=== added directory '.bzr-builddeb' === added file '.bzr-builddeb/default.conf' --- .bzr-builddeb/default.conf 1970-01-01 00:00:00 +0000 +++ .bzr-builddeb/default.conf 2008-09-17 00:34:09 +0000 @@ -0,0 +1,2 @@ +[BUILDDEB] +split = True === modified file 'Makefile' --- Makefile 2008-09-13 15:36:18 +0000 +++ Makefile 2008-09-17 00:34:09 +0000 @@ -141,9 +141,7 @@ install: install-server install-client-nokey install-server: doc - install --directory $(CONFDIR) $(MANDIR)/man5 \ - $(MANDIR)/man8 $(DESTDIR)/etc/init.d \ - $(DESTDIR)/etc/default $(PREFIX)/sbin + install --directory $(CONFDIR) install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos install --mode=u=rw,go=r --target-directory=$(CONFDIR) \ mandos.conf @@ -162,13 +160,8 @@ > $(MANDIR)/man5/mandos-clients.conf.5.gz install-client-nokey: all doc - install --directory $(PREFIX)/lib/mandos $(CONFDIR) \ - $(MANDIR)/man8 $(PREFIX)/sbin \ - $(INITRAMFSTOOLS)/hooks \ - $(INITRAMFSTOOLS)/conf-hooks.d \ - $(INITRAMFSTOOLS)/scripts/local-top - install --directory --mode=u=rwx $(KEYDIR) - install --directory --mode=u=rwx \ + install --directory $(PREFIX)/lib/mandos $(CONFDIR) + install --directory --mode=u=rwx $(KEYDIR) \ $(PREFIX)/lib/mandos/plugins.d if [ "$(CONFDIR)" != "$(PREFIX)/lib/mandos" ]; then \ install --mode=u=rwx \ @@ -191,7 +184,7 @@ plugins.d/usplash install initramfs-tools-hook \ $(INITRAMFSTOOLS)/hooks/mandos - install initramfs-tools-hook-conf \ + install --mode=u=rw,go=r initramfs-tools-hook-conf \ $(INITRAMFSTOOLS)/conf-hooks.d/mandos install initramfs-tools-script \ $(INITRAMFSTOOLS)/scripts/local-top/mandos === modified file 'README' --- README 2008-09-13 15:36:18 +0000 +++ README 2008-09-17 00:34:09 +0000 
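Review bot: After the install-server hunk the target no longer creates $(MANDIR)/man5, $(MANDIR)/man8, $(DESTDIR)/etc/init.d, $(DESTDIR)/etc/default or $(PREFIX)/sbin, yet the context lines that follow still `install` files into $(PREFIX)/sbin/mandos and $(MANDIR)/man5/mandos-clients.conf.5.gz, and install(1) does not create missing parent directories; the install-client-nokey hunk has the same problem, dropping $(MANDIR)/man8, $(PREFIX)/sbin and the three $(INITRAMFSTOOLS) directories that the third Makefile hunk still installs into. The debian/mandos.dirs and debian/mandos-client.dirs files added in this commit presumably cover these for the Debian packages, but a plain `make install` into a fresh $(DESTDIR) now fails on the first file copy, which looks unintended. Either keep the directory creation or let install create the path, e.g. `install -D --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos`. Both install targets continue past the end of their hunks.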
@@ -49,13 +49,13 @@ Now, of course the initial RAM disk image is not on the encrypted root file system, so anyone who had physical access could take the - server offline and read the disk with their own tools to get the - authentication keys used by a client. *But*, by then the Mandos - server should notice that the original server has been offline for - too long, and will no longer give out the encrypted key. The timing - here is the only real weak point, and the method, frequency and - timeout of the server’s checking can be adjusted to any desired - level of paranoia + Mandos client computer offline and read the disk with their own + tools to get the authentication keys used by a client. *But*, by + then the Mandos server should notice that the original server has + been offline for too long, and will no longer give out the encrypted + key. The timing here is the only real weak point, and the method, + frequency and timeout of the server’s checking can be adjusted to + any desired level of paranoia (The encrypted keys on the Mandos server is on its normal file system, so those are safe, provided the root file system of *that* 
@@ -69,12 +69,12 @@ to do. An attacker would have to physically disassemble the client computer, extract the key from the initial RAM disk image, and then connect to a *still online* Mandos server to get the encrypted key, - all *before* the Mandos server timeout kicks in and the Mandos - server refuses to give out the key to anyone. + and do all this *before* the Mandos server timeout kicks in and the + Mandos server refuses to give out the key to anyone. - Now, as the typical SOP seems to be to barge in and turn off and - grab *all* computers, to maybe look at them months later, this is - not likely. If someone does that, the whole system *will* lock + Now, as the typical procedure seems to be to barge in and turn off + and grab *all* computers, to maybe look at them months later, this + is not likely. If someone does that, the whole system *will* lock itself up completely, since Mandos servers are no longer running. For sophisticated attackers who *could* do the clever thing, *and* @@ -132,11 +132,11 @@ * Copyright - Copyright (C) 2008 Teddy Hogeborn - 2008 Björn Påhlsson - + Copyright © 2008 Teddy Hogeborn + 2008 Björn Påhlsson + ** License: - + This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the === modified file 'TODO' --- TODO 2008-09-13 19:20:50 +0000 +++ TODO 2008-09-17 00:34:09 +0000 @@ -1,6 +1,8 @@ -*- org -*- -* DONE plugin-runner +* plugin-runner +** TODO Man page for plugin-runner.conf.5 + link to plugin-runner.8 * mandos-client ** TODO [#B] Temporarily lower kernel log level @@ -48,7 +50,7 @@ **** TODO [#A] Ask for password twice for confirmation **** TODO "--passfile" option Using the "secfile" option instead of "secret" -**** TODO [#A] "--test" option +**** TODO [#B] "--test" option For testing decryption before rebooting. ** Server-side *** TODO [#A] Create mandos user and group for server 
@@ -63,6 +65,8 @@ From XML sources directly? ** TODO unperish ** DONE bzr-builddeb +** TODO mandos user/group creation +** TODO Key creation in postinst * TODO Web site ** DONE http://www.fukt.bsnet.se/mandos === added directory 'debian' === added file 'debian/changelog' --- debian/changelog 1970-01-01 00:00:00 +0000 +++ debian/changelog 2008-09-17 00:34:09 +0000 @@ -0,0 +1,5 @@ +mandos (1.0) unstable; urgency=low + + * Initial Release. + + -- Mandos Maintainers Sun, 07 Sep 2008 11:55:51 +0200 === added file 'debian/compat' --- debian/compat 1970-01-01 00:00:00 +0000 +++ debian/compat 2008-09-17 00:34:09 +0000 @@ -0,0 +1,1 @@ +7 === added file 'debian/control' --- debian/control 1970-01-01 00:00:00 +0000 +++ debian/control 2008-09-17 00:34:09 +0000 
@@ -0,0 +1,49 @@ +Source: mandos +Section: admin +Priority: extra +Maintainer: Mandos Maintainers +Build-Depends: debhelper (>= 7), docbook-xsl, docbook (<5.0), + libavahi-core-dev, libgpgme11-dev, libgnutls-dev, xsltproc +Standards-Version: 3.8.0 +Vcs-Bzr: ftp://anonymous@ftp.fukt.bsnet.se/pub/mandos/latest +Homepage: http://www.fukt.bsnet.se/mandos + +Package: mandos +Architecture: all +Depends: ${shlibs:Depends}, ${misc:Depends}, python (>=2.5), + python-gnutls, python-dbus, python-avahi, avahi-daemon, + gnupg (< 2) +Recommends: fping +Description: a server giving encrypted passwords to Mandos clients + This is the server part of the Mandos system, which allows + computers to have encrypted root file systems and at the + same time be capable of remote and/or unattended reboots. + . + The computers run a small client program in the initial RAM + disk environment which will communicate with a server over a + network. All network communication is encrypted using TLS. + The clients are identified by the server using an OpenPGP + key; each client has one unique to it. The server sends the + clients an encrypted password. The encrypted password is + decrypted by the clients using the same OpenPGP key, and the + password is then used to unlock the root file system, + whereupon the computers can continue booting normally. + +Package: mandos-client +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Enhances: cryptsetup +Description: do unattended reboots with an encrypted root file system + This is the client part of the Mandos system, which allows + computers to have encrypted root file systems and at the + same time be capable of remote and/or unattended reboots. + . + The computers run a small client program in the initial RAM + disk environment which will communicate with a server over a + network. All network communication is encrypted using TLS. + The clients are identified by the server using an OpenPGP + key; each client has one unique to it. 
The server sends the + clients an encrypted password. The encrypted password is + decrypted by the clients using the same OpenPGP key, and the + password is then used to unlock the root file system, + whereupon the computers can continue booting normally. === added file 'debian/copyright' --- debian/copyright 1970-01-01 00:00:00 +0000 +++ debian/copyright 2008-09-17 00:34:09 +0000 @@ -0,0 +1,27 @@ +Authors: Teddy Hogeborn, Björn Påhlsson + +Homepage: + +Copyright: + + Copyright © 2008 Teddy Hogeborn + 2008 Björn Påhlsson + +License: + + This program is free software: you can redistribute it and/or + modify it under the terms of the GNU General Public License as + published by the Free Software Foundation, either version 3 of the + License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see + . + +On Debian systems, the complete text of the GNU General Public License +can be found in "/usr/share/common-licenses/GPL". === added file 'debian/mandos-client.README.Debian' --- debian/mandos-client.README.Debian 1970-01-01 00:00:00 +0000 +++ debian/mandos-client.README.Debian 2008-09-17 00:34:09 +0000 
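Review bot: The mandos-client package declares only ${shlibs:Depends} and ${misc:Depends}, although debian/mandos-client.dirs in this commit ships hooks under usr/share/initramfs-tools and both maintainer scripts call update-initramfs; unless the package is meant to install without it, `Depends: ${shlibs:Depends}, ${misc:Depends}, initramfs-tools` states the relationship instead of relying on the `which update-initramfs` guard in postinst and postrm. The Maintainer field shows no mail address on this page, which may be a rendering artefact; it is worth confirming in the source since dpkg-gencontrol expects one.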
@@ -0,0 +1,10 @@ +A client key has been automatically created in /etc/keys/mandos. The +next step is to run "mandos-keygen --password" to get a config file +stanza to copy and paste into /etc/mandos/clients.conf on the Mandos +server. + +It is NOT necessary to edit /etc/crypttab to specify +/usr/lib/mandos/plugin-runner as a keyscript for the root file system; +if no keyscript is given for the root file system, the Mandos client +will be the new default way for getting a password for the root file +system when booting. === added file 'debian/mandos-client.dirs' --- debian/mandos-client.dirs 1970-01-01 00:00:00 +0000 +++ debian/mandos-client.dirs 2008-09-17 00:34:09 +0000 @@ -0,0 +1,5 @@ +usr/share/man/man8 +usr/sbin +usr/share/initramfs-tools/hooks +usr/share/initramfs-tools/conf-hooks.d +usr/share/initramfs-tools/scripts/local-top === added file 'debian/mandos-client.lintian-overrides' --- debian/mandos-client.lintian-overrides 1970-01-01 00:00:00 +0000 +++ debian/mandos-client.lintian-overrides 2008-09-17 00:34:09 +0000 @@ -0,0 +1,4 @@ +mandos-client binary: manpage-has-errors-from-man usr/share/man/man8/plugin-runner.8mandos.gz 297: warning [p 4, 5.8i]: can't break line +mandos-client binary: non-standard-dir-perm etc/keys/mandos/ 0700 != 0755 +mandos-client binary: setuid-binary usr/lib/mandos/plugins.d/mandos-client 4755 root/root +mandos-client binary: non-standard-dir-perm usr/lib/mandos/plugins.d/ 0700 != 0755 === added file 'debian/mandos-client.postinst' --- debian/mandos-client.postinst 1970-01-01 00:00:00 +0000 +++ debian/mandos-client.postinst 2008-09-17 00:34:09 +0000 
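Review bot: The override for the setuid-binary tag on usr/lib/mandos/plugins.d/mandos-client silences lintian without recording why that plugin must run as root, and the 0700 overrides on etc/keys/mandos and usr/lib/mandos/plugins.d are likewise unexplained; lintian-overrides files accept `#` comment lines, so a one-line comment above each override giving the reason would let a later auditor confirm the decision instead of rediscovering it. The manpage-has-errors-from-man override is keyed to groff line number 297 of plugin-runner.8mandos.gz and will stop matching as soon as the man page changes; the warning is better fixed in the man page source than overridden.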
@@ -0,0 +1,44 @@ +#!/bin/bash -e +# This script can be called in the following ways: +# +# After the package was installed: +# configure +# +# +# If prerm fails during upgrade or fails on failed upgrade: +# abort-upgrade +# +# If prerm fails during deconfiguration of a package: +# abort-deconfigure in-favour +# removing +# +# If prerm fails during replacement due to conflict: +# abort-remove in-favour + +. /usr/share/debconf/confmodule + +# Update the initramfs +update_initramfs() +{ + if which update-initramfs >/dev/null 2>&1; then + update-initramfs -u + fi +} + +case "$1" in + configure) + update_initramfs + ;; + + abort-upgrade|abort-deconfigure|abort-remove) + ;; + + *) + echo "$0 called with unknown argument \`$1'" 1>&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 === added file 'debian/mandos-client.postrm' --- debian/mandos-client.postrm 1970-01-01 00:00:00 +0000 +++ debian/mandos-client.postrm 2008-09-17 00:34:09 +0000 
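Review bot: The `configure` branch only refreshes the initramfs, while debian/mandos-client.README.Debian added in this commit tells the user that a client key has already been created in /etc/keys/mandos and TODO still lists "Key creation in postinst" as open; until that is implemented the README overstates what installation does, so one of the two should change. The script sources /usr/share/debconf/confmodule but never issues a db_* command and dh_installdebconf is commented out in debian/rules, so the `. /usr/share/debconf/confmodule` line appears to be unused and can go. The postrm in the same commit uses `#!/bin/sh -e`; nothing in this script needs bash, so the same interpreter line would be consistent.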
@@ -0,0 +1,62 @@ +#!/bin/sh -e +# This script can be called in the following ways: +# +# After the package was removed: +# remove +# +# After the package was purged: +# purge +# +# After the package was upgraded: +# upgrade +# if that fails: +# failed-upgrade +# +# +# After all of the packages files have been replaced: +# disappear +# +# +# If preinst fails during install: +# abort-install +# +# If preinst fails during upgrade of removed package: +# abort-install +# +# If preinst fails during upgrade: +# abort-upgrade + + +# Update the initramfs +update_initramfs() +{ + if which update-initramfs >/dev/null 2>&1; then + update-initramfs -u + fi +} + + +case "$1" in + remove) + update_initramfs + ;; + + purge) + shred --remove /etc/keys/mandos/seckey.txt || : + rm --force /etc/mandos/plugin-runner.conf \ + /etc/keys/mandos/pubkey.txt \ + /etc/keys/mandos/seckey.txt + rmdir /etc/keys/mandos /etc/mandos/plugins.d /etc/mandos || : + ;; + upgrade|failed-upgrade|disappear|abort-install|abort-upgrade) + ;; + + *) + echo "$0 called with unknown argument \`$1'" 1>&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 === added file 'debian/mandos.dirs' --- debian/mandos.dirs 1970-01-01 00:00:00 +0000 +++ debian/mandos.dirs 2008-09-17 00:34:09 +0000 @@ -0,0 +1,5 @@ +usr/share/man/man5 +usr/share/man/man8 +etc/init.d +etc/default +usr/sbin === added file 'debian/mandos.lintian-overrides' --- debian/mandos.lintian-overrides 1970-01-01 00:00:00 +0000 +++ debian/mandos.lintian-overrides 2008-09-17 00:34:09 +0000 @@ -0,0 +1,1 @@ +mandos binary: non-standard-file-perm etc/mandos/clients.conf 0600 != 0644 === added file 'debian/rules' --- debian/rules 1970-01-01 00:00:00 +0000 +++ debian/rules 2008-09-17 00:34:09 +0000 
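Review bot: In the `purge` branch a failure of `shred --remove /etc/keys/mandos/seckey.txt` is swallowed by `|| :` and the following `rm --force` unlinks the file anyway, so an unshredded private key can be left recoverable on disk with no indication to the administrator; at least report it, e.g. `shred --remove /etc/keys/mandos/seckey.txt || echo "$0: could not shred /etc/keys/mandos/seckey.txt" >&2`. Even a successful shred only overwrites in place, which journaling and copy-on-write file systems do not guarantee to reach the old blocks, so a comment on that line noting the limitation would set the right expectation for what purge achieves.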
@@ -0,0 +1,116 @@ +#!/usr/bin/make -f +# Sample debian/rules that uses debhelper. +# +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. +# +# Modified to make a template file for a multi-binary package with separated +# build-arch and build-indep targets by Bill Allombert 2001 + +# Uncomment this to turn on verbose mode. +export DH_VERBOSE=1 + +# This has to be exported to make some magic below work. +export DH_OPTIONS + +configure: configure-stamp +configure-stamp: + dh_testdir +# Add here commands to configure the package. + touch configure-stamp + +#Architecture +build: build-arch build-indep + +build-arch: build-arch-stamp +build-arch-stamp: configure-stamp +# Add here commands to compile the arch part of the package. + dh_auto_build -- all doc + touch $@ + +build-indep: build-indep-stamp +build-indep-stamp: configure-stamp +# Add here commands to compile the indep part of the package. + dh_auto_build -- doc + touch $@ + +clean: + dh_testdir + dh_testroot + rm -f build-arch-stamp build-indep-stamp configure-stamp +# Add here commands to clean up after the build process. + dh_auto_clean + dh_clean + +install: install-indep install-arch +install-indep: + dh_testdir + dh_testroot + dh_prep + dh_installdirs --indep +# Add here commands to install the indep part of the package into +# debian/-doc. + $(MAKE) DESTDIR=$(CURDIR)/debian/mandos install-server + dh_lintian + dh_installinit --onlyscripts --no-start + dh_install --indep + +install-arch: + dh_testdir + dh_testroot + dh_prep + dh_installdirs --same-arch + +# Add here commands to install the arch part of the package into +# debian/tmp. + $(MAKE) DESTDIR=$(CURDIR)/debian/mandos-client install-client-nokey + dh_lintian + dh_install --same-arch + +# Must not depend on anything. 
This is to be called by +# binary-arch/binary-indep +# in another 'make' thread. +binary-common: + dh_testdir + dh_testroot + dh_installchangelogs + dh_installdocs +# dh_installexamples +# dh_installmenu +# dh_installdebconf +# dh_installlogrotate +# dh_installemacsen +# dh_installpam +# dh_installmime +# dh_pycentral +# dh_installinit +# dh_installcron +# dh_installinfo +# dh_installman + dh_link + dh_strip + dh_compress + dh_fixperms --exclude etc/keys/mandos \ + --exclude etc/mandos/clients.conf \ + --exclude usr/lib/mandos/plugins.d +# dh_perl + dh_makeshlibs + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb +# Build architecture independant packages using the common target. +binary-indep: build-indep install-indep + $(MAKE) -f debian/rules DH_OPTIONS=--indep binary-common + +# Build architecture dependant packages using the common target. +binary-arch: build-arch install-arch + $(MAKE) -f debian/rules DH_OPTIONS=--same-arch binary-common + +binary: binary-arch binary-indep + +.PHONY: build clean binary-indep binary-arch binary install \ + install-indep install-arch configure === modified file 'default-mandos' --- default-mandos 2008-09-05 08:38:30 +0000 +++ default-mandos 2008-09-17 00:34:09 +0000 @@ -2,3 +2,6 @@ # "/etc/mandos". # #CONFIGDIR=/etc/mandos + +# Additional options that are passed to the Daemon. +DAEMON_ARGS=""
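Review bot: `dh_prep` in install-arch runs without `--same-arch`, and dh_prep, as far as I know, clears the staging directory of every package it acts on, so when the `install` target (install-indep install-arch) is used it removes the debian/mandos tree that install-indep has just populated; the unqualified `dh_prep` in install-indep has the mirror-image effect. The `binary` target appears to survive only because binary-arch builds and packs mandos-client before binary-indep wipes it, which is order-dependent; `dh_prep --indep` and `dh_prep --same-arch`, matching the dh_installdirs calls beside them, restrict each to its own package. Several template comments are stale: "Uncomment this to turn on verbose mode" sits above an already active `export DH_VERBOSE=1`, and the install comments still say debian/-doc and debian/tmp while the recipes install into debian/mandos and debian/mandos-client. `.PHONY` also omits build-arch, build-indep and binary-common.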