/mandos/release : revision 84

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-08-17 22:42:28 UTC
Revision ID: teddy@fukt.bsnet.se-20080817224228-nhor2yuv230if01i

* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do
                           not rely on a stylesheet declaration.

* mandos.xml: Removed <?xml-stylesheet>.  New entity "&OVERVIEW;"
              refers to "overview.xml". Changed all single quotes to
              double quotes for consistency.
  (DESCRIPTION): Use the term "TLS" and not "GnuTLS" for the protocol.
                 Refer to the "OVERVIEW" section for reason for IPv6
                 link-local addresses.
  (PURPOSE): Shortened a lot.  Refer to "OVERVIEW" section for details.
  (OVERVIEW): New section.  Include &OVERVIEW; and add a paragraph
              about what the role of this program is.
  (SECURITY/CLIENTS): Refer to the "CHECKING" section for details on
                      checking.
  (SEE ALSO): Changed from an <itemizedlist> to a <variablelist>.
              Added a short text for each entry.  Removed reference to
              plugin-runner(8mandos).  Add reference to RFC 4291 and
              RFC 4346.

* overview.xml: New file, containing a single <para>.  The idea is to
                use this in all the man pages.

* plugins.d/password-request.c: Updated comments about spurious
                                warnings.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

legalnotice.xml

mandos-list

mandos-options.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-10-03">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY OVERVIEW SYSTEM "overview.xml">

<title>Mandos Manual</title>

<title>&COMMANDNAME;</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<firstname>Björn</firstname>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Gives encrypted passwords to authenticated Mandos clients

Sends encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--version</option></arg>

</cmdsynopsis>

100

<command>&COMMANDNAME;</command>

101

<arg choice="plain"><option>--check</option></arg>

<arg choice="opt">--interface<arg choice="plain">IF</arg></arg>

<arg choice="opt">--address<arg choice="plain">ADDRESS</arg></arg>

<arg choice="opt">--priority<arg choice="plain">PRIORITY</arg></arg>

<arg choice="opt">--servicename<arg choice="plain">NAME</arg></arg>

<arg choice="opt">--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg choice="opt">--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="opt">-a<arg choice="plain">ADDRESS</arg></arg>

<arg choice="opt">--priority<arg choice="plain">PRIORITY</arg></arg>

<arg choice="opt">--servicename<arg choice="plain">NAME</arg></arg>

<arg choice="opt">--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg choice="opt">--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

100

<arg choice="plain">--version</arg>

101

</cmdsynopsis>

102

103

<command>&COMMANDNAME;</command>

104

<arg choice="plain">--check</arg>

102

105

</cmdsynopsis>

103

106

</refsynopsisdiv>

104

107

105

108

106

109

<title>DESCRIPTION</title>

107

110

<para>

116

119

Any authenticated client is then given the stored pre-encrypted

117

120

password for that specific client.

118

121

</para>

122

119

123

</refsect1>

120

124

121

125

122

126

<title>PURPOSE</title>

127

123

128

<para>

124

129

The purpose of this is to enable <emphasis>remote and unattended

125

130

rebooting</emphasis> of client host computer with an

126

131

<emphasis>encrypted root file system</emphasis>. See <xref

127

132

linkend="overview"/> for details.

128

133

</para>

134

129

135

</refsect1>

130

136

131

137

132

138

<title>OPTIONS</title>

139

133

140

134

141

135

136

142

137

143

138

144

<para>

139

145

Show a help message and exit

140

146

</para>

141

147

</listitem>

142

148

</varlistentry>

143

144

145

<term><option>--interface</option>

146

147

148

149

150

<xi:include href="mandos-options.xml" xpointer="interface"/>

151

</listitem>

152

</varlistentry>

153

154

155

<term><option>--address

156

<replaceable>ADDRESS</replaceable></option></term>

157

<term><option>-a

158

<replaceable>ADDRESS</replaceable></option></term>

159

160

<xi:include href="mandos-options.xml" xpointer="address"/>

161

</listitem>

162

</varlistentry>

163

164

165

<term><option>--port

166

167

<term><option>-p

168

169

170

<xi:include href="mandos-options.xml" xpointer="port"/>

171

</listitem>

172

</varlistentry>

173

174

175

<term><option>--check</option></term>

149

150

151

<term><literal>-i</literal>, <literal>--interface <replaceable>

152

IF</replaceable></literal></term>

153

154

<para>

155

Only announce the server and listen to requests on network

156

interface <replaceable>IF</replaceable>. Default is to

157

use all available interfaces.

158

</para>

159

</listitem>

160

</varlistentry>

161

162

163

<term><literal>-a</literal>, <literal>--address <replaceable>

164

ADDRESS</replaceable></literal></term>

165

166

<para>

167

If this option is used, the server will only listen to a

168

specific address. This must currently be an IPv6 address;

169

an IPv4 address can be specified using the

170

<quote><literal>::FFFF:192.0.2.3</literal></quote> syntax.

171

Also, if a link-local address is specified, an interface

172

should be set, since a link-local address is only valid on

173

a single interface. By default, the server will listen to

174

all available addresses.

175

</para>

176

</listitem>

177

</varlistentry>

178

179

180

181

PORT</replaceable></literal></term>

182

183

<para>

184

If this option is used, the server to bind to that

185

port. By default, the server will listen to an arbitrary

186

port given by the operating system.

187

</para>

188

</listitem>

189

</varlistentry>

190

191

192

<term><literal>--check</literal></term>

176

193

177

194

<para>

178

195

Run the server’s self-tests. This includes any unit

180

197

</para>

181

198

</listitem>

182

199

</varlistentry>

183

184

185

<term><option>--debug</option></term>

186

187

<xi:include href="mandos-options.xml" xpointer="debug"/>

188

</listitem>

189

</varlistentry>

190

191

192

<term><option>--priority <replaceable>

193

PRIORITY</replaceable></option></term>

194

195

<xi:include href="mandos-options.xml" xpointer="priority"/>

196

</listitem>

197

</varlistentry>

198

199

200

<term><option>--servicename

201

202

203

<xi:include href="mandos-options.xml"

204

xpointer="servicename"/>

205

</listitem>

206

</varlistentry>

207

208

209

<term><option>--configdir

210

<replaceable>DIRECTORY</replaceable></option></term>

200

201

202

<term><literal>--debug</literal></term>

203

204

<para>

205

If the server is run in debug mode, it will run in the

206

foreground and print a lot of debugging information. The

207

default is <emphasis>not</emphasis> to run in debug mode.

208

</para>

209

</listitem>

210

</varlistentry>

211

212

213

<term><literal>--priority <replaceable>

214

PRIORITY</replaceable></literal></term>

215

216

<para>

217

GnuTLS priority string for the TLS handshake with the

218

clients. The default is

219

<quote><literal>SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP</literal></quote>.

220

See <citerefentry><refentrytitle>gnutls_priority_init

221

</refentrytitle><manvolnum>3</manvolnum></citerefentry>

222

for the syntax. <emphasis>Warning</emphasis>: changing

223

this may make the TLS handshake fail, making communication

224

with clients impossible.

225

</para>

226

</listitem>

227

</varlistentry>

228

229

230

<term><literal>--servicename <replaceable>NAME</replaceable>

231

</literal></term>

232

233

<para>

234

Zeroconf service name. The default is

235

<quote><literal>Mandos</literal></quote>. You only need

236

to change this if you for some reason want to run more

237

than one server on the same <emphasis>host</emphasis>,

238

which would not normally be useful. If there are name

239

collisions on the same <emphasis>network</emphasis>, the

240

newer server will automatically rename itself to

241

<quote><literal>Mandos #2</literal></quote>, and so on;

242

therefore, this option is not needed in that case.

243

</para>

244

</listitem>

245

</varlistentry>

246

247

248

<term><literal>--configdir <replaceable>DIR</replaceable>

249

</literal></term>

211

250

212

251

<para>

213

252

Directory to search for configuration files. Default is

219

258

</para>

220

259

</listitem>

221

260

</varlistentry>

222

261

223

262

224

<term><option>--version</option></term>

263

<term><literal>--version</literal></term>

225

264

226

265

<para>

227

266

Prints the program version and exit.

230

269

</varlistentry>

231

270

</variablelist>

232

271

</refsect1>

233

272

234

273

235

274

<title>OVERVIEW</title>

236

<xi:include href="overview.xml"/>

275

&OVERVIEW;

237

276

<para>

238

277

This program is the server part. It is a normal server program

239

278

and will run in a normal system environment, not in an initial

240

<acronym>RAM</acronym> disk environment.

279

RAM disk environment.

241

280

</para>

242

281

</refsect1>

243

282

244

283

245

284

<title>NETWORK PROTOCOL</title>

246

285

<para>

272

311

273

312

</row>

274

313

<row>

275

314

276

315

277

316

</row>

278

317

<row>

298

337

</row>

299

338

</tbody></tgroup></table>

300

339

</refsect1>

301

340

302

341

303

342

<title>CHECKING</title>

304

343

<para>

308

347

longer eligible to receive the encrypted password. The timeout,

309

348

checker program, and interval between checks can be configured

310

349

both globally and per client; see <citerefentry>

350

<refentrytitle>mandos.conf</refentrytitle>

351

311

352

<refentrytitle>mandos-clients.conf</refentrytitle>

312

353

<manvolnum>5</manvolnum></citerefentry>.

313

354

</para>

314

355

</refsect1>

315

356

316

357

317

358

<title>LOGGING</title>

318

359

<para>

319

The server will send log message with various severity levels to

320

<filename>/dev/log</filename>. With the

360

The server will send log messaged with various severity levels

361

to <filename>/dev/log</filename>. With the

321

362

<option>--debug</option> option, it will log even more messages,

322

363

and also show them on the console.

323

364

</para>

324

365

</refsect1>

325

366

326

367

327

368

<title>EXIT STATUS</title>

328

369

<para>

330

371

critical error is encountered.

331

372

</para>

332

373

</refsect1>

333

334

335

<title>ENVIRONMENT</title>

336

337

338

339

340

<para>

341

To start the configured checker (see <xref

342

linkend="checking"/>), the server uses

343

<filename>/bin/sh</filename>, which in turn uses

344

<varname>PATH</varname> to search for matching commands if

345

an absolute path is not given. See <citerefentry>

346

347

</citerefentry>.

348

</para>

349

</listitem>

350

</varlistentry>

351

</variablelist>

352

</refsect1>

353

354

374

375

355

376

<title>FILES</title>

356

377

<para>

357

378

Use the <option>--configdir</option> option to change where

380

401

</listitem>

381

402

</varlistentry>

382

403

383

<term><filename>/var/run/mandos.pid</filename></term>

404

<term><filename>/var/run/mandos/mandos.pid</filename></term>

384

405

385

406

<para>

386

407

The file containing the process id of

397

418

</para>

398

419

</listitem>

399

420

</varlistentry>

400

401

402

403

<para>

404

This is used to start the configured checker command for

405

each client. See <citerefentry>

406

<refentrytitle>mandos-clients.conf</refentrytitle>

407

<manvolnum>5</manvolnum></citerefentry> for details.

408

</para>

409

</listitem>

410

</varlistentry>

411

421

</variablelist>

412

422

</refsect1>

413

423

414

424

415

425

416

426

<para>

417

427

This server might, on especially fatal errors, emit a Python

418

428

backtrace. This could be considered a feature.

419

429

</para>

420

<para>

421

Currently, if a client is declared <quote>invalid</quote> due to

422

having timed out, the server does not record this fact onto

423

permanent storage. This has some security implications, see

424

<xref linkend="clients"/>.

425

</para>

426

<para>

427

There is currently no way of querying the server of the current

428

status of clients, other than analyzing its <systemitem

429

class="service">syslog</systemitem> output.

430

</para>

431

<para>

432

There is no fine-grained control over logging and debug output.

433

</para>

434

<para>

435

Debug mode is conflated with running in the foreground.

436

</para>

437

<para>

438

The console log messages does not show a time stamp.

439

</para>

440

<para>

441

This server does not check the expire time of clients’ OpenPGP

442

keys.

443

</para>

444

430

</refsect1>

445

446

447

<title>EXAMPLE</title>

431

432

433

<title>EXAMPLES</title>

448

434

449

435

<para>

450

436

Normal invocation needs no options:

451

437

</para>

452

438

<para>

453

<userinput>&COMMANDNAME;</userinput>

439

<userinput>mandos</userinput>

454

440

</para>

455

441

</informalexample>

456

442

463

449

<para>

464

450

465

451

466

<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>

452

<userinput>mandos --debug --configdir ~/mandos --servicename Test</userinput>

467

453

468

454

</para>

469

455

</informalexample>

475

461

<para>

476

462

477

463

478

<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

464

<userinput>mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

479

465

480

466

</para>

481

467

</informalexample>

482

468

</refsect1>

483

469

484

470

485

471

<title>SECURITY</title>

486

472

487

473

<title>SERVER</title>

488

474

<para>

489

Running this <command>&COMMANDNAME;</command> server program

490

should not in itself present any security risk to the host

491

computer running it. The program switches to a non-root user

492

soon after startup.

475

Running this &COMMANDNAME; server program should not in itself

476

present any security risk to the host computer running it.

477

The program does not need any special privileges to run, and

478

is designed to run as a non-root user.

493

479

</para>

494

480

</refsect2>

495

481

496

482

<title>CLIENTS</title>

497

483

<para>

498

484

The server only gives out its stored data to clients which

505

491

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

506

492

<manvolnum>5</manvolnum></citerefentry>)

507

493

<emphasis>must</emphasis> be made non-readable by anyone

508

except the user starting the server (usually root).

494

except the user running the server.

509

495

</para>

510

496

<para>

511

497

As detailed in <xref linkend="checking"/>, the status of all

513

499

compromised if they are gone for too long.

514

500

</para>

515

501

<para>

516

If a client is compromised, its downtime should be duly noted

517

by the server which would therefore declare the client

518

invalid. But if the server was ever restarted, it would

519

re-read its client list from its configuration file and again

520

regard all clients therein as valid, and hence eligible to

521

receive their passwords. Therefore, be careful when

522

restarting servers if it is suspected that a client has, in

523

fact, been compromised by parties who may now be running a

524

fake Mandos client with the keys from the non-encrypted

525

initial <acronym>RAM</acronym> image of the client host. What

526

should be done in that case (if restarting the server program

527

really is necessary) is to stop the server program, edit the

528

configuration file to omit any suspect clients, and restart

529

the server program.

530

</para>

531

<para>

532

502

For more details on client-side security, see

533

<citerefentry><refentrytitle>mandos-client</refentrytitle>

503

<citerefentry><refentrytitle>password-request</refentrytitle>

534

504

<manvolnum>8mandos</manvolnum></citerefentry>.

535

505

</para>

536

506

</refsect2>

537

507

</refsect1>

538

508

539

509

540

510

541

<para>

542

543

<refentrytitle>mandos-clients.conf</refentrytitle>

544

545

<refentrytitle>mandos.conf</refentrytitle>

546

547

<refentrytitle>mandos-client</refentrytitle>

548

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

549

550

</citerefentry>

551

</para>

552

511

553

512

554

513

<term>

514

515

<refentrytitle>password-request</refentrytitle>

516

<manvolnum>8mandos</manvolnum>

517

</citerefentry>

518

</term>

519

520

<para>

521

This is the actual program which talks to this server.

522

Note that it is normally not invoked directly, and is only

523

run in the initial RAM disk environment, and not on a

524

fully started system.

525

</para>

526

</listitem>

527

</varlistentry>

528

529

<term>

555

530

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

556

531

</term>

557

532

574

549

</varlistentry>

575

550

576

551

<term>

577

<ulink url="http://www.gnu.org/software/gnutls/"

578

>GnuTLS</ulink>

552

<ulink

553

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

579

554

</term>

580

555

581

556

<para>

587

562

</varlistentry>

588

563

589

564

<term>

590

RFC 4291: <citetitle>IP Version 6 Addressing

591

Architecture</citetitle>

565

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

566

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

567

Unicast Addresses</citation>

592

568

</term>

593

569

594

595

596

<term>Section 2.2: <citetitle>Text Representation of

597

Addresses</citetitle></term>

598

599

</varlistentry>

600

601

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

602

Address</citetitle></term>

603

604

</varlistentry>

605

606

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

607

Addresses</citetitle></term>

608

609

<para>

610

The clients use IPv6 link-local addresses, which are

611

immediately usable since a link-local addresses is

612

automatically assigned to a network interfaces when it

613

is brought up.

614

</para>

615

</listitem>

616

</varlistentry>

617

</variablelist>

570

<para>

571

The clients use IPv6 link-local addresses, which are

572

immediately usable since a link-local addresses is

573

automatically assigned to a network interfaces when it is

574

brought up.

575

</para>

618

576

</listitem>

619

577

</varlistentry>

620

578

621

579

<term>

622

RFC 4346: <citetitle>The Transport Layer Security (TLS)

623

Protocol Version 1.1</citetitle>

580

<citation>RFC 4346: <citetitle>The Transport Layer Security

581

(TLS) Protocol Version 1.1</citetitle></citation>

624

582

</term>

625

583

626

584

<para>

630

588

</varlistentry>

631

589

632

590

<term>

633

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

591

<citation>RFC 4880: <citetitle>OpenPGP Message

592

Format</citetitle></citation>

634

593

</term>

635

594

636

595

<para>

640

599

</varlistentry>

641

600

642

601

<term>

643

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

644

Security</citetitle>

602

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

603

Transport Layer Security</citetitle></citation>

645

604

</term>

646

605

647

606

<para>

653

612

</variablelist>

654

613

</refsect1>

655

614

</refentry>

656

657

658

659

660

Older »