=== modified file 'Makefile'
--- Makefile 2008-08-15 20:47:22 +0000
+++ Makefile 2008-08-17 06:01:58 +0000
@@ -20,8 +20,16 @@
 # MANDIR=/usr/local/man
 MANDIR=/usr/share/man
+GNUTLS_CFLAGS=$(shell libgnutls-config --cflags)
+GNUTLS_LIBS=$(shell libgnutls-config --libs)
+AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)
+AVAHI_LIBS=$(shell pkg-config --libs avahi-core)
+GPGME_CFLAGS=$(shell gpgme-config --cflags)
+GPGME_LIBS=$(shell gpgme-config --libs)
+
 # Do not change these two
-CFLAGS=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) $(LANGUAGE)
+CFLAGS=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
+	$(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS)
 LDFLAGS=$(COVERAGE)
 DOCBOOKTOMAN=xsltproc --nonet \
@@ -30,6 +38,8 @@
 	--param make.single.year.ranges 1 \
 	--param man.output.quietly 1 \
 	--param man.authors.section.enabled 0
+# DocBook-to-man post-processing to fix a \n escape bug
+MANPOST=sed --in-place --expression='s,\\en,\en,g;s,\een,\en,g'
 PLUGINS=plugins.d/password-prompt plugins.d/password-request
 PROGS=plugin-runner $(PLUGINS)
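Review bot: The six `*_CFLAGS`/`*_LIBS` variables added at the top of the hunk use recursive `=` with `$(shell …)`, so `libgnutls-config`, `pkg-config` and `gpgme-config` are re-run every time `CFLAGS` or a link line is expanded; `:=` runs each once at parse time, e.g. `GNUTLS_CFLAGS:=$(shell libgnutls-config --cflags)`. A missing or failing helper tool expands silently to an empty string here and only surfaces later as an obscure compile or link error; a parse-time guard such as `ifeq ($(strip $(GNUTLS_LIBS)),)` with `$(error libgnutls-config not found)` would make that failure explicit. The reworked `CFLAGS=` line keeps the recursive flavour too, so the cost is paid on every compile command.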
@@ -38,32 +48,26 @@
 	plugins.d/password-prompt.8mandos mandos.conf.5 \
 	mandos-clients.conf.5
-objects=$(shell for p in $(PROGS); do echo $${p}.o; done)
+objects=$(addsuffix .o,$(PROGS))
 all: $(PROGS)
 doc: $(DOCS)
 %.5: %.xml
-	cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^)
+	cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^) $(MANPOST) $@
 %.8: %.xml
-	cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^)
+	cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^); $(MANPOST) $@
 %.8mandos: %.xml
-	cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^)
-
-plugin-runner: plugin-runner.o
-	$(LINK.o) -lgnutls $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@
+	cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^) $(MANPOST) $@
 plugins.d/password-request: plugins.d/password-request.o
-	$(LINK.o) -lgnutls -lavahi-core -lgpgme $(COMMON) $^ \
-	$(LOADLIBES) $(LDLIBS) -o $@
-
-plugins.d/password-prompt: plugins.d/password-prompt.o
-	$(LINK.o) $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@
-
-.PHONY : all clean distclean run-client run-server install \
+	$(LINK.o) $(GNUTLS_LIBS) $(AVAHI_LIBS) $(GPGME_LIBS) \
+	$(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@
+
+.PHONY : all doc clean distclean run-client run-server install \
 	install-server install-client uninstall uninstall-server \
 	uninstall-client purge purge-server purge-client
=== modified file 'mandos.xml'
--- mandos.xml 2008-08-16 20:31:21 +0000
+++ mandos.xml 2008-08-17 06:01:58 +0000
@@ -31,7 +31,8 @@
 2008 - Teddy Hogeborn & Björn Påhlsson + Teddy Hogeborn + Björn Påhlsson
@@ -66,7 +67,7 @@
 &COMMANDNAME; - Sends encrypted passwords to authenticated mandos clients + Sends encrypted passwords to authenticated Mandos clients
@@ -83,6 +84,16 @@
 &COMMANDNAME; + -iIF + -aADDRESS + -pPORT + --priorityPRIORITY + --servicenameNAME + --configdirDIRECTORY + --debug + + + &COMMANDNAME; --help 
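Review bot: In the new `%.5` and `%.8mandos` recipes `$(MANPOST) $@` appears to follow `$(notdir $^)` with only a space, unlike the `%.8` rule which separates them with `;`, so for those two rules the whole `sed --in-place …` text is handed to `$(DOCBOOKTOMAN)` as extra arguments instead of being executed. The `%.8mandos` rule has a second problem: the recipe has already done `cd $(dir $^)`, so a target such as `plugins.d/password-request.8mandos` is then resolved from inside `plugins.d/` and `sed` will not find it. Running the post-processing as its own recipe line, from the original working directory, fixes both, and `&&` instead of `;` lets a failed xsltproc fail the build rather than leaving a stale target that `sed` then edits. Separately, the explicit `plugin-runner` and `plugins.d/password-prompt` link rules removed here now fall through to the built-in `%: %.o` rule, which does not pass `$(COMMON)`; whether that matters depends on what `COMMON` holds, which is defined outside this hunk.
```make
%.5: %.xml
	cd $(dir $^) && $(DOCBOOKTOMAN) $(notdir $^)
	$(MANPOST) $@
%.8: %.xml
	cd $(dir $^) && $(DOCBOOKTOMAN) $(notdir $^)
	$(MANPOST) $@
%.8mandos: %.xml
	cd $(dir $^) && $(DOCBOOKTOMAN) $(notdir $^)
	$(MANPOST) $@
# … unchanged: plugins.d/password-request link rule, .PHONY list …
```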
@@ -98,12 +109,34 @@ DESCRIPTION - &COMMANDNAME; is a server daemon that handels - incomming passwords request for passwords. Mandos use avahi to - announce the service, and through gnutls authenticates - clients. Any authenticated client is then given its encrypted - password. - + &COMMANDNAME; is a server daemon which + handles incoming request for passwords for a pre-defined list of + client host computers. The Mandos server uses Zeroconf to + announce itself on the local network, and uses GnuTLS to + communicate securely with and to authenticate the clients. + Mandos uses IPv6 link-local addresses, since the clients are + assumed to not have any other addresses configured yet. Any + authenticated client is then given the pre-encrypted password + for that specific client. + + + + + + PURPOSE + + + The purpose of this is to enable remote and unattended + rebooting of any client host computer with an + encrypted root file system. The client + host computer should start a Mandos client in the initial RAM + disk environment, the Mandos client program communicates with + this server program to get an encrypted password, which is then + decrypted and used to unlock the encrypted root file system. + The client host computer can then continue its boot sequence + normally. + + @@ -114,7 +147,7 @@ -h, --help - show a help message and exit + Show a help message and exit @@ -124,7 +157,9 @@ IF - Bind to interface IF + Only announce the server and listen to requests on network + interface IF. Default is to + use all available interfaces. 
@@ -134,7 +169,14 @@ ADDRESS - Address to listen for requests on + If this option is used, the server will only listen to a + specific address. This must currently be an IPv6 address; + an IPv4 address can be specified using the + "::FFFF:192.0.2.3" syntax. Also, if a + link-local address is specified, an interface should be + set, since a link-local address is only valid on a single + interface. By default, the server will listen to all + available addresses. @@ -144,7 +186,9 @@ PORT - Port number to receive requests on + If this option is used, the server to bind to that + port. By default, the server will listen to an arbitrary + port given by the operating system. @@ -153,7 +197,8 @@ --check - Run self-test on the server + Run the server's self-tests. This includes any unit + tests, etc. @@ -162,7 +207,9 @@ --debug - Debug mode + If the server is run in debug mode, it will run in the + foreground and print a lot of debugging information. The + default is not to run in debug mode. @@ -172,9 +219,15 @@ PRIORITY - GnuTLS priority string. See - gnutls_priority_init - 3 + GnuTLS priority string for the TLS handshake with the + clients. See + gnutls_priority_init + 3 + for the syntax. The default is + "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP". + Warning: changing this may make the + TLS handshake fail, making communication with clients + impossible. @@ -184,7 +237,13 @@ - Zeroconf service name + Zeroconf service name. The default is + "Mandos". You only need to change this + if you for some reason want to run more than one server on + the same host. If there are name + collisions on the same network, the + new server will automatically rename itself to "Mandos + #2", etc. @@ -194,7 +253,12 @@ - Directory to search for configuration files + Directory to search for configuration files. Default is + "/etc/mandos". See + mandos.conf + 5 and + mandos-clients.conf + 5. 
@@ -203,31 +267,108 @@ --version - Prints the program version + Prints the program version and exit. + + NETWORK PROTOCOL + + The Mandos server announces itself as a Zeroconf service of type + "_mandos._tcp". The Mandos client connects + to the announced address and port, and sends a line of text + where the first whitespace-separated field is the protocol + version, which currently is "1". The client + and server then start a TLS protocol handshake with a slight + quirk: the Mandos server program acts as a TLS "client" while + the connecting Mandos client acts as a TLS "server". The Mandos + client must supply an OpenPGP certificate, and the fingerprint + of this certificate is used by the Mandos server to look up (in + a list read from a file at start time) which binary blob to give + the client. No other authentication or authorization is done by + the server. + + + + Mandos Client + Direction + Mandos Server + + + + Connect + -> + + + "1\r\en" + -> + + + TLS handshake + <-> + TLS handshake + + + OpenPGP public key (part of TLS handshake) + -> + + + + <- + Binary blob + + + + <- + Close + + + + + + LOGGING + + The server will log a lot of information with various severity + levels to + syslog + 8. With the + option, it will log even more messages, + and also show them on the console. + + + EXIT STATUS + The server will exit with a non-zero exit status only when a + critical error is encountered. FILES + + + /etc/mandos/mandos.conf See + mandos.conf + 5. + + + /etc/mandos/clients.conf See + mandos-clients.conf + 5. + + + /var/run/mandos/mandos.pid + + - - NOTES - - - - BUGS 
@@ -248,14 +389,45 @@ SEE ALSO - - plugin-runner - 8mandos, - password-request - 8mandos and - password-prompt - 8mandos - + + + password-request + 8mandos + + + + plugin-runner + 8mandos + + + + Zeroconf + + + + Avahi + + + + GnuTLS + + + + RFC 4880: OpenPGP Message + Format + + + + RFC 5081: Using OpenPGP Keys for + Transport Layer Security + + + + RFC 4291: IP Version 6 Addressing + Architecture, section 2.5.6, Link-Local IPv6 + Unicast Addresses + + -
=== removed file 'network-protocol.txt'
--- network-protocol.txt 2008-08-07 22:30:45 +0000
+++ network-protocol.txt 1970-01-01 00:00:00 +0000
@@ -1,19 +0,0 @@
-The Mandos server announces itself as a Zeroconf service of type
-"_mandos._tcp". The Mandos client sends a line of text where the first
-whitespace-separated field is the protocol version, which currently is
-"1". The client and server then start a TLS protocol handshake with a
-slight quirk: the Mandos server program acts as a TLS "client" while
-the connecting Mandos client acts as a TLS "server". The Mandos
-client must supply an OpenPGP certificate, and the fingerprint of this
-certificate is used by the Mandos server to look up (in a list read
-from a file at start time) which binary blob to give the client. No
-other authentication or authorization is done by the server.
-
-| Mandos Client | | Mandos Server | |--------------------------------------------+-----+---------------| | Connect | | | | "1\r\n" | -> | | | TLS handshake | <-> | TLS handshake | | OpenPGP public key (part of TLS handshake) | -> | | | | <- | Binary blob | | | | Close |
=== modified file 'plugins.d/password-request.xml'
--- plugins.d/password-request.xml 2008-08-16 20:31:21 +0000
+++ plugins.d/password-request.xml 2008-08-17 06:01:58 +0000
@@ -120,7 +120,7 @@
 IP - Connect directly to a sepcified mandos server + Connect directly to a specified mandos server 
@@ -261,13 +261,57 @@ SEE ALSO - - mandos - 8, - plugin-runner - 8mandos and - password-prompt - 8mandos - - + + + mandos + 8 + + + + plugin-runner + 8mandos + + + + password-prompt + 8mandos + + + + Zeroconf + + + + Avahi + + + + GnuTLS + + + + + GPGME + + + + RFC 4880: OpenPGP Message + Format + + + + RFC 5081: Using OpenPGP Keys for + Transport Layer Security + + + + RFC 4291: IP Version 6 Addressing + Architecture, section 2.5.6, Link-Local IPv6 + Unicast Addresses + + + +