/mandos/release : revision 24.1.185

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Björn Påhlsson
Date: 2011-10-02 13:45:45 UTC
mto: (237.7.53 trunk)
mto: This revision was merged to the branch mainline in revision 286.
Revision ID: belorn@fukt.bsnet.se-20111002134545-oytmfbl15r8lsm6p

working transition code for going between se.bsnet.fukt to se.recompile

files added:
DBUS-API

dbus-mandos.conf

debian/source

debian/source/format

intro.xml

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

files modified:
.bzrignore

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.docs

debian/rules

debian/watch

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2009-09-17">

<!ENTITY TIMESTAMP "2011-08-08">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

112

117

<para>

113

118

<command>&COMMANDNAME;</command> is a server daemon which

114

119

handles incoming request for passwords for a pre-defined list of

115

client host computers. The Mandos server uses Zeroconf to

116

announce itself on the local network, and uses TLS to

117

communicate securely with and to authenticate the clients. The

118

Mandos server uses IPv6 to allow Mandos clients to use IPv6

119

link-local addresses, since the clients will probably not have

120

any other addresses configured (see <xref linkend="overview"/>).

121

Any authenticated client is then given the stored pre-encrypted

122

password for that specific client.

120

client host computers. For an introduction, see

121

<citerefentry><refentrytitle>intro</refentrytitle>

122

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

123

uses Zeroconf to announce itself on the local network, and uses

124

TLS to communicate securely with and to authenticate the

125

clients. The Mandos server uses IPv6 to allow Mandos clients to

126

use IPv6 link-local addresses, since the clients will probably

127

not have any other addresses configured (see <xref

128

linkend="overview"/>). Any authenticated client is then given

129

the stored pre-encrypted password for that specific client.

123

130

</para>

124

131

</refsect1>

125

132

194

201

</varlistentry>

195

202

196

203

204

<term><option>--debuglevel

205

<replaceable>LEVEL</replaceable></option></term>

206

207

<para>

208

Set the debugging log level.

209

<replaceable>LEVEL</replaceable> is a string, one of

210

<quote><literal>CRITICAL</literal></quote>,

211

<quote><literal>ERROR</literal></quote>,

212

<quote><literal>WARNING</literal></quote>,

213

<quote><literal>INFO</literal></quote>, or

214

<quote><literal>DEBUG</literal></quote>, in order of

215

increasing verbosity. The default level is

216

<quote><literal>WARNING</literal></quote>.

217

</para>

218

</listitem>

219

</varlistentry>

220

221

197

222

<term><option>--priority <replaceable>

198

223

PRIORITY</replaceable></option></term>

199

224

329

354

for some time, the client is assumed to be compromised and is no

330

355

longer eligible to receive the encrypted password. (Manual

331

356

intervention is required to re-enable a client.) The timeout,

332

checker program, and interval between checks can be configured

333

both globally and per client; see <citerefentry>

334

<refentrytitle>mandos-clients.conf</refentrytitle>

357

extended timeout, checker program, and interval between checks

358

can be configured both globally and per client; see

359

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

335

360

<manvolnum>5</manvolnum></citerefentry>. A client successfully

336

361

receiving its password will also be treated as a successful

337

362

checker run.

338

363

</para>

339

364

</refsect1>

340

365

366

367

<title>APPROVAL</title>

368

<para>

369

The server can be configured to require manual approval for a

370

client before it is sent its secret. The delay to wait for such

371

approval and the default action (approve or deny) can be

372

configured both globally and per client; see <citerefentry>

373

<refentrytitle>mandos-clients.conf</refentrytitle>

374

<manvolnum>5</manvolnum></citerefentry>. By default all clients

375

will be approved immediately without delay.

376

</para>

377

<para>

378

This can be used to deny a client its secret if not manually

379

approved within a specified time. It can also be used to make

380

the server delay before giving a client its secret, allowing

381

optional manual denying of this specific client.

382

</para>

383

384

</refsect1>

385

341

386

342

387

<title>LOGGING</title>

343

388

<para>

353

398

<para>

354

399

The server will by default provide a D-Bus system bus interface.

355

400

This interface will only be accessible by the root user or a

356

Mandos-specific user, if such a user exists.

357

401

Mandos-specific user, if such a user exists. For documentation

402

of the D-Bus API, see the file <filename>DBUS-API</filename>.

358

403

</para>

359

404

</refsect1>

360

405

418

463

<term><filename>/var/run/mandos.pid</filename></term>

419

464

420

465

<para>

421

The file containing the process id of

422

<command>&COMMANDNAME;</command>.

466

The file containing the process id of the

467

<command>&COMMANDNAME;</command> process started last.

423

468

</para>

424

469

</listitem>

425

470

</varlistentry>

453

498

backtrace. This could be considered a feature.

454

499

</para>

455

500

<para>

456

Currently, if a client is declared <quote>invalid</quote> due to

457

having timed out, the server does not record this fact onto

458

permanent storage. This has some security implications, see

459

<xref linkend="clients"/>.

460

</para>

461

<para>

462

There is currently no way of querying the server of the current

463

status of clients, other than analyzing its <systemitem

464

class="service">syslog</systemitem> output.

501

Currently, if a client is disabled due to having timed out, the

502

server does not record this fact onto permanent storage. This

503

has some security implications, see <xref linkend="clients"/>.

465

504

</para>

466

505

<para>

467

506

There is no fine-grained control over logging and debug output.

549

588

</para>

550

589

<para>

551

590

If a client is compromised, its downtime should be duly noted

552

by the server which would therefore declare the client

553

invalid. But if the server was ever restarted, it would

554

re-read its client list from its configuration file and again

555

regard all clients therein as valid, and hence eligible to

556

receive their passwords. Therefore, be careful when

557

restarting servers if it is suspected that a client has, in

558

fact, been compromised by parties who may now be running a

559

fake Mandos client with the keys from the non-encrypted

560

initial <acronym>RAM</acronym> image of the client host. What

561

should be done in that case (if restarting the server program

562

really is necessary) is to stop the server program, edit the

563

configuration file to omit any suspect clients, and restart

564

the server program.

591

by the server which would therefore disable the client. But

592

if the server was ever restarted, it would re-read its client

593

list from its configuration file and again regard all clients

594

therein as enabled, and hence eligible to receive their

595

passwords. Therefore, be careful when restarting servers if

596

it is suspected that a client has, in fact, been compromised

597

by parties who may now be running a fake Mandos client with

598

the keys from the non-encrypted initial <acronym>RAM</acronym>

599

image of the client host. What should be done in that case

600

(if restarting the server program really is necessary) is to

601

stop the server program, edit the configuration file to omit

602

any suspect clients, and restart the server program.

565

603

</para>

566

604

<para>

567

605

For more details on client-side security, see

574

612

575

613

576

614

<para>

577

578

<refentrytitle>mandos-clients.conf</refentrytitle>

579

580

<refentrytitle>mandos.conf</refentrytitle>

581

582

<refentrytitle>mandos-client</refentrytitle>

583

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

584

585

</citerefentry>

615

<citerefentry><refentrytitle>intro</refentrytitle>

616

<manvolnum>8mandos</manvolnum></citerefentry>,

617

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

618

<manvolnum>5</manvolnum></citerefentry>,

619

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

620

<manvolnum>5</manvolnum></citerefentry>,

621

<citerefentry><refentrytitle>mandos-client</refentrytitle>

622

<manvolnum>8mandos</manvolnum></citerefentry>,

623

624

586

625

</para>

587

626

588

627

Older »