67
48
<refname><command>&COMMANDNAME;</command></refname>
50
Client for <application>Mandos</application>
75
56
<command>&COMMANDNAME;</command>
76
<arg choice='opt' rep='repeat'>OPTION</arg>
58
<arg choice="plain"><option>--connect
59
<replaceable>ADDRESS</replaceable><literal>:</literal
60
><replaceable>PORT</replaceable></option></arg>
61
<arg choice="plain"><option>-c
62
<replaceable>ADDRESS</replaceable><literal>:</literal
63
><replaceable>PORT</replaceable></option></arg>
67
<arg choice="plain"><option>--interface
68
<replaceable>NAME</replaceable></option></arg>
69
<arg choice="plain"><option>-i
70
<replaceable>NAME</replaceable></option></arg>
74
<arg choice="plain"><option>--pubkey
75
<replaceable>FILE</replaceable></option></arg>
76
<arg choice="plain"><option>-p
77
<replaceable>FILE</replaceable></option></arg>
81
<arg choice="plain"><option>--seckey
82
<replaceable>FILE</replaceable></option></arg>
83
<arg choice="plain"><option>-s
84
<replaceable>FILE</replaceable></option></arg>
88
<option>--priority <replaceable>STRING</replaceable></option>
92
<option>--dh-bits <replaceable>BITS</replaceable></option>
96
<option>--delay <replaceable>SECONDS</replaceable></option>
100
<option>--debug</option>
104
<command>&COMMANDNAME;</command>
106
<arg choice="plain"><option>--help</option></arg>
107
<arg choice="plain"><option>-?</option></arg>
111
<command>&COMMANDNAME;</command>
112
<arg choice="plain"><option>--usage</option></arg>
115
<command>&COMMANDNAME;</command>
117
<arg choice="plain"><option>--version</option></arg>
118
<arg choice="plain"><option>-V</option></arg>
80
123
<refsect1 id="description">
81
124
<title>DESCRIPTION</title>
83
<command>&COMMANDNAME;</command> is a mandos plugin that works
84
like a client program that through avahi detects mandos servers,
85
sets up a gnutls connect and request a encrypted password. Any
86
passwords given is automaticly decrypted and passed to
92
<term><literal>-c</literal>, <literal>--connect=<replaceable>
93
IP</replaceable></literal></term>
96
Connect directly to a sepcified mandos server
102
<term><literal>-d</literal>, <literal>--keydir=<replaceable>
103
KEYDIR</replaceable></literal></term>
106
Directory where the openpgp keyring is
112
<term><literal>-i</literal>, <literal>--interface=
113
<replaceable>INTERFACE</replaceable></literal></term>
116
Interface that Avahi will conntect through
122
<term><literal>-p</literal>, <literal>--pubkey=<replaceable>
123
PUBKEY</replaceable></literal></term>
126
Public openpgp key for gnutls authentication
132
<term><literal>-s</literal>, <literal>--seckey=<replaceable>
133
SECKEY</replaceable></literal></term>
136
Secret openpgp key for gnutls authentication
142
<term><literal>--priority=<replaceable>PRIORITY</replaceable>
152
<term><literal>--dh-bits=<replaceable>BITS</replaceable>
156
dh-bits to use in gnutls communication
162
<term><literal>--debug</literal></term>
171
<term><literal>-?</literal>, <literal>--help</literal></term>
180
<term><literal>--usage</literal></term>
183
Gives a short usage message
189
<term><literal>-V</literal>, <literal>--version</literal></term>
192
Prints the program version
126
<command>&COMMANDNAME;</command> is a client program that
127
communicates with <citerefentry><refentrytitle
128
>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>
129
to get a password. It uses IPv6 link-local addresses to get
130
network connectivity, Zeroconf to find servers, and TLS with an
131
OpenPGP key to ensure authenticity and confidentiality. It
132
keeps running, trying all servers on the network, until it
133
receives a satisfactory reply or a TERM signal is received.
136
This program is not meant to be run directly; it is really meant
137
to run as a plugin of the <application>Mandos</application>
138
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
139
<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the
140
initial <acronym>RAM</acronym> disk environment because it is
141
specified as a <quote>keyscript</quote> in the <citerefentry>
142
<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>
143
</citerefentry> file.
147
<refsect1 id="purpose">
148
<title>PURPOSE</title>
150
The purpose of this is to enable <emphasis>remote and unattended
151
rebooting</emphasis> of client host computer with an
152
<emphasis>encrypted root file system</emphasis>. See <xref
153
linkend="overview"/> for details.
157
<refsect1 id="options">
158
<title>OPTIONS</title>
160
This program is commonly not invoked from the command line; it
161
is normally started by the <application>Mandos</application>
162
plugin runner, see <citerefentry><refentrytitle
163
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
164
</citerefentry>. Any command line options this program accepts
165
are therefore normally provided by the plugin runner, and not
171
<term><option>--connect=<replaceable
172
>ADDRESS</replaceable><literal>:</literal><replaceable
173
>PORT</replaceable></option></term>
175
<replaceable>ADDRESS</replaceable><literal>:</literal
176
><replaceable>PORT</replaceable></option></term>
179
Do not use Zeroconf to locate servers. Connect directly
180
to only one specified <application>Mandos</application>
181
server. Note that an IPv6 address has colon characters in
182
it, so the <emphasis>last</emphasis> colon character is
183
assumed to separate the address from the port number.
186
This option is normally only useful for testing and
193
<term><option>--interface=
194
<replaceable>NAME</replaceable></option></term>
196
<replaceable>NAME</replaceable></option></term>
199
Network interface that will be brought up and scanned for
200
Mandos servers to connect to. The default it
201
<quote><literal>eth0</literal></quote>.
204
If the <option>--connect</option> option is used, this
205
specifies the interface to use to connect to the address
212
<term><option>--pubkey=<replaceable
213
>FILE</replaceable></option></term>
215
<replaceable>FILE</replaceable></option></term>
218
OpenPGP public key file name. The default name is
219
<quote><filename>/conf/conf.d/mandos/pubkey.txt</filename
226
<term><option>--seckey=<replaceable
227
>FILE</replaceable></option></term>
229
<replaceable>FILE</replaceable></option></term>
232
OpenPGP secret key file name. The default name is
233
<quote><filename>/conf/conf.d/mandos/seckey.txt</filename
240
<term><option>--priority=<replaceable
241
>STRING</replaceable></option></term>
243
<xi:include href="../mandos-options.xml"
244
xpointer="priority"/>
249
<term><option>--dh-bits=<replaceable
250
>BITS</replaceable></option></term>
253
Sets the number of bits to use for the prime number in the
254
TLS Diffie-Hellman key exchange. Default is 1024.
260
<term><option>--delay=<replaceable
261
>SECONDS</replaceable></option></term>
264
After bringing the network interface up, the program waits
265
for the interface to arrive in a <quote>running</quote>
266
state before proceeding. During this time, the kernel log
267
level will be lowered to reduce clutter on the system
268
console, alleviating any other plugins which might be
269
using the system console. This option sets the upper
270
limit of seconds to wait. The default is 2.5 seconds.
276
<term><option>--debug</option></term>
279
Enable debug mode. This will enable a lot of output to
280
standard error about what the program is doing. The
281
program will still perform all other functions normally.
284
It will also enable debug mode in the Avahi and GnuTLS
285
libraries, making them print large amounts of debugging
292
<term><option>--help</option></term>
293
<term><option>-?</option></term>
296
Gives a help message about options and their meanings.
302
<term><option>--usage</option></term>
305
Gives a short usage message.
311
<term><option>--version</option></term>
312
<term><option>-V</option></term>
315
Prints the program version.
322
<refsect1 id="overview">
323
<title>OVERVIEW</title>
324
<xi:include href="../overview.xml"/>
326
This program is the client part. It is a plugin started by
327
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
328
<manvolnum>8mandos</manvolnum></citerefentry> which will run in
329
an initial <acronym>RAM</acronym> disk environment.
332
This program could, theoretically, be used as a keyscript in
333
<filename>/etc/crypttab</filename>, but it would then be
334
impossible to enter a password for the encrypted root disk at
335
the console, since this program does not read from the console
336
at all. This is why a separate plugin runner (<citerefentry>
337
<refentrytitle>plugin-runner</refentrytitle>
338
<manvolnum>8mandos</manvolnum></citerefentry>) is used to run
339
both this program and others in in parallel,
340
<emphasis>one</emphasis> of which will prompt for passwords on
345
<refsect1 id="exit_status">
346
<title>EXIT STATUS</title>
348
This program will exit with a successful (zero) exit status if a
349
server could be found and the password received from it could be
350
successfully decrypted and output on standard output. The
351
program will exit with a non-zero exit status only if a critical
352
error occurs. Otherwise, it will forever connect to new
353
<application>Mandos</application> servers as they appear, trying
354
to get a decryptable password and print it.
358
<refsect1 id="environment">
359
<title>ENVIRONMENT</title>
361
This program does not use any environment variables, not even
362
the ones provided by <citerefentry><refentrytitle
363
>cryptsetup</refentrytitle><manvolnum>8</manvolnum>
368
<refsect1 id="files">
372
<term><filename>/conf/conf.d/mandos/pubkey.txt</filename
374
<term><filename>/conf/conf.d/mandos/seckey.txt</filename
378
OpenPGP public and private key files, in <quote>ASCII
379
Armor</quote> format. These are the default file names,
380
they can be changed with the <option>--pubkey</option> and
381
<option>--seckey</option> options.
388
<!-- <refsect1 id="bugs"> -->
389
<!-- <title>BUGS</title> -->
394
<refsect1 id="example">
395
<title>EXAMPLE</title>
397
Note that normally, command line options will not be given
398
directly, but via options for the Mandos <citerefentry
399
><refentrytitle>plugin-runner</refentrytitle>
400
<manvolnum>8mandos</manvolnum></citerefentry>.
404
Normal invocation needs no options, if the network interface
405
is <quote>eth0</quote>:
408
<userinput>&COMMANDNAME;</userinput>
413
Search for Mandos servers (and connect to them) using another
417
<!-- do not wrap this line -->
418
<userinput>&COMMANDNAME; --interface eth1</userinput>
423
Run in debug mode, and use a custom key:
427
<!-- do not wrap this line -->
428
<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>
434
Run in debug mode, with a custom key, and do not use Zeroconf
435
to locate a server; connect directly to the IPv6 address
436
<quote><systemitem class="ipaddress"
437
>2001:db8:f983:bd0b:30de:ae4a:71f2:f672</systemitem></quote>,
438
port 4711, using interface eth2:
442
<!-- do not wrap this line -->
443
<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2</userinput>
449
<refsect1 id="security">
450
<title>SECURITY</title>
452
This program is set-uid to root, but will switch back to the
453
original (and presumably non-privileged) user and group after
454
bringing up the network interface.
457
To use this program for its intended purpose (see <xref
458
linkend="purpose"/>), the password for the root file system will
459
have to be given out to be stored in a server computer, after
460
having been encrypted using an OpenPGP key. This encrypted data
461
which will be stored in a server can only be decrypted by the
462
OpenPGP key, and the data will only be given out to those
463
clients who can prove they actually have that key. This key,
464
however, is stored unencrypted on the client side in its initial
465
<acronym>RAM</acronym> disk image file system. This is normally
466
readable by all, but this is normally fixed during installation
467
of this program; file permissions are set so that no-one is able
471
The only remaining weak point is that someone with physical
472
access to the client hard drive might turn off the client
473
computer, read the OpenPGP keys directly from the hard drive,
474
and communicate with the server. To safeguard against this, the
475
server is supposed to notice the client disappearing and stop
476
giving out the encrypted data. Therefore, it is important to
477
set the timeout and checker interval values tightly on the
478
server. See <citerefentry><refentrytitle
479
>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
482
It will also help if the checker program on the server is
483
configured to request something from the client which can not be
484
spoofed by someone else on the network, unlike unencrypted
485
<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
488
<emphasis>Note</emphasis>: This makes it completely insecure to
489
have <application >Mandos</application> clients which dual-boot
490
to another operating system which is <emphasis>not</emphasis>
491
trusted to keep the initial <acronym>RAM</acronym> disk image
496
<refsect1 id="see_also">
497
<title>SEE ALSO</title>
499
<citerefentry><refentrytitle>cryptsetup</refentrytitle>
500
<manvolnum>8</manvolnum></citerefentry>,
501
<citerefentry><refentrytitle>crypttab</refentrytitle>
502
<manvolnum>5</manvolnum></citerefentry>,
503
<citerefentry><refentrytitle>mandos</refentrytitle>
504
<manvolnum>8</manvolnum></citerefentry>,
505
<citerefentry><refentrytitle>password-prompt</refentrytitle>
506
<manvolnum>8mandos</manvolnum></citerefentry>,
507
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
508
<manvolnum>8mandos</manvolnum></citerefentry>
513
<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
517
Zeroconf is the network protocol standard used for finding
518
Mandos servers on the local network.
524
<ulink url="http://www.avahi.org/">Avahi</ulink>
528
Avahi is the library this program calls to find Zeroconf
535
<ulink url="http://www.gnu.org/software/gnutls/"
540
GnuTLS is the library this client uses to implement TLS for
541
communicating securely with the server, and at the same time
542
send the public OpenPGP key to the server.
548
<ulink url="http://www.gnupg.org/related_software/gpgme/"
553
GPGME is the library used to decrypt the OpenPGP data sent
560
RFC 4291: <citetitle>IP Version 6 Addressing
561
Architecture</citetitle>
566
<term>Section 2.2: <citetitle>Text Representation of
567
Addresses</citetitle></term>
568
<listitem><para/></listitem>
571
<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6
572
Address</citetitle></term>
573
<listitem><para/></listitem>
576
<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast
577
Addresses</citetitle></term>
580
This client uses IPv6 link-local addresses, which are
581
immediately usable since a link-local addresses is
582
automatically assigned to a network interfaces when it
592
RFC 4346: <citetitle>The Transport Layer Security (TLS)
593
Protocol Version 1.1</citetitle>
597
TLS 1.1 is the protocol implemented by GnuTLS.
603
RFC 4880: <citetitle>OpenPGP Message Format</citetitle>
607
The data received from the server is binary encrypted
614
RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
619
This is implemented by GnuTLS and used by this program so
620
that OpenPGP keys can be used.
628
<!-- Local Variables: -->
629
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
630
<!-- time-stamp-end: "[\"']>" -->
631
<!-- time-stamp-format: "%:y-%02m-%02d" -->