/mandos/release : revision 322

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2014-08-06 20:56:55 UTC
Revision ID: teddy@recompile.se-20140806205655-lq7xkfr3b9pbwr6l

Tags: version-1.6.8-1

* Makefile (version): Changed to "1.6.8".
* NEWS (Version 1.6.8): New entry.
* debian/changelog (1.6.8-1): - '' -

files added:
initramfs-tools-hook-conf

files removed:
bugs.xml

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2023-10-21">

<!ENTITY TIMESTAMP "2014-06-22">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

119

</arg>

120

<sbr/>

121

100

<arg>

122

<option>--dh-params <replaceable>FILE</replaceable></option>

123

</arg>

124

<sbr/>

125

<arg>

126

101

<option>--delay <replaceable>SECONDS</replaceable></option>

127

102

</arg>

128

103

<sbr/>

169

144

brings up network interfaces, uses the interfaces’ IPv6

170

145

link-local addresses to get network connectivity, uses Zeroconf

171

146

to find servers on the local network, and communicates with

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

147

servers using TLS with an OpenPGP key to ensure authenticity and

148

confidentiality. This client program keeps running, trying all

149

servers on the network, until it receives a satisfactory reply

150

or a TERM signal. After all servers have been tried, all

176

151

servers are periodically retried. If no servers are found it

177

152

will wait indefinitely for new servers to appear.

178

153

</para>

196

171

</para>

197

172

<para>

198

173

This program is not meant to be run directly; it is really meant

199

to be run by other programs in the initial

200

<acronym>RAM</acronym> disk environment; see <xref

201

linkend="overview"/>.

174

to run as a plugin of the <application>Mandos</application>

175

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

176

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

177

initial <acronym>RAM</acronym> disk environment because it is

178

specified as a <quote>keyscript</quote> in the <citerefentry>

179

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

180

</citerefentry> file.

202

181

</para>

203

182

</refsect1>

204

183

216

195

<title>OPTIONS</title>

217

196

<para>

218

197

This program is commonly not invoked from the command line; it

219

is normally started by another program as described in <xref

220

linkend="description"/>. Any command line options this program

221

accepts are therefore normally provided by the invoking program,

222

and not directly.

198

is normally started by the <application>Mandos</application>

199

plugin runner, see <citerefentry><refentrytitle

200

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

201

</citerefentry>. Any command line options this program accepts

202

are therefore normally provided by the plugin runner, and not

203

directly.

223

204

</para>

224

205

225

206

316

297

</varlistentry>

317

298

318

299

319

<term><option>--tls-pubkey=<replaceable

320

>FILE</replaceable></option></term>

321

<term><option>-T

322

323

324

<para>

325

TLS raw public key file name. The default name is

326

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

327

></quote>.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--tls-privkey=<replaceable

334

>FILE</replaceable></option></term>

335

<term><option>-t

336

337

338

<para>

339

TLS secret key file name. The default name is

340

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

341

></quote>.

342

</para>

343

</listitem>

344

</varlistentry>

345

346

347

300

<term><option>--priority=<replaceable

348

301

>STRING</replaceable></option></term>

349

302

358

311

359

312

<para>

360

313

Sets the number of bits to use for the prime number in the

361

TLS Diffie-Hellman key exchange. The default value is

362

selected automatically based on the GnuTLS security

363

profile set in its priority string. Note that if the

364

<option>--dh-params</option> option is used, the values

365

from that file will be used instead.

366

</para>

367

</listitem>

368

</varlistentry>

369

370

371

<term><option>--dh-params=<replaceable

372

>FILE</replaceable></option></term>

373

374

<para>

375

Specifies a PEM-encoded PKCS#3 file to read the parameters

376

needed by the TLS Diffie-Hellman key exchange from. If

377

this option is not given, or if the file for some reason

378

could not be used, the parameters will be generated on

379

startup, which will take some time and processing power.

380

Those using servers running under time, power or processor

381

constraints may want to generate such a file in advance

382

and use this option.

314

TLS Diffie-Hellman key exchange. Default is 1024.

383

315

</para>

384

316

</listitem>

385

317

</varlistentry>

476

408

<title>OVERVIEW</title>

477

409

<xi:include href="../overview.xml"/>

478

410

<para>

479

This program is the client part. It is run automatically in an

480

initial <acronym>RAM</acronym> disk environment.

481

</para>

482

<para>

483

In an initial <acronym>RAM</acronym> disk environment using

484

<citerefentry><refentrytitle>systemd</refentrytitle>

485

<manvolnum>1</manvolnum></citerefentry>, this program is started

486

by the <application>Mandos</application> <citerefentry>

487

<refentrytitle>password-agent</refentrytitle>

488

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn is

489

started automatically by the <citerefentry>

490

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

491

</citerefentry> <quote>Password Agent</quote> system.

492

</para>

493

<para>

494

In the case of a non-<citerefentry>

495

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

496

</citerefentry> environment, this program is started as a plugin

497

of the <application>Mandos</application> <citerefentry>

498

<refentrytitle>plugin-runner</refentrytitle>

499

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

500

initial <acronym>RAM</acronym> disk environment because it is

501

specified as a <quote>keyscript</quote> in the <citerefentry>

502

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

503

</citerefentry> file.

411

This program is the client part. It is a plugin started by

412

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

413

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

414

an initial <acronym>RAM</acronym> disk environment.

504

415

</para>

505

416

<para>

506

417

This program could, theoretically, be used as a keyscript in

507

418

<filename>/etc/crypttab</filename>, but it would then be

508

419

impossible to enter a password for the encrypted root disk at

509

420

the console, since this program does not read from the console

510

at all.

421

at all. This is why a separate plugin runner (<citerefentry>

422

<refentrytitle>plugin-runner</refentrytitle>

423

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

424

both this program and others in in parallel,

425

<emphasis>one</emphasis> of which (<citerefentry>

426

<refentrytitle>password-prompt</refentrytitle>

427

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

428

passwords on the system console.

511

429

</para>

512

430

</refsect1>

513

431

526

444

527

445

528

446

<title>ENVIRONMENT</title>

529

530

531

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

532

533

<para>

534

This environment variable will be assumed to contain the

535

directory containing any helper executables. The use and

536

nature of these helper executables, if any, is purposely

537

not documented.

538

</para>

539

</listitem>

540

</varlistentry>

541

</variablelist>

542

447

<para>

543

This program does not use any other environment variables, not

544

even the ones provided by <citerefentry><refentrytitle

448

This program does not use any environment variables, not even

449

the ones provided by <citerefentry><refentrytitle

545

450

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

546

451

</citerefentry>.

547

452

</para>

734

639

</listitem>

735

640

</varlistentry>

736

641

737

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

738

></term>

739

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

740

></term>

741

742

<para>

743

Public and private raw key files, in <quote>PEM</quote>

744

format. These are the default file names, they can be

745

changed with the <option>--tls-pubkey</option> and

746

<option>--tls-privkey</option> options.

747

</para>

748

</listitem>

749

</varlistentry>

750

751

642

<term><filename

752

643

class="directory">/lib/mandos/network-hooks.d</filename></term>

753

644

761

652

</variablelist>

762

653

</refsect1>

763

654

764

765

766

<xi:include href="../bugs.xml"/>

767

</refsect1>

655

656

657

658

659

768

660

769

661

770

662

<title>EXAMPLE</title>

771

663

<para>

772

664

Note that normally, command line options will not be given

773

directly, but passed on via the program responsible for starting

774

this program; see <xref linkend="overview"/>.

665

directly, but via options for the Mandos <citerefentry

666

><refentrytitle>plugin-runner</refentrytitle>

667

<manvolnum>8mandos</manvolnum></citerefentry>.

775

668

</para>

776

669

777

670

<para>

794

687

</informalexample>

795

688

796

689

<para>

797

Run in debug mode, and use custom keys:

690

Run in debug mode, and use a custom key:

798

691

</para>

799

692

<para>

800

693

801

694

802

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

695

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

803

696

804

697

</para>

805

698

</informalexample>

806

699

807

700

<para>

808

Run in debug mode, with custom keys, and do not use Zeroconf

701

Run in debug mode, with a custom key, and do not use Zeroconf

809

702

to locate a server; connect directly to the IPv6 link-local

810

703

address <quote><systemitem class="ipaddress"

811

704

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

814

707

<para>

815

708

816

709

817

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

710

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

818

711

819

712

</para>

820

713

</informalexample>

823

716

824

717

<title>SECURITY</title>

825

718

<para>

826

This program assumes that it is set-uid to root, and will switch

827

back to the original (and presumably non-privileged) user and

828

group after bringing up the network interface.

719

This program is set-uid to root, but will switch back to the

720

original (and presumably non-privileged) user and group after

721

bringing up the network interface.

829

722

</para>

830

723

<para>

831

724

To use this program for its intended purpose (see <xref

844

737

<para>

845

738

The only remaining weak point is that someone with physical

846

739

access to the client hard drive might turn off the client

847

computer, read the OpenPGP and TLS keys directly from the hard

848

drive, and communicate with the server. To safeguard against

849

this, the server is supposed to notice the client disappearing

850

and stop giving out the encrypted data. Therefore, it is

851

important to set the timeout and checker interval values tightly

852

on the server. See <citerefentry><refentrytitle

740

computer, read the OpenPGP keys directly from the hard drive,

741

and communicate with the server. To safeguard against this, the

742

server is supposed to notice the client disappearing and stop

743

giving out the encrypted data. Therefore, it is important to

744

set the timeout and checker interval values tightly on the

745

server. See <citerefentry><refentrytitle

853

746

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

854

747

</para>

855

748

<para>

879

772

<manvolnum>5</manvolnum></citerefentry>,

880

773

<citerefentry><refentrytitle>mandos</refentrytitle>

881

774

<manvolnum>8</manvolnum></citerefentry>,

882

<citerefentry><refentrytitle>password-agent</refentrytitle>

775

<citerefentry><refentrytitle>password-prompt</refentrytitle>

883

776

<manvolnum>8mandos</manvolnum></citerefentry>,

884

777

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

885

778

<manvolnum>8mandos</manvolnum></citerefentry>

898

791

</varlistentry>

899

792

900

793

<term>

901

<ulink url="https://www.avahi.org/">Avahi</ulink>

794

<ulink url="http://www.avahi.org/">Avahi</ulink>

902

795

</term>

903

796

904

797

<para>

909

802

</varlistentry>

910

803

911

804

<term>

912

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

805

<ulink url="http://www.gnu.org/software/gnutls/"

806

>GnuTLS</ulink>

913

807

</term>

914

808

915

809

<para>

916

810

GnuTLS is the library this client uses to implement TLS for

917

811

communicating securely with the server, and at the same time

918

send the public key to the server.

812

send the public OpenPGP key to the server.

919

813

</para>

920

814

</listitem>

921

815

</varlistentry>

922

816

923

817

<term>

924

<ulink url="https://www.gnupg.org/related_software/gpgme/"

818

<ulink url="http://www.gnupg.org/related_software/gpgme/"

925

819

>GPGME</ulink>

926

820

</term>

927

821

965

859

</varlistentry>

966

860

967

861

<term>

968

RFC 5246: <citetitle>The Transport Layer Security (TLS)

969

Protocol Version 1.2</citetitle>

862

RFC 4346: <citetitle>The Transport Layer Security (TLS)

863

Protocol Version 1.1</citetitle>

970

864

</term>

971

865

972

866

<para>

973

TLS 1.2 is the protocol implemented by GnuTLS.

867

TLS 1.1 is the protocol implemented by GnuTLS.

974

868

</para>

975

869

</listitem>

976

870

</varlistentry>

987

881

</varlistentry>

988

882

989

883

<term>

990

RFC 7250: <citetitle>Using Raw Public Keys in Transport

991

Layer Security (TLS) and Datagram Transport Layer Security

992

(DTLS)</citetitle>

993

</term>

994

995

<para>

996

This is implemented by GnuTLS in version 3.6.6 and is, if

997

present, used by this program so that raw public keys can be

998

used.

999

</para>

1000

</listitem>

1001

</varlistentry>

1002

1003

<term>

1004

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

884

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

1005

885

Security</citetitle>

1006

886

</term>

1007

887

1008

888

<para>

1009

This is implemented by GnuTLS before version 3.6.0 and is,

1010

if present, used by this program so that OpenPGP keys can be

1011

used.

889

This is implemented by GnuTLS and used by this program so

890

that OpenPGP keys can be used.

1012

891

</para>

1013

892

</listitem>

1014

893

</varlistentry>

Older »