1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY COMMANDNAME "mandos">
5
<!ENTITY TIMESTAMP "2012-01-01">
6
<!ENTITY % common SYSTEM "common.ent">
10
8
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
<title>Mandos Manual</title>
10
<title>&COMMANDNAME;</title>
13
11
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
16
<date>&TIMESTAMP;</date>
12
<productname>&COMMANDNAME;</productname>
13
<productnumber>&VERSION;</productnumber>
19
16
<firstname>Björn</firstname>
20
17
<surname>Påhlsson</surname>
22
<email>belorn@recompile.se</email>
19
<email>belorn@fukt.bsnet.se</email>
26
23
<firstname>Teddy</firstname>
27
24
<surname>Hogeborn</surname>
29
<email>teddy@recompile.se</email>
26
<email>teddy@fukt.bsnet.se</email>
39
32
<holder>Teddy Hogeborn</holder>
40
33
<holder>Björn Påhlsson</holder>
42
<xi:include href="legalnotice.xml"/>
37
This manual page is free software: you can redistribute it
38
and/or modify it under the terms of the GNU General Public
39
License as published by the Free Software Foundation,
40
either version 3 of the License, or (at your option) any
45
This manual page is distributed in the hope that it will
46
be useful, but WITHOUT ANY WARRANTY; without even the
47
implied warranty of MERCHANTABILITY or FITNESS FOR A
48
PARTICULAR PURPOSE. See the GNU General Public License
53
You should have received a copy of the GNU General Public
54
License along with this program; If not, see
55
<ulink url="http://www.gnu.org/licenses/"/>.
46
61
<refentrytitle>&COMMANDNAME;</refentrytitle>
47
62
<manvolnum>8</manvolnum>
51
66
<refname><command>&COMMANDNAME;</command></refname>
53
Gives encrypted passwords to authenticated Mandos clients
68
Sends encrypted passwords to authenticated Mandos clients
59
74
<command>&COMMANDNAME;</command>
61
<arg choice="plain"><option>--interface
62
<replaceable>NAME</replaceable></option></arg>
63
<arg choice="plain"><option>-i
64
<replaceable>NAME</replaceable></option></arg>
68
<arg choice="plain"><option>--address
69
<replaceable>ADDRESS</replaceable></option></arg>
70
<arg choice="plain"><option>-a
71
<replaceable>ADDRESS</replaceable></option></arg>
75
<arg choice="plain"><option>--port
76
<replaceable>PORT</replaceable></option></arg>
77
<arg choice="plain"><option>-p
78
<replaceable>PORT</replaceable></option></arg>
81
<arg><option>--priority
82
<replaceable>PRIORITY</replaceable></option></arg>
84
<arg><option>--servicename
85
<replaceable>NAME</replaceable></option></arg>
87
<arg><option>--configdir
88
<replaceable>DIRECTORY</replaceable></option></arg>
90
<arg><option>--debug</option></arg>
92
<arg><option>--debuglevel
93
<replaceable>LEVEL</replaceable></option></arg>
95
<arg><option>--no-dbus</option></arg>
97
<arg><option>--no-ipv6</option></arg>
99
<arg><option>--no-restore</option></arg>
101
<arg><option>--statedir
102
<replaceable>DIRECTORY</replaceable></option></arg>
75
<arg>--interface<arg choice="plain">NAME</arg></arg>
76
<arg>--address<arg choice="plain">ADDRESS</arg></arg>
77
<arg>--port<arg choice="plain">PORT</arg></arg>
78
<arg>--priority<arg choice="plain">PRIORITY</arg></arg>
79
<arg>--servicename<arg choice="plain">NAME</arg></arg>
80
<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
84
<command>&COMMANDNAME;</command>
85
<arg>-i<arg choice="plain">NAME</arg></arg>
86
<arg>-a<arg choice="plain">ADDRESS</arg></arg>
87
<arg>-p<arg choice="plain">PORT</arg></arg>
88
<arg>--priority<arg choice="plain">PRIORITY</arg></arg>
89
<arg>--servicename<arg choice="plain">NAME</arg></arg>
90
<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
105
94
<command>&COMMANDNAME;</command>
106
95
<group choice="req">
107
<arg choice="plain"><option>--help</option></arg>
108
<arg choice="plain"><option>-h</option></arg>
96
<arg choice="plain">-h</arg>
97
<arg choice="plain">--help</arg>
112
101
<command>&COMMANDNAME;</command>
113
<arg choice="plain"><option>--version</option></arg>
102
<arg choice="plain">--version</arg>
116
105
<command>&COMMANDNAME;</command>
117
<arg choice="plain"><option>--check</option></arg>
106
<arg choice="plain">--check</arg>
119
108
</refsynopsisdiv>
121
110
<refsect1 id="description">
122
111
<title>DESCRIPTION</title>
124
113
<command>&COMMANDNAME;</command> is a server daemon which
125
114
handles incoming request for passwords for a pre-defined list of
126
client host computers. For an introduction, see
127
<citerefentry><refentrytitle>intro</refentrytitle>
128
<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server
129
uses Zeroconf to announce itself on the local network, and uses
130
TLS to communicate securely with and to authenticate the
131
clients. The Mandos server uses IPv6 to allow Mandos clients to
132
use IPv6 link-local addresses, since the clients will probably
133
not have any other addresses configured (see <xref
134
linkend="overview"/>). Any authenticated client is then given
135
the stored pre-encrypted password for that specific client.
115
client host computers. The Mandos server uses Zeroconf to
116
announce itself on the local network, and uses TLS to
117
communicate securely with and to authenticate the clients. The
118
Mandos server uses IPv6 to allow Mandos clients to use IPv6
119
link-local addresses, since the clients will probably not have
120
any other addresses configured (see <xref linkend="overview"/>).
121
Any authenticated client is then given the stored pre-encrypted
122
password for that specific client.
139
127
<refsect1 id="purpose">
140
128
<title>PURPOSE</title>
142
131
The purpose of this is to enable <emphasis>remote and unattended
143
132
rebooting</emphasis> of client host computer with an
144
133
<emphasis>encrypted root file system</emphasis>. See <xref
145
134
linkend="overview"/> for details.
149
139
<refsect1 id="options">
150
140
<title>OPTIONS</title>
153
<term><option>--help</option></term>
154
<term><option>-h</option></term>
144
<term><literal>-h</literal>, <literal>--help</literal></term>
157
147
Show a help message and exit
163
<term><option>--interface</option>
164
<replaceable>NAME</replaceable></term>
165
<term><option>-i</option>
166
<replaceable>NAME</replaceable></term>
153
<term><literal>-i</literal>, <literal>--interface <replaceable
154
>NAME</replaceable></literal></term>
168
156
<xi:include href="mandos-options.xml" xpointer="interface"/>
173
<term><option>--address
174
<replaceable>ADDRESS</replaceable></option></term>
176
<replaceable>ADDRESS</replaceable></option></term>
161
<term><literal>-a</literal>, <literal>--address <replaceable>
162
ADDRESS</replaceable></literal></term>
178
164
<xi:include href="mandos-options.xml" xpointer="address"/>
184
<replaceable>PORT</replaceable></option></term>
186
<replaceable>PORT</replaceable></option></term>
169
<term><literal>-p</literal>, <literal>--port <replaceable>
170
PORT</replaceable></literal></term>
188
172
<xi:include href="mandos-options.xml" xpointer="port"/>
193
<term><option>--check</option></term>
177
<term><literal>--check</literal></term>
196
180
Run the server’s self-tests. This includes any unit
203
<term><option>--debug</option></term>
187
<term><literal>--debug</literal></term>
205
189
<xi:include href="mandos-options.xml" xpointer="debug"/>
210
<term><option>--debuglevel
211
<replaceable>LEVEL</replaceable></option></term>
214
Set the debugging log level.
215
<replaceable>LEVEL</replaceable> is a string, one of
216
<quote><literal>CRITICAL</literal></quote>,
217
<quote><literal>ERROR</literal></quote>,
218
<quote><literal>WARNING</literal></quote>,
219
<quote><literal>INFO</literal></quote>, or
220
<quote><literal>DEBUG</literal></quote>, in order of
221
increasing verbosity. The default level is
222
<quote><literal>WARNING</literal></quote>.
228
<term><option>--priority <replaceable>
229
PRIORITY</replaceable></option></term>
194
<term><literal>--priority <replaceable>
195
PRIORITY</replaceable></literal></term>
231
197
<xi:include href="mandos-options.xml" xpointer="priority"/>
236
<term><option>--servicename
237
<replaceable>NAME</replaceable></option></term>
202
<term><literal>--servicename <replaceable>NAME</replaceable>
239
205
<xi:include href="mandos-options.xml"
240
206
xpointer="servicename"/>
245
<term><option>--configdir
246
<replaceable>DIRECTORY</replaceable></option></term>
211
<term><literal>--configdir <replaceable>DIR</replaceable>
249
215
Directory to search for configuration files. Default is
367
301
</tbody></tgroup></table>
370
304
<refsect1 id="checking">
371
305
<title>CHECKING</title>
373
307
The server will, by default, continually check that the clients
374
308
are still up. If a client has not been confirmed as being up
375
309
for some time, the client is assumed to be compromised and is no
376
longer eligible to receive the encrypted password. (Manual
377
intervention is required to re-enable a client.) The timeout,
378
extended timeout, checker program, and interval between checks
379
can be configured both globally and per client; see
380
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
381
<manvolnum>5</manvolnum></citerefentry>. A client successfully
382
receiving its password will also be treated as a successful
387
<refsect1 id="approval">
388
<title>APPROVAL</title>
390
The server can be configured to require manual approval for a
391
client before it is sent its secret. The delay to wait for such
392
approval and the default action (approve or deny) can be
393
configured both globally and per client; see <citerefentry>
310
longer eligible to receive the encrypted password. The timeout,
311
checker program, and interval between checks can be configured
312
both globally and per client; see <citerefentry>
394
313
<refentrytitle>mandos-clients.conf</refentrytitle>
395
<manvolnum>5</manvolnum></citerefentry>. By default all clients
396
will be approved immediately without delay.
399
This can be used to deny a client its secret if not manually
400
approved within a specified time. It can also be used to make
401
the server delay before giving a client its secret, allowing
402
optional manual denying of this specific client.
314
<manvolnum>5</manvolnum></citerefentry>.
407
318
<refsect1 id="logging">
408
319
<title>LOGGING</title>
410
321
The server will send log message with various severity levels to
411
<filename class="devicefile">/dev/log</filename>. With the
322
<filename>/dev/log</filename>. With the
412
323
<option>--debug</option> option, it will log even more messages,
413
324
and also show them on the console.
417
<refsect1 id="dbus_interface">
418
<title>D-BUS INTERFACE</title>
420
The server will by default provide a D-Bus system bus interface.
421
This interface will only be accessible by the root user or a
422
Mandos-specific user, if such a user exists. For documentation
423
of the D-Bus API, see the file <filename>DBUS-API</filename>.
427
328
<refsect1 id="exit_status">
428
329
<title>EXIT STATUS</title>
614
511
compromised if they are gone for too long.
514
If a client is compromised, its downtime should be duly noted
515
by the server which would therefore declare the client
516
invalid. But if the server was ever restarted, it would
517
re-read its client list from its configuration file and again
518
regard all clients therein as valid, and hence eligible to
519
receive their passwords. Therefore, be careful when
520
restarting servers if it is suspected that a client has, in
521
fact, been compromised by parties who may now be running a
522
fake Mandos client with the keys from the non-encrypted
523
initial RAM image of the client host. What should be done in
524
that case (if restarting the server program really is
525
necessary) is to stop the server program, edit the
526
configuration file to omit any suspect clients, and restart
617
530
For more details on client-side security, see
618
<citerefentry><refentrytitle>mandos-client</refentrytitle>
531
<citerefentry><refentrytitle>password-request</refentrytitle>
619
532
<manvolnum>8mandos</manvolnum></citerefentry>.
624
537
<refsect1 id="see_also">
625
538
<title>SEE ALSO</title>
627
<citerefentry><refentrytitle>intro</refentrytitle>
628
<manvolnum>8mandos</manvolnum></citerefentry>,
629
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
630
<manvolnum>5</manvolnum></citerefentry>,
631
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
632
<manvolnum>5</manvolnum></citerefentry>,
633
<citerefentry><refentrytitle>mandos-client</refentrytitle>
634
<manvolnum>8mandos</manvolnum></citerefentry>,
635
<citerefentry><refentrytitle>sh</refentrytitle>
636
<manvolnum>1</manvolnum></citerefentry>
541
<refentrytitle>mandos.conf</refentrytitle>
542
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
543
<refentrytitle>mandos-clients.conf</refentrytitle>
544
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
545
<refentrytitle>password-request</refentrytitle>
546
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
547
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
676
RFC 4291: <citetitle>IP Version 6 Addressing
677
Architecture</citetitle>
588
<citation>RFC 4291: <citetitle>IP Version 6 Addressing
589
Architecture</citetitle>, section 2.5.6, Link-Local IPv6
590
Unicast Addresses</citation>
682
<term>Section 2.2: <citetitle>Text Representation of
683
Addresses</citetitle></term>
684
<listitem><para/></listitem>
687
<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6
688
Address</citetitle></term>
689
<listitem><para/></listitem>
692
<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast
693
Addresses</citetitle></term>
696
The clients use IPv6 link-local addresses, which are
697
immediately usable since a link-local addresses is
698
automatically assigned to a network interfaces when it
594
The clients use IPv6 link-local addresses, which are
595
immediately usable since a link-local addresses is
596
automatically assigned to a network interfaces when it is
708
RFC 4346: <citetitle>The Transport Layer Security (TLS)
709
Protocol Version 1.1</citetitle>
603
<citation>RFC 4346: <citetitle>The Transport Layer Security
604
(TLS) Protocol Version 1.1</citetitle></citation>