<refsect1 id="description">
<title>DESCRIPTION</title>
<command>&COMMANDNAME;</command> is a client program that
communicates with <citerefentry><refentrytitle
>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>
to get a password. It uses IPv6 link-local addresses to get
network connectivity, Zeroconf to find the server, and TLS with
an OpenPGP key to ensure authenticity and confidentiality. It
keeps running, trying all servers on the network, until it
receives a satisfactory reply.
This program is not meant to be run directly; it is really meant
to run as a plugin of the <application>Mandos</application>
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
<manvolnum>8mandos</manvolnum></citerefentry>, which in turn
runs as a <quote>keyscript</quote> specified in the
<citerefentry><refentrytitle>crypttab</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> file.
<refsect1 id="purpose">
<title>PURPOSE</title>
The purpose of this is to enable <emphasis>remote and unattended
rebooting</emphasis> of client host computer with an
<emphasis>encrypted root file system</emphasis>. See <xref
linkend="overview"/> for details.
<refsect1 id="overview">
<title>OVERVIEW</title>
<xi:include href="overview.xml"/>
This program is the client part. It is a plugin started by
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
<manvolnum>8mandos</manvolnum></citerefentry> which will run in
an initial <acronym>RAM</acronym> disk environment.
This program could, theoretically, be used as a keyscript in
<filename>/etc/crypttab</filename>, but it would then be
impossible to enter the encrypted root disk password at the
console, since this program does not read from the console at
all. This is why a separate plugin does that, which will be run
in parallell to this one.
<command>&COMMANDNAME;</command> is a mandos plugin that works
like a client program that through avahi detects mandos servers,
sets up a gnutls connect and request a encrypted password. Any
passwords given is automaticly decrypted and passed to
<refsect1 id="options">
<title>OPTIONS</title>
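Review bot: typo in the new OVERVIEW paragraph: "in parallell to this one" should read "in parallel to this one"; the new PURPOSE paragraph also needs an article, "rebooting of a client host computer with an encrypted root file system". One gap in the new DESCRIPTION: it says the client "keeps running, trying all servers on the network, until it receives a satisfactory reply" without saying what makes a reply satisfactory; the removed wording at least stated that a received password is decrypted and passed on, so carrying that forward in one sentence (what is done with the reply, and that a reply that cannot be used is rejected and the search continues) would keep the security-relevant behaviour documented.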
179
This program is commonly not invoked from the command line; it
180
is normally started by the <application>Mandos</application>
181
plugin runner, see <citerefentry><refentrytitle
182
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
183
</citerefentry>. Any command line options this program accepts
184
are therefore normally provided by the plugin runner, and not
161
Commonly not invoked as command lines but from configuration
162
file of plugin runner.
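Review bot: the new OPTIONS introduction stops mid-sentence in this hunk at "provided by the plugin runner, and not"; check that the rest of the sentence is present in the committed file. The removed wording ("from configuration file of plugin runner") told the reader where the options actually come from, whereas the new paragraph only points at the plugin-runner(8mandos) manual; consider keeping an explicit mention of the plugin runner's configuration file.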
190
<term><option>--connect=<replaceable
191
>IPADDR</replaceable><literal>:</literal><replaceable
192
>PORT</replaceable></option></term>
194
<replaceable>IPADDR</replaceable><literal>:</literal
195
><replaceable>PORT</replaceable></option></term>
198
Do not use Zeroconf to locate servers. Connect directly
199
to only one specified <application>Mandos</application>
200
server. Note that an IPv6 address has colon characters in
201
it, so the <emphasis>last</emphasis> colon character is
202
assumed to separate the address from the port number.
205
This option is normally only useful for debugging.
211
<term><option>--keydir=<replaceable
212
>DIRECTORY</replaceable></option></term>
214
<replaceable>DIRECTORY</replaceable></option></term>
217
Directory to read the OpenPGP key files
218
<filename>pubkey.txt</filename> and
219
<filename>seckey.txt</filename> from. The default is
220
<filename>/conf/conf.d/mandos</filename> (in the initial
221
<acronym>RAM</acronym> disk environment).
227
<term><option>--interface=
228
<replaceable>NAME</replaceable></option></term>
230
<replaceable>NAME</replaceable></option></term>
233
Network interface that will be brought up and scanned for
234
Mandos servers to connect to. The default it
235
<quote><literal>eth0</literal></quote>.
241
<term><option>--pubkey=<replaceable
242
>FILE</replaceable></option></term>
244
<replaceable>FILE</replaceable></option></term>
247
OpenPGP public key file name. This will be combined with
248
the directory from the <option>--keydir</option> option to
249
form an absolute file name. The default name is
250
<quote><literal>pubkey.txt</literal></quote>.
256
<term><option>--seckey=<replaceable
257
>FILE</replaceable></option></term>
259
<replaceable>FILE</replaceable></option></term>
262
OpenPGP secret key file name. This will be combined with
263
the directory from the <option>--keydir</option> option to
264
form an absolute file name. The default name is
265
<quote><literal>seckey.txt</literal></quote>.
271
<term><option>--priority=<replaceable
272
>STRING</replaceable></option></term>
274
<xi:include href="mandos-options.xml" xpointer="priority"/>
279
<term><option>--dh-bits=<replaceable
280
>BITS</replaceable></option></term>
283
Sets the number of bits to use for the prime number in the
284
TLS Diffie-Hellman key exchange. Default is 1024.
290
<term><option>--debug</option></term>
293
Enable debug mode. This will enable a lot of output to
294
standard error about what the program is doing. The
295
program will still perform all other functions normally.
298
It will also enable debug mode in the Avahi and GnuTLS
299
libraries, making them print large amounts of debugging
306
<term><option>--help</option></term>
307
<term><option>-?</option></term>
310
Gives a help message about options and their meanings.
316
<term><option>--usage</option></term>
319
Gives a short usage message.
325
<term><option>--version</option></term>
326
<term><option>-V</option></term>
329
Prints the program version.
167
<term><literal>-c</literal>, <literal>--connect=<replaceable>
168
IP</replaceable></literal></term>
171
Connect directly to a specified mandos server
177
<term><literal>-d</literal>, <literal>--keydir=<replaceable>
178
KEYDIR</replaceable></literal></term>
181
Directory where the openpgp keyring is
187
<term><literal>-i</literal>, <literal>--interface=
188
<replaceable>INTERFACE</replaceable></literal></term>
191
Interface that Avahi will conntect through
197
<term><literal>-p</literal>, <literal>--pubkey=<replaceable>
198
PUBKEY</replaceable></literal></term>
201
Public openpgp key for gnutls authentication
207
<term><literal>-s</literal>, <literal>--seckey=<replaceable>
208
SECKEY</replaceable></literal></term>
211
Secret openpgp key for gnutls authentication
217
<term><literal>--priority=<replaceable>PRIORITY</replaceable>
227
<term><literal>--dh-bits=<replaceable>BITS</replaceable>
231
dh-bits to use in gnutls communication
237
<term><literal>--debug</literal></term>
246
<term><literal>-?</literal>, <literal>--help</literal></term>
255
<term><literal>--usage</literal></term>
258
Gives a short usage message
264
<term><literal>-V</literal>, <literal>--version</literal></term>
267
Prints the program version
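Review bot: typo in the new --interface entry: "The default it" should be "The default is". The removed entries documented short forms (-c, -d, -i, -p and -s for --connect, --keydir, --interface, --pubkey and --seckey) that the new <term>s drop, while -? and -V are kept for --help and --version; if the program still accepts the dropped short options, add them to the new <term>s in the same way as -? and -V, and if they were removed, say so. Two documentation gaps worth closing in the same rewrite: the --dh-bits entry gives the default (1024) but not the accepted range of values, and the --keydir and --seckey entries name the default location of the secret key (seckey.txt under /conf/conf.d/mandos) without stating what ownership and permissions that file must have.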