/mandos/trunk : revision 1120

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to dracut-module/password-agent.xml

Committer: Teddy Hogeborn
Date: 2019-07-18 00:02:43 UTC
Revision ID: teddy@recompile.se-20190718000243-okz4s9xao1r1tfnx

Document bug in mandos-keygen which strips white space from passwords

Passwords, as read by mandos-keygen when given the --password or -p
options, are stripped of white space from the start and from the end
of the password.  This is because mandos-keygen is a shell script, and
the Bourne Shell "read" builtin does not seem to have a way to avoid
this.  Document this bug.

* manods-keygen.xml (OPTIONS): Document the white space-stripping
                               nature of the --password/-p option, and
                               also note in the description of
                               --passfile and -F that they avoid this
                               behavior.
  (BUGS): Again mention the problem with the --password and -p
          options, and suggest --passfile as a possible workaround.

files removed:
debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

sysusers.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.templates

debian/tests/control

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-monitor

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

mandos.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

dracut-module/password-agent.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "password-agent">

<!ENTITY TIMESTAMP "2021-02-03">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Run Mandos client as a systemd password agent.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg><option>--agent-directory=<replaceable

>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--helper-directory=<replaceable

>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--user=<replaceable

>USERID</replaceable></option></arg>

<sbr/>

<arg><option>--group=<replaceable

>GROUPID</replaceable></option></arg>

<sbr/>

<arg>

<replaceable>MANDOS_CLIENT</replaceable>

<arg choice="plain"><replaceable>OPTIONS</replaceable></arg>

</group>

</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--usage</option></arg>

100

</cmdsynopsis>

101

102

<command>&COMMANDNAME;</command>

103

104

<arg choice="plain"><option>--version</option></arg>

105

106

</group>

107

</cmdsynopsis>

108

</refsynopsisdiv>

109

110

111

<title>DESCRIPTION</title>

112

<para>

113

<command>&COMMANDNAME;</command> is a program which is meant to

114

be a <citerefentry><refentrytitle>systemd</refentrytitle>

115

<manvolnum>1</manvolnum></citerefentry> <quote>Password

116

Agent</quote> (See <ulink

117

url="https://systemd.io/PASSWORD_AGENTS/">Password

118

Agents</ulink>). The aim of this program is therefore to

119

acquire and then send a password to some other program which

120

will use the password to unlock the encrypted root disk.

121

</para>

122

<para>

123

This program is not meant to be invoked directly, but can be in

124

order to test it.

125

</para>

126

</refsect1>

127

128

129

<title>PURPOSE</title>

130

<para>

131

The purpose of this is to enable <emphasis>remote and unattended

132

rebooting</emphasis> of client host computer with an

133

<emphasis>encrypted root file system</emphasis>. See <xref

134

linkend="overview"/> for details.

135

</para>

136

</refsect1>

137

138

139

<title>OPTIONS</title>

140

141

142

143

<term><option>--agent-directory

144

<replaceable>DIRECTORY</replaceable></option></term>

145

146

<para>

147

Specify a different agent directory. The default is

148

<quote><filename class="directory"

149

>/run/systemd/ask-password</filename ></quote> as per the

150

<ulink url="https://systemd.io/PASSWORD_AGENTS/">Password

151

Agents</ulink> specification.

152

</para>

153

</listitem>

154

</varlistentry>

155

156

157

<term><option>--helper-directory

158

<replaceable>DIRECTORY</replaceable></option></term>

159

160

<para>

161

Specify a different helper directory. The default is

162

<quote><filename class="directory"

163

>/lib/mandos/plugin-helpers</filename

164

></quote>, which

165

will exist in the initial <acronym>RAM</acronym> disk

166

environment. (This will simply be passed to the

167

<replaceable>MANDOS_CLIENT</replaceable> program via the

168

<envar>MANDOSPLUGINHELPERDIR</envar> environment variable.

169

See

170

<citerefentry><refentrytitle>mandos-client</refentrytitle

171

><manvolnum>8mandos</manvolnum></citerefentry>.)

172

</para>

173

</listitem>

174

</varlistentry>

175

176

177

<term><option>--user

178

<replaceable>USERID</replaceable></option></term>

179

180

<para>

181

Change real user ID to <replaceable>USERID</replaceable>

182

when running <replaceable>MANDOS_CLIENT</replaceable>.

183

The default is 65534. <emphasis>Note:</emphasis> This

184

must be a number, not a name.

185

</para>

186

</listitem>

187

</varlistentry>

188

189

190

<term><option>--group

191

<replaceable>GROUPID</replaceable></option></term>

192

193

<para>

194

Change real group ID to <replaceable>GROUPID</replaceable>

195

when running <replaceable>MANDOS_CLIENT</replaceable>.

196

The default is 65534. <emphasis>Note:</emphasis> This

197

must be a number, not a name.

198

</para>

199

</listitem>

200

</varlistentry>

201

202

203

<term><replaceable>MANDOS_CLIENT</replaceable></term>

204

205

<para>

206

This specifies the file name for

207

<citerefentry><refentrytitle>mandos-client</refentrytitle

208

><manvolnum>8mandos</manvolnum></citerefentry>. If the

209

<quote><option>--</option></quote> option is given, any

210

following options are passed to the <replaceable

211

>MANDOS_CLIENT</replaceable> program. The default is

212

<quote><filename

213

>/lib/mandos/plugins.d/mandos-client</filename ></quote>

214

(which is the correct location for the initial

215

<acronym>RAM</acronym> disk environment) without any

216

options.

217

</para>

218

</listitem>

219

</varlistentry>

220

221

222

223

224

225

<para>

226

Gives a help message about options and their meanings.

227

</para>

228

</listitem>

229

</varlistentry>

230

231

232

233

234

<para>

235

Ignore normal operation; instead only run self-tests.

236

Adding the <option>--help</option> option may show more

237

options possible in combination with

238

<option>--test</option>.

239

</para>

240

</listitem>

241

</varlistentry>

242

243

244

<term><option>--usage</option></term>

245

246

<para>

247

Gives a short usage message.

248

</para>

249

</listitem>

250

</varlistentry>

251

252

253

<term><option>--version</option></term>

254

255

256

<para>

257

Prints the program version.

258

</para>

259

</listitem>

260

</varlistentry>

261

</variablelist>

262

</refsect1>

263

264

265

<title>OVERVIEW</title>

266

<xi:include href="../overview.xml"/>

267

<para>

268

This program, &COMMANDNAME;, will run on the client side in the

269

initial <acronym>RAM</acronym> disk environment, and is

270

responsible for getting a password from the Mandos client

271

program itself, and to send that password to whatever is

272

currently asking for a password using the systemd <ulink

273

url="https://systemd.io/PASSWORD_AGENTS/">Password

274

Agents</ulink> mechanism.

275

</para>

276

<para>To accomplish this, &COMMANDNAME; runs the

277

<command>mandos-client</command> program (which is the actual

278

client program communicating with the Mandos server) or,

279

alternatively, any executable file specified as

280

<replaceable>MANDOS_CLIENT</replaceable>, and, as soon as a

281

password is acquired from the

282

<replaceable>MANDOS_CLIENT</replaceable> program, sends that

283

password (as per the <ulink

284

url="https://systemd.io/PASSWORD_AGENTS/">Password Agents</ulink>

285

specification) to all currently unanswered password questions.

286

</para>

287

<para>

288

This program should be started (normally as a systemd service,

289

which in turn is normally started by a <citerefentry

290

><refentrytitle>systemd.path</refentrytitle>

291

<manvolnum>5</manvolnum></citerefentry> file) as a reaction to

292

files named <quote><filename>ask.<replaceable>xxxx</replaceable

293

></filename></quote> appearing in the agent directory

294

<quote><filename

295

class="directory">/run/systemd/ask-password</filename></quote>

296

(or the directory specified by

297

<option>--agent-directory</option>).

298

</para>

299

</refsect1>

300

301

302

<title>EXIT STATUS</title>

303

<para>

304

Exit status of this program is zero if no errors were

305

encountered, and otherwise not.

306

</para>

307

</refsect1>

308

309

310

<title>ENVIRONMENT</title>

311

<para>

312

This program does not use any environment variables itself, it

313

only passes on its environment to

314

<replaceable>MANDOS_CLIENT</replaceable>. Also, the

315

<option>--helper-directory</option> option will affect the

316

environment variable <envar>MANDOSPLUGINHELPERDIR</envar> for

317

<replaceable>MANDOS_CLIENT</replaceable>.

318

</para>

319

</refsect1>

320

321

322

<title>FILES</title>

323

<para>

324

325

326

<term><filename class="directory"

327

>/run/systemd/ask-password</filename></term>

328

329

<para>

330

The default directory to watch for password questions as

331

per the <ulink

332

url="https://systemd.io/PASSWORD_AGENTS/">Password

333

Agents</ulink> specification; can be changed by the

334

<option>--agent-directory</option> option.

335

</para>

336

</listitem>

337

</varlistentry>

338

339

<term><filename class="directory"

340

>/lib/mandos/plugin-helpers</filename

341

></term>

342

343

<para>

344

The helper directory as supplied to

345

<replaceable>MANDOS_CLIENT</replaceable> via the

346

<envar>MANDOSPLUGINHELPERDIR</envar> environment

347

variable; can be changed by the

348

<option>--helper-directory</option> option.

349

</para>

350

</listitem>

351

</varlistentry>

352

</variablelist>

353

</para>

354

</refsect1>

355

356

357

358

<xi:include href="../bugs.xml"/>

359

</refsect1>

360

361

362

<title>EXAMPLE</title>

363

364

<para>

365

Normal invocation needs no options:

366

</para>

367

<para>

368

<userinput>&COMMANDNAME;</userinput>

369

</para>

370

</informalexample>

371

372

<para>

373

Run an alternative <replaceable>MANDOS_CLIENT</replaceable>

374

program::

375

</para>

376

<para>

377

<userinput>&COMMANDNAME; /usr/local/sbin/alternate</userinput>

378

</para>

379

</informalexample>

380

381

<para>

382

Use alternative locations for the helper directory and the

383

Mandos client, and add extra options suitable for running in

384

the normal file system:

385

</para>

386

<para>

387

388

389

<userinput>&COMMANDNAME; --helper-directory=/usr/lib/x86_64-linux-gnu/mandos/plugin-helpers -- /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem --tls-privkey=/etc/keys/mandos/tls-privkey.pem</userinput>

390

391

</para>

392

</informalexample>

393

394

<para>

395

Use the default location for

396

<citerefentry><refentrytitle>mandos-client</refentrytitle>

397

<manvolnum>8mandos</manvolnum></citerefentry>, but add many

398

options to it:

399

</para>

400

<para>

401

402

403

<userinput>&COMMANDNAME; -- /lib/mandos/plugins.d/mandos-client --pubkey=/etc/mandos/keys/pubkey.txt --seckey=/etc/mandos/keys/seckey.txt --tls-pubkey=/etc/mandos/keys/tls-pubkey.pem --tls-privkey=/etc/mandos/keys/tls-privkey.pem</userinput>

404

405

</para>

406

</informalexample>

407

408

<para>

409

Only run the self-tests:

410

</para>

411

<para>

412

<userinput>&COMMANDNAME; --test</userinput>

413

</para>

414

</informalexample>

415

</refsect1>

416

417

<title>SECURITY</title>

418

<para>

419

This program will need to run as the root user in order to read

420

the agent directory and the <quote><filename

421

>ask.<replaceable>xxxx</replaceable></filename></quote> files

422

there, and will, when starting the Mandos client program,

423

require the ability to set the <quote>real</quote> user and

424

group ids to another user, by default user and group 65534,

425

which are assumed to be non-privileged. This is done in order

426

to match the expectations of <citerefentry><refentrytitle

427

>mandos-client</refentrytitle><manvolnum>8mandos</manvolnum

428

></citerefentry>, which assumes that its executable file is

429

owned by the root user and also has the set-user-ID bit set (see

430

<citerefentry><refentrytitle>execve</refentrytitle><manvolnum

431

>2</manvolnum></citerefentry>).

432

</para>

433

</refsect1>

434

435

436

437

<para>

438

<citerefentry><refentrytitle>intro</refentrytitle>

439

<manvolnum>8mandos</manvolnum></citerefentry>,

440

<citerefentry><refentrytitle>mandos-client</refentrytitle>

441

<manvolnum>8mandos</manvolnum></citerefentry>,

442

<citerefentry><refentrytitle>systemd</refentrytitle>

443

<manvolnum>1</manvolnum></citerefentry>,

444

</para>

445

446

447

<term>

448

<ulink url="https://systemd.io/PASSWORD_AGENTS/">Password

449

Agents</ulink>

450

</term>

451

452

<para>

453

The specification for systemd <quote>Password

454

Agent</quote> programs, which

455

<command>&COMMANDNAME;</command> follows.

456

</para>

457

</listitem>

458

</varlistentry>

459

</variablelist>

460

</refsect1>

461

462

</refentry>

463

464

465

466

467

Older »