/mandos/trunk : revision 114

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-08-29 07:30:17 UTC
Revision ID: teddy@fukt.bsnet.se-20080829073017-tvryowganbf75zp5

* mandos-clients.conf.xml (SEE ALSO): Alphabetized, as per
                                      man-pages(7).
* mandos-keygen.xml: - '' -
* mandos.conf.xml: - '' -
* mandos.xml: - '' -
* plugin-runner.xml: - '' -
* plugins.d/password-request.xml (SEE ALSO): Changed from an
                                             <itemizedlist> to a
                                             <para>, as per
                                             man-pages(7).  Also
                                             alphabetize.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2010-09-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-08-29">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Gives encrypted passwords to authenticated Mandos clients

Sends encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<sbr/>

<arg>--interface<arg choice="plain">NAME</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

100

</group>

100

101

</cmdsynopsis>

101

102

102

103

<command>&COMMANDNAME;</command>

103

<arg choice="plain"><option>--version</option></arg>

104

<arg choice="plain">--version</arg>

104

105

</cmdsynopsis>

105

106

106

107

<command>&COMMANDNAME;</command>

107

<arg choice="plain"><option>--check</option></arg>

108

<arg choice="plain">--check</arg>

108

109

</cmdsynopsis>

109

110

</refsynopsisdiv>

110

111

112

112

113

<title>DESCRIPTION</title>

113

114

<para>

122

123

Any authenticated client is then given the stored pre-encrypted

123

124

password for that specific client.

124

125

</para>

126

125

127

</refsect1>

126

128

127

129

128

130

<title>PURPOSE</title>

131

129

132

<para>

130

133

The purpose of this is to enable <emphasis>remote and unattended

131

134

rebooting</emphasis> of client host computer with an

132

135

<emphasis>encrypted root file system</emphasis>. See <xref

133

136

linkend="overview"/> for details.

134

137

</para>

138

135

139

</refsect1>

136

140

137

141

138

142

<title>OPTIONS</title>

143

139

144

140

145

141

142

146

143

147

144

148

<para>

145

149

Show a help message and exit

146

150

</para>

147

151

</listitem>

148

152

</varlistentry>

149

153

150

154

151

<term><option>--interface</option>

152

153

154

155

<term><literal>-i</literal>, <literal>--interface <replaceable

156

>NAME</replaceable></literal></term>

155

157

156

158

<xi:include href="mandos-options.xml" xpointer="interface"/>

157

159

</listitem>

158

160

</varlistentry>

159

161

160

162

161

<term><option>--address

162

<replaceable>ADDRESS</replaceable></option></term>

163

<term><option>-a

164

<replaceable>ADDRESS</replaceable></option></term>

163

<term><literal>-a</literal>, <literal>--address <replaceable>

164

ADDRESS</replaceable></literal></term>

165

166

<xi:include href="mandos-options.xml" xpointer="address"/>

167

</listitem>

168

</varlistentry>

169

170

171

<term><option>--port

172

173

<term><option>-p

174

171

172

PORT</replaceable></literal></term>

175

173

176

174

<xi:include href="mandos-options.xml" xpointer="port"/>

177

175

</listitem>

178

176

</varlistentry>

179

177

180

178

181

<term><option>--check</option></term>

179

<term><literal>--check</literal></term>

182

180

183

181

<para>

184

182

Run the server’s self-tests. This includes any unit

186

184

</para>

187

185

</listitem>

188

186

</varlistentry>

189

187

190

188

191

<term><option>--debug</option></term>

189

<term><literal>--debug</literal></term>

192

190

193

191

<xi:include href="mandos-options.xml" xpointer="debug"/>

194

192

</listitem>

195

193

</varlistentry>

196

194

197

195

198

<term><option>--priority <replaceable>

199

PRIORITY</replaceable></option></term>

196

<term><literal>--priority <replaceable>

197

PRIORITY</replaceable></literal></term>

200

198

201

199

<xi:include href="mandos-options.xml" xpointer="priority"/>

202

200

</listitem>

203

201

</varlistentry>

204

202

205

203

206

<term><option>--servicename

207

204

<term><literal>--servicename <replaceable>NAME</replaceable>

205

</literal></term>

208

206

209

207

<xi:include href="mandos-options.xml"

210

208

xpointer="servicename"/>

211

209

</listitem>

212

210

</varlistentry>

213

211

214

212

215

<term><option>--configdir

216

<replaceable>DIRECTORY</replaceable></option></term>

213

<term><literal>--configdir <replaceable>DIR</replaceable>

214

</literal></term>

217

215

218

216

<para>

219

217

Directory to search for configuration files. Default is

225

223

</para>

226

224

</listitem>

227

225

</varlistentry>

228

226

229

227

230

<term><option>--version</option></term>

228

<term><literal>--version</literal></term>

231

229

232

230

<para>

233

231

Prints the program version and exit.

234

232

</para>

235

233

</listitem>

236

234

</varlistentry>

237

238

239

240

241

<xi:include href="mandos-options.xml" xpointer="dbus"/>

242

<para>

243

See also <xref linkend="dbus_interface"/>.

244

</para>

245

</listitem>

246

</varlistentry>

247

248

249

250

251

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

252

</listitem>

253

</varlistentry>

254

235

</variablelist>

255

236

</refsect1>

256

237

257

238

258

239

<title>OVERVIEW</title>

259

240

<xi:include href="overview.xml"/>

260

241

<para>

261

242

This program is the server part. It is a normal server program

262

243

and will run in a normal system environment, not in an initial

263

<acronym>RAM</acronym> disk environment.

244

RAM disk environment.

264

245

</para>

265

246

</refsect1>

266

247

267

248

268

249

<title>NETWORK PROTOCOL</title>

269

250

<para>

321

302

</row>

322

303

</tbody></tgroup></table>

323

304

</refsect1>

324

305

325

306

326

307

<title>CHECKING</title>

327

308

<para>

328

309

The server will, by default, continually check that the clients

329

310

are still up. If a client has not been confirmed as being up

330

311

for some time, the client is assumed to be compromised and is no

331

longer eligible to receive the encrypted password. (Manual

332

intervention is required to re-enable a client.) The timeout,

312

longer eligible to receive the encrypted password. The timeout,

333

313

checker program, and interval between checks can be configured

334

314

both globally and per client; see <citerefentry>

335

315

<refentrytitle>mandos-clients.conf</refentrytitle>

336

<manvolnum>5</manvolnum></citerefentry>. A client successfully

337

receiving its password will also be treated as a successful

338

checker run.

339

</para>

340

</refsect1>

341

342

343

<title>APPROVAL</title>

344

<para>

345

The server can be configured to require manual approval for a

346

client before it is sent its secret. The delay to wait for such

347

approval and the default action (approve or deny) can be

348

configured both globally and per client; see <citerefentry>

349

<refentrytitle>mandos-clients.conf</refentrytitle>

350

<manvolnum>5</manvolnum></citerefentry>. By default all clients

351

will be approved immediately without delay.

352

</para>

353

<para>

354

This can be used to deny a client its secret if not manually

355

approved within a specified time. It can also be used to make

356

the server delay before giving a client its secret, allowing

357

optional manual denying of this specific client.

358

</para>

359

360

</refsect1>

361

316

<manvolnum>5</manvolnum></citerefentry>.

317

</para>

318

</refsect1>

319

362

320

363

321

<title>LOGGING</title>

364

322

<para>

368

326

and also show them on the console.

369

327

</para>

370

328

</refsect1>

371

372

373

<title>D-BUS INTERFACE</title>

374

<para>

375

The server will by default provide a D-Bus system bus interface.

376

This interface will only be accessible by the root user or a

377

Mandos-specific user, if such a user exists. For documentation

378

of the D-Bus API, see the file <filename>DBUS-API</filename>.

379

</para>

380

</refsect1>

381

329

382

330

383

331

<title>EXIT STATUS</title>

384

332

<para>

386

334

critical error is encountered.

387

335

</para>

388

336

</refsect1>

389

337

390

338

391

339

<title>ENVIRONMENT</title>

392

340

393

341

394

342

395

343

396

344

<para>

397

345

To start the configured checker (see <xref

406

354

</varlistentry>

407

355

</variablelist>

408

356

</refsect1>

409

410

357

358

411

359

<title>FILES</title>

412

360

<para>

413

361

Use the <option>--configdir</option> option to change where

436

384

</listitem>

437

385

</varlistentry>

438

386

439

<term><filename>/var/run/mandos.pid</filename></term>

387

<term><filename>/var/run/mandos/mandos.pid</filename></term>

440

388

441

389

<para>

442

The file containing the process id of the

443

<command>&COMMANDNAME;</command> process started last.

390

The file containing the process id of

391

<command>&COMMANDNAME;</command>.

444

392

</para>

445

393

</listitem>

446

394

</varlistentry>

474

422

backtrace. This could be considered a feature.

475

423

</para>

476

424

<para>

477

Currently, if a client is disabled due to having timed out, the

478

server does not record this fact onto permanent storage. This

479

has some security implications, see <xref linkend="clients"/>.

425

Currently, if a client is declared <quote>invalid</quote> due to

426

having timed out, the server does not record this fact onto

427

permanent storage. This has some security implications, see

428

<xref linkend="CLIENTS"/>.

429

</para>

430

<para>

431

There is currently no way of querying the server of the current

432

status of clients, other than analyzing its <systemitem

433

class="service">syslog</systemitem> output.

480

434

</para>

481

435

<para>

482

436

There is no fine-grained control over logging and debug output.

485

439

Debug mode is conflated with running in the foreground.

486

440

</para>

487

441

<para>

488

The console log messages do not show a time stamp.

489

</para>

490

<para>

491

This server does not check the expire time of clients’ OpenPGP

492

keys.

442

The console log messages does not show a timestamp.

493

443

</para>

494

444

</refsect1>

495

445

530

480

</para>

531

481

</informalexample>

532

482

</refsect1>

533

483

534

484

535

485

<title>SECURITY</title>

536

486

537

487

<title>SERVER</title>

538

488

<para>

539

489

Running this <command>&COMMANDNAME;</command> server program

540

490

should not in itself present any security risk to the host

541

computer running it. The program switches to a non-root user

542

soon after startup.

491

computer running it. The program does not need any special

492

privileges to run, and is designed to run as a non-root user.

543

493

</para>

544

494

</refsect2>

545

495

546

496

<title>CLIENTS</title>

547

497

<para>

548

498

The server only gives out its stored data to clients which

555

505

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

556

506

<manvolnum>5</manvolnum></citerefentry>)

557

507

<emphasis>must</emphasis> be made non-readable by anyone

558

except the user starting the server (usually root).

508

except the user running the server.

559

509

</para>

560

510

<para>

561

511

As detailed in <xref linkend="checking"/>, the status of all

564

514

</para>

565

515

<para>

566

516

If a client is compromised, its downtime should be duly noted

567

by the server which would therefore disable the client. But

568

if the server was ever restarted, it would re-read its client

569

list from its configuration file and again regard all clients

570

therein as enabled, and hence eligible to receive their

571

passwords. Therefore, be careful when restarting servers if

572

it is suspected that a client has, in fact, been compromised

573

by parties who may now be running a fake Mandos client with

574

the keys from the non-encrypted initial <acronym>RAM</acronym>

575

image of the client host. What should be done in that case

576

(if restarting the server program really is necessary) is to

577

stop the server program, edit the configuration file to omit

578

any suspect clients, and restart the server program.

517

by the server which would therefore declare the client

518

invalid. But if the server was ever restarted, it would

519

re-read its client list from its configuration file and again

520

regard all clients therein as valid, and hence eligible to

521

receive their passwords. Therefore, be careful when

522

restarting servers if it is suspected that a client has, in

523

fact, been compromised by parties who may now be running a

524

fake Mandos client with the keys from the non-encrypted

525

initial RAM image of the client host. What should be done in

526

that case (if restarting the server program really is

527

necessary) is to stop the server program, edit the

528

configuration file to omit any suspect clients, and restart

529

the server program.

579

530

</para>

580

531

<para>

581

532

For more details on client-side security, see

582

<citerefentry><refentrytitle>mandos-client</refentrytitle>

533

<citerefentry><refentrytitle>password-request</refentrytitle>

583

534

<manvolnum>8mandos</manvolnum></citerefentry>.

584

535

</para>

585

536

</refsect2>

586

537

</refsect1>

587

538

588

539

589

540

590

541

<para>

593

544

594

545

<refentrytitle>mandos.conf</refentrytitle>

595

546

596

<refentrytitle>mandos-client</refentrytitle>

547

<refentrytitle>password-request</refentrytitle>

597

548

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

598

549

599

550

</citerefentry>

Older »