=== modified file 'TODO' --- TODO 2008-09-02 15:02:37 +0000 +++ TODO 2008-09-02 17:42:53 +0000 @@ -9,8 +9,6 @@ * password-request ** [#A] Man page: man8/password-request.8mandos -*** SYNOPSIS - Document short options *** DESCRIPTION State that this command is not meant to be invoked directly, but is run as a plugin from mandos-client(8) and only run in the === modified file 'mandos-options.xml' --- mandos-options.xml 2008-08-30 18:45:41 +0000 +++ mandos-options.xml 2008-09-02 17:42:53 +0000 @@ -5,6 +5,8 @@
=== modified file 'mandos.xml' --- mandos.xml 2008-09-01 08:29:23 +0000 +++ mandos.xml 2008-09-02 17:42:53 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - + ]> @@ -115,24 +115,20 @@ Any authenticated client is then given the stored pre-encrypted password for that specific client. - PURPOSE - The purpose of this is to enable remote and unattended rebooting of client host computer with an encrypted root file system. See for details. - OPTIONS - === modified file 'plugins.d/password-request.c' --- plugins.d/password-request.c 2008-08-24 10:49:09 +0000 +++ plugins.d/password-request.c 2008-09-02 17:42:53 +0000 @@ -774,7 +774,8 @@ const char *pubkeyname = "pubkey.txt"; const char *seckeyname = "seckey.txt"; mandos_context mc = { .simple_poll = NULL, .server = NULL, - .dh_bits = 1024, .priority = "SECURE256"}; + .dh_bits = 1024, .priority = "SECURE256" + ":!CTYPE-X.509:+CTYPE-OPENPGP" }; bool gnutls_initalized = false; { @@ -817,25 +818,25 @@ /* Get the INPUT argument from `argp_parse', which we know is a pointer to our plugin list pointer. */ switch (key) { - case 128: + case 128: /* --debug */ debug = true; break; - case 'c': + case 'c': /* --connect */ connect_to = arg; break; - case 'i': + case 'i': /* --interface */ interface = arg; break; - case 'd': + case 'd': /* --keydir */ keydir = arg; break; - case 's': + case 's': /* --seckey */ seckeyname = arg; break; - case 'p': + case 'p': /* --pubkey */ pubkeyname = arg; break; - case 129: + case 129: /* --dh-bits */ errno = 0; mc.dh_bits = (unsigned int) strtol(arg, NULL, 10); if (errno){ @@ -843,7 +844,7 @@ exit(EXIT_FAILURE); } break; - case 130: + case 130: /* --priority */ mc.priority = arg; break; case ARGP_KEY_ARG: === modified file 'plugins.d/password-request.xml' --- plugins.d/password-request.xml 2008-08-31 15:06:39 +0000 +++ plugins.d/password-request.xml 2008-09-02 17:42:53 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - + ]> 
@@ -124,21 +124,67 @@ DESCRIPTION - &COMMANDNAME; is a mandos plugin that works - like a client program that through avahi detects mandos servers, - sets up a gnutls connect and request a encrypted password. Any - passwords given is automaticly decrypted and passed to - cryptsetup. + &COMMANDNAME; is a client program that + communicates with mandos8 + to get a password. It uses IPv6 link-local addresses to get + network connectivity, Zeroconf to find the server, and TLS with + an OpenPGP key to ensure authenticity and confidentiality. It + keeps running, trying all servers on the network, until it + receives a satisfactory reply. + + + This program is not meant to be run directly; it is really meant + to run as a plugin of the Mandos + plugin-runner + 8mandos, which in turn + runs as a keyscript specified in the + crypttab + 5 file. + + + + + PURPOSE + + The purpose of this is to enable remote and unattended + rebooting of client host computer with an + encrypted root file system. See for details. + + + + + OVERVIEW + + + This program is the client part. It is a plugin started by + plugin-runner + 8mandos which will run in + an initial RAM disk environment. + + + This program could, theoretically, be used as a keyscript in + /etc/crypttab, but it would then be + impossible to enter the encrypted root disk password at the + console, since this program does not read from the console at + all. This is why a separate plugin does that, which will be run + in parallell to this one. OPTIONS - Commonly not invoked as command lines but from configuration - file of plugin runner. + This program is commonly not invoked from the command line; it + is normally started by the Mandos + plugin runner, see plugin-runner8mandos + . Any command line options this program accepts + are therefore normally provided by the plugin runner, and not + directly. - + - Connect directly to a specified mandos server + Do not use Zeroconf to locate servers. 
Connect directly + to only one specified Mandos + server. Note that an IPv6 address has colon characters in + it, so the last colon character is + assumed to separate the address from the port number. + + + This option is normally only useful for debugging. - + @@ -161,7 +214,11 @@ DIRECTORY - Directory where the openpgp keyring is + Directory to read the OpenPGP key files + pubkey.txt and + seckey.txt from. The default is + /conf/conf.d/mandos (in the initial + RAM disk environment). @@ -173,11 +230,13 @@ NAME - Interface that Avahi will connect through + Network interface that will be brought up and scanned for + Mandos servers to connect to. The default it + eth0. - + @@ -185,7 +244,10 @@ FILE - Public openpgp key for gnutls authentication + OpenPGP public key file name. This will be combined with + the directory from the option to + form an absolute file name. The default name is + pubkey.txt. @@ -197,7 +259,10 @@ FILE - Secret OpenPGP key for GnuTLS authentication + OpenPGP secret key file name. This will be combined with + the directory from the option to + form an absolute file name. The default name is + seckey.txt. @@ -206,9 +271,7 @@ - - GnuTLS priority - + @@ -217,7 +280,8 @@ >BITS - DH bits to use in gnutls communication + Sets the number of bits to use for the prime number in the + TLS Diffie-Hellman key exchange. Default is 1024. @@ -226,7 +290,14 @@ - Debug mode + Enable debug mode. This will enable a lot of output to + standard error about what the program is doing. The + program will still perform all other functions normally. + + + It will also enable debug mode in the Avahi and GnuTLS + libraries, making them print large amounts of debugging + output. @@ -236,7 +307,7 @@ - Gives a help message + Gives a help message about options and their meanings. @@ -245,7 +316,7 @@ - Gives a short usage message + Gives a short usage message. @@ -255,7 +326,7 @@ - Prints the program version + Prints the program version. 
@@ -265,15 +336,23 @@ EXIT STATUS - - - - - ENVIRONMENT - - - - + This program will exit with a successful (zero) exit status if a + server could be found and the password received from it could be + successfully decrypted and output on standard output. The + program will exit with a non-zero exit status only if a critical + error occurs. Otherwise, it will forever connect to new + Mandosservers servers as they appear, + trying to get a decryptable password. + + + + + + + + + + FILES
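Review bot: In the password-request.c hunk at @@ -774, the new default priority string "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP" correctly restricts the handshake to OpenPGP certificate types, but the `--priority` handler (`case 130: mc.priority = arg;`) replaces the whole string, so any user-supplied priority silently drops the `!CTYPE-X.509:+CTYPE-OPENPGP` restriction and re-enables X.509. Consider appending the certificate-type suffix to whatever priority the user supplies after argument parsing, or at least spelling out the requirement in the password-request.xml documentation for that option.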
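Review bot: In the @@ -817 hunk, `case 129: /* --dh-bits */` parses with `strtol(arg, NULL, 10)` and only checks `errno`, so a non-numeric argument such as "abc" yields 0 and a negative value is cast to a large unsigned int without any error; both pass the `if (errno)` check. Pass an end pointer and reject the argument when `*endptr != '\0'` or the value is not positive, e.g. `char *end; long v = strtol(arg, &end, 10); if (errno || *end || v <= 0) ...`. The added `/* --option */` comments on the case labels are welcome.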
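Review bot: In the password-request.xml hunk at @@ -124, the OVERVIEW paragraph has a spelling error: "run in parallell to this one" should read "run in parallel to this one". The rewritten DESCRIPTION and the new --connect text (last colon separates address from port, debugging use only) are otherwise clear.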
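Review bot: In the @@ -173 hunk, "The default it eth0" should be "The default is eth0".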
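Review bot: The @@ -206 hunk removes the only description of the --priority option ("GnuTLS priority") and leaves the entry empty, which is a documentation regression in the same change that made the default priority security-relevant. Add a description that states the default, "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP", and notes that a user-supplied value replaces the whole string, so it must keep the OpenPGP-only certificate-type settings to preserve the intended authentication behaviour.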
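Review bot: In the EXIT STATUS hunk at @@ -265, "connect to new Mandosservers servers as they appear" has a doubled word; it should read "connect to new Mandos servers as they appear". The hunk also removes the ENVIRONMENT heading but leaves its now-empty container elements in place; either drop them or restore the heading with a sentence saying no environment variables are used.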