462

308

463

309

464

<term><option>--version</option></term>

310

465

316

471

</varlistentry>

317

472

</variablelist>

318

473

</refsect1>

319

474

320

475

321

476

<title>OVERVIEW</title>

322

477

<xi:include href="../overview.xml"/>

323

478

<para>

324

This program is the client part. It is a plugin started by

325

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

326

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

327

an initial <acronym>RAM</acronym> disk environment.

479

This program is the client part. It is run automatically in an

480

initial <acronym>RAM</acronym> disk environment.

481

</para>

482

<para>

483

In an initial <acronym>RAM</acronym> disk environment using

484

<citerefentry><refentrytitle>systemd</refentrytitle>

485

<manvolnum>1</manvolnum></citerefentry>, this program is started

486

by the <application>Mandos</application> <citerefentry>

487

<refentrytitle>password-agent</refentrytitle>

488

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn is

489

started automatically by the <citerefentry>

490

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

491

</citerefentry> <quote>Password Agent</quote> system.

492

</para>

493

<para>

494

In the case of a non-<citerefentry>

495

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

496

</citerefentry> environment, this program is started as a plugin

497

of the <application>Mandos</application> <citerefentry>

498

<refentrytitle>plugin-runner</refentrytitle>

499

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

500

initial <acronym>RAM</acronym> disk environment because it is

501

specified as a <quote>keyscript</quote> in the <citerefentry>

502

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

503

</citerefentry> file.

328

504

</para>

329

505

<para>

330

506

This program could, theoretically, be used as a keyscript in

331

507

<filename>/etc/crypttab</filename>, but it would then be

332

508

impossible to enter a password for the encrypted root disk at

333

509

the console, since this program does not read from the console

334

at all. This is why a separate plugin does that, which will be

335

run in parallell to this one by the plugin runner.

510

at all.

336

511

</para>

337

512

</refsect1>

338

513

343

518

server could be found and the password received from it could be

344

519

successfully decrypted and output on standard output. The

345

520

program will exit with a non-zero exit status only if a critical

346

error occurs. Otherwise, it will forever connect to new

347

<application>Mandos</application> servers as they appear, trying

348

to get a decryptable password.

521

error occurs. Otherwise, it will forever connect to any

522

discovered <application>Mandos</application> servers, trying to

523

get a decryptable password and print it.

349

524

</para>

350

525

</refsect1>

351

526

352

527

353

528

<title>ENVIRONMENT</title>

529

530

531

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

532

533

<para>

534

This environment variable will be assumed to contain the

535

directory containing any helper executables. The use and

536

nature of these helper executables, if any, is purposely

537

not documented.

538

</para>

539

</listitem>

540

</varlistentry>

541

</variablelist>

354

542

<para>

355

This program does not use any environment variables, not even

356

the ones provided by <citerefentry><refentrytitle

543

This program does not use any other environment variables, not

544

even the ones provided by <citerefentry><refentrytitle

357

545

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

358

546

</citerefentry>.

359

547

</para>

360

548

</refsect1>

361

549

362

550

551

<title>NETWORK HOOKS</title>

552

<para>

553

If a network interface like a bridge or tunnel is required to

554

find a Mandos server, this requires the interface to be up and

555

running before <command>&COMMANDNAME;</command> starts looking

556

for Mandos servers. This can be accomplished by creating a

557

<quote>network hook</quote> program, and placing it in a special

558

directory.

559

</para>

560

<para>

561

Before the network is used (and again before program exit), any

562

runnable programs found in the network hook directory are run

563

with the argument <quote><literal>start</literal></quote> or

564

<quote><literal>stop</literal></quote>. This should bring up or

565

down, respectively, any network interface which

566

<command>&COMMANDNAME;</command> should use.

567

</para>

568

569

<title>REQUIREMENTS</title>

570

<para>

571

A network hook must be an executable file, and its name must

572

consist entirely of upper and lower case letters, digits,

573

underscores, periods, and hyphens.

574

</para>

575

<para>

576

A network hook will receive one argument, which can be one of

577

the following:

578

</para>

579

580

581

<term><literal>start</literal></term>

582

583

<para>

584

This should make the network hook create (if necessary)

585

and bring up a network interface.

586

</para>

587

</listitem>

588

</varlistentry>

589

590

591

592

<para>

593

This should make the network hook take down a network

594

interface, and delete it if it did not exist previously.

595

</para>

596

</listitem>

597

</varlistentry>

598

599

<term><literal>files</literal></term>

600

601

<para>

602

This should make the network hook print, <emphasis>one

603

file per line</emphasis>, all the files needed for it to

604

run. (These files will be copied into the initial RAM

605

filesystem.) Typical use is for a network hook which is

606

a shell script to print its needed binaries.

607

</para>

608

<para>

609

It is not necessary to print any non-executable files

610

already in the network hook directory, these will be

611

copied implicitly if they otherwise satisfy the name

612

requirements.

613

</para>

614

</listitem>

615

</varlistentry>

616

617

<term><literal>modules</literal></term>

618

619

<para>

620

This should make the network hook print, <emphasis>on

621

separate lines</emphasis>, all the kernel modules needed

622

for it to run. (These modules will be copied into the

623

initial RAM filesystem.) For instance, a tunnel

624

interface needs the

625

<quote><literal>tun</literal></quote> module.

626

</para>

627

</listitem>

628

</varlistentry>

629

</variablelist>

630

<para>

631

The network hook will be provided with a number of environment

632

variables:

633

</para>

634

635

636

<term><envar>MANDOSNETHOOKDIR</envar></term>

637

638

<para>

639

The network hook directory, specified to

640

<command>&COMMANDNAME;</command> by the

641

<option>--network-hook-dir</option> option. Note: this

642

should <emphasis>always</emphasis> be used by the

643

network hook to refer to itself or any files in the hook

644

directory it may require.

645

</para>

646

</listitem>

647

</varlistentry>

648

649

<term><envar>DEVICE</envar></term>

650

651

<para>

652

The network interfaces, as specified to

653

<command>&COMMANDNAME;</command> by the

654

<option>--interface</option> option, combined to one

655

string and separated by commas. If this is set, and

656

does not contain the interface a hook will bring up,

657

there is no reason for a hook to continue.

658

</para>

659

</listitem>

660

</varlistentry>

661

662

663

664

<para>

665

This will be the same as the first argument;

666

i.e. <quote><literal>start</literal></quote>,

667

<quote><literal>stop</literal></quote>,

668

<quote><literal>files</literal></quote>, or

669

<quote><literal>modules</literal></quote>.

670

</para>

671

</listitem>

672

</varlistentry>

673

674

<term><envar>VERBOSITY</envar></term>

675

676

<para>

677

This will be the <quote><literal>1</literal></quote> if

678

the <option>--debug</option> option is passed to

679

<command>&COMMANDNAME;</command>, otherwise

680

<quote><literal>0</literal></quote>.

681

</para>

682

</listitem>

683

</varlistentry>

684

685

<term><envar>DELAY</envar></term>

686

687

<para>

688

This will be the same as the <option>--delay</option>

689

option passed to <command>&COMMANDNAME;</command>. Is

690

only set if <envar>MODE</envar> is

691

<quote><literal>start</literal></quote> or

692

<quote><literal>stop</literal></quote>.

693

</para>

694

</listitem>

695

</varlistentry>

696

697

<term><envar>CONNECT</envar></term>

698

699

<para>

700

This will be the same as the <option>--connect</option>

701

option passed to <command>&COMMANDNAME;</command>. Is

702

only set if <option>--connect</option> is passed and

703

<envar>MODE</envar> is

704

<quote><literal>start</literal></quote> or

705

<quote><literal>stop</literal></quote>.

706

</para>

707

</listitem>

708

</varlistentry>

709

</variablelist>

710

<para>

711

A hook may not read from standard input, and should be

712

restrictive in printing to standard output or standard error

713

unless <varname>VERBOSITY</varname> is

714

<quote><literal>1</literal></quote>.

715

</para>

716

</refsect2>

717

</refsect1>

718

719

363

720

<title>FILES</title>

364

<para>

365

</para>

721

722

723

<term><filename>/conf/conf.d/mandos/pubkey.txt</filename

724

></term>

725

<term><filename>/conf/conf.d/mandos/seckey.txt</filename

726

></term>

727

728

<para>

729

OpenPGP public and private key files, in <quote>ASCII

730

Armor</quote> format. These are the default file names,

731

they can be changed with the <option>--pubkey</option> and

732

<option>--seckey</option> options.

733

</para>

734

</listitem>

735

</varlistentry>

736

737

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

738

></term>

739

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

740

></term>

741

742

<para>

743

Public and private raw key files, in <quote>PEM</quote>

744

format. These are the default file names, they can be

745

changed with the <option>--tls-pubkey</option> and

746

<option>--tls-privkey</option> options.

747

</para>

748

</listitem>

749

</varlistentry>

750

751

<term><filename

752

class="directory">/lib/mandos/network-hooks.d</filename></term>

753

754

<para>

755

Directory where network hooks are located. Change this

756

with the <option>--network-hook-dir</option> option. See

757

<xref linkend="network-hooks"/>.

758

</para>

759

</listitem>

760

</varlistentry>

761

</variablelist>

366

762

</refsect1>

367

763

368

764

369

765

370

<para>

371

</para>

766

<xi:include href="../bugs.xml"/>

372

767

</refsect1>

373

768

374

769

375

770

<title>EXAMPLE</title>

376

771

<para>

772

Note that normally, command line options will not be given

773

directly, but passed on via the program responsible for starting

774

this program; see <xref linkend="overview"/>.

377

775

</para>

776

777

<para>

778

Normal invocation needs no options, if the network interfaces

779

can be automatically determined:

780

</para>

781

<para>

782

<userinput>&COMMANDNAME;</userinput>

783

</para>

784

</informalexample>

785

786

<para>

787

Search for Mandos servers (and connect to them) using one

788

specific interface:

789

</para>

790

<para>

791

792

<userinput>&COMMANDNAME; --interface eth1</userinput>

793

</para>

794

</informalexample>

795

796

<para>

797

Run in debug mode, and use custom keys:

798

</para>

799

<para>

800

801

802

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

803

804

</para>

805

</informalexample>

806

807

<para>

808

Run in debug mode, with custom keys, and do not use Zeroconf

809

to locate a server; connect directly to the IPv6 link-local

810

address <quote><systemitem class="ipaddress"

811

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

812

using interface eth2:

813

</para>

814

<para>

815

816

817

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

818

819

</para>

820

</informalexample>

378

821

</refsect1>

379

822

380

823

381

824

<title>SECURITY</title>

382

825

<para>

826

This program assumes that it is set-uid to root, and will switch

827

back to the original (and presumably non-privileged) user and

828

group after bringing up the network interface.

829

</para>

830

<para>

831

To use this program for its intended purpose (see <xref

832

linkend="purpose"/>), the password for the root file system will

833

have to be given out to be stored in a server computer, after

834

having been encrypted using an OpenPGP key. This encrypted data

835

which will be stored in a server can only be decrypted by the

836

OpenPGP key, and the data will only be given out to those

837

clients who can prove they actually have that key. This key,

838

however, is stored unencrypted on the client side in its initial

839

<acronym>RAM</acronym> disk image file system. This is normally

840

readable by all, but this is normally fixed during installation

841

of this program; file permissions are set so that no-one is able

842

to read that file.

843

</para>

844

<para>

845

The only remaining weak point is that someone with physical

846

access to the client hard drive might turn off the client

847

computer, read the OpenPGP and TLS keys directly from the hard

848

drive, and communicate with the server. To safeguard against

849

this, the server is supposed to notice the client disappearing

850

and stop giving out the encrypted data. Therefore, it is

851

important to set the timeout and checker interval values tightly

852

on the server. See <citerefentry><refentrytitle

853

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

854

</para>

855

<para>

856

It will also help if the checker program on the server is

857

configured to request something from the client which can not be

858

spoofed by someone else on the network, like SSH server key

859

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

860

echo (<quote>ping</quote>) replies.

861

</para>

862

<para>

863

<emphasis>Note</emphasis>: This makes it completely insecure to

864

have <application >Mandos</application> clients which dual-boot

865

to another operating system which is <emphasis>not</emphasis>

866

trusted to keep the initial <acronym>RAM</acronym> disk image

867

confidential.

383

868

</para>

384

869

</refsect1>

385

870

386

871

387

872

388

873

<para>

874

<citerefentry><refentrytitle>intro</refentrytitle>

875

<manvolnum>8mandos</manvolnum></citerefentry>,

876

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

877

<manvolnum>8</manvolnum></citerefentry>,

878

<citerefentry><refentrytitle>crypttab</refentrytitle>

879

<manvolnum>5</manvolnum></citerefentry>,

389

880

<citerefentry><refentrytitle>mandos</refentrytitle>

390

881

<manvolnum>8</manvolnum></citerefentry>,

391

<citerefentry><refentrytitle>password-prompt</refentrytitle>

882

<citerefentry><refentrytitle>password-agent</refentrytitle>

392

883

<manvolnum>8mandos</manvolnum></citerefentry>,

393

884

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

394

885

<manvolnum>8mandos</manvolnum></citerefentry>

395

886

</para>

396

397

398

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

399

</para></listitem>

400

401

402

<ulink url="http://www.avahi.org/">Avahi</ulink>

403

</para></listitem>

404

405

406

<ulink

407

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

408

</para></listitem>

409

410

411

<ulink

412

url="http://www.gnupg.org/related_software/gpgme/"

413

>GPGME</ulink>

414

</para></listitem>

415

416

417

<citation>RFC 4880: <citetitle>OpenPGP Message

418

Format</citetitle></citation>

419

</para></listitem>

420

421

422

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

423

Transport Layer Security</citetitle></citation>

424

</para></listitem>

425

426

427

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

428

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

429

Unicast Addresses</citation>

430

</para></listitem>

431

</itemizedlist>

887

888

889

<term>

890

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

891

</term>

892

893

<para>

894

Zeroconf is the network protocol standard used for finding

895

Mandos servers on the local network.

896

</para>

897

</listitem>

898

</varlistentry>

899

900

<term>

901

<ulink url="https://www.avahi.org/">Avahi</ulink>

902

</term>

903

904

<para>

905

Avahi is the library this program calls to find Zeroconf

906

services.

907

</para>

908

</listitem>

909

</varlistentry>

910

911

<term>

912

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

913

</term>

914

915

<para>

916

GnuTLS is the library this client uses to implement TLS for

917

communicating securely with the server, and at the same time

918

send the public key to the server.

919

</para>

920

</listitem>

921

</varlistentry>

922

923

<term>

924

<ulink url="https://www.gnupg.org/related_software/gpgme/"

925

>GPGME</ulink>

926

</term>

927

928

<para>

929

GPGME is the library used to decrypt the OpenPGP data sent

930

by the server.

931

</para>

932

</listitem>

933

</varlistentry>

934

935

<term>

936

RFC 4291: <citetitle>IP Version 6 Addressing

937

Architecture</citetitle>

938

</term>

939

940

941

942

<term>Section 2.2: <citetitle>Text Representation of

943

Addresses</citetitle></term>

944

945

</varlistentry>

946

947

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

948

Address</citetitle></term>

949

950

</varlistentry>

951

952

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

953

Addresses</citetitle></term>

954

955

<para>

956

This client uses IPv6 link-local addresses, which are

957

immediately usable since a link-local addresses is

958

automatically assigned to a network interface when it

959

is brought up.

960

</para>

961

</listitem>

962

</varlistentry>

963

</variablelist>

964

</listitem>

965

</varlistentry>

966

967

<term>

968

RFC 5246: <citetitle>The Transport Layer Security (TLS)

969

Protocol Version 1.2</citetitle>

970

</term>

971

972

<para>

973

TLS 1.2 is the protocol implemented by GnuTLS.

974

</para>

975

</listitem>

976

</varlistentry>

977

978

<term>

979

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

980

</term>

981

982

<para>

983

The data received from the server is binary encrypted

984

OpenPGP data.

985

</para>

986

</listitem>

987

</varlistentry>

988

989

<term>

990

RFC 7250: <citetitle>Using Raw Public Keys in Transport

991

Layer Security (TLS) and Datagram Transport Layer Security

992

(DTLS)</citetitle>

993

</term>

994

995

<para>

996

This is implemented by GnuTLS in version 3.6.6 and is, if

997

present, used by this program so that raw public keys can be

998

used.

999

</para>

1000

</listitem>

1001

</varlistentry>

1002

1003

<term>

1004

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

1005

Security</citetitle>

1006

</term>

1007

1008

<para>

1009

This is implemented by GnuTLS before version 3.6.0 and is,

1010

if present, used by this program so that OpenPGP keys can be

1011

used.

1012

</para>

1013

</listitem>

1014

</varlistentry>

1015

</variablelist>

432

1016

</refsect1>

433

434

1017

</refentry>

1018

435

1019

436

1020

437

1021

Older »