bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
|
493
by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos". |
1 |
<?xml version="1.0" encoding="UTF-8"?>
|
2 |
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
3 |
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
|
778
by Teddy Hogeborn
Update copyright year. |
4 |
<!ENTITY TIMESTAMP "2015-07-20">
|
|
493
by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos". |
5 |
<!ENTITY % common SYSTEM "common.ent">
|
6 |
%common; |
|
7 |
]> |
|
8 |
||
9 |
<refentry xmlns:xi="http://www.w3.org/2001/XInclude"> |
|
10 |
<refentryinfo> |
|
11 |
<title>Mandos Manual</title> |
|
12 |
<!-- NWalsh’s docbook scripts use this to generate the footer: --> |
|
13 |
<productname>Mandos</productname> |
|
14 |
<productnumber>&version;</productnumber> |
|
15 |
<date>&TIMESTAMP;</date> |
|
16 |
<authorgroup> |
|
17 |
<author> |
|
18 |
<firstname>Björn</firstname> |
|
19 |
<surname>Påhlsson</surname> |
|
20 |
<address> |
|
|
505.1.2
by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout. |
21 |
<email>belorn@recompile.se</email> |
|
493
by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos". |
22 |
</address> |
23 |
</author> |
|
24 |
<author> |
|
25 |
<firstname>Teddy</firstname> |
|
26 |
<surname>Hogeborn</surname> |
|
27 |
<address> |
|
|
505.1.2
by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout. |
28 |
<email>teddy@recompile.se</email> |
|
493
by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos". |
29 |
</address> |
30 |
</author> |
|
31 |
</authorgroup> |
|
32 |
<copyright> |
|
33 |
<year>2011</year> |
|
|
544
by Teddy Hogeborn
Updated year in copyright notices. |
34 |
<year>2012</year> |
|
778
by Teddy Hogeborn
Update copyright year. |
35 |
<year>2013</year> |
36 |
<year>2014</year> |
|
37 |
<year>2015</year> |
|
|
493
by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos". |
38 |
<holder>Teddy Hogeborn</holder> |
39 |
<holder>Björn Påhlsson</holder> |
|
40 |
</copyright> |
|
41 |
<xi:include href="legalnotice.xml"/> |
|
42 |
</refentryinfo> |
|
43 |
|
|
44 |
<refmeta> |
|
45 |
<refentrytitle>intro</refentrytitle> |
|
46 |
<manvolnum>8mandos</manvolnum> |
|
47 |
</refmeta> |
|
48 |
|
|
49 |
<refnamediv> |
|
50 |
<refname>intro</refname> |
|
51 |
<refpurpose> |
|
52 |
Introduction to the Mandos system |
|
53 |
</refpurpose> |
|
54 |
</refnamediv> |
|
55 |
|
|
56 |
<refsect1 id="description"> |
|
57 |
<title>DESCRIPTION</title> |
|
58 |
<para> |
|
59 |
This is the the Mandos system, which allows computers to have |
|
60 |
encrypted root file systems and at the same time be capable of |
|
61 |
remote and/or unattended reboots. |
|
62 |
</para> |
|
63 |
<para> |
|
64 |
The computers run a small client program in the initial RAM disk |
|
65 |
environment which will communicate with a server over a network. |
|
66 |
All network communication is encrypted using TLS. The clients |
|
67 |
are identified by the server using an OpenPGP key; each client |
|
68 |
has one unique to it. The server sends the clients an encrypted |
|
69 |
password. The encrypted password is decrypted by the clients |
|
70 |
using the same OpenPGP key, and the password is then used to |
|
71 |
unlock the root file system, whereupon the computers can |
|
72 |
continue booting normally. |
|
73 |
</para> |
|
74 |
</refsect1> |
|
75 |
|
|
76 |
<refsect1 id="introduction"> |
|
77 |
<title>INTRODUCTION</title> |
|
78 |
<para> |
|
79 |
You know how it is. You’ve heard of it happening. The Man |
|
80 |
comes and takes away your servers, your friends’ servers, the |
|
81 |
servers of everybody in the same hosting facility. The servers |
|
82 |
of their neighbors, and their neighbors’ friends. The servers |
|
83 |
of people who owe them money. And like |
|
84 |
<emphasis>that</emphasis>, they’re gone. And you doubt you’ll |
|
85 |
ever see them again. |
|
86 |
</para> |
|
87 |
<para> |
|
88 |
That is why your servers have encrypted root file systems. |
|
89 |
However, there’s a downside. There’s no going around it: |
|
90 |
rebooting is a pain. Dragging out that rarely-used keyboard and |
|
91 |
screen and unraveling cables behind your servers to plug them in |
|
92 |
to type in that password is messy, especially if you have many |
|
93 |
servers. There are some people who do clever things like using |
|
94 |
serial line consoles and daisy-chain it to the next server, and |
|
95 |
keep all the servers connected in a ring with serial cables, |
|
96 |
which will work, if your servers are physically close enough. |
|
97 |
There are also other out-of-band management solutions, but with |
|
98 |
<emphasis>all</emphasis> these, you still have to be on hand and |
|
99 |
manually type in the password at boot time. Otherwise the |
|
100 |
server just sits there, waiting for a password. |
|
101 |
</para> |
|
102 |
<para> |
|
103 |
Wouldn’t it be great if you could have the security of encrypted |
|
104 |
root file systems and still have servers that could boot up |
|
105 |
automatically if there was a short power outage while you were |
|
106 |
asleep? That you could reboot at will, without having someone |
|
107 |
run over to the server to type in the password? |
|
108 |
</para> |
|
109 |
<para> |
|
110 |
Well, with Mandos, you (almost) can! The gain in convenience |
|
111 |
will only be offset by a small loss in security. The setup is |
|
112 |
as follows: |
|
113 |
</para> |
|
114 |
<para> |
|
115 |
The server will still have its encrypted root file system. The |
|
116 |
password to this file system will be stored on another computer |
|
117 |
(henceforth known as the Mandos server) on the same local |
|
118 |
network. The password will <emphasis>not</emphasis> be stored |
|
119 |
in plaintext, but encrypted with OpenPGP. To decrypt this |
|
120 |
password, a key is needed. This key (the Mandos client key) |
|
121 |
will not be stored there, but back on the original server |
|
122 |
(henceforth known as the Mandos client) in the initial RAM disk |
|
123 |
image. Oh, and all network Mandos client/server communications |
|
124 |
will be encrypted, using TLS (SSL). |
|
125 |
</para> |
|
126 |
<para> |
|
127 |
So, at boot time, the Mandos client will ask for its encrypted |
|
128 |
data over the network, decrypt it to get the password, use it to |
|
129 |
decrypt the root file, and continue booting. |
|
130 |
</para> |
|
131 |
<para> |
|
132 |
Now, of course the initial RAM disk image is not on the |
|
133 |
encrypted root file system, so anyone who had physical access |
|
134 |
could take the Mandos client computer offline and read the disk |
|
135 |
with their own tools to get the authentication keys used by a |
|
136 |
client. <emphasis>But</emphasis>, by then the Mandos server |
|
137 |
should notice that the original server has been offline for too |
|
138 |
long, and will no longer give out the encrypted key. The timing |
|
139 |
here is the only real weak point, and the method, frequency and |
|
140 |
timeout of the server’s checking can be adjusted to any desired |
|
141 |
level of paranoia |
|
142 |
</para> |
|
143 |
<para> |
|
144 |
(The encrypted keys on the Mandos server is on its normal file |
|
145 |
system, so those are safe, provided the root file system of |
|
146 |
<emphasis>that</emphasis> server is encrypted.) |
|
147 |
</para> |
|
148 |
</refsect1> |
|
149 |
|
|
150 |
<refsect1 id="faq"> |
|
151 |
<title>FREQUENTLY ASKED QUESTIONS</title> |
|
152 |
<para> |
|
153 |
Couldn’t the security be defeated by… |
|
154 |
</para> |
|
155 |
<refsect2 id="quick"> |
|
156 |
<title>Grabbing the Mandos client key from the |
|
157 |
initrd <emphasis>really quickly</emphasis>?</title> |
|
158 |
<para> |
|
159 |
This, as mentioned above, is the only real weak point. But if |
|
160 |
you set the timing values tight enough, this will be really |
|
161 |
difficult to do. An attacker would have to physically |
|
162 |
disassemble the client computer, extract the key from the |
|
163 |
initial RAM disk image, and then connect to a <emphasis>still |
|
164 |
online</emphasis> Mandos server to get the encrypted key, and do |
|
165 |
all this <emphasis>before</emphasis> the Mandos server timeout |
|
166 |
kicks in and the Mandos server refuses to give out the key to |
|
167 |
anyone.
|
|
168 |
</para> |
|
169 |
<para> |
|
170 |
Now, as the typical procedure seems to be to barge in and turn |
|
171 |
off and grab <emphasis>all</emphasis> computers, to maybe look |
|
172 |
at them months later, this is not likely. If someone does that, |
|
173 |
the whole system <emphasis>will</emphasis> lock itself up |
|
174 |
completely, since Mandos servers are no longer running. |
|
175 |
</para> |
|
176 |
<para> |
|
177 |
For sophisticated attackers who <emphasis>could</emphasis> do |
|
178 |
the clever thing, <emphasis>and</emphasis> had physical access |
|
179 |
to the server for enough time, it would be simpler to get a key |
|
180 |
for an encrypted file system by using hardware memory scanners |
|
181 |
and reading it right off the memory bus. |
|
182 |
</para> |
|
183 |
</refsect2> |
|
184 |
|
|
185 |
<refsect2 id="replay"> |
|
186 |
<title>Replay attacks?</title> |
|
187 |
<para> |
|
188 |
Nope, the network stuff is all done over TLS, which provides |
|
189 |
protection against that. |
|
190 |
</para> |
|
191 |
</refsect2> |
|
192 |
|
|
193 |
<refsect2 id="mitm"> |
|
194 |
<title>Man-in-the-middle?</title> |
|
195 |
<para> |
|
196 |
No. The server only gives out the passwords to clients which |
|
197 |
have <emphasis>in the TLS handshake</emphasis> proven that |
|
198 |
they do indeed hold the OpenPGP private key corresponding to |
|
199 |
that client. |
|
200 |
</para> |
|
201 |
</refsect2> |
|
202 |
|
|
|
742
by Teddy Hogeborn
Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx. |
203 |
<refsect2 id="sniff"> |
204 |
<title>How about sniffing the network traffic and decrypting it |
|
205 |
later by physically grabbing the Mandos client and using its |
|
206 |
key?</title> |
|
207 |
<para> |
|
208 |
We only use <acronym>PFS</acronym> (Perfect Forward Security) |
|
209 |
key exchange algorithms in TLS, which protects against this. |
|
210 |
</para> |
|
211 |
</refsect2> |
|
212 |
|
|
|
493
by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos". |
213 |
<refsect2 id="physgrab"> |
214 |
<title>Physically grabbing the Mandos server computer?</title> |
|
215 |
<para> |
|
216 |
You could protect <emphasis>that</emphasis> computer the |
|
217 |
old-fashioned way, with a must-type-in-the-password-at-boot |
|
218 |
method. Or you could have two computers be the Mandos server |
|
219 |
for each other. |
|
220 |
</para> |
|
221 |
<para> |
|
222 |
Multiple Mandos servers can coexist on a network without any |
|
223 |
trouble. They do not clash, and clients will try all |
|
224 |
available servers. This means that if just one reboots then |
|
225 |
the other can bring it back up, but if both reboot at the same |
|
226 |
time they will stay down until someone types in the password |
|
227 |
on one of them. |
|
228 |
</para> |
|
229 |
</refsect2> |
|
230 |
|
|
|
708
by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints. |
231 |
<refsect2 id="fakecheck"> |
232 |
<title>Faking checker results?</title> |
|
|
493
by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos". |
233 |
<para> |
|
708
by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints. |
234 |
If the Mandos client does not have an SSH server, the default |
235 |
is for the Mandos server to use |
|
|
493
by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos". |
236 |
<quote><literal>fping</literal></quote>, the replies to which |
237 |
could be faked to eliminate the timeout. But this could |
|
238 |
easily be changed to any shell command, with any security |
|
|
708
by Teddy Hogeborn
mandos-keygen: Generate "checker" option to use SSH fingerprints. |
239 |
measures you like. If the Mandos client |
240 |
<emphasis>has</emphasis> an SSH server, the default |
|
241 |
configuration (as generated by |
|
242 |
<command>mandos-keygen</command> with the |
|
243 |
<option>--password</option> option) is for the Mandos server |
|
244 |
to use an <command>ssh-keyscan</command> command with strict |
|
245 |
keychecking, which can not be faked. Alternatively, IPsec |
|
246 |
could be used for the ping packets, making them secure. |
|
|
493
by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos". |
247 |
</para> |
248 |
</refsect2> |
|
249 |
</refsect1> |
|
250 |
|
|
251 |
<refsect1 id="security"> |
|
252 |
<title>SECURITY</title> |
|
253 |
<para> |
|
254 |
So, in summary: The only weakness in the Mandos system is from |
|
255 |
people who have: |
|
256 |
</para> |
|
257 |
<orderedlist> |
|
258 |
<listitem> |
|
259 |
<para> |
|
260 |
The power to come in and physically take your servers, |
|
261 |
<emphasis>and</emphasis> |
|
262 |
</para> |
|
263 |
</listitem> |
|
264 |
<listitem> |
|
265 |
<para> |
|
266 |
The cunning and patience to do it carefully, one at a time, |
|
267 |
and <emphasis>quickly</emphasis>, faking Mandos |
|
268 |
client/server responses for each one before the timeout. |
|
269 |
</para> |
|
270 |
</listitem> |
|
271 |
</orderedlist> |
|
272 |
<para> |
|
273 |
While there are some who may be threatened by people who have |
|
274 |
<emphasis>both</emphasis> these attributes, they do not, |
|
275 |
probably, constitute the majority. |
|
276 |
</para> |
|
277 |
<para> |
|
278 |
If you <emphasis>do</emphasis> face such opponents, you must |
|
279 |
figure that they could just as well open your servers and read |
|
280 |
the file system keys right off the memory by running wires to |
|
281 |
the memory bus. |
|
282 |
</para> |
|
283 |
<para> |
|
284 |
What Mandos is designed to protect against is |
|
285 |
<emphasis>not</emphasis> such determined, focused, and competent |
|
286 |
attacks, but against the early morning knock on your door and |
|
287 |
the sudden absence of all the servers in your server room. |
|
288 |
Which it does nicely. |
|
289 |
</para> |
|
290 |
</refsect1> |
|
291 |
|
|
292 |
<refsect1 id="plugins"> |
|
293 |
<title>PLUGINS</title> |
|
294 |
<para> |
|
295 |
In the early designs, the |
|
296 |
<citerefentry><refentrytitle>mandos-client</refentrytitle |
|
297 |
><manvolnum>8mandos</manvolnum></citerefentry> program (which |
|
298 |
retrieves a password from the Mandos server) also prompted for a |
|
299 |
password on the terminal, in case a Mandos server could not be |
|
300 |
found. Other ways of retrieving a password could easily be |
|
301 |
envisoned, but this multiplicity of purpose was seen to be too |
|
302 |
complex to be a viable way to continue. Instead, the original |
|
303 |
program was separated into <citerefentry><refentrytitle |
|
304 |
>mandos-client</refentrytitle><manvolnum>8mandos</manvolnum |
|
305 |
></citerefentry> and <citerefentry><refentrytitle |
|
306 |
>password-prompt</refentrytitle><manvolnum>8mandos</manvolnum |
|
307 |
></citerefentry>, and a <citerefentry><refentrytitle |
|
308 |
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum |
|
309 |
></citerefentry> exist to run them both in parallel, allowing |
|
310 |
the first successful plugin to provide the password. This |
|
311 |
opened up for any number of additional plugins to run, all |
|
312 |
competing to be the first to find a password and provide it to |
|
313 |
the plugin runner. |
|
314 |
</para> |
|
315 |
<para> |
|
316 |
Four additional plugins are provided: |
|
317 |
</para> |
|
318 |
<variablelist> |
|
319 |
<varlistentry> |
|
320 |
<term> |
|
321 |
<citerefentry><refentrytitle>plymouth</refentrytitle> |
|
322 |
<manvolnum>8mandos</manvolnum></citerefentry> |
|
323 |
</term> |
|
324 |
<listitem> |
|
325 |
<para> |
|
326 |
This prompts for a password when using <citerefentry> |
|
327 |
<refentrytitle>plymouth</refentrytitle><manvolnum |
|
328 |
>8</manvolnum></citerefentry>. |
|
329 |
</para> |
|
330 |
</listitem> |
|
331 |
</varlistentry> |
|
332 |
<varlistentry> |
|
333 |
<term> |
|
334 |
<citerefentry><refentrytitle>usplash</refentrytitle> |
|
335 |
<manvolnum>8mandos</manvolnum></citerefentry> |
|
336 |
</term> |
|
337 |
<listitem> |
|
338 |
<para> |
|
339 |
This prompts for a password when using <citerefentry> |
|
340 |
<refentrytitle>usplash</refentrytitle><manvolnum |
|
341 |
>8</manvolnum></citerefentry>. |
|
342 |
</para> |
|
343 |
</listitem> |
|
344 |
</varlistentry> |
|
345 |
<varlistentry> |
|
346 |
<term> |
|
347 |
<citerefentry><refentrytitle>splashy</refentrytitle> |
|
348 |
<manvolnum>8mandos</manvolnum></citerefentry> |
|
349 |
</term> |
|
350 |
<listitem> |
|
351 |
<para> |
|
352 |
This prompts for a password when using <citerefentry> |
|
353 |
<refentrytitle>splashy</refentrytitle><manvolnum |
|
354 |
>8</manvolnum></citerefentry>. |
|
355 |
</para> |
|
356 |
</listitem> |
|
357 |
</varlistentry> |
|
358 |
<varlistentry> |
|
359 |
<term> |
|
360 |
<citerefentry><refentrytitle>askpass-fifo</refentrytitle> |
|
361 |
<manvolnum>8mandos</manvolnum></citerefentry> |
|
362 |
</term> |
|
363 |
<listitem> |
|
364 |
<para> |
|
365 |
To provide compatibility with the "askpass" program from |
|
366 |
cryptsetup, this plugin listens to the same FIFO as |
|
367 |
askpass would do. |
|
368 |
</para> |
|
369 |
</listitem> |
|
370 |
</varlistentry> |
|
371 |
</variablelist> |
|
372 |
<para> |
|
373 |
More plugins can easily be written and added by the system |
|
374 |
administrator; see the section called "WRITING PLUGINS" in |
|
375 |
<citerefentry><refentrytitle>plugin-runner</refentrytitle> |
|
376 |
<manvolnum>8mandos</manvolnum></citerefentry> to learn the |
|
377 |
plugin requirements. |
|
378 |
</para> |
|
379 |
</refsect1> |
|
380 |
|
|
381 |
<refsect1 id="see_also"> |
|
382 |
<title>SEE ALSO</title> |
|
383 |
<para> |
|
384 |
<citerefentry><refentrytitle>mandos</refentrytitle> |
|
385 |
<manvolnum>8</manvolnum></citerefentry>, |
|
386 |
<citerefentry><refentrytitle>mandos.conf</refentrytitle> |
|
387 |
<manvolnum>5</manvolnum></citerefentry>, |
|
388 |
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle> |
|
389 |
<manvolnum>5</manvolnum></citerefentry>, |
|
390 |
<citerefentry><refentrytitle>mandos-ctl</refentrytitle> |
|
391 |
<manvolnum>8</manvolnum></citerefentry>, |
|
392 |
<citerefentry><refentrytitle>mandos-monitor</refentrytitle> |
|
393 |
<manvolnum>8</manvolnum></citerefentry>, |
|
394 |
<citerefentry><refentrytitle>plugin-runner</refentrytitle> |
|
395 |
<manvolnum>8mandos</manvolnum></citerefentry>, |
|
396 |
<citerefentry><refentrytitle>mandos-client</refentrytitle> |
|
397 |
<manvolnum>8mandos</manvolnum></citerefentry>, |
|
398 |
<citerefentry><refentrytitle>password-prompt</refentrytitle> |
|
399 |
<manvolnum>8mandos</manvolnum></citerefentry>, |
|
400 |
<citerefentry><refentrytitle>plymouth</refentrytitle> |
|
401 |
<manvolnum>8mandos</manvolnum></citerefentry>, |
|
402 |
<citerefentry><refentrytitle>usplash</refentrytitle> |
|
403 |
<manvolnum>8mandos</manvolnum></citerefentry>, |
|
404 |
<citerefentry><refentrytitle>splashy</refentrytitle> |
|
405 |
<manvolnum>8mandos</manvolnum></citerefentry>, |
|
406 |
<citerefentry><refentrytitle>askpass-fifo</refentrytitle> |
|
407 |
<manvolnum>8mandos</manvolnum></citerefentry>, |
|
408 |
<citerefentry><refentrytitle>mandos-keygen</refentrytitle> |
|
409 |
<manvolnum>8</manvolnum></citerefentry> |
|
410 |
</para> |
|
411 |
<variablelist> |
|
412 |
<varlistentry> |
|
413 |
<term> |
|
|
505.1.2
by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout. |
414 |
<ulink url="http://www.recompile.se/mandos">Mandos</ulink> |
|
493
by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos". |
415 |
</term> |
416 |
<listitem> |
|
417 |
<para> |
|
418 |
The Mandos home page. |
|
419 |
</para> |
|
420 |
</listitem> |
|
421 |
</varlistentry> |
|
422 |
</variablelist> |
|
423 |
</refsect1> |
|
424 |
</refentry>
|
|
425 |
<!-- Local Variables: -->
|
|
426 |
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
|
|
427 |
<!-- time-stamp-end: "[\"']>" -->
|
|
428 |
<!-- time-stamp-format: "%:y-%02m-%02d" -->
|
|
429 |
<!-- End: -->
|