/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk
768 by Teddy Hogeborn
debian/mandos-client.README.Debian: Document the dhparams.pem file.
1
This file documents the next steps to take after installation of the
2
Debian package, and also contain some notes specific to the Debian
3
packaging which are not also in the manual.
4
366 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Improved wording and formatting.
5
* Adding a Client Password to the Server
6
  
7
  The server must be given a password to give back to the client on
8
  boot time.  This password must be a one which can be used to unlock
9
  the root file system device.  On the *client*, run this command:
10
  
11
	mandos-keygen --password
12
  
13
  It will prompt for a password and output a config file section.
14
  This output should be copied to the Mandos server and added to the
15
  file "/etc/mandos/clients.conf" there.
16
17
* Testing that it Works (Without Rebooting)
18
  
19
  After the server has been started with this client's key added, it
20
  is possible to verify that the correct password will be received by
228 by Teddy Hogeborn
* INSTALL: Add instructions on how to set the correct network
21
  this client by running the command, on the client:
22
  
738.1.2 by Teddy Hogeborn
mandos-client: Try to start a plugin to add and remove a local route.
23
	MANDOSPLUGINHELPERDIR=/usr/lib/$(dpkg-architecture \
24
	-qDEB_HOST_MULTIARCH)/mandos/plugin-helpers \
641 by Teddy Hogeborn
Doc fix: Refer to architecture libdir.
25
	/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH \
26
	)/mandos/plugins.d/mandos-client \
228 by Teddy Hogeborn
* INSTALL: Add instructions on how to set the correct network
27
		--pubkey=/etc/keys/mandos/pubkey.txt \
962 by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250)
28
		--seckey=/etc/keys/mandos/seckey.txt \
29
		--tls-privkey=/etc/keys/mandos/tls-privkey.pem \
30
		--tls-pubkey=/etc/keys/mandos/tls-pubkey.pem; echo
228 by Teddy Hogeborn
* INSTALL: Add instructions on how to set the correct network
31
  
32
  This command should retrieve the password from the server, decrypt
304 by Teddy Hogeborn
Four new interrelated features:
33
  it, and output it to standard output.  There it can be verified to
34
  be the correct password, before rebooting.
228 by Teddy Hogeborn
* INSTALL: Add instructions on how to set the correct network
35
505.1.2 by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout.
36
* Emergency Escape
37
  
38
  If it ever should be necessary, the Mandos client can be temporarily
39
  prevented from running at startup by passing the parameter
40
  "mandos=off" to the kernel.
41
42
* Specifying a Client Network Interface
43
  
600 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Update documentation for using
44
  At boot time the network interfaces to use will by default be
45
  automatically detected.  If this should result in incorrect
46
  interfaces, edit the DEVICE setting in the
547 by Björn Påhlsson
adding missing words
47
  "/etc/initramfs-tools/initramfs.conf" file.  (The default setting is
847 by Teddy Hogeborn
Minor documentation fix.
48
  empty, meaning it will autodetect the interfaces.)  *If* the DEVICE
547 by Björn Påhlsson
adding missing words
49
  setting is changed, it will be necessary to update the initrd image
847 by Teddy Hogeborn
Minor documentation fix.
50
  by running this command:
505.1.2 by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout.
51
  
1127 by Teddy Hogeborn
Add dracut(8) support
52
	(For initramfs-tools:)
505.1.2 by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout.
53
	update-initramfs -k all -u
1127 by Teddy Hogeborn
Add dracut(8) support
54
	
55
	(For dracut:)
56
	dpkg-reconfigure dracut
505.1.2 by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout.
57
  
600 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Update documentation for using
58
  The device can also be overridden at boot time on the Linux kernel
505.1.2 by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout.
59
  command line using the sixth colon-separated field of the "ip="
60
  option; for exact syntax, read the documentation in the file
621 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Update Linux documentation link.
61
  "/usr/share/doc/linux-doc-*/Documentation/filesystems/nfs/nfsroot.txt",
505.1.2 by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout.
62
  available in the "linux-doc-*" package.
63
  
600 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Update documentation for using
64
  Note that since the network interfaces are used in the initial RAM
65
  disk environment, the network interfaces *must* exist at that stage.
66
  Thus, an interface can *not* be a pseudo-interface such as "br0" or
1106 by Teddy Hogeborn
Doc fix: Use new style interface names instead of "eth0"
67
  "tun0"; instead, only real interfaces (such as "enp1s0" or "eth0")
68
  can be used. This can be overcome by writing a "network hook"
69
  program to create an interface (see mandos-client(8mandos)) and
70
  placing it in "/etc/mandos/network-hooks.d", from where it will be
71
  copied into the initial RAM disk.  Example network hook scripts can
72
  be found in "/usr/share/doc/mandos-client/examples/network-hooks.d".
505.1.2 by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout.
73
228 by Teddy Hogeborn
* INSTALL: Add instructions on how to set the correct network
74
* User-Supplied Plugins
304 by Teddy Hogeborn
Four new interrelated features:
75
  
366 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Improved wording and formatting.
76
  Any plugins found in "/etc/mandos/plugins.d" will override and add
77
  to the normal Mandos plugins.  When adding or changing plugins, do
1278 by Teddy Hogeborn
Minor documentation improvements
78
  not forget to update the initial RAM disk image:
304 by Teddy Hogeborn
Four new interrelated features:
79
  
1127 by Teddy Hogeborn
Add dracut(8) support
80
	(For initramfs-tools:)
366 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Improved wording and formatting.
81
	update-initramfs -k all -u
1127 by Teddy Hogeborn
Add dracut(8) support
82
	
83
	(For dracut:)
84
	dpkg-reconfigure dracut
228 by Teddy Hogeborn
* INSTALL: Add instructions on how to set the correct network
85
366 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Improved wording and formatting.
86
* Do *NOT* Edit "/etc/crypttab"
304 by Teddy Hogeborn
Four new interrelated features:
87
  
366 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Improved wording and formatting.
88
  It is NOT necessary to edit "/etc/crypttab" to specify
89
  "/usr/lib/mandos/plugin-runner" as a keyscript for the root file
228 by Teddy Hogeborn
* INSTALL: Add instructions on how to set the correct network
90
  system; if no keyscript is given for the root file system, the
91
  Mandos client will be the new default way for getting a password for
92
  the root file system when booting.
93
304 by Teddy Hogeborn
Four new interrelated features:
94
* Non-local Connection (Not Using ZeroConf)
95
  
96
  If the "ip=" kernel command line option is used to specify a
97
  complete IP address and device name, as noted above, it then becomes
98
  possible to specify a specific IP address and port to connect to,
99
  instead of using ZeroConf.  The syntax for doing this is
505.1.2 by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout.
100
  "mandos=connect:<IP_ADDRESS>:<PORT_NUMBER>" on the kernel command
101
  line.
304 by Teddy Hogeborn
Four new interrelated features:
102
  
1279 by Teddy Hogeborn
Document how to add options to mandos-client when using dracut
103
  For very advanced users, it is possible to specify "mandos=connect"
104
  on the kernel command line to make the system only set up the
105
  network (using the data in the "ip=" option) and not pass any extra
106
  "--connect" options to mandos-client at boot.  For this to work,
107
  "--options-for=mandos-client:--connect=<ADDRESS>:<PORT>" needs to be
108
  manually added to the file "/etc/mandos/plugin-runner.conf" or, if
109
  dracut is used with systemd, the "--connect=<ADDRESS>:<PORT>"
110
  options needs to be added to an environment variable in an override
111
  file for the "ask-password-mandos" service, as detailed in the file
112
  "/usr/lib/dracut/modules.d/90mandos/ask-password-mandos.service".
304 by Teddy Hogeborn
Four new interrelated features:
113
768 by Teddy Hogeborn
debian/mandos-client.README.Debian: Document the dhparams.pem file.
114
* Diffie-Hellman Parameters
115
116
  On installation, a file with Diffie-Hellman parameters,
117
  /etc/keys/mandos/dhparams.pem, will be generated and automatically
1278 by Teddy Hogeborn
Minor documentation improvements
118
  installed into the initial RAM disk image and also used by the
768 by Teddy Hogeborn
debian/mandos-client.README.Debian: Document the dhparams.pem file.
119
  Mandos Client on boot.  If different parameters are needed for
120
  policy or other reasons, simply replace the existing dhparams.pem
1278 by Teddy Hogeborn
Minor documentation improvements
121
  file and update the initial RAM disk image.
768 by Teddy Hogeborn
debian/mandos-client.README.Debian: Document the dhparams.pem file.
122
1278 by Teddy Hogeborn
Minor documentation improvements
123
 -- Teddy Hogeborn <teddy@recompile.se>, Sun,  8 Sep 2024 02:09:20 +0200