Mandos Manual

]> Mandos Manual Mandos &VERSION; &TIMESTAMP; Björn Påhlsson

belorn@fukt.bsnet.se

Teddy Hogeborn

teddy@fukt.bsnet.se

2008 Teddy Hogeborn Björn Påhlsson &COMMANDNAME; 8mandos &COMMANDNAME; Client for mandos &COMMANDNAME; &COMMANDNAME; &COMMANDNAME; &COMMANDNAME; DESCRIPTION &COMMANDNAME; is a client program that communicates with mandos8 to get a password. It uses IPv6 link-local addresses to get network connectivity, Zeroconf to find the server, and TLS with an OpenPGP key to ensure authenticity and confidentiality. It keeps running, trying all servers on the network, until it receives a satisfactory reply. This program is not meant to be run directly; it is really meant to run as a plugin of the Mandos plugin-runner 8mandos, which runs in the initial RAM disk environment because it is specified as a keyscript in the crypttab5 file. PURPOSE The purpose of this is to enable remote and unattended rebooting of client host computer with an encrypted root file system. See for details. OPTIONS This program is commonly not invoked from the command line; it is normally started by the Mandos plugin runner, see plugin-runner8mandos . Any command line options this program accepts are therefore normally provided by the plugin runner, and not directly. Do not use Zeroconf to locate servers. Connect directly to only one specified Mandos server. Note that an IPv6 address has colon characters in it, so the last colon character is assumed to separate the address from the port number. This option is normally only useful for testing and debugging. Directory to read the OpenPGP key files pubkey.txt and seckey.txt from. The default is /conf/conf.d/mandos (in the initial RAM disk environment). Network interface that will be brought up and scanned for Mandos servers to connect to. The default it eth0. OpenPGP public key file base name. This will be combined with the directory from the option to form an absolute file name. The default name is pubkey.txt. OpenPGP secret key file base name. This will be combined with the directory from the option to form an absolute file name. The default name is seckey.txt. Sets the number of bits to use for the prime number in the TLS Diffie-Hellman key exchange. Default is 1024. Enable debug mode. This will enable a lot of output to standard error about what the program is doing. The program will still perform all other functions normally. It will also enable debug mode in the Avahi and GnuTLS libraries, making them print large amounts of debugging output. Gives a help message about options and their meanings. Gives a short usage message. Prints the program version. OVERVIEW This program is the client part. It is a plugin started by plugin-runner 8mandos which will run in an initial RAM disk environment. This program could, theoretically, be used as a keyscript in /etc/crypttab, but it would then be impossible to enter the encrypted root disk password at the console, since this program does not read from the console at all. This is why a separate plugin does that, which will be run in parallell to this one. EXIT STATUS This program will exit with a successful (zero) exit status if a server could be found and the password received from it could be successfully decrypted and output on standard output. The program will exit with a non-zero exit status only if a critical error occurs. Otherwise, it will forever connect to new Mandosservers servers as they appear, trying to get a decryptable password. ENVIRONMENT This program does not use any environment variables, not even the ones provided by cryptsetup8 . FILES BUGS EXAMPLE SECURITY SEE ALSO mandos 8, password-prompt 8mandos, plugin-runner 8mandos Zeroconf Avahi GnuTLS GPGME RFC 4880: OpenPGP Message Format RFC 5081: Using OpenPGP Keys for Transport Layer Security RFC 4291: IP Version 6 Addressing Architecture, section 2.5.6, Link-Local IPv6 Unicast Addresses